Web Security Lecture 3 - Information Collection - sqlmap

1. sqlmap

sqlmap is an open source penetration testing tool that automates the detection and exploitation of SQL injection flaws and the takeover of database servers. It has a powerful detection engine, many niche features for the experienced penetration tester, and a broad range of switches covering database fingerprinting, fetching data from the database, accessing the underlying file system, and executing commands on the operating system through out-of-band connections.

Official website: http://sqlmap.org/

1.1 sqlmap features

  • Fully supports MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase, SAP MaxDB, HSQLDB, Informix and other database management systems.
  • Fully supports boolean-based blind, time-based blind, error-based, UNION query-based and stacked-query injection techniques.
  • Supports connecting directly to the database without going through a SQL injection point, given the DBMS credentials, IP address, port and database name.
  • Supports enumerating users, password hashes, privileges, roles, databases, tables and columns. It automatically recognizes password hash formats and supports cracking the hashes with a dictionary-based attack.
  • Supports dumping an entire database, a single table, only certain columns of a table, or even only part of the data in a column, depending on the user's choice.
  • Supports searching for specific database names, table names or column names across the database management system.

1.2 sqlmap download: http://sqlmap.org/

1.3 Building the sqli and DVWA practice lab

https://blog.csdn.net/Yauger/article/details/104227171

1.4 Introduction to SQL injection

So-called SQL injection means inserting SQL commands into a web form submission, a query string, or another part of a page request so that the server is tricked into executing malicious SQL. Specifically, it abuses an existing application's habit of passing user input to the back-end database engine: SQL statements entered into a web form are executed against the site's database, rather than the statements the designer intended. This is a security vulnerability of the web site.

A SQL injection point can be anywhere in the HTTP request.

1.5 sqlmap output level

Parameter: -v

sqlmap's output is divided into seven verbosity levels, from simple to detailed: 0, 1, 2, 3, 4, 5 and 6. The -v parameter selects a level; for example, -v 6 sets the output level to 6. The default level is 1.

  • 0: show only Python tracebacks, error messages [ERROR] and critical messages [CRITICAL]
  • 1: also show informational messages [INFO] and warnings [WARNING]
  • 2: also show debug messages [DEBUG]
  • 3: also show the payloads used in the injection
  • 4: also show HTTP request headers
  • 5: also show HTTP response headers
  • 6: also show HTTP response bodies

1.6 sqlmap target acquisition

1.6.1 sqlmap direct database connection

  • Server databases - MySQL, Oracle

     python sqlmap.py -d "mysql://user:password@host:port/dbname" -f --banner --dbs --users
     
     -d  connect directly to the database
     -f  --fingerprint 
     --banner 
     --dbs     
     --users
    
  • File databases - SQLite

1.6.2 Specifying the target URL in sqlmap

  • sqlmap can test a single URL directly with the -u or --url parameter

     URL format: http(s)://targeturl[:port]/
    

1.6.3 Reading SQL injection targets from different file types

  • 1. Many websites generate an XML sitemap specifically for search engines; sqlmap can read targets from one with the -x parameter.

  • 2. Multiple targets can be read from a multi-line text file and tested together with the -m parameter.

  • 3. An HTTP request can be saved to a file and then loaded with the -r parameter.

  • 4. The target can be read from the sqlmap.conf configuration file with the -c parameter.

1.7 sqlmap request settings

There are many HTTP request methods, and parameters may be carried in different positions (GET, POST, Cookie, User-Agent and so on). Often a request is only valid when it is made with a specific method and carries specific parameters in a specific location. So besides the target, sqlmap sometimes also needs some details of the HTTP request to be specified.

1.7.1 HTTP Methods

Generally sqlmap decides automatically whether to use GET or POST, but in some cases a rarer method such as PUT is required; then the --method parameter is used to specify it.

1.7.2 Setting POST parameters in sqlmap

Parameter: --data=""

By default the HTTP method used for the request is GET, but supplying data with --data implicitly switches the request to POST. This data is used as the parameters that are tested for SQL injection.

1.7.3 sqlmap parameters used to set cookies

--cookie 
--cookie-del 
--load-cookies 
--drop-set-cookie

These are needed for web applications with cookie-based authentication, where the page under test is only reachable when logged in and the cookie identifies the login state, and when you want to test the cookie values themselves for SQL injection, i.e. detect cookie injection.

1.7.4 Process for using a cookie with sqlmap

1. Log in or browse the page
2. Find the cookie
3. Use --cookie <cookie value> in sqlmap

1.7.5 Setting the User-Agent in sqlmap

  • By default, sqlmap uses the following User-Agent for HTTP requests:

     sqlmap/1.0-dev-xxxx (http://sqlmap.org)
    
  • Specifying the User-Agent in sqlmap

     Specify one:   --user-agent='<the user-agent to use>'
     Random one:    --random-agent
    

sqlmap proxy parameters

--proxy         Set the HTTP proxy server. Format: --proxy http(s)://ip[:port]
--proxy-cred    Set the HTTP proxy authentication credentials. Format: --proxy-cred user:pwd
--proxy-file    Load a list of proxies from a file
--ignore-proxy  Ignore the system-wide HTTP(S) proxy settings, for example when the target is on the local network

sqlmap delay setting

Parameter: --delay 0.5

During detection sqlmap sends a large number of probe payloads to the target, and the default sending rate is fast enough that the target may raise an alert.
To avoid this, a delay between packets can be set for the detection phase. By default no delay is set.
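As an added example (not from the original post) and the defender's counterpart to the User-Agent and delay settings described in the two sections above: a small checker over constructed web-server log lines in the Apache/Nginx combined format (assumed) that flags the default sqlmap User-Agent and request bursts from a single source. Because --random-agent and --delay each defeat one of those signals on its own, the checker reports both.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed Apache/Nginx "combined" log format. The sqlmap User-Agent string is
# the default quoted above; the log lines themselves are constructed.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

SAMPLE_LOG = """\
203.0.113.5 - - [10/Feb/2020:12:00:01 +0000] "GET /index.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Feb/2020:12:00:02 +0000] "GET /index.php?id=1 HTTP/1.1" 200 512 "-" "sqlmap/1.0-dev-xxxx (http://sqlmap.org)"
198.51.100.9 - - [10/Feb/2020:12:00:02 +0000] "GET /index.php?id=1%27 HTTP/1.1" 500 120 "-" "sqlmap/1.0-dev-xxxx (http://sqlmap.org)"
192.0.2.7 - - [10/Feb/2020:12:00:03 +0000] "GET /index.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.7 - - [10/Feb/2020:12:00:03 +0000] "GET /index.php?id=2 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.7 - - [10/Feb/2020:12:00:04 +0000] "GET /index.php?id=3 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.7 - - [10/Feb/2020:12:00:04 +0000] "GET /index.php?id=4 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.7 - - [10/Feb/2020:12:00:05 +0000] "GET /index.php?id=5 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

def parse(log_text):
    """Yield (ip, timestamp, user_agent) for every well-formed line."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m["ip"], datetime.strptime(m["ts"], TS_FMT), m["ua"]

def max_requests_in_window(times, window):
    """Largest number of requests from one source within any span of `window`."""
    times = sorted(times)
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:   # slide the window forward
            start += 1
        best = max(best, end - start + 1)
    return best

def detect(log_text, window=timedelta(seconds=10), burst_threshold=5):
    """Return (ips with the default sqlmap UA, ips exceeding the burst threshold)."""
    ua_hits, per_ip = set(), defaultdict(list)
    for ip, ts, ua in parse(log_text):
        per_ip[ip].append(ts)
        if ua.startswith("sqlmap/"):       # defeated by --random-agent alone
            ua_hits.add(ip)
    bursts = {ip for ip, stamps in per_ip.items()
              if max_requests_in_window(stamps, window) >= burst_threshold}
    return ua_hits, bursts
```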

sqlmap timeout setting

Parameter: --timeout 10.5

The number of seconds to wait before an HTTP request is considered timed out. The value is a float, for example 10.5 seconds. The default is 30 seconds.

The cache from previous tests needs to be deleted.

sqlmap timeout retry count

The --retries parameter sets the number of retries when an HTTP connection times out; the default is 3.

sqlmap random parameter values

Parameter: --randomize <parameter name>. sqlmap can randomize the value of the named parameter on every request; the generated value keeps the same length and type as the original.

sqlmap ignoring HTTP 401

If the site under test occasionally returns an HTTP 401 error and you want to ignore it and keep testing without supplying valid credentials, use --ignore-401.

The --ignore-401 parameter ignores unauthorized (401) errors.

Safe URL parameters

  • --safe-url   a safe URL that is visited frequently during testing
  • --safe-post  POST data to send when visiting the safe URL
  • --safe-req   load the safe HTTP request from a file
  • --safe-freq  number of test requests after which the safe URL is visited again


Origin blog.csdn.net/Yauger/article/details/104270392