2025-01-19 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)06/01 Report--
SQLMAP is an automated SQL injection tool whose main function is to scan for, discover and exploit SQL injection vulnerabilities in a given URL. Currently the supported databases are MS-SQL, MySQL, Oracle and PostgreSQL.
SQLMAP uses four distinct SQL injection techniques: boolean-based blind SQL injection, UNION query SQL injection, stacked queries, and time-based blind SQL injection. Its wide range of functions and options covers database fingerprinting, enumeration, data extraction, access to the target file system, and execution of arbitrary commands once full operating-system privileges have been obtained.
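Each of the four techniques leaves a recognisable mark in web-server access logs. The following added example (not part of the original article) classifies constructed Apache-style log lines by technique, URL-decoding the request first and treating the default sqlmap User-Agent and an unusually slow SLEEP probe as extra indicators; the log format with a trailing response time in milliseconds is an assumption.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample log (combined format plus response time in ms at the end),
# not taken from the article: one benign request, then one probe per technique.
SAMPLE_LOG = """\
10.0.0.5 - - [19/Jan/2025:10:00:01 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1" 200 4123 "-" "Mozilla/5.0" 12
10.0.0.9 - - [19/Jan/2025:10:00:02 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1%27%20AND%201%3D1%20--%20- HTTP/1.1" 200 4123 "-" "sqlmap/1.0-dev" 14
10.0.0.9 - - [19/Jan/2025:10:00:03 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1%27%20UNION%20ALL%20SELECT%20NULL%2CNULL%20--%20- HTTP/1.1" 200 4300 "-" "Mozilla/5.0" 15
10.0.0.9 - - [19/Jan/2025:10:00:04 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1%27%3B%20SELECT%201%20--%20- HTTP/1.1" 500 512 "-" "Mozilla/5.0" 13
10.0.0.9 - - [19/Jan/2025:10:00:10 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1%27%20AND%20SLEEP%285%29%20--%20- HTTP/1.1" 200 4123 "-" "Mozilla/5.0" 5021
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" (?P<ms>\d+)$')

# One pattern per technique (B, U, S, T), applied to the URL-decoded request
# so that percent-encoded probes are not missed.
TECHNIQUES = [
    ("boolean-blind", re.compile(r"\b(AND|OR)\s+\d+\s*=\s*\d+", re.I)),
    ("union", re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I)),
    ("stacked", re.compile(r";\s*(SELECT|INSERT|UPDATE|DELETE|DROP)\b", re.I)),
    ("time-blind", re.compile(r"\b(SLEEP|BENCHMARK|WAITFOR\s+DELAY|PG_SLEEP)\b", re.I)),
]

def classify(line, slow_ms=3000):
    """Return the list of indicators found in one log line ([] when benign)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    decoded = unquote_plus(m.group("path"))
    hits = [name for name, pat in TECHNIQUES if pat.search(decoded)]
    # The tool's default User-Agent is a giveaway, but --random-agent hides it,
    # so the payload patterns above must carry the detection on their own.
    if m.group("ua").lower().startswith("sqlmap"):
        hits.append("sqlmap-ua")
    # A SLEEP probe that really took seconds means the time-based probe succeeded.
    if "time-blind" in hits and int(m.group("ms")) >= slow_ms:
        hits.append("slow-response")
    return hits

def scan(log_text):
    """Map each source IP to the set of indicators observed from it."""
    report = {}
    for line in log_text.splitlines():
        hits = classify(line)
        if hits:
            report.setdefault(LOG_RE.match(line).group("ip"), set()).update(hits)
    return report
```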
Start Backtrack5 and change to the /pentest/database/sqlmap directory in a shell.
Run ./sqlmap.py to use the sqlmap tool.
Let's take a local test as an example to briefly walk through the use of the sqlmap tool.
Start SQLMAP to make a preliminary judgment and detection of this injection point. Its detection mechanism is explained at the beginning of the article. After startup, SQLMAP begins testing the given URL, as shown in the following figure.
We see that the guessed database type is MySQL, and we also see the injection technique SQLMAP used.
Next we can determine which databases the current site has and list them.
We see that there are two databases; since we are experimenting with DVWA, we guess that the dvwa database is the one in use.
Then we query the tables in the dvwa database.
We find two tables.
The users table, as its name implies, should store information about users, so we continue by querying that table's columns.
We see several columns in the users table, and these columns hold the information we want.
The user and password columns are the critical ones, since they usually store account and password data, so we continue with the --dump option, which enumerates and guesses all the column contents for us.
We can see that we have dumped the information of six accounts, with user names and passwords. We have cracked the database: if we copy all the information down, we have downloaded the database, and all of its information is in our hands.
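The dump above works because the request value is spliced into the SQL text. The following added example (mine, not DVWA's own PHP code; it uses an in-memory SQLite stand-in for the users table with constructed rows) runs the boolean-blind true/false probe pair against a string-built query and a parameterised one, showing that the yes/no oracle sqlmap relies on disappears once the value is bound as a parameter.

```python
import sqlite3

def build_db():
    """In-memory stand-in for the dvwa users table, with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, user TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        (1, "alice", "<hash placeholder 1>"),
        (2, "bob", "<hash placeholder 2>"),
        (3, "carol", "<hash placeholder 3>"),
    ])
    return conn

def lookup_vulnerable(conn, user_id):
    """The request value is spliced into the SQL text, so quotes and keywords in it
    become part of the statement; this is the condition sqlmap was detecting above."""
    sql = f"SELECT user FROM users WHERE user_id = '{user_id}'"
    return [row[0] for row in conn.execute(sql)]

def lookup_parameterised(conn, user_id):
    """The value is bound separately from the statement text, so it is only ever
    compared against user_id and never parsed as SQL."""
    cur = conn.execute("SELECT user FROM users WHERE user_id = ?", (user_id,))
    return [row[0] for row in cur]

def oracle_present(lookup, conn):
    """Boolean-blind check: does a true-condition probe answer differently from a
    false-condition probe? True means the database can be asked yes/no questions."""
    true_probe = "1' AND '1'='1"
    false_probe = "1' AND '1'='2"
    return lookup(conn, true_probe) != lookup(conn, false_probe)
```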
=
SQLMAP parameter reference

Options:
--version  show the program's version number and exit
-h, --help  show this help message and exit
-v VERBOSE  verbosity level: 0-6 (default 1)

Target:
At least one of these options has to be specified to set the target URL.
-d DIRECT  connect directly to the database
-u URL, --url=URL  target URL
-l LIST  parse targets from Burp or WebScarab proxy logs
-r REQUESTFILE  load an HTTP request from a file
-g GOOGLEDORK  process Google dork results as target URLs
-c CONFIGFILE  load options from a configuration INI file

Request:
These options can be used to specify how to connect to the target URL.
--data=DATA  data string to be sent through POST
--cookie=COOKIE  HTTP Cookie header
--cookie-urlencode  URL-encode generated cookie injections
--drop-set-cookie  ignore the Set-Cookie header from the response
--user-agent=AGENT  HTTP User-Agent header
--random-agent  use a randomly selected HTTP User-Agent header
--referer=REFERER  HTTP Referer header
--headers=HEADERS  extra HTTP headers, newline separated
--auth-type=ATYPE  HTTP authentication type (Basic, Digest or NTLM)
--auth-cred=ACRED  HTTP authentication credentials (username:password)
--auth-cert=ACERT  HTTP authentication certificate (key_file,cert_file)
--proxy=PROXY  use an HTTP proxy to connect to the target URL
--proxy-cred=PCRED  HTTP proxy authentication credentials (username:password)
--ignore-proxy  ignore the system default HTTP proxy
--delay=DELAY  delay in seconds between each HTTP request
--timeout=TIMEOUT  seconds to wait before a connection times out (default 30)
--retries=RETRIES  retries when the connection times out (default 3)
--scope=SCOPE  regular expression to filter targets from the provided proxy log
--safe-url=SAFURL  URL address to visit frequently during testing
--safe-freq=SAFREQ  number of test requests between two visits to the safe URL

Optimization:
These options can be used to optimize the performance of sqlmap.
-o  turn on all optimization switches
--predict-output  predict common query output
--keep-alive  use persistent HTTP(S) connections
--null-connection  retrieve the page length without an actual HTTP response body
--threads=THREADS  maximum number of concurrent HTTP(S) requests (default 1)

Injection:
These options can be used to specify which parameters to test, provide custom injection payloads and optional tamper scripts.
-p TESTPARAMETER  testable parameter(s)
--dbms=DBMS  force the back-end DBMS to this value
--os=OS  force the back-end DBMS operating system to this value
--prefix=PREFIX  injection payload prefix string
--suffix=SUFFIX  injection payload suffix string
--tamper=TAMPER  use the given script(s) to tamper with injection data

Detection:
These options can be used to specify how to parse and compare the contents of HTTP response pages during blind SQL injection.
--level=LEVEL  level of tests to perform (1-5, default 1)
--risk=RISK  risk of tests to perform (0-3, default 1)
--string=STRING  string to match in the page when the query is valid
--regexp=REGEXP  regular expression to match in the page when the query is valid
--text-only  compare pages based only on their textual content

Techniques:
These options can be used to tweak the testing of specific SQL injection techniques.
--technique=TECH  SQL injection techniques to test for (default BEUST)
--time-sec=TIMESEC  seconds to delay the DBMS response (default 5)
--union-cols=UCOLS  range of columns to test for UNION query injection
--union-char=UCHAR  character to use when brute-forcing the number of columns

Fingerprint:
-f, --fingerprint  perform an extensive DBMS version fingerprint

Enumeration:
These options can be used to enumerate information about the back-end database management system, its table structure and data. You can also run your own SQL statements.
-b, --banner  retrieve the DBMS banner
--current-user  retrieve the DBMS current user
--current-db  retrieve the DBMS current database
--is-dba  detect whether the DBMS current user is DBA
--users  enumerate DBMS users
--passwords  enumerate DBMS user password hashes
--privileges  enumerate DBMS user privileges
--roles  enumerate DBMS user roles
--dbs  enumerate DBMS databases
--tables  enumerate DBMS database tables
--columns  enumerate DBMS database table columns
--dump  dump DBMS database table entries
--dump-all  dump the entries of all DBMS database tables
--search  search column(s), table(s) and/or database name(s)
-D DB  DBMS database to enumerate
-T TBL  DBMS database table to enumerate
-C COL  DBMS database table column to enumerate
-U USER  DBMS user to enumerate
--exclude-sysdbs  exclude DBMS system databases when enumerating tables
--start=LIMITSTART  first query output entry to retrieve
--stop=LIMITSTOP  last query output entry to retrieve
--first=FIRSTCHAR  first query output word character to retrieve
--last=LASTCHAR  last query output word character to retrieve
--sql-query=QUERY  SQL statement to be executed
--sql-shell  prompt for an interactive SQL shell

Bruteforce:
These options can be used to run brute force checks.
--common-tables  check for the existence of common tables
--common-columns  check for the existence of common columns

User-defined function injection:
These options can be used to create custom user-defined functions.
--udf-inject  inject custom user-defined functions
--shared-lib=SHLIB  local path of the shared library

File system access:
These options can be used to access the underlying file system of the back-end database management system.
--file-read=RFILE  read a file from the back-end DBMS file system
--file-write=WFILE  write a local file to the back-end DBMS file system
--file-dest=DFILE  absolute path on the back-end DBMS to write the file to

Operating system access:
These options can be used to access the underlying operating system of the back-end database management system.
--os-cmd=OSCMD  execute an operating system command
--os-shell  prompt for an interactive operating system shell
--os-pwn  prompt for an out-of-band shell, meterpreter or VNC
--os-smbrelay  one-click prompt for an out-of-band shell, meterpreter or VNC
--os-bof  stored procedure buffer overflow exploitation
--priv-esc  database process user privilege escalation
--msf-path=MSFPATH  local path where the Metasploit Framework is installed
--tmp-path=TMPPATH  remote absolute path of the temporary files directory

Windows registry access:
These options can be used to access the back-end database management system's Windows registry.
--reg-read  read a Windows registry key value
--reg-add  write a Windows registry key value data
--reg-del  delete a Windows registry key value
--reg-key=REGKEY  Windows registry key
--reg-value=REGVAL  Windows registry key value
--reg-data=REGDATA  Windows registry key value data
--reg-type=REGTYPE  Windows registry key value type

General:
These options can be used to set some general working parameters.
-t TRAFFICFILE  log all HTTP traffic into a text file
-s SESSIONFILE  save and resume all data retrieved in a session file
--flush-session  flush the session file for the current target
--fresh-queries  ignore query results stored in the session file
--eta  display the estimated time of arrival for each output
--update  update sqlmap
--save  save options to a configuration INI file
--batch  never ask for user input, use the default behaviour

Miscellaneous:
--beep  alert when a SQL injection is found
--check-payload  IDS detection testing of injection payloads
--cleanup  clean up the DBMS of sqlmap-specific UDFs and tables
--forms  parse and test forms on the target URL
--gpage=GOOGLEPAGE  use Google dork results from the specified page number
--page-rank  display page rank (PR) for Google dork results
--parse-errors  parse DBMS error messages from response pages
--replicate  replicate dumped data into a sqlite3 database
--tor  use the default Tor (Vidalia/Privoxy/Polipo) proxy address
--wizard  simple wizard interface for beginner users
=