What is sqlmap?

2025-03-29 Update. From: SLTechnology News&Howtos (shulou), Network Security


Shulou(Shulou.com)05/31 Report--

This article explains what sqlmap is. The editor considers it practical and shares it as a reference.

sqlmap is an automated SQL injection tool. Its main function is to scan a given URL, detect SQL injection vulnerabilities and exploit them (fingerprint the DBMS, enumerate databases, tables and data). At the time of writing, the supported database engines were MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase and SAP MaxDB; current releases support many more. The following describes how to drive sqlmap from Burp Suite through the CO2 extension, and then introduces sqlmap's tamper scripts and how to use them.

In earlier tests the usual workflow was to save a request captured by Burp Suite to a text file and then run sqlmap against that file with the appropriate parameters. The CO2 extension for Burp Suite can call sqlmap for you from inside Burp, which is more convenient.

Specific usage:

1. Open Burp Suite, go to Extender, then BApp Store (Burp's app store) and find CO2. Click the "Install" button at the bottom of the right-hand column. When installation completes, a "CO2" tab appears on the right, as shown in the following figure.

2. Open the CO2 tab and configure the path to sqlmap (the sqlmap.py script and, on Windows, the Python interpreter).

3. Send the intercepted request to SQLMapper (right-click the request and choose "Send to SQLMapper"). In that tab you can run sqlmap immediately or first set the parameters you want.
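As an added example (it is not the extension's own code), the Python helper below does the translation that the SQLMapper tab performs from its form fields: it reads a request saved from Burp and builds a sqlmap command line with -u, --method, --cookie, --data and --headers filled in from the request. The request, host name, session cookie and the parameter chosen for -p are constructed for illustration. The simplest alternative is to pass the saved file straight to sqlmap with -r; the helper mainly shows which part of the request ends up in which option.

```python
import shlex

# Constructed sample request in the form Burp saves it (CRLF line endings).
# Host, cookie and credentials are made up for this example.
RAW_REQUEST = (
    "POST /login.php HTTP/1.1\r\n"
    "Host: www.example.test\r\n"
    "Cookie: PHPSESSID=abc123\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Accept-Language: zh-CN\r\n"
    "Content-Length: 27\r\n"
    "\r\n"
    "username=admin&password=pwd"
)


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return method, path, headers, body


def build_sqlmap_args(raw, https=False, test_param=None):
    """Map the request onto sqlmap options the way the SQLMapper tab does."""
    method, path, headers, body = parse_request(raw)
    host = headers.pop("Host")
    url = "%s://%s%s" % ("https" if https else "http", host, path)
    args = ["sqlmap", "-u", url, "--method", method]

    # Cookie and body get their own options so sqlmap can test them as
    # injection points (it does so by default for --cookie at --level 2+).
    cookie = headers.pop("Cookie", None)
    if cookie:
        args += ["--cookie", cookie]
    if body:
        args += ["--data", body]

    # sqlmap recomputes these itself; everything else is passed via --headers,
    # which takes newline-separated "Name: value" pairs.
    for skip in ("Content-Length", "Connection"):
        headers.pop(skip, None)
    if headers:
        args += ["--headers", "\n".join("%s: %s" % kv for kv in headers.items())]

    if test_param:          # restrict testing to one parameter (-p)
        args += ["-p", test_param]
    args += ["--batch"]     # never prompt; accept sqlmap's defaults
    return args


def command_line(args):
    """Render the argv list as a shell-safe command string."""
    return " ".join(shlex.quote(a) for a in args)


if __name__ == "__main__":
    print(command_line(build_sqlmap_args(RAW_REQUEST, test_param="username")))
```

The quoting step matters: injection test URLs and POST bodies routinely contain quotes and ampersands, and pasting an unquoted command into a terminal is a common source of "sqlmap found nothing" results.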

Using sqlmap tamper scripts

A WAF is now almost standard equipment for a website, and during a penetration test you will find that many operations get blocked. When testing for SQL injection it is common for sqlmap's requests to be blocked by the WAF. This section covers using sqlmap's tamper scripts to get injection payloads past a WAF.

The first step in testing an injection point is to determine whether a WAF is present and, if so, which one. The "--identify-waf" option performs this check, and the WAF details appear in sqlmap's output:

Command: sqlmap.py -u "http://www.xxx.com" --identify-waf

Note that recent sqlmap releases have removed --identify-waf (and --check-waf): WAF/IPS detection is now performed automatically during the initial checks, and the message "WAF/IPS identified as '...'" appears in the normal output. Detection can be turned off with --skip-waf if it interferes with testing.

As shown in the following figure, with Safedog installed on a local test site the output contains "WAF/IPS identified as 'Safedog'", confirming both that the site is behind a WAF and that the WAF is Safedog.

Once you have established that a WAF protects the site, sqlmap's tamper scripts can be used to bypass it. A tamper script rewrites each payload before it is sent; to some extent this can evade the application's filtering of sensitive characters and the WAF's blocking rules, so that testing can continue. Before choosing a tamper, consider the type and version of the target database, since many scripts produce syntax that only one DBMS accepts, and then pick the scripts that match. Some of the bundled tamper scripts are listed in the figure below.

The tamper script directory on Windows is the tamper folder under the sqlmap installation directory (shown in the figure):

The tamper script directory on Kali (/usr/share/sqlmap/tamper/):

Command: sqlmap -u "http://xxx.com/xx.php?id=51" --tamper=xx.py,xx.py

Several scripts can be loaded at once, separated by commas; the .py suffix is optional.

Tamper script structure:

Figure 1

Figure 1: the priority of the script. The module-level variable __priority__ (set to one of the PRIORITY values imported from lib.core.enums) defines the order in which tamper scripts are applied when several are loaded: the script with the highest priority runs first. There are seven levels: LOWEST, LOWER, LOW, NORMAL, HIGH, HIGHER, HIGHEST.

Figure 2: the dependencies() function. It is optional and only prints a reminder of which databases the tamper is meant for; sqlmap does not enforce it. If you write one, follow the bundled scripts: the DBMS name in parentheses (figure 1) is what appears in the warning shown in figure 2.

Figure 2

Figure 3: tamper(payload, **kwargs) is the function sqlmap calls for every payload. The payload parameter is the SQL fragment sqlmap is about to inject; the function rewrites it and returns the result, which is how the bypass is achieved (figure 3 replaces the keywords that need hiding with double-written copies, about the simplest kind of tamper). kwargs is not a function but the keyword arguments sqlmap passes in; its headers entry is the dictionary of HTTP headers for the request, which the script can modify in place (figure 4).

Figure 3

Figure 4

The green text in the figure is the module docstring. It states what the script replaces, the database type and version it applies to, and gives an example of the payload before and after rewriting. The wording differs from script to script, but the replacement is always shown by example at the end.

Some people write their own tamper scripts; once written, the file is placed in the tamper directory and loaded by name with --tamper like any bundled script.

Thank you for reading. That concludes this article on "What is sqlmap?". I hope it has been helpful; if you found it useful, please share it so that more people can see it.
