Introduction to SQL Injection SQLMAP


Source: http://www.freebuf.com/articles/web/29942.html

Brief introduction

Many real-world attacks on websites come down to the site not being kept up to date or to user input not being checked. Viewed from the buffer overflow angle, the most fundamental problem behind this class of vulnerability is unchecked user input. SQL injection, one of the main threats, has made people worry about their applications and databases. The problem has been known for ten years, yet it still shows up on many websites. Like many of today's major web application security issues, SQL injection is categorized as a user input validation problem.

Body

Many web developers do not realize that SQL statements can be manipulated and assume that a SQL statement is a trusted command. This allows SQL statements to bypass access control mechanisms, sidestepping the standard authorization and authentication checks. Sometimes a SQL statement can even be used to run commands on the server's operating system.

Direct SQL injection is a technique in which the attacker constructs or modifies ready-made SQL commands to expose hidden data, overwrite valuable data, or even execute dangerous system instructions on the server.

Basics

Structured Query Language (SQL) is a standard declarative language for databases, which makes it concise and easy to use. SQL originated in IBM's labs in the 1970s and is used for communication between an application and a database.

SQL uses the following four kinds of statement to manipulate the database:

SELECT - retrieve records from the database

INSERT - insert a record into the database

DELETE - delete a record from the database

UPDATE - update or change existing records in the database

SQL injection can occur when a user-submitted value is used to build a database query. For example, when a user authenticates to a website, the user sends a "username" and "password", and these are checked against the contents stored in the database. If they match, the user is allowed to log in; otherwise the login fails. The following is an example of such a login check in the back end.

Code
SELECT * FROM user WHERE username='$username' AND password='$password'

This statement simply says: from the table user, select the rows whose username column equals the supplied username and whose password column equals the supplied password. So if the user sends the username "admin" and the password "12345", the SQL statement becomes:

SELECT * FROM user WHERE username='admin' AND password='12345'

Injection

Then, if the user enters ' or '1'='1 as the password, the first quotation mark terminates the input string, the remainder is treated as part of the SQL statement, and 1=1 is always true in SQL, which lets us bypass the login check:

SELECT * FROM user WHERE username='admin' AND password='' or '1'='1'   (always true)
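The login check above, run end to end, as an added example that is not part of the original article: the vulnerable string-built query beside the prepared-statement form that the Solutions section at the end recommends. It uses Python's built-in sqlite3 module with a constructed in-memory user table; the table contents, the function names and the probe inputs are this example's own assumptions, not the article's.

```python
import sqlite3


def make_db():
    # Constructed sample data: a single admin account, stored in memory.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (username TEXT, password TEXT)")
    conn.execute("INSERT INTO user VALUES ('admin', '12345')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # Builds the query exactly the way the article's login check does:
    # the user-supplied strings are pasted into the SQL text, so a quote
    # in the input ends the string literal and the rest becomes SQL.
    sql = ("SELECT * FROM user WHERE username='" + username
           + "' AND password='" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn, username, password):
    # Prepared statement: the SQL text and the values travel separately,
    # so the DBMS only ever compares the password column to the literal
    # bytes the user typed, quotes included.
    sql = "SELECT * FROM user WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def quote_causes_error(conn, login):
    # The simplest probe the article describes: does a stray single quote
    # break the query? An error here is the classic sign of injection.
    try:
        login(conn, "admin", "x'")
        return False
    except sqlite3.Error:
        return True


def demo():
    conn = make_db()
    payload = "' or '1'='1"   # the article's tautology, sent as the password
    return {
        "vuln_correct": login_vulnerable(conn, "admin", "12345"),
        "vuln_injected": login_vulnerable(conn, "admin", payload),
        "param_correct": login_parameterized(conn, "admin", "12345"),
        "param_injected": login_parameterized(conn, "admin", payload),
        "vuln_quote_error": quote_causes_error(conn, login_vulnerable),
        "param_quote_error": quote_causes_error(conn, login_parameterized),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Running it shows the asymmetry the article is about: the concatenated query lets the tautology log in as admin and throws a syntax error on a lone quote, while the parameterized query treats both inputs as ordinary (wrong) passwords.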

The above is a simple example of SQL injection, but in practice SQL injection is much more complex than this. In our penetration tests we usually have a very tight schedule, so we need an automated tool to carry out the injection for us.

sqlmap is a tool that can exploit such vulnerabilities. It is open source, written in Python, and is often used for penetration testing against vulnerable DBMSs. It detects and exploits SQL injection vulnerabilities, and with sqlmap.py we can, for example, gather information about the operating system and the database.

Step by step

I will show it in the most concise way possible.

The most common way to detect SQL injection is to add a single quotation mark (') to the input and expect the system to return an error; some applications, however, return no error. In that case we use true/false statements to check whether the application is vulnerable to SQL injection.

To find a website with a SQL injection vulnerability at random, you can use a Google dork in a format such as inurl:news.php?id=1. A large number of Google dork results will appear, which can be used to filter your search. So let's start with that.

First, enter the sqlmap directory on BackTrack:

cd /pentest/database/sqlmap

Before starting, view sqlmap.py's help menu with:

./sqlmap.py -h

Run sqlmap.py with the --dbs option to discover all databases in the DBMS.

Or use --current-db to discover the database used by the current target.

-D specifies the target database; --tables lists its tables.

We then check whether the tables contain anything of interest (for example admin_users) and list their columns with --columns.

It is important to specify the target database (with -D) every time before listing tables, because without -D the program lists the tables of every database.

-T = target table

-C = target column(s) (more than one column can be given, for example the username and password columns)

--dump = retrieve and extract the data

--proxy = send the requests through a proxy

For example: ./sqlmap.py --url "http://testphp.vulnweb.com/listproducts.php?cat=1" --dbs --proxy=http://183.223.10.108:80

I think the above are the basic commands for beginners. sqlmap also offers many interesting features; I recommend looking at the --prefix, --postfix and takeover options. More on using the tool can be found on the official website.

--dump extracts data from the site; when it is used the column must be selected and you must state explicitly what to extract from it. Here I extract the login and password information saved in those columns.

In general, the "password" field in a DBMS is stored in encrypted (hashed) form. Commonly used algorithms are SHA-1 and MD5, often applied without a "salt" (that is, the hash is computed directly from the user's input), which makes cracking easier. So after we obtain the hashed data we need to crack it, and we can use one of the many online cracking sites, such as:

http://www.md5decrypt.org, https://crackstation.net/, http://www.onlinehashcrack.com/

Or try manual brute force and rainbow tables. You can also use a GPU to speed up cracking, but that is not the main topic of this article.
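Why unsalted MD5 makes the stored passwords so easy to recover, and what the stored form should look like instead, as an added example that is not from the original article: Python's hashlib computes the bare MD5 the article describes beside a per-user salted PBKDF2-HMAC-SHA256 record with a constant-time verifier. The two sample accounts, the record format and the iteration count are this example's own constructed choices.

```python
import hashlib
import hmac
import os


def md5_unsalted(password):
    # The weak scheme the article describes: a bare hash of the raw input.
    # Every user with the same password gets the same digest, so one
    # lookup-table hit (or one online "decrypt" query) reveals all of them.
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def pbkdf2_salted(password, salt=None, iterations=100_000):
    # Salted, deliberately slow hash: a random 16-byte salt per user plus
    # PBKDF2-HMAC-SHA256. The stored record carries the salt and the
    # iteration count, so the cost can be raised later without breaking
    # existing logins. Format (constructed for this example): salt$iters$digest
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return "%s$%d$%s" % (salt.hex(), iterations, digest.hex())


def verify_pbkdf2(password, stored):
    # Recompute with the stored salt and iteration count, then compare in
    # constant time so the comparison itself leaks nothing about the digest.
    salt_hex, iterations, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def demo():
    # Constructed sample: two accounts that happen to share the password
    # from the article's login example.
    alice_pw = bob_pw = "12345"
    alice_md5, bob_md5 = md5_unsalted(alice_pw), md5_unsalted(bob_pw)
    alice_rec, bob_rec = pbkdf2_salted(alice_pw), pbkdf2_salted(bob_pw)
    return {
        "md5_entries_identical": alice_md5 == bob_md5,
        "salted_entries_differ": alice_rec != bob_rec,
        "verify_correct": verify_pbkdf2("12345", alice_rec),
        "verify_wrong": verify_pbkdf2("123456", alice_rec),
    }


if __name__ == "__main__":
    print(md5_unsalted("12345"))
    for name, result in demo().items():
        print(name, result)
```

The salted records for the two accounts differ even though the passwords are identical, so a dumped table no longer lets an attacker crack once and reuse the result, and each guess costs a full PBKDF2 run rather than a single MD5.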

Advanced

Fortunately, sqlmap ships with some very good tamper scripts, which you can find at the address below. Check them out with SVN:

svn checkout https://svn.sqlmap.org/sqlmap/trunk/sqlmap sqlmap-dev

In fact, the purpose of these scripts is to modify our requests so that they are not intercepted by a WAF (web application firewall). In some cases you may need to combine several scripts to get past the WAF. The complete list of scripts is available at:

https://svn.sqlmap.org/sqlmap/trunk/sqlmap/tamper/

Many enterprises overlook the weaknesses of their current DBMS and rely on the network firewall. Unfortunately, most firewalls can be bypassed simply by encoding the payload. So, gentlemen, I'd like to show you how to use some new features to bypass a WAF/IDS (intrusion detection system).

I'll show some important scripts such as charencode.py and charunicodeencode.py for MySQL, which on BackTrack 5 can be found under /pentest/web/scanners/sqlmap.

Hands-on: to use these scripts, pass the --tamper option followed by the script name; here we use charencode.

charencode.py summary

Simply put, this script can bypass some of the simpler web application firewalls (WAFs). Another interesting point is that the WAF decodes the URL before matching it against its rules.

Example:

Another good script is charunicodeencode.py, which helped me bypass many firewall restrictions during my actual penetration tests.
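What the charencode and charunicodeencode scripts exploit on the defending side is a filter that matches rules against the request as received rather than against what the database will actually see. The following is an added example, not code from the article or from sqlmap, of the canonicalisation step a WAF or request-logging pipeline needs: it URL-decodes repeatedly (so double encoding collapses), also handles the non-standard %uXXXX form, and only then applies a rule. The rule itself, the sample parameter values and the round limit are this example's own constructed assumptions.

```python
import re
from urllib.parse import unquote

# Constructed detection rule for this demonstration: the shape of the
# article's "' or '1'='1" payload, i.e. a quote, the word OR, another quote.
TAUTOLOGY_RULE = re.compile(r"'\s*or\s*'", re.IGNORECASE)


def decode_percent_u(value):
    # %uXXXX is the non-standard "unicode" percent encoding that
    # charunicodeencode produces; urllib's unquote leaves it alone,
    # so it is handled explicitly here (assumption: BMP code points only).
    return re.sub(r"%u([0-9a-fA-F]{4})",
                  lambda m: chr(int(m.group(1), 16)), value)


def normalize(value, max_rounds=5):
    # Decode until the value stops changing, so double-encoded input
    # (%2527 -> %27 -> ') ends up in the same form as plain input.
    # The round limit keeps a pathological input from looping forever.
    for _ in range(max_rounds):
        decoded = unquote(decode_percent_u(value))
        if decoded == value:
            break
        value = decoded
    return value


def matches_raw(value):
    # Rule applied to the request as received: blind to any encoding.
    return TAUTOLOGY_RULE.search(value) is not None


def matches_normalized(value):
    # Rule applied after canonicalisation: sees what the DBMS would see.
    return TAUTOLOGY_RULE.search(normalize(value)) is not None


# Constructed sample parameter values, as they would arrive in a query string.
SAMPLES = {
    "plain":          "' or '1'='1",
    "charencode":     "%27%20or%20%271%27%3D%271",
    "double_encoded": "%2527%2520or%2520%25271%2527%253D%25271",
    "charunicode":    "%u0027%u0020or%u0020%u00271%u0027%u003D%u00271",
    "benign":         "O%27Brien",
}


def evaluate():
    # For each sample: (raw match, normalized match)
    return {name: (matches_raw(v), matches_normalized(v))
            for name, v in SAMPLES.items()}


if __name__ == "__main__":
    for name, (raw, norm) in evaluate().items():
        print("%-15s raw=%-5s normalized=%s" % (name, raw, norm))
```

Only the plain payload trips the raw rule; all three encoded variants are caught once the input is normalised first, while the legitimate apostrophe in O'Brien still passes both checks. The same normalisation belongs in front of any logging or alerting that inspects request parameters, otherwise the encoded form is what ends up in the logs.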

I'm only showing a small subset of the scripts, and I highly recommend that you try all of them, because they tend to work in different environments.

Note: this is not a script kiddie's approach; it is very important to be responsible and skilled when handling such a powerful tool.

Anonymity

I also want to show you how to use sqlmap with the Tor onion router to protect your IP, DNS and so on. On Linux, run in a terminal:

sudo apt-get install tor tor-geoip

After entering the sqlmap directory: ./sqlmap.py -u "http://www.targetvuln.com/index/php?cata_id=1" -b -a --tor --check-tor --user-agent="Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

The --tor option routes requests through Tor, and --check-tor checks that Tor is being used correctly; if it is not, the terminal prints an error message. The user agent is Googlebot, so all your requests will look as if they come from Googlebot.

With sqlmap and Tor, you can set up a Tor proxy to hide the address from which the actual requests originate.

--tor-port and --tor-type: these two options let you configure the Tor proxy manually, and --check-tor verifies that the proxy is properly installed and working.

Conclusion

When SQL injection was first discovered years ago, many targets were flawed, and constructing the injection was the hardest part; penetration testers often had to build such SQL statements themselves.

The next development was automated injection tools. The best-known tool at the moment is probably sqlmap.py. sqlmap is an open-source testing framework written in Python that supports MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase and SAP MaxDB, and supports six SQL injection techniques.

Solutions

1. Periodically check the SQL server (and how it processes requests)
2. Restrict dynamic SQL statements
3. Avoid using data taken directly from users
4. Store the database permission information separately in another file
5. Apply the principle of least privilege
6. Use prepared (parameterized) SQL statements

Many thanks to my brother Rafay Baloch and the colleagues at RHA.
