sqlmap is an open source automated SQL injection tool written in Python, with the following features:
- Full support for MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase, SAP MaxDB, HSQLDB, Informix and a variety of other database management systems.
- Full support for boolean-based blind, time-based blind, error-based, UNION query and stacked query injection techniques.
- Support for connecting directly to a database without going through a SQL injection point, given the database credentials, IP address, port and database name.
- Support for enumerating users, passwords, hashes, privileges, roles, databases, tables and columns.
- Support for automatically recognizing password hash formats and cracking the hashes with a dictionary-based attack.
- Support for dumping a database table in full, only a range of columns from it, or even only a subset of the entries in a column, entirely at the user's choice.
- Support for searching for specific database names, table names or column names across all databases on the DBMS.
- Support for downloading and uploading files from/to the database server's file system when the DBMS is MySQL, PostgreSQL or Microsoft SQL Server.
- Support for executing arbitrary commands on the database server's operating system and retrieving their standard output when the DBMS is MySQL, PostgreSQL or Microsoft SQL Server.
While wandering around the Internet, I found the homepage of a company in Inner Mongolia; clicking the News item led to the URL shown:
Enter the classic and 1=1 test: the page does not change.
Then the and 1=2 test: the page shows blank.
So an injection point is suspected. Throw it into sqlmap to test; the results show the injection is real, the back-end database is Access, and the website is running JSP.
Then look at the tables: add the --tables option and continue the test.
sqlmap prompts that it cannot retrieve the tables and asks whether to test with the default table list (of course); y is the default, so just press Enter.
Then enter your own table names as well, and then the number of threads; 5 here.
Maybe it was too fast: a "connection reset" error appeared. Ignore it and slow down a bit later.
A bunch of error messages; wait a while, and the results come out.
Next, look at what is in the admin table. 5 threads was too fast, so 3 this time; continue dumping.
There are no known security devices or server performance issues, yet 3 threads still get a connection reset.
4 columns were dumped, as follows:
Now, let's see what is in these columns.
After a long wait, the data is dumped.
You can see that the password is encrypted: 32 characters long, so it should be an MD5 hash. Try your luck on an MD5 lookup site, then find the admin backend or some other way to continue the intrusion. That is not discussed here.
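The manual "and 1=1 / and 1=2" test and the sqlmap run described above leave a recognizable trace in the web server's access log, which is what a defender watching this kind of site would want to alert on. The following is an added example, not code from the original post or from the sqlmap project: it parses constructed, fictional combined-format log lines (the IPs, the /news.jsp path and the User-Agent strings are all assumptions), decodes the query string, and flags a client that sends a tautology probe answered with a full page and a contradiction probe answered with a near-empty page, the exact "page does not change / page shows blank" behaviour the post relies on.

```python
"""Detect boolean-based SQL injection probes in web access logs.

Added example (not from the original post or from sqlmap). The log
format, IP addresses, paths and User-Agent values below are constructed
for illustration.
"""
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample lines in Apache/Nginx "combined" format (fictional).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /news.jsp?id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] "GET /news.jsp?id=12%20and%201=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2024:10:00:09 +0000] "GET /news.jsp?id=12%20and%201=2 HTTP/1.1" 200 88 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2024:10:01:00 +0000] "GET /news.jsp?id=12%20AND%203456%3D3456 HTTP/1.1" 200 5120 "-" "sqlmap/1.7 (https://sqlmap.org)"
198.51.100.4 - - [01/Jan/2024:10:02:00 +0000] "GET /news.jsp?id=13 HTTP/1.1" 200 5100 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# A tautology/contradiction probe: "and <n>=<n>" (always true) or
# "and <n>=<m>" (always false); sqlmap uses random integers like 3456=3456.
BOOL_PROBE_RE = re.compile(r"\b(and|or)\s+(\d+)\s*=\s*(\d+)\b", re.IGNORECASE)


def parse_line(line):
    """Return a dict of fields for one combined-format log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = unquote_plus(rec["path"])  # decode %20, %3D, + before matching
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def classify(rec):
    """Tag a parsed record with the probe indicators it matches."""
    tags = []
    if "sqlmap" in rec["ua"].lower():  # default sqlmap User-Agent; trivially changed
        tags.append("sqlmap_user_agent")
    m = BOOL_PROBE_RE.search(rec["path"])
    if m:
        tags.append("bool_true" if m.group(2) == m.group(3) else "bool_false")
    return tags


def find_probes(log_text):
    """Group probe indicators per client IP, remembering the response size
    of the last TRUE probe and the last FALSE probe."""
    by_ip = defaultdict(lambda: {"tags": set(), "true_size": None, "false_size": None})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for tag in classify(rec):
            by_ip[rec["ip"]]["tags"].add(tag)
            if tag == "bool_true":
                by_ip[rec["ip"]]["true_size"] = rec["size"]
            elif tag == "bool_false":
                by_ip[rec["ip"]]["false_size"] = rec["size"]
    return {ip: v for ip, v in by_ip.items() if v["tags"]}


def suspicious_ips(log_text, ratio=0.5):
    """IPs whose TRUE and FALSE probes got responses differing in size by more
    than `ratio` (the blind-injection signature), or that sent a sqlmap UA."""
    out = []
    for ip, v in find_probes(log_text).items():
        if "sqlmap_user_agent" in v["tags"]:
            out.append(ip)
            continue
        t, f = v["true_size"], v["false_size"]
        if t and f is not None and abs(t - f) / t > ratio:
            out.append(ip)
    return sorted(out)


if __name__ == "__main__":
    for ip, info in find_probes(SAMPLE_LOG).items():
        print(ip, sorted(info["tags"]), info["true_size"], info["false_size"])
    print("suspicious:", suspicious_ips(SAMPLE_LOG))
```

The User-Agent match is the weakest signal, since sqlmap can be told to randomize it; the response-size contrast between the TRUE and FALSE probes from one client is the more durable indicator, and it is also the condition a parameterized query on the JSP side would remove, because both probes would then be treated as literal data and return the same "not found" page.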
Penetration Test NOTES: Testing an Access database using Sqlmap