This article transferred from: https://blog.werner.wiki/sqlmap-study-notes-0/
Thank the author of the collation, if there is infringement, the legislative deletion
0. Preface
This article is the note I made when I learned how to use sqlmap, documenting the common and basic uses of Sqlmap. The main way to learn is to read the Official Handbook (sqlmap/doc/readme.pdf).
First, what is Sqlmap?
Sqlmap is an open source automated SQL injection tool written by Python with the following features:
- Full support for MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase, SAP MaxDB, A variety of database management systems such as HSQLDB and Informix.
- Full support for Boolean blind, time-type blind, error-based injection, joint query injection, and heap query injection.
- Supports direct connection to a database without a SQL injection point, such as database certificates, IP addresses, ports, and database names, if such conditions permit.
- Supports enumeration of users, passwords, hashes, permissions, roles, databases, data tables, and columns.
- Supports automatic identification of password hashed format and decoding password hashes through a dictionary.
- Support for completely downloading a table in a database, or downloading only a few columns from a table, or even downloading only some of the data in a column, depends entirely on the user's choice.
- Support for searching the database management system for the specified database name, table name, or column name
- Support for downloading or uploading files when the database management system is MySQL, PostgreSQL, or Microsoft SQL Server.
- Support execution of arbitrary commands and return to standard output when the database management system is MySQL, PostgreSQL, or Microsoft SQL Server.
Second, installation Sqlmap
Sqlmap Open Source project, hosted on GitHub, the simplest way to install is to use Git and execute the following command:
git clone https://github.com/sqlmapproject/sqlmap.git
After a few moments the command finishes, you can see that there is a directory named "Sqlmap" in the current directory, which holds sqlmap python source code, configuration files, and documents. Since Python is the language that interprets execution, it is not compiled, so the latest version of Sqlmap is already installed. CD to the "Sqlmap" directory, start sqlmap with the command "Python Sqlmap" as shown in:
When you want to update Sqlmap, go to the "Sqlmap" directory and execute the command "git pull".
Third, output level (outputs verbosity)
Parameter:-V
The output information of Sqlmap is divided into 7 levels from simple to complex (as many as the gourd), followed by 0, 1, 2, 3, 4, 5 and 6. Use the parameter "-V < level >" To specify a level, such as using the parameter "-V 6" to specify an output level of 6. The default output level is 1. The individual output levels are described below:
- 0: Displays only Python's tracebacks information, error message, and key information [CRITICAL];
- 1: Display common information [INFO] and warning message [WARNING];
- 2: Simultaneous display of debug information [debug];
- 3: Simultaneous display of attack loads for injection use;
- 4: Simultaneous display of HTTP requests;
- 5: HTTP response header is displayed at the same time;
- 6: The HTTP response body is displayed at the same time.
The details of the output at each level are detailed to what extent, and you need to try it yourself and see for yourself before you have a clear understanding.
IV. Designation of objectives
The SQLMAP runtime must specify at least one target to support specifying multiple targets at a time. There are several ways to specify goals:
1. Connect directly to the database
Parameter:-D
Connect directly to the database using the parameter "-D" followed by a string representing the database, which has the following two formats:
(1). When the database management system is MySQL, Oracle, Microsoft SQL Server, or PostgreSQL, the format is:
DBMS://USER:[email protected]_IP:DBMS_PORT/DATABASE_NAME
(2). When the database management system is SQLite, Microsoft access, or Firebird, the format is:
DBMS://DATABASE_FILEPATH
I use the following command to connect the MySQL installed on this computer:
python sqlmap.py -d "mysql://root:[email protected]:3306/DISSchool"
There was an error, the error is:
[CRITICAL] sqlmap requires ‘python-pymysql‘ third-party library in order to directly connect to the DBMS ‘MySQL‘. You can download it from ‘https://github.com/petehunt/PyMySQL/‘. Alternative is to use a package ‘python-sqlalchemy‘ with support for dialect ‘mysql‘ installed
It means I don't have a third-party library python-pymysql to install python for MySQL. Although I installed PYTHON-MYSQLDB to enable Python to connect to MySQL, it is clear that Sqlmap uses python-pymysql instead of PYTHON-MYSQLDB. Install python-pymysql using the following command:
git clone https://github.com/petehunt/PyMySQL/ cd PyMySQL/ sudo python setup.py install
Install the Python-pymysql and then execute the command:
python sqlmap.py -d "mysql://root:[email protected]:3306/DISSchool"
This time no error, successfully connected to the database. Except that the test database is indeed a MySQL version number greater than or equal to 5.0.0 and nothing is done. Let Sqlmap do something that needs to be specified with other parameters, which we'll learn later.
2. Specify the destination URL
Parameters:-U or--url
Use the parameter "-U" or "--url" to specify a URL to target, followed by a string that represents the URL, either the HTTP protocol or the HTTPS protocol, or you can specify a port, such as:
python sqlmap.py -u "http://192.168.56.102:8080/user.php?id=0"
3. Resolve the target from the agent log in burp or WebScarab
Parameter:-L
Using the parameter "-L" to specify a burp or webscarab agent log file, Sqlmap will parse out the possible attack target from the log file and attempt to inject one at a. This parameter is followed by a path that represents the log file.
WebScarab I have not used, burp is often used. Burp The log is not logged by default and you want to log it manually, set the method as shown:
Just check the request data in the agent is enough, the log file path can be set arbitrarily, here I set the log file name Proxy.log, placed in the user home directory.
Set the browser agent for Burp, browse a few web pages and found that Proxy.log unexpectedly already has more than 70 k large, to view its contents, some of the output is as follows:
[email protected]:~$ more Proxy.log ====================================================== 7:22:52 PM http://oc sp.digicert.com:80 [117.18.237.29] ====================================================== post/http/1.1 HOST:OCSP. Digicert.com user-agent:mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:55.0) gecko/20100101 firefox/55.0 accept:text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 accept-language:zh-sg,en-us;q=0.7,en;q=0.3 accept-encoding:gzip, deflate content-length:83 content-type:applicatio N/ocsp-request dnt:1 connection:close 0q0o0m0k0i0 +???? Pr? Tz? ====================================================== ====================================================== 7:23:00 PM http://blog.csdn.net:80 [47.95.49.160] ====================================================== get/pyufftj/ article/details/21469201 http/1.1 Host:blog.csdn.net user-agent:mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:55.0) gecko/20100101 firefox/55.0 Accept:text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 ...
You can see that the log file not only records the get parameters, but also the cookie and post parameters. Now use the following command to let Sqlmap parse the log file, automatically find the target, detect the injection vulnerability:
python sqlmap.py -l ../proxy.log
Note the path to the log file is written correctly. When the command is executed, Sqlmap will ask whether to detect the target each time a possible attack target is found. , the default answer is "Y", you want to test the target, press the ENTER key directly on the line.
When the log is large there will be many possible targets, although there is a question mechanism but still trouble, because you can not go all the way to the decision to press ENTER. If you can filter the log is good! Yes, the parameter is "--scope", see "five. 18" for details.
4. Resolve the target from the site map file
Parameter:-X
For the convenience of search engine collection, many websites specifically for the search engine generated an XML format of the site map, such as Baidu Sitemap support XML format. Sqlmap can directly parse the XML format of the site map, from which to extract the attack target, a site full of no dead-end to inject detection, the parameters used is "-X", such as:
python sqlmap.py -x http://www.6eat.com/sitemap.xml
But the result of executing the command is:
[WARNING] no usable links found (with GET parameters)
No available links were found with get parameters. As far as my limited experience is concerned, URLs in the Sitemap rarely contain get parameters, not to mention the post parameters. So sqlmap this function seems to be a bit of a chicken.
5. Parse the target from a text file
Parameter:-M
Parameter "-U" can only specify a URL at a time, if there are more than one URL to test is very inconvenient, we can use a number of URLs in one-line format in a text file, and then using the parameter "-M" followed by the text file path, let Sqlmap read the URL in the file as the attack target.
If we have file Url.txt, the content is:
www.target1.com/vuln1.php?q=foobar www.target2.com/vuln2.asp?id=1 www.target3.com/vuln3/id/1*
You can then use the following command to have SQLMAP test these URLs for injection vulnerabilities:
python sqlmap.py -m url.txt
Similarly, when executing the command, Sqlmap will be very thoughtful to ask each of the following: "Does you want to test the this URL?"
6. Loading HTTP requests from a file
Parameter:-r
You can save an HTTP request in a file and then use the parameter "-r" to load the file, Sqlmap will parse the file, parse the target from the file, and test it.
The HTTP request, as shown below, is saved in the file Get.txt:
GET /user.php?id=1 HTTP/1.1 Host: 192.168.56.101:8080 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: zh-SG,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate DNT: 1 Connection: close Upgrade-Insecure-Requests: 1
Use the following command to have Sqlmap parse the file and test it with the HTTP request target in the file for the attack target:
python sqlmap.py -r get.txt
7. Use Google search results as an attack target
Parameter:-G
Sqlmap can automatically get the top 100 results of Google search, and inject tests for URLs with get parameters. Of course, the network environment to be able to access Google. The following is an example of the "-G" parameter in the SQLMAP manual:
python sqlmap.py -g "inurl:\".php?id=1\""
8. Load the attack target from the configuration file
Parameters:-C
Using the parameter "-C" to specify a configuration file (for example: sqlmap.conf), sqlmap resolves the configuration file and performs the action according to the configuration file's configuration. The target can be specified in the configuration file, and in fact the configuration file can specify values for various parameters in addition to the target of the attack.
Sqlmap according to the directory has a file named sqlmap.conf, the file is a profile template, look at the contents of the file, you can understand what the configuration file means.
V. Requests
HTTP is a complex protocol. There are many methods of HTTP requests that can carry different parameters in different locations (GET, POST, Cookie, user-agent, and so on). Often only requests that are made in a specific way with specific parameters in a particular location are valid requests. In addition to specifying a target, the Sqlmap runtime sometimes needs to specify some details of the HTTP request. The following parameters are used to specify the HTTP request details.
1.HTTP method
Parameter:--method
In general, Sqlmap can automatically determine whether to use the Get method or the Post method, but in some cases, it may be a very rare method of put, you need to use the parameter "--method" to specify the method. such as: "--method=put".
2.POST data
Parameter:--data
The data specified by this parameter is submitted as post data, and Sqlmap also detects that the parameter specifies whether the data has an injection vulnerability. Such as:
python sqlmap.py -u "http://192.168.56.102:8080/user.php" --data="id=0&name=werner"
3. Specifying separators
Parameter:--param-del
In the previous example, the "--data" Data "Id=0&name=werner" is actually composed of two parts: "Id=0" and "Name=werner", by default, "&" as the delimiter. We can use "--param-del" to specify delimiters, such as:
python sqlmap.py -u "http://192.168.56.102:8080/user.php" --data="id=0;name=werner" --param-del=";"
4.cookie
Parameters:--cookie 、--cookie-del 、--Drop-set-cookie and--load-cookies
There are two scenarios where these parameters are used:
- The page to be tested can only be accessed when logged in, and the login status is identified with a cookie
- Want to detect if there is a cookie injection
When "--level" is set to 2 or higher, Sqlmap detects the presence of an injection vulnerability in the cookie, and more information about "--level" is shown below.
(1). " --cookie "and"--cookie-del "
After you log in to the target website in your browser, copy the cookie that maintains the login status, and use the parameter "--cookie" to specify these cookies, such as:
python sqlmap.py -u "http://192.168.56.102:8080/user.php" --cookie "JSESSIONID=E5D6C8C81;NAME=werner;"
Unlike the post parameter, the cookie default delimiter is ";", you want to specify the delimiter in the cookie, use the parameter "--cookie-del".
(2). " --drop-set-cookie "
If there is "Set-cookie" in the HTTP response header, Sqlmap automatically sets the cookie set by "Set-cookie" and detects these cookies. If you do not want Sqlmap to do so, add the parameter "--drop-set-cookie", so that Sqlmap will ignore "Set-cookie".
(3). " --load-cookies "
This parameter is used to load a cookie in Netscape or wget format from a file.
Wget can save and load cookies in the following example:
# Log in to the server. This can be done only once. wget --save-cookies cookies.txt --post-data ‘user=foo&password=bar‘ http://server.com/auth.php # Now grab the page or pages we care about. wget --load-cookies cookies.txt -p http://server.com/interesting/article.php
5.user-agent
Parameters:--user-agent and--random-agent
By default, the User-agent value in the HTTP request sent by Sqlmap is:
sqlmap/1.0-dev-xxxxxxx (http://sqlmap.org)
Use the parameter "--user-agent" to specify a user-agent value. But the normal user-agent value is long what we may not remember, so with the parameter "--random-agent", using this parameter, Sqlmap will randomly take a user-agent from the file./txt/user-agents.txt. Note that in one session only the same user-agent is used, and not every HTTP request packet is sent randomly to a user-agent.
Use the following command to count the number of user-agents.txt rows:
cat sqlmap/txt/user-agents.txt | wc -l
The result is 4211, which includes empty lines, annotations, and so on, but in general there are more than 4,000 user-agent stored in the file.
When "--level" is set to 3 or higher, Sqlmap detects if there is an injection vulnerability in user-agent, and more information about "--level" is shown below.
6.Host
Parameter:--host
Use this parameter to manually specify the host value in the HTTP header.
When "--level" is set to 5 or higher, Sqlmap detects if the host has an injection vulnerability, and more information about "--level" is shown below.
7.Referer
Parameter:--referer
Use this parameter to specify the Referer value in the HTTP header. Sqlmap sends an HTTP request header with no referer field.
When "--level" is set to 3 or higher, Sqlmap detects if there is an injection vulnerability in referer, and more information about "--level" is shown below.
8. Additional HTTP Headers
Parameter:--headers
Use this parameter to add a field to the header of the HTTP request message sent by Sqlmap, separated by "\ n" If multiple fields are added. such as command:
python sqlmap.py -u "http://192.168.56.101:8080/" -v 5 --headers "X-A:A\nX-B: B"
The HTTP request packet sent is:
GET / HTTP/1.1 X-B: B Host: 192.168.56.101:8080 Accept-encoding: gzip,deflate X-A: A Accept: */* User-agent: sqlmap/1.1.10#stable (http://sqlmap.org) Connection: close
The parameter "-V 5" is for the HTTP request packet sent by the Sqlamp output, so we could observe it.
9. Identity Verification
Parameters:--auth-type and--auth-cred
These parameters are used for identity authentication. "--auth-type" is used to specify the authentication method and supports the following three types of authentication methods:
"--auth-cred" is used to give credentials for identity authentication, in the form of "Username:password".
Such as:
python sqlmap.py -u "http://192.168.136.131/sqlmap/mysql/basic/get_int.php?id=1" --auth-type Basic --auth-cred "testuser:testpass"
10. Certificate-based Identity authentication
Parameter:--auth-file
If the Web server requires the client to provide a certificate, you can use this parameter to specify a certificate file in PEM format. We know that the SSL protocol client authentication is optional, in practice generally only use the server side to provide their own certificates for client authentication, rarely require clients to provide their own certificates.
11. Ignore 401
Parameter:--ignore-401
Use this parameter to ignore the 401 error (not certified).
12.HTTP (S) proxy
Parameters:--proxy 、--proxy-cred 、--proxy-file and--ignore-proxy
Use the parameter "--proxy" to set an HTTP (s) proxy, in the format "HTTP (s)://url:port". If the agent needs authentication, use the parameter "--proxy-cred" to provide authentication credentials, the format is "Username:password".
Use the parameter "--proxy-file" to specify a file that stores the proxy list, SQLMAP will use the proxy in the file in turn, and when an agent has any connection problems, it will be discarded and replaced by an agent.
Use the parameter "--ignore-proxy" to ignore the local proxy settings.
13.Tor Anonymous Network
Parameters:--tor 、--tor-type 、--tor-port and--check-tor
For whatever reason, if you want to keep the anonymous state from using a single HTTP (S) proxy, you might as well install software like Privoxy to configure a Tor client as instructed by the Tor installation. When set, use the parameter "--tor" to let Sqlmap automatically set up to use Tor proxy.
If you want to manually specify the type and port of Tor you can use the parameters "--tor-type" and "--tor-port", such as:
--tor-type=SOCKS5 --tor-port 9050
If a high degree of anonymity is required, the parameter "--check-tor" can be used, and sqlmap will ensure that all traffic goes to the Tor agent, and if the Tor agent fails, Sqlmap warns and exits. The detection method is to access the is you using Tor?.
Add delay between 14.HTTP requests
Parameter:--delay
Sending requests too frequently may be perceived by the website or have other undesirable consequences. Use the parameter "--delay" to specify the delay between HTTP requests in seconds and the type is a floating-point number, such as "--delay 1.5" for a delay of 1.5 seconds. The default is no delay.
15. Timeout
Parameter:--timeout
The timeout period defaults to 30 seconds, and you can specify a time-out by using the parameter "--timeout", such as "--timeout 44.5", which indicates that the setting time-out is 44.5 seconds.
16. Maximum retry times after timeout
Parameter:--retries
Sqlmap retries After a timeout, the maximum number of retries defaults to 3, and the maximum number of retries can be specified with the parameter "--retries".
17. randomization of parameter values
Parameter:--randomize
With this parameter, Sqlmap randomly generates the value of the parameter in each HTTP request, the type and length of the value according to the original value.
18. Filtering agent logs with regular expressions
Parameter:--scope
Specifies a python regular expression to filter the agent log, testing only the targets that match the regular expression, such as:
python sqlmap.py -l burp.log --scope="(www)?\.target\.(com|net|org)"
19. Avoid excessive error requests and be blocked
Parameters:--safe-url 、--safe-post 、--safe-req and--safe-freq
Sometimes the server detects that a client error request is too many to block it, and sqlmap test often generates a large number of error requests, in order to avoid being masked, can occasionally produce several normal requests to confuse the server. The following four parameters are related to this mechanism:
- --safe-url: A secure URL that is accessed every other minute
- --safe-post: Post data to be carried when accessing secure URLs
- --safe-req: Loading a secure HTTP request from a file
- --safe-freq: A secure URL that will be accessed after each test request
Here the so-called secure URL refers to a URL that returns 200 without any error. Accordingly, Sqlmap does not perform any injection testing of the secure URLs.
20. Turn off URL encoding
Parameter:--skip-urlencode
Sqlmap URLs are URL-encoded by default and can be used to turn off URL encoding.
21. Bypassing CSRF Protection
Parameters:--csrf-token and--csrf-url
There are now many websites that prevent csrf attacks by adding hidden fields with values of randomly generated tokens in the form, and Sqlmap automatically recognizes this protection and bypasses it. However, automatic recognition is likely to fail, and these two parameters are used at this time.
The "--csrf-token" is used to specify the name of the hidden field that contains the token, and if the field name is not a common field name that prevents CSRF attacks, sqlmap may not be recognized automatically and needs to be specified manually. The field named "Csrfmiddlewaretoken" in Django is obviously related to the CSRF attack.
"--csrf-url" is used to reclaim the token value from any URL. This parameter is useful if the original vulnerable target URL does not contain a token value and requires that the token value be extracted at a different address.
22. Enforcing the use of SSL
Parameter:--force-ssl
23. Execute a specific Python code before each request
Parameter:--eval
See examples directly:
python sqlmap.py -u "http://www.target.com/vuln.php?id=1&hash=c4ca4238a0b923820dcc509a6f75849b" --eval="import hashlib;hash=hashlib.md5(id).hexdigest()"
Sqlmap will recalculate the hash value based on the ID value and update the hash value in the GET request before each return request
Safety test ===sqlmap (0) reprint