Sqlmap methods used in penetration testing

Source: Internet
Author: User

Objective:

This article only explains how sqlmap is used; please do not test these attacks against sites on the Internet. Environment: CentOS 6.6, sqlmap version 0.9, and a target machine set up in advance with a deliberately vulnerable site. The lab scenario is that the test site is found to have an injection vulnerability; sqlmap is used to exploit it and, finally, to dump the entire database to the local machine.


Experiment Demo:

    1. Test Site

[Screenshot qq20150717-1.jpg: the test site]


Clicking a category shows that changing the id in the URL jumps straight to the corresponding page, so we append "and 1=2" after the URL to test it; the results are as follows:

[Screenshot qq20150717-2.jpg: result of the "and 1=2" test]

[Screenshot qq20150717-3.jpg: result of the "and 1=2" test, continued]

Because the program does not filter the parameter, we can control what the SQL query returns: when the appended condition is false, the page content changes. That is enough to show the SQL injection flaw is exploitable.
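As an added illustration (not part of the original post), the Python below models the unfiltered page and the boolean test just performed by hand, next to a parameterized version of the same query. The in-memory database, its articles table and the page handlers are constructed stand-ins, not the blog's target or its "lesson" database.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the test site's backend: articles looked up by id."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT)")
    con.executemany("INSERT INTO articles VALUES (?, ?)",
                    [(1, "first post"), (2, "second post")])
    return con


def page_vulnerable(con, id_param):
    """The unfiltered page: the id parameter is pasted straight into the SQL text,
    so 'and 1=2' becomes part of the WHERE clause and empties the result."""
    sql = "SELECT title FROM articles WHERE id=" + id_param
    try:
        rows = con.execute(sql).fetchall()
    except sqlite3.Error:
        return "database error"
    return rows[0][0] if rows else "no such article"


def page_fixed(con, id_param):
    """Hardened page: the value is bound as a query parameter, so 'and 1=2' is
    just a string that matches no id, never SQL."""
    rows = con.execute("SELECT title FROM articles WHERE id=?", (id_param,)).fetchall()
    return rows[0][0] if rows else "no such article"


def boolean_injectable(fetch, base_value="1"):
    """The boolean-based check the article does by hand (and sqlmap automates):
    a true condition must leave the page unchanged, a false one must change it."""
    baseline = fetch(base_value)
    true_page = fetch(base_value + " and 1=1")
    false_page = fetch(base_value + " and 1=2")
    return true_page == baseline and false_page != baseline


def check_site(page):
    """Run the boolean check against a page handler; True means injectable."""
    con = make_db()
    return boolean_injectable(lambda v: page(con, v))


if __name__ == "__main__":
    print("vulnerable page injectable:", check_site(page_vulnerable))  # True
    print("fixed page injectable:", check_site(page_fixed))            # False
```

The check compares three responses rather than looking for an error message: a site that suppresses database errors still leaks the truth value of the injected condition through the page content, which is exactly the signal used here.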


2. sqlmap Tool

Now that the injection point is known, we use the sqlmap tool to test it.

[Screenshot qq20150717-4.jpg: sqlmap --batch -u run]

[Screenshot qq20150717-5.jpg: sqlmap --batch -u run, continued]

Note: Two sqlmap options are used here, --batch and -u. --batch answers every interactive prompt with its default, which saves us the question-and-answer process. -u gives the target URL to scan.

After the scan completes, we can see that the injection vulnerability has been found: sqlmap reports the injection type and the payload it used, so if manual verification is needed the payload can simply be copied and executed.


Having confirmed that the URL is injectable, we look at which database is in use:

[Screenshot qq20150717-7.jpg: sqlmap --current-db command]

[Screenshot qq20150717-6.jpg: --current-db output]

Note: --current-db retrieves the name of the database the application is currently using; after running it we find a database called "lesson".


Now that the database name is known, we continue by listing the tables in that database:

[Screenshot qq20150717-8.jpg: sqlmap -D "lesson" --tables command]

[Screenshot qq20150717-9.jpg: --tables output]

Note: -D "database name" --tables lists all tables in the specified database. Here the tables of the lesson database are listed. (The flag is upper-case -D; lower-case -d is a different option, a direct database connection string.)


With the table name we can go on to view the structure of the table.

[Screenshot qq20150717-11.jpg: sqlmap -D -T --columns command]

[Screenshot qq20150717-10.jpg: --columns output]

Note: since images uploaded to 51cto carry a watermark, here is the command written out again:

sqlmap --batch -D "xxx" -T "xxx" --columns -u "xxxxxxxxxxx"

The options used here are -T and --columns. -T works the same way as -D but takes the table name; --columns retrieves the structure (column names and types) of that table.


Knowing the table structure, I need to look at the values of the adm_name and adm_pwd columns, so I run the following:

[Screenshot qq20150717-13.jpg: sqlmap -C "adm_name,adm_pwd" --dump command]

[Screenshot qq20150717-12.jpg: --dump output]

Note: The options used here are -C "column name" --dump; several columns are separated by ",". Press Enter at the prompts and sqlmap attempts a dictionary attack on any password hashes it finds; the final output shows the retrieved data. What we see here are MD5 hashes, which have to be cracked to recover the plaintext. There are many online MD5 lookup sites; they are not covered here.
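The "online MD5 cracking" sites mentioned above are precomputed lookup tables, and the closing remarks of this article note that salting passwords raises the cost of cracking. As an added example (not code from the original post), the Python below builds a small lookup table from a constructed wordlist, "cracks" a constructed unsalted adm_pwd dump with it, and then shows why the same table finds nothing once a per-user salt is added, while weak passwords still fall to a per-hash wordlist pass. The wordlist, user names, salts and hashes are all constructed here; none of it is data from the blog's target.

```python
import hashlib

# Constructed wordlist standing in for the dictionaries online lookup sites are built from.
WORDLIST = ["123456", "password", "admin", "letmein", "qwerty"]


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def build_lookup(words):
    """Precomputed hash -> plaintext table: what an online MD5 'decrypt' site really is."""
    return {md5_hex(w.encode()): w for w in words}


def crack_unsalted(dumped, table):
    """dumped: [(adm_name, adm_pwd)] with adm_pwd an unsalted MD5 digest, as on the test site.
    One dictionary lookup per row; no hashing at crack time at all."""
    return {name: table.get(h) for name, h in dumped}


def hash_salted(password: str, salt: bytes) -> str:
    """MD5 with a per-user salt prepended (the scheme the closing remarks refer to)."""
    return md5_hex(salt + password.encode())


def crack_salted(dumped, words):
    """dumped: [(adm_name, salt, adm_pwd)]. The lookup table is useless because the salt
    changes every digest, so each row costs its own pass over the wordlist."""
    found = {}
    for name, salt, h in dumped:
        found[name] = next((w for w in words if hash_salted(w, salt) == h), None)
    return found


def demo():
    """Constructed dumps: an unsalted one like the article's, and a salted one."""
    table = build_lookup(WORDLIST)
    unsalted = [("admin", md5_hex(b"admin")),
                ("editor", md5_hex(b"zebra-9x!"))]        # not in the wordlist
    salted = [("admin", b"\x5a\x17", hash_salted("admin", b"\x5a\x17")),
              ("root", b"\xc3\x01", hash_salted("admin", b"\xc3\x01"))]  # same password
    return {
        "unsalted": crack_unsalted(unsalted, table),
        "salted_table_hits": [table.get(h) for _, _, h in salted],
        "salted": crack_salted(salted, WORDLIST),
        "salted_digests_differ": salted[0][2] != salted[1][2],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

The salted rows are still recovered because "admin" is in the wordlist: a salt defeats precomputed tables and stops identical passwords from sharing a digest, but it does not rescue a weak password, which is why the article's advice to filter input matters more than the hashing scheme for this site.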


Now, to pull the whole database down to the local machine, run the following command:

[Screenshot qq20150717-14.jpg: sqlmap --dump-all run]

Note: --dump-all dumps every database to the local machine; the resulting files are placed in sqlmap's output folder.


Summary of Usage:

sqlmap --batch -u "xxxxx"
sqlmap --current-db -u "xxxxxx"
sqlmap -D "xx" --tables -u "xxxxx"
sqlmap -D "xx" -T "xx" --columns -u "xxxxx"
sqlmap --dump-all -u "xxxxx"

One thing to note: some sites sit behind a WAF, and the automated --batch run can trip its alerts, so use it with care.


Personal view:

Nowadays more and more people pay attention to Internet security. Vulnerabilities like the one in this experiment are becoming rarer: most code now gives some attention to security and filters dangerous input such as and 1=2 and ' characters, and passwords in the database are salted before hashing, which to some extent raises the difficulty of cracking.

This article was written to learn the technique; knowing the attack lets you defend better. If anything here is wrong, I hope the experts will point it out. Thank you ~

This article comes from the "A pig who likes Linux" blog; please keep this source when reposting: http://atiger77.blog.51cto.com/5258236/1675613
