[sqlmap-users] New feature: direct connection to the database (-d switch)
From: Bernardo D. A. G. <ber...@gm...> - 2010-11-24 15:12:22
Hi,

As we announced last week, let's kick off with the posts about sqlmap's shiny new features that will culminate with the release of version 0.9 in early 2011!

Feature: direct connection to a database management system
Switch involved: -d
Generic syntax: DBMS://USER:PASSWORD@DBMS_IP:DBMS_PORT/DATABASE_NAME
Sample syntax: python sqlmap.py -d mysql://root:testpass@192.168.136.131:3306/mysql -v 2

This feature has been around since May or so; I even presented it during my speech at AthCon[1] back in June.

So far sqlmap has been yet another SQL injection tool, used by web application penetration testers/newbies/curious teens/computer addicts/punks and so on. Things move on and as they evolve, we do as well. Now it supports this new switch, -d, which allows you to connect from your machine to the database server's TCP port where the DBMS instance is listening, given valid credentials, IP address, TCP port and database name.

All in all, it can now also be handy at first sight during infrastructure assessments: you can use sqlmap to attack database servers either by leveraging SQL injection vulnerabilities in web applications or by connecting directly to the database given valid credentials. All of the fingerprint, enumeration and takeover functionalities stand and work in both scenarios. If they don't, there's a bug and you're gently encouraged to report it.

It relies on Python bindings for the MySQL protocol, PostgreSQL protocol and so on, and the code has been implemented in the plugins/dbms/*/connector.py files. Other modifications have been applied here and there in lib/ subfolders to make the switch work too.

Let's make an example:

--8<--
$ python sqlmap.py -d mysql://root:testpass@192.168.136.131:3306/mysql -v 2 --dbs

    sqlmap/0.9-dev - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 15:11:38

[15:11:38] [DEBUG] cleaning up configuration parameters
[15:11:38] [INFO] using '/home/inquis/software/sqlmap/subversion/trunk/sqlmap/output/192.168.136.131/session' as session file
[15:11:38] [DEBUG] forcing timeout to 10 seconds
[15:11:38] [INFO] connection to mysql server 192.168.136.131:3306 established
[15:11:38] [INFO] testing MySQL
[15:11:38] [DEBUG] query: SELECT CONNECTION_ID()=CONNECTION_ID()
[15:11:38] [INFO] confirming MySQL
[15:11:38] [DEBUG] query: SELECT ISNULL(1/0)
[15:11:38] [DEBUG] query: SELECT 0 FROM information_schema.TABLES LIMIT 0, 1
[15:11:38] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.0
[15:11:38] [INFO] fetching database names
[15:11:38] [DEBUG] query: SELECT schema_name FROM information_schema.SCHEMATA ORDER BY 1
available databases [3]:
[*] mysql
[*] testdb
[*] information_schema

[15:11:38] [INFO] connection to mysql server 192.168.136.131:3306 closed

[*] shutting down at: 15:11:38
--8<--

And another one:

--8<--
$ python sqlmap.py -d oracle://SYS:testpass@192.168.136.131:1521/testdb -v 1 --users

    sqlmap/0.9-dev - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 15:06:08

[15:06:08] [INFO] using '/home/inquis/software/sqlmap/subversion/trunk/sqlmap/output/192.168.136.131/session' as session file
[15:06:08] [INFO] successfully connected as SYSDBA
[15:06:08] [INFO] connection to oracle server 192.168.136.131:1521 established
[15:06:08] [INFO] the back-end DBMS is Oracle
back-end DBMS: Oracle
[15:06:08] [INFO] fetching database users
database management system users [21]:
[*] MDDATA
[*] MGMT_VIEW
[*] ANONYMOUS
[*] DIP
[*] SYS
[*] SI_INFORMTN_SCHEMA
[*] CTXSYS
[*] OUTLN
[*] TSMSYS
[*] DBSNMP
[*] WMSYS
[*] SYSMAN
[*] OLAPSYS
[*] XDB
[*] EXFSYS
[*] ORDPLUGINS
[*] DMSYS
[*] SCOTT
[*] MDSYS
[*] SYSTEM
[*] ORDSYS

[15:06:09] [INFO] connection to oracle server 192.168.136.131:1521 closed

[*] shutting down at: 15:06:09
--8<--

[1] http://bernardodamele.blogspot.com/2010/06/got-database-access-own-network.html

Cheers,

--
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F
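A small parser for the -d connection string format described in the post, added here as an example and not sqlmap's own code. The postgresql/mssql scheme names and the default-port table are assumptions the post does not make; the redaction helper shows how to log such a DSN without the credential it carries.

```python
"""Parse sqlmap-style direct-connection strings: DBMS://USER:PASSWORD@HOST:PORT/DATABASE."""
from dataclasses import dataclass
from urllib.parse import unquote, urlsplit

# Assumed scheme -> default TCP port table (hypothetical; the post only shows mysql and oracle).
DEFAULT_PORTS = {"mysql": 3306, "postgresql": 5432, "oracle": 1521, "mssql": 1433}


@dataclass(frozen=True)
class DirectConnection:
    dbms: str
    user: str
    password: str
    host: str
    port: int
    database: str


def parse_direct_connection(dsn: str) -> DirectConnection:
    """Split a DSN into its parts, rejecting unknown schemes and incomplete strings."""
    parts = urlsplit(dsn)
    dbms = parts.scheme.lower()
    if dbms not in DEFAULT_PORTS:
        raise ValueError(f"unsupported DBMS scheme: {parts.scheme!r}")
    if parts.username is None or parts.hostname is None:
        raise ValueError("connection string needs USER@HOST")
    database = parts.path.lstrip("/")
    if not database:
        raise ValueError("connection string needs /DATABASE_NAME")
    # urlsplit() ends the netloc at the first '/', '?' or '#', so a password
    # containing those characters must be percent-encoded; unquote() restores it.
    password = unquote(parts.password or "")
    # parts.port raises ValueError itself if the port is present but not numeric.
    port = parts.port if parts.port is not None else DEFAULT_PORTS[dbms]
    return DirectConnection(dbms, unquote(parts.username), password, parts.hostname, port, database)


def redact(dsn: str) -> str:
    """Return the DSN with the password masked, safe to write to logs or reports."""
    c = parse_direct_connection(dsn)
    return f"{c.dbms}://{c.user}:***@{c.host}:{c.port}/{c.database}"


if __name__ == "__main__":
    print(parse_direct_connection("mysql://root:testpass@192.168.136.131:3306/mysql"))
    print(redact("oracle://SYS:testpass@192.168.136.131:1521/testdb"))
```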