Posted on 6/17/2023 11:10:55 AM
Requirements: Use the sqlmap open-source penetration testing tool to test a website interface for injection risk. SQL injection occurs when a web application does not validate the user's input, or filters it too loosely, so that an attacker can append extra SQL to the query the application has already defined. The database server is thereby tricked into executing unauthorized queries without the administrator's knowledge, and the attacker goes on to obtain the corresponding data. In short: the backend interface builds its SQL statements by stitching the request parameters into the query text.
Overview:
sqlmap is an open-source penetration testing tool that automates the process of detecting and exploiting SQL injection vulnerabilities and taking over database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester, and a broad range of switches, including database fingerprinting, fetching data from the database, accessing the underlying file system, and executing commands on the operating system via out-of-band connections.
sqlmap works out of the box on any platform with Python 2.6, 2.7 or 3.x.
sqlmap environment setup
Python download: (link visible only after login)
sqlmap open-source address: (link visible only after login). sqlmap command documentation: (link visible only after login).
First, install Python on the computer (omitted here), then use the git command to download the source code, as follows:
Options:
  -h, --help      Show basic help message and exit
  -hh             Show advanced help message and exit
  --version       Show program's version number and exit
  -v VERBOSE      Verbosity level: 0-6 (default 1)
Target:
At least one of the following options must be present in a sqlmap command to identify the target URL; otherwise sqlmap cannot run normally.
  -d DIRECT       Connection string for direct database connection
  -u URL, --url=URL  Target URL (e.g. "http://www.site.com/vuln.php?id=1")
  -l LOGFILE      Parse target(s) from Burp or WebScarab proxy log file
  -x SITEMAPURL   Parse target(s) from remote sitemap(.xml) file
  -m BULKFILE     Scan multiple targets given in a textual file
  -r REQUESTFILE  Load HTTP request from a file
  -g GOOGLEDORK   Process Google dork results as target URLs
  -c CONFIGFILE   Load options from a configuration INI file
Request:
The following options specify how to connect to the target URL.
  --method=METHOD      Force usage of given HTTP method (e.g. PUT)
  --data=DATA          Data string to be sent through POST
  --param-del=PARA..   Character used for splitting parameter values
  --cookie=COOKIE      HTTP Cookie header value
  --cookie-del=COO..   Character used for splitting cookie values
When testing an injection point with sqlmap, the -v x parameter sets the verbosity of the echoed information. There are 7 levels, 0 to 6; the default is 1.
  0: Show only Python tracebacks, error and critical messages.
  1: Also show basic information and warnings. (default)
  2: Also show debug information.
  3: Also show the injected payloads.
  4: Also show the HTTP requests.
  5: Also show the HTTP response headers.
  6: Also show the HTTP response page content.
ASP.NET Core injection environment setup
Create a new web project with ASP.NET Core and write an interface that contains the injection flaw; the source code is as follows:
Test interface:
Commonly used penetration tests
Enumerate DBMS databases
Use SQL Server Profiler to capture the SQL actually executed by the interface, as shown in the following figure:
select * from [Users] where [Username] = 'itsvse' UNION ALL SELECT NULL,NULL,CHAR(113)+CHAR(98)+CHAR(122)+CHAR(118)+CHAR(113)+(SELECT name FROM master..sysdatabases FOR JSON AUTO, INCLUDE_NULL_VALUES)+CHAR(113)+CHAR(113)+CHAR(118)+CHAR(120)+CHAR(113)-- yHIm'
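The captured statement shows what the "stitching" described at the top of the post amounts to: the Username parameter has become part of the SQL text, so a closing quote followed by UNION ALL SELECT rides into the query, and the trailing -- comments out the quote the backend appended. The following is an added example, not the page's ASP.NET Core code: it reproduces the same concatenation pattern against an in-memory SQLite database (so it runs offline) next to the parameterized form that stops it. The Users and Secrets tables, their rows, and the payload are constructed for this example; the payload only copies the shape of the one above, since master..sysdatabases and FOR JSON are SQL Server features.

```python
import sqlite3

# Constructed sample schema and rows (not from the page).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Id INTEGER, Username TEXT, Email TEXT)")
    conn.executemany(
        "INSERT INTO Users VALUES (?, ?, ?)",
        [(1, "itsvse", "itsvse@example.invalid"), (2, "alice", "alice@example.invalid")],
    )
    # Stand-in for data the lookup was never meant to reach (on the page that
    # role is played by the database list in master..sysdatabases).
    conn.execute("CREATE TABLE Secrets (Id INTEGER, Value TEXT)")
    conn.execute("INSERT INTO Secrets VALUES (1, 'reached-via-union')")
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    # Vulnerable: the request parameter is stitched into the SQL text, exactly
    # the pattern the post describes for the ASP.NET Core interface.
    sql = "select * from Users where Username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    # Hardened: the value is bound as a parameter; the SQL text never changes,
    # so quotes, UNION and comment markers in the input are just characters.
    sql = "select * from Users where Username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Constructed payload with the same shape as the captured statement: close the
# string literal, append a UNION ALL SELECT with as many columns as Users has,
# and comment out the quote the backend appends.
PAYLOAD = "itsvse' UNION ALL SELECT NULL,NULL,(SELECT Value FROM Secrets)-- x"


def demo():
    """Run both lookups with the same input; returns (vulnerable_rows, safe_rows)."""
    conn = make_db()
    vulnerable_rows = lookup_vulnerable(conn, PAYLOAD)
    safe_rows = lookup_parameterized(conn, PAYLOAD)
    conn.close()
    return vulnerable_rows, safe_rows


if __name__ == "__main__":
    vuln, safe = demo()
    print("concatenated query returned:", vuln)   # the itsvse row plus the Secrets row
    print("parameterized query returned:", safe)  # no row has that literal username
```

The concatenated lookup returns the legitimate itsvse row followed by a second row carrying the Secrets value, which is what a UNION-based extraction looks like on the server side; the parameterized lookup returns nothing, because no user is literally named with the whole payload string. Capturing the executed text with SQL Server Profiler, as the post does, is a reliable way to confirm which of the two patterns a given interface follows.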
Enumerate the tables of the specified database
The command is as follows:
For complex HTTP requests, the -r parameter loads the original HTTP request from a text file (capture the request with Burp Suite, then save it as a file). This lets you skip many other options, such as cookie settings and POST data, because they are already contained in the request.
sqlmap is powerful; see the documentation for the more advanced features. (End)
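The file that -r reads is just the raw request as a proxy displays it: a request line, header lines, a blank line, then the body. The following added example (not sqlmap's own code or the page's) parses such a file and lists the parameter locations it carries, which is why cookies and POST data no longer need to be passed as separate options. The request text, host, path, cookie names and form fields are all constructed for this example.

```python
from urllib.parse import urlsplit, parse_qsl

# Constructed sample in the format a proxy such as Burp Suite saves (not from the page).
RAW_REQUEST = (
    "POST /api/Users/Login?source=web HTTP/1.1\r\n"
    "Host: localhost:5000\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Cookie: theme=dark; sid=abc123\r\n"
    "Content-Length: 28\r\n"
    "\r\n"
    "username=itsvse&password=pw1"
)


def parse_raw_request(text):
    """Split a raw HTTP request into method, target, version, headers and body.

    Line endings are normalised so files saved with CRLF or LF both work;
    header names are lower-cased so lookups do not depend on capitalisation.
    """
    text = text.replace("\r\n", "\n")
    head, _, body = text.partition("\n\n")
    lines = head.split("\n")
    method, target, version = lines[0].split()
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def request_parameters(req):
    """Return every (location, name) pair the request carries.

    These are exactly the inputs the backend has to validate and bind as
    query parameters: query-string fields, form-body fields and cookies.
    """
    params = [("GET", k) for k, _ in parse_qsl(urlsplit(req["target"]).query)]
    ctype = req["headers"].get("content-type", "")
    if ctype.startswith("application/x-www-form-urlencoded"):
        params += [("POST", k) for k, _ in parse_qsl(req["body"])]
    for chunk in req["headers"].get("cookie", "").split(";"):
        if "=" in chunk:
            params.append(("Cookie", chunk.split("=", 1)[0].strip()))
    return params


if __name__ == "__main__":
    req = parse_raw_request(RAW_REQUEST)
    print(req["method"], req["target"], "->", req["headers"]["host"])
    for location, name in request_parameters(req):
        print(f"{location:7s} {name}")
```

Every name this prints is a value that reaches the backend from the client, and each one must be handled as a bound parameter rather than concatenated into SQL; keeping the saved request alongside the fix makes it easy to re-run the same test after the interface is changed.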