Embed Size (px)
Citation preview
8/13/2019 Automatic SQL Injection Tool - Sqlmap _ Linux Blog
http://slidepdf.com/reader/full/automatic-sql-injection-tool-sqlmap-linux-blog 1/3
Linux Blog
home posts rss about forum
Automatic SQL injection tool - sqlmapPosted by Nikesh Jauhari
Whatever you do with this tool is uniquely your responsibility. If you are not authorized to punch
holes in the network you are attacking be aware that such action might get you in trouble with a
lot of law enforcement agencies.
sqlmap goal is to detect and take advantage of SQL injection vulnerabilities in web applications.
Once it detects one or more SQL injections on the target host, the user can choose among a
variety of options to perform an extensive back-end database management system fingerprint,
retrieve DBMS session user and database, enumerate users, password hashes, privileges,
databases, dump entire or user's specific DBMS tables/columns, run his own SQL statement, read
specific files on the file system and more.
sqlmap has support for MySQL, Oracle, PostgreSQL and Microsoft SQL Server back-end
database management systems. Besides these four database management systems software,sqlmap can also identify Microsoft Access, DB2, Informix, Sybase and Interbase
sqlmap Installation:
Download the sqlmap .deb package from here, double click on this downloaded file to install
sqlmap along with all the required dependency.
Using sqlmap:
Let's say that you are auditing a web application and found a web page that accepts dynamic
user-provided values on GET or POST parameters or HTTP Cookie values or HTTP User-Agent
header value. You now want to test if these are affected by a SQL injection vulnerability, and if so,
exploit them to retrieve as much information as possible out of the web application's back-end
database management system or even be able to access the underlying operating system.
Consider that the target url is:
http://<server ip>/sqlmap/mysql/get_int.php?id=1
Now pass the original address to sql map using command:
sqlmap -u "http://<server ip>/sqlmap/mysql/get_int.php?id=1" -v 1
L
Ho
Ho
po
Ho
Ord
Ho
Con
Use
Lin
Ho
Acc
Get
Ho
►
►
▼
omatic SQL injection tool - sqlmap | Linux Blog
3
8/13/2019 Automatic SQL Injection Tool - Sqlmap _ Linux Blog
http://slidepdf.com/reader/full/automatic-sql-injection-tool-sqlmap-linux-blog 2/3
0 6
Sqlmap will automatically:
* Identify the vulnerable parameter(s) (id in this scenario);
* Depending on the user's options, fingerprint, enumerate, takeover the database server.
sqlmap demo:
You can watch more demo videos, they are hosted on YouTube.
You might also like:
SQL injection Tool - Havij
SQL Injection Tool - sqlninjaDetection & Exploitation Of SQL Injection Flaws - Safe3 SQL Injector Tool to Detect SQL Injection - SQLInject-Finder Protect MySQL Database from SQL injection attacks - GreenSQL
►
►
►
►
0
omatic SQL injection tool - sqlmap | Linux Blog
3
8/13/2019 Automatic SQL Injection Tool - Sqlmap _ Linux Blog
http://slidepdf.com/reader/full/automatic-sql-injection-tool-sqlmap-linux-blog 3/3
Linkwithin
0 comments:
Post a Comment
Comment as:
Publish
omatic SQL injection tool - sqlmap | Linux Blog
3
![[In]Seguridad Informática_ [SQLMAP] SQL Injection utilizando método POST](https://img.pdfslide.net/doc/110x75/55cf9c00550346d033a83470/inseguridad-informatica-sqlmap-sql-injection-utilizando-metodo-post.jpg)
![[In]Seguridad Informática_ SQL Injection to Shell with SQLMap](https://img.pdfslide.net/doc/110x75/55cf9c00550346d033a83478/inseguridad-informatica-sql-injection-to-shell-with-sqlmap.jpg)
