[COURSE_PTHE] 14. SQL Injection

1. Introduction: SQL Injection

    This Web Application lecture video introduces you to SQL Injection, a hacking technique that uses malicious SQL statements.

    This module explores SQL Injection in detail, and the SQL Injection lab series demonstrates how malicious SQL statements work and discusses how to defend against them. The module also explores the different types of SQL Injection and how to configure the penetration testing tools used in the labs so that they work effectively for you.

    You'll also learn the ins and outs of evasion techniques, the database administration countermeasures they are aimed at, and how to avoid getting caught during your penetration testing.

    The topics explored in the SQL Injection module include:

  • Whiteboard, which shows the interrelationship of all the basic components you’ll utilize for this module
  • And the following simulation labs:
    • BlindElephant Lab
    • phpID Lab
    • sqlmap Lab
    • SQL Injection

    Hi, Leo Dregier here. We are going to talk about SQL injection. Now at first you may think, hey, that is just the database, what can possibly go wrong, right? Well, most web applications connect to some sort of backend database, whether it be MySQL or Microsoft SQL or Oracle or any other database. Databases are basically a file of stuff, but we are going to look at that file and all the information in the databases, and we are going to see how that plays into the whole session here. So I am going to look at the different SQL injection attacks; we are going to look at ways in which a company or client can defend against SQL injection; the different types of, is it even possible? Are you working in a way in which you can see the results of your attack, or are you working completely blind? I like to use the example of just poking and prodding around when you can't see what is going on in front of you. Because in many cases, think of the error messages or information that is disclosed to you: how do you know if your SQL injection attack works? So we can start off at the basics, we are going to cover everything from what SQL injection is, but quickly we are going to move into the advanced SQL injection attacks. One of my favorite things I do in the introduction of SQL injection is just Google "SQL injection" and see what you come up with. There are loads of information out there from which you can learn this very, very effectively. Now, it takes years and years and years to become a seasoned database administrator and only seconds for an attack to basically be realized. So we are going to look at everything from getting our applications and operating systems to execute code for us, whether it be the command line or some sort of web application doing it for us. We are looking at bypassing, and basically poking and prodding around the web application and database relationship, to get the applications to do what we want.

    We will follow up with the different types of evasion techniques, so that we don't get caught as a penetration tester, and then how companies can defend themselves. So stay tuned, we are going to get started right now.

 

2. Framework (whiteboard)

    This whiteboard lecture video covers SQL Injection in detail. SQL injection is one of the more popular web application hacking methods. When this attack is used, an unauthorized person can access the database behind a website and extract data from it.

    Welcome to the SQL injection module, lots of exciting stuff here. This is another module where it would take years and years and years for us to really master this stuff and get it to the point where you can just do it. So I don't expect a new person to be able to just go out there and SQL inject the world, but with a little bit of practice we will get better. So this is another one of those modules where you can have a cheat sheet. There are lots of different database languages, and so if you are going to go from MySQL to SQL to Oracle etc., use the cheat sheets; it will help you remember how it works in one particular language or the other. Also, most database people know MySQL inside and out, but they may not know Oracle, or they know MSSQL but they may not know MySQL, realistically. It is just databases, and different databases speak derivatives of the same language. It is kind of like if you learn Spanish, it is not too hard to pick up Portuguese or Italian for that matter.

    So, concepts here: ultimately you have to be able to analyze between the client and the server, and it all starts with something as simple as an HTTP POST request. This is where we can sniff traffic and analyze that request; it could be a network sniffer like Wireshark or tcpdump, but it also could be a tool like Burp Suite to basically dissect this client-to-server traffic. If you look at the client talking to the server, normal conversation, this is what we call normal conversation, normal code analysis. The pen tester needs to understand what normal looks like, then they start deviating from the norms to get the computer program to basically do what they want. Ultimately, in database language, this is what it is going to come down to: there are certain parameters like the UPDATE parameter. This is when the client sends the server something like update something in the database, or SELECT something FROM the database WHERE the values are equal to whatever they are, or get something from my table, just a generic table name in that sense. Or just DROP the whole field, the record, the row, the column, the database, the table. Okay, so it is everything about the client or server: once you get to the table, once you are in the particular database, then the table, then it is the columns and then it is the rows. So you can kind of think of this hierarchically.

    Let us talk about some of the attacks. Ultimately what you can do, if you get skilled at SQL injection, is remote code execution. Also you can knock that database offline, therefore nobody else can access it; that is an attack on availability. You can use tricks like bypassing authentication: maybe send the admin credentials followed by a single tick and dash dash, which is a comment marker, and then comment out the requirement for the password. Maybe just get directly into it as admin, a little bit of a dated technique, but nonetheless in the older days of SQL injection it was just that simple: just comment out the password field and the server would just follow the programming logic. Okay, no password, that was me. Information disclosure: whatever is in the database ultimately could get disclosed. There are advanced SQL injection techniques, at least I will show the theory, in which you can start enumerating database names, table names, column rows and then field names, field characters. You can change the integrity of the database and the tables; you could do things like password grabbing. You can transfer the whole database from the server to the client, one of my favorite techniques; one technique, you have the whole database. Or allow the database to interact with the operating system; this is where you can start doing things like pinging and traceroute or any sort of operating system commands that you would typically be able to do at the command prompt.

    So let us talk about some of the tools. Okay, does the database exist? Where is it? Ultimately you need to enumerate that. Once you find out what database it is, then we must start listing the fields inside the database. We can do some basic injection tests, test what sort of input validation is actually present, start doing things like the UNION command, then dissect our error messages to see if we can get any more information. Some of the traditional attack characters here are the single tick or the double tick; basically this is what we call string indicators. You can do comment markers like either dash dash or a pound sign. You can do multiple inline comments; this is also great for obfuscation techniques. You can add the plus sign, in addition you can do pipes like a solid bar, you can do wildcards with the percent character. You can add things like AND 1=1 dash dash, or you can start adding additional parameters into the database query like ORDER BY, and then you can start sorting it ascending or descending, etc.

    But while those are some of the basic attack characters, let us talk about the basic types. You have blind SQL injection; this is where you are trying to poke and prod the database but you are not getting any information back. So you really don't know if it is erroring or not, because the error messages are not coming back to you, the penetration tester. You kind of counter that with the WAITFOR command and see if the application actually waits or not. But the trick to the WAITFOR command is you don't want to make your timeout so long that you are sitting there waiting, and you don't want it to be so short that you can't figure out whether it waited or not. You have simple SQL injection like the single tick, or the 1=1 dash dash and things like that. You have your UNION command; this is a great technique because what you are doing is you are sending a query from the client to the server and you are saying, give me this out of the table and, by the way, give me something else from another table. UNION meaning combining from some other table name. Or error-based injection.

    Before we go into the advanced stuff, let us hit the tools. SQL injection has gotten really easy in the last couple of years because of tools like BSQL Hacker, SQL Power Injector or Havij, or a variety of other tools that are on the BackTrack or Kali operating systems.

    So let us start taking apart some of the basics of advanced SQL injection. There are certain parameters that you can add to a URL string, and then you can start guessing things like the user fields and the database names, and it is basically an attack where you basically say: if the ASCII of the lower of the substring of the user is equal to, and one, and your parentheses, and then 97, 98, 99, 100, you can start mapping out, and so this would translate to the characters A, B, C, D, E, F etc. So you could keep doing this and start gaining what character, and what order that character is in. And then you can start enumerating the database tables, columns, rows, names, etc. If you want to go after user accounts, you just go after the user. If you want to go after the database name, they have slightly different syntax, but it all comes from the basic character strike here, and then you can combine this with the WAITFOR DELAY, especially if you are doing this blind, and see if it actually waits for ten seconds or not.

    Or you can go into the evasion techniques. Well, if you are going to poke and prod the database, you don't want to do it in a way that is going to set off the alarm systems. So the basic way in which we do this is we try to encode or obfuscate or hide our characters. Remember, the security admin or the database programmer should be doing some sort of input validation. So we just need to find what the rules that they put in place are, and then start bypassing those rules. Some of the ways in which we can do that: we can take our regular SQL expression and we can encode that in hex. So the input validation may have been done in ASCII but not in hex. We just encode it in a different encoding language like hex or Base64 or something like that, or UTF, in a way that the server-side component is not looking for. Well, then you just defeated their rules. Also, you can put things like inline comments or multi-line comments in between things to help obfuscate the 1=1. So it will be like the number one, start comment, end comment, one. So you have got a bunch of comments in between that. Realistically, you know, the person writing the code there would probably think, would anybody construct a statement like that, where you are just obfuscating and then trying to bypass their input validation filters? Or you can use character encoding, which is one of my favorite techniques; it is a little bit lengthy to do that and it does require you to think in character language. But after a while you can start thinking in 47, 32, 117, etc. and then you can start writing these; it is kind of like The Matrix, after a while you just see the code. After a while you just see the characters, but it is a great evasion technique, because realistically the person that wrote the input validation filter on the other side, they had better have really thought of all the possible ways to try to prevent me from doing something like this. So if you get really, really good with SQL injection, you can try to stop me, but good luck.

    If you were to try and stop me, here are the types of things I would hope you would do. I would hope that you set minimal privileges on the database, because if your database is tied to a superuser account and I get access to it, I am now going to be executing things as a superuser. So hopefully you have the concept of least privilege in place, and if I do get access to it, I get very, very little as a result. Hopefully I am going to interact with the (indiscernible 0:11:06) that cuts off half of the things I can do in terms of interacting with the operating system, doing things like pinging and traceroute and IP configuration and things like that. Hopefully you are suppressing error messages. The more information I get in terms of error messages ("hey, table so-and-so not found"), well, now I know your table name. So if you suppress those error messages or use custom error messages, that is much better. Actually monitor your database: see who is accessing it, how many things are getting put into it, are you even backing it up? These are all really, really good ideas in terms of countermeasures to prevent me, the penetration tester, from getting access to your stuff. Hopefully you are filtering content; hopefully you have rules that flag for Base64 encoding, because at least if you are doing that, well, then I would have a hard time avoiding the alarm system going off. Also, test your code in a secure environment. I would hope that you would be doing this by now, but it never ceases to amaze me that people just don't test their code. The developers write their stuff, they make changes to live databases, and then someone comes across and exploits your stuff. One of the best examples to do is go to Google and search for "vulnerable SQL injection sites" and then whatever year you are looking for, and somebody has already compiled a list of all of the websites that have been found that are basically vulnerable. Ethically, don't go penetration testing on a live site or somebody else's stuff. We have got ethics; nothing is worth your own integrity. You should also be using URLScan: scan the URL, see what goes back and forth, and use the tools, use things like URLScan and then intrusion detection rules as well. The reason why I chose those is, one, because they do a phenomenal job, and two, learning how to write regular intrusion detection rules is good because basically you know exactly what you are looking for; you can write your own rule for that, update your Snort rules. You do have to have some sort of intrusion detection mindset, but notice the problem here: defensively, you have to have an intrusion detection mindset, you have to have a code developing mindset, you have to have a programming mindset; these qualities in one single person are very, very rare. So now, defensively, you have to have a team of people just to stop a person like myself.

    So in the world of SQL injection, since we are all connected with databases these days, it is not that hard for me to start poking and prodding websites. It is actually relatively easy, plus there are a lot of tools out there that are basically point-and-click script stuff. So with a little bit of script mentality, plus an insight into how databases work, and combine that with even more insight into the different types of databases that are out there, I mean the penetration tester is virtually unstoppable at this point, especially when you get into the advanced SQL injection techniques. So if you want to add value to your stuff, you want to add value to your career, you are going to have to be able to dissect this stuff. And the rules of making money are, you have got to deposit into the bank before you can withdraw from the bank. Here it is the same thing: you have to secure your code to prevent someone else from getting access to your code. So keep that in mind, and let us look at some examples.
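The authentication bypass with a tick and a comment marker, the UNION pull from a second table, and the parameterised query that defeats both, as an added example that is not part of the lecture. It runs against an in-memory SQLite database whose tables (users, products), rows and function names are all constructed for the demo and come from no real site.

```python
"""Added example (not from the lecture): a string-built SQL query next to its
parameterised fix, run against an in-memory SQLite database. The tables, rows
and function names are constructed for the demo."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Throw-away database with constructed sample data."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin', 'S3cret!'), (2, 'bob', 'hunter2');
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL);
        INSERT INTO products VALUES (1, 'widget', 9.99), (2, 'gadget', 19.99);
        """
    )
    return con


def login_vulnerable(con, username: str, password: str):
    """The classic bug: input is pasted into the query text, so the input can
    close the string literal and rewrite the rest of the WHERE clause."""
    sql = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    row = con.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(con, username: str, password: str):
    """Fix: the query text is constant and the input travels as bound
    parameters, so a quote or comment marker in it is just data."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = con.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def product_vulnerable(con, product_id: str):
    """Numeric parameter with no quoting at all: a UNION bolts a second SELECT
    onto the query and returns rows from another table in the product columns."""
    sql = "SELECT name, price FROM products WHERE id = " + product_id
    return con.execute(sql).fetchall()


def product_safe(con, product_id: str):
    """Fix: check the type (int() rejects anything that is not a number),
    then bind the value."""
    sql = "SELECT name, price FROM products WHERE id = ?"
    return con.execute(sql, (int(product_id),)).fetchall()


def demo() -> dict:
    con = make_db()
    results = {
        # admin'-- closes the string and comments out the password check
        "bypass_comment": login_vulnerable(con, "admin'--", "wrong"),
        # ' OR '1'='1 makes the WHERE clause true for every row; the first
        # row in rowid order (admin) is the one the application sees
        "bypass_or": login_vulnerable(con, "x' OR '1'='1", "x' OR '1'='1"),
        # the same payload through the parameterised query finds nothing
        "safe_comment": login_safe(con, "admin'--", "wrong"),
        # UNION the users table onto a product lookup (sorted: UNION output
        # order is not guaranteed)
        "union": sorted(
            product_vulnerable(con, "1 UNION SELECT username, password FROM users")
        ),
    }
    try:
        product_safe(con, "1 UNION SELECT username, password FROM users")
        results["safe_union"] = "ran"
    except ValueError:
        results["safe_union"] = "rejected"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The time-based variant mentioned in the lecture (WAITFOR DELAY on Microsoft SQL Server, SLEEP() on MySQL) has no SQLite equivalent, so this block stays with the visible and UNION cases; the fix is the same for all of them: keep the query text constant, pass input as bound parameters, and reject input of the wrong type before it reaches the database.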

 

3. Using BlindElephant

    The first hands-on lab demonstration in the SQL Injection series introduces you to BlindElephant.

    BlindElephant is a Python tool that fingerprints web applications (content management systems and their plugins, and their versions) from the static files they expose.

    In this lab you'll learn the intricacies of configuring BlindElephant, including how the number of probes it sends decides whether your traffic stands out or blends in with regular web application traffic.

    As an effective penetration tester and ethical hacker, it's critical that you know this tool intimately so that you can recognize its characteristics.

    From the BlindElephant lab, you'll also learn why tabbing through the tool's options at the command line is the most efficient way to navigate as you configure it.

    Hi, Leo Dregier here. I want to check out a little utility, BlindElephant. So what we are going to do is just start fresh here with the terminal, or actually let us start with the applications menu. On Kali Linux, go into Web Applications and then CMS Identification; there is a Python script that you can run, BlindElephant. It is 'BlindElephant', don't forget it is going to be case sensitive, so if you start searching for lowercase b and e in blindelephant you are not going to find it, clearly. The options that you want are the URL and then the particular app names, which would be the versions of the applications or the plugins that you want to fingerprint. So at the end of the day this is a web application scanner of sorts. Okay, the first thing that you can do is a -h or --help; that will show the whole message on how to actually use it, the syntax. You can have a -p and then the plugin names, like for example WordPress or Joomla. You can do a -s which skips fingerprinting; if you have already done that then you can skip it, but if you are doing this for the first time, don't skip it, or just leave the -s off, so that way you can try to guess the fingerprint. The number of probes that you want to try defaults to fifteen, which is okay, but the more you do, the larger you are making your attack seem; at a hundred you are very, very obvious about what you are doing. If you try to get down to two or three, then you are just going to blend in with the crowd. The -w for window: if more than one version is returned, use the windowing tool to attempt to narrow it down. So that tries to poke and prod the application in a couple of different ways to try to narrow it down. -l lists supported web apps and plugins, then -u to pull the latest update from BlindElephant at sourceforge.net.

    So it is relatively easy to do. You just start typing blind, and I actually like to tab my way through this, that way I don't have to worry about typos. So please get used, if you haven't done it by now, get used to tabbing your way through things: BlindElephant, -u for update, and just let it run. So we will go ahead and let this run and we will get the latest and greatest files, and then we will pick up as soon as it comes back. So that looks like that didn't take too long. Traceback, most recent call last, filename BlindElephant, another file here, tarfile.py is open. So the file could not be opened successfully. The reason is that I actually have another window open. So if I close that out it should work just fine. So update it again, here you go, fetching the latest of this file. It is the same here at this point, so we will see if we get the same error messages back or not. Okay, you can see it is actually pulling files down: URL retrieved, open HTTP and headers, and you can see that this has a web application field to it, which is good. Some of these may time out, it just depends on realistically what is on the server. But it looks like they got most of them. So that is fine, so let us go ahead and do help again and get some syntax here. So it is BlindElephant, then your options, then the URL you want to test, and the particular app name. So the second thing that you want to do here is a -l for list, and then you can see all of the different types of things that it looks for. It has got some Drupal plugins that I can try to guess, it has got Joomla, it has got Moodle, which is a very popular learning management system, osCommerce for e-commerce, that is what we are looking for, phpMyAdmin, which is database control panel stuff, some wikis, some WordPress, 26 plugins for WordPress, and again there are probably a hundred thousand WordPress plugins. It is not a lot of the total surface area, but there are a couple of them here: stats, time, MCE, which is a text editor, Twitter tools and things like that, a couple of e-commerce things and some basic stuff. It is only 26 out of several hundred thousand. So that is the list, and then you can do the probes, which has to do with how aggressive you want to be; you can do plugin names, etc.

    So what we are going to do is we are basically going to do -p, and the specific plugin that we want to do is guess. Basically guess is literally trying to just guess, in as many possible ways as possible, what the content management system on that backend is. So today we are going to use a target that I created for another project some time ago called linuxwarrior. So we are going to put in a URL, http://linuxwarrior.com, and then what we can also do at the end of this is we can actually choose the app name if we want here. So you can either hit enter here, or if you knew it was Joomla you can just put joomla; if you knew it was WordPress you can put wordpress, lowercase, and append it. So we are just going to hit enter here and then let it run, and it actually comes back and tells you: use guess as an app or plugin name to attempt to discover what supported plugins are installed. So it is probably syntax, or it is going to look for wordpress here. And so there you go, so let us go back and make some sense out of that now. So we put specifically wordpress, because in this case I will just tell you that is a WordPress site. But if you didn't know, let us do some comparison here: if we Ctrl-C out of that and just guess wrong, joomla, you can see it will run and take some time. So that is running, and really it is WordPress, and then we can compare what a false positive looks like to a not false positive. So you can see it loaded some Python packages, starting BlindElephant fingerprint operations for wordpress, destination, and it found the hit.

    There is a readme.html file on the server, and one thing we could do is just try to open this up right here and see what is in the readme file. So we go to linuxwarrior, and right there the version is 3.9.3, and I would want to document that. So this is the classic readme file that is left over from a default WordPress installation; it is pretty obvious now. So no real help there other than the specific version, but notice it doesn't give us the version here in the output, but it does in the actual readme file. So one point for us. Also got a hit on wp-includes; the wp- is the convention of WordPress, so that is pretty indicative. That is an easy way you can see that, but it includes here, here, here, etc. You can see it found the JavaScripts and we will go see what is in those JavaScripts. I have got autosave, I have got 27, this happens to be a theme. I could see if that theme is exploitable. You have got some compressed files here, but still the thing does not match the fingerprint. TinyMCE here, and failed to reach the server, not found error, or versions ruled out. So in this case we have got not really what we needed directly from this tool; sometimes it will come back and tell you exactly what you wanted to see, other times this tool comes back and says basically it cannot find it for whatever reason. This works particularly well with old and outdated stuff, but on some of the latest and greatest this tool does tend to bounce off. So let us compare that to what we did when trying to guess that this was a Joomla site as opposed to a WordPress site. So in this case it started and it found the language was English, so there is an ini file here. We could see what is in that ini, but I can tell you it is just a generic ini file, so not too much we are going to learn from that; again, more language files here, and then all versions ruled out.

    So in this case I wasn't able to get too much on the Joomla piece of this, but I was able to get a lot more from the WordPress, especially directory structures and things like that. And while we are not supposed to do this on sites you don't own or don't control or are not authorized on, in this case I actually do own linuxwarrior.com, and this may be available by the time you are watching this video, and then again it may not; I haven't figured out what I am going to do with it, or if I am going to redirect it or take it down or let you guys have some fun with it, we will see. But that is basically it, that is BlindElephant. It basically identifies the content management systems on particular websites, a pretty easy tool and script to use. So practice away on sites that you have authorization for, that you own or you control. But what I want the takeaway here to be is I want you to know how to do this, so that you can figure out what your results look like for your sites and the things that you have to administer. So my name is Leo Dregier, thanks for checking me out, and don't forget to connect on Facebook, LinkedIn, YouTube and Twitter.

 

4. Using phpID

    Our next lab in the SQL Injection series is the phpID lab.

    The phpID lab demonstrates and discusses how to find generic SQL injection sites. It also teaches you the search queries that find them quickly.

    The phpID lab is the precursor to the sqlmap lab, which follows this lab in our Penetration Testing and Ethical Hacking series.

    Hi, Leo Dregier here. I want to talk to you about how to find generic vulnerable SQL injection websites, which is basically the precursor to the next program that we realistically are going to discuss, sqlmap. So one of the easiest things to do, and pretty much how everybody is finding vulnerable SQL injection sites, is realistically to go over to Google and search for php?id= or id=1; either way is probably the most popular way to start finding SQL injection sites. So it doesn't matter if you want to start at one or just php?id=, so we are just going to do php?id=, and we will start seeing that there are only two billion resources or links that most people could potentially start exploiting. Now I want to kind of zoom out here and talk about the principles of information security: confidentiality, integrity and availability. Now from a confidentiality point of view, these companies and websites or search results are basically disclosing certain information that is publicly available. Since they are disclosing it not only to us but to everybody else in the world, we can use the disclosure to kind of peer into their world a little bit more. But I would not consider us hacking them until we start changing the integrity of the destination website, and if you search for YouTube videos on the similar subject, some people take the example a little too far; they start poking and prodding and running sqlmap commands, queries and scripts against targets, and I personally think that is a little too aggressive, because as a white hat you don't have authorization to do that. As a grey hat, no harm, no foul, but as a black hat you really have to question how far realistically you are going. Now for someone like myself, I get poked and prodded all the time in terms of the websites and the resources that I have, so I kind of expect it, but you know the mom-and-pop shops, the small fries who are not familiar with information security, they are basically helpless here, and you don't want to destroy their websites, change the integrity of their systems, knock them offline or use the disclosure to your advantage. So there is a way to operate ethically and legally here, but the minute you start changing the integrity of your destination systems you really have to wonder if you are operating legally versus illegally. So clearly I am not going to be advocating anything illegal here, and I need to do these videos in a way that I am not doing anything illegal, because the only thing I know about prison is I am too good looking to go. So nobody is going to jail here.

    So what I have done here is shown you how to start finding vulnerable SQL injection sites. Now any of these php ids, these are all of the things that I am looking for. Now let us say that I was hired as a penetration tester to do some evaluations inside of a company. I could start combining this with inurl:linuxwarrior.com and search for that specifically, to see if a particular website is also vulnerable, or if I can actually pull that from a particular video. So you can combine the Google search results to get a little bit more creative here, but that is no more difficult than just Google hacking 101. So it is this syntax specifically that I am using here that I would use in my sqlmap statements, which I will start in the next video. So that is it; basically that is generically how you find a vulnerable SQL injection site.

 

5. Using sqlmap

    sqlmap is the final segment of the SQL Injection labs.

    sqlmap is an automated SQL injection and database takeover tool, another powerful go-to resource for successful Penetration Testing and Ethical Hacking.

    In this lab, you'll learn how to use sqlmap to map databases and applications. You'll learn and discuss how to pull critical information from a database or application, including user info and passwords.

    Hi, Leo Dregier here. I want to talk about sqlmap in terms of an application. In one of the previous videos we did a php?id= search and tried to find vulnerable SQL injection sites, but in this case I want to take that one step further and start SQL mapping some databases and some applications. Now the fundamental problem that I have here with a video like this is that the easiest thing to do would be to find something vulnerable out on the internet and go poke and prod somebody else’s stuff. But from the confidentiality point of view you are really not taking advantage of anything that somebody purposely hasn’t put out there. I don’t want to say purposely. Let us say – because it certainly could be accidental, because they don’t know that their sites are vulnerable to SQL injection – but nonetheless they are putting it up there, and because it is out there, what do you do with that? Anybody could do anything with it, and therefore maybe just the disclosure in itself is a problem. Especially when you start digging down into the databases, tables, columns and then you start pulling users like admin and then their passwords and then getting their hashes. Technically that is all disclosed, but the problem is legally or ethically how far are you willing to push the envelope in poking and prodding on somebody else’s system. So I don’t particularly like that approach. Now there are plenty of videos out there where people are going all the way down and showing you sqlmap all the way to usernames and passwords and, frankly, even cracking passwords. We are not going to take that approach – we are going to try to operate more on the ethical side, or the legal side of ethical, however you want to look at that.

    So let us go ahead and start looking at sqlmap. If we just type sqlmap you will get basically the syntax, but just for the record it is under Kali Linux, Web Applications, Database Exploitation and then somewhere in here. It is sqlmap – here it is under Web Vulnerability Scanners, sqlmap, here. So truly it is a web vulnerability scanner as opposed to database exploitation, which is like SQL engines and things like that, which we will probably cover in other videos. Alright, it is python, sqlmap and then your options. So python, sqlmap and then the options – so in this case it tells us hey, we are missing a bunch of stuff. No wonder. You could do a sqlmap -h and that would get you the help, and it is not that bad. The absolute key takeaway here is to understand that databases in this case are hierarchical. So what you are ultimately doing is you are trying to put a puzzle together. You are trying to go from the biggest picture and drill down to the smallest picture of the hierarchy, but in the smallest part of the hierarchy you want the most valuable resources like usernames and passwords. So it is a big puzzle – a big game that you are always trying to play here, and approach it just like that – a big game.

    And so what you can see here is just some of the basic overview of the command. You have got -h or --help. This is what you are looking at right now. You have got advanced help, which we can cover later. You can have verbose mode; 0 to 6 is the range there. The target: you are always going to use the -u or realistically you are going to use --url= and whatever the URL is. I personally prefer just a -u, and then you can actually use Google dorking. Google dorking is a term that has been coined for some time now, but what it actually does is when you click on a Google link, if you notice the URL when you are doing this, Google will in itself send the link to Google, then process it internally and then redirect you to the actual search result that you want. So Google dorking is taking the Google search results and basically processing these queries as Google search results as opposed to the actual targeted URL. So my point is that you can actually take Google search results, put them in sqlmap and process them that way. That is called Google dorking. And then the request options, where you want to try to find data, cookie, random proxy, Tor, things like that. Injection basically tests for SQL injection; by far the most popular component that I ever use is the --dbms, or database management system, and then the particular database management system, like for example php, asp, aspx, or just test a bunch of parameters to try to guess that. You can set detection levels, you can set up the risk levels; by default both are set to 1. Then you have got the specific techniques if you want to get a little bit more advanced. Then you can try to enumerate a bunch of stuff; now you will use a handful of these enumeration options here as you dig down in the hierarchy.

    Now let us review the hierarchy just so that it is there. First it is the database; then once you understand the database, it is the tables in the database. Once you get to a particular table then it is the columns. Once you get to a particular table and you know what columns you want, like username, password, admin, web, e-commerce, whatever it is, then you can actually go down to --dump, or actually dump the entries in that column. Now so you get all the way down to the --dump, or you actually start pulling usernames and passwords – and then the other things that you will use here, by far the most popular, is once you find the database then you want to use the -p and specify it; once you find a specific table then you want to add in the -t. So what you end up doing in the big picture is that you start building this command structure out. So I am going to show you the basics of how to start building out a sqlmap statement and I will show you what it looks like on a website that basically has very, very little vulnerability, and also that I own and control. And then further things that you do if you really want to throw the spaghetti against the wall and see what sticks: you can do an OS shell to see if you can get prompted for an interactive shell, or --os-pwn – so those are others. Lastly there is a wizard you can try; this is nice, again this is over here for beginners. So you could start there, but once you kind of know how to build this, like I am showing you to build this, the wizard almost becomes irrelevant right away. So that is the overview of the sqlmap help and how to build it.

    Now let us go into how I will want you to actually start building this stuff out. So what I want you to do is go to your desktop and create an empty document – you can call it whatever you want – I am going to call it sqlmap for the record, and I am going to open it and keep this off to the side, because this is going to make cutting and pasting so, so much easier. So I am going to try to move my windows around a little bit so you can see what is what. So I am going to do -u and then we are going to do the website http://linuxwarrior.com. Now I will tell you – you have to watch your syntax here. That is why it is really, really helpful to paste. Copy and paste; that way you don’t mess up your syntax. Because if I do something like sqlmap and I go index.php?id=1 here, notice the syntax error. There is no / between the .com and the index. This command will run absolutely just fine, you will not get any results, and you will go “it didn’t work” – meanwhile what you have is a glaring syntax error that you just didn’t catch. So, just a disclaimer, watch your syntax. So we are going to do the URL and then we are going to do a --dbs, databases. Okay, and it is going to go through and we get a little summary here. So don’t forget that there are two dashes here, --dbs (--databases), and what we are trying to do is hey, let us go to this linuxwarrior.com website, which again I own and control, and go see if we can pull down the database and get the maps. Everybody should know how to do this if you have any public-facing website. You need to know how to do this because the attacker knows how to do this – so why shouldn’t you know how to do this yourself.

    So, legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is illegal, right? It is the end user’s responsibility, meaning you go to jail, not me, to obey all applicable local, state and federal laws for whatever country you are in. The developers assume no liability and are not responsible for any misuse or damage caused by this program; in other words the sqlmap folks are basically held harmless by us. It tells you what time your test started, and then you basically look for information marked critical. Now it says testing connection to the target URL – great – testing if the target URL is stable. This can take a couple of seconds, sometimes even minutes, depending on the connection. The target URL is stable, so great. So that is always something you are going to look for, and then we get a critical warning here: no parameters found for testing in the provided data – so you can use the GET parameter id, and for example this. So in other words this output is telling me that I didn’t supply enough information. This is why it is helpful in your search results to grab something like your php?id= and grab this whole string here. I am just using this as an example – I am not saying go and test this person’s website, but it is this whole string here, and I am just willing to show you Google search results in the supply chain, and it is actually telling you the exact syntax that it wants. So we are going to change our syntax just a little bit to see if we get any results.

    So we are going to add a /index.php?id=1 and then leave your --dbs and let it run again, and you will notice right away you get your legal disclaimer, your start time. It is testing the connection, and it says, because I went to a php page this time, sqlmap got a 301 redirect to basically a login page. Do you want to follow this? In this case I don’t, because I don’t want to try to log into the destination website. I just want to test for SQL injection. I am going to say no – so testing if the target is stable, this can take a couple of seconds – warning: the GET parameter id does not appear dynamic. Heuristic basic test shows that GET parameter id might not be injectable, and in this case mine is not. But let this run anyway, because all of this is documentable stuff that you can use for your penetration testing and reports. So even no results are good results, because you are proving hey, I am not vulnerable, and then you get to learn about how these tests work. So we are basically just going to hang out here on autopilot and read this like a novel. Try to do this relatively as it is going – it may take a couple of minutes because we are doing a heuristic test here. So it is going to try basically a whole bunch of stuff and we are going to even get some timeouts. So heuristic basic test shows your parameter id might not be injectable, for me. However, if this was a vulnerable site you may very well start getting table results right away, which I would then go ahead and copy the table names and paste them right in here. So the first thing that I would like to document in here is the URL that you test, and then you can copy and paste that right here. So I am going to do http://linuxwarrior.com/index.php?id=1, so even though I wrote that out, more than likely you are going to copy and paste that for simplicity. So now you have that, and then if you really realistically want, even do your whole sqlmap statement: -u http://linuxwarrior.com/index.php?id=1 --dbs, or the databases, and I am going to show you how to build this out. So you keep your documentation going and build this. This will definitely help you for your pen testing reports but also make your life easy as you build out this tool and go from the top of the hierarchy down to the specifics of the hierarchy, or stated differently, generic to specific.

    So in this case it is testing for SQL injection on GET parameters – boolean-based blind, where using the WHERE or HAVING clause; it is testing for MySQL greater than 5.0 error-based SQL injection, PostgreSQL, Microsoft SQL, and again the WHERE and HAVING, I am not going to say that any more because it is pretty much at the end of all of them. It is testing for Oracle and then we get this critical warning here – connection timed out to the target URL or proxy; sqlmap is going to retry. Okay, fine. Then it goes and performs some additional tests, performing the SQL inline queries and the same thing, just different databases. Inline queries, inline queries, inline queries, testing MySQL greater than 5.0 inline queries, and then it times out again. There is considerable lagging in the connection response. Please use a higher value for the --time-sec. I generally leave this as is. I could add a --time-sec like 30 seconds or 60 seconds or whatever you want. It really depends on how aggressive you want to be, but you notice the command will just time out, wait and then it will start new tests. Next it goes into stacked queries – so you can see all of this, and stacked queries for PostgreSQL, Microsoft, MySQL, PostgreSQL, or actually this switches to time-based blind for the rest of them. So it is constantly switching between the top databases and then the specific types of tests, and it goes through and you can see I am timing out again.

    So this is good, even though I am timing out here. This is good. Another thing that you could do here while this is running is I could go ahead and try to redirect my output to basically a file. So if you really want good documentation for your pen testing reports, just go ahead and do > sqlmap and maybe the date that you want, month-day-year.txt or something like that; that way all of this output automatically gets dumped into a file and then you don’t have to copy or paste anything. So it is actually done. Again, right now we are just doing a quick sanity check to see if there are actual databases that we can actually find on our target. So the first thing is the databases. Then it is the tables; once you get to the table then it is specific columns. Once it is the columns then you start looking for good columns like users, passwords, anything that you would consider ‘of interest’, and then you go ahead and dump that out. So in this case it is just going to keep timing out here and it is pretty much running to the end of the life of this command, and you can see I was not able to pull any public databases down from this site. So I know everybody wants to see – I want you to see the tables. You want to see it, I know, but it is just as important to see what a secure website looks like versus what an insecure website looks like if you start poking and prodding and doing things that you are not supposed to be doing. I assure you eventually you will find a vulnerability, but it is important to understand what secure looks like before you start exploiting insecure. Some of the other videos that you will find out on the internet, they go right to an insecure database because they have already found it, and they just go right to it and they show you how they can pull usernames and passwords off of a database in a couple of seconds.

    What I will end with is that if this was able to pull down the databases, you would get a big section of white text here which would actually say here are the databases that we found, and then I would copy all of that to my databases section. So in this case I will actually just tell you what the database is. So if this was vulnerable you would put a section for tables, then columns, then users, which we will use the --dump command for, etc. You can even do that here. So in this case I will actually tell you the table, and the table is linux_wp; it just happens to be the specific table where all of the stuff is going to be, so far. So nonetheless that is basically the build-up to our next command. But you can see I have got a warning: using unescaped version of the test because of zero knowledge of the back-end DBMS. So in this case you can use the --dbms, like I said when we were going through the help. This --dbms is helpful because we can do php or asp or aspx or whatever the back-end database management system is. So we could have specified that; it does help speed up some of these tests. But what we are doing here is not necessarily going for speed. We are going for just testing all possibilities to see if we can guess them, and therefore I specifically want to leave that off here, especially when I am working at the highest, highest level here, which is the --dbs component. So you let this run and eventually it is going to time out here and basically sqlmap will shut down. You would have all of this documented; copy your documentation and you look on, and that is the absolute basics of starting the structure of the sqlmap sequence of queries that you are going to use. So again, from the top you start with finding a vulnerability; once you find a site that is vulnerable in any way possible (a single tick is the easiest), then you go to the databases. Once you get to the databases then you go to the tables. Once you find a good table then you find good columns. Once you find good columns then you can dump the information out of those columns and then start looking for users and passwords and things like that. And then of course document all of that. And luckily enough this finished just in time – so it finished by saying hey, shutting down. So that concludes the introduction, the basic how-to for going and attempting to grab databases with sqlmap.

    So my name is Leo Dregier, thank you for watching, and don’t forget to check me out on Cybrary. Don’t forget to use it as much as you can, because it is designed for free resources. There are plenty of video resources; you can make connections, you can send messages; you should be using this by now and making connections. It is a social network for basically IT security people, and there have been a lot of really, really good discussions and dialogues, and what that does is it gives me the feedback on what you guys want to see. So please connect, send your messages either publicly or privately and get them over, and let us start a dialogue. My name is Leo Dregier, thanks for watching, and the easiest way to maintain the connection is through social networks and cybrary.it. So don’t forget to check us out on Facebook, LinkedIn, YouTube and Twitter and make sure you like, share and use the website and resources as much as you can. I will see you guys in the next video.
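    The lecture explains sqlmap's first heuristics from the tool's side: a single tick, a true/false boolean pair, and a check whether the `id` parameter is "dynamic" at all. The following is an added example, not code from the lecture or from sqlmap, that shows the same three checks from the application's side so you can see why a parameterised query makes a parameter "not appear dynamic". It uses an in-memory SQLite database with a constructed `posts` table (the table name and rows are hypothetical, chosen for this example) and a `lookup_vulnerable` handler that concatenates the GET parameter into the SQL text beside a `lookup_hardened` handler that validates and binds it.

```python
"""Vulnerable vs. hardened handling of an index.php?id= style parameter.

Added example (not from the lecture or from sqlmap). All data is constructed:
an in-memory SQLite table called `posts` stands in for a site's content table.
"""
import sqlite3


def make_db():
    """Build the constructed sample database (hypothetical schema and rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, secret TEXT)"
    )
    conn.executemany(
        "INSERT INTO posts VALUES (?, ?, ?)",
        [
            (1, "Welcome", "not-for-you-1"),
            (2, "Second post", "not-for-you-2"),
            (3, "Third post", "not-for-you-3"),
        ],
    )
    return conn


def lookup_vulnerable(conn, id_param):
    """The 'before': the raw GET value becomes part of the SQL statement text."""
    sql = "SELECT id, title FROM posts WHERE id = " + id_param
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, id_param):
    """The fix: validate the type, then bind the value as a parameter.

    A bound parameter is data only; it can never alter the query structure,
    so a tick, a boolean condition or a tautology has no effect.
    """
    try:
        post_id = int(id_param)
    except ValueError:
        return []  # reject anything that is not an integer id
    return conn.execute(
        "SELECT id, title FROM posts WHERE id = ?", (post_id,)
    ).fetchall()


def _rows_or_empty(lookup, conn, value):
    """Run a lookup and treat a database error as 'no rows' (what a user would see)."""
    try:
        return lookup(conn, value)
    except sqlite3.Error:
        return []


def probe(lookup, conn):
    """Mirror the heuristics the lecture reads off sqlmap's output.

    error_on_tick   : does a lone quote make malformed SQL reach the database?
    boolean_dynamic : does the response change between an injected true and
                      false condition (the 'parameter appears dynamic' signal)?
    extra_rows      : does a tautology leak rows beyond the requested one?
    """
    result = {}
    try:
        lookup(conn, "1'")
        result["error_on_tick"] = False
    except sqlite3.Error:
        result["error_on_tick"] = True
    true_rows = _rows_or_empty(lookup, conn, "1 AND 1=1")
    false_rows = _rows_or_empty(lookup, conn, "1 AND 1=2")
    result["boolean_dynamic"] = true_rows != false_rows
    result["extra_rows"] = len(_rows_or_empty(lookup, conn, "1 OR 1=1")) > 1
    return result


def is_injectable(probe_result):
    """Any positive signal means the parameter is worth fixing, not arguing about."""
    return any(probe_result.values())


if __name__ == "__main__":
    db = make_db()
    for name, handler in (("vulnerable", lookup_vulnerable), ("hardened", lookup_hardened)):
        r = probe(handler, db)
        print(f"{name:10s} {r} -> injectable: {is_injectable(r)}")
```

Run it and the vulnerable handler trips all three signals while the hardened one trips none; the hardened handler still answers a normal request such as `id=2` with the single matching row. The point for a defender is that the output sqlmap printed against linuxwarrior.com ("does not appear dynamic", "might not be injectable") is exactly what the `lookup_hardened` pattern produces, so the pattern, not luck, is what makes a site read as secure.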

posted @ 2015-09-30 22:16  It's_Lee  Views (199)  Comments (0)