Python full stack Web security attack and Defense 2. Information collection and sqlmap introduction


1, Real IP address collection

1.CDN introduction

CDN stands for Content Delivery Network.
The idea is to route around the bottlenecks and links on the Internet that hurt transfer speed and stability, so that content is delivered faster and more reliably. A CDN is an overlay on the existing Internet made of node servers placed across the network; using real-time information such as traffic, the state of each node's connections, node load, distance to the user and response time, it redirects the user's request to the nearest suitable node.
The goal is to serve users from a nearby node, relieve congestion, and cut the response time of the site.
Advantages of CDN:

  • CDN nodes solve cross-carrier and cross-region access problems, so access latency drops sharply;
  • Most requests are answered at the CDN edge nodes, which offloads the origin server.

Disadvantage (from the attacker's point of view):
The address you see is the CDN node's, not the origin server's real IP, so the origin stays hidden from ordinary DNS lookups and pings.
For further introduction, please refer to https://www.cnblogs.com/xinxiucan/p/7832368.html.

2. Judge whether there is a CDN (i.e. whether the resolved IP is the real one)

  • Method 1: judge by ping
ping www.baidu.com

Printing

Pinging www.a.shifen.com [14.215.177.38] with 32 bytes of data:
Reply from 14.215.177.38: bytes=32 time=49ms TTL=54
Reply from 14.215.177.38: bytes=32 time=49ms TTL=54
Reply from 14.215.177.38: bytes=32 time=48ms TTL=54
Reply from 14.215.177.38: bytes=32 time=49ms TTL=54

Ping statistics for 14.215.177.38:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 48ms, Maximum = 49ms, Average = 48ms

The name actually pinged is www.a.shifen.com, not www.baidu.com: the queried name is a CNAME to a different domain, which is the typical sign of a CDN or a front-end load balancer, and the IP returned is that of the CDN node rather than the origin. Treat this as a strong hint rather than proof; a CNAME inside the site's own domain does not rule a CDN out.

  • Method 2: ping the target from several regions, either through proxies or with an online multi-location ping service. If different regions resolve the name to different IP addresses, the site is almost certainly behind a CDN; the same single IP everywhere suggests there is none.

Many websites use a CDN.
Expansion - load balancing
Load balancing is a technique for spreading work across multiple computers (a cluster), network links, CPUs, disk drives or other resources in order to optimise resource use, maximise throughput, minimise response time and avoid overloading any single unit.
The load (tasks, access requests) is distributed over several units (servers, components) for execution. It is the standard answer to high performance, single points of failure (high availability) and scalability (horizontal scaling).
For more information, please refer to https://www.cnblogs.com/fanBlog/p/10936190.html.
Visiting a resolved IP directly may return one of these status codes instead of the site:

403 Forbidden - the node refuses to serve a request addressed to the bare IP (typically because no Host header it serves was sent)
301 Moved Permanently - permanent redirection
307 Temporary Redirect - temporary redirection

3. Bypass CDN

If the target does not use a CDN, the address returned by ping is the real IP.
Otherwise, collect candidate addresses from online lookup sites and test each one by visiting the site through it with the correct Host header: if the response is the normal site, the candidate is the real origin; if it is a 403, a redirect or an unrelated page, it is not.
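The two checks above, plus the direct-visit test, written out as an added example (this is not code from the original post). The CNAME www.baidu.com -> www.a.shifen.com and the address 14.215.177.38 are taken from the ping output; the second-region answer 203.0.113.5 and the example.com case are constructed, and `resolve_here` / `probe_origin` are the two helpers that need network access, so they are not exercised by the sample data.

```python
"""CDN detection heuristics: off-site CNAME (method 1) and region-dependent answers (method 2).

Added example, not from the original post. Sample data is constructed: the www.baidu.com ->
www.a.shifen.com CNAME and 14.215.177.38 come from the ping output on this page, 203.0.113.5 is a
made-up second-region answer from the documentation address range.
"""
import socket
from typing import Dict, Iterable, Optional, Tuple


def registrable_domain(name: str) -> str:
    """Approximate the registrable domain as the last two labels.

    Good enough for the CNAME heuristic here; a production tool should use the Public Suffix
    List so that names such as example.co.uk are handled correctly.
    """
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def cdn_indicators(query_name: str, canonical_name: str,
                   answers_by_region: Dict[str, Iterable[str]]) -> Dict[str, bool]:
    """Apply both checks to DNS data gathered beforehand.

    cname_offsite: method 1 - the name resolves through a CNAME into a different domain.
    geo_varies:    method 2 - resolvers in different regions return different address sets.
    """
    cname_offsite = registrable_domain(query_name) != registrable_domain(canonical_name)
    answer_sets = {frozenset(ips) for ips in answers_by_region.values()}
    geo_varies = len(answer_sets) > 1
    return {
        "cname_offsite": cname_offsite,
        "geo_varies": geo_varies,
        "likely_cdn": cname_offsite or geo_varies,
    }


def resolve_here(name: str) -> Tuple[str, list]:
    """Method 1 from your own vantage point (needs network): canonical name and its A records."""
    canonical, _aliases, ips = socket.gethostbyname_ex(name)
    return canonical, ips


def probe_origin(ip: str, host: str, timeout: float = 5.0) -> Tuple[int, Optional[str]]:
    """The direct-visit test (needs network): fetch / from a candidate IP with the real Host
    header. A 200 with the expected page means the candidate is the origin; a 403 or a 301/307
    with a Location header means the node will not serve the bare IP, i.e. it is an edge node."""
    import http.client
    conn = http.client.HTTPConnection(ip, 80, timeout=timeout)
    conn.request("GET", "/", headers={"Host": host, "User-Agent": "Mozilla/5.0"})
    resp = conn.getresponse()
    status, location = resp.status, resp.getheader("Location")
    conn.close()
    return status, location


# Constructed samples: the page's ping result plus a made-up second region, and a site
# that answers with the same address from everywhere and no off-site CNAME.
SAMPLE_CDN = cdn_indicators(
    "www.baidu.com", "www.a.shifen.com",
    {"Guangdong": ["14.215.177.38"], "elsewhere": ["203.0.113.5"]},
)
SAMPLE_DIRECT = cdn_indicators(
    "example.com", "example.com",
    {"Guangdong": ["203.0.113.5"], "elsewhere": ["203.0.113.5"]},
)

if __name__ == "__main__":
    print("www.baidu.com:", SAMPLE_CDN)    # likely_cdn True: off-site CNAME and varying answers
    print("example.com:  ", SAMPLE_DIRECT)  # likely_cdn False
```

`cdn_indicators` only needs the CNAME and per-region answers, so it can be fed the output of an online multi-location ping site by hand; `resolve_here` supplies the local view that `ping` shows, and `probe_origin` is the manual "visit the IP" step from section 3 with the Host header set so a real origin answers with the site rather than a default page.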

2, shodan introduction and search

1. Information collection methods

  • Active information collection:
    Interact with the target directly and collect what the interaction reveals, e.g. port scanning with nmap. The target can log this.
  • Passive information collection:
    Query third parties (search engines, public scan databases) instead of the target itself, e.g. Google Hacking or Shodan. The target sees nothing.

2. Introduction to the Shodan search engine

Google indexes web pages; Shodan indexes the services behind Internet-connected hosts. Its crawlers connect to open ports and store the service banners, so it finds servers, webcams, printers, routers and other devices by what they expose rather than by their web content. That is why it is often called the "dark" Google of the Internet.

3. Shodan registration, login and search

Shodan website: https://www.shodan.io/.
The API key generated on registration is what the command-line tool (shodan init) and language bindings such as the Python library use to authenticate.
Search examples:
(1) Enter webcam in the search box on the website:
Example:

Click any result to open its host page

It shows three open ports, 80, 81 and 8081, served by Apache, along with a lot of other information.
(2) Restrict results to a port with the port filter:
Example:

port:3306

Show:

Click any result to open it

Besides the exposed port 3306, much other information is available.
(3) Restrict results to an IP range with the net filter (e.g. net:213.136.73.0/24) or to a host name with the hostname filter:
Example:

(4) Restrict results to a city with the city filter (e.g. city:"Nürnberg"):
Example:
3, Introduction to the use of shodan command line

Install the Shodan command-line tool (it ships with the Python package):

pip install shodan

To view help:

shodan -h

Printing

Usage: shodan [OPTIONS] COMMAND [ARGS]...                     
                                                              
Options:                                                      
  -h, --help  Show this message and exit.                     
                                                              
Commands:                                                     
  alert       Manage the network alerts for your account      
  convert     Convert the given input data file into a...     
  count       Returns the number of results for a search      
  data        Bulk data access to Shodan                      
  domain      View all available information for a domain     
  download    Download search results and save them in a...   
  honeyscore  Check whether the IP is a honeypot or not.      
  host        View all available information for an IP...     
  info        Shows general information about your account    
  init        Initialize the Shodan command-line              
  myip        Print your external IP address                  
  org         Manage your organization's access to Shodan     
  parse       Extract information out of compressed JSON...   
  radar       Real-Time Map of some results as Shodan finds...
  scan        Scan an IP/ netblock using Shodan.              
  search      Search the Shodan database                      
  stats       Provide summary information about a search...   
  stream      Stream data in real-time.                       
  version     Print version of this tool.                     

Initialization:

shodan init MJJxEpAgEZBSX2W3gf0Dtuo6d9cfx2Xp

Printing

Successfully initialized                    

Use:
Count the hosts whose banner matches apache:

shodan count apache

Printing

26271967

Only the number of matching records in the Shodan database is returned; a count does not consume query credits.
Search the Shodan database:

shodan search apache

Printing

23.225.88.249   9017            HTTP/1.1 404 Not Found\r\nDate: Wed, 12 Feb 2020 02:02:05 GMT\r\nServer: Apache/2.4.18 (Ubuntu)\r\nstatus: 404 Not Found\r\n
Content-Length: 0\r\nContent-Type: text/html; charset=utf-8\r\n\r\n                                                                                         
139.129.167.215 80              HTTP/1.1 200 OK\r\nDate: Wed, 12 Feb 2020 02:05:38 GMT\r\nServer: Apache/2.4.17 (Win32) OpenSSL/1.0.2d PHP/5.6.15\r\nLast-Mo
dified: Fri, 26 Aug 2016 02:32:44 GMT\r\nETag: "2a43-53af0545360e3"\r\nAccept-Ranges: bytes\r\nContent-Length: 10819\r\nContent-Type: text/html\r\n\r\n     
185.15.252.124  80      mail.domovpetra.cz      HTTP/1.0 401 Unauthorized\r\nDate: Wed, 12 Feb 2020 02:09:06 GMT\r\nServer: Apache/2.2.16 (Debian)\r\nX-Powe
red-By: PHP/5.3.3-7+squeeze15\r\nWWW-Authenticate: Basic realm="Administrace 185.15.252.124"\r\nVary: Accept-Encoding\r\nContent-Length: 74\r\nConnection: c
lose\r\nContent-Type: text/html\r\n\r\n                                                                                                                     
198.204.254.59  3092    raik.popepic.net        HTTP/1.1 200 OK\r\nDate: Wed, 12 Feb 2020 01:59:17 GMT\r\nServer: Apache/2.4.29 (Ubuntu)\r\nContent-Length: 
18\r\nContent-Type: text/html; charset=UTF-8\r\n\r\n                                                                                                        
154.194.65.196  80              HTTP/1.1 200 OK\r\nDate: Wed, 12 Feb 2020 02:06:30 GMT\r\nServer: Apache\r\nUpgrade: h2\r\nConnection: Upgrade, close\r\nLas
t-Modified: Tue, 23 Oct 2018 07:08:31 GMT\r\nETag: "52e-578e00980d9c0"\r\nAccept-Ranges: bytes\r\nContent-Length: 1326\r\nVary: Accept-Encoding\r\nContent-T
ype: text/html\r\n\r\n                                                                                                                                      
103.6.244.220   80      eggfruit.icorehosting.com       HTTP/1.1 200 OK\r\nDate: Wed, 12 Feb 2020 02:06:27 GMT\r\nServer: Apache\r\nUpgrade: h2,h2c\r\nConne
ction: Upgrade\r\nLast-Modified: Sun, 13 Nov 2016 07:49:43 GMT\r\nETag: "c2-54129f75bb3c0"\r\nAccept-Ranges: bytes\r\nVary: Accept-Encoding,User-Agent\r\nCo
ntent-Length: 194\r\nContent-Type: text/html\r\n\r\n                                                                                                        
35.130.70.227   80      035-130-070-227.biz.spectrum.com        HTTP/1.1 302 Found\r\nDate: Wed, 12 Feb 2020 02:06:18 GMT\r\nServer: Apache\r\nX-Frame-Optio
ns: SAMEORIGIN\r\nLocation: https://35.130.70.227/server-manager/\r\nContent-Length: 221\r\nContent-Type: text/html; charset=iso-8859-1\r\n\r\n             
107.148.199.115 7003    107.148.199.115.news10.shoesusoutlet.com        HTTP/1.1 404 Not Found\r\nDate: Wed, 12 Feb 2020 02:04:51 GMT\r\nServer: Apache/2.4.
29 (Ubuntu)\r\nstatus: 404 Not Found\r\nContent-Length: 0\r\nContent-Type: text/html; charset=utf-8\r\n\r\n                                                 
92.118.239.180  9500            HTTP/1.1 404 Not Found\r\nDate: Wed, 12 Feb 2020 02:05:38 GMT\r\nServer: Apache/2.4.18 (Ubuntu)\r\nstatus: 404 Not Found\r\n
Content-Length: 0\r\nContent-Type: text/html; charset=utf-8\r\n\r\n                                                                                         
38.72.78.36     80              HTTP/1.1 302 Found\r\nServer: Apache-Coyote/1.1\r\nCache-Control: private\r\nExpires: Wed, 31 Dec 1969 17:00:00 MST\r\nLocat
ion: https://38.72.78.36/\r\nContent-Length: 0\r\nDate: Wed, 12 Feb 2020 02:05:01 GMT\r\n\r\n                                                               
81.146.24.25    8085    host81-146-24-25.range81-146.btcentralplus.com  HTTP/1.1 401 Unauthorized\r\nServer: Apache\r\nConnection: Close\r\nContent-type: te
xt/html\r\nWWW-Authenticate: Digest realm="DSLForum CPE Management", algorithm=MD5, qop=auth, stale=FALSE, nonce="7ab612def3d537d4f3bea0af684dfb0e", opaque=
"5ccc069c403ebaf9f0171e9517f40e41"\r\n\r\n                                                                                                                  
-- More  --                                                                                                                                                                  

There are many results, so press Enter to keep paging down.
This process is relatively slow.
Search for IIS 6.0 servers:

shodan search microsoft iis 6.0

Printing

Limit the output to chosen fields (the banner field is actually named hostnames, plural; hostname is not a field, so that column stays empty below):

shodan search --fields ip_str,port,hostname tomcat

Printing

121.41.11.14    8089
42.101.46.78    8081
66.35.73.105    8081
121.78.79.82    8081
213.175.217.202 8080
185.42.238.41   80
117.78.8.169    8081
64.82.245.252   8080
80.91.88.130    49153
15.185.130.138  3117
47.93.22.104    8081
90.147.33.88    8080
167.179.3.31    80
120.24.193.235  8081
139.196.198.125 80
39.105.222.63   8083
39.96.23.184    8083
58.64.130.35    8181
34.196.124.24   80
54.252.212.190  9944
54.252.212.190  8043
52.66.245.176   5357
18.144.80.167   2021
67.43.25.97     80
202.115.162.45  8081
-- More  --                                                                                                                                                             

Get the specified IP address information:

shodan host 213.136.73.36

Printing

213.136.73.36
Hostnames:               -
City:                    Nürnberg
Country:                 Germany
Organization:            Contabo GmbH
Updated:                 2020-02-06T20:35:42.365722
Number of open ports:    3

Ports:
     22/tcp OpenSSH (7.6p1 Ubuntu-4ubuntu0.3)
     25/tcp Exim smtpd (4.90_1)
     80/tcp                                                                                                                                                            

Show your account's remaining query and scan credits:

shodan info

Printing

Query credits available: 0
Scan credits available: 0                                                                                                                                                        

Get your own external IP address:

shodan myip

Printing

139.202.xx.xxx                                                                                                                                                      

Check whether a host is a honeypot:
Honeypot technology:
A honeypot is a deception technique aimed at the attacker. Hosts, network services or data are deployed as decoys to lure attacks; the attacker's behaviour is then captured and analysed to learn the tools and methods used, infer the intent and motive, and give defenders a clear picture of the threats they face, so that technical and management measures can be used to harden the real systems.

shodan honeyscore 213.136.73.36

Printing

Score: 0.3

The score runs from 0.0 (not a honeypot) to 1.0 (almost certainly a honeypot); 0.3 means the host looks mostly like a real system.

4, Using shodan in Python

import shodan

# Constant, uppercase. This is the key from the shodan init step above;
# in real use load it from an environment variable instead of committing it.
SHODAN_API_KEY = 'MJJxEpAgEZBSX2W3gf0Dtuo6d9cfx2Xp'

# Initialization
api = shodan.Shodan(SHODAN_API_KEY)
# search() returns one page of 100 banners at a time; 'total' is the number of matches overall
result = api.search('tomcat', page=1)
print(result['total'])

Printing

85435

Retest:

import shodan

# Constant, uppercase
SHODAN_API_KEY = 'MJJxEpAgEZBSX2W3gf0Dtuo6d9cfx2Xp'

# Initialization
api = shodan.Shodan(SHODAN_API_KEY)
# host() returns every banner Shodan holds for the IP as one dict (the JSON printed below);
# result['data'] is the list of banners, one per port
result = api.host('213.136.73.36')
print(result)
print(result['country_name'])

Print:

{'region_code': '02', 'ip': 3582478628, 'postal_code': '90475', 'country_code': 'DE', 'city': 'Nürnberg', 'dma_code': None, 'last_update': '2020-02-06T20:35:42.365722', 'latitude': 49.4075, 'tags': [], 'area_code': None, 'country_name': 'Germany', 'hostnames': ['-'], 'org': 'Contabo GmbH', 'data': [{'_shodan': {'id': '944a19e4-6c9b-4488-8146-125c332e4558', 'options': {}, 'ptr': True, 'module': 'smtp', 'crawler': 'd264629436af1b777b3b513ca6ed1404d7395d80'}, 'product': 'Exim smtpd', 'hash': 238085194, 'version': '4.90_1', 'opts': {}, 'ip': 3582478628, 'isp': 'Contabo GmbH', 'os': None, 'cpe': ['cpe:/a:exim:exim:4.90_1'], 'port': 25, 'hostnames': ['-'], 'location': {'city': 'Nürnberg', 'region_code': '02', 'area_code': None, 'longitude': 11.164899999999989, 'country_code3': 'DEU', 'country_name': 'Germany', 'postal_code': '90475', 'dma_code': None, 'country_code': 'DE', 'latitude': 49.4075}, 'timestamp': '2020-02-06T20:35:42.365722', 'domains': ['-.'], 'org': 'Contabo GmbH', 'data': '220 port22.eu ESMTP Exim 4.90_1 Ubuntu Thu, 06 Feb 2020 21:35:38 +0100\r\n250-port22.eu Hello 228.224.176.180 [228.224.176.180]\r\n250-SIZE 52428800\r\n250-8BITMIME\r\n250-PIPELINING\r\n250-CHUNKING\r\n250-PRDR\r\n250 HELP\r\n', 'asn': 'AS51167', 'transport': 'tcp', 'ip_str': '213.136.73.36'}, {'info': 'protocol 2.0', '_shodan': {'id': None, 'options': {}, 'ptr': True, 'module': 'ssh', 'crawler': '5faf2928ceb560cb4276cc1b4660b2d763cc6397'}, 'product': 'OpenSSH', 'hash': 885925491, 'version': '7.6p1 Ubuntu-4ubuntu0.3', 'location': {'city': 'Nürnberg', 'region_code': '02', 'area_code': None, 'longitude': 11.164899999999989, 'country_code3': 'DEU', 'country_name': 'Germany', 'postal_code': '90475', 'dma_code': None, 'country_code': 'DE', 'latitude': 49.4075}, 'opts': {}, 'ip': 3582478628, 'isp': 'Contabo GmbH', 'os': None, 'cpe': ['cpe:/a:openbsd:openssh:7.6p1 Ubuntu-4ubuntu0.3'], 'port': 22, 'hostnames': ['-'], 'ssh': {'hassh': 'b12d2871a1189eff20364cf5333619ee', 'fingerprint': 
'6f:71:c5:39:d8:34:55:01:fc:e3:41:67:02:81:fc:71', 'mac': 'hmac-sha2-256', 'cipher': 'aes128-ctr', 'key': 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDBehzX1E+RxyPeN17W8k7NjGct/X+cT0UakEkpG8pCtXq2\nc1yD7m5fkLbu2V0ELS2ip0ldvNF8IZnoEndWPxcyvaz1nMEugtUqOVOEj93EtXXXOqmid7QdulQZ\n6xSAFeFE4D65VmScQi7eI9iM/OhmlGFOgAyFH1ELJjwic1nX2aX2YOwJrxmsebkSKd1vzBP1zYcE\ngiegwllez196hbcn/FkcWvcKcyo27pGtVmH8TheepnyRk2M2vSTyNcG8o1VNhUCFRsKEfzMWd92i\nM5+5U8SzfhA+F9hxvOJ7XfRbYZd9V/2UwFgia6llAj0n1eSrLN0u3HqLhnI4f9uUl3H9\n', 'kex': {'languages': [''], 'server_host_key_algorithms': ['ssh-rsa', 'rsa-sha2-512', 'rsa-sha2-256', 'ecdsa-sha2-nistp256', 'ssh-ed25519'], 'encryption_algorithms': ['chacha20-poly1305@openssh.com', 'aes128-ctr', 'aes192-ctr', 'aes256-ctr', 'aes128-gcm@openssh.com', 'aes256-gcm@openssh.com'], 'kex_follows': False, 'unused': 0, 'kex_algorithms': ['curve25519-sha256', 'curve25519-sha256@libssh.org', 'ecdh-sha2-nistp256', 'ecdh-sha2-nistp384', 'ecdh-sha2-nistp521', 'diffie-hellman-group-exchange-sha256', 'diffie-hellman-group16-sha512', 'diffie-hellman-group18-sha512', 'diffie-hellman-group14-sha256', 'diffie-hellman-group14-sha1'], 'compression_algorithms': ['none', 'zlib@openssh.com'], 'mac_algorithms': ['umac-64-etm@openssh.com', 'umac-128-etm@openssh.com', 'hmac-sha2-256-etm@openssh.com', 'hmac-sha2-512-etm@openssh.com', 'hmac-sha1-etm@openssh.com', 'umac-64@openssh.com', 'umac-128@openssh.com', 'hmac-sha2-256', 'hmac-sha2-512', 'hmac-sha1']}, 'type': 'ssh-rsa'}, 'timestamp': '2020-01-27T19:13:34.325121', 'domains': ['-.'], 'org': 'Contabo GmbH', 'data': 'SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3\nKey type: ssh-rsa\nKey: 
AAAAB3NzaC1yc2EAAAADAQABAAABAQDBehzX1E+RxyPeN17W8k7NjGct/X+cT0UakEkpG8pCtXq2\nc1yD7m5fkLbu2V0ELS2ip0ldvNF8IZnoEndWPxcyvaz1nMEugtUqOVOEj93EtXXXOqmid7QdulQZ\n6xSAFeFE4D65VmScQi7eI9iM/OhmlGFOgAyFH1ELJjwic1nX2aX2YOwJrxmsebkSKd1vzBP1zYcE\ngiegwllez196hbcn/FkcWvcKcyo27pGtVmH8TheepnyRk2M2vSTyNcG8o1VNhUCFRsKEfzMWd92i\nM5+5U8SzfhA+F9hxvOJ7XfRbYZd9V/2UwFgia6llAj0n1eSrLN0u3HqLhnI4f9uUl3H9\nFingerprint: 6f:71:c5:39:d8:34:55:01:fc:e3:41:67:02:81:fc:71\n\nKex Algorithms:\n\tcurve25519-sha256\n\tcurve25519-sha256@libssh.org\n\tecdh-sha2-nistp256\n\tecdh-sha2-nistp384\n\tecdh-sha2-nistp521\n\tdiffie-hellman-group-exchange-sha256\n\tdiffie-hellman-group16-sha512\n\tdiffie-hellman-group18-sha512\n\tdiffie-hellman-group14-sha256\n\tdiffie-hellman-group14-sha1\n\nServer Host Key Algorithms:\n\tssh-rsa\n\trsa-sha2-512\n\trsa-sha2-256\n\tecdsa-sha2-nistp256\n\tssh-ed25519\n\nEncryption Algorithms:\n\tchacha20-poly1305@openssh.com\n\taes128-ctr\n\taes192-ctr\n\taes256-ctr\n\taes128-gcm@openssh.com\n\taes256-gcm@openssh.com\n\nMAC Algorithms:\n\tumac-64-etm@openssh.com\n\tumac-128-etm@openssh.com\n\thmac-sha2-256-etm@openssh.com\n\thmac-sha2-512-etm@openssh.com\n\thmac-sha1-etm@openssh.com\n\tumac-64@openssh.com\n\tumac-128@openssh.com\n\thmac-sha2-256\n\thmac-sha2-512\n\thmac-sha1\n\nCompression Algorithms:\n\tnone\n\tzlib@openssh.com\n\n', 'asn': 'AS51167', 'transport': 'tcp', 'ip_str': '213.136.73.36'}, {'_shodan': {'id': '4493ec63-9af0-46b3-af2d-1f6da2e3b33a', 'options': {}, 'ptr': True, 'module': 'http', 'crawler': '4aca62e44af31a464bdc72210b84546d570e9365'}, 'hash': -945966338, 'os': None, 'opts': {}, 'ip': 3582478628, 'isp': 'Contabo GmbH', 'http': {'html_hash': -1259818618, 'robots_hash': None, 'redirects': [], 'securitytxt': None, 'title': '404 Not Found', 'sitemap_hash': None, 'robots': None, 'favicon': None, 'host': '213.136.73.36', 'html': '<html>\n  <head>\n    <title>404 Not Found</title>\n    <link rel=\'stylesheet\' href=\'style/style.css\' type=\'text/css\'/>\n  </head>\n 
 <body bgcolor="#ffffff" text="#000000" link="#2020ff" vlink="#4040cc">\n    <h2>404 Not Found</h2>\n    <p>The requested URL was not found on this server.</p>\n\n  </body>\n\n</html>\n', 'location': '/', 'components': {}, 'server': 'xxx', 'sitemap': None, 'securitytxt_hash': None}, 'port': 80, 'hostnames': ['-'], 'location': {'city': 'Nürnberg', 'region_code': '02', 'area_code': None, 'longitude': 11.164899999999989, 'country_code3': 'DEU', 'country_name': 'Germany', 'postal_code': '90475', 'dma_code': None, 'country_code': 'DE', 'latitude': 49.4075}, 'timestamp': '2020-01-26T07:14:55.014514', 'domains': ['-.'], 'org': 'Contabo GmbH', 'data': 'HTTP/1.1 404 Not Found\r\nServer: xxx\r\nContent-Type: text/html; charset=utf-8\r\nDate: Sun, 26 Jan 2020 07:32:11 GMT\r\nLast-Modified: Sun, 26 Jan 2020 07:32:11 GMT\r\nAccept-Ranges: bytes\r\nConnection: close\r\nCache-Control: no-cache,no-store\r\n\r\n', 'asn': 'AS51167', 'transport': 'tcp', 'ip_str': '213.136.73.36'}], 'asn': 'AS51167', 'isp': 'Contabo GmbH', 'longitude': 11.164899999999989, 'country_code3': 'DEU', 'domains': ['-.'], 'ip_str': '213.136.73.36', 'os': None, 'ports': [80, 25, 22]}
Germany

You can also call the REST API directly from a browser or any HTTP client and parse the JSON it returns to pull out the fields you need.
Parameters and response formats are documented at https://developer.shodan.io/api.
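Processing that JSON is where the value is, so here is an added example (not code from the original post or from Shodan) that reduces a host record to the fields a tester triages first: ports, products and versions, CPE identifiers, the SSH HASSH and host-key fingerprint, and the HTTP title. `SAMPLE_HOST` is a trimmed copy of the api.host('213.136.73.36') record printed above with only the keys this code reads; `fetch_host` is the live call and assumes the shodan package and an API key.

```python
"""Turn a Shodan host record into a triage summary.

Added example, not the page's or Shodan's own code. SAMPLE_HOST is trimmed from the
api.host('213.136.73.36') record printed above; irrelevant keys were dropped, values unchanged.
"""
from typing import Any, Dict, List


def summarize_host(host: Dict[str, Any]) -> Dict[str, Any]:
    """Extract the parts of a host record a pentester looks at first.

    Every element of host['data'] is one banner (one port/service). The fields read here
    (product, version, cpe, ssh.hassh, ssh.fingerprint, http.title, http.server) all appear
    in the JSON on this page; anything missing from a banner is reported as None.
    """
    services: List[Dict[str, Any]] = []
    for banner in host.get("data", []):
        entry: Dict[str, Any] = {
            "port": banner.get("port"),
            "transport": banner.get("transport", "tcp"),
            "module": banner.get("_shodan", {}).get("module"),
            "product": banner.get("product"),
            "version": banner.get("version"),
            "cpe": list(banner.get("cpe", [])),
            "hassh": None,
            "host_key_fingerprint": None,
            "http_title": None,
            "http_server": None,
        }
        ssh = banner.get("ssh")
        if ssh:
            # HASSH identifies the SSH implementation; handy for grouping hosts of one build.
            entry["hassh"] = ssh.get("hassh")
            entry["host_key_fingerprint"] = ssh.get("fingerprint")
        http = banner.get("http")
        if http:
            entry["http_title"] = http.get("title")
            entry["http_server"] = http.get("server")
        services.append(entry)
    services.sort(key=lambda s: s["port"] or 0)
    return {
        "ip": host.get("ip_str"),
        "org": host.get("org"),
        "asn": host.get("asn"),
        "country": host.get("country_name"),
        "ports": sorted(host.get("ports", [])),
        "services": services,
        # Deduplicated CPE list, the natural input to a vulnerability lookup.
        "cpes": sorted({cpe for s in services for cpe in s["cpe"]}),
    }


def fetch_host(ip: str, api_key: str) -> Dict[str, Any]:
    """Live lookup (network and the shodan package required): same record as api.host() above."""
    import shodan  # imported here so the offline summary works without the package installed
    return shodan.Shodan(api_key).host(ip)


# Trimmed copy of the record printed above.
SAMPLE_HOST: Dict[str, Any] = {
    "ip_str": "213.136.73.36", "org": "Contabo GmbH", "asn": "AS51167",
    "country_name": "Germany", "ports": [80, 25, 22],
    "data": [
        {"_shodan": {"module": "smtp"}, "product": "Exim smtpd", "version": "4.90_1",
         "cpe": ["cpe:/a:exim:exim:4.90_1"], "port": 25, "transport": "tcp"},
        {"_shodan": {"module": "ssh"}, "product": "OpenSSH", "version": "7.6p1 Ubuntu-4ubuntu0.3",
         "cpe": ["cpe:/a:openbsd:openssh:7.6p1 Ubuntu-4ubuntu0.3"], "port": 22, "transport": "tcp",
         "ssh": {"hassh": "b12d2871a1189eff20364cf5333619ee",
                 "fingerprint": "6f:71:c5:39:d8:34:55:01:fc:e3:41:67:02:81:fc:71"}},
        {"_shodan": {"module": "http"}, "port": 80, "transport": "tcp",
         "http": {"title": "404 Not Found", "server": "xxx"}},
    ],
}

if __name__ == "__main__":
    import json
    print(json.dumps(summarize_host(SAMPLE_HOST), indent=2, ensure_ascii=False))
```

The same function works unchanged on the output of `fetch_host(ip, key)` or on the JSON saved by `shodan host` / `shodan download`, because they all carry the banner list under `data`.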

5, Introduction to Sqlmap

1. sqlmap concept

sqlmap is an open-source penetration testing tool that automates the detection and exploitation of SQL injection flaws and the takeover of database servers.
It has a powerful detection engine, many niche features and a wide range of switches, covering database fingerprinting, fetching data from the database, reading and writing the underlying file system and executing commands on the operating system over out-of-band connections.

2. sqlmap features

  • Full support for MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase, SAP MaxDB, HSQLDB, Informix and other database management systems;
  • Full support for boolean-based blind (B), time-based blind (T), error-based (E), UNION query (U) and stacked query (S) injection, the letters that make up most of the default --technique value BEUSTQ shown in the help output below;
  • When the credentials, IP address, port and database name are known, it can connect to the database directly, without an injection point;
  • Enumeration of users, password hashes, privileges, roles, databases, tables and columns;
  • Automatic recognition of password hash formats and dictionary-based cracking of the hashes;
  • Dumping an entire table, only some columns, or only a range of entries in a column, as the user chooses;
  • Searching for a given database, table or column name across the DBMS.
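To see why two of those techniques work, here is an added example (not sqlmap's code and not the sqli-labs source) that reproduces the boolean-based blind (B) and UNION (U) techniques against a throwaway in-memory SQLite database. The table and its three users are constructed; `lookup_vulnerable` concatenates the id parameter into the query the way the sqli-labs exercises do, and `lookup_safe` binds it as a parameter. Time-based (T) and stacked (S) techniques are not shown: SQLite has no sleep() and the sqlite3 module refuses more than one statement per execute().

```python
"""Boolean-based blind (B) and UNION (U) injection on an in-memory SQLite table.

Added example, not sqlmap's code and not the sqli-labs source. All data is constructed.
"""
import sqlite3
from typing import Callable, List

Lookup = Callable[[sqlite3.Connection, str], List[str]]


def build_db() -> sqlite3.Connection:
    """Constructed sample table standing in for the users table of sqli-labs."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, password TEXT);"
        "INSERT INTO users VALUES (1, 'alice', 'Wonderland'), (2, 'bob', 'hunter2'),"
        " (3, 'carol', 'p@ssword');"
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user_id: str) -> List[str]:
    """Injectable: the parameter is pasted into the query inside single quotes."""
    sql = "SELECT username FROM users WHERE id = '%s' LIMIT 1" % user_id
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, user_id: str) -> List[str]:
    """Fixed: the parameter is bound, so quotes and keywords inside it are just data."""
    sql = "SELECT username FROM users WHERE id = ? LIMIT 1"
    return [row[0] for row in conn.execute(sql, (user_id,))]


def boolean_blind_probe(conn: sqlite3.Connection, lookup: Lookup, base: str = "1") -> bool:
    """Technique B: inject a true and a false condition and compare the two responses.

    A difference means the condition reached the SQL engine, i.e. the parameter is injectable.
    sqlmap's detection does the same with its 'AND 1=1' / 'AND 1=2' style payloads, and then
    extracts data one character at a time by asking true/false questions about it.
    """
    true_page = lookup(conn, base + "' AND '1'='1")
    false_page = lookup(conn, base + "' AND '1'='2")
    return true_page != false_page


def union_dump(conn: sqlite3.Connection, lookup: Lookup) -> List[str]:
    """Technique U: make the original row set empty and append a SELECT of our own.

    The trailing '-- ' comments out the closing quote and the LIMIT 1 that follow the injection
    point, so every user:password pair comes back in the column that normally holds username.
    """
    payload = "-1' UNION SELECT username || ':' || password FROM users -- "
    return lookup(conn, payload)


if __name__ == "__main__":
    db = build_db()
    print("vulnerable injectable:", boolean_blind_probe(db, lookup_vulnerable))  # True
    print("safe injectable:      ", boolean_blind_probe(db, lookup_safe))        # False
    print("union dump:", union_dump(db, lookup_vulnerable))  # all three user:password pairs
    print("union against safe:", union_dump(db, lookup_safe))  # []
```

Run the same probes against `lookup_safe` and both come back negative: with a bound parameter the string `1' AND '1'='1` is compared against the id column as a whole and simply matches nothing, which is the entire reason prepared statements are the fix rather than quote escaping.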

3. Download and use of sqlmap

Download it from the official site http://sqlmap.org/.
As follows:

On Windows download the .zip file, on Linux the .tar.gz file.
Then decompress it to obtain the following files (folders):

Execute the command in this directory:

  • To view help documents:
python sqlmap.py -h

Print:

        ___
       __H__
 ___ ___["]_____ ___ ___  {1.4.2.31#dev}
|_ -| . [,]     | .'| . |
|___|_  [)]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

Usage: sqlmap.py [options]

Options:
  -h, --help            Show basic help message and exit
  -hh                   Show advanced help message and exit
  --version             Show program's version number and exit
  -v VERBOSE            Verbosity level: 0-6 (default 1)

  Target:
    At least one of these options has to be provided to define the
    target(s)

    -u URL, --url=URL   Target URL (e.g. "http://www.site.com/vuln.php?id=1")
    -g GOOGLEDORK       Process Google dork results as target URLs

  Request:
    These options can be used to specify how to connect to the target URL

    --data=DATA         Data string to be sent through POST (e.g. "id=1")
    --cookie=COOKIE     HTTP Cookie header value (e.g. "PHPSESSID=a8d127e..")
    --random-agent      Use randomly selected HTTP User-Agent header value
    --proxy=PROXY       Use a proxy to connect to the target URL
    --tor               Use Tor anonymity network
    --check-tor         Check to see if Tor is used properly

  Injection:
    These options can be used to specify which parameters to test for,
    provide custom injection payloads and optional tampering scripts

    -p TESTPARAMETER    Testable parameter(s)
    --dbms=DBMS         Force back-end DBMS to provided value

  Detection:
    These options can be used to customize the detection phase

    --level=LEVEL       Level of tests to perform (1-5, default 1)
    --risk=RISK         Risk of tests to perform (1-3, default 1)

  Techniques:
    These options can be used to tweak testing of specific SQL injection
    techniques

    --technique=TECH..  SQL injection techniques to use (default "BEUSTQ")

  Enumeration:
    These options can be used to enumerate the back-end database
    management system information, structure and data contained in the
    tables

    -a, --all           Retrieve everything
    -b, --banner        Retrieve DBMS banner
    --current-user      Retrieve DBMS current user
    --current-db        Retrieve DBMS current database
    --passwords         Enumerate DBMS users password hashes
    --tables            Enumerate DBMS database tables
    --columns           Enumerate DBMS database table columns
    --schema            Enumerate DBMS schema
    --dump              Dump DBMS database table entries
    --dump-all          Dump all DBMS databases tables entries
    -D DB               DBMS database to enumerate
    -T TBL              DBMS database table(s) to enumerate
    -C COL              DBMS database table column(s) to enumerate

  Operating system access:
    These options can be used to access the back-end database management
    system underlying operating system

    --os-shell          Prompt for an interactive operating system shell
    --os-pwn            Prompt for an OOB shell, Meterpreter or VNC

  General:
    These options can be used to set some general working parameters

    --batch             Never ask for user input, use the default behavior
    --flush-session     Flush session files for current target

  Miscellaneous:
    These options do not fit into any other category

    --sqlmap-shell      Prompt for an interactive sqlmap shell
    --wizard            Simple wizard interface for beginner users

[!] to see full list of options run with '-hh'

  • To view version information:
python sqlmap.py --version

Print:

1.4.2.31#dev

6, Build test environment

1. Download and install phpstudy and start the services

phpstudy sets up a local web stack (Apache, PHP and MySQL) and lets you start the services with one click.
Choose a suitable version at http://phpstudy.php.cn, download and install it.
After installation, start the Apache and MySQL services, as follows

After starting Apache in phpstudy, visit 127.0.0.1 and you can see the following:

The service is started successfully.

2. sqli-labs installation

Copy the sqli-labs directory to the WWW directory under the phpstudy installation directory, as follows

Visit 127.0.0.1/sqli-labs to get the following page

Click Setup/reset Database for labs, as follows

It does not display properly. Open the sql-connections directory under sqli-labs and edit the db-creds.inc file:

<?php

//give your mysql connection username n password
$dbuser ='root';
$dbpass ='root';
$dbname ="security";
$host = 'localhost';
$dbname1 = "challenges";

?>

Only $dbpass needs to change: the file ships with root, so set it to whatever MySQL root password phpstudy is using (if that is also root, nothing changes).
Visit http://127.0.0.1/sqli-labs/sql-connections/setup-db.php again; it may still show the same page as before:

Still not displayed normally. The cause is a PHP version incompatibility: the PHP 7 builds bundled with recent phpstudy no longer ship the mysql_* functions that sqli-labs calls, only the mysqli_* replacements.
There are two solutions:

I'm using the second method, which worked in my own test; visiting http://127.0.0.1/sqli-labs/sql-connections/setup-db.php finally gives the following page:

That is to say, the sqli-labs configuration is successful.

3. DVWA installation

As with sqli-labs, copy the DVWA directory to the WWW directory under the phpstudy installation directory, then visit 127.0.0.1/dvwa, which will show

Follow the prompts:
In the config directory rename config.inc.php.dist to config.inc.php (i.e. remove the .dist suffix), then find the password line and edit it:

$_DVWA[ 'db_password' ] = 'root';

Set it to the MySQL password, root here.
Then refresh the page, as shown below

The configuration is successful.
Click the Create / Reset Database button at the bottom left to create the database. After a few seconds the login page appears; the default user name and password are admin and password, and you can log in.


Tags: Database openssh Apache network

Posted on Wed, 12 Feb 2020 07:54:56 -0800 by faheemhameed