Ethical Hacking and Penetration Testing Guide

HTTP Header–Based SQL Injection
As we discussed at the beginning of this section, HTTP headers are also a form of user input, and the HTTP Cookie header and headers such as User-Agent or Referer are common places to look for SQL injection. The problem is that most web application scanners are not good at detecting HTTP header-based SQL injection. Luckily, sqlmap has an option to automatically test all HTTP headers and HTTP cookies for SQL injection vulnerabilities.
By default, sqlmap tests only for GET and POST inputs; however, we can tweak it a little bit 
by supplying an additional --level argument.
Sqlmap levels:
  GET/POST      Default
  HTTP Cookie   Level 2 and above
  HTTP Headers  Level 3 and above
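Because the point above is that header values are user input like any other, here is an added example (not from the book) contrasting a visitor-log query that splices the User-Agent and Referer headers into SQL text with one that binds them as parameters. The in-memory SQLite table, the header dictionaries and the probe strings are all constructed for the demonstration.

```python
import sqlite3

# Constructed request headers, as a web framework would expose them to the app.
NORMAL_HEADERS = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64)",
                  "Referer": "https://example.test/"}
# A browser string containing an apostrophe: enough to break a concatenated query.
APOSTROPHE_HEADERS = {"User-Agent": "Mozilla/5.0 (compatible; foo's bot)",
                      "Referer": "https://example.test/"}
# A single-quote tautology in User-Agent, the classic header-borne injection probe.
INJECTED_HEADERS = {"User-Agent": "x' OR '1'='1",
                    "Referer": "https://example.test/"}


def make_db():
    """In-memory SQLite stand-in for the application's visitor log table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE visits (ua TEXT, referer TEXT)")
    return conn


def log_visit_vulnerable(conn, headers):
    # Header values are spliced into the statement text, so a quote inside
    # User-Agent or Referer changes the SQL the database actually parses.
    sql = "INSERT INTO visits VALUES ('%s', '%s')" % (
        headers["User-Agent"], headers["Referer"])
    conn.execute(sql)


def log_visit_safe(conn, headers):
    # Parameter binding: the statement is fixed and the header values travel
    # separately, so they can only ever be data.
    conn.execute("INSERT INTO visits VALUES (?, ?)",
                 (headers["User-Agent"], headers["Referer"]))


def record(conn, headers, safe):
    """Log one visit; return the stored User-Agent, or the error name if the SQL broke."""
    try:
        (log_visit_safe if safe else log_visit_vulnerable)(conn, headers)
    except sqlite3.Error as exc:
        return "ERROR: " + type(exc).__name__
    row = conn.execute("SELECT ua FROM visits ORDER BY rowid DESC LIMIT 1").fetchone()
    return row[0]


if __name__ == "__main__":
    for name, hdrs in [("normal", NORMAL_HEADERS), ("apostrophe", APOSTROPHE_HEADERS),
                       ("injected", INJECTED_HEADERS)]:
        print(name, "concatenated:", repr(record(make_db(), hdrs, safe=False)))
        print(name, "parameterised:", repr(record(make_db(), hdrs, safe=True)))
```

The concatenating version either raises a syntax error on the apostrophe or stores the result of the injected expression instead of the header, while the bound version stores every header verbatim; a vulnerability scanner that only fuzzes GET and POST parameters never exercises this code path, which is exactly why the raised sqlmap level matters.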

Operating System Takeover with Sqlmap
There are various commands in sqlmap that allow you to execute system commands on the underlying operating system. From the sqlmap help menu, under the operating system section, we can find the following options:

  --os-cmd=OSCMD   Execute an operating system command
  --os-shell       Prompt for an interactive operating system shell
  --os-pwn         Prompt for an out-of-band shell, meterpreter, or VNC
  --os-smbrelay    One-click prompt for an OOB shell, meterpreter, or VNC
  --os-bof         Stored procedure buffer overflow exploitation
  --priv-esc       Database process user privilege escalation
  --msf-path=      Path where Metasploit Framework 3 is installed
  --tmp-path=      Remote absolute path of temporary files directory

We will discuss the first three commands next.
OS-CMD
The os-cmd option can be used to execute commands on the target operating system by using the LOAD_FILE function that we discussed earlier. Let's try executing the id command; we will issue the following command from sqlmap:

  ./sqlmap.py -u http://localhost/?support=yes --os-cmd=id

The id command in Linux displays information about the current user, such as the username, user id, and group id.
Here is the output of the successful execution of the command:
OS-SHELL
The next option is os-shell, which gives an interactive shell so we can easily execute commands.