Sqlmap is an automated SQL injection detection and exploitation tool written in Python. It is a very easy to use, straightforward tool for exploiting SQL injection in relational databases. Sqlmap supports a variety of DBMSs, including the most popular ones: MySQL, Oracle, MSSQL. The salient features of sqlmap are:
- Detecting SQL injection
- Dumping data from databases
- Running arbitrary SQL commands through its SQL shell feature
- Running arbitrary OS commands through its OS shell feature
Requirements:
Sqlmap is simple to run. Before doing it practically, let's see the most basic and important options that are required for using sqlmap.
- -r <REQUESTFILE>: Load the HTTP request from a file (can be used for both GET and POST methods)
- -u <URL>, --url=<URL>: Target URL (e.g. "http://www.site.com/vuln.php?id=1") (for a POST request, this needs to be used in combination with the --data option)
- --level=<level>: Level of tests to perform (1-5, default 1)
- --risk=<risk>: Risk of tests to perform (1-3, default 1) (for detection keep it at 1, and for exploitation keep it at 3)
- --dump: Dump data from the given database or table (the database is provided by -D <database> and the table by -T <table>)
- --dump-all: Dump data of everything (every database and table) sqlmap finds
- --dbs: Enumerate databases
- --tables: Enumerate tables for a given database (provided using -D). If the -D option is not provided, the current database is the default.
For more options, you can refer to the sqlmap help by typing:
Let's start using sqlmap. For this demo, I have used a freely available, intentionally vulnerable web app called Mutillidae, which can be run locally using Apache for learning purposes. Its code can be found here.
The page shown below takes a username and password as input and shows the user details if both the username and the password are correct.
The request going to the server hosted on localhost is shown below using Burp proxy. Here the parameters username and password within the query string are vulnerable to SQL injection. We'll use the username parameter for SQL injection detection and exploitation using sqlmap.
To run sqlmap, open a command prompt or terminal, go to the folder where the sqlmap code is extracted and run the commands.
To check if the username parameter is vulnerable to SQL injection, we need to specify the following things:
- -u: Full URL of the web app page to test
- -p: Parameter in the query string or in the request body to be tested
- --data: If the POST method is used, specify the request body data here
Sqlmap has determined that the parameter username is vulnerable to SQL injection and has also enumerated the backend database, among other information. Here, MySQL version 5.0.12 is being used.
Once we have identified that the parameter username is vulnerable, let's additionally specify the DBMS as MySQL using the option "--dbms=Mysql" and tell sqlmap to enumerate all the databases using the option "--dbs". Specifying the DBMS, if you know it, speeds things up because sqlmap does not try payloads for other DBMSs.
Sqlmap has successfully enumerated the list of databases in the current DBMS, as shown below.
We'll enumerate the nowasp database and specify it to sqlmap using the option "-D <database-name>". We'll tell sqlmap to enumerate the tables in the nowasp database using the option "--tables".
The screenshot below shows the tables from the nowasp database.
Looking at the list of tables, it looks like the table accounts may contain sensitive data. We'll try to dump all the data of that table. To tell sqlmap which table's data to extract, use "-T <tablename>". Use "--dump" to dump the data of the specified table (-T) from the specified database (-D).
As you can see, sqlmap has successfully dumped the data of the table accounts, which contains the user credentials.
For the POST method, a more practical way of running sqlmap is the "-r" option. Store the whole request containing the vulnerable parameter in a file, as in the example shown below, and pass that file to sqlmap. The request can be taken from the Burp Suite history.
The example command for the same attack shown above is:
python sqlmap.py -r <request-file-name> -p username
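The flaw sqlmap exploited on the login page above, shown as an added example that is not part of the original post: a login query built by string concatenation next to its parameterised fix. It uses an in-memory SQLite table with constructed rows in place of Mutillidae's MySQL accounts table so that it runs offline; the function and column names are assumptions.

```python
import sqlite3


def make_db():
    # Constructed stand-in for the accounts table dumped above (assumption:
    # the real backend is MySQL; sqlite3 is used so the example runs offline).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn, username, password):
    # The input is pasted into the SQL text, so a quote in the username
    # changes the query structure. This is what sqlmap detects on the
    # username parameter and then uses to enumerate and dump the database.
    sql = ("SELECT username FROM accounts WHERE username = '%s' "
           "AND password = '%s'" % (username, password))
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, username, password):
    # Parameterised query: the driver binds the values as data, so the
    # same input is compared literally and never parsed as SQL.
    sql = "SELECT username FROM accounts WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def demo():
    conn = make_db()
    probe = "' OR '1'='1"  # the classic tautology; sqlmap's boolean tests work the same way
    return {
        "vuln_valid": login_vulnerable(conn, "alice", "s3cret"),
        "vuln_probe": login_vulnerable(conn, probe, probe),  # every row comes back
        "safe_valid": login_safe(conn, "alice", "s3cret"),
        "safe_probe": login_safe(conn, probe, probe),  # no such user, nothing returned
        "safe_wrong_pw": login_safe(conn, "alice", "wrong"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

Running sqlmap against the parameterised version with the same -p username option finds no injection point, because the quote no longer reaches the SQL parser.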
Note: This post is for learning purposes only. Do not perform testing where you are not authorized to.
Tags: sql injection using sqlmap, sqlmap basic, learn sqlmap.