Categories: Database AssessmentTutorialsWeb Application Security

SQLMAP – Introduction & Automation of SQLi

Basic Operation of SQLMAP & enumeration of Server through automatic SQL Injection.

SQLMAP is a database pentesting tool used to automate SQL Injection. Practically using sqlmap, we can dump a whole database from a vulnerable server. SQLMap is written in python and has got dynamic testing features. It can conduct tests for various database backends very efficiently. Sqlmap offers a highly flexible & modular operation for a web pentester. It can act as a basic fingerprinting tool and till upto a full database exploitation tool.Simply we can say that there will be no web application testing without sqlmap. All in all, fully loaded..!

Features of SQLMAP

Supports
- MySQL,
- Oracle,
- PostgreSQL,
- Microsoft SQL Server, Microsoft Access,
- IBM DB2,
- SQLite, Firebird,
- Sybase,
- SAP MaxDB
- HSQLDB
Supports 6 types of Injection Techniques
- boolean-based blind,
- time-based blind,
- error-based,
- UNION query-based,
- stacked queries
- out-of-band
Ability to perform operations on specific DBs,tables,columns or even dump whole database. Offers multiple database capabilities also.
Supports execution of arbitary queries and system commands
Ability to inject backdoors.
Specific attacker functions on databases.
Multicolored output indicating different messages.(Green=Info; Yellow=Warn; Red=Critical; BOLD Green=Interesting etc.)

Links:

Homepage

Source(Github)

Bit About SQLi

SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution – Wikipedia

Sql injection is basically making the backend database server to execute unintended queries to gain information or to bypass authentication or to execute a command in the remote host and various other malicious purposes. These unintended queries are usually executed by inputting special operational characters(dependent on the backend DBMS) through input forms in web pages like login forms. By performing SQLi an attacker can perform various types of tasks on the remote machine. SQLi is the most widely found vulnerability among websites. Click here to view some statistics.

Scenario

Attacker Machine: Kali Linux 2.0 (VM)

Target: OWASPBWA (VM), IP Addr: 192.168.0.104, Application: Mutillidae

Target URL(Scope) : http://192.168.0.104/mutillidae/

Lab 1 : Banner Grabbing

In this lab, we are simply grabbing the banners from the remote machine. Details like backend DBMS, Web application technology, Server OS, Web server type & version etc are retrieved from this operation. For this we need to specify in the exact url or a file which contains the request to the url. In this tutorial, we are performing the operation with a file containing the request. We can take this request with the help of burpsuite. We can turn ON the intercept & forward the request from our browser to burpsuite. Seeing the request we can copy the request & paste it in a file. Refer to tutorial on burpsuite here to learn how to start with burpsuite.

Step 1 : Take Request

Open the login page of the Mutillidae(or which ever target you have).

Filling the form

Open Burpsuite & turn ON intercepting proxy. Also configure browser to send connections to burpsuite as a proxy. Refer here to see how to do this.

Burpsuite intercepting the request

Come back to browser & give some data in the text boxes & submit.

See request intercepted at burpsuite. Copy the entire request to a new file. Here I am using “mut-sqlmap-bypassauth-post.req”. Then save the file.

Copying the Request

Note: After turning ON Intercepting in Burp, select the POST request only. The request should be the one which you would do when performing a browser based manual SQL Injection.

Saving the file

Edit the file in any text editor to make the username & password blank. Give 2 single quotes.

Editing request file2

Step 2 : Run SQLMAP with the file

Command: sqlmap -r mut-sqlmap-bypassauth-post.req<replace with yours> --threads=10<optional> -b

Executing sqlmap

Sqlmap asks couple of questions during the execution. You can answer yes (‘y’) for all of them but do read them carefully.

Sqlmap prompts

You can get to see various messages & the actual operation done by sqlmap and finally the results are shown.

Operations displayed

Results

Here the webserver, backend database web technology & the system OS are displayed. All this information is stored in a local directory also. You can try reading them also.