SQLMAP – Enumeration of Databases & Users from Vulnerable Web Forms

Sqlmap is a database assessment tool which pentesters & security researchers can use to enumerate databases of various types. Sqlmap automates a normal & advanced sql injection techniques and performs them on a regular form. Refer to the article on Introduction to SQLMAP for getting started.

The following lab sessions are a continuation of the previous one on sqlmap. So I recommend you to go through that post before you proceed with this one unless you know what you are doing. Click Here for the 1st post.

Lab 1: Database Enumeration

In this lab, we enumerate & dump an entire database from a vulnerable web application. For this, we need the URL or copied request to the form we are trying sql injection. In this lab, I am using a request which was saved in a file. Refer here to see how to take this. Here the scenario is same as described in the referred link.

Step 1: Get All Databases

After the request is taken & saved as a file, we can proceed with sqlmap. If you find the page is not vulnerable, the banner grabbing wouldn’t have given exact results. So since the page is vulnerable, let us perform some attacks using sqlmap.

Command: sqlmap -r mut-sqlmap-bypassauth-post.req <replace this with your filename> --dbs

Performing DB Enumeration

The output comes up with the list of databases in the remote server.

Databases in the remote server

 

Now that we have a list of databases, we can focus into one of them. For this, I am focusing on a database named Mutillidae.

Step 2: Get tables from the selected database.

Command: sqlmap -r mut-sqlmap-bypassauth-post.req -D mutillidae <replace with your db name> --tables

 

Enumerating Tables

Now we can see tables populating

Tables Populating
Tables Populating

 

Now that we have a list of tables residing inside the remote server, we can dump any one of them to our system. All details of the operations performed are automatically stored by sqlmap. For now, let’s concentrate on the table named credit_cards.

Command: sqlmap -r mut-sqlmap-bypassauth-post.req -D mutillidae <replace with your db name> -T credit_cards <replace with your table> --dump
Dumping the target table

Now we can see the table on screen and a file will be automatically generated containing the contents of the table.

Table Contents

Lab 2: User Enumeration

In this lab, we use the same request file to enumerate the database users. Sqlmap can detect users in the database server, their roles & privileges also.

Command: sqlmap -r mut-sqlmap-bypassauth-post.req --users
Enumerating Users
A list of users present on the Database server

Now we have to select a target user from the list dumped on the screen. For this tutorial, I am selecting the root user. Let’s now see what are the roles assigned to the user root. Of course, root user would have all roles & privileges but you can substitute the commands for other users.

Command: sqlmap -r mut-sqlmap-bypassauth-post.req -U root<replace with your username> --roles
Enumerating Roles
Roles of root user being displayed

Okay, Now let’s see the user’s privileges

Command: sqlmap -r mut-sqlmap-bypassauth-post.req -U root<replace with your username> --privileges
Enumerating Privileges
List of Privileges for root user

Now for the best part, let’s see if we can get the password for the user. Yes, sqlmap also does this for you, here is how:

Command: sqlmap -r mut-sqlmap-bypassauth-post.req -U root<replace with your username> --passwords
Enumerating Passwords

In this operation, sqlmap ask a couple of new questions. One is whether you want to store the hashes in a temporary file. Another one is whether you want to do a dictionary-based attack right away. You can answer according to your wish.

Sqlmap Prompts

And finally what you came for, the password hashes. With this recovered, we can try it against any password cracker like JTR or online tools etc.

Password hashes being dumped to screen

 

So now you got an idea on how sqlmap helps you to automate SQL injection, it’s capabilities and functionalities. All these can be put into practice extensively while performing Web Application Security Testing.

As SQLi is the most widely found vulnerability in web applications, you can definitely use sqlmap to check out a no of various kinds of security issues & perform a variety of tests swiftly. As I said earlier, I would like to repeat those words “Virtually, there is no Web application testing without sqlmap”.

Ravi Sankar

Recent Posts

Starship : Revolutionizing Terminal Experiences Across Shells

Starship is a powerful, minimal, and highly customizable cross-shell prompt designed to enhance the terminal…

16 hours ago

Lemmy : A Decentralized Link Aggregator And Forum For The Fediverse

Lemmy is an innovative, open-source platform designed for link aggregation and discussion, providing a decentralized…

16 hours ago

Massive UX Improvements, Custom Disassemblers, And MSVC Support In ImHex v1.37.0

The latest release of ImHex v1.37.0 introduces a host of exciting features and improvements, enhancing…

17 hours ago

Ghauri : A Powerful SQL Injection Detection And Exploitation Tool

Ghauri is a cutting-edge, cross-platform tool designed to automate the detection and exploitation of SQL…

20 hours ago

Writing Tools : Revolutionizing The Art Of Writing

Writing tools have become indispensable for individuals looking to enhance their writing efficiency, accuracy, and…

20 hours ago

PatchWerk : A Tool For Cleaning NTDLL Syscall Stubs

PatchWerk is a proof-of-concept (PoC) tool designed to clean NTDLL syscall stubs by patching syscall…

2 days ago