SQLMAP – Enumeration of Databases & Users from Vulnerable Web Forms

Sqlmap is a database assessment tool which pentesters & security researchers can use to enumerate databases of various types. Sqlmap automates a normal & advanced sql injection techniques and performs them on a regular form. Refer to the article on Introduction to SQLMAP for getting started.

The following lab sessions are a continuation of the previous one on sqlmap. So I recommend you to go through that post before you proceed with this one unless you know what you are doing. Click Here for the 1st post.

Lab 1: Database Enumeration

In this lab, we enumerate & dump an entire database from a vulnerable web application. For this, we need the URL or copied request to the form we are trying sql injection. In this lab, I am using a request which was saved in a file. Refer here to see how to take this. Here the scenario is same as described in the referred link.

Step 1: Get All Databases

After the request is taken & saved as a file, we can proceed with sqlmap. If you find the page is not vulnerable, the banner grabbing wouldn’t have given exact results. So since the page is vulnerable, let us perform some attacks using sqlmap.

Command: sqlmap -r mut-sqlmap-bypassauth-post.req <replace this with your filename> --dbs

Performing DB Enumeration

The output comes up with the list of databases in the remote server.

Databases in the remote server

 

Now that we have a list of databases, we can focus into one of them. For this, I am focusing on a database named Mutillidae.

Step 2: Get tables from the selected database.

Command: sqlmap -r mut-sqlmap-bypassauth-post.req -D mutillidae <replace with your db name> --tables

 

Enumerating Tables

Now we can see tables populating

Tables Populating
Tables Populating

 

Now that we have a list of tables residing inside the remote server, we can dump any one of them to our system. All details of the operations performed are automatically stored by sqlmap. For now, let’s concentrate on the table named credit_cards.

Command: sqlmap -r mut-sqlmap-bypassauth-post.req -D mutillidae <replace with your db name> -T credit_cards <replace with your table> --dump
Dumping the target table

Now we can see the table on screen and a file will be automatically generated containing the contents of the table.

Table Contents

Lab 2: User Enumeration

In this lab, we use the same request file to enumerate the database users. Sqlmap can detect users in the database server, their roles & privileges also.

Command: sqlmap -r mut-sqlmap-bypassauth-post.req --users
Enumerating Users
A list of users present on the Database server

Now we have to select a target user from the list dumped on the screen. For this tutorial, I am selecting the root user. Let’s now see what are the roles assigned to the user root. Of course, root user would have all roles & privileges but you can substitute the commands for other users.

Command: sqlmap -r mut-sqlmap-bypassauth-post.req -U root<replace with your username> --roles
Enumerating Roles
Roles of root user being displayed

Okay, Now let’s see the user’s privileges

Command: sqlmap -r mut-sqlmap-bypassauth-post.req -U root<replace with your username> --privileges
Enumerating Privileges
List of Privileges for root user

Now for the best part, let’s see if we can get the password for the user. Yes, sqlmap also does this for you, here is how:

Command: sqlmap -r mut-sqlmap-bypassauth-post.req -U root<replace with your username> --passwords
Enumerating Passwords

In this operation, sqlmap ask a couple of new questions. One is whether you want to store the hashes in a temporary file. Another one is whether you want to do a dictionary-based attack right away. You can answer according to your wish.

Sqlmap Prompts

And finally what you came for, the password hashes. With this recovered, we can try it against any password cracker like JTR or online tools etc.

Password hashes being dumped to screen

 

So now you got an idea on how sqlmap helps you to automate SQL injection, it’s capabilities and functionalities. All these can be put into practice extensively while performing Web Application Security Testing.

As SQLi is the most widely found vulnerability in web applications, you can definitely use sqlmap to check out a no of various kinds of security issues & perform a variety of tests swiftly. As I said earlier, I would like to repeat those words “Virtually, there is no Web application testing without sqlmap”.

Ravi Sankar

Recent Posts

Kali Linux 2024.4 Released, What’s New?

Kali Linux 2024.4, the final release of 2024, brings a wide range of updates and…

8 hours ago

Lifetime-Amsi-EtwPatch : Disabling PowerShell’s AMSI And ETW Protections

This Go program applies a lifetime patch to PowerShell to disable ETW (Event Tracing for…

8 hours ago

GPOHunter – Active Directory Group Policy Security Analyzer

GPOHunter is a comprehensive tool designed to analyze and identify security misconfigurations in Active Directory…

2 days ago

2024 MITRE ATT&CK Evaluation Results – Cynet Became a Leader With 100% Detection & Protection

Across small-to-medium enterprises (SMEs) and managed service providers (MSPs), the top priority for cybersecurity leaders…

5 days ago

SecHub : Streamlining Security Across Software Development Lifecycles

The free and open-source security platform SecHub, provides a central API to test software with…

1 week ago

Hawker : The Comprehensive OSINT Toolkit For Cybersecurity Professionals

Don't worry if there are any bugs in the tool, we will try to fix…

1 week ago