SQLMAP – Enumeration of Databases & Users from Vulnerable Web Forms

Sqlmap is a database assessment tool which pentesters & security researchers can use to enumerate databases of various types. Sqlmap automates a normal & advanced sql injection techniques and performs them on a regular form. Refer to the article on Introduction to SQLMAP for getting started.

The following lab sessions are a continuation of the previous one on sqlmap. So I recommend you to go through that post before you proceed with this one unless you know what you are doing. Click Here for the 1st post.

Lab 1: Database Enumeration

In this lab, we enumerate & dump an entire database from a vulnerable web application. For this, we need the URL or copied request to the form we are trying sql injection. In this lab, I am using a request which was saved in a file. Refer here to see how to take this. Here the scenario is same as described in the referred link.

Step 1: Get All Databases

After the request is taken & saved as a file, we can proceed with sqlmap. If you find the page is not vulnerable, the banner grabbing wouldn’t have given exact results. So since the page is vulnerable, let us perform some attacks using sqlmap.

Command: sqlmap -r mut-sqlmap-bypassauth-post.req <replace this with your filename> --dbs

The output comes up with the list of databases in the remote server.

 

Now that we have a list of databases, we can focus into one of them. For this, I am focusing on a database named Mutillidae.

Step 2: Get tables from the selected database.

Command: sqlmap -r mut-sqlmap-bypassauth-post.req -D mutillidae <replace with your db name> --tables

 

Now we can see tables populating

 

Now that we have a list of tables residing inside the remote server, we can dump any one of them to our system. All details of the operations performed are automatically stored by sqlmap. For now, let’s concentrate on the table named credit_cards.

Command: sqlmap -r mut-sqlmap-bypassauth-post.req -D mutillidae <replace with your db name> -T credit_cards <replace with your table> --dump

Now we can see the table on screen and a file will be automatically generated containing the contents of the table.

Lab 2: User Enumeration

In this lab, we use the same request file to enumerate the database users. Sqlmap can detect users in the database server, their roles & privileges also.

Command: sqlmap -r mut-sqlmap-bypassauth-post.req --users

Now we have to select a target user from the list dumped on the screen. For this tutorial, I am selecting the root user. Let’s now see what are the roles assigned to the user root. Of course, root user would have all roles & privileges but you can substitute the commands for other users.

Command: sqlmap -r mut-sqlmap-bypassauth-post.req -U root<replace with your username> --roles

Okay, Now let’s see the user’s privileges

Command: sqlmap -r mut-sqlmap-bypassauth-post.req -U root<replace with your username> --privileges

Now for the best part, let’s see if we can get the password for the user. Yes, sqlmap also does this for you, here is how:

Command: sqlmap -r mut-sqlmap-bypassauth-post.req -U root<replace with your username> --passwords

In this operation, sqlmap ask a couple of new questions. One is whether you want to store the hashes in a temporary file. Another one is whether you want to do a dictionary-based attack right away. You can answer according to your wish.

And finally what you came for, the password hashes. With this recovered, we can try it against any password cracker like JTR or online tools etc.

 

So now you got an idea on how sqlmap helps you to automate SQL injection, it’s capabilities and functionalities. All these can be put into practice extensively while performing Web Application Security Testing.

As SQLi is the most widely found vulnerability in web applications, you can definitely use sqlmap to check out a no of various kinds of security issues & perform a variety of tests swiftly. As I said earlier, I would like to repeat those words “Virtually, there is no Web application testing without sqlmap”.