As seen in the previous recipe, exploiting SQL Injections may be an industrious process. SQLMap is a command-line tool, included in Kali Linux, which can help us in the automation of detecting and exploiting SQL Injections with multiple techniques and in a wide variety of databases.
In this recipe, we will use SQLMap to detect and exploit an SQL Injection vulnerability and will obtain usernames and passwords of an application with it.
http://192.168.56.102/mutillidae
.user
and password
and then click on View Account Details.sqlmap -u "http://192.168.56.102/mutillidae/index.php?page=user-info.php&username=user&password=password&user-info-php-submit-button=View+Account+Details" -p username --current-user --current-db
You can notice that the -u
parameter has the copied URL as a value. With -p
we are telling SQLMap that we want to look for SQL Injections in the username parameter and the fact that we want it to retrieve the current database username and database's name once the vulnerability is exploited. We want to retrieve only these two values because we want to only tell if there is an SQL Injection in that URL in the username parameter.
Yes
to skip other systems and No
to include all tests.sqlmap -u "http://192.168.56.102/mutillidae/index.php?page=user-info.php&username=test&password=test&user-info-php-submit-button=View+Account+Details" -p username -D nowasp --tables
SQLMap saves a log of the injections it performs, so this second attack will take less time than the first one. As you can see, we are specifying the database from which we will extract this information (nowasp) and telling SQLMap that we want a list of tables in such database.
accounts
table is the one that has the information we want. Let's dump its contents:sqlmap -u "http://192.168.56.102/mutillidae/index.php?page=user-info.php&username=test&password=test&user-info-php-submit-button=View+Account+Details" -p username -D nowasp -T accounts --dump
We now have the full users' table and we can see that in this case passwords aren't encrypted, so we can use them right as we see them.
SQLMap fuzzes all the inputs in the given URL and data, or only the specified one in the -p
option with SQL Injection strings and interprets the response to discover if there is a vulnerability or not. It's a good practice not to fuzz all inputs, it's better to use SQLMap to exploit an injection that we already know exists and always try to narrow the search process by providing all the information available to us, such as vulnerable parameters, DBMS type, and others. Looking for an injection with all the possibilities open could take a lot of time and generate a very suspicious traffic in the network.
In this recipe, we already knew that the username parameter was vulnerable to SQL Injection (since we used the SQL Injection test page from Mutillidae). In the first attack, we only wanted to be sure that there was an injection there and asked for some very basic information: user name (--curent-user
) and database name (--current-db
).
In the second attack, we specified the database we wanted to query with the -D
option and the name obtained from the previous attack, and we also asked for the list of tables it contains with --tables
.
After knowing what table we wanted to get (-T accounts), we told SQLMap to dump its contents with --dump
.
SQLMap can also inject input variables in POST requests, to do that we only need to add the option --data
followed by the POST data inside quotes, for example:
--data "username=test&password=test"
Sometimes, we need to be authenticated in some application in order to have access to the vulnerable URL of an application; if this happens, we can pass a valid session's cookie to SQLMap using the --cookie
option:
--cookie "PHPSESSID=ckleiuvrv60fs012hlj72eeh37"
This is also useful to test for injections in cookie values.
Another interesting feature of this tool is that it can bring us an SQL shell where we can issue SQL queries, as if we were connected directly to the database using the --sql-shell
; option or, more interesting, we could gain command execution in the database server using --os-shell
(this is especially useful when injecting Microsoft SQL Server).
To know all the options and features that SQLMap has, you can run:
sqlmap --help
Kali Linux includes other tools that are capable of detecting and exploiting SQL Injection vulnerabilities that might be useful to use instead of or in conjunction with SQLMap:
18.117.99.71