In Chapter 6, Exploitation – Low Hanging Fruits, we used SQLMap to extract information and the content of tables from a database. This is very useful but it is not the only advantage of this tool, nor the most interesting. In this recipe, we will use it to extract information about database users and passwords that may allow us access to the system, not only to the application.
sqlmap -u "http://192.168.56.103/bWAPP/sqli_6.php" --cookie="PHPSESSID=15bfb5b6a982d4c86ee9096adcfdb2e0; security_level=0" --data "title=test&action=search" -p title --is-dba
We can see a successful injection. That the current user is DBA which means that the user can perform administrative tasks on the database such as adding users and changing passwords.
sqlmap -u "http://192.168.56.103/bWAPP/sqli_6.php" --cookie="PHPSESSID=15bfb5b6a982d4c86ee9096adcfdb2e0; security_level=0" --data "title=test&action=search" -p title --is-dba --users --passwords
We now have a list of the users of the database and their hashed passwords.
sqlmap -u "http://192.168.56.103/bWAPP/sqli_6.php" --cookie="PHPSESSID=15bfb5b6a982d4c86ee9096adcfdb2e0; security_level=0" --data "title=test&action=search" -p title –sql-shell
Once we know there is an SQL Injection, we use SQLMap to exploit it, as shown:
sqlmap -u "http://192.168.56.103/bWAPP/sqli_6.php" --cookie="PHPSESSID=15bfb5b6a982d4c86ee9096adcfdb2e0; security_level=0" --data "title=test&action=search" -p title --is-dba
In this call to SQLMap, we use the --cookie
parameter to send the session cookie as the application requires us to be authenticated to reach the sqli_6.php
page. The --data
parameter contains the POST data sent to the server and -p
tells SQLMap to inject just the title
parameter while --is-dba
asks the database if the current user has administrative privileges.
DBA allows us to ask the database for other users' information and SQLMap makes our lives much easier with the --users
and --passwords
options. These options ask for usernames and passwords as all DBMS (Database Management Systems) store their users' passwords encrypted and what we obtained were hashes so we still have to use a password cracker to crack them. If you said yes when SQLMap asked to perform a dictionary attack, you may now know the password of at least one user.
We also used the --sql-shell
option to obtain a shell from which we could send SQL queries to the database. That was not a real shell, of course, just SQLMap sending the commands we wrote through SQL Injections and returning the results of those queries.
18.189.178.53