SQL Injection can be found anywhere in the application, for example, on the login page, in GET or POST parameters, behind authentication, and sometimes even in cookies themselves. Using sqlmap is not very different from how we used it in the previous recipe, but the intention of this recipe is to help you understand how sqlmap can also be used to exploit SQL Injections on pages that are accessible only after authentication.
In this recipe, we will look at how we can use sqlmap to exploit SQL Injections on authenticated pages. The -r switch lets sqlmap replay a saved HTTP request, including its cookies, so it can reach URLs that would otherwise be inaccessible. Because sqlmap processes the cookies from the saved request, it can identify and exploit SQL Injections on those pages successfully.
To step through this recipe, you will need Kali Linux running in Oracle VirtualBox and an Internet connection. No other prerequisites are required.
For this recipe, you need to perform the following steps:
1. Browse to http://172.17.0.2. Log in using the default DVWA credentials and click on SQL Injection in the left-hand side menu. Enter 1 as the user ID in the input box, and it will show you the details of that user, with error messages at the top, as shown in the following screenshot:
2. Copy the session cookie from the browser and run sqlmap against the same URL, passing the cookie with the --cookie switch:
sqlmap --url="http://172.17.0.2/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=eu7s6d4urudkbq8gdlgvj4jba2"
3. Once sqlmap has confirmed the injection, enumerate the backend with the following command:
sqlmap --url="http://172.17.0.2/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=k5c4em2sqm6j4btlm0gbs25v26" --current-db --current-user --hostname
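The reason the id parameter above is exploitable is that DVWA's low-security handler splices the value straight into the query string. The following added example (not code from the book or from DVWA) models that lookup in two forms, the concatenated query sqlmap attacks and the parameterised query that fixes it, against a constructed in-memory SQLite table so that it runs offline. The table name, columns and rows are assumptions made for the demonstration.

```python
"""Added example: DVWA-style user lookup, vulnerable and hardened forms."""
import sqlite3

# Constructed sample rows standing in for DVWA's users table.
SAMPLE_USERS = [
    (1, "admin", "Admin"),
    (2, "gordonb", "Gordon"),
    (3, "1337", "Hack"),
]


def make_db():
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER, user TEXT, first_name TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, user_id):
    """Concatenated query: the pattern behind the recipe's ?id=1 injection.

    Whatever the caller sends in `user_id` becomes part of the SQL text,
    so a quote in the input changes the structure of the WHERE clause.
    """
    sql = (
        "SELECT user_id, user, first_name FROM users "
        "WHERE user_id = '" + user_id + "'"
    )
    return conn.execute(sql).fetchall()


def lookup_safe(conn, user_id):
    """Parameterised query: the value is bound, never parsed as SQL.

    The same injected string is compared, as a whole, against user_id and
    simply fails to match any row.
    """
    sql = "SELECT user_id, user, first_name FROM users WHERE user_id = ?"
    return conn.execute(sql, (user_id,)).fetchall()


def compare(user_id):
    """Return the row counts each variant yields for one input value."""
    conn = make_db()
    return {
        "vulnerable": len(lookup_vulnerable(conn, user_id)),
        "safe": len(lookup_safe(conn, user_id)),
    }


if __name__ == "__main__":
    # A normal lookup behaves identically in both versions.
    print("id=1:", compare("1"))
    # A classic tautology payload returns every row from the vulnerable
    # query and nothing from the parameterised one.
    print("id=1' OR '1'='1:", compare("1' OR '1'='1"))
```

The vulnerable variant returns every row for the tautology input, which is exactly the behaviour sqlmap's boolean-based and UNION-based tests look for; the parameterised variant keeps the query shape fixed regardless of input, which is the fix to apply rather than filtering characters.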
In this recipe, we have used sqlmap to exploit the ID parameter on the authenticated page and extracted information about the databases, users, current user, current database, hostname, and so on. In the above steps we have used the following new switches:
--cookie: This switch uses an HTTP cookie header to access authenticated resources
--dbs: This switch enumerates DBMS databases
--users: This switch enumerates DBMS users
--current-user: This switch retrieves the DBMS current user
--current-db: This switch retrieves the DBMS current database
--hostname: This switch retrieves the DBMS server hostname
Using commix for automated OS command injection
In the first recipe of this chapter, we used Burp Scanner to find the various vulnerabilities in web applications. As you saw there, Burp Scanner detected an OS command injection vulnerability.
Now in this recipe, we will learn how to use the commix tool, which is short for [comm]and [i]njection e[x]ploiter; as the name suggests, it is an automated tool for command injection and exploitation. We will use commix to exploit the entry point identified by Burp Scanner.
To step through this recipe, you will need the following:
For this recipe, you need to perform the following steps:
1. Open a terminal and type commix; it will display the default help in the window, as shown in the following screenshot:
2. Run commix against the DVWA command execution page, passing the session cookie and the POST body, with INJECT_HERE marking the parameter to test:
commix --url "http://172.17.0.2/dvwa/vulnerabilities/exec/" --cookie='security=low; PHPSESSID=b69r7n5b2m7mj0vhps39s4db64' --data='ip=INJECT_HERE&Submit=Submit' --all
If you look closely at the output before the pseudo-terminal shell prompt, you will notice that commix can gather the hostname, current user, current user privileges, operating system, and password file, as shown here:
3. In the shell, run pwd for the present working directory and id for the current user's privileges, as shown in the following screenshot:
In this recipe, we saw how to use commix for command injection and exploitation. Since we had already identified one parameter where command injection could be possible, we used INJECT_HERE to help commix identify the vulnerable parameter, execute queries and show the output. In addition, we used the following switches in the tool, whose purpose and description are as follows:
--url: This switch is used to provide the target URL
--cookie: This switch is used to provide cookies to commix if the target URL is behind authentication; commix uses the cookies to reach the target URL
--data: This switch is used to provide any POST body parameters that need to be sent to the target URL in order to make a valid request
--all: This switch is used to enumerate as much information as possible from the target OS via the command injection, from which we can decide how best to get a stable shell on the server using netcat
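The exec page commix exploits is the classic ping form that builds a shell command from the ip field. The following added example (not code from the book, DVWA or commix) models that handler in Python: the vulnerable version returns the shell string exactly as the page would run it, and the hardened version accepts only a syntactically valid IP address and returns an argv list for subprocess with no shell involved. The function names and the -c 1 ping arguments are assumptions made for the demonstration.

```python
"""Added example: DVWA-style ping handler, vulnerable and hardened forms."""
import ipaddress
import subprocess


def build_command_vulnerable(ip):
    """Mirror the low-security pattern: user input spliced into a shell line.

    Because the string is handed to a shell, metacharacters such as ';',
    '|', '&&' or '$( )' in `ip` are parsed as command separators, which is
    the behaviour commix probes for.
    """
    return "ping -c 1 " + ip


def build_command_safe(ip):
    """Hardened version: validate the value as an IP address, then return
    an argv list so subprocess runs ping directly with no shell parsing.

    ipaddress.ip_address() rejects anything that is not a bare IPv4/IPv6
    literal, so injected separators never survive validation.
    """
    try:
        addr = ipaddress.ip_address(ip.strip())
    except ValueError as exc:
        raise ValueError(f"rejected target {ip!r}: not an IP address") from exc
    return ["ping", "-c", "1", str(addr)]


def is_accepted(ip):
    """Convenience check: True if the hardened builder accepts the value."""
    try:
        build_command_safe(ip)
    except ValueError:
        return False
    return True


def run_ping(ip):
    """Execute the hardened command; shell=False is the subprocess default,
    so the argv list is passed to execve without metacharacter expansion."""
    return subprocess.run(
        build_command_safe(ip), capture_output=True, text=True, timeout=5
    )


if __name__ == "__main__":
    # Constructed inputs: one legitimate address and one carrying a second
    # command after a separator, the shape a scanner's probe takes.
    for value in ("127.0.0.1", "127.0.0.1; id"):
        print("vulnerable shell line:", repr(build_command_vulnerable(value)))
        print("hardened accepts?    :", is_accepted(value))
```

Validating against an allow-list type (an IP address here) and avoiding the shell entirely is the fix; escaping or blacklisting individual characters is the approach DVWA's medium level demonstrates and the one commix routinely bypasses.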