Comprehensive Guide to Sqlmap (Target Options)

Hello everyone. This article focuses on a category of sqlmap options called the target options. Many readers may not have tried them, but they prove very useful in corporate engagements, where targets tend to arrive as proxy logs, saved requests and URL lists rather than as a single URL.

In this article we shift our focus back to one of the finest SQL injection testing tools available: sqlmap.

The tool comes pre-installed in Kali Linux, but you can also download its Python script from here.

Since attacking a live website without permission is a crime, we restrict ourselves to websites built for testing. We also use a local PC with SQL Dhakkan installed; refer to the articles published earlier for how to configure Dhakkan on your own machine.

So, without further ado, let’s dive in.

First and foremost, I configured SQL Dhakkan on a machine with IP address 192.168.1.132 and opened the Lesson 1 tab, the error-based SQLi exercise.

Target URL

One of the most basic options. Every web application is reached through URLs, and a URL whose parameter ends up inside a database query is the way into the database behind it.

Adding -u <URL> to the sqlmap command line specifies the URL to test for SQL injection. It is the most basic and necessary option; the parameters in the query string are what sqlmap injects into.

Here, let's enumerate all the databases reachable through 192.168.1.132 by appending --dbs.


Now all the databases available on the given host have been enumerated.

Targeting Log File

Many tools save a log file recording the requests that pass through them. sqlmap can be fed such a log with the -l option (it understands Burp Suite and WebScarab proxy logs) and will test every URL the log contains.

In reality the log may record many targets, but here, for simplicity, we capture a single request in Burp Suite and save it as the log. Let's turn on intercept.

Go to "leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1" and capture the request in Burp. The site hosts an SQL injection lab on a public IP for penetration testers.

The captured request will look something like this:


Now right-click -> Save item and save the request as "logfile" on the desktop. No extension is needed.


Open a terminal and point sqlmap at the log file with the -l option; it parses every request in the file and tests each one in turn.

Target Bulkfile

A bulk file is a text file listing one target URL per line, each being the exact URL (page and parameter) where injection applies. It is passed to sqlmap with the -m option.

So, let's create a bulk file on the desktop called bulkfile.txt.


Opening the file in nano, a command-line text editor, lets us feed in some URLs.

To save the file: CTRL+O -> ENTER

To exit nano: CTRL+X

We are all set to attack both URLs together by passing the file with -m:


We get the list of databases for the first URL and can then continue with the other one.

Target Google Dorks

We can also automate the discovery of SQLi by giving sqlmap a Google dork as the target (the -g option). sqlmap searches Google for pages matching the dork and runs its tests against each result in turn. Disclaimer: this runs against any site that matches the dork, government or military sites included, which is a serious criminal offence, so use it with great care.

Error-based SQL injections are often found at URLs containing ".php?id=<num>", so we can use the inurl: Google dork to find sites with that in their URL.

As you can see, sqlmap has found a website with "?id=1" in its URL.

I press n and cancel the sqlmap scan, since testing a site without permission is a crime.

We can also choose the page of Google results from which the dork results are taken with the --gpage option.

Target HTTP requests

An HTTP client sends a request to the server as a request message with the following structure:

  • A Request-line
  • Zero or more header (General|Request|Entity) fields followed by CRLF
  • An empty line (i.e., a line with nothing preceding the CRLF) indicating the end of the header fields
  • Optionally a message-body

The Request-Line begins with a method token, followed by the Request-URI and the protocol version, and ends with CRLF. The elements are separated by SP (space) characters.

Request-Line = Method SP Request-URI SP HTTP-Version CRLF

Hence we can intercept such a request, save it in a text file and hand the file to sqlmap with the -r option. sqlmap reads the Request-Line and headers itself, so the Host header, cookies, custom headers and any POST body are all carried along and available for testing.

I captured the request for "master.byethost18.com/Less-1/?id=1" in Burp, saved it in a text file called "httprequest.txt" and ran the command:

As you can see, sqlmap has detected the target in the text file. We can further add --dbs to fetch all the databases.
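As an added example (my own code, not code from the article or from sqlmap), here is a small Python parser that does what the -r, -l and -m workflows above rely on: it splits a saved request into Request-Line, headers and body, rebuilds the target URL from the Host header, lists the parameters sqlmap would inject into at its default level, and folds several saved requests into the one-URL-per-line bulk file format. The two sample requests are constructed for the example: the hosts and paths follow the article, while the headers and the login form fields are assumptions.

```python
"""Parse saved HTTP requests the way sqlmap's -r and -l options have to, and
emit the one-URL-per-line list that -m reads. Example code written for this
article; it is not part of sqlmap."""
from urllib.parse import parse_qsl, urlsplit

# Constructed sample requests (hosts and paths follow the article; headers and
# the POST body are invented for the example).
SAVED_REQUEST = (
    "GET /Less-1/?id=1 HTTP/1.1\r\n"
    "Host: master.byethost18.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Accept: text/html\r\n"
    "Connection: close\r\n"
    "\r\n"
)
SAVED_LOGIN = (
    "POST /Less-11/ HTTP/1.1\r\n"
    "Host: 192.168.1.132\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 38\r\n"
    "\r\n"
    "uname=admin&passwd=admin&submit=Submit"
)


def parse_request(raw):
    """Split a raw request into Request-Line parts, headers and body.

    Request-Line = Method SP Request-URI SP HTTP-Version CRLF; the header
    block ends at the first empty line. LF-only files (as saved by some
    editors) are tolerated."""
    head, sep, body = raw.partition("\r\n\r\n")
    if not sep:
        head, sep, body = raw.partition("\n\n")
    lines = head.splitlines()
    parts = lines[0].split()
    if len(parts) != 3:
        raise ValueError(f"malformed Request-Line: {lines[0]!r}")
    method, target, version = parts
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def target_url(req):
    """Rebuild the absolute URL from the Host header and Request-URI.

    A request saved from an interception proxy carries a relative URI, so
    without the Host header there is no target to test."""
    if req["target"].startswith(("http://", "https://")):
        return req["target"]
    host = req["headers"].get("host")
    if not host:
        raise ValueError("no Host header: cannot derive the target URL")
    scheme = "https" if host.endswith(":443") else "http"
    return f"{scheme}://{host}{req['target']}"


def injectable_parameters(req):
    """Parameters sqlmap tests at its default level: the query string and,
    for a urlencoded POST, the body fields (cookies and headers need a higher
    --level). Returned as (location, name, value) tuples."""
    query = urlsplit(req["target"]).query
    params = [("GET", k, v) for k, v in parse_qsl(query, keep_blank_values=True)]
    ctype = req["headers"].get("content-type", "")
    if req["method"] == "POST" and ctype.startswith("application/x-www-form-urlencoded"):
        params += [("POST", k, v)
                   for k, v in parse_qsl(req["body"].strip(), keep_blank_values=True)]
    return params


def to_bulkfile(raw_requests):
    """Reduce a pile of saved requests to their unique URLs, one per line,
    in the format sqlmap's -m option expects."""
    urls = []
    for raw in raw_requests:
        url = target_url(parse_request(raw))
        if url not in urls:
            urls.append(url)
    return "".join(u + "\n" for u in urls)


if __name__ == "__main__":
    for raw in (SAVED_REQUEST, SAVED_LOGIN):
        req = parse_request(raw)
        print(target_url(req), injectable_parameters(req))
    print(to_bulkfile([SAVED_REQUEST, SAVED_LOGIN, SAVED_REQUEST]), end="")
```

Feeding a request file that lacks a Host header is the most common reason a saved request "does nothing" in sqlmap, which is why the parser refuses such input outright instead of guessing a host.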

I hope this article was helpful and that readers have learned some options they might not have heard of before. Many more options will follow in the next articles. Keep hacking!

Author: Harshit Rajpal is an InfoSec researcher and a left and right brain thinker. contact here

File System Access on Webserver using Sqlmap

Hello everyone and welcome to part two of our sqlmap series. In this article we exploit an error-based SQL injection to upload a shell to the web server and gain control over it. How to do it, the tools required, everything is discussed in as much detail as possible. So, let's dive right in.

Since attacking a live website is a crime, we set up a local host on a Windows system using the XAMPP server and use SQLi Dhakkan to create SQL injection vulnerabilities in a database.

You can download XAMPP and SQL dhakkan from here and here respectively.

Step one is to fire up the XAMPP control panel and put SQL Dhakkan in the C:\xampp\htdocs directory, the default document root for web pages. The IP address on which SQL Dhakkan is hosted in my network is 192.168.1.124.

So, let’s start by checking the ports open on the server using nmap.

As we can see, MySQL is up and running on the host, so we can go ahead with sqlmap. Strictly speaking the injection travels through the web application, so an exposed 3306 is not required; the open port just confirms which DBMS to expect.

Hence we see numerous databases listed, so our sqlmap attack was successful.

Checking privileges of the users in the database

Now, to read a file it is important to check whether the database user has the FILE privilege. With FILE we can read files on the server and, moreover, write files to it, subject to the server's secure_file_priv setting and to the OS permissions of the account the MySQL service runs under. sqlmap's --privileges option lists this.

As we can see, the root account (root@localhost) has the FILE privilege.

Let's see who the current user of this server is (--current-user).

As we can see, the current user has the FILE privilege, so we can use --file-read to read a file from the server and --file-write to write a file to the server!

Reading a file from the web server

Let's try reading a file from the document root, say index.php.


We have read a file from a known directory successfully! We can use DirBuster to find other folders and files and read those too, privileges permitting. Note that the file is read by the MySQL service, not the web server, so anything that service account can open is fair game, including files outside the web root such as configuration files.

Uploading a shell on the web server

Now let's try to upload a file to the web server. For this we use --file-write for the local file and --file-dest for the destination path on the server.

For the shell we choose a simple command-injection PHP shell that ships with Kali in the /usr/share/webshells directory, named simple-backdoor.php.

Having copied the shell to the desktop, let's upload it to the web server.

It has been uploaded successfully.

Let's verify that it really was uploaded.

It was indeed uploaded. Now let's access the shell from the browser.

192.168.1.124/shell.php


It is a command-line shell, so we can execute any Windows command remotely from the browser. The commands run with the privileges of the Apache process that executes the PHP, whatever account XAMPP was started under.

The usage is: …..php?cmd=<windows command>

Let's run ipconfig from the browser.

Hence we have successfully uploaded a shell and turned an SQL injection into remote command execution on the server! Thanks for reading!

Author: Harshit Rajpal is an InfoSec researcher and a left and right brain thinker. contact here

Detect SQL Injection Attack using Snort IDS

Hello friends!! Today we are going to discuss how to detect SQL injection attacks using Snort. Before moving ahead, kindly read our previous two articles on Snort installation (manually or from the apt repository) and on rule configuration to enable it as an IDS for your network.

Basically, in this tutorial we use Snort to capture network traffic and analyse it for the SQL injection quotes injected into a web page to obtain information about a web server's database. Snort generates an alert when such malicious traffic is seen on its network, so the network administrator is immediately alerted to the suspicious traffic and can take effective action against the attacking IP.

Requirement

IDS: Snort (Ubuntu)

Web application: Dhakkan

You can configure your own web server with the help of our article "Configure Web server for penetration testing".

Let’s Begin!!

Identify Error Based SQL Injection

As we know, in error-based SQL injection the attacker uses single quotes (') or double quotes (") to break the SQL query and identify the vulnerability. Therefore, be smart and add a rule in Snort that analyses traffic for error-based SQL injection when someone tries to execute an SQL query on your network for unprivileged access to the database.

Execute the command below in Ubuntu's terminal to open Snort's local rules file (local.rules) in a text editor.

Now add the line below, which inspects incoming traffic to port 80 of any IP on the network.

If you read the rule you will notice that I applied a filter on the content "%27" and "%22", the URL-encoded forms a browser uses for the single quote (') and double quote (") respectively when it sends the URL.

Turn on Snort's IDS mode by executing the command below in a terminal:

Now test the rule by making an error-based SQL injection attack on the "Dhakkan" web application: open the server IP in a web browser and use a single quote (') to identify the SQL injection vulnerability, as shown below.

For more detail on Error Based SQL injection read our previous article.

Now, when the attacker sends the malicious quote from the browser to test for error-based SQL injection, the IDS on the network should capture the content and generate an alert.

As predicted, in the image you can observe that Snort generated an alert for error-based SQL injection when it captured the malicious quote.

With that alert in hand the network admin can act against the attacking IP: as shown in the image, the malicious traffic is coming from 192.168.1.21 to port 80.

Testing Double Quotes Injection

Now open the server IP in the web browser again and use a double quote (") to identify the SQL injection vulnerability, as shown below.

When the attacker sends the double quote from the browser, the IDS should likewise capture the content and generate an alert.

In the image you can observe that Snort generated an alert for error-based SQL injection when it captured the %22 content.

Again the admin can act on the alert: the malicious traffic is coming from 192.168.1.21 to port 80.

Boolean Based SQL Injection

As we know, in boolean-based SQL injection the attacker uses the AND/OR operators, confirming that the database is vulnerable by comparing the results of queries that evaluate to either TRUE or FALSE.

Now add a rule in Snort that analyses traffic for boolean-based SQL injection when someone tries to execute an SQL query on your network for unprivileged access to the database. Here I applied a filter on the content "and" and "or". nocase makes the match case-insensitive, so AND/and and OR/or are all caught. Be aware that such short strings also occur inside ordinary words, paths and headers ("order", "form", "brandon"), so these rules are noisy; in production anchor the keyword to its surrounding delimiters (for example %20and%20) and to the request URI before relying on it.

Turn on Snort's IDS mode by executing the command below in a terminal:

Open the server IP in the web browser again and use the AND operator to identify the boolean-based SQL injection vulnerability, as shown below.

For more detail on boolean-based SQL injection read our previous article.

When the attacker sends the AND payload from the browser, the IDS should capture the content and generate an alert.

As predicted, in the image you can observe that Snort generated an alert for boolean-based SQL injection when it captured the content AND.

Again the admin can act on the alert: the malicious traffic is coming from 192.168.1.21 to port 80.

Testing OR Operator

Open the server IP in the web browser again and use the OR operator to identify the boolean-based SQL injection vulnerability, as shown below.

When the attacker sends the OR payload from the browser, the IDS should capture the content and generate an alert.

In the image you can observe that Snort generated an alert for boolean-based SQL injection when it captured the content OR.

Again the admin can act on the alert: the malicious traffic is coming from 192.168.1.21 to port 80.

Encoded AND/OR

Similarly, in the rule below I applied a filter on the content "%26%26" and "%7c%7c", the URL-encoded forms of && and || that the browser sends. One caveat: browsers emit percent-encoding with upper-case hex digits (%7C%7C), and a Snort content match is case-sensitive unless nocase is given, so write the pattern in upper case or add nocase, otherwise the || rule never fires.

Turn on Snort's IDS mode by executing the command below in a terminal:

Open the server IP in the web browser again and use the && operator to identify the boolean-based SQL injection vulnerability, as shown below.

For more details read our previous article.

When the attacker sends the && payload from the browser, the IDS should capture the encoded content and generate an alert.

In the image you can observe that Snort generated an alert for boolean-based SQL injection when it captured the content %26%26.

Again the admin can act on the alert: the malicious traffic is coming from 192.168.1.21 to port 80.

Testing Encoded OR Operator

Open the server IP in the web browser again and use the || operator to identify the boolean-based SQL injection vulnerability, as shown below.

When the attacker sends the || payload from the browser, the IDS should capture the encoded content and generate an alert.

In the image you can observe that Snort generated an alert for boolean-based SQL injection when it captured the content %7C%7C.

Again the admin can act on the alert: the malicious traffic is coming from 192.168.1.21 to port 80.

Identify Form Based SQL Injection

Form-based SQL injection is also known as "POST error-based SQL injection", because the attacker submits the malicious quotes through the login form of a web page, whose username and password text fields are sent to the web server in the body of a POST request.

Therefore, now add a rule in Snort that analyses traffic for form-based SQL injection when someone tries to execute an SQL query on your network for unprivileged access to the database.

If you read the rule you will notice that I applied a filter on the content "%27". Since the quote now travels in the POST body rather than in the URL, the rule must inspect the whole packet payload, which a plain content match does. Turn on Snort's IDS mode by executing the command below in a terminal:

I used a single quote (') to break the query inside the username text field and clicked Submit.

Username:      ’

From the screenshot you can see that we got an error message (in blue), which means the database is vulnerable to SQL injection.

For more detail on Form Based SQL injection read our previous article.

When the attacker submits the malicious quote through the form, the IDS should capture the content in the POST body and generate an alert.

As predicted, in the image you can observe that Snort generated an alert for form-based SQL injection when it captured the malicious quote.

Again the admin can act on the alert: the malicious traffic is coming from 192.168.1.21 to port 80.

Identify Order by SQL Injection

To identify the number of columns in the query, the untrusted user may use an ORDER BY clause, which sorts the result set in ascending or descending order by the given column; an ORDER BY with a column number larger than the number of columns returns an error, which is what gives the count away.

Now add a rule in Snort that analyses traffic for order by SQL injection when someone tries to execute an SQL query on your network for unprivileged access to the database. Here again I applied a filter on the content "order".

Turn on Snort's IDS mode by executing the command below in a terminal:

Open the server IP in the web browser again and use an order by string to identify the number of columns, as shown below.

When the attacker sends the order by string from the browser, the IDS should capture the content and generate an alert.

As predicted, in the image you can observe that Snort generated an alert for order by SQL injection when it captured the malicious string.

Again the admin can act on the alert: the malicious traffic is coming from 192.168.1.21 to port 80.

Identify Union Based SQL Injection

We all know that in union-based SQL injection the attacker uses the UNION operator to combine the result set of an injected SELECT with that of the original query, which is why the column count found with ORDER BY above matters. Therefore, add a rule in Snort that analyses traffic for union select SQL injection when someone tries to execute an SQL query on your network for unprivileged access to the database. Here again I applied a filter on the content "union".

Turn on Snort's IDS mode by executing the command below in a terminal:

Open the server IP in the web browser again and use a union select string to extract data from the database, as shown below.

When the attacker sends the union select string from the browser, the IDS should capture the content and generate an alert.

As predicted, in the image you can observe that Snort generated an alert for union select SQL injection when it captured the malicious string.

Again the admin can act on the alert: the malicious traffic is coming from 192.168.1.21 to port 80.

Author: Sayantan Bera is a technical writer at hacking articles and cyber security enthusiast. Contact Here

Penetration Testing on MYSQL (Port 3306)

In this article we learn to make the MySQL port vulnerable and then secure it, as part of penetration testing on port 3306. To understand how to secure a service on a port you have to understand how to make it vulnerable and then test it, because if you don't understand what can be exploited and how, you will always fail to secure it.

Table of Content

  • Introduction to MySQL-Server
  • Installation of MySQL-Server
  • Pen testing MySQL-Server

Introduction to MySQL-Server

The core of MySQL is the MySQL server, which handles most of the database instructions (commands). MySQL Server is available as a separate program for use in a networked client/server environment and as a library that can be embedded (linked) into separate applications. MySQL works alongside several utility programs that support the administration of MySQL databases. Instructions are sent to MySQL Server by means of the MySQL client, which is installed on a PC. The server listens on port 3306 by default.

Installation of MySQL-server

The first thing to do is install the MySQL server; use the following command:

Further, use the following command to check whether the server is up and running or not.

Pentesting MySQL-Server

Scanning Mysql & Connecting to Mysql

Now, as you can see, the MySQL server is working properly. But if you scan the port from another host, the scan reports it closed.

The port appears closed because the server is bound to the local address only: the default bind-address in MySQL's configuration file is 127.0.0.1, so the port shows as open only when scanned from that IP, as in the image below, and any other host sees it closed. To change this, open the configuration file using the following command:

To change the setting, put a '#' in front of the bind-address line to comment it out, as shown in the image below (an explicit bind-address = 0.0.0.0 has the same effect), and restart the service so the change takes effect:

Now if you scan it, it will show you that the port is open.

But if you then try to log in through this port, you get an error. This is because MySQL accounts are defined as user@host pairs, and by default the root account only accepts connections from localhost; the server does not grant other IPs the right to do their bidding.

The error goes away when you log in to the MySQL server locally and run the following commands, which grant all privileges to the root user for logins from any host (the wildcard % as the host part). This is exactly the weakening an attacker hopes for: it is what makes the brute-force and data-extraction modules below usable from a remote machine:

Now, when you try to log in, you will succeed, as shown in the image below:

Let's scan the port again to grab as much detail as we can, such as the banner (version string), the MAC address, etc.

Mysql Brute-Force Attack

One can also brute-force the service using Metasploit. The mysql_login module simply queries the MySQL instance with user/password combinations. To use it, open a terminal in Kali, type 'msfconsole' and then use the following commands to start the brute-force login:

Running SQL queries without Login into Mysql

The mysql_sql module allows simple SQL statements to be executed against a MySQL instance given the appropriate credentials. For this, type:

Extract Mysql-Schemadump Information

Our next module, mysql_schemadump, extracts the schema information from a MySQL database server. For this auxiliary module, type:

Extracting Login from Mysql-server

To extract the usernames and password hashes from a MySQL server and store them for later cracking, use the mysql_hashdump module:

Once the module has completed, you can see its results in the loot file it creates, as shown in the image below:

Checking Writable Directories

Another attack against the MySQL port is to check which directories are writable. By default this cannot be done; only if the admin has made the following configuration change can an attacker enumerate writable directories:

Then add secure_file_priv="" at the end of the file (under the [mysqld] section) and restart the service. An empty secure_file_priv removes every restriction on where LOAD_FILE and SELECT ... INTO OUTFILE/DUMPFILE may read and write; the default on current packages either confines them to a single directory or disables them altogether.

Now, if you run the following module (mysql_writable_dirs) through Metasploit, it enumerates writable directories using MySQL's SELECT INTO DUMPFILE feature.

Enumerating File

For further pentesting of the MySQL port, you can use the mysql_file_enum module, which enumerates files and directories using MySQL's load_file feature:

Changing the Default Port

Next comes moving MySQL off its default port. This is sometimes done to reduce the service's exposure, but it is obscurity only: a full port scan (nmap -p-) followed by a banner grab still identifies MySQL, so it must be combined with a proper bind-address, firewall rules and host-restricted accounts. To change the port, open the configuration file using the following command:

Then change the port number to whichever you want; here we used 4033.

After changing the port and restarting the service, a scan shows the MySQL service running on the new port instead of the default one.
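The settings toggled in this article (bind-address commented out, secure_file_priv emptied, the port moved) are easy to check mechanically. As an added example written for this page, not part of MySQL or of any Metasploit module, the script below parses the [mysqld] section of a my.cnf and reports the weakened settings. The two configuration fragments are constructed for the example; their layout and the /var/lib/mysql-files directory are assumptions.

```python
"""Audit the [mysqld] settings this article toggles: bind-address, port and
secure_file_priv. Example code written for this article, not part of MySQL or
of any Metasploit module; both configuration fragments are constructed."""

# The "made vulnerable" state built above: bind-address commented out and
# secure_file_priv emptied.
WEAKENED_CNF = """\
[mysqld]
user            = mysql
#bind-address   = 127.0.0.1
port            = 3306
datadir         = /var/lib/mysql
secure_file_priv=""
"""

# A hardened counterpart: loopback only, file operations confined to one directory.
HARDENED_CNF = """\
[mysqld]
user             = mysql
bind-address     = 127.0.0.1
port             = 3306
datadir          = /var/lib/mysql
secure-file-priv = /var/lib/mysql-files
"""


def mysqld_settings(text):
    """Active key/value pairs of the [mysqld] section.

    Lines starting with '#' or ';' are comments, which is why putting '#' in
    front of bind-address removes the restriction entirely. MySQL treats '-'
    and '_' in option names as the same, so names are normalised to '_'."""
    section, settings = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "mysqld" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().lower().replace("-", "_")] = value.strip().strip("\"'")
    return settings


def audit(text):
    """Findings as (setting, severity, explanation); an empty list means clean."""
    s = mysqld_settings(text)
    findings = []
    bind = s.get("bind_address")
    if bind is None or bind in ("0.0.0.0", "::", "*"):
        findings.append(("bind_address", "high",
                         "mysqld accepts connections on every interface, so the port is exposed to the network"))
    sfp = s.get("secure_file_priv")
    if sfp == "":
        findings.append(("secure_file_priv", "high",
                         "empty value: FILE-privileged users can read and write wherever the mysqld process can"))
    elif sfp is None:
        findings.append(("secure_file_priv", "info",
                         "not set in the file: the effective value is the package's compiled-in default"))
    port = s.get("port", "3306")
    if port != "3306":
        findings.append(("port", "info",
                         f"non-default port {port}: obscurity only, a full scan and the banner still reveal MySQL"))
    return findings


if __name__ == "__main__":
    for name, cnf in (("weakened", WEAKENED_CNF), ("hardened", HARDENED_CNF)):
        print(name, audit(cnf) or "no findings")
```

Run it against the mysqld.cnf you edited above to confirm what you changed. When secure_file_priv is not set in the file, ask the running server with SHOW VARIABLES LIKE 'secure_file_priv': the compiled-in default varies by package, and a value of NULL disables LOAD_FILE and INTO OUTFILE entirely, which is the safest state for a server that never needs them.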

So this is how to make MySQL Server exploitable and, by reversing each step (binding to the loopback address again, dropping the wildcard-host grant and restoring secure_file_priv), how to secure it.

Author: Yashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast. contact here