Categories

Archives

Penetration Testing

Configure Sqlmap for WEB-GUI in Kali Linux

Hello everyone and welcome to this tutorial of setting up SQLMAP for Web-GUI. Web-GUI simply refers to an interface that a browser provides you over the http/https service.

SQLMAP is a popular tool for performing SQL injection attacks on sites affected by MySQL errors; be it an error based SQL injection or hidden SQL; sqlmap is the biggest tool there is for performing SQL injection attacks. But very few people know that sqlmap also provides an API for its service that is written in python that we can use to develop a front end for the same sqlmap which is on command line interface.

One such person is Hood3dRob1n(https://github.com/Hood3dRob1n/SQLMAP-Web-GUI) who has created a PHP based front end for sqlmap and today, we’ll be setting it up in Kali Linux. It is needless to say, it will be compatible with any Linux distro.

Let’s get started.

Table of Contents:

  1. Cloning the GitHub repository and giving necessary permissions
  2. Locating and hosting the API
  3. Launching the front end
  4. Attacking practice lab for SQLi

Cloning the GitHub repository

First, we need to clone the Hood3dRob1n repository. To clone, we’ll use the git clone command and put the folder named sqlmap inside “/var/www/html.”

git clone https://github.com/Hood3dRob1n/SQLMAP-Web-GUI
cd SQLMAP-Web-GUI
mv sqlmap ..
cd ..
chmod 777 * sqlmap

 

Locating and hosting the API

The next step is to host an apache server. If you don’t have apache pre-installed, you can install it with apt-get install apache2 command.

After we have hosted the Apache server, we need to run the sqlmapapi.

The default folder would vary with multiple Linux distros, so we used the locate command to locate the file named “sqlmapapi.py

We need to run this API using the command:

python /usr/share/sqlmap/sqlmapapi.py -s

Launching the front end

If you have followed this tutorial so far, you’ll see the following screen when you open localhost/sqlmap

And voila! Just like that, you are good to start injecting SQL queries.

Attacking practice lab for SQLi

There are 6 tabs essentially here.

  • BASIC: This tab allows you to set the URL to test SQL injections. You can set an HTTP method too. Given options are POST, PUT, HEAD etc.
  • REQUEST: Allows you to modify your request with optional parameters like time delay, timeout between requests, no. of retries to connect, user agent etc.
  • INJECTION & TECHNIQUE: Lets you choose which kind of injection and techniques you are applying– Boolean-based, error based, inline etc. as well as other options like use of DBMS hex functions for data retrieval, kind of database (MYSQL or MSSQL) and so on.
  • DETECTION: To set a custom string to match.
  • ENUMERATION: What data to retrieve. Eg: current user and current database dump. Or if you are feeling fancy, all users all data dump. You can play around with it.
  • ACCESS: Access parameters. Leave this at default if you don’t know your way around it.

We will set the parameters one by one as we proceed. But we never attack live websites, hence, we used another PC with an IP address of 192.168.1.105 to host a practice lab for SQL injection attacks called SQL-Dhakkan. Refer to this article to know how you can set it up yourself!

If you are successful to set up the lab, you’ll get a screen something like this:

I am on Lesson 1 currently and I know that id=1 has an error based SQLi vulnerability. So, let’s copy this URL to our web-GUI sqlmap.

It is highly recommended that you get yourself familiar with HTTP methods and read how to manually attack SQLi here because it will give you a profound idea of the options we will be selecting further in the tutorial. But if you wish to continue with the tutorial instead, who am I to stop you!

Go to the enumeration tab and select the methods that you want to test.

Once set, set the type of SQLi you want to perform.

Once you are satisfied with the choices you input, run the scan!

For the purpose of this tutorial, we have performed a really basic scan that tells us the current database and hostname, but you can play around with the parameters as you like.

Conclusion: Web-based GUI for sqlmap is definitely a plus point over the traditional sqlmap for many reasons, one of them being the ease of access. There is no need to remember such long commands. Drag, drop and done!

Plus, web-based GUI is nothing but a web app for you. A web app that runs sqlmap, isn’t it great?

Hope you enjoyed this little tutorial.

Author: Harshit Rajpal is an InfoSec researcher and a left and right brain thinker. contact here