SQLMAP

Sqlmap is an automatic SQL injection tool entirely developed in Python. Its goal is to detect and take advantage of SQL injection vulnerabilities in web applications. Once it detects one or more SQL injections on the target host, the user can choose among a variety of options: perform an extensive back-end database management system fingerprint, retrieve the DBMS session user and database, enumerate users, password hashes, privileges and databases, dump entire or user-specified DBMS tables/columns, run their own SQL SELECT statements, read specific files on the file system, and much more.
Blind SQL Injection for Forms
Here the vulnerable application is Mutillidae, which is vulnerable to SQL injection, and the attacker system is Kali Linux, where sqlmap is already installed. To see all the options available in sqlmap, use the command

sqlmap -h
If there is a login page containing a form with two parameters, user-name and password, then the sqlmap command will be

sqlmap -u https://172.16.221.129/mutillidae/index.php?page=login.php --forms --dbs

Here 172.16.221.129 is my VirtualBox IP where Mutillidae is hosted. The --forms option is used for form-based authentication: sqlmap automatically identifies how many parameters the form has and tries to exploit them. --dbs is used to enumerate the databases.
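The reason a login form like this one is exploitable is that the two form parameters are concatenated straight into the SQL statement. The following added example (not code from the original post, and not Mutillidae's own PHP) shows that pattern beside its parameterized fix in Python with an in-memory SQLite table; the table, the account rows and the probe inputs are constructed for the demonstration:

```python
import sqlite3


def make_db():
    # Constructed stand-in for the application's accounts table; the rows
    # are sample data, not the contents of the Mutillidae database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)",
                     [("alice", "wonderland"), ("bob", "builder")])
    return conn


def login_vulnerable(conn, username, password):
    # Builds the statement by string concatenation, so user input is parsed
    # as SQL. This is the defect a --forms scan is probing the login page for.
    query = ("SELECT username FROM accounts WHERE username = '" + username
             + "' AND password = '" + password + "'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    # Parameterized statement: the driver passes input as data, never as SQL,
    # so the same inputs cannot change the query's structure.
    row = conn.execute(
        "SELECT username FROM accounts WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def raises_sql_error(login_fn, conn):
    # A stray quote breaks the concatenated statement and the database raises
    # an error; that difference in server behaviour is the kind of signal an
    # automated scanner relies on to detect the injection point.
    try:
        login_fn(conn, "x", "y'")
        return False
    except sqlite3.OperationalError:
        return True


def demo():
    conn = make_db()
    tautology = "' OR '1'='1"   # textbook tautology, constructed for the demo
    return {
        "vulnerable_normal": login_vulnerable(conn, "alice", "wonderland"),
        "vulnerable_bypass": login_vulnerable(conn, "x", tautology),
        "safe_normal": login_safe(conn, "alice", "wonderland"),
        "safe_bypass": login_safe(conn, "x", tautology),
        "vulnerable_errors": raises_sql_error(login_vulnerable, make_db()),
        "safe_errors": raises_sql_error(login_safe, make_db()),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With the concatenated version the tautology in the password field turns the WHERE clause into `(username = 'x' AND password = '') OR '1'='1'`, which matches every row, so the first account is returned without a valid password; the parameterized version returns nothing for the same input and never raises a database error for a quote, which is exactly why sqlmap finds nothing to work with on a form written that way.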
After hitting Enter, sqlmap automatically identifies the parameters and asks the attacker what type of attack to perform. Enter y here to continue the SQL injection. Sqlmap will then ask whether to continue; hit Enter again. Next it asks what type of data you want to set as the payload. By default it sets random values (the payloads for the SQL injection); hit y and Enter.

Sqlmap then sends requests using the payloads to find the SQL injection. If the form is vulnerable, it asks whether you want to exploit it; hit y and Enter. If sqlmap prompts for input because the server returned another type of response, such as a 302 redirect, it asks whether you want to follow that redirect; hit n and Enter.

After the scan finishes, sqlmap shows the list of databases.
As we can see, there is a database named mutillidae. Now we have to fetch all the data from this database. Using the options -D databasename and --tables we can fetch the table names in the mutillidae database, so the sqlmap command becomes

sqlmap -u https://172.16.221.129/mutillidae/index.php?page=login.php --forms -D mutillidae --tables

Follow the same sequence of prompts as before. The result will be all the tables in the database mutillidae.
Now that we have all the tables in the database mutillidae, we have to fetch all the values inside the table accounts. The command to fetch those details is

sqlmap -u https://172.16.221.129/mutillidae/index.php?page=login.php --forms -D mutillidae -T accounts --dump

The -T option sets the table, which here is accounts, and --dump retrieves all the data inside the table accounts. The result will be the dumped contents of that table.
Now try to log in with a user-name and password from the dump. I am trying username patches and password tortoise. Login is successful.
You can also set threads, risk and level; the default value for each of these parameters is 1. If we set values higher than 1, sqlmap creates more complex queries to exploit the SQL injection vulnerability, which increases the chances of finding and exploiting it.
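Seen from the web server's side, every step above leaves a trace: sqlmap identifies itself in its default User-Agent (its default value contains the string "sqlmap"), and raising --threads, --level or --risk only multiplies the number of requests it sends to the same page. The added example below (not part of the original post) is a small Python analyzer over a few constructed combined-format access-log lines that flags those signals; the IP addresses, timestamps, the "sqlmap/1.x#stable" User-Agent string and the burst threshold are all constructed or assumed values for the demonstration:

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote_plus, urlsplit

# Combined log format: ip ident user [ts] "METHOD target PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Tokens that rarely occur in legitimate query strings but are typical of
# injection test requests sent against GET parameters; used only to flag
# lines for review, not as proof of an attack.
SQL_MARKERS = ("'", "union select", "sleep(", "benchmark(", "waitfor delay")

# Assumed threshold: this many requests from one client to one path within
# the sample is treated as a scanner burst. Tune it to real traffic volumes.
BURST_THRESHOLD = 5

LOGIN = "/mutillidae/index.php?page=login.php"

# Constructed sample traffic (not captured from a real host): one ordinary
# visitor, six POSTs from a client using sqlmap's default User-Agent, and one
# GET whose query string carries a URL-encoded single quote.
SAMPLE_LOG = "\n".join(
    [f'10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET {LOGIN} HTTP/1.1" 200 5120 "-" "Mozilla/5.0"']
    + [
        f'10.0.0.9 - - [01/Jan/2024:10:00:{2 + i:02d} +0000] "POST {LOGIN} HTTP/1.1" '
        f'200 5120 "-" "sqlmap/1.x#stable (https://sqlmap.org)"'
        for i in range(6)
    ]
    + [f'10.0.0.7 - - [01/Jan/2024:10:00:09 +0000] "GET {LOGIN}&username=admin%27 HTTP/1.1" '
       f'200 5120 "-" "Mozilla/5.0"']
)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def line_indicators(rec):
    """Per-request signals: scanner User-Agent and SQL-like tokens in the query string."""
    reasons = []
    if "sqlmap" in rec["ua"].lower():
        reasons.append("sqlmap user-agent")
    query = unquote_plus(urlsplit(rec["target"]).query).lower()
    if any(tok in query for tok in SQL_MARKERS):
        reasons.append("sql marker in query string")
    return reasons


def analyze(log_text):
    """Map each client IP with at least one signal to its sorted list of reasons."""
    findings = defaultdict(set)
    per_ip_path = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = urlsplit(rec["target"]).path
        per_ip_path[(rec["ip"], path)] += 1
        for reason in line_indicators(rec):
            findings[rec["ip"]].add(reason)
    # Volume signal: a scanner sends many requests to one page in a short time.
    for (ip, path), n in per_ip_path.items():
        if n >= BURST_THRESHOLD:
            findings[ip].add(f"burst: {n} requests to {path}")
    return {ip: sorted(reasons) for ip, reasons in findings.items()}


if __name__ == "__main__":
    for ip, reasons in analyze(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```

The User-Agent match is the cheapest signal but also the weakest, since sqlmap's --random-agent option replaces the default string; the request burst survives that change, and for form-based (POST) injection it is the main thing an access log shows, because the payloads travel in the request body rather than the query string.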