Blind SQL Injection for Forms fields using SqlMap

SQLMAP

Sqlmap is an automatic SQL injection tool entirely developed in Python. Its goal is to detect and take advantage of SQL injection vulnerabilities on web applications. Once it detects one or more SQL injections on the target host, the user can choose among a variety of options to perform an extensive back-end database management system fingerprint, retrieve DBMS session user and database, enumerate users, password hashes, privileges, databases, dump entire or user's specific DBMS tables/columns, run his own SQL SELECT statement, read specific files on the file system and much more

Blind SQL Injection for Forms 

Here we vulnerable application Mutillidae that is vulnerable to sql injection. And the attacker system is Kali Linux. As sqlmap already installed in the operation system. To check all the options available in sqlmap you can use command

sqlmap -h

if there is login page that contain a form that have two parameters user-name and password.

Then command for sql map will be  

sqlmap -u https://172.16.221.129/mutillidae/index.php?page=login.php --forms --dbs

Here  172.16.221.129 is my virtual box ip where mutillidae is hosted.

Here --form option is used for form based authentication it will automatically identify how many parameter are there and try to exploit them.

--dbs is used for databases.

After hitting the enter it will automatically identify parameters and ask attacker what type of attack he want to perform.

Enter y here to continue the sql injection.

After hitting enter sqlmap will ask to continue.

Hit enter

again sqlmap will ask what type of data you want to set as payload. By default it will set random values (payload for sql injection). Hit y and enter.

After sending requests using payloads to find sql injection. If its vulnerable sqlmap ask do you want to exploit. Hit y and hit Enter.

If sqlmap prompt user for input like if there is any other type of response from server like 302, then sqlmap ask user do you want to follow that stream. Then hit n and enter

After finish the scanning sqlmap will show the list of databases.

As we can see there is a database name Mutillidae. Now we have to fatch all the data from this database. By using the option -D databasename and --tables we can fatch the tables names in mutillidae database. Now the sqlmap command will be like.

sqlmap -u https://172.16.221.129/mutillidae/index.php?page=login.php --forms -D mutillidae --tables

and follow the same process as of now. The result will be all the tables in database  mutillidae

Now we got all the tables in database mutillidae.  Now we have to fetch all the values inside table accounts. To fetch all the detail the query will be.

sqlmap -u https://172.16.221.129/mutillidae/index.php?page=login.php --forms -D mutillidae -T accounts --dump

-T options is to set table as table name is accounts here and --dump will get all the data inside the table accounts.

The result will be

Now try to login with user-name and password. Like I am trying username – patches and password  tortoise.

Login is successfully done.

Use can also set threads and risk and level by default value for these parameters is 1.  But if we set values more than 1 then sqlmap create complex query to exploit sql injection vulnerability. It will increase the chances to find vulnerabilities and exploit that vulnerability.