In a previous post, we demonstrated how to access user passwords in DVWA by exploiting its SQL Injection vulnerability. This time, we will introduce sqlmap, a powerful and user-friendly tool that automates the SQL injection exploitation process, allowing us to dump entire databases easily.
n the previous post, we guessed that the column in the “users” table containing passwords was called “password”. However, if our guess had been incorrect, we would have needed to inject a UNION SQL query on the information schema database of the DBMS to retrieve the tables and columns of the targeted database. This process differs for each DBMS and can be time-consuming. Fortunately, sqlmap automates this process and more.
With sqlmap, we can automatically detect injectable parameters in a web application and dump whole databases, tables, or columns. It also has built-in exploitation and password cracking automation features, though we won’t be exploring those in this post as we will be using Metasploit and Hashcat for these purposes. Instead, we will focus on exploiting the same SQL injection vulnerability as in the previous post, performing information gathering on the server, and dumping all its databases.
By using sqlmap, we can easily automate the entire SQL injection exploitation process and save a significant amount of time. Let’s get started!
First, we start by intercepting the HTTP request of the SQL injection form using Burp and saving it to a request file. We then pass this file to sqlmap, which detects the injectable parameters that it can inspect for SQL injections:
To start using sqlmap, we need to provide it with the request file we saved earlier. Sqlmap can automatically parse the file and detect parameters that may be vulnerable to SQL injection:
sqlmap -r request
When sqlmap finds an injectable parameter, it prompts us to choose whether to skip payloads for the rest of the database management system (in this case, MySQL). Then, sqlmap proceeds to gather information about the system, such as the version, current database, and current user.
If sqlmap successfully identifies an injectable parameter, it will ask if we want to continue searching for more. However, if we’ve found what we need, we can stop and move on to the next step.
Even after sqlmap exits, it will have saved information about the request for future use. Let’s use sqlmap to gather more information, such as the database management system version, the current database, and the current user:
sqlmap -r request --banner --current-user --current-db
Now, let’s list the tables in the dvwa database:
sqlmap -r request -D dvwa --tables
Next, let’s list the columns in the
sqlmap -r request -D dvwa -T users --columns
We can also dump the contents of the
password columns in the “users” table:
sqlmap -r request -D dvwa -T users -C user,password --dump
However, if we want to dump the entire dvwa database (which is small in our case), we can use the following command:
sqlmap -r request -D dvwa --dump
As a bonus, we can also list all databases on the server:
sqlmap -r request -D dvwa --dbs
And, if we want to dump all databases on the server, we can use the following command:
sqlmap -r request --dump-all
In case you didn’t notice, the stored XSS we discovered earlier, you can see it in the dumped data as well.