Tag Archive: Sql Injection


Part 1 of this post covered setting up sqlmap and finding the databases on a backend. We discovered that there were 2 databases on the backend, namely information_schema and webscantest, as shown below:

[screenshot]

Let’s find out what tables are present in the webscantest database by executing the following command:

[screenshot]

Once again, after a lot of output, sqlmap presents us with the following list of tables:

[screenshot]

Now, stop here for a second and reflect on the fact that we started with a web app backed by SQL storage and are now seeing how the app’s data is structured. Our next step should obviously be to find the data in the accounts table, which, judging by its name, should store user account details. We do so with the following command:

[screenshot]

And voilà, we have the keys to the castle :)

[screenshot]

We will not cover breaking the password hash in this writeup, but I’ll add a hint: Sqlmap can help you with that too.

This covers how sqlmap actually works and what is needed to break into vulnerable SQL storage. Of course, this was done on a test web app, but the techniques hold just as well for the vulnerable SQL implementations out there.
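Every step walked through above (fingerprinting the stack, listing databases, listing tables, dumping a table) leaves a trail in the web server’s access log. The following is an added example, not code from the original post or from the sqlmap project: a small Python detector run over constructed Apache combined-format log lines that flags sqlmap’s default User-Agent, information_schema lookups, common injection probes, and a burst of distinct parameter values against one script. The IPs, paths and log lines are constructed, and the pattern list and burst threshold are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Apache "combined" access-log format: ip ident user [time] "METHOD path PROTO" status size "referer" "user-agent"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) \S+" '
                    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$')
# Query-string patterns left behind by automated SQL injection enumeration (matched after URL decoding). Assumed list.
SQLI_PATTERNS = {
    "schema_enumeration": re.compile(r"information_schema", re.I),    # what --dbs / --tables style lookups read
    "union_select": re.compile(r"\bunion\b.{0,20}\bselect\b", re.I),
    "boolean_probe": re.compile(r"['\)]\s*(?:and|or)\s+\d+\s*=\s*\d+", re.I),
    "time_probe": re.compile(r"\b(?:sleep|benchmark|pg_sleep|waitfor)\b", re.I),
}
# Constructed sample log: one ordinary visitor (10.0.0.5) and one scanner (203.0.113.7). Not taken from the post.
SAMPLE_LOG = """
10.0.0.5 - - [11/Jan/2017:22:40:01 +0000] "GET /index.php?id=4 HTTP/1.1" 200 1833 "-" "Mozilla/5.0"
10.0.0.5 - - [11/Jan/2017:22:40:09 +0000] "GET /index.php?id=7 HTTP/1.1" 200 1790 "-" "Mozilla/5.0"
203.0.113.7 - - [11/Jan/2017:22:49:16 +0000] "GET /index.php?id=4 HTTP/1.1" 200 1833 "-" "sqlmap/1.0 (http://sqlmap.org)"
203.0.113.7 - - [11/Jan/2017:22:49:17 +0000] "GET /index.php?id=4%27 HTTP/1.1" 500 512 "-" "sqlmap/1.0 (http://sqlmap.org)"
203.0.113.7 - - [11/Jan/2017:22:49:17 +0000] "GET /index.php?id=4%27%20AND%201%3D1 HTTP/1.1" 200 1833 "-" "sqlmap/1.0 (http://sqlmap.org)"
203.0.113.7 - - [11/Jan/2017:22:49:18 +0000] "GET /index.php?id=4%20AND%20SLEEP(5) HTTP/1.1" 200 1833 "-" "sqlmap/1.0 (http://sqlmap.org)"
203.0.113.7 - - [11/Jan/2017:22:49:24 +0000] "GET /index.php?id=4%20UNION%20SELECT%20table_name%20FROM%20information_schema.tables HTTP/1.1" 200 2210 "-" "sqlmap/1.0 (http://sqlmap.org)"
"""

def parse_line(line):
    """Split one combined-format line into fields; returns None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(entry):
    """Return the detection reasons for one parsed request (empty list means nothing suspicious)."""
    reasons = []
    # sqlmap's default User-Agent names the tool; --random-agent hides it, so treat this as one signal of several.
    if entry["ua"].lower().startswith("sqlmap"):
        reasons.append("sqlmap_user_agent")
    query = unquote_plus(entry["path"].partition("?")[2])
    reasons += [name for name, pat in SQLI_PATTERNS.items() if pat.search(query)]
    return reasons

def detect(log_text, burst_threshold=5):
    """Aggregate reasons per client IP; many distinct query strings against one script is flagged as fuzzing."""
    reasons_by_ip, variants = defaultdict(set), defaultdict(set)
    for entry in filter(None, map(parse_line, log_text.splitlines())):
        path, _, query = entry["path"].partition("?")
        variants[(entry["ip"], path)].add(query)
        reasons_by_ip[entry["ip"]].update(classify(entry))
    for (ip, path), queries in variants.items():
        if len(queries) >= burst_threshold:
            reasons_by_ip[ip].add("parameter_fuzzing_burst")
    return {ip: sorted(reasons) for ip, reasons in reasons_by_ip.items() if reasons}
```

The burst check is what catches a scan that hides its User-Agent and encodes its payloads differently; tune `burst_threshold` to the normal traffic of the endpoint.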

A word of caution: Sqlmap is a powerful tool and with great power comes great responsibility. Sqlmap should be used with caution and for responsible disclosure only.


Sqlmap is a framework designed to expose vulnerabilities in SQL-based storage, which is common in web apps. Sqlmap is available here: https://github.com/sqlmapproject/sqlmap. The wiki and the documentation still leave a learning curve for newcomers, so we decided a writeup could be really helpful. This will be a long post that leaves nothing to the imagination, hence it is split into 2 parts.

Numerous web-based applications use SQL-based storage (e.g. MySQL) for their backend. They usually run this database as part of what is known as the LAMP stack, an acronym for the open-source platform these applications are built on: L (Linux), A (Apache), M (MySQL), P (PHP/Perl/Python).

Sqlmap is designed to find flaws and expose vulnerabilities in web applications that use SQL-based database servers (MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase, SAP MaxDB, HSQLDB and Informix). A quick and dirty way to check whether a web application uses a SQL implementation (e.g. MySQL) is to pay close attention to the URL itself. If the URL looks like or matches the ones below:

then there is a very good chance that we can use sqlmap here.

For those familiar with Google hacking/dorks, vulnerable web apps can easily be found by running the following Google dork queries:

  • inurl:index.php?id=
  • inurl:gallery.php?id=
  • inurl:post.php?id=
  • inurl:article?id=

These queries can literally return millions of potentially vulnerable results.

For starters, on a Mac, sqlmap can simply be downloaded, extracted into a separate directory and then executed just like any other Python script. Finding is the first step; exploiting and exposing is the second.

Finding the database used by the backend:

For the purpose of demonstration we will be using this website: www.webscantest.com. To find the database being used, pass the full URL as a parameter to the sqlmap script as shown below:

[screenshot]

The script will ask a few questions and spew out a lot of output; just before it ends it reveals the full implementation details of the web application’s stack, as shown below:

[screenshot]

This is a standard LAMP stack. So far we have found the implementation information; it would be really nice if we could also find out what is in the database. For this, we need to execute the script with the --dbs option as shown below:

[screenshot]

Once again the script spews a lot of output, and in the end it yields the names of the 2 databases contained in the backend:

[screenshot]

This completes the search phase: we have extracted the necessary information about the web app. We now know that it comprises 2 databases, namely information_schema and webscantest. In the second part we will delve deeper into extracting the data from these databases.