Web application Penetration Testing SQL Injection with SQLMAP
For this Penetration testing tutorial it is recommended that you set up your Kali Linux Machine . We will be using one of the most popular SQL Injection exploiting tool / Penetration Testing Tool .i.e SQLMAP .
SQLMAP
SQLMAP is a tool that ships in with KALI Linux and makes the task of SQL Injection easier for a penetration tester . Here is a Link to the Official Website of SQLMAP . The Good News is that SQLMAP is Open Source . SQLMAP is ment to Automate the process of detecting and exploiting rge SQL injection flaws and to some extent helps to take over the Database Server . SQL MAP comes with a powerful engine that enables it to fingerprint the Database server , fetch the data from the database server , access the underlying file system and execute commands on the Server operating system .
Feature support of SQLMAP include : Full support for MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase and SAP MaxDB database management systems.
These are practically all the DBMS . Most common one is MySQL
These are practically all the DBMS . Most common one is MySQL
Penetration Testing Using SQL MAP
For this Tutorial we will be using http://testphp.vulnweb.com/ as our test web application for penetration testing with SQLMAP . You can visit the website and it is a vulnerable test application by Accunetix .
Starting SQLMAP : Nothing needs to be done to start SQLMAP , just open the terminal and type :
for the help options . This will basically provide you with a List of all the Commands available with SQL Map .
To start with we will begin with a Basic command : sqlmap -u <URL to inject>
Sometimes, using the –time-sec helps to speed up the process, especially when the server responses are slow.
Either ways, when sqlmap is done, it will tell you the Mysql version and some other useful information about the database.
Depending on a lot of factors, sqlmap my sometimes ask you questions which have to be answered in yes/no. Typing y means yes and n means no. Here are a few typical questions you might come across-
- Some message saying that the database is probably Mysql, so should sqlmap skip all other tests and conduct mysql tests only. Your answer should be yes (y).
- Some message asking you whether or not to use the payloads for specific versions of Mysql. The answer depends on the situation. If you are unsure, then its usually better to say yes.
Enumeration of Database
In this step, we will obtain database name, column names and other useful data from the database. So first we will get the names of available databases. For this we will add –dbs to our previous command. The final result will look like
In this step, we will obtain database name, column names and other useful data from the database. So first we will get the names of available databases. For this we will add –dbs to our previous command. The final result will look like
So the two databases are acuart and information schema.
Table
Now we are obviously interested in acuart database. Information schema can be thought of as a default table which is present on all your targets, and contains information about structure of databases, tables, etc., but not the kind of information we are looking for. It can, however, be useful on a number of occasions. So, now we will specify the database of interest using -D and tell sqlmap to enlist the tables using –tables command. The final sqlmap command will be
Table
Now we are obviously interested in acuart database. Information schema can be thought of as a default table which is present on all your targets, and contains information about structure of databases, tables, etc., but not the kind of information we are looking for. It can, however, be useful on a number of occasions. So, now we will specify the database of interest using -D and tell sqlmap to enlist the tables using –tables command. The final sqlmap command will be
The result should be something like this –
Database: acuart
[8 tables]
+———–+
| artists |
| carts |
| categ |
| featured |
| guestbook |
| pictures |
| products |
| users |
+———–+
Now we have a list of tables. Following the same pattern, we will now get a list of columns.
Database: acuart
[8 tables]
+———–+
| artists |
| carts |
| categ |
| featured |
| guestbook |
| pictures |
| products |
| users |
+———–+
Now we have a list of tables. Following the same pattern, we will now get a list of columns.
Columns
Now we will specify the database using -D, the table using -T, and then request the columns using –columns. This is where we will start to get the Valuable Information .
Now we will specify the database using -D, the table using -T, and then request the columns using –columns. This is where we will start to get the Valuable Information .
Data
Now, if you were following along attentively, now we will be getting data from one of the columns. While that hypothesis is not completely wrong, its time we go one step ahead. Now we will be getting data from multiple columns. As usual, we will specify the database with -D, table with -T, and column with -C. We will get all data from specified columns using –dump. We will enter multiple columns and separate them with commas. The final command will look like this.
Now, if you were following along attentively, now we will be getting data from one of the columns. While that hypothesis is not completely wrong, its time we go one step ahead. Now we will be getting data from multiple columns. As usual, we will specify the database with -D, table with -T, and column with -C. We will get all data from specified columns using –dump. We will enter multiple columns and separate them with commas. The final command will look like this.
Here as you can see we have successfully exploited the Database sever and extracted the username and password from the server . Please post your valuable comments in case you need further (more advanced) guide to SQL injection . This will keep us motivated to write more and more tutorials for you .
