All posts for the month February, 2014

Hi Friends. Today we will see how to perform SQL injection with sqlmap. sqlmap is an “open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers”. It is pre-installed in Kali Linux. For this tutorial I am using Vulnerawa as the target, so it is necessary to set up a webapp pentest lab with it. See how to set up a webapp pentest lab.

Once the webapp pentest lab is ready, open the browser in Kali Linux and type the address as shown below (the IP address may differ for you). You should see the Vulnerawa web page as shown below. Click on “About”.

sqlmap1

The page below will open. It shows the founders of Vulnerawa.

sqlmap2

Click on “Founder 1”. It will show brief details about him, as shown below.

sqlmap3

Similarly, go back and click on “Founder 2” and “Founder 3”. The results are as below. If you have observed closely, the “id” parameter in the URL changes as we click on different users: for Founder 1 it is 1, and so on sequentially.

sqlmap4

sqlmap5

Now introduce a single quote ( ' ) character in the URL, after the number, as shown below.

sqlmap6

Press “Enter” and the page will show an error as shown below: “You have an error as shown below……..”. A syntax error triggered by a single quote means the parameter is being spliced directly into the query, so this is a clear sign that the web page is vulnerable to SQL injection.
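Why a stray quote is such a telling symptom, shown as an added Python example (not Vulnerawa's own code, which is PHP on MySQL): a constructed in-memory SQLite `users` table stands in for the tutorial's table, `founder_vulnerable` builds the query by concatenating the `id` parameter the way the vulnerable page does, and `founder_safe` binds the same input as a parameter; the table contents and function names are assumptions for this illustration.

```python
import sqlite3

# Constructed stand-in for the tutorial's "users" table (Vulnerawa itself is a
# PHP application on MySQL; this is an added illustration, not its code).
SAMPLE_USERS = [
    (1, "founder1", "secret1", "founder1@example.com"),
    (2, "founder2", "secret2", "founder2@example.com"),
    (3, "founder3", "secret3", "founder3@example.com"),
]


def make_db():
    """Build an in-memory database holding the constructed users rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def founder_vulnerable(conn, id_param):
    """Query built by string concatenation: the URL parameter is parsed as SQL."""
    sql = "SELECT username FROM users WHERE id = " + id_param
    return conn.execute(sql).fetchall()


def founder_safe(conn, id_param):
    """Parameterised query: the same input is bound as a value, never as SQL."""
    return conn.execute("SELECT username FROM users WHERE id = ?", (id_param,)).fetchall()


def probe(query_fn, conn, id_param):
    """Run one query function and report ("ok", rows) or ("error", message)."""
    try:
        return ("ok", query_fn(conn, id_param))
    except sqlite3.Error as exc:
        # The concatenated query fails on the quote, exactly like the page's error.
        return ("error", str(exc))


if __name__ == "__main__":
    db = make_db()
    for value in ("1", "1'", "1 OR 1=1"):
        print(repr(value), "vulnerable:", probe(founder_vulnerable, db, value))
        print(repr(value), "safe:      ", probe(founder_safe, db, value))
```

The bound-parameter version returns no row for the quoted input instead of an error, which is why a quote that produces a database error is worth investigating on your own applications.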

sqlmap7

Now open sqlmap from the path shown below.

sqlmap8

Now copy the vulnerable URL and type the following command in the terminal. Here -u stands for the target URL.

sqlmap9

The result will be as shown below. It reveals the web server technology and the scripting language used.

sqlmap10

Now let’s grab the banner of the website. Type the following command and hit “Enter”.

sqlmap11

You can see the banner as shown below.

sqlmap12

To see the current user of the website, type the following command.

sqlmap13

The current user can be seen below.

sqlmap14

Now let us see the current database used by the website. Type the following command.

sqlmap15

We can see that the current database is “Vulneraw”.

sqlmap16

Now let us list all the tables present in the database “Vulneraw” using the following command.

sqlmap17

We see that there is only one table in the current database: “users”.

sqlmap18

Now let’s see the number of columns in the table “users”. Type the following command.

sqlmap19

We see there are four columns in the table “users”.

sqlmap20

Now let’s dump the values of two columns, username and password, by typing the following command.

sqlmap21

The result is as below. We got the usernames and passwords.

sqlmap22

If we want to dump all the entries of the table, type the following command.

sqlmap23

Here are the entries.

sqlmap24

Now let’s see if we are lucky enough to get a shell on the target. A shell is the target machine’s command line or terminal. Type the following command.

sqlmap25

It will prompt us to enter the application language used by the website. We already know it is PHP, so enter its value. Next it will prompt you for a writable directory. Choose your option wisely; I chose the default root directory of the WAMP server. Hit “Enter”.

sqlmap26

I successfully got the os-shell. Now let’s try some commands. Type “dir” to see the contents of the root directory. It works, as shown below.

sqlmap27


sqlmap28

Let’s see how many users there are on the system. Type the command “net user”. We can see the users listed below. Happy hacking practice.


To find sites vulnerable to this SQL injection, use the Google dork “site:.com inurl:id=1” or similar dorks.