Lab - SQL Injection Attack Using SQLmap
Overview
In this lab, students will learn to perform an automated SQL injection attack using SQLmap.
SQLmap
Straight from the source….
SQLmap is an open source penetration testing tool that automates the process of detecting and
exploiting SQL injection flaws and taking over of database servers. It comes with a powerful
detection engine, many niche features for the ultimate penetration tester and a broad range of
switches lasting from database fingerprinting, over data fetching from the database, to
accessing the underlying file system and executing commands on the operating system via
out-of-band connections.
Lab Requirements
• One virtual install of Kali Linux with an Internet connection.
Begin the lab!
Open a terminal and at the prompt type sqlmap -h. This will list the commands
supported by SqlMap.
We begin by executing a simple query of a potential target running a web application using
SQL.
1
�At the terminal prompt, type:
sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1
Be sure to read everything in the output. There’s a lot of good information returned. Notice
the use of the union query use to combine two or more SQL statement. Also, take note of how
the null command was used to locate database information from the backend of the SQL
server.
What we hope to do is capture some information about the version of SQL running and
version information.
SQLmap may ask questions during the enumeration of the target when in doubt how best to
answer, type in a ‘y’ for yes.
In our next step, we gather information about the different databases that are present. To do
this, we will add --dbs to the end of our previous command.
Tip! Remember to use your up arrow to see your command history. Type in space, 2 single
dashes (--) followed by dbs.
2
�Two databases were identified.
We are now ready to obtain information about what the acuart database holds. To get this
information, we need to view the tables in the database. To do this, we will use the -D switch
telling Sqlmap to find the tables inside the acuart database.
sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 -D
acuart --tables
We are shown the tables present in the database.
3
�We next need to tell SQLmap to show use the columns present in the table named users inside
the acuart database. Use your up arrow and add the needed commands.
sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 -D
acuart -T users --columns
We are shown the columns present in the user table inside the acuart database.
Let’s have SQLmap show us the contents of the following columns of information using the
following command.
4
�sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 -D
acuart -T users -C email,name,pass --dump
We are given the email address, the name, and password for the account.
Summary
Using an automated tool such as SQLmap makes performing a SQL injection attack quite
painless. We can use what we have demonstrated here using a test site and replacing the URL
for the site with any web address running a vulnerable web application attached to a SQL
database.
The question that remains is how we locate these vulnerable web applications. The answer is
by using something called Google Dorks. Google is just a big search engine the information it
stores is data driven which means it uses a database of some type.
The Dork part is a reference to the SQL or website administrator that failed to secure their
database from SQL injection attacks.
Open a Google search engine and type the following:
inurl:"products.php?prodID="
You should be able to read the query and discern that we are looking for any URL that
contains the following information. When we wrap in quotes, we are telling Google exactly
what to search for.
My search results show 5,920 URL that contains this string.
5
�We can use SQLmap to conduct the search for us.
sqlmap -g "inurl:\"products.php?prodID=1\""
SQLmap is scanning the URL of the website that fit the criteria of our search.
This time the attack failed, but there are plenty more targets to choose from. As a Pentester,
this is another tool we can use to test for vulnerable web applications. Normally we would
conduct a vulnerability scan using a web application vulnerability scanner such as Vega. If the
results are positive for a SQL injection attack, we would ask for permission to proceed with
trying to exploit the target.
Type in the following Google Dorks one line at a time to search for more targets of
opportunities.
allinurl:*.php?txtCodiInfo=
inurl:read.php?=
inurl:”ViewerFrame?Mode=”
inurl:index.php?id=
inurl:trainers.php?id=
inurl:buy.php?category=
6
� inurl:article.php?ID=
inurl:play_old.php?id=
inurl:declaration_more.php?decl_id=
inurl:pageid=
Locating the latest Google Dorks
Google Hacking Database (GHDB)
Summary
How can we protect our DB against SQLMap? One solution might be to use the POST method
instead of GET so sensitive data will not be visible in a browser. Also, use string escape against
SQL injection. Another might be turning off Search Engine Optimization (SEO) for all
vulnerable endpoints after the main domain, allow www.domain.com to be searched but
everything after / will not be searched.
End of the lab!
