
What is SQLMAP and how to use it?

Last updated on Feb. 28, 2021, 2:09 p.m. by rugved62321

Using sqlmap to test a live website and explore the tool's functionality.

What is sqlmap?

sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. It comes with a powerful detection engine, many niche features for the experienced penetration tester and a broad range of switches ranging from database fingerprinting, through fetching data from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

https://github.com/sqlmapproject/sqlmap 

 

Features

  • Full support for MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase, SAP MaxDB, Informix, MariaDB, MemSQL, TiDB, CockroachDB, HSQLDB, H2, MonetDB, Apache Derby, Amazon Redshift, Vertica, Mckoi, Presto, Altibase, MimerSQL, CrateDB, Greenplum, Drizzle, Apache Ignite, Cubrid, InterSystems Cache, IRIS, eXtremeDB, FrontBase, Raima Database Manager, YugabyteDB and Virtuoso database management systems.
  • Full support for six SQL injection techniques: boolean-based blind, time-based blind, error-based, UNION query-based, stacked queries and out-of-band.
  • Support to directly connect to the database without passing via a SQL injection, by providing DBMS credentials, IP address, port and database name.
  • Support to enumerate users, password hashes, privileges, roles, databases, tables and columns.
  • Automatic recognition of password hash formats and support for cracking them using a dictionary-based attack.
  • Support to dump database tables entirely, a range of entries or specific columns as per user's choice. The user can also choose to dump only a range of characters from each column's entry.
  • Support to search for specific database names, specific tables across all databases or specific columns across all databases' tables. This is useful, for instance, to identify tables containing custom application credentials where relevant columns' names contain strings like name and pass.
  • Support to download and upload any file from the database server underlying file system when the database software is MySQL, PostgreSQL or Microsoft SQL Server.
  • Support to execute arbitrary commands and retrieve their standard output on the database server underlying operating system when the database software is MySQL, PostgreSQL or Microsoft SQL Server.
  • Support to establish an out-of-band stateful TCP connection between the attacker machine and the database server underlying operating system. This channel can be an interactive command prompt, a Meterpreter session or a graphical user interface (VNC) session as per user's choice.
  • Support for database process' user privilege escalation via Metasploit's Meterpreter getsystem command.




 

Functionalities of sqlmap

To view all the options available in sqlmap use the following:

     sqlmap -h, --help            Show basic help message and exit

     sqlmap -hh                   Show advanced help message and exit

 

Let's understand the various functionalities by taking a sample hosted website and trying to find its username and password.

https://redtiger.labs.overthewire.org/level1.php?cat=1 

 

  • Testing the website:

To check whether a site is vulnerable, run sqlmap's most basic and important command, passing the target URL with -u. sqlmap will test every GET parameter in that URL for injection.

sqlmap -u https://redtiger.labs.overthewire.org/level1.php?cat=1

 

 

Threads

The --threads option sets the number of concurrent requests sqlmap sends (the default is 1, the maximum 10). More threads reduce the overall testing time, but they also mean sending more requests in a short interval, so a firewall or WAF is more likely to block you. Keep the value low on live targets: it can also hurt the accuracy of the result, which is why sqlmap drops back to a single thread for time-based blind retrieval, where timing measurements are unreliable under parallel load.


 

Here sqlmap has detected that the back-end DBMS is MySQL and asks whether we want to skip the payload tests specific to other DBMSes. We answer yes, so it runs only the tests that assume a MySQL database, which makes the process faster.

 

sqlmap then sends its test payloads against the parameter, for example the "AND error-based", "OR error-based", "inline queries" and "time-based" tests, and watches how the page responds to each.

 

sqlmap now reports that the first parameter of the URL is vulnerable, i.e. we can use it to extract data. It then asks whether we want it to test the other parameters as well. In our case the URL has a single parameter, "cat":

https://redtiger.labs.overthewire.org/level1.php?cat=1

If our URL had been https://redtiger.labs.overthewire.org/level1.php?cat=1&id=2 and we also wanted to check whether id is vulnerable, we would answer "Yes" to that prompt, and sqlmap would run the same tests against id as it did against cat. (Quote such a URL on the command line: an unquoted & makes the shell put sqlmap in the background and drop the rest of the URL.)

So this is the result of testing. sqlmap lists the injection point, the number of requests it made, and the type, title and payload of each injection it found.

 

Let's understand what it means. Consider the first result:

    Type: boolean-based blind

    Title: AND boolean-based blind - WHERE or HAVING clause

    Payload: cat=1 AND 8204=8204

The important part is the payload "cat=1 AND 8204=8204": the URL plus this payload is the injection point. The page still displays the category, "The hackit is cool...", because the appended condition is true and the WHERE clause still matches the row.

  1. The condition 8204=8204 evaluates to true, so the request shows the category:

https://redtiger.labs.overthewire.org/level1.php?cat=1%20AND%208204=8204

  2. If we use the payload 8204=8203 instead, the condition evaluates to false, the query matches no row and the category is not displayed:

https://redtiger.labs.overthewire.org/level1.php?cat=1%20AND%208204=8203

That difference between the "true" page and the "false" page is the whole technique: sqlmap never sees query results directly, it only learns one bit per request (did the page change or not) and asks enough such yes/no questions to reconstruct data character by character.

 

 

 

 

 




 

Practical DEMO

Target: https://redtiger.labs.overthewire.org/level1.php?cat=1

  1. Retrieve the DBMS current user:

     sqlmap -u https://redtiger.labs.overthewire.org/level1.php?cat=1 --current-user

  2. Retrieve the DBMS current database:

     sqlmap -u https://redtiger.labs.overthewire.org/level1.php?cat=1 --current-db

  3. Enumerate the tables of that database. Now that we have figured out the database name (hackit), let's get the table names inside it:

     sqlmap -u https://redtiger.labs.overthewire.org/level1.php?cat=1 -D hackit --tables

     On this target sqlmap cannot list the tables directly. The workaround it offers is a brute-force guess: it tries every name in its common-tables.txt wordlist against the hackit database and reports the ones that exist.

     Output: the guess is successful and we obtain the table name "level1_users".

  4. Retrieve the columns of that table:

     sqlmap -u https://redtiger.labs.overthewire.org/level1.php?cat=1 -D hackit -T level1_users --columns

  5. Dump the data from hackit's "level1_users" table:

     sqlmap -u https://redtiger.labs.overthewire.org/level1.php?cat=1 -D hackit -T level1_users --dump

     sqlmap first retrieves the column names and then dumps the contents of the table.

  6. We now have a username and password; let's try logging into the website:

     https://redtiger.labs.overthewire.org/level1.php?cat=1

     Giving the input to the login form gives the output: LOGIN SUCCESSFUL

 

CRAWL

--crawl is an important option that lets sqlmap crawl the website, starting from the URL given with -u, and collect the links it finds as test targets. The depth to crawl is given as its value.

sqlmap -u http://192.168.202.160/ --crawl=1

--crawl=DEPTH: the number of link levels to follow from the starting page (for example --crawl=2 follows the links on the start page and then the links on those pages; the value is a link depth, not a directory depth).

If we want to exclude pages from the crawler's scope we can give a regular expression with --crawl-exclude. This is useful when crawling behind a login, because the crawler would otherwise request the logout page.

sqlmap -u http://192.168.202.163/ --crawl=3 --cookie="cookie value" --crawl-exclude="logout"

This command crawls the website three link levels deep, sends the given session cookie with every request and skips any URL matching "logout". In the output sqlmap lists the crawled URLs with the logout URL left out.

Running the same command without --crawl-exclude shows sqlmap visiting the logout URL. That invalidates the existing session (the server logs us out), so the remaining authenticated pages can no longer be scanned and the run does not complete as intended.

 

Batch

The --batch switch is for non-interactive runs. During a scan sqlmap often stops to ask a question: for example, while crawling it asks whether we want to test the URLs it has found, and during detection it asks whether to skip tests for other DBMSes. With --batch the tool answers every such question with its default and proceeds without waiting for the user, which is what you want in scripts and scheduled scans.

 

 

 

 

 

 

 

 

 

Form

A page URL containing a form (say a login page) can be given together with the --forms switch; sqlmap parses the page, extracts the form fields and the form's action URL, and asks the user which of the identified fields to test.

Pages with a large number of form fields can be tested efficiently by combining --forms with --batch: the page is parsed, the form fields are detected and the prompts are answered automatically on the user's behalf.

If the entire application has to be scanned, the --crawl option can be combined with --forms and --batch.

Verbose

To see the payloads the tool is sending, raise the verbosity with -v. Levels run from 0 to 6 (the default is 1): level 3 shows the injected payloads, 4 adds the full HTTP requests, 5 the HTTP response headers and 6 the response bodies.

 

Running System Commands

sqlmap can run OS-level commands through the database server when the back-end DBMS is MySQL, PostgreSQL or Microsoft SQL Server and the current database user has the required privileges (DBA rights). Both switches work against Linux and Windows servers; they differ in how you interact:

For an interactive shell:

sqlmap -u http://192.168.202.162/cat.php?id=1 --os-shell

For a single command:

sqlmap -u http://192.168.202.162/cat.php?id=1 --os-cmd=<cmd>

 

Running SQL Queries

We can run our own SQL statements on the back-end database with an interactive SQL shell:

sqlmap -u http://192.168.202.164/cat.php?id=2 --sql-shell

Each statement typed into the shell is executed through the injection point and its result fetched back, so on a blind injection a SELECT over a large table costs many requests. (--sql-query=QUERY runs a single statement without the interactive shell.)

 


 

...

by rugved62321
KJ Somaiya College of Engineering Mumbai
