Collaborative Virtual Computer Lab (CVCLAB)
Penn State Berks
Log on to the Windows 7 virtual machine for this activity. Open the link called SQM, which is available at C:\sqlmap\sqm
In this activity, you will perform database enumeration and password recovery via several automated SQL injection techniques using a program called SQLMAP. In Part A, you will learn how to generate a query using SQLMAP and how to enable several options that the GUI offers. Any vulnerability analysis starts with target discovery and enumeration. In Part B, you will learn how to use the information gathered from Part A to obtain the usernames and passwords stored in the database.
SQLMAP is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. It comes with a powerful detection engine, many niche features for the experienced penetration tester and a broad range of switches ranging from database fingerprinting, through data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.
At the end of the activity, you will submit a lab report. The requirements of the lab report are specified within the instructions.
In order to exploit a vulnerability we must first have a vulnerable target. A target website named Mutillidae, developed by irongeek.com, has a multitude of vulnerabilities already built in, from cross-site scripting to SQL injection. We are going to focus on SQL injection for now, so let's observe how something like this might happen.
You are going to paste or write the following into your internet browser:
http://192.168.1.230/mutillidae/
You should see the following website:
Mutillidae gives students of web security many options to learn different attack methods so that they may later understand how to prevent these attacks.
For now we are going to choose the Login/Register link.
On this next page we can observe a few things:
The URL of the site: http://192.168.1.230/mutillidae/index.php?page=login.php
By looking at this we can tell that index.php (the top level page) was told to load the page login.php through a GET parameter called page. This marks the first injection point, because index.php uses that GET parameter directly and it may be vulnerable.
When we view the code we can already see the injection point located in the HTML link itself. Because of this we have no security in place: there is no code that validates the parameter value before it is used, so whatever is placed in the URL is passed straight through.
Login forms are a major concern for web developers using SQL databases, as many injections can be inserted at this point due to sloppy coding.
We are going to save the tutorial on SQL injection for another time and just focus on letting SQLMAP do the hard stuff for us.
B. Getting Familiar with SQLMAP.
In order to start using SQLMAP you must first locate a program file named sqm, which should be located at:
C:\sqlmap\sqm
Run the python script called sqm and you should see the following on your screen:
SQLmap Command Builder works by assembling the sqlmap command line for you from several options. You must familiarize yourself with the following areas in order to make the program run properly.
A. The URL field should be checked if you are trying to test a web page.
B. The Target field is where you input the URL of the page you are trying to test. For our purposes it would be:
http://192.168.1.230/mutillidae/index.php?page=login.php
C. Query to SQLMAP: This field should be left blank. It will be generated when we click Get Query and will be populated with all the options we want the SQLmap command builder to run.
D. Get Query should be chosen only after we populate the tool with options.
E. Start is chosen when we are ready to run the program.
Aside from the main GUI we also have several option fields to familiarize ourselves with. They are as follows:
1. Settings:
The Settings section offers several different options, such as the verbosity level and other general options that change the way sqlmap queries the target.
A lot of these settings tell SQLmap how much to report to the user, and also which connection methods should be used, such as routing through a proxy like the TOR network.
2. Injection | Detection | Technique
This section allows you to choose specific tamper scripts and injection methods based on pre-built Python scripts. You should only change these options if you need to set a specific payload.
Detection Options:
Risk: 1 ~ 4 (default 1). Raising the risk includes more injection types in the tests, but increases the chance of being noticed (and of causing side effects on the target).
Level: 1 ~ 5 (default 1). This switch requires an argument which specifies the level of tests to perform. There are five levels. The default value is 1, where a limited number of tests (requests) are performed. Conversely, level 5 will test verbosely with a much larger number of payloads and boundaries (a boundary is a pair of SQL payload prefix and suffix). The payloads used by sqlmap are specified in the text file xml/payloads.xml. Following the instructions at the top of that file, if sqlmap misses an injection, you can add your own payload(s) to test for as well.
3. Request
The Request section is used if you want to set certain parameters that change how SQLmap connects to the target URL. For example, setting Data changes the data string that is sent through _POST.
4. Enumeration
The Enumeration section is used to find out many useful things, such as the current database (current-db) or the tables within a database. You can even retrieve the users and passwords tables and attempt to crack the password hashes found there.
5. Access
The Access section is used for more advanced SQL injection methods that aim at obtaining control of the entire system, not just the SQL database.
C. Enumerating with SQLmap command builder.
We are going to start the database enumeration project by inputting our attack information into the correct fields and finding the current database that the login.php form is using.
Do the following steps:
How your screen should look:
After you choose Get Query you should notice how the SQLMAP query was generated:
Now that we have our completed query we can click start and see what happens.
SQLmap opens in its command window and starts to test the form login.php using different SQL injection techniques. Since we didn't specify any particular types of attacks to use, it is launching every possible payload.
We can see here that at [03:24:42] SQLmap identified that the GET parameter we talked about earlier might be injectable, while the other test methods are still listed.
When prompted with "GET parameter 'page' is vulnerable. Do you want to keep testing the others (if any)? [y/N]", we are going to select N and hit Enter, since we already have a vulnerability that we want to inject into.
Here we see the vulnerability is indeed in a GET parameter, and we can see what payload was used in the Payload section below. This shows that an "AND" clause was inserted after the page=login.php part of our URL.
Finally, we can see that SQLmap found that the current database being used was entitled ‘nowasp’, as well as that it was a MySQL database running on an Apache 2.4.3 webserver with PHP version 5.4.7.
Review question (to be submitted):
D. Dumping table contents using SQLmap
If you researched enough you should have been able to find that the database 'nowasp' contains several tables. For some of these we will use the dump command to retrieve all the columns of interest.
Also, here is some of the information we will be using, taken from the end of the enumeration section:
Database: nowasp
Table: accounts
Columns: username,password
You are going to choose the following options:
Here we can see SQLmap found 16 entries in the username and password columns and begins to retrieve each one sequentially.
Lastly we arrive at our final output:
and we can see that SQLmap command builder has given us all the usernames and passwords located in the accounts table. SQLmap also checks for possible password hashes, such as MD5, and gives you the option to crack them automatically.
Review questions (to be submitted):
How can we fix this?
There are many methods you can use to fix SQL injection errors, such as:
One way of fixing these types of URL injections is to use PHP code to control which page the URL is allowed to load.
Here we can see the beginnings of SQL injection prevention by storing $_REQUEST["page"] into a variable called $lPage. This helps to get rid of the vulnerable GET parameter that was displayed in our previous URL, and only the selected page (*selectedpage.php) is shown.
A much more secure method of preventing URL injection would include the following code.
This code reads the selected page from the "page" parameter using $_GET and stores it in a variable called $lPage. It then sets a flag named $lPageIsAllowed by checking $lPage for characters that could be used for injection or code execution, such as /, ^, \, +, "", ' and so on; if such characters are present, the user is redirected to page-not-found.php instead of the requested page.
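As an added example (not the lab's or Mutillidae's own code), here is the same idea in PHP: the "page" parameter is checked for the suspicious characters the text lists and then matched against a fixed allowlist of page files, so anything else lands on page-not-found.php. The file names, constants and the exact character pattern are assumptions.

```php
<?php
// Added example, not Mutillidae's code: resolve the "page" GET
// parameter against a fixed allowlist instead of using it directly.
// ALLOWED_PAGES and SUSPICIOUS_PATTERN are assumptions for this demo.

// Only files listed here may ever be served via index.php?page=...
const ALLOWED_PAGES = [
    'home.php',
    'login.php',
    'register.php',
    'page-not-found.php',
];

// Characters the lab text singles out as injection/traversal markers,
// plus "..": slash, backslash, caret, plus, quotes, angle brackets, etc.
const SUSPICIOUS_PATTERN = '/[\/\\\\^+"\'<>;()=]|\.\./';

/**
 * Return the page file to include, or page-not-found.php when the
 * requested value is absent, malformed, or not on the allowlist.
 */
function resolvePage(?string $requested): string
{
    if ($requested === null || $requested === '') {
        return 'home.php';
    }
    // First reject anything carrying suspicious characters outright
    // (the $lPageIsAllowed check), then require an exact allowlist match.
    if (preg_match(SUSPICIOUS_PATTERN, $requested) === 1) {
        return 'page-not-found.php';
    }
    if (!in_array($requested, ALLOWED_PAGES, true)) {
        return 'page-not-found.php';
    }
    return $requested;
}

// Constructed sample inputs, including an "AND" clause appended to
// page=login.php like the one sqlmap reported in the Payload section.
$samples = [
    'login.php',
    'login.php AND 1=1',
    '../../etc/passwd',
    'secret.php',
];
foreach ($samples as $s) {
    printf("%-25s -> %s\n", $s, resolvePage($s));
}

// Real use in index.php: include(resolvePage($_GET['page'] ?? null));
```

Because the final decision is an exact match against ALLOWED_PAGES, the character check is defence in depth: even a payload that avoids every listed character still cannot reach a file that is not on the list.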
Review questions (to be submitted):