sqlmap Lab

[toggle_content title="Transcript"] Hi Leo Dregier here. I want to talk about SQL map in terms of an application in one of the previous videos we did a phpid= and try to find vulnerable SQL injection sites but in this case I want to take that one step further and start SQL mapping some databases and some applications. Now the fundamental problem that I have here with a video like this is we going to be the easiest thing to do. We are going to find something vulnerable out of the internet and go poke and prod somebody else's stuff. But from the confidentiality point of view you are really not taking advantage of anything that somebody purposely hasn't put out there. I don't want to say purposely. Let us say - because it certainly could be accidental because they don't know that the other sites are vulnerable. The SQL injections but nonetheless t they are putting it up there and because it is out there what do you with that? Anybody could do anything with it and therefore maybe just the disclosure in itself is a problem. Especially when you start digging down into the databases, tables, columns and then you start pulling users like admin and then their passwords and then getting their hashes. Technically that is all disclosed but the problem is legally or ethically how far are you willing to push the envelope in poking and prodding on somebody else's system. So I don't particularly like that approach now there are plenty of videos out there where people are getting all the way down and showing you SQL map all the way to usernames and passwords and commitment and frankly even cracking passwords. We are not going to take that approach - we are going to try to operate more on the ethical side or legal side of ethical. However, you want to look at that. So let us go ahead and start looking at SQL map and if we just type SQL map you will get basically the syntax but just for the record it is under Kali Linux, web applications, database exploitation and then somewhere in here. It is a SQL map - here it is under web vulnerability scanner SQL map here. So truly is a visible vulnerability as opposed to database exploitation which is like SQL engine and things like that which will probably cover another videos. Alright it is python, SQL map and then your option. So python, SQL map and then the options - so in this case it tells hey we are missing a bunch of stuff. No wonder you could do a SQL map -h and that would get you the help and it is not that bad. The absolute key takeaway here is to understand that databases in this case are hierarchal. So what you are ultimately doing is you are trying to put a puzzle together. You are trying to go from the biggest picture and drill down to the smallest picture of the hierarchy but in the smallest part of the hierarchy you want the most valuable resources like usernames and passwords. So it is a big puzzle – big game that you are always trying to play here and approach it just like that - big game. And so what you can see here is just some of the basics overview of the command you have got -h or taq help. This is what you are looking at right now. You have got advanced help which we can cover that later. You can have verbose mode 0 to 6 is a range there. The target you are always going to use the -u or realistically you are going to --url and = whatever url is I personally prefer just a -u and then you can actually use Google dorking. Google dorking is a term that has been coined for some time now but what it actually does is when you click on a Google link. If you notice the URL when are you going this. Google will in itself will send the link to Google then process it internally and then redirect you to the actual search results that you want. So Google dorking is taking the Google search results and basically processing these queries as Google search results as opposed to the actually targeted URL. So my point is that you can actually take Google search results put them in SQL map and process them that way. That is called Google dorking and then the request which you want to try to find data, cookie, random proxy, tour, things like that - injection basically test for SQL injection by far the most popular component that I ever use is the --dbms or database management system and then the particular database management system. Like for example php, asp, aspx or just test a bunch of parameters to try to guess that. You can have detect levels you can setup the risk levels, default both set to 1. Then you have got the specific techniques if you want to get a little bit more advanced. Then you can try to enumerate a bunch of stuff, now you will use a handful of these enumeration options here as you dig down in the hierarchy. Now let us review the hierarchy just so that it is there, first it is the database then once you understand the database then it is the tables in the database. Once you get to a particular table then it is the columns, once you get to a particular table and you know what columns you want like username, password, admin, web, e-commerce whatever it is then you can actually go down to --dump or actually dump the entries in that entry. Now so you get all the way down to the --stump or you actually start pulling usernames and passwords - and then the other things that you will use here by far the most popular is once you find the database then you want to use the -p and specify it once you find specific table then you want to add in the -t. So what you end up doing in the big picture is that you start building this command structure out. So I am going to show you the basics of how to start building out a SQL map statement and I will show you what it looks like on a website that basically have very, very little vulnerability. Also that I own and control and then further things that you do if you really want to throw the spaghetti against the wall and see what sticks. You can do an OS shell to see if you can get prompted for interactive shell or OS --ospwn - So those are others - lastly there is a wizard you can try that - this is nice again - this is over here for beginners. So you could start there but once you kind of know how to build this like I am showing you to build this - the wizard almost becomes irrelevant right way. So that is the overview of the SQL map help and how to build it. Now let us go into how I will want you to actually start building the stuff out. So what I want you to do is go to your desktop and create an empty document - you can call it whatever you want - I going to call it SQL map for the record and I am going to open it and it is going to hope for the kind of keep this off to the side because this is going to make cutting and pasting so,so much easier. So I am going to try to move my windows around a little bit so you can see what is what. So I am going to do 'attack you' and then we are going to do the website http://linuxwarrior.com now I will tell you - you have to watch your syntax here. If - that is why it is really, really hopeful to paste. Copy and paste that way you don't mess up your syntax. Because if I do something like SQL map and I go index.php?id=1 here notice the syntax error. There is no / between the .com and the index this command will run absolutely just fine. You will not get any results and you will go it didn't work - meanwhile what you have is a glaring syntax option that you just didn't catch. So just disclaimer watch your syntax - so we are going to do the URL and then we are going to do a --dbs. databases. Okay and it is going to go through and we get a little summary here. So dont forget that there is two -- here --databases and what we are trying to do is hey let us go to this linuxwarrior.com website which again I own and control and go see if we can pull down the database and get the maps. Everybody should know how to do this - if you have any public facing website. You need to know how to do this because the attacker know how to do this - so why shouldn't you know how to do this of yourself. So leave a disclaimer usage of SQL map for attacking targets without prior mutual consent is illegal right? It is the end user's responsibility meaning you go to jail not me to obey all application local state and federal laws for whatever country you are in. The developers assume no liability and are not responsible for any misuse or damage caused by this program in other words the SQL map folks are basically held on by us. It tells you what time your test started - and then you are basically looked for information on critical. Now it says testing connection to the target URL - great - testing if the target URL is stable. This can take a couple of seconds sometimes even minutes if you have ever spoken action. The target URL is stable so great. So that is always something you are going to look for and then we get a critical warning here. No parameters found for testing in the provided data - so you can use the get parameter id and for example this. So in other words this output is telling me that I didn't supply enough information. This is why it is helpful in your search results to grab something like your phpid and grab this whole string here. I am just using this as an example - I am not saying got to go and test this persons website but it it is this whole string here and I am just willing to show you google search results in the supply chain and it is actually telling you the exact syntax that it wants. So we are going to change our syntax just a little bit to see if we get any results. So we are going to add a fordindex.php?id=1 and then leave your --dbs and let it run again and you will notice right away - you get your legal disclaimer your start time. It is testing the connection and it says because I went to a php page this time. SQL map got a 301 redirect to basically a log in page. Do you want to follow this? In this case I don't because I don't want to try to log into the destination website. I just want to test for SQL injection. I am going to say no - so testing if the target is stable this can take a couple of seconds - warning the get parameter id does not appear dynamic. Heuristics basic test show that to get parameter id might be not be injectable and in this case mine is not. But let this run any way because all of this is documentable stuff that you can use for your penetration testing & reports. So even no results are good results because you are proving hey I am not vulnerable and then you get to learn about how these tests work. So we are basically just going to hang out here on auto pilot and read this like a novel. Try to do this relatively as it is going - it may take a couple of minutes because we are doing a heuristic test here. So it is going to try basically a whole bunch of stuff and we are going to even get some time outs. So heuristics basic test shows your parameter id might not be injectible who for me. However if this was a vulnerable site - you may very well start getting table results right away which I would then go ahead and then copy the table names and address write in here. So the first thing that I would like to document in here is - the URL that you test and then you can copy and paste that right here. So i am going to do http://linuxwarrior.com/index.php? id=1 so even though I wrote that out more than likely you are going to copy and paste that for simplicity. So now you have that and then if you really realistically want even do your whole SQL map statement –u http://linuxwarrior.com index.php?id=1 --dds or the databases and I am going to show you how to build this out. So you keep your documentation going and build this. This will definitely help you for your pen testing reports but also make your life your easy as you build out this tool and go from the top of the hierarchy down to the specifics of the hierarchy or stated differently generic to specific. So in this case it is testing for SQL injection and get parameters - lean based blind where using the where or having clause it is testing for mySQL anything greater than 5.0 error based SQL injection PostGresSQL, Microsoft SQL and again the where and havings I am not going to say that any more because it is pretty much at the end of all of them. It is testing for Oracle and then we get this critical warning here - connection time out to the target URL proxy SQL mac is going to retry. Okay fine. Then it goes and performs some additional tests performing the SQL inline queries and the same thing just different databases. Inline queries, inline queries, inline queries testing mySQL greater than 5.0 in line queries and then it times out again. There is considerable lagging in the connection to response. Please use a higher value for the --time seconds I generally leave this as is. I could add a -- time-sec like 30 seconds or 60 seconds or whatever you want. It really depends on how aggressive you want to be but you notice the command will just time out wait and then it will start new tests. Next that goes into stack queries - so you can see all of this end and stack queries for PostGRES Microsoft, mySQL, PostGRES or actually this switches to time based line for the rest of them. So it is constantly switching between the top databases and then the specific types of tests and it goes through and you can see I am timing out again. So this is good even though I am timing out here. This is good another thing that you could do here while this is running is I could go ahead and try to redirect my output to basically a file. So if you really want good documentation for your pen testing reports. Just go ahead and do --SQL map maybe the dates that you want --month --day. year.txt or something like that - way all of this output automatically get dumped into a file and then you don't have to copy or paste anything. So it is actually done. Again right now we are just doing a quick sand beach check to see if there is a actual databases that we can actually find on our target. So the first thing is the databases. Then it is the tables once you get to the table then it is specific columns. Once it is the columns then you start looking for good columns like users, passwords anything that you would consider a 'of interest' and then you go ahead and dump that out. So in this case it just going to keep timing out here and it is pretty much running to the end of the life of this command and you can see I was not able to pull any public databases down from this site. So I know everybody wants to see - I want you to see the tables. You want to see it I know but it is just as important to see what a secure website looks like versus what an insecure website if you start poking and prodding and doing things that you are not supposed to be doing. I assure you eventually you will find a vulnerability but it is important to understand why – secure looks like before you start exploiting insecure. Some of the other videos that you will find out on the internet. They go right to a secure – insecure database because they have already found it and they would just go right to it and they show you how they can pull usernames and passwords off of a database. In a couple of seconds - what I will end with is that - if this was able to pull down the databases. You would get a big section of white text here - what we actually say here is the databases that we found and then I would copy all of that to my databases. So in this case I will actually just tell what the database is. So if this was one of the – vulnerable you put a section for tables then columns. Then users which we will use the --dump command etc. You can even do that here. So in this case I will actually tell you the table and the table is linux_wp it just happens to be the specific table where all of the stuff is going to be using so far. So nonetheless that is basically the build up to our next command. But you can see - I have got a warning using a unescaped version of the text because zero knowledge of the back ended database. So in this case you can use the --dbms like I said that you are going to the help. This --dbms is helpful because we can do php or asp or aspx or whatever the back end database management system is. So we could have specified that does help speed up some of these tests. But what we are doing here is not necessarily going for speed. We are going for just testing all possibilities to see if we can guess them and therefore I specifically want to leave that off here. Especially when I am working at the highest, highest level here which is the -- dbs component. So you will let this run and eventually it is going to time out here and basically SQL map will shut down. You would have all of this documented copy your documentation and you look on and that is the absolute basics of starting the structure of the SQL map - sequence of queries that you are going to use. So again from the top you start with finding a vulnerability once you find a site that is vulnerable and in any way possible. Single tick is the easiest and then you go the databases. Once you get to the databases then you go to the tables. Once you find a good table then you find good columns. Once you find good columns then you can dump the information out of those columns and then start looking for users and passwords and things like that. And then of course document all of that. And luckily enough this finished -just in time - so it finished by saying hey shutting down. So that concludes the introduction basic how to go and attempts to grab databases from SQL mac. So my name is Leo Dregier thank you for watching and don't forget to check me out and Cybrary don't forget to use it as much as you can because it is designed for free resources. There is plenty of videos resources you can make connections. You can send messages you should be using this by now and making connections. Social network for basically IT security people and there has been a lot of really, really good discussions and dialogues and what that does is that it gives me the feedback to what you guys want to see. So please connect - send your messages either publicly or privately and get them over and let us start a dialogue. My name is Leo Dregier thanks for watching and the easiest way to maintain the connection is to through social networks and cybrary.it So don't forget to check us out on Facebook, LinkedIn, YouTube and Twitter and make sure you like, share and use the website and resources as much as you can. I will see you guys in the next video. [/toggle_content] SQL Map is the final segment of the SQL Injection labs. SQL Map is a database application exploitation tool, another powerful go-to resource for successful Penetration Testing and Ethical Hacking. In this lab, you’ll learn how to use SQL Map to map databases and applications. You’ll learn and discuss how to pull critical information from a database or application including user info and passwords.
Recommended Study Material
Learn on the go.
The app designed for the modern cyber security professional.
Get it on Google Play Get it on the App Store

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Cybrary On The Go

Get the Cybrary app for Android for online and offline viewing of our lessons.

Get it on Google Play

Support Cybrary

Donate Here to Get This Month's Donor Badge

Skip to toolbar

We recommend always using caution when following any link

Are you sure you want to continue?