Monday, April 2, 2018

SQL Injection (V): Automation with SQLMAP


- Layout for this exercise:


- SQLMAP is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers:

- It comes with a powerful detection engine, many niche features for the penetration tester and a broad range of switches ranging from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

- Let's explore some SQLMAP options with -h (help):

- Option -u provides the URL target:

- Option --cookie specifies a cookie for connecting to the target:

- Let's keep the default values, 1 for the level and 1 for the risk of the tests (options --level and --risk):

- Enumeration is an ongoing process that can be run over databases, tables, columns, users, schemas, passwords, and so on:
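From the defender's side, the options above leave a recognisable footprint in the web server logs: sqlmap announces itself with a user-agent starting with "sqlmap/" unless told otherwise, and its boolean-, union- and time-based tests put characteristic SQL fragments into the injected parameter. The following detector is an added example, not code from the original post or from the sqlmap project; the Apache combined-format log lines are constructed for the example, and the DVWA path and IP addresses in them are placeholders.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [02/Apr/2018:10:01:02 +0200] "GET /dvwa/vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1" 200 4512 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/59.0"
10.0.0.9 - - [02/Apr/2018:10:05:11 +0200] "GET /dvwa/vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1" 200 4512 "-" "sqlmap/1.2.4#stable (http://sqlmap.org)"
10.0.0.9 - - [02/Apr/2018:10:05:11 +0200] "GET /dvwa/vulnerabilities/sqli/?id=1%27%20AND%201%3D1--%20&Submit=Submit HTTP/1.1" 200 4512 "-" "sqlmap/1.2.4#stable (http://sqlmap.org)"
10.0.0.12 - - [02/Apr/2018:10:07:40 +0200] "GET /dvwa/vulnerabilities/sqli/?id=1%27%20UNION%20SELECT%20user,password%20FROM%20users--%20&Submit=Submit HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/59.0"
"""

# One combined-format line: ip, ident, user, [timestamp], "request", status, bytes, "referer", "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Fragments typical of the three sqlmap test families seen in a decoded query string.
SQLI_PATTERNS = [
    re.compile(p, re.IGNORECASE)
    for p in (
        r"'\s*(and|or)\s+\S+\s*=\s*\S+",   # boolean-based: ' AND 1=1
        r"\bunion\s+(all\s+)?select\b",     # union-based column extraction
        r"\bsleep\s*\(|\bbenchmark\s*\(",   # time-based blind probes
    )
]


def analyze(log_text):
    """Return (ip, decoded query string, reasons) for every suspicious request."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a production job would count these
        ip, ua, path = m["ip"], m["ua"], m["path"]
        # Decode once so %27 / %20 become the quote and space the regexes expect.
        query = unquote_plus(path.partition("?")[2])
        reasons = []
        if ua.lower().startswith("sqlmap"):
            reasons.append("sqlmap user-agent")
        if any(p.search(query) for p in SQLI_PATTERNS):
            reasons.append("injection pattern in query string")
        if reasons:
            findings.append((ip, query, reasons))
    return findings


def suspicious_ips(findings):
    """Count flagged requests per source address, the usual pivot for blocking or triage."""
    return Counter(ip for ip, _, _ in findings)


if __name__ == "__main__":
    hits = analyze(SAMPLE_LOG)
    for ip, query, reasons in hits:
        print(ip, reasons, query)
    print(suspicious_ips(hits))
```

The fourth sample line shows why the user-agent check alone is not enough: the agent string is a client-side choice and can be changed, so the query-string patterns carry the detection when the banner is gone. Conversely, a request from a sqlmap agent with a clean parameter (second line) is still worth flagging, because the tool's first request is a baseline fetch before any payload is sent.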

2 - Preparing the attack environment

- For this exercise let's use the vulnerable DVWA web application over XAMPP web server running on a Windows 10 machine.

- Taking the SQL Injection as vulnerability:

- Configuring the proxy:

- Using Burp to intercept the submission of the User ID=1:

- These two lines will be useful later, when launching the attack:

3 - Launching the attack

- Enumerating the databases with parameter --dbs:

- Enumerating tables (--tables) at database dvwa (-D):

- Enumerating columns (--columns):

- Enumerating users, user identifiers and passwords, accepting the default answers to SQLMAP's prompts:

- The INFO notification indicates the file where the output is dumped:
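Everything SQLMAP enumerated here follows from one defect: the User ID submitted through the form is concatenated straight into the SQL text. The following script is an added example, not code from the original post or from DVWA, and it uses an in-memory SQLite table with constructed rows rather than DVWA's MySQL database. It places the DVWA-style concatenated query next to a parameterized one so the difference in behaviour on the same input is visible.

```python
import sqlite3

# Constructed sample rows standing in for DVWA's users table (not the real data).
SAMPLE_USERS = [
    (1, "admin", "admin"),
    (2, "Gordon", "Brown"),
    (3, "Hack", "Me"),
]


def make_db():
    """Build a throwaway in-memory database with the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, user_id):
    """Mirrors the concatenation pattern behind the DVWA SQLi page: the input
    becomes part of the SQL text, so a quote in it ends the literal and the
    rest is executed as SQL."""
    sql = "SELECT first_name, last_name FROM users WHERE user_id = '" + user_id + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, user_id):
    """Parameterized form: the driver sends the value separately from the
    statement, so it can only ever be compared as data, never parsed as SQL."""
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(sql, (user_id,)).fetchall()


def lookup_validated(conn, user_id):
    """Belt and braces: reject anything that is not an integer before it
    reaches the database, which also gives a clean place to log the attempt."""
    if not user_id.isdigit():
        raise ValueError("user_id must be a positive integer")
    return lookup_safe(conn, int(user_id))


if __name__ == "__main__":
    conn = make_db()
    normal = "1"
    tautology = "1' OR '1'='1"  # classic textbook input that is always true
    print("vulnerable, normal   :", lookup_vulnerable(conn, normal))
    print("vulnerable, tautology:", lookup_vulnerable(conn, tautology))
    print("safe, normal         :", lookup_safe(conn, normal))
    print("safe, tautology      :", lookup_safe(conn, tautology))
```

With the concatenated query the tautology returns every row, which is exactly the foothold SQLMAP's boolean tests look for; with the parameterized query the same string is compared as a literal user_id and matches nothing. Note that the parameterized lookup still accepts the string "1" because SQLite applies the column's numeric affinity to the bound value; the validated wrapper is the stricter option for a field that should only ever hold an integer.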