Vulnerable Life by Vulneraman | Cyber Security Blog

Testing for SQL Injection with sqlmap

1. Introduction

This article introduces sqlmap and shows how it can be used to detect and exploit SQL injection vulnerabilities.

2. SQL injection

This vulnerability allows the attacker to modify an SQL query. Improper validation of data sent by the user causes the data to be interpreted as a part of an SQL query.

SQL injection can lead to:

– reading data from the database (confidentiality affected)

– changing data in the database (integrity affected)

– deleting the database (availability affected)

The sections below show how SQL injection can be used to learn the credentials of registered users. When this is the case, the attacker can easily impersonate an arbitrary user of the vulnerable system. Sqlmap is used as the detection and exploitation tool [1].
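The mechanism described above, as an added example that is not part of the original article: a credential lookup built by string concatenation next to the same lookup with bound parameters. SQLite stands in for the MySQL database behind Mutillidae, and the column names, sample rows and function names are assumptions made for the example.

```python
import sqlite3

def make_db():
    """In-memory stand-in for the accounts table (constructed sample rows)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (username TEXT, password TEXT)")
    db.executemany("INSERT INTO accounts VALUES (?, ?)",
                   [("alice", "s3cret"), ("bob", "hunter2")])
    return db

def lookup_concatenated(db, username, password):
    """Vulnerable pattern: user input becomes part of the SQL text."""
    sql = ("SELECT username FROM accounts WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return [row[0] for row in db.execute(sql)]

def lookup_parameterized(db, username, password):
    """Hardened pattern: input is bound as data and never parsed as SQL."""
    sql = "SELECT username FROM accounts WHERE username = ? AND password = ?"
    return [row[0] for row in db.execute(sql, (username, password))]

def compare(db, username, password):
    """Run both lookups on the same input; report SQL errors instead of raising."""
    results = {}
    for name, lookup in (("concatenated", lookup_concatenated),
                         ("parameterized", lookup_parameterized)):
        try:
            results[name] = sorted(lookup(db, username, password))
        except sqlite3.Error:
            results[name] = "SQL error"
    return results

if __name__ == "__main__":
    db = make_db()
    cases = [("alice", "s3cret"),       # valid credentials
             ("abc", "'"),              # lone quote breaks the query syntax
             ("abc", "' OR '1'='1")]    # quote-delimited input rewrites the WHERE clause
    for username, password in cases:
        print(repr(password), compare(db, username, password))
```

Only the concatenated lookup changes behaviour when the input contains a quote; the parameterized lookup returns no rows for every unregistered credential pair.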

3. Target

Let’s attack the website used for viewing account details in OWASP Mutillidae II (a web application that is intentionally vulnerable, covering the OWASP Top 10 vulnerabilities [2]). This website is vulnerable to SQL injection and is available at 192.168.56.101/mutillidae/index.php?page=user-info.php when OWASP Mutillidae II is used on Metasploitable (a Linux-based virtual machine that is intentionally vulnerable [3]; 192.168.56.101 is the IP address of Metasploitable).

Remark: edit /var/www/mutillidae/config.inc on Metasploitable and set $dbname = 'owasp10'; to make OWASP Mutillidae II work.

The website requires username and password to view the details of the account. These parameters will be tested for SQL injection by sqlmap.

4. Request interception

Parameters of the request can be entered manually in sqlmap. However, it’s more convenient to intercept the request, save it and pass it to sqlmap as one of the parameters. Then there is no need to enter the parameters of the request manually (a time-consuming process for requests with many parameters).

Let’s set the Security Level to 0 (can be changed using Toggle Security) in OWASP Mutillidae II. Then intercept the request with Burp Suite (an integrated platform for web site security testing [4]) and save it. The attacker is not registered in the system (username and password can be arbitrary – abc and def respectively in the intercepted request).

5. Launching sqlmap

Sqlmap is included in Kali Linux (penetration testing distribution [5]). Use the following command in Kali Linux to launch sqlmap.

root@lab:~# sqlmap -r /root/recorded_request --tables

The previously saved request is loaded from a file when -r is used. One should use --tables to enumerate database tables when SQL injection is detected.

6. Vulnerabilities and payloads

Let’s see the vulnerabilities found by sqlmap. The tool detected that the username and password parameters are vulnerable to SQL injection. The user is asked to specify the injection point that will be used to extract database tables (the output is presented in the Exploitation section of the article).

The user can also read the payloads used to identify the injection points (presented for username parameter).

7. Exploitation

Sqlmap was asked to extract database tables. The attacker wants to read the credentials of registered users. He expects that the table accounts in database owasp10 stores these credentials.

Let’s use the following command in Kali Linux to dump the entries from accounts table:

root@lab:~# sqlmap -r /root/recorded_request --dump -D owasp10 -T accounts

The output is presented below. The SQL injection vulnerability was used to learn the credentials of the registered users.

8. Summary

An SQL injection vulnerability was introduced. It allows an SQL query to be modified as a result of improper validation of data sent by the user. As a consequence, the confidentiality, integrity and availability of data in the database can be affected. Sqlmap was used to detect and exploit the SQL injection vulnerability.

References:

[1] Sqlmap

http://sqlmap.org/ (access date: 10 September 2014)

[2] OWASP Mutillidae II

http://sourceforge.net/projects/mutillidae/ (access date: 10 September 2014)

[3] Metasploitable

http://www.offensive-security.com/metasploit-unleashed/Metasploitable (access date: 10 September 2014)

[4] Burp Suite

http://portswigger.net/burp/ (access date: 10 September 2014)

[5] Kali Linux

http://www.kali.org/ (access date: 10 September 2014)

http://resources.infosecinstitute.com/testing-sql-injection-sqlmap/
