Friday, June 14, 2013

SQL_MAP User manual

Introduction

sqlmap is an open source command-line automatic SQL injection tool. Its goal is to detect and take advantage
of SQL injection vulnerabilities in web applications. Once it detects one or more SQL injections on the target
host, the user can choose among a variety of options to perform an extensive back-end database management
system fingerprint, retrieve the DBMS session user and database, enumerate users, password hashes, privileges
and databases, dump entire or user-specified DBMS tables/columns, run their own SQL statements, read or write
either text or binary files on the file system, execute arbitrary commands on the operating system, establish
an out-of-band stateful connection between the attacker box and the database server via a Metasploit payload
stager, database stored procedure buffer overflow exploitation or SMB relay attack, and more.

1.1      Requirements

sqlmap is developed in Python, a dynamic object-oriented interpreted programming language. This makes
the tool independent from the operating system, since it only requires a Python interpreter of version 2.5
or above. The interpreter is freely downloadable from its official site. To make it even easier,
many GNU/Linux distributions come out of the box with the Python interpreter package installed, and other
Unices and Mac OS X also provide it packaged in their formats and ready to be installed. Windows users can
download and install the setup-ready Python installer for x86, AMD64 and Itanium too.
sqlmap relies on the Metasploit Framework for some of its post-exploitation takeover functionalities. You
need to grab a copy of it from the download page. The required version is 3.2 or above; recommended is
the latest 3.3 development version from Metasploit's Subversion repository.
Optionally, if you are running sqlmap on Windows, you may wish to install the PyReadline library to be able
to take advantage of the sqlmap TAB completion and history support functionalities in the SQL shell and
OS shell. Note that these functionalities are available natively through Python's standard readline library on
other operating systems. You can also choose to install the Psyco library to speed up sqlmap's algorithmic
operations.
1.2      Scenario

Let's say that you are auditing a web application and found a web page that accepts dynamic user-provided
values in GET or POST parameters, HTTP Cookie values or the HTTP User-Agent header value. You now
want to test whether these are affected by a SQL injection vulnerability and, if so, exploit them to retrieve as much
information as possible out of the web application's back-end database management system, or even be able
to access the underlying operating system.
Consider that the target url is:

http://192.168.1.121/sqlmap/mysql/get_int.php?id=1

Assume that:

http://192.168.1.121/sqlmap/mysql/get_int.php?id=1+AND+1=1

is the same page as the original one and:

http://192.168.1.121/sqlmap/mysql/get_int.php?id=1+AND+1=2

differs from the original one, then you are in front of a SQL injection vulnerability in the id GET
parameter of the get_int.php web application page. It also means that, at least for this simple payload, no
IDS/IPS, no web application firewall and no server-side sanitization of the parameter's value is getting in the
way (a filter could still block other payloads, so a pass here is not proof that none exists).

This is a quite common flaw in dynamic content web applications and it does not depend upon the back-
end database management system nor on the web application programming language: it is a security flaw in
the programmer's code. The Open Web Application Security Project rated it (as "Injection Flaws") second in
their 2007 OWASP Top Ten, behind only Cross-Site Scripting.

Back to the scenario: the SQL SELECT statement in get_int.php probably has a syntax similar to the
following SQL query, in pseudo PHP code:

$query = "SELECT [column(s) name] FROM [table name] WHERE id=" . $_REQUEST['id'];

As you can see, any syntactically valid SQL condition appended after the value of id becomes part of the
query and is evaluated when the web application passes the query to the back-end database management
system. That is why the condition id=1 AND 1=1 is valid (True) and returns the same page as the
original one, with the same content and without showing any SQL error message.

Moreover, in this simple and easy-to-inject scenario it would also be possible to append not just one or more
valid SQL condition(s) but also stacked SQL queries, for instance something like [...]&id=1; ANOTHER
SQL QUERY#, if the web application technology supports stacked queries, also known as multiple statements.
Now that you have found this SQL injection vulnerable parameter, you can exploit it by manipulating the id
parameter value in the HTTP request.

There exist many resources on the Net explaining in depth how to prevent, detect and exploit
SQL injection vulnerabilities in web applications; it is recommended to read them if you are not familiar
with the issue before going ahead with sqlmap.

Passing the original address,

http://192.168.1.121/sqlmap/mysql/get_int.php?id=1

to sqlmap, the tool will automatically:

- Identify the vulnerable parameter(s) (id in this scenario);

- Depending on the user's options, use the blind SQL injection or the inband SQL injection
technique, as described in the following section, to go ahead with the exploitation.
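The mechanism described in the scenario (the concatenated query in get_int.php, the AND 1=1 / AND 1=2 differential, the stacked-queries case, and the check sqlmap automates when handed the URL), as an added example that is not part of the sqlmap manual. It stands in for get_int.php with an in-memory SQLite database and a small page function in Python; the table users, its columns and the rows are constructed sample data, and responses are compared as returned rows rather than as HTML. The hardened variant beside the vulnerable one shows why a bound parameter defeats the same payload.

```python
import sqlite3

# Constructed sample data standing in for the scenario's unknown table/columns.
SAMPLE_ROWS = [(1, "luther", "blissett"), (2, "fluffy", "bunny"), (3, "wu", "ming")]


def make_db():
    """In-memory stand-in for the back-end DBMS behind get_int.php."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, surname TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def vulnerable_page(conn, id_value):
    """Mirrors the pseudo-PHP: the raw request value is concatenated into the
    query, so whatever follows the number is parsed as SQL."""
    query = "SELECT name, surname FROM users WHERE id=" + id_value
    try:
        return conn.execute(query).fetchall()
    except sqlite3.Error as exc:
        # A malformed payload (e.g. id=1') surfaces as a DBMS error, the
        # classic error-based tell; a real page might display or swallow it.
        return "SQL error: %s" % exc


def hardened_page(conn, id_value):
    """The fix: a parameterized query. The value is bound as data, so
    '1 AND 1=1' is compared against id as one literal and matches nothing."""
    query = "SELECT name, surname FROM users WHERE id=?"
    return conn.execute(query, (id_value,)).fetchall()


def boolean_inject_check(page, original):
    """The differential test from the scenario: the parameter is injectable
    when 'AND 1=1' leaves the response unchanged while 'AND 1=2' changes it.
    `page` is a callable returning the response for a given parameter value."""
    baseline = page(original)
    true_resp = page(original + " AND 1=1")
    false_resp = page(original + " AND 1=2")
    # Both halves are needed: a parameter the page ignores would also give
    # baseline == true_resp, but then 1=2 would not change anything either.
    return baseline == true_resp and baseline != false_resp


def stacked_queries_supported(runner, original):
    """Whether the database API the page uses passes 'id=1; ANOTHER QUERY'
    through as two statements. `runner` is the call the page executes SQL with."""
    payload = original + "; CREATE TABLE sqlmap_probe (x INTEGER)"
    try:
        runner("SELECT name FROM users WHERE id=" + payload)
    except (sqlite3.Error, sqlite3.Warning):
        # sqlite3's execute() refuses more than one statement per call
        return False
    return True


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, id=1          :", vulnerable_page(conn, "1"))
    print("vulnerable, id=1 AND 1=1  :", vulnerable_page(conn, "1 AND 1=1"))
    print("vulnerable, id=1 AND 1=2  :", vulnerable_page(conn, "1 AND 1=2"))
    print("vulnerable, id=1'         :", vulnerable_page(conn, "1'"))
    print("hardened,   id=1 AND 1=1  :", hardened_page(conn, "1 AND 1=1"))
    print("injectable (vulnerable)   :", boolean_inject_check(lambda v: vulnerable_page(conn, v), "1"))
    print("injectable (hardened)     :", boolean_inject_check(lambda v: hardened_page(conn, v), "1"))
    print("stacked via execute()     :", stacked_queries_supported(make_db().execute, "1"))
    print("stacked via executescript :", stacked_queries_supported(make_db().executescript, "1"))
```

The stacked-queries probe makes the manual's "if the web application technology supports stacked queries" concrete: the same SQLite database accepts the two statements through executescript() and rejects them through execute(), so support is a property of the DBMS together with the API the application calls, which is why PHP's mysql_query() against MySQL, for instance, will not run a second statement. In practice sqlmap compares page bodies after stripping dynamic content, not row lists, but the decision rule is the one in boolean_inject_check.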
