Automated SQL Injection With SQLmap

So, my wordpress analytics tell me that you guys are looking for a “how to pwn with sqlmap ubuntu” article. No seriously, that was someone’s search term. I’m hesitant to do this, but I figure with everything else I post it’s not the worst thing

 I could do. Cue the song “There Are Worse Things I Could Do” from Grease.

So here we go, we’re using a “live web app” with a known vulnerability for this exercise. The webapp is available in the OWASP Broken Web Apps virtual machine for those that want to follow along.

For this you will need sqlmap which if you’re using Back Track 5 as I have in this guide is already included. If you’re not you can get it here : http://sqlmap.sourceforge.net/

There are also a few other tools to do this for you like sqlsus. They all pretty much do the same thing.

So real quick, before we start there are two things you need to realize.

• 1 – doing this to a database/webapp that you don’t have permission to do it to is illegal.
• 2 – SQLmap performs blind sql injection. Thus it may not detect all vulnerabilities, and likely will take longer to enumerate the actual injection than is actually needed, thus I recommend performing non blind sqli manually to save yourself time.

Okay so now that we have that stuff out of the way and should have sqlmap installed by now (if you don’t know how to install it you really don’t need to be using it.) we can begin.

Vulnerable Web App

In the WordPress Spreadsheet plugin there is a SQL injection vulnerablity in the ss_functions.php that is called in ss_load.php.
The vulnerable code can be seen here :

1	if ($wpdb->query("SELECT * FROM $table_name WHERE id='$id'") == 0) {

Now that we have our vulnerable bit of code we can use SQLmap to exploit it.

SQLMap

SQLmap is an extremely powerful tool that gives you a LOT of control over how deep you get into exploiting the database. You can simply use it to confirm a vulnerability and it will give you a valid injection string to manually confirm, or you can go all the way to a full dump and sometimes (if the dbms is configured poorly gain a remote interactive sql shell/os shell).

Getting an Injection String

If you simply want to determine that the injection vector exists we can run sqlmap as follows

1	./sqlmap.py -u http://atfieldsandotherstuff.com/wordpress/wp-content/plugins/wpSS/ss_load.php?ss_id=1

Note : I’ve just added an entry in my hosts file to create the domain, an ip will work fine in place of this.

We discover shortly after running the command that parameter ss_id is in fact injectable, and are given the option to continue testing other parameters, you may wish to do this, however for this guide there is no point so I won’t. So we hit N. (which is the default)

As you can see we are presented with a list of three injections that we can use to
verify our vulnerability.

And we can confirm that the paramater is in fact injectable.

Database Dumping

The ever popular thing to do with SQLi is “dumping the database”. This is usually how your passwords end up on pastebin, and it’s rather trivial to do it with sqlmap.
You have two options for this dump and dump-all. Dump-all will dump ALL the DBMS database tables where as dump will only dump the active dbms database tables.
Note : If the database user for the vulnerable web app is not dba there is no difference between the two options.
So we’re going to go with a dump since this user is not the dba. (a quick way to find out is using the enumerate-privileges switch with sqlmap.)

1	./sqlmap.py –dump -u  http://atfieldsandotherstuff.com/wordpress/wp-content/plugins/wpSS/ss_load.php?ss_id=1

After awhile you will be presented with a nice dump of your database, which sqlmap conveniently stores for you. If sqlmap detects hashed strings in the database it will also attempt to crack them for you. This can take a long time, so it may be best to just dump them hashed and crack them off site on a system that is built for hash-cracking (oclhashcat comes to mind).

Other features you might find interesting

Additionally sqlmap comes with a few options to “take over” a dbms. These do not work in all cases, and usually rely on weak configurations where the user who owns the vulnerable database happens to be the dba. These options are.

• –os-cmd=OSCMD Execute an operating system command
• –os-shell Prompt for an interactive operating system shell
• –os-pwn Prompt for an out-of-band shell, meterpreter or VNC
• –os-smbrelay One click prompt for an OOB shell, meterpreter or VNC
• –os-bof Stored procedure buffer overflow exploitation
• –priv-esc Database process’ user privilege escalation

By default the OWASPBWA virtual machine is not configured to allow this, however it would be trivial to grant the owner of the vulnerable database the privileges to utilize these vectors if you’re bored. Keep in mind if you prompt for an out of band meterpreter shell you have to have the Metasploit Framework installed.
There you have it, despite the fact that I will probably regret doing this and get a ton of questions asking how to find vulnerable webapps that’s the basics of using sqlmap for automated blind sqli