SQLMAP Lab - 2 Virtual Machine Option
SQLMAP Lab - 2 Virtual Machine Option
Steps for the SQL Injection Lab. This option is for having 2 virtual machines both running.
A) Download the Metasploitable2 Virtual Machine and run it locally. You will need to have your Kali Linux
and Metasploitable 2 running (Resource could be an issue for some)
2) Import appliance - Make sure you uncheck the USB port and REINITIALIZE the network card and also
BRIDGE your network adapter
5) Find out the IP address of your Metasploitable 2 machine by opening a terminal and typing: ifconfig
8) Open a Firefox Browser and type in the IP address of your Metasploitable 2 virtual machine, select DVWA
and login with the username: admin password: password
Once logged in, select DVWA Security and set the security to low for this test and press the Submit button.
Then select SETUP and CREATE / RESET DATABASE, this will create the databases for us to attack.
9) From Kali Linux open up the Firefox browser and click on the 3 lines and select Preferences
10) Click on Settings and follow the setup below and click the OK button.
16) Go back to the DWVA login link and type in the username and password and click the Login button.
As the Firefox Browser routes the traffic to BurpSuite, you will see that a session cookie was captured.
Make sure you have this session cookie as this will be the key to our next step with the SQLMap application
inside Kali Linux.
17) Once you have the session cookie, you can go back to your Firefox Browser | Preferences and select No
proxy option and click OK as we will no longer need to intercept the network traffic.
18) Next we will click on a Terminal session inside Kali Linux and type the word sqlmap which will bring up the
SQLMap application.
19) Make sure you have your session cookie from BurpSuite as we will use it now for the SQL Injection attack.
For my session, the cookie is: security=low; PHPSESSID=eb3d1ecc9aaa0f8d478e66e9ce6f1738
Now that we have our cookie value, let’s revisit the SQLMap injection scheme.
Example of sqlmap command to type: YOUR IP ADDRESS and COOKIE VALUE will be different
******* In front of the cookie and dbs word are two - - making it look like -- **********
SQLMAP will ask you a bunch of questions, just click Y and enter and it will go all the way to the end. You should see this
screen when it is done. Look at the available databases.
We will then try to enumerate tables in one of the databases.
Sqlmap command example below: IP ADDRESS and COOKIE VALUE are different for your command
We can view who is the current user with the following command: IP ADDRESS and COOKIE VALUE are different
Upload a word document with the screenshots of your SQL Injection Lab from SQL MAP.
2) Your results from your SQL Map output of running all the commands from the handout with your session cookie.