This document provides information about SQL injection vulnerabilities and how to use the SQLMap tool to exploit them. It discusses the different types of SQL injections, how they work, and their impact. It then describes SQLMap's features for detecting and exploiting SQL injections, such as enumerating databases, tables, columns, and dumping data. It lists useful SQLMap option keys and provides an overview of how to use SQLMap to identify and exploit SQL injection vulnerabilities.
2. LAB Setup :-
1) VM with Hack me Bank Installed
http://ninja-sec.com/index.php/hacme-bank-prebuilt-vmware-image-ninja-sec-com/
2) SQL-Map For Windows
https://github.com/sqlmapproject/sqlmap/zipball/master
3) SQL-Map For Unix
It is included in BackTrack 5
3. OWASP TOP 10
A1 : Injection
Injection flaws, such as SQL, OS, and LDAP injection,
occur when untrusted data is sent to an interpreter as
part of a command or query. The attacker’s hostile data
can trick the interpreter into executing unintended
commands or accessing unauthorized data
4. Injections
Common type of injections :
SQL
LDAP
Xpath
etc
IMPACT :
As disastrous as handing the database over to the
attacker
Can also lead to OS-level access
5. Definition
Exploiting poorly filtered or incorrectly escaped SQL
queries so that user input is executed as part of the query
Types
Error Based
Blind Injections
Boolean Injections
6. How Do They Work?
Application presents a form to the attacker
Attacker sends an attack in the form data
Application forwards the attack to the database in a SQL query
Database runs the query containing the attack and sends the encrypted
result back to the application
Application renders the data to the user
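Slides 5 and 6 describe the flow in words; as an added example that is not part of the deck, the following Python snippet builds a constructed in-memory SQLite users table, places the string-concatenated query of step 3 beside its parameterized fix, and counts the rows each returns for a normal value and for the true/false probe pair that a boolean-based blind technique relies on. The table contents and function names are assumptions.

```python
import sqlite3

# Constructed sample data (not from the slides): a small users table standing
# in for the application's backend database.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, role) VALUES (?, ?)",
                     [("alice", "customer"), ("bob", "customer"), ("admin", "staff")])
    return conn

def lookup_vulnerable(conn, username):
    """Slide 6, step 3 as written: the form value is pasted into the SQL text,
    so the database cannot tell attacker syntax apart from the intended query."""
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, username):
    """The fix: the value travels as a bound parameter, never as SQL syntax."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

def demo():
    conn = make_db()
    normal = "alice"
    # Boolean-based probe pair: a condition that is always true versus one that
    # is always false. In the vulnerable version the row count flips with the
    # condition, which is the signal a boolean-based blind technique looks for;
    # in the parameterized version both probes are just unknown usernames.
    true_probe = "x' OR '1'='1"
    false_probe = "x' OR '1'='2"
    return {
        "vuln_normal": len(lookup_vulnerable(conn, normal)),
        "vuln_true": len(lookup_vulnerable(conn, true_probe)),
        "vuln_false": len(lookup_vulnerable(conn, false_probe)),
        "safe_normal": len(lookup_parameterized(conn, normal)),
        "safe_true": len(lookup_parameterized(conn, true_probe)),
        "safe_false": len(lookup_parameterized(conn, false_probe)),
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows} row(s)")
```

The vulnerable lookup returns every row for the true probe and none for the false probe, while the parameterized lookup returns one row for "alice" and none for either probe.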
9. SQL MAP INTRODUCTION
Powerful command line utility to exploit SQL Injection
vulnerability
Support for the following databases:
MySQL
Firebird
IBM DB2
Microsoft SQL Server
Oracle
SAP MaxDB
SQLite
Sybase
PostgreSQL
Microsoft Access
10. TECHNIQUES OF SQL INJECTION
Boolean-based blind
Time-based blind
Error-based
UNION query
Stacked queries
11. SQL MAP OPTION KEYS
o -u <URL> (Target URL)
o --dbs (To enumerate databases)
o -r (Load the HTTP request from a .txt file)
o --technique (SQL injection technique)
o --dbms (Specify DBMS)
o -D <database name> --tables
o -T <table name> --columns
o -C <column name> --dump
o --cookie (Authentication cookie)
o --dump-all
12. SQL MAP FLOW
Enumerate the database name
Select database and enumerate tables
Select tables and enumerate columns
Select a column and enumerate rows(data)
Choose whatever you want
13. WHY USE SQL MAP?
Built in capabilities for cracking hashes
Options of running user defined queries
You could run OS level commands
You could have an interactive OS shell
Meterpreter shell with Metasploit
14. EXTRA USEFUL SQL MAP OPTION KEYS 1
--os-cmd
Run any OS level command
--os-shell
Starts an interactive shell
--os-pwn
Injects a Meterpreter shell
--tamper
Tamper scripts for evading a WAF
15. EXTRA USEFUL SQL MAP OPTION KEYS 2
--tor: Use Tor anonymity network
--tor-port: Set Tor proxy port other than default
--tor-type: Set Tor proxy type (HTTP - default, SOCKS4 or SOCKS5)
--check-payload: Offline WAF/IPS/IDS payload detection testing
--check-waf: Check for existence of WAF/IPS/IDS protection
--gpage: Use Google dork results from the specified page number
--tamper: Custom tamper scripts
16. YOU WANT TO EXPLORE MORE
SQL MAP Usage Guide
http://sqlmap.sourceforge.net/doc/README.html
SQL MAP WITH TOR
http://www.coresec.org/2011/04/24/sqlmap-with-tor/
17. THANK YOU
BY: Manish Bhandarkar
http://www.hackingforsecurity.blogspot.com