Poison

SQLmap

The aim of many a SQL injection attack is to extract sensitive information from a database, but attacking a database can have far more wide-reaching consequences. SQLmap [2] is an open source program that provides the perfect basis for comprehensive attacks on database systems. It is written in Python and is thus system-independent, and it is extensible through the addition of modules. SQLmap needs Python version 2.6 or newer.

The Takeover function also requires the Metasploit framework [3]. SQLmap supports any popular database system, such as MySQL, PostgreSQL, Oracle, or Microsoft SQL Server. Additionally, it supports five different SQL injection methods: Boolean-based blind, time-based blind, error-based, UNION query, stacked queries, and out-of-band. The python sqlmap.py command launches the tool.

The URL to be checked follows the -u parameter in quotes. Safe in the knowledge that the SQL injection vulnerability is hiding behind the ID input field, you can add the --forms parameter to the command line. This tells SQLmap to test all input fields for SQL injection vulnerabilities. The user already has a session cookie from a previous login attempt. You need to tell SQLmap about this cookie for the attack to succeed, and you can discover this, for example, using the Firefox "Tamper Data" plugin. The complete line now looks like this:

sqlmap.py -u "http://127.0.0.1/dvwa/ vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="PHPSESSID=ce0aa7922720f3190bf9bbff7f24c434;security=low" --forms

After a short while, SQLmap finds the matching ID field and asks whether you want to check it. After you confirm the prompt, SQLmap will begin the analysis.

GET http://127.0.0.1:80/dvwa/vulnerabilities/sqli/?id=&Submit=Submit
Cookie: PHPSESSID=ce0aa7922720f3190bf9bbff7f24c434;security=low
do you want to test this form? [Y/n/q]

After a successful scan, SQLmap presents the potential attack vectors in the form of prebuilt SQL statements. At that point, the user can decide whether to continue the attack manually or to let SQLmap have a go at exploiting the vulnerability. After confirming the prompt, SQLmap terminates because there are no further parameters.

SQLmap can output the complete, unfiltered content of the database (--dump-all) or just individual records (--dbs). Because a database can contain much irrelevant information, it makes sense to target the most important data to speed up the process. Add --dbs to the command and you will see the available databases.

available databases [5]:
[*] cdcol
[*] dvwa
[*] information_schema
[*] mysql
[*] test

The information_schema and dvwa databases are worth closer attention. information_schema tells the user about the metadata in the database, such as data types or access privileges. This metadata can be very valuable in the case of a targeted attack. In this case, suppose dvwa appears to be the most interesting database. To retrieve the records from the dvwa database, you would add the -D dvwa option to the command line.

Database: dvwa
[2 tables]
+-----------+
| guestbook |
| users     |
+-----------+

The output of the command now offers an overview of the tables in the database. To access valuable information, take a closer look at the users table by adding -T users to the command line. The output lists the available columns and their data types (Listing 1).

Table: users
[6 columns]
+------------+-------------+
| Column     | Type        |
+------------+-------------+
| avatar     | varchar(70) |
| first_name | varchar(15) |
| last_name  | varchar(15) |
| password   | varchar(32) |
| user       | varchar(15) |
| user_id    | int(6)      |
+------------+-------------+

To retrieve the table content, now add --dump to the command line. The final command looks like this:

python sqlmap.py -u "http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=1&Submit= Submit#"--cookie="PHPSESSID=ce0aa7922720f3190bf9bbff7f24c434;security=low" --forms -D dvwa-T users --columns --dump

Sqlmap has detected that the password hashes are located in the password table; the program can then run a dictionary attack against them. A few seconds the attack executes, Sqlmap reveals the clear text passwords (Figure 2).

Figure 2: The password cracker uses a brute force attack.

Within just 35 seconds, SQLmap extracted sensitive data from the database.

Takeover

In combination with Metasploit, SQLmap gives attackers the option of hijacking the underlying system. Users can choose from various modules. Depending on the database, various exploits will give command of the server. The --os-pwn option is used here; it can give an attacker a remote shell on servers that are running Windows 2003 R2.

After adding --os-pwn to the command, select, for example, Option 1 (TCP : Metasploit Framework) when the program asks you what kind of tunnel to create. SQLmap now attempts to drop a file onto the server and then call the file (Figure 3).

Figure 3: The file dumped on the server by SQL injection can give the attacker a remote shell.

The attacker then needs to choose the payload (i.e., the function to call after executing the exploit). The possible payload options are Meterpreter, Shell, or VNC. Meterpreter is a collection of functions that you can run on the system (Figure 4). Shell gives you a system shell on the hijacked server, and VNC creates a remote VNC connection to the server that the attacker can use to gain access to the desktop of the target system.

Figure 4: Meterpreter fires a broadside at the server and can install back doors if so desired.

In the lab attack, I restricted the test to a shell option, although Meterpreter would be more useful for a wide-scale attack. Meterpreter can, for example, migrate into processes to gain more extended rights or hide deep in the system as a back door for the attacker to use when accessing the system later. This advanced functionality is beyond the scope of this article.

After selecting Shell, SQLmap uses Metasploit to open a connection to the server; the user is given a remote shell and thus is free access to the server.

SQL injection has thus given the attacker administrative privileges on the server. The attacker now has complete access to all of the server's system resources and can control, manipulate, and even totally disable the server.

Conclusions

SQL injection is still one of the most dangerous vulnerabilities that web administrators face on today's networks. The development of tools such as SQLmap makes it very easy for hackers to break into systems and cause enormous damage. Thus, developers and administrators must carefully validate the code running on the server and rule out any vulnerabilities.

A strict ruleset for programmers can help close down security holes caused by SQL and other similar programming languages. Also, regular auditing of web applications can improve the overall security of your network; Security experts recommend monthly checks for large-scale applications that are under constant development. Regular inspection of logfiles is also important for revealing traces of any recent intrusion attempts.