« Previous 1 2
Discovering SQL injection vulnerabilities
Poison
SQLmap
The aim of many a SQL injection attack is to extract sensitive information from a database, but attacking a database can have far more wide-reaching consequences. SQLmap [2] is an open source program that provides the perfect basis for comprehensive attacks on database systems. It is written in Python and is thus system-independent, and it is extensible through the addition of modules. SQLmap needs Python version 2.6 or newer.
The Takeover function also requires the Metasploit framework [3]. SQLmap supports any popular database system, such as MySQL, PostgreSQL, Oracle, or Microsoft SQL Server. Additionally, it supports five different SQL injection methods: Boolean-based blind, time-based blind, error-based, UNION query, stacked queries, and out-of-band. The python sqlmap.py
command launches the tool.
The URL to be checked follows the -u
parameter in quotes. Safe in the knowledge that the SQL injection vulnerability is hiding behind the ID
input field, you can add the --forms
parameter to the command line. This tells SQLmap to test all input fields for SQL injection vulnerabilities. The user already has a session cookie from a previous login attempt. You need to tell SQLmap about this cookie for the attack to succeed, and you can discover this, for example, using the Firefox "Tamper Data" plugin. The complete line now looks like this:
sqlmap.py -u "http://127.0.0.1/dvwa/ vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="PHPSESSID=ce0aa7922720f3190bf9bbff7f24c434;security=low" --forms
After a short while, SQLmap finds the matching ID
field and asks whether you want to check it. After you confirm the prompt, SQLmap will begin the analysis.
GET http://127.0.0.1:80/dvwa/vulnerabilities/sqli/?id=&Submit=Submit Cookie: PHPSESSID=ce0aa7922720f3190bf9bbff7f24c434;security=low do you want to test this form? [Y/n/q]
After a successful scan, SQLmap presents the potential attack vectors in the form of prebuilt SQL statements. At that point, the user can decide whether to continue the attack manually or to let SQLmap have a go at exploiting the vulnerability. After confirming the prompt, SQLmap terminates because there are no further parameters.
SQLmap can output the complete, unfiltered content of the database (--dump-all
) or just individual records (--dbs
). Because a database can contain much irrelevant information, it makes sense to target the most important data to speed up the process. Add --dbs
to the command and you will see the available databases.
available databases [5]: [*] cdcol [*] dvwa [*] information_schema [*] mysql [*] test
The information_schema
and dvwa
databases are worth closer attention. information_schema
tells the user about the metadata in the database, such as data types or access privileges. This metadata can be very valuable in the case of a targeted attack. In this case, suppose dvwa
appears to be the most interesting database. To retrieve the records from the dvwa
database, you would add the -D dvwa
option to the command line.
Database: dvwa [2 tables] +-----------+ | guestbook | | users | +-----------+
The output of the command now offers an overview of the tables in the database. To access valuable information, take a closer look at the users
table by adding -T users
to the command line. The output lists the available columns and their data types (Listing 1).
Listing 1
Users Table
Table: users [6 columns] +------------+-------------+ | Column | Type | +------------+-------------+ | avatar | varchar(70) | | first_name | varchar(15) | | last_name | varchar(15) | | password | varchar(32) | | user | varchar(15) | | user_id | int(6) | +------------+-------------+
To retrieve the table content, now add --dump
to the command line. The final command looks like this:
python sqlmap.py -u "http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=1&Submit= Submit#"--cookie="PHPSESSID=ce0aa7922720f3190bf9bbff7f24c434;security=low" --forms -D dvwa-T users --columns --dump
Sqlmap has detected that the password hashes are located in the password
table; the program can then run a dictionary attack against them. A few seconds the attack executes, Sqlmap reveals the clear text passwords (Figure 2).
Within just 35 seconds, SQLmap extracted sensitive data from the database.
Takeover
In combination with Metasploit, SQLmap gives attackers the option of hijacking the underlying system. Users can choose from various modules. Depending on the database, various exploits will give command of the server. The --os-pwn
option is used here; it can give an attacker a remote shell on servers that are running Windows 2003 R2.
After adding --os-pwn
to the command, select, for example, Option 1 (TCP : Metasploit Framework
) when the program asks you what kind of tunnel to create. SQLmap now attempts to drop a file onto the server and then call the file (Figure 3).
The attacker then needs to choose the payload (i.e., the function to call after executing the exploit). The possible payload options are Meterpreter, Shell, or VNC. Meterpreter is a collection of functions that you can run on the system (Figure 4). Shell gives you a system shell on the hijacked server, and VNC creates a remote VNC connection to the server that the attacker can use to gain access to the desktop of the target system.
In the lab attack, I restricted the test to a shell option, although Meterpreter would be more useful for a wide-scale attack. Meterpreter can, for example, migrate into processes to gain more extended rights or hide deep in the system as a back door for the attacker to use when accessing the system later. This advanced functionality is beyond the scope of this article.
After selecting Shell
, SQLmap uses Metasploit to open a connection to the server; the user is given a remote shell and thus is free access to the server.
SQL injection has thus given the attacker administrative privileges on the server. The attacker now has complete access to all of the server's system resources and can control, manipulate, and even totally disable the server.
Conclusions
SQL injection is still one of the most dangerous vulnerabilities that web administrators face on today's networks. The development of tools such as SQLmap makes it very easy for hackers to break into systems and cause enormous damage. Thus, developers and administrators must carefully validate the code running on the server and rule out any vulnerabilities.
A strict ruleset for programmers can help close down security holes caused by SQL and other similar programming languages. Also, regular auditing of web applications can improve the overall security of your network; Security experts recommend monthly checks for large-scale applications that are under constant development. Regular inspection of logfiles is also important for revealing traces of any recent intrusion attempts.
Infos
- Damn Vulnerable Web Application:http://www.dvwa.co.uk/
- SQLmap: http://sqlmap.org
- Metasploit: http://www.metasploit.com
« Previous 1 2