cubalo

I’ve been insanely busy with work for the past few weeks so I’ve been neglecting the site a bit. In the past I’ve done a lot of web app testing, but as of late is has become a rare occurrence so I need to make sure I keep my skills up. Usually, I fire up Web Security Dojo and mess around a bit with WebGoat/Gruyere/DVWA. This time I thought I would actually put my thoughts and process into words and share it. In this tutorial, I will demonstrate how to use sqlmap to get SQL injection on DVWA under the medium security settings.

Setup

Start up a VM running something with DVWA (Dojo, Metasploitable, etc.) then login to the app (default credentials are admin:password). On the bottom-left side of the page will be a menu option titled “DVWA Security”. Click that and change the Script Security to “medium.” This doesn’t really matter since we will be using sqlmap to do the heavy lifting.

Gathering Info

Next, fire up Burp Suite, start the proxy with Intercept turned off, and tell your browser to go through it (using the Foxy Proxy browser plugin is the easiest).

In the browser, click the “SQL Injection” challenge from the menu on the left side of the page. Once the page is loaded, there will be a text box to search a user ID. Go back into Burp and turn on Intercept. In the browser, enter 1 into the box. This will return the information for the user with ID 1, admin. You’ll notice that the page isn’t loading. This is because Burp is intercepting the communication. Open up the Burp window and notice the GET request. From here, we want to grab the destination and cookie value and save it for later.

Click the Forward button until the page is loaded and turn off Intercept. Now go back the browser and you’ll see the SQLi page is loaded and showing the details for the user “admin.”

This shows that the information we enter into the text box is what is being queried in the database, so this will be our target for injection.

Dumping users and passwords

In a terminal, we need to provide sqlmap with the options it needs to attack the app. The command you will want to enter is:

sqlmap -u "http://192.168.1.111/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="security=medium ; PHPSESSID=4c74cbff87f966532a7111ba2480620f" --dbs

The structure of this command is as follows.

• -u  = Host (mine is 192.168.1.111) + Path (/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit)
• –cookie = Both of the cookies we captured in Burp. You will need two, security and PHPSESSID.
• –dbs = Enumerate databases

When running, choose to continue with whatever sqlmap asks you. It will find that the ‘id’ parameter is vulnerable and ask if you want to keep testing others. Choose “N.” Once completed, it will display the injection points (mine showed 4 types) and the available databases.

From here, we need to select what database we want to go after. For this example, we’ll hit “dvwa.” So now, in sqlmap we need to find out the tables in the database. To do this, we need to modify the options a little bit. Remove the –dbs option and add “-D dvwa –tables” to make the new command:

sqlmap -u "http://192.168.1.111/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="security=medium ; PHPSESSID=4c74cbff87f966532a7111ba2480620f" -D dvwa --tables

This will show us the tables, guestbook and users.

Next we’ll dump the columns from the table. Do this by removing the “–tables” option from the command and add “-T users –columns” and run it.

sqlmap -u "http://192.168.1.111/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="security=medium ; PHPSESSID=4c74cbff87f966532a7111ba2480620f" -D dvwa -T users --columns

We can see that there are some interesting values in this table, so we definitely want to dump this. A cool option sqlmp provides us with is the ability to bruteforce password hashes during the dump. During the next and final command, we will have the option to crack the hashes so make sure to approve it when it pops up (the default dictionary, option 1, works just fine). The final command to dump the table’s data is:

sqlmap -u "http://192.168.1.111/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="security=medium ; PHPSESSID=4c74cbff87f966532a7111ba2480620f" -D dvwa -T users --dump

When it is done cracking, we will have all of the passwords for DVWA, including the admin user.

Conclusion

Obviously, we were attacking an extremely vulnerable web application in this tutorial, however sqlmap provides a ton of options to tailor the command to your needs for the more challenging tests. I have found that during a normal assessment, sqlmap can prove to be very useful, however do not expect it to be a skeleton key for all databases you come across. For example, by changing the Script Security to “high” in DVWA, restrictions are placed on the ‘id’ parameter which was found to be injectable on the medium security setting, making it non-injectable using the method in this tutorial.

(Notice the “$id = stripslashes($id);” and if statement checking if the $id value is numeric.)

Also, don’t forget to turn off your machine or VM running your vulnerable app when you are done!