First things first, what is sqlmap? It’s an open source penetration testing tool for automating the process of finding SQL injection flaws and taking over databases. I won’t get into the full capabilities here, but you can learn more at [http://sqlmap.org/]*
The following is really just a combination of my notes and an extra credit assignment given by one of my professors in the spring. This was not a tool we covered in class, and the question was “Can you get a shell on a webserver using sqlmap?”
The initial setup here is a Kali Linux virtual machine and a Windows 7 virtual machine hosted on my own personal workstation. At the time, I had the vulnerable web application BadStore. The website was accessible to the Kali VM via an entry in the /etc/hosts file. I was typically using Burp Suite as my proxy from the Kali Linux VM; however, this was my exploration of sqlmap used alone.
Premise: Using Sqlmap from my Kali VM to attack a web application hosted on my Windows 7 VM, it is possible to get a shell on the web server.
Firstly, you should use sqlmap against a URL hosted on the target server to see what you can learn about the system. It can also show us what sort of SQL injection attacks a parameter, like the GET parameter customerid, is vulnerable to. In the following, a submission URL was fed to sqlmap.
Finally, we can also see the server OS, the version of Apache, and the type of database.
So we know it’s a site hosted with Apache 2.2.22 with PHP 7.1.7 and MySQL above 5.0.12. This information has been automatically saved in a file for us as well.
Looking through the advanced help there are a few parameters that seem interesting.
I didn’t want to mess with the registry to prove access since I wanted to more or less maintain the VM for later practice. So I went full script kiddie and used the operators --file-write and --file-dest to upload the WhiteWinterWolf backdoor [https://www.whitewinterwolf.com/posts/2017/12/02/wwwolfs-php-webshell-users-guide/] to the webserver. For the purpose of making it easier for me to upload files and browse the system, it was quite helpful. The first two images below are screencaps from the Windows 7 VM I took to verify the file was uploaded.
I was able to navigate to the web shell like so:
Image 4 above shows where my assignment write-up left off, more or less. It did take me a fair bit of trial and error since it was the first time I’d used sqlmap, but it really does a lot of the work for you. If you’re like me, then hosting and breaking your own vulnerable web apps is the easiest way to learn about and really understand how these systems work together. But you haven’t really done anything if you use other people’s tools, so don’t neglect that side of study either!
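From the defender’s side, the activity described above (probing a parameter like customerid, a sqlmap user agent, then requests to a freshly dropped PHP file) leaves traces in Apache’s access log. The following Python is an added example and not part of the original post or of sqlmap: the log lines, the /cart.php path and the /shell.php name are constructed, and the user-agent string only imitates the shape of sqlmap’s default one.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache "combined" log lines (not from the original post); the second
# line carries a user agent in the shape of sqlmap's default one.
SAMPLE_LOG = """\
10.0.0.5 - - [02/Dec/2017:10:01:02 -0500] "GET /cart.php?customerid=42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [02/Dec/2017:10:03:11 -0500] "GET /cart.php?customerid=42%27%20AND%20SLEEP(5)--%20 HTTP/1.1" 200 512 "-" "sqlmap/1.1.11#stable (http://sqlmap.org)"
10.0.0.9 - - [02/Dec/2017:10:05:40 -0500] "GET /cart.php?customerid=42%20UNION%20SELECT%201,2,3 HTTP/1.1" 200 900 "-" "Mozilla/5.0"
10.0.0.9 - - [02/Dec/2017:10:07:02 -0500] "POST /shell.php HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Crude injection indicators: quotes, comment markers, UNION SELECT,
# time-based probes and MySQL file I/O keywords.
SQLI_RE = re.compile(
    r"'|--|/\*|\bunion\b[\s\S]*\bselect\b|\b(sleep|benchmark)\s*\(|\b(into\s+(out|dump)file|load_file)\b",
    re.I,
)

def analyze(log_text, known_scripts):
    """Return one finding per suspicious request: (ip, target, [reasons])."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        reasons = []
        if "sqlmap" in m["ua"].lower():
            reasons.append("sqlmap user-agent")
        parts = urlsplit(m["target"])
        # parse_qs percent-decodes values, so the quote and SLEEP(5) are visible here
        for name, values in parse_qs(parts.query, keep_blank_values=True).items():
            if any(SQLI_RE.search(v) for v in values):
                reasons.append(f"injection pattern in parameter {name}")
        # a script that is not part of the deployed application may be a dropped web shell
        if parts.path not in known_scripts:
            reasons.append(f"request to unexpected script {parts.path}")
        if reasons:
            findings.append((m["ip"], m["target"], reasons))
    return findings

if __name__ == "__main__":
    for ip, target, reasons in analyze(SAMPLE_LOG, {"/cart.php"}):
        print(ip, target, "; ".join(reasons))
```

The known-script allow list is the key input: on a real host it should be generated from the deployed web root so that any newly written PHP file stands out.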
All that’s left from here on out are my notes I kept for myself on the assignment and a footnote about proper use of sqlmap. Feel free to peace out at this point. I’d recommend visiting sqlmap.com to look at the demos and information they have available to learn more.
--os-shell (from the file access help in sqlmap)
I thought from the description maybe it meant a CMD shell on Windows. But it’s actually giving a whole bunch of options to find writable web root / htdocs directories.
It wasn’t that helpful because the process user (which is what I was at the time) doesn’t have the privilege to write.
--priv-esc --os-shell : Adding --priv-esc didn’t noticeably change --os-shell output, and running it as the only parameter other than -u only gave stored session information.
If you open Index with Nano there is nothing there…
Not really sure if it’s reading anything or what good it is to me if I can’t personally read it. When I searched for a fake file it saved the information to a text file and didn’t make a document in the /www.sql.net/files directory.
*On sqlmap: At the time I last accessed sqlmap’s webpage https was not configured. It is published under GNU Public License. Please note their disclaimer “Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user’s responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program.”