7.0 KiB
by Bernardo Damele A. G. and Miroslav Stampar
version 1.0-dev, XXX XX, 2012
Abstract
This document is the user's manual for sqlmap.
Introduction
sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.
Requirements
sqlmap is developed in python, a dynamic, object-oriented, interpreted programming language freely available from http://python.org/download/. This makes sqlmap a cross-platform application which is independant of the operating system. sqlmap requires Python version 2.6 or above. To make it even easier, many GNU/Linux distributions come out of the box with Python installed. Other Unixes and Mac OSX also provide Python packaged and ready to be installed. Windows users can download and install the Python installer for x86, AMD64 and Itanium.
sqlmap relies on the Metasploit Framework for some of its post-exploitation takeover features. You need to grab a copy of the framework from the download page - the required version is 3.5 or higher. For the ICMP tunneling out-of-band takeover technique, sqlmap requires the Impacket library too.
If you are willing to connect directly to a database server (switch -d), without passing through the web application, you need to install Python bindings for the database management system that you are going to attack:
- Firebird: python-kinterbasdb
- Microsoft Access: python-pyodbc
- Microsoft SQL Server: python-pymssql
- MySQL: python pymysql
- Oracle: python cx_Oracle
- PostgreSQL: python-psycopg2
- SQLite: python-pysqlite2
- Sybase: python-pymssql
If you plan to attack a web application behind NTLM authentication or use the sqlmap update functionality (switch --update) you need to install respectively python-ntlm and python-svn libraries respectively.
Optionally, if you are running sqlmap on Windows, you may wish to install the PyReadline library in order to take advantage of the sqlmap TAB completion and history support features in the SQL shell and OS shell. Note that these functionalities are available natively via the standard Python readline library on other operating systems.
Scenario
Detect and exploit a SQL injection
Let's say that you are auditing a web application and found a web page that accepts dynamic user-provided values via GET, POST or Cookie parameters or via the HTTP User-Agent request header.
You now want to test if these are affected by a SQL injection vulnerability, and if so, exploit them to retrieve as much information as possible from the back-end database management system, or even be able to access the underlying file system and operating system.
In a simple world, consider that the target url is:
http://192.168.136.131/sqlmap/mysql/get_int.php?id=1
Assume that:
http://192.168.136.131/sqlmap/mysql/get_int.php?id=1+AND+1=1
is the same page as the original one and (the condition evaluates to True):
http://192.168.136.131/sqlmap/mysql/get_int.php?id=1+AND+1=2
differs from the original one (the condition evaluates to False). This likely means that you are in front of a SQL injection vulnerability in the id GET parameter of the index.php page. Additionally, no sanitisation of user's supplied input is taking place before the SQL statement is sent to the back-end database management system.
This is quite a common flaw in dynamic content web applications and it does not depend upon the back-end database management system nor on the web application programming language; it is a flaw within the application code. The Open Web Application Security Project rated this class of vulnerability as the most common and serious web application vulnerability in their Top Ten list from 2010.
Now that you have found the vulnerable parameter, you can exploit it by manipulating the id parameter value in the HTTP request.
Back to the scenario, we can make an educated guess about the probable syntax of the SQL SELECT statement where the user supplied value is being used in the get_int.php web page. In pseudo PHP code:
$query = "SELECT [column(s) name] FROM [table name] WHERE id=" . $_REQUEST['id'];
As you can see, appending a syntactically valid SQL statement that will evaluate to a True condition after the value for the id parameter (such as id=1 AND 1=1) will result in the web application returning the same web page as in the original request (where no SQL statement is added).
This is because the back-end database management system has evaluated the
injected SQL statement. The previous example describes a simple boolean-based blind SQL injection
vulnerability. However, sqlmap is able to detect any type of SQL injection flaw and adapt
its work-flow accordingly.
In this simple scenario it would also be possible to append, not just one or more valid SQL conditions, but also (depending on the DBMS) stacked SQL queries. For instance: [...]&id=1;ANOTHER SQL QUERY#.
sqlmap can automate the process of identifying and exploiting this type of vulnerability. Passing the original address, http://192.168.136.131/sqlmap/mysql/get_int.php?id=1 to sqlmap, the tool will automatically:
- Identify the vulnerable parameter(s) (
idin this example) - Identify which SQL injection techniques can be used to exploit the vulnerable parameter(s)
- Fingerprint the back-end database management system
- Depending on the user's options, it will extensively fingerprint, enumerate data or takeover the database server as a whole
...and depending on supplied options, it will enumerate data or takeover the database server entirely.
There exist many resources on the web explaining in depth how to detect, exploit and prevent SQL injection vulnerabilities in web applications. It is recommendeded that you read them before going much further with sqlmap.
[TODO]