Posted in Penetration Testing, web app testing

DB enumeration with SQLmap

In the last post I performed a brute-force dictionary attack on a login page to gain entry to the admin panel. This was a very basic attack using a known weak password I set beforehand. Now I’d like to use this weak Web Application to perform some database enumeration.

Seattle Sounds v0.3 VM

Similarly to the last two topics, I’ll be using the vulnerable VM ‘Seattle v0.3’ from Vulnhub created by HollyGraceful. You can find the VM here

Let’s get started

Burpsuite will come in handy here once again as we can use some of the information in a request we send in the proxy. Review the last post to see how you would grab a request sent from your browser. In this example we won’t be grabbing a request sent from a failed login.

Navigate to one of the items for sale on the site. It can be anything. Now click into an item. Turn Burpsuite Interception On and refresh the page. Burpsuite will grab the request similar to the one shown below. Navigate your way to Burpsuite > Proxy > Intercept

Request

Right click the request text and save to /root/request.txt – This will help you follow the rest of the post as this is referenced a few times in the command line later.

Now that we have the request.txt file we can now close Burpsuite and the browser if you wish.

Terminal

Open a terminal session. I’m using Kali Linux for my example. At the prompt enter this command.

sqlmap -r /root/request.txt

I’ve tested this a few times with different parameters, however, the above command should be enough to grab the database type.

rootRequest

As you can see SQLmap has identified the database backend to be ‘MySQL’.  An Open Source database platform widely used in conjunction with Apache web server.

Why is this important?

Determining the database is very important. Maybe not for the purposes of SQLmap as most of the process is automated, however, behind the scenes, SQLmap will alter SQL statements to query the DB depending on the version of the DB. The commands are different for different versions of a DB. In cases where you are enumerating a DB manually, you first need to know the version type or your commands might not work.

Let’s grab the DB name

You will see from the next part and also through testing, why the previous part may not be useful. A lot of people would likely just jump to using this next command to identify the current DB in operation. Enter the command below to identify the current DB.

sqlmal -r /root/request.txt –current-db

Sqlmap will throw up some information on some of the commands used to enumerate this information. The result should hopefully be this.

DBfound

Great! We have identified the database name to be ‘seattle’ Actually this is quite common for companies to name their database after the company name. After setting up SQL Databases in my job it’s amazing how many DB’s are named after the company. However, this enumeration process is still important to get the correct syntax.

Now we’ll move on to identifying the tables within the database.

Table Enumeration

In Linux terminal we can just press the up arrow key and use our last command entered. Use this to modify the last command to show the below command.

sqlmap -r /root/request.txt -D seattle –table

SQLmap will run through a similar process as before and after a short time it will show you the details of the tables within the ‘seattle’ DB.

tablesFound

A pretty simple Web Application. As most are. Blogs, Products & Members. Much like the website layout. Next we’ll dump the contents of the table ‘tblMembers’ to the terminal. Altering your last command line entry, enter the following.

sqlmap -r /root/request.txt -D seattle -T tblMembers –dump

It almost seems far too easy at the point when this command finishes. However, during this process you are asked a couple of questions.

Do you want to store hashes to a temp file for eventual further processing with other tools? [y/n]

Do you want to crack them via a dictionary attack?[y/n/q]

Some websites store passwords in the database as hashes of the password. This would need to be cracked later on by software like John the Ripper.

After selecting ‘No’ to both of these questions I ended up with the results below.

success

We have successfully dumped the contents of a table within a MySQL database to the screen. You can try the same dump on the other tables to just by altering the last command to show the other tables.

Frightening

It’s a sobering prospect, realising how easy and fast this process can be. This website was designed to be vulnerable to the max. This is probably the most basic form of DB enumeration. The next step would be to find out how to enumerate the backend DB without using SQLmap. This is where you’ll find it important to identify the DB version early on.

I can imagine SQLmap being very useful in a time restricted Pen test as proof of concept to a client that in fact, their DB can be pulled easily. However, it is important to understand how SQLmap works. You get snippets of the commands it passes over, so it’s worth reviewing these and looking up what the commands mean.

If you find this part of Web App Pen Testing interesting and want to know more, it’s going to be really useful to learn about SQL statements, how they are written and the syntax needed for the different versions. Once you get your head around how to query a database, performing queries on a vulnerable database will be easier.

 

Disclaimer

This post is for documentational purposes as proof of concept in Web Application Penetration Testing training. This method should never be used on a live website environment unless you have exclusive permission to do so.

Thanks!

Thanks again to @HollyGraceful for the VM and Vulnhub for hosting it.

 

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s