Forum Thread: test sql injections

I am looking for a way to test SQL injections, but I don't really understand the idea well and don't want to break shit. I have BackTrack 5 right now.

Please help. Thanks

8 Responses

>>cd /pentest/database/sqlmap (update with svn first) 

sqlmap is a series of Python scripts that automate searching for vulnerabilities in the target (also uses the Metasploit Framework for some of the payloads). There are a TON more options so I def recommend you -h and read some of them. Mainly the Tor and Proxy settings need to be configured before you start as you don't want to be v&.

The idea is, the website or service takes your input and turns it into a query for the database, to then return the data searched for. If the input is not cleaned up and stripped of special chars, then you might have the ability to run your own queries and gain extra info from the tables, or even execute arbitrary code. This is how Anonymous pulled off the HBGary attack, as well as most website defacement nowadays.

I cannot stress this enough. A mapping like this looks very messy in the server logs and you do not want your IP address all over that. Be smart and proxy up. Of course, you would not be doing that, and you are just testing on your own network ;)

My advice would be, before you start mapping out, read up a little bit on SQL. Once you understand the idea of a query and what it is doing, the rest will make more sense to you. 

Yeah, take the time and learn everything thoroughly, don't try to be a skiddie. No one ever became a hacker by learning SQLi instead of SQL or XSS instead of JavaScript etc.

Thanks to both of you. I'm very familiar with SQL and code in it daily. However, I'm not good with ... um.. exploiting its weaknesses?

Well, maybe we can help you. What are you trying to exploit? You said you code a lot of SQL, do you understand the idea of injection?

The concept as I understand it, is exploiting input into applications, attempting to add/modify a query that is processing the application's input. With the effect of exposing data/tables/etc.

For example:

Application has enter name/password fields.
The query that processes it, would be : $query = mysql_query("SELECT `data`,`data` FROM `usertable` WHERE `name`='".$nameInput."' AND `password`='".$passInput."'",$database);

An injection would type into the name field:
"'",$database); >>>write new query<<<

1. Leaving the end of the ["'",$database);] blank would allow the script to continue running, as most developers, or good ones at least (like myself hehehe) would put ["'",$database) or die(mysql_error());] meaning the script would stop executing, because there's an error in the query.

2. Adding your own query, you could put whatever you wanted to do in there and attempt to get the script to execute what you want instead.

Yes/no?

Yep! You pretty much nailed it. There are several different methods of injection but they all follow the same line. You are abusing the fact that user input is being directly parsed into a query and run against the database. Good programming would negate that by sanitizing the input before it's actually run. However this is not as common as one might think.

What SQLmap does is search for and attempt to exploit these vulnerabilities in a speedy and automated fashion. I am going to be writing an article on sqlmap because I find it to be critical to pentesting.

I would just add that the "or die()" piece is not enough to protect your DB. You want to make sure you escape any user inputs before passing them to your database.

There are very easy/standard ways to do this in every language out there. Since PHP is interpreted at runtime and is so easy to pick up, many people start building sites in it before they learn any of the security precautions. As a result, many of the sites susceptible to these kinds of attacks are written in PHP.

A good precaution would be to use stored procedures instead of defining dynamic SQL queries by concatenating strings in PHP (or whatever language of choice). This also gives you the added benefit of precompiled execution plans, which can speed your bigger & more common queries up.
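
The point made in the last reply, that `or die()` does not protect the query while keeping user input out of the SQL text does, shown as an added example (not code from the thread). It assumes Python's `sqlite3` in place of PHP/MySQL, reuses the `usertable`, `name`, `password` and `data` names from the query posted above, and uses bound parameters, which are a different mechanism from the escaping and stored procedures the reply names; the sample row and test inputs are constructed.

```python
import sqlite3


def make_db():
    """In-memory stand-in for the thread's `usertable` (constructed sample row)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE usertable (name TEXT, password TEXT, data TEXT)")
    # Plaintext password only because the thread's query compares it that way.
    db.execute("INSERT INTO usertable VALUES ('alice', 's3cret', 'alice-profile')")
    db.commit()
    return db


def login_concat(db, name, password):
    """Mirrors the thread's query: user input is pasted into the SQL text."""
    sql = ("SELECT data FROM usertable WHERE name='" + name +
           "' AND password='" + password + "'")
    return db.execute(sql).fetchall()


def login_bound(db, name, password):
    """Same query with placeholders: input reaches the engine as values only."""
    sql = "SELECT data FROM usertable WHERE name=? AND password=?"
    return db.execute(sql, (name, password)).fetchall()


def compare(name, password):
    """Run both versions on a fresh database and return (concat, bound)."""
    db = make_db()
    try:
        concat = login_concat(db, name, password)
    except sqlite3.Error as exc:
        # This is the only case an `or die()` style check would catch.
        concat = "error: " + type(exc).__name__
    return concat, login_bound(db, name, password)


if __name__ == "__main__":
    # Constructed inputs: correct login, wrong password, a name containing a
    # quote, and a quote followed by a SQL comment marker.
    for name, pw in [("alice", "s3cret"), ("alice", "wrong"),
                     ("o'brien", "x"), ("alice' --", "wrong")]:
        concat, bound = compare(name, pw)
        print(f"{name!r:12} {pw!r:9} concat={concat!r} bound={bound!r}")
```

The third input raises a syntax error in the concatenated version, which is all an error check can see; the fourth changes the query without any error, while the bound version returns no rows for both.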
