SQLMap : additional techniques

Mar 21, 2023 by Thibault Debatty | 2258 views

Offensive Security Cylab Play

https://cylab.be/blog/260/sqlmap-additional-techniques

In a previous blog post, we have explained what SQL injection is, and how to exploit it using sqlmap. In this blog post, we will show some additional techniques: how to exploit web applications that use clean URLs, how to exploit a POSTed form, how to hide traces etc.

To illustrate these techniques, we will use vulnerable apps from Cylab Play, our collection of vulnerable apps.

POSTed form

SQLMap has the --form option that allows to detect and exploit forms. So you can exploit a form with:

sqlmap -u <url> --forms --DBS

POST-SQL-Injection.png

For example, using the SQL Injection app:

./sqlmap.py -u "http://ip172-18-0-147-cgcqcaqe69v0008hskn0-8000.direct.labs.play-with-docker.com/" --forms --dbs

SQLite databases

In some cases, SQLMap may not detect a vulnerability because the database used by the web application is not MySQL, like SQLite for example. In those cases, you can use the parameter --dbms=DBMS to force the tested DBMS.

You can test this with the SQLite Injection app for example:

sqlmap-sqlite.png

Clean URLs

SQLMap is also able to exploit applications that rely on nice URL’s. For this, you must flag the ‘exploitable’ part of the URL with a *

You can test this technique against our SQL Nice Injection app:

SQL-Nice-Injection.png

./sqlmap.py -u http://ip172-18-0-159-cgcqpng1k7jg008skmk0-8000.direct.labs.play-with-docker.com/page/43* --dbs

UserAgent

By default, SQLMap uses the UserAgent sqlmap/<version> ... to run http queries. This is extremely visible in the logs.

sqlmap-useragent.png

You can use another user agent with the option -A "<user agent>". For example:

./sqlmap.py -u http://127.0.0.1:8000/page/43* --dbs -A "Mozilla/4.3 (X11; Linux x86_64; rv:123.0) Gecko/230320 Firefox/123.0"

Purge

Finally, SQLMap keeps a cache of detected vulnerabilities, to speed-up subsequent queries. If you are testing a local app (like http://127.0.0.1:8000), your results may be corrupted by previous tests. Hence you can clear the cache with:

./sqlmap.py --purge

This blog post is licensed under CC BY-SA 4.0

How to detect filtered (and opened) outgoing ports on a network?
Sometimes you want to access services running on unusual ports, like a SSH server running on port 2222 for example. If connection fails, how can we detect the outgoing ports that are filtered or open on the network?
May 16, 2023 | 2106 views
Adv-Bot: Realistic Adversarial Botnet Attacks against Network Intrusion Detection Systems
Due to the numerous advantages of machine learning (ML) algorithms, many applications now incorporate them. However, many studies in the field of image classification have shown that MLs can be fooled by a variety of adversarial attacks. This raises many questions in the cybersecurity field, where a growing number of researchers are recently investigating the feasibility of such attacks against machine learning-based security systems, such as intrusion detection systems.
Mar 28, 2023 | 1189 views
Web shells and the dangers of unrestricted file upload
In previous blog posts, we have already illustrated two web application vulnerabilities: brute force login cracking and SQL injection. In this post we illustrate a 3rd vulnerability, unrestricted file upload, and show how it can be exploited using a web shell.
Jan 26, 2023 | 2663 views
This website uses cookies. More information about the use of cookies is available in the cookies policy.
Accept