The objective of this post is to show how one might go about identifying a SQL injection vulnerability on a website and then exploiting that vulnerability by obtaining any sensitive information contained within the database.
First, we need to have a target. In our case, we’re going to obfuscate the domain name of our target because it’s an actual working, live site with SQL injection vulnerabilities and they take credit information (ouch). Obviously this is not good – so we don’t want to put them on blast.
Once we have a target domain, we need to think about our approach. First and foremost, before we can exploit a SQL injection vulnerability, we need to find one. There are a number of ways to hunt for them, but we’re going to use OWASP Zed Attack Proxy (ZAP) to help with automating discovery. ZAP may not be as robust as Burp Suite but it’s easy to use and what we’ve chosen. In the interest of ensuring our testing is not traced back to us, we’ve launched ZAP using the following commands:
service tor start
service tor status
root@kali:/usr/share/zaproxy# java -DsocksProxyHost=127.0.0.1 -DsocksProxyPort=9050 -jar zap-2.4.1.jar
We begin by plugging in our target domain name (as seen below) and clicking “Attack”.
The length of time it takes to fully scan a domain depends on a number of factors. As ZAP finds vulnerabilities, they’ll be listed in the “Alerts” tab:
As you can see, ZAP has found a number of areas within the site that are susceptible to SQL injection. ZAP is not really capable of exploiting any vulnerabilities that it discovers, so we need another tool. In this case, we’ve chosen sqlmap. Sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers.
As mentioned above, we want to ensure that our work is not traced back to us. For this reason, we’re going to proxy our connections with switches built into sqlmap. The full command we want to run is this:
sqlmap --tor --tor-type=SOCKS5 --check-tor --random-agent --dbs --dump -u http://domain-name-here.org/board/board.php?id=6
The following output from sqlmap indicates injection point vulnerabilities:
While some tables in the database contain non-sensitive information (like the one above), others contain very sensitive information:
We also obtained a list of usernames and password hashes when we dumped their databases…which could probably be cracked with minimal effort.
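As an added example that is not part of the original post, here is a Python stand-in for the kind of handler that sits behind a URL like board.php?id=6: the vulnerable version splices the id parameter into the query text, which is exactly what lets a scanner such as ZAP or sqlmap reshape the WHERE clause, and the hardened version validates the value and binds it as a parameter. The table schema, rows and the "public" flag are constructed assumptions; the real site's code and tables are not known.

```python
import sqlite3


def make_board_db():
    """Constructed in-memory database; the schema is an assumption, not the real site's."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE board (id INTEGER PRIMARY KEY, title TEXT, public INTEGER);
        INSERT INTO board VALUES (6, 'Welcome to the board', 1);
        INSERT INTO board VALUES (7, 'Unpublished internal note', 0);
    """)
    return conn


def fetch_post_vulnerable(conn, raw_id):
    """The bug: the untrusted ?id= value becomes part of the SQL text.

    Whatever the client appends to the parameter is parsed as SQL, so the
    'public = 1' restriction can be overridden and rows that were never
    meant to be visible are returned.
    """
    sql = "SELECT id, title FROM board WHERE public = 1 AND id = " + raw_id
    return conn.execute(sql).fetchall()


def fetch_post_safe(conn, raw_id):
    """The fix: check the type, then pass the value as a bound parameter.

    The database receives the SQL text and the value separately, so the
    value can never change the structure of the query.
    """
    try:
        post_id = int(raw_id)
    except (TypeError, ValueError):
        return []  # reject anything that is not an integer id outright
    sql = "SELECT id, title FROM board WHERE public = 1 AND id = ?"
    return conn.execute(sql, (post_id,)).fetchall()


if __name__ == "__main__":
    db = make_board_db()
    tampered = "6 OR 1=1"  # constructed input; AND binds tighter than OR, so every row matches
    print("vulnerable, normal  :", fetch_post_vulnerable(db, "6"))
    print("vulnerable, tampered:", fetch_post_vulnerable(db, tampered))
    print("safe, tampered      :", fetch_post_safe(db, tampered))
```

The same bound-parameter pattern is what PHP's PDO or mysqli prepared statements provide, and it is the fix ZAP's and sqlmap's findings on a page like this one are pointing at.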