As I discussed in my previous post that we can exploit Union Based SQL Injection with the help of manual SQL queries. now we will do the same exercise with a Python based tool SQLMAP.
Note:- This tutorial is being carried out on demo test site provided by ACUNETIX, You can also try on the same website.
Sqlmap is arguably the most popular and powerful sql injection automation tool available and it is completely open-source. All it needs is the vulnerable URL in case of get request or a text file in case we want to perform it on a post request.
Sqlmap can exploit the application’s database and do a lot of hacking like extracting database names, tables, columns, all the data in the tables etc. It can even read and write files on the remote file system under certain conditions.
What is OS Command Injection
OS Command Injection is a vulnerability which describes improper neutralization of special elements. It can result in modification of the intended OS command that is sent to a downstream component.
So, OS command injection weaknesses can expose an environment to an attacker even if he does not have direct access to the operating system. Also, if the application is running with higher privilege, it may allow an attacker to specify commands that may not be available otherwise.
Running OS commands is very useful functionality but it can equally trigger a vulnerability if not used correctly.
Types of OS Command Injection
There are two sub-types of command Injection.
- An application executes a fixed program that is under its control and accepts external input as arguments to that program. e.g. the application may run system(“nslookup [HOSTNAME]”) to run nslookup and allow the user to supply a HOSTNAME, which is actually an argument.
Interestingly, if the program does not remove separators from the externally supplied HOSTNAME argument, the attacker could place separators inside the argument and execute his own command.
- The application uses input to select which program to run and what commands to use. The application sanitizes the input and then simply redirects the entire command to the operating system.