Using sqlmap with web forms

I’m honing my pen testing skills in preparation for taking the OCSP test by doing CTFs, and one of the VMs that I download from VulnHub was Pinky’s Palace. I ran a nmap scan and was identified services that were running on the VM and got to a login page in the website.

I viewed the source of the page and didn’t see anything that I could use to easily bypass the form. I then tried SQL injection on the webpage with 'or'1'='1 and didn’t get any results back, which made me think that the machine was not vulnerable to SQL injection attacks. I got stumped for a while because there were no other vectors for me to use to get on the host, that I could see. I researched tools that are capable of automating SQL attacks and found sqlmap. Running sqlmap with the following command allowed me to enumerate the databases on the server.

sqlmap -u --proxy --data="user=admin&pass=pass&submit=Login" --level 5 --dbs

The -u identifies the webpage that we want sqlmap to interact with.
--proxy tells sqlmap to route all requests through that proxy, something that is required due to the security configurations on the nginx web server
--data="user=admin&pass=pass&submit=Login" gives sqlmap the information to submit on the web form to interact with the backend SQL database
--level 5 is the number of tests to run on the server, 1 being the default and 5 being the highest
--dbs enumerates the databases in on the server
After sqlmap ran I got the following results:

From there I needed to enumerate the tables in the databases, and all that was required was to replace --dbs with --tables and wait, after several hours I received the following results:

There are too many tables to fully show in the databases, but the one of interest to me is the user table in pinky_sec_db. Now I need to dump that table to grab the hashes so I can try to crack them. I do that with:
sqlmap -u --proxy --data="user=admin&pass=pass&submit=Login" --level 5 --dump users with --dump identifying what table to dump out of the database.

With this output, I was able to retrieve the password hashes for the two users on the website to try to crack through various other methods to gain further access to the server.

Leave comment

Your email address will not be published. Required fields are marked with *.