Hello everyone and welcome to this tutorial on setting up a web GUI for SQLMAP. Web GUI simply refers to the interface that a browser gives you over HTTP/HTTPS.
SQLMAP is a popular tool for performing SQL injection attacks on sites affected by SQL injection flaws; be it error-based SQL injection or blind SQL injection, sqlmap is the best-known tool there is for SQL injection attacks. But very few people know that sqlmap also provides an API for its service, written in Python, which we can use to develop a front end for the same sqlmap that normally runs on the command line.
One such person is Hood3dRob1n (https://github.com/Hood3dRob1n/SQLMAP-Web-GUI), who has created a PHP-based front end for sqlmap, and today we'll be setting it up in Kali Linux. Needless to say, it will be compatible with any Linux distro.
Let's get started.
Table of contents:
1. Cloning the github repository and giving necessary permissions
2. Locating and hosting the API
3. Launching the front end
4. Attacking practice lab for SQLi
Cloning the github repository
First, we need to clone the Hood3dRob1n repository. To clone, we'll use the git clone command inside "/var/www/html" and then move the folder named sqlmap out of the cloned repository so that it sits directly under "/var/www/html":
cd /var/www/html
git clone https://github.com/Hood3dRob1n/SQLMAP-Web-GUI
cd SQLMAP-Web-GUI
mv sqlmap ..
cd ..
chmod 777 sqlmap   # 777 makes the folder world-writable; tighten this to what the web server user actually needs
Locating and hosting the API
The next step is to start an Apache server. If you don't have Apache pre-installed, you can install it with the apt-get install apache2 command.
Once the Apache server is running, we need to run the sqlmapapi. The default folder varies between Linux distros, so we used the locate command to find the file named "sqlmapapi.py":
locate sqlmapapi.py
We then run this API using the following command (the path shown is Kali's; use the one that locate returned on your system):
python /usr/share/sqlmap/sqlmapapi.py -s
The -s flag starts the API server, which listens on 127.0.0.1:8775 by default. The PHP front end talks to it from the same machine, so leave it bound to localhost: the API performs no authentication of its own.
Launching the front end
If you have followed this tutorial so far, you'll see the following screen when you open http://localhost/sqlmap in your browser.
And voila! Just like that you are good to start injecting SQL queries.
Attacking practice lab for SQLi
There are essentially 6 tabs here.
· BASIC: This tab allows you to set the URL to test for SQL injection. You can set the HTTP method too; the given options are POST, PUT, HEAD etc.
· REQUEST: Allows you to modify your request with optional parameters like time delay, timeout between requests, number of retries to connect, user agent etc.
· INJECTION & TECHNIQUE: Lets you choose which kind of injection and techniques you are applying (Boolean-based, error-based, inline etc.) as well as other options like use of DBMS hex functions for data retrieval, kind of database (MySQL or MSSQL) and so on.
· DETECTION: To set a custom string to match.
· ENUMERATION: What data to retrieve, e.g. the current user and a dump of the current database. Or if you are feeling fancy, a dump of all users and all data. You can play around with it.
· ACCESS: Access parameters. Leave this at default if you don't know your way around it.
We will set the parameters one by one as we proceed. But we never attack live websites, hence we used another PC with the IP address 192.168.1.105 to host a practice lab for SQL injection attacks called SQL-Dhakkan. Refer to this article to know how you can set it up yourself!
If you succeed in setting up the lab, you'll get a screen something like this:
I am on Lesson 1 currently and I know that id=1 has an error-based SQLi vulnerability. So, let's copy this URL into our web-gui sqlmap.
It is highly recommended that you familiarise yourself with HTTP methods and read how to manually attack SQLi here, because it will give you a profound idea of the options we will be selecting further in the tutorial. But if you wish to continue with the tutorial instead, who am I to stop you!
Go to the enumeration tab and select the methods that you want to test.
Once set, choose the type of SQLi you want to perform.
Once you are satisfied with the choices you input, run the scan!
For the purpose of this tutorial we have performed a really basic scan that tells us the current database and hostname, but you can play around with the parameters as you like.
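To show what the front end does behind its run button, here is an added example (not the page's or Hood3dRob1n's code) of the same REST exchange in Python against sqlmapapi's endpoints: /task/new, /option/<id>/set, /scan/<id>/start, /scan/<id>/status, /scan/<id>/data and /task/<id>/delete. The address 127.0.0.1:8775 is sqlmapapi's default; FakeSqlmapApi is a constructed stand-in so the sequence can be run and inspected offline, and its result values are made up, not real lab output.

```python
import json
import time
import urllib.request

API_BASE = "http://127.0.0.1:8775"  # where "sqlmapapi.py -s" listens by default

def http_json(method, path, body=None):
    # One request to sqlmapapi; the server expects JSON bodies on POST.
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(API_BASE + path, data=data, method=method,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read().decode())

def run_scan(target_url, options, send=http_json, poll_seconds=2.0):
    # What the GUI does behind its run button: new task, set options,
    # start, poll status until terminated, read results, delete the task.
    task = send("GET", "/task/new")
    if not task.get("success"):
        raise RuntimeError("sqlmapapi refused to create a task")
    taskid = task["taskid"]
    send("POST", f"/option/{taskid}/set", options)
    if not send("POST", f"/scan/{taskid}/start", {"url": target_url}).get("success"):
        raise RuntimeError("scan did not start")
    while send("GET", f"/scan/{taskid}/status")["status"] != "terminated":
        time.sleep(poll_seconds)
    results = send("GET", f"/scan/{taskid}/data")["data"]
    send("GET", f"/task/{taskid}/delete")
    return taskid, results

class FakeSqlmapApi:
    # Constructed stand-in for a running sqlmapapi so the exchange can run
    # offline; reply shapes follow the real server's JSON, values are made up.
    def __init__(self):
        self.calls, self.polls = [], 0

    def __call__(self, method, path, body=None):
        self.calls.append((method, path, body))
        if path == "/task/new":
            return {"success": True, "taskid": "deadbeef00000000"}
        if path.endswith("/start"):
            return {"success": True, "engineid": 4242}
        if path.endswith("/status"):  # "running" on the first poll, then finished
            self.polls += 1
            done = self.polls >= 2
            return {"success": True, "status": "terminated" if done else "running",
                    "returncode": 0 if done else None}
        if path.endswith("/data"):  # constructed result, not real lab output
            return {"success": True, "data": [{"type": 1, "value": "lab_user@localhost"}], "error": []}
        return {"success": True}
```

Against a live API, run_scan(url, options) uses the real urllib transport; the options dict takes sqlmap's own option names (for example getCurrentUser, getCurrentDb, getHostname), which is what the GUI tabs fill in for you.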
Conclusion: A web-based GUI for sqlmap is definitely a plus point over the traditional sqlmap for many reasons, one of them being the ease of access. There is no need to remember such long commands. Drag, drop and done!
Plus, a web-based GUI is nothing but a web app for you. A web app that runs sqlmap, isn't it great?
Hope you enjoyed this little tutorial.