This document provides information about SQL injection vulnerabilities and how to use the SQLMap tool to exploit them. It discusses the different types of SQL injections, how they work, and their impact. It then describes SQLMap's features for detecting and exploiting SQL injections, such as enumerating databases, tables, columns, and dumping data. It lists useful SQLMap option keys and provides an overview of how to use SQLMap to identify and exploit SQL injection vulnerabilities.

1. SQL Injection
BY: Manish Bhandarkar

2. LAB Setup :-
1) VM with Hack me Bank Installed
http://ninja-sec.com/index.php/hacme-bank-prebuilt-vmware-image-ninja- sec-com/
2) SQL-Map For Windows
https://github.com/sqlmapproject/sqlmap/zipball/master
3) SQL-Map For Unix
It is there on Backtrack 5

3. OWASP TOP 10
 A1 : Injection
 Injection flaws, such as SQL, OS, and LDAP injection,
occur when untrusted data is sent to an interpreter as
part of a command or query. The attacker’s hostile data
can trick the interpreter into executing unintended
commands or accessing unauthorized data

4. Injections
 Common type of injections :
 SQL
 LDAP
 Xpath
 etc
 IMAPCT :
 As disastrous as handling the database over to the
attacker
 Can also lead to OS level access

5. Definition
 Exploiting poorly filtered or in-correctly escaped SQL
queries to execute data from user input
Types
 Error Based
 Blind Injections
 Boolean Injections

6. How They Are Work?
 Application presents a form to the attacker
 Attacker sends an attack in the form data
 Application forwards attack to the database in a SQL query
 Database runs query containing attack and sends encrypted
result back to application
 Application renders data as to the user

8. SQL MAP

9. SQL MAP INTRODUCTION
 Powerful command line utility to exploit SQL Injection
vulnerability
 Support for following databases
 MySQL  Firebird
IBM DB2  Microsoft SQL Server
Oracle  SAP MaxDB
SQLite  Sybase and
PostgreSQL  Microsoft Access

10. TECHNIQUES OF SQL INJECTION
 Boolean-based blind
 Time-based blind
 Error-based
 UNION query
 Stacked queries

11. SQL MAP OPTION KEYS
o -u <URL>
o -dbs (To enumerate databases)
o -r (For request in .txt file)
o -technique (SQL injection technique)
o - dbms (Specify DBMS)
o -D <database name> --tables
o -T <table name> --columns
o -C <column name> --dump
o --cookie (Authentication)
o --dump-all

12. SQL MAP FLOW
 Enumerate the database name
 Select database and enumerate tables
 Select tables and enumerate columns
 Select a column and enumerate rows(data)
 Choose whatever u want

13. WHY USED SQL MAP?
 Built in capabilities for cracking hashes
 Options of running user defined queries
 You could run OS level commands
 You could have an interactive OS shell
 Meterpreter shell with Metasploit

14. EXTRA USEFUL SQL MAP OPTION KEYS 1
 --os-cmd
 Run any OS level command
 --os-shell
 Starts an interactive shell
 --os-pwn
 Injects a Meterpreter shell
 --tamper
 Evading WAF

15. EXTRA USEFUL SQL MAP OPTION KEYS 2
 --tor: Use Tor anonymity network
 --tor-port: Set Tor proxy port other than default
 --tor-type: Set Tor proxy type (HTTP - default,
SOCKS4 or SOCKS5)
 --check-payload: Offline WAF/IPS/IDS payload
detection testing
 --check-waf: heck for existence of WAF/IPS/IDS
protection
 --gpage: Use Google dork results from specified
page number
 --tamper: custom scripts

16. U WANT TO EXPLORE MORE
 SQL MAP Usage Guide
http://sqlmap.sourceforge.net/doc/README.html
 SQL MAP WITH TOR
http://www.coresec.org/2011/04/24/sqlmap-with-tor/

17. THANK YOU
BY: Manish Bhandarkar
http://www.hackingforsecurity.blogspot.com