Tag Archives: vulnerability assessment

SQL injection with SQLMap

sqlmap, included in the Kali distro, is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over back-end database servers. It comes with a broad range of features, from database fingerprinting to fetching data from the DB and even accessing the underlying file system and executing OS commands via out-of-band connections.

Dump Table Contents

The first step is to allow sqlmap to scan for the OS, web server, and database version information. Note that this is for a specific page! So it may be a better idea to use a program like the OWASP-ZAP scanner to find pages that might be susceptible to SQL injection, then use this program to scan THAT PAGE. sqlmap CAN crawl a website, but it would be more efficient to use another program first to find potential targets.

sqlmap -u http://www.example.com

This will tell you whether or not a server is vulnerable to SQL injection. Once you’ve found a page that is, you can use sqlmap to get the names of the databases on the server. To do this, type:

sqlmap -u http://www.example.com --dbs

This gives you a list of the available databases on the system.

Once you have this list of databases, you can then narrow it down even further to find the tables of a certain database. Using the example database name “database_name”:

sqlmap -u http://www.example.com --tables -D database_name

sqlmap will now give you the tables it can find in that database! Pretty cool. With this info, we can narrow it down even further to get the columns of that table. With the example table name of “table_name”:

sqlmap -u http://www.example.com --columns -D database_name -T table_name

We can now also dump the contents with all this information:

sqlmap -u http://www.example.com --dump -D database_name -T table_name

Crawl a Website

sqlmap can crawl a webpage to look for pages that are vulnerable to SQL injection. You also have the ability to set the level of the crawl (distance from starting page). The batch option below tells sqlmap to run in non-interactive mode and to take the default action whenever user input would be requested.

sqlmap -u http://www.example.com --batch --crawl=3
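
Seen from the server being tested, a crawl like this leaves a recognisable trail in the access log. The following Python example is added here and is not part of the original post: it flags sqlmap's default "sqlmap/" User-Agent and a few common injection-test patterns in request query strings. The log lines, IP addresses and version string are constructed samples, and the pattern list is an assumption to tune for your own traffic.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote_plus

# Constructed sample lines in Apache/nginx "combined" log format.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:10:01:02 +0000] "GET /item.php?id=1 HTTP/1.1" 200 512 "-" "sqlmap/1.7.2#stable (https://sqlmap.org)"
203.0.113.7 - - [12/Mar/2024:10:01:03 +0000] "GET /item.php?id=1%20AND%201%3D1 HTTP/1.1" 200 512 "-" "sqlmap/1.7.2#stable (https://sqlmap.org)"
198.51.100.9 - - [12/Mar/2024:10:02:10 +0000] "GET /item.php?id=1%20UNION%20ALL%20SELECT%20NULL%2CNULL HTTP/1.1" 200 498 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Mar/2024:10:03:00 +0000] "GET /item.php?id=7 HTTP/1.1" 200 530 "-" "Mozilla/5.0"
"""

# client, ident, user, [time], "METHOD url PROTO", status, size, "referer", "agent"
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<url>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Patterns checked against the URL-decoded query string (assumed, not exhaustive).
PAYLOAD_SIGNS = {
    "union-select": re.compile(r"union\s+(all\s+)?select", re.I),
    "boolean-test": re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+", re.I),
    "time-delay": re.compile(r"\b(sleep|pg_sleep|benchmark)\s*\(|waitfor\s+delay", re.I),
    "schema-enum": re.compile(r"information_schema", re.I),
}

def scan(log_text):
    """Return {client_ip: Counter(signal -> hits)} for suspicious requests."""
    hits = defaultdict(Counter)
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not a combined-format line
        if m["ua"].lower().startswith("sqlmap/"):
            hits[m["ip"]]["sqlmap-user-agent"] += 1
        query = unquote_plus(m["url"].partition("?")[2])
        for name, rx in PAYLOAD_SIGNS.items():
            if rx.search(query):
                hits[m["ip"]][name] += 1
    return dict(hits)

if __name__ == "__main__":
    for ip, counts in scan(SAMPLE_LOG).items():
        print(ip, dict(counts))
```

The User-Agent header is chosen by the client, so the query-string patterns are the more durable signal of the two.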

Execute SQL queries

On servers that are vulnerable to SQL injection we can attempt to execute our own SQL queries. Notable things to do would be to add users. We can do this using the --sql-shell parameter. This will give us an interactive SQL shell on the remote machine. If this doesn’t work, you can try sending specific SQL queries with the --sql-query parameter. Both are shown below.

sqlmap -u http://www.example.com --sql-shell

sqlmap -u http://www.example.com --sql-query "SELECT 'foo'"

Shell on the Remote OS

This works very rarely. But it’s a good thing to test for on your server! If it works, you’ve completely taken over the server, so make sure you aren’t vulnerable! This is only possible when the back-end database management system is either MySQL, PostgreSQL, or Microsoft SQL Server, and the session user has the needed privileges to abuse specific functionalities and weaknesses.

sqlmap -u http://www.example.com --os-shell

sqlmap -u http://www.example.com --os-cmd "<command>"
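
To check your own code for the flaw these commands rely on, compare how a handler reacts to a true and a false condition appended to its parameter. This Python example is added here and is not from the original post; the table, data and function names are constructed for illustration, with an in-memory SQLite database standing in for the back-end.

```python
import sqlite3

def make_db():
    """In-memory stand-in for the site's back-end database (constructed data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO items VALUES (?, ?)",
                   [(1, "widget"), (2, "gadget")])
    return db

def lookup_concat(db, item_id):
    """Vulnerable: the request parameter is pasted into the SQL text."""
    sql = "SELECT name FROM items WHERE id = " + item_id
    return db.execute(sql).fetchall()

def lookup_param(db, item_id):
    """Hardened: the parameter is bound as data and never parsed as SQL."""
    sql = "SELECT name FROM items WHERE id = ?"
    return db.execute(sql, (item_id,)).fetchall()

def condition_changes_result(lookup, db):
    """True if a true vs. a false condition appended to the parameter changes
    the response, meaning the input reached the SQL parser."""
    return lookup(db, "1 AND 1=1") != lookup(db, "1 AND 1=2")

if __name__ == "__main__":
    db = make_db()
    for handler in (lookup_concat, lookup_param):
        flagged = condition_changes_result(handler, db)
        print(f"{handler.__name__}: injectable={flagged}")
```

A check like this fits in a unit-test suite, so a handler that goes back to string-built SQL fails the build before a scanner ever finds it.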

Getting Started with OpenVAS

OpenVAS is included in the current Kali Linux distro, so this guide will walk you through the initial setup of OpenVAS and then how to use the program.

First we need to create a certificate for OpenVAS to use. You can just accept all the default values by pressing [Enter] – they are only used locally.

sudo openvas-mkcert

Next we will create a matching certificate with a username. It doesn’t matter what this username is – you’ll never use it again outside this setup. Our username here is “pentest”.

sudo openvas-mkcert-client -n pentest -i

Next we can update our database of vulnerabilities. Keep this command in mind – you’ll want to update every now and then.

sudo openvas-nvt-sync

Next we’ll need to stop a few services so that we can perform updates without conflict.

sudo service openvas-manager stop
sudo service openvas-scanner stop

Now we can start our actual scanner and allow it to update itself. These steps can take a while – be patient!

sudo openvassd

Rebuild our database …

sudo openvasmd --rebuild

Update our Security Content Automation Protocol (SCAP) data (another database used by OpenVAS to check for vulnerabilities) …

sudo openvas-scapdata-sync

Update cert data …

sudo openvas-certdata-sync

Woo! The back end stuff is all set up now. Now we need to create an administrator user and password used to log in to the OpenVAS system. All this sounds complicated, but it’s not. Once things are up and running, it’s point and click! Here we’ll use the username “admin”. You’ll be asked to pick a password – don’t forget these, you’ll need them when you want to use OpenVAS.

sudo openvasad -c add_user -n admin -R Admin

You’ll be asked for a password and warned that this account has full privileges.

Now we need to restart all these services we’ve been updating.

sudo killall openvassd
sudo service openvas-scanner start
sudo service openvas-manager start
sudo service openvas-administrator restart
sudo service greenbone-security-assistant restart

Wait a second, you say! What is that greenbone thing?! Well – glad you asked! That is a web interface for the OpenVAS program. It’s pretty – you’ll like it a lot.

With all of this done, you can pull up your browser and point it to https://localhost:9392. Remember that username and password I told you you’d need to remember? Good! Use them to log in at the welcome screen of Greenbone.


Once you’re logged in, you can use the quick start box to enter the host you wish to scan and hit “Start Scan” to get going. It’s as easy as that! You can view results even before the scan is done, then when it’s over you can output the results as HTML, PDF, TXT, and many more. Enjoy!