As we discussed at the beginning of this section, HTTP headers are also a form of user input,
and the HTTP cookie and headers such as User-Agent or Referer are common places to look for SQL
injection; the problem, however, is that most web application scanners are not good at
detecting HTTP header-based SQL injection. Luckily, sqlmap has an option to automatically test
all HTTP headers and cookies for SQL injection vulnerabilities.
By default, sqlmap tests only GET and POST inputs; however, we can change this by supplying
the additional --level argument.
Sqlmap levels
GET/POST — Default
HTTP Cookie — Level 2 and above
HTTP Headers — Level 3 and above
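As an added example (not from the book), here is a small Python check that a WAF or log pipeline could run over the same cookie and header fields sqlmap probes at levels 2 and 3, since ordinary scanners and input filters tend to look only at GET and POST parameters. The header names, patterns, and sample requests are constructed for illustration.

```python
import re

# Fields sqlmap injects into at --level 2 (cookie) and --level 3 (other headers).
WATCHED_FIELDS = ("cookie", "user-agent", "referer", "x-forwarded-for")

# Constructed heuristics for the payload shapes used in boolean, time-based and UNION tests.
SQLI_PATTERNS = [
    re.compile(r"(?i)'\s*(or|and)\s+['\d]"),               # ' OR '1'='1  /  ' AND 1=1
    re.compile(r"(?i)\bunion\b.{0,20}\bselect\b"),         # UNION ... SELECT
    re.compile(r"(?i)\b(sleep|benchmark|pg_sleep)\s*\("),  # time-based probes
    re.compile(r"(?i)\bload_file\s*\("),                   # file-read primitive from this chapter
    re.compile(r"--\s*$|#\s*$|/\*"),                       # comment used to truncate the query
]


def inspect_request(headers):
    """Return (field, reason) findings for one request's headers.

    `headers` maps lower-cased header names to values, as a WAF or access-log
    parser would supply. An empty list means nothing looked like injection.
    """
    findings = []
    # sqlmap announces itself in the User-Agent unless the operator overrides it,
    # so this is a cheap but weak signal; the pattern checks below are the real test.
    if headers.get("user-agent", "").lower().startswith("sqlmap/"):
        findings.append(("user-agent", "sqlmap default User-Agent"))
    for field in WATCHED_FIELDS:
        value = headers.get(field, "")
        for pattern in SQLI_PATTERNS:
            if pattern.search(value):
                findings.append((field, "matches " + pattern.pattern))
                break  # one reason per field is enough to raise an alert
    return findings


def flagged_indices(requests):
    """Indices of requests that produced at least one finding."""
    return [i for i, hdrs in enumerate(requests) if inspect_request(hdrs)]


# Constructed sample traffic: one benign request, one time-based probe in the
# User-Agent, one boolean probe in the cookie sent with sqlmap's default User-Agent.
SAMPLE_REQUESTS = [
    {"user-agent": "Mozilla/5.0", "cookie": "PHPSESSID=abc123; lang=en"},
    {"user-agent": "Mozilla/5.0' AND SLEEP(5)-- ", "referer": "http://localhost/"},
    {"user-agent": "sqlmap/1.x#stable (https://sqlmap.org)", "cookie": "id=1' OR '1'='1"},
]

if __name__ == "__main__":
    for i in flagged_indices(SAMPLE_REQUESTS):
        print(i, inspect_request(SAMPLE_REQUESTS[i]))
```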
Web Hacking ◾ 369
Operating System Takeover with Sqlmap
There are various commands in sqlmap that allow you to execute system commands on
the underlying operating system. In the sqlmap help menu, under the operating system section,
we can find the following commands:
--os-cmd=OSCMD    Execute an operating system command
--os-shell        Prompt for an interactive operating system shell
--os-pwn          Prompt for an out-of-band shell, meterpreter, or VNC
--os-smbrelay     One-click prompt for an OOB shell, meterpreter, or VNC
--os-bof          Stored procedure buffer overflow exploitation
--priv-esc        Database process user privilege escalation
--msf-path=       Path where Metasploit Framework 3 is installed
--tmp-path=       Remote absolute path of temporary files directory
We will discuss the first three commands next.
OS-CMD
The os-cmd option can be used to execute commands on the target operating system by using the
LOAD_FILE function that we discussed earlier. Let's try executing the id command; we will issue
the following command from sqlmap:
./sqlmap.py -u http://localhost/?support=yes --os-cmd=id
The id command in Linux displays information about the current user, such as the username,
user id, and group id.
Here is the output of the successful execution of the command:
OS-SHELL
The next option is os-shell, which gives an interactive shell so we can easily execute
commands.