Connecting directly to database with credentials in SQLMap

CatChMeIfUCan · Mar 3, 2018 · Viewed 10.7k times

I have the credentials of a TARGET website database, and SQLMap claims that you can connect to the database directly. Here are my commands on SQLMap in Kali Linux:

sudo sqlmap -d mysql://USER:PASSWORD@TARGET_IP:MySQL_Port/DATABASE

Example:

sudo sqlmap -d mysql://admin:[email protected]:3306/information_schema

But this is the error I get every time:

[CRITICAL]  SQLAchemy connection issue ('(_mysql_exceptions.OperationalError)
(1045, "Access denied for user 'admin'@'17.45.65.11' (using password: YES)")')

The IP 17.45.65.11 was my IP, of course, which was denied.

So is there a problem with my command?

Or does anyone know a better way to connect directly to a target database with credentials?

Answer

SergiyKolesnikov · Mar 6, 2018

Credentials for MySQL include not only a username and a password, but also a set of allowed IP addresses. So, even if we have the correct username and password, if the connection is established from an IP that is not allowed, we will get the 1045 "Access denied" error from sqlmap.

To illustrate the problem, I set up a test database testdb with user admin. Here are the user's credentials:

MariaDB [testdb]> select host,user,password from mysql.user where user='admin';
+-------------+-------+-------------------------------------------+
| host        | user  | password                                  |
+-------------+-------+-------------------------------------------+
| 92.168.0.20 | admin | *00A51F3F48415C7D4E8900010101010101010101 |
+-------------+-------+-------------------------------------------+

As shown in the host column, the user admin is allowed to access the server only from the IP 92.168.0.20. Now, if I run sqlmap from this IP, it succeeds:

$ sudo sqlmap -d 'mysql://admin:[email protected]:3306/testdb'

...

[*] starting at 09:28:43

[09:28:43] [INFO] connection to mysql server 92.168.0.99:3306 established
[09:28:43] [INFO] testing MySQL
[09:28:43] [INFO] resumed: [[u'1']]...
[09:28:43] [INFO] confirming MySQL
[09:28:43] [INFO] resumed: [[u'1']]...
[09:28:43] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.0
[09:28:43] [INFO] connection to mysql server 92.168.0.99:3306 closed

[*] shutting down at 09:28:43

If I run sqlmap from a different IP, it fails with the 1045 "Access denied" error (exactly as in your output):

$ sudo sqlmap -d 'mysql://admin:[email protected]:3306/testdb'

...

[*] starting at 09:32:00

[09:32:00] [CRITICAL] SQLAlchemy connection issue ('(_mysql_exceptions.OperationalError)
  (1045, "Access denied for user 'admin'@'92.168.0.55' (using password: YES)")')

[*] shutting down at 09:32:00

So, if you are sure that you have the correct username and password, the problem is highly likely in the allowed IPs. When creating a MySQL user, it is common practice to allow access only from localhost. Therefore, you may have the correct username and password, but you can use them only locally on the server. On the other hand, the fact that the server accepts connections from outside may indicate that some other IPs are allowed to connect. In this case, you have to find out which IPs are allowed and connect from one of those.
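
The host matching described in the answer above can be reproduced offline to audit which accounts would admit a given client address. This is an added example, not part of the original answer and not sqlmap or MySQL code; `host_matches`, `audit` and all sample rows except `admin`@`92.168.0.20` are constructed for illustration, and it assumes IPv4 clients with no hostname resolution.

```python
import ipaddress
import re

# Constructed rows shaped like: SELECT host, user FROM mysql.user;
# Only the first row appears in the answer; the others are made up.
SAMPLE_ACCOUNTS = [
    ("92.168.0.20", "admin"),
    ("localhost", "admin"),
    ("10.1.2.%", "report"),
    ("172.16.0.0/255.255.0.0", "backup"),
    ("%", "legacy"),
]


def host_matches(pattern, client_ip):
    """Return True if an account's host value admits client_ip (IPv4)."""
    ip = ipaddress.ip_address(client_ip)
    if "/" in pattern:
        # Netmask form host_ip/netmask: match when client & netmask == host_ip.
        base, mask = (ipaddress.ip_address(p) for p in pattern.split("/", 1))
        return int(ip) & int(mask) == int(base)
    if pattern == "localhost":
        # Simplification: treat 'localhost' as loopback clients; no DNS lookups.
        return ip.is_loopback
    # '%' matches any run of characters and '_' any single character.
    regex = "".join(
        ".*" if c == "%" else "." if c == "_" else re.escape(c) for c in pattern
    )
    return re.fullmatch(regex, client_ip) is not None


def audit(accounts, client_ip):
    """Return (accounts admitting client_ip, accounts open to every host)."""
    admitted = [(user, host) for host, user in accounts
                if host_matches(host, client_ip)]
    any_host = [(user, host) for host, user in accounts if host == "%"]
    return admitted, any_host


if __name__ == "__main__":
    for client in ("92.168.0.20", "92.168.0.55", "127.0.0.1"):
        admitted, any_host = audit(SAMPLE_ACCOUNTS, client)
        print(client, "admitted as:", admitted)
    print("accounts reachable from any address:", any_host)
```

An account listed under `any_host` accepts its password from every network that can reach the port, so those rows are the ones to tighten first.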