Hacking Tutorials SQL Injection

Breaching Databases In Minutes With SQLMap

Hello Guys!
In previous article we learned how we can use SQL queries to make the database to disclose confidential information (even the usernames and passwords of the admin panel).
Well that was quite boring right? Well this is hacking its boring unless you don’t know what are you doing but when you mix knowledge with creativity…miracles happen.
But manual SQL Injection? Ain’t nobody got time for that.
So in this article I will be introducing a powerful database takeover tool called SQLMap.
Now lets get straight to the point.

SQLMap

It is a tool designed to satisfy all your needs related to SQL Injection. It can detect and bypass WAF (Web Application Firewall), can detect database type (like MSSQL, Oracle, Postgresql etc.) and version, it can perform different kind of injections (like blind, error based, time based etc.), it supports proxy, multiple strings for faster enumeration etc. etc. etc.
In simple word its the best Automatic SQLi Tool so far.
Just give it an injection point and it will do everything itself.
Excited? Me too man lets do this.

Spotting A Potential Injection Point

I was just checking the school website of my crush to see if there are any pictures of her.
Aaaand I found one and clicked on it but then accidentally looked at the address bar of my browser and I saw this:

Sorry I can’t let you see the complete URL and yeah this article is only Educational Purposes.
?id=46 this thing…different values of the id pulls out different data different data from the database. And as we learned in our previous article if a webpage uses SQL Queries to generate results it may generate anything that a user *coughs* a hacker wants.
So ummm here is my target webpage “******.**/udml/photo_gallery.php?id=6
” or you may call it an injection point (as a hacker can insert his own SQL Queries here)
Now lets try to breach into the database with SQLMap,

Injecting With SQLMap

Lets open terminal and type:

Here sqlmap represents SQLmap, -u represents URL, and then www.******.**/photo_gallery.php?id=6 is the value of URL.
Ok so I entered this command and I have this:

So SQLMap checked if the URL exists, then it checked if it is protected by a WAF/IPS/IDS, then it checked if the parameter id is dynamic which means whether its value changes or not.
Then it told me that it is vulnerable to SQL Injection and it guessed the Database Management System too i.e. MySQL.
Now in the last line it’s asking me if want to do further tests but no, it has guessed the DBMS so we don’t need it to do that.
And have you noticed that Y is in uppercase (here [Y/n] when it asks to choose an option?
Well the recommended option is always showed in uppercase and you should always enter that recommended option if you don’t know what you are doing.
So I entered Y and it began to check for the version of DBMS (version of MySQL).
After a few minutes I got this

Gotcha! Now it is confirmed that its vulnerable to SQL Injection and now its time to breach into the databases and stop testing further (So I entered N)
Hmm so now we know SQL Injection is possible we can tell SQLMap to retrieve/enumerate/find Databases.
For this I will pass the following command to the terminal,

Where –dbs tells SQLMap to retrieve databases.
This command got me here,

Hmm so there are two databases (denoted by the [*] symbol) so which one should we breach?
Well the first database we have is information_schema and this a database you are going to find in nearly every DBMS system. It stores read only information about the other databases.
So this is not the interesting stuff.
The next database is udmlacin_db which is probably the core database so we have to breach into it.
For that we will have to find the tables that are present in the database udmlacin_db and for that I will enter the following command in the terminal,

Where -D defines the target database.
And this command will show all the tables present in the target database like this,

Hmmm now what? I don’t know, it depends on what kind of information you want from the database.
In my case, I am interested in the table named admin because it may contain credentials (username, password etc.) by which we can login into admin panel of the website and can make changes to the website.
Hmmm so we lets retrieve the columns present in the table admin.
For this I will enter,

Where -T option is used to supply the target table name.
Aaaand SQLMap retrieves the columns,

Now lets dump this column to see whats inside of it
For this I will supply the following command,

In know time I got the results,

Whoa!! Thats a strong password!!
Nope…Its a hash!
Well yeah it is the password but it is encrypted, so you need to crack the cash to know the real password.
We are going to talk about Encryption and Hashes soon but for now I want to you to get familiar with SQLMap.
Comment down if you don’t understand something.
Till then, keep readingkeep learning.

Here is a Tutorial Video For You People To Understand It Better :

Also Read: What is Deep Web? [Includes Real Screenshots]


About the author

D3V

I am Somdev Sangwan also known as D3V. I am n00b and I love computers and hacking. I am a python freak and your friendly neighborhood hacker.

7 Comments

Click here to post a comment

Subscribe Now

Subscribe for free and get latest articles delivered right into your inbox.

Thank you for subscribing.

Something went wrong.

Categories

>-----ADVERTISEMENT-----<