By: Kevin Mark
September 1, 2015
Tutorial: How to Use SQLMAP
sqlmap -u http://kevinmark.com/article.php?id=IDIOT --dbs
(--dbs stands for databases.)

We're exploiting our target using SQL injection, and sqlmap has now run its tests. Just read the output carefully: sometimes errors appear, and other times you will need to answer yes/no to continue with more tests, or to end testing if the target isn't vulnerable, or isn't vulnerable to that method. Please note: this is not only for PHP. It works for ASP, ASPX, you name it.

We have now retrieved two databases from this site: information_schema and kevinmark_db. Time to get the tables, so we can dig into what we actually want to retrieve from our target. We'll now type:
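Before moving on, here is why article.php?id= can be enumerated at all. This is an added example, not code from the original post: it uses an in-memory SQLite table with a few constructed rows (the table and column names are assumed) and puts the string-built query that makes the id parameter injectable next to the type-checked, parameterized query a developer should write.

```python
"""Added example: why an endpoint like article.php?id= is injectable, and the fix.

Not from the original post. Uses an in-memory SQLite database with constructed
rows so it runs offline; the table and column names are assumed.
"""
import sqlite3

# Constructed sample data: the third column marks whether an article is public.
SAMPLE_ARTICLES = [
    (1, "Welcome", 1),
    (2, "Draft: not yet public", 0),
    (3, "Second post", 1),
]


def make_db():
    """Create an in-memory database holding the sample articles."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER, title TEXT, published INTEGER)")
    conn.executemany("INSERT INTO articles VALUES (?, ?, ?)", SAMPLE_ARTICLES)
    return conn


def fetch_article_unsafe(conn, user_id):
    """Concatenates the request parameter into SQL, the bug behind an injectable
    id= parameter: whatever the client sends becomes part of the query text."""
    sql = "SELECT id, title FROM articles WHERE published = 1 AND id = " + user_id
    return conn.execute(sql).fetchall()


def fetch_article_safe(conn, user_id):
    """Validates the type first, then binds the value as a parameter, so the
    database only ever sees the query shape the developer wrote."""
    try:
        article_id = int(user_id)
    except ValueError:
        return []  # reject anything that is not an integer id
    sql = "SELECT id, title FROM articles WHERE published = 1 AND id = ?"
    return conn.execute(sql, (article_id,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    # A normal request: both versions return the same single row.
    print(fetch_article_unsafe(conn, "1"))
    print(fetch_article_safe(conn, "1"))
    # A tampered request: the unsafe version's WHERE clause changes meaning and
    # the unpublished row leaks; the safe version rejects the value outright.
    tampered = "1 OR 1=1"
    print(fetch_article_unsafe(conn, tampered))
    print(fetch_article_safe(conn, tampered))
```

The tampered value is the simplest possible case; the point is that the database cannot tell developer-written SQL from client-supplied text once they are concatenated, whereas a bound parameter is always treated as a value, and the integer check rejects anything that is not an id before the query is even built.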
sqlmap -u http://kevinmark.com/article.php?id=IDIOT -D kevinmark_db --tables

Okay! So far, so good. We have retrieved a bunch of tables, including some we cannot use: articles, photo albums and stuff like that. What we could use here are users, admin and customers_payment, for example. Our target has all the users here, admins included, and inside customers_payment there might be credit cards stored. BAD! We'll check the columns inside of each table, starting with users. Type the following:
sqlmap -u http://kevinmark.com/article.php?id=IDIOT -D kevinmark_db -T users --columns
(-T stands for table.) To increase the speed, you can add --threads 5 after --columns.

We retrieved a lot of stuff, including emails, usernames, passwords and personal details like full name, last name etc. As I've said previously, passwords might be hashed rather than stored in plain text, as most are. The hash is most likely MD5, but other times it can be another algorithm. We're now going to the dump part. We've seen what we want and are going to make the last step in our small project here. BTW, it all depends on what you want to start with. Most people would start with admin, since it gives you the chance to access the admin panel, which can be found by Google dorking, a manual check or a scan.
Pay attention if you admin a website. Your users trust you very much to have good, strong security. Even if your user database gets dumped and the evil attacker chooses to share it, you might say "the passwords are encrypted." That doesn't change the fact that personal information still got "hacked", including email, password and other information. It would be very bad for your reputation, and your users might have a hard time actually trusting you in the future!

Let's continue. We ended on the dump part and saw that, inside the table "users", we had email, username, password, etc. Type the following:
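On the admin side of that warning: how the password column was stored decides how much a dumped users table is worth. This added example (not from the original post, standard library only, two constructed users) puts the unsalted MD5 the tutorial says is most common next to a salted, deliberately slow PBKDF2 record, and shows how the latter is verified at login.

```python
"""Added example (not from the original post): storing passwords so that a
dumped users table is far less useful to whoever publishes it.

Contrasts the unsalted MD5 the post says is most common with a salted, slow
PBKDF2 hash. Standard library only; the two users below are constructed.
"""
import hashlib
import hmac
import os

# Two constructed users who happen to have chosen the same password.
SAMPLE_USERS = [("alice", "Summer2015!"), ("bob", "Summer2015!")]

PBKDF2_ITERATIONS = 200_000  # raise over time as hardware gets faster


def md5_store(password):
    """The weak scheme: one unsalted MD5 per password. It is fast to compute,
    and identical passwords give identical hashes, so one crack covers every
    user with that password and precomputed tables apply directly."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_store(password, salt=None):
    """Salted, deliberately slow hash. A fresh random salt per user means equal
    passwords produce different records and each guess must be recomputed for
    each user; the record carries everything needed to verify it later."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def pbkdf2_verify(password, stored):
    """Re-derive with the stored salt and iteration count and compare in
    constant time, so verification does not leak how many bytes matched."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def compare_schemes(users=SAMPLE_USERS):
    """Hash the sample users both ways; returns (md5_records, pbkdf2_records)."""
    md5_records = [md5_store(pw) for _, pw in users]
    pbkdf2_records = [pbkdf2_store(pw) for _, pw in users]
    return md5_records, pbkdf2_records


if __name__ == "__main__":
    md5_records, pbkdf2_records = compare_schemes()
    print("MD5 records identical:", md5_records[0] == md5_records[1])  # True
    print("PBKDF2 records identical:", pbkdf2_records[0] == pbkdf2_records[1])  # False
    print("alice verifies:", pbkdf2_verify("Summer2015!", pbkdf2_records[0]))  # True
```

The two MD5 records come out identical, so a leaked table immediately reveals which users share a password and a single lookup table covers all of them; the two PBKDF2 records differ and each costs 200,000 HMAC rounds per guess. Storing the algorithm and iteration count inside the record is what lets you raise the cost later without breaking existing logins.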
sqlmap -u http://kevinmark.com/article.php?id=IDIOT -D kevinmark_db -T users -C email,username,password --dump --threads 5
(-C means columns.)

Instead of naming each column, we could also simply do this:

sqlmap -u http://kevinmark.com/article.php?id=IDIOT -D kevinmark_db -T users --dump --threads 5
(That will just dump the whole table.)

What have you learned so far? You've learned the basics of sqlmap. There's so much more you can do besides that. You can check out all commands for sqlmap by typing sqlmap -h, which means sqlmap help. I have uploaded a pastebin with all commands here: pastebin. Don't forget to check out my other contributions!
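For anyone on the receiving end of the steps above: every one of them (--dbs, --tables, --columns, --dump) is driven by a burst of requests that vary the same parameter, the schema enumeration references information_schema, and sqlmap's default User-Agent contains the token "sqlmap/" unless the operator overrides it. This added example (not from the original post) runs those three checks over a handful of access-log lines. The log lines are constructed for the example in Apache combined format with documentation-range IPs, not a real capture.

```python
"""Added example (not from the original post): spotting a sqlmap-style
enumeration in a web server access log.

Three independent signals are reported: a tool User-Agent, SQL markers inside
a query-string value, and several distinct payloads against the same path and
parameter (the enumeration pattern), which still fires when the User-Agent has
been disguised. The log lines are constructed (Apache combined format,
documentation IP ranges); they are not a real capture.
"""
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qs, urlsplit

SAMPLE_LOG = """\
203.0.113.7 - - [01/Sep/2015:10:00:01 +0000] "GET /article.php?id=5 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Sep/2015:10:00:02 +0000] "GET /article.php?id=5%20AND%201%3D1 HTTP/1.1" 200 5120 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
203.0.113.7 - - [01/Sep/2015:10:00:02 +0000] "GET /article.php?id=5%20UNION%20ALL%20SELECT%20NULL%2CNULL HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1)"
203.0.113.7 - - [01/Sep/2015:10:00:03 +0000] "GET /article.php?id=5%20AND%20(SELECT%20table_name%20FROM%20information_schema.tables%20LIMIT%201)%3D1 HTTP/1.1" 500 312 "-" "Mozilla/5.0 (Windows NT 6.1)"
198.51.100.4 - - [01/Sep/2015:10:00:05 +0000] "GET /article.php?id=7 HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (X11; Linux x86_64)"
"""

# Apache combined log format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Fragments typical of schema enumeration and boolean/time-based probing;
# matched after URL-decoding, case-insensitively.
SQLI_MARKERS = re.compile(
    r"information_schema|union\s+(all\s+)?select|\band\s+\d+\s*=\s*\d+|sleep\s*\(|benchmark\s*\(",
    re.IGNORECASE,
)


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyse(log_text, burst_threshold=3):
    """Return {client_ip: [reason, ...]} for clients showing injection activity."""
    findings = defaultdict(list)
    payload_hits = Counter()  # (ip, path, parameter) -> number of flagged values
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip = rec["ip"]
        if "sqlmap/" in rec["ua"].lower():
            findings[ip].append(f"tool user-agent: {rec['ua']}")
        url = urlsplit(rec["target"])
        for name, values in parse_qs(url.query).items():  # parse_qs URL-decodes
            for value in values:
                if SQLI_MARKERS.search(value):
                    findings[ip].append(f"SQL marker in {name}={value!r}")
                    payload_hits[(ip, url.path, name)] += 1
    for (ip, path, name), count in payload_hits.items():
        if count >= burst_threshold:
            findings[ip].append(f"{count} payloads against {path}?{name} (enumeration pattern)")
    return dict(findings)


if __name__ == "__main__":
    for ip, reasons in analyse(SAMPLE_LOG).items():
        print(ip)
        for reason in reasons:
            print("  -", reason)
```

In the sample, only 203.0.113.7 is reported: once for the tool User-Agent, once per flagged value on the id parameter, and once for the burst against /article.php?id. The burst signal is the one worth keeping when the User-Agent has been changed, and the same per-parameter counting can be fed from a WAF or reverse-proxy log instead of the web server's.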