Hello and welcome to another tutorial. You may have read my other contributions on Cybrary. If not, you should check them out:
How to Manually Use SQL Injection with the UNION SELECT Method [Guide]
How to Find Web-Based Vulnerabilities (Manually and with Tools)
As you might already know, SQLmap is an open-source tool. The tool is very simple to use, but very SMART! What does it do for you? It automatically detects SQL injection flaws, works out which injection technique it has to use, and exploits them for you. Once it has detected and exploited the flaw, you'll be able to see databases, tables and columns. Once you're inside, there are almost no limits on what you can do. It depends on what the target has stored about themselves or their customers: credit cards, user accounts and so on. As you might already know, critical information might also be encrypted, but we aren't going to talk about that this time. How can you use it? First, you'll have to download it, if it's not already installed and configured. You can visit SQLmap's official website to check out the latest version and download it:
Let's start. Don't forget to test this in your own lab, or only where you are allowed to, for educational purposes. Don't test this on targets where you aren't allowed. This can be considered an attack and could lead to serious fines or jail time, so don't ruin your life with these kinds of decisions. Our target for today is: http://kevinmark.com/article.php?id=IDIOT. Like this guy, I didn't secure my website enough to prevent an attack. If you've read my other contributions, you'll know how to find out whether the target is vulnerable: simply append a single quote (') to the parameter, so the URL ends in /article.php?id=IDIOT'. The page then returns an error that says something like: You have an error in your SQL syntax. As hackers, we're loading up Terminal, and we're going to make sure SQLmap is working first. How depends on what machine you're on. On Kali Linux, BackBox or another Linux-based distribution, simply type sqlmap if you installed it with, for example, apt-get. Otherwise, use ./sqlmap.py or python sqlmap.py. When it's working, it will look like this.
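Why does a single quote produce that "error in your SQL syntax" message, and what does the fix look like on the server side? The following is an added example, not code from the tutorial or from sqlmap: a small Python/sqlite3 stand-in for the article.php?id= endpoint (the table, column names and sample rows are constructed), with the flawed string-building query next to the parameterized version. The probe() helper applies the tutorial's quote test to each one.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the tutorial's articles table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id TEXT PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO articles VALUES (?, ?)",
                     [("1", "First post"), ("IDIOT", "An article")])
    conn.commit()
    return conn


def get_article_vulnerable(conn, article_id):
    """The flawed pattern behind article.php?id=: the parameter is pasted into
    the SQL text, so a quote in the input is parsed as SQL and breaks the statement."""
    sql = f"SELECT title FROM articles WHERE id = '{article_id}'"
    return conn.execute(sql).fetchone()


def get_article_safe(conn, article_id):
    """The fix: a bound parameter. The driver passes the value to the engine
    separately from the SQL text, so a quote is just a character in the lookup key."""
    return conn.execute("SELECT title FROM articles WHERE id = ?", (article_id,)).fetchone()


def probe(fetch, article_id):
    """Run the tutorial's single-quote test against one implementation.
    Returns ('ok', row) when the query parses and ('sql-error', message) when it
    does not; an error message leaking to the page is what the tutorial watches for."""
    conn = make_db()
    try:
        return ("ok", fetch(conn, article_id))
    except sqlite3.OperationalError as exc:
        return ("sql-error", str(exc))
    finally:
        conn.close()


if __name__ == "__main__":
    for name, fetch in (("vulnerable", get_article_vulnerable), ("safe", get_article_safe)):
        for value in ("IDIOT", "IDIOT'"):
            print(name, repr(value), probe(fetch, value))
```

The vulnerable version answers the plain id normally and raises a syntax error on the quoted one (SQLite words it as an unrecognized token, MySQL as the message quoted above); the parameterized version answers both without error, simply finding no row for the quoted key. Parameterization is the fix that removes the flaw sqlmap would otherwise find; hiding the error message alone only removes one symptom.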
There are multiple ways to use SQLmap. You can add proxies and do many other things. I'll only teach you the basics, so you can get an understanding of how the actual tool works. You can always do your own research to build your knowledge. We're going to write this:
sqlmap -u http://kevinmark.com/article.php?id=IDIOT --dbs
(--dbs stands for databases.)
We're exploiting our target using SQL injection. It has run those tests. Just read carefully: sometimes errors can appear, and other times you will need to answer yes/no to continue with more tests, or end the tests if the target isn't vulnerable or isn't vulnerable to that method. Please NOTE: it's not only for PHP. This works for ASP, ASPX, you name it. Now we have retrieved two databases from this site. One database is information_schema and the other one is kevinmark_db. Time to get the tables, so we can dig into what we actually want to retrieve from our target. We'll now type:
sqlmap -u http://kevinmark.com/article.php?id=IDIOT -D kevinmark_db --tables
Okay! So far, so good. We have retrieved a bunch of stuff. This includes some things we cannot use: articles, photo albums and the like. What we could use here are: users, admin and customers_payment, for example. Our target has all the users here, including admins, and inside customers_payment there might be credit cards stored! BAD! We'll check the columns inside each table. We're going to start with users. Type the following:
sqlmap -u http://kevinmark.com/article.php?id=IDIOT -D kevinmark_db -T users --columns
(-T stands for table.) To increase the speed, you can add --threads 5 after --columns.
We retrieved a lot of stuff, including emails, usernames, passwords and personal details like full name, last name, etc. As I've said previously, passwords might be encrypted, as most are. These are most likely MD5, but other times it can be another form. We're now going to the dump part. We've seen what we want and are going to take the last step in our small project here. BTW, it all depends on what you want to start with. Most people would start with admin, since it'll give you the chance to access the admin panel, which can be found by Google dorking, a manual check or a scan.
Pay attention if you administer a website. Your users trust you very much to have good, strong security. Even if your user database gets dumped and the evil attacker chooses to share it, you might say "the passwords are encrypted." It doesn't change the fact that personal information still got "hacked", including email, password and other information. It would be very bad for your reputation. Your users might have a hard time actually trusting you in the future!
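Since the tutorial notes that dumped password columns are usually plain MD5, here is an added example (my own code, not the tutorial's or sqlmap's) of what that storage format gives away compared with a salted, slow password hash. The usernames and passwords are constructed, and the PBKDF2 iteration count is an assumed work factor you would tune to your own hardware. The point the paragraph above makes, that "encrypted" is not a reassurance, is visible in the duplicate_groups() result: with unsalted MD5, every pair of users who share a password has the same stored value, which a salted scheme hides.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor for PBKDF2-SHA256; raise it as hardware allows


def md5_record(password):
    """What the tutorial says a dumped users table usually holds: unsalted MD5."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def pbkdf2_record(password, salt=None, iterations=ITERATIONS):
    """Salted, deliberately slow hash, stored as one self-describing string
    so the parameters can be raised later without a schema change."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password, record):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def duplicate_groups(records):
    """Group usernames whose stored value is identical. With unsalted MD5 every
    shared password forms a group; with per-user salts no group appears."""
    groups = {}
    for user, value in records.items():
        groups.setdefault(value, []).append(user)
    return [sorted(users) for users in groups.values() if len(users) > 1]


# Constructed sample accounts, not data from the tutorial's target.
SAMPLE_USERS = {"alice": "hunter2", "bob": "hunter2", "carol": "correct horse"}

if __name__ == "__main__":
    md5_table = {u: md5_record(p) for u, p in SAMPLE_USERS.items()}
    pbkdf2_table = {u: pbkdf2_record(p) for u, p in SAMPLE_USERS.items()}
    print("MD5 duplicates:", duplicate_groups(md5_table))
    print("PBKDF2 duplicates:", duplicate_groups(pbkdf2_table))
    print("login check:", pbkdf2_verify("hunter2", pbkdf2_table["alice"]))
```

A dedicated password hash (bcrypt, scrypt or Argon2 via a library) is the usual production choice; PBKDF2 is used here only because it ships in the Python standard library. Either way, the salt defeats the shared-value leak shown above and the work factor makes each guess against a dumped table expensive.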
Let's continue. We ended on the dump part and saw that, inside the table "users," we had email, username, password, etc. Type the following:
sqlmap -u http://kevinmark.com/article.php?id=IDIOT -D kevinmark_db -T users -C email,username,password --dump --threads 5
(The C means columns.)
We could also, instead of adding each column name, simply do it like this: -D kevinmark_db -T users --dump --threads 5
(That will just dump the whole table.)
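The sequence above (a quote probe that triggers a server error, then a burst of requests carrying UNION SELECT and information_schema references from one client) is also what the run looks like from the web server's side. The following is an added example, not part of the tutorial and not sqlmap's code: a small Python detector that parses Apache combined-format access log lines and flags the signals this walkthrough would leave behind. The log lines are constructed; the user-agent string is modelled on sqlmap's default, which begins with "sqlmap/", and the IP addresses are documentation ranges.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus, urlsplit

# Constructed sample lines in Apache "combined" log format, not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /article.php?id=IDIOT HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /article.php?id=IDIOT' HTTP/1.1" 500 311 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:56:01 +0000] "GET /article.php?id=IDIOT%27%20AND%201%3D1 HTTP/1.1" 200 5123 "-" "sqlmap/1.7 (https://sqlmap.org)"
203.0.113.7 - - [10/Oct/2023:13:56:02 +0000] "GET /article.php?id=IDIOT%27%20UNION%20ALL%20SELECT%20NULL%2Ctable_name%20FROM%20information_schema.tables%20--%20- HTTP/1.1" 200 6001 "-" "sqlmap/1.7 (https://sqlmap.org)"
198.51.100.2 - - [10/Oct/2023:13:57:10 +0000] "GET /article.php?id=42 HTTP/1.1" 200 4811 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Markers of the enumeration steps the tutorial walks through (UNION SELECT,
# information_schema, boolean conditions, a quote followed by a keyword).
PAYLOAD_RE = re.compile(
    r"union\s+(all\s+)?select|information_schema|\band\s+\d+\s*=\s*\d+|'\s*(or|and)\b",
    re.IGNORECASE,
)


def parse_line(line):
    """Split one combined-format line into fields; query string is URL-decoded."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["query"] = unquote_plus(urlsplit(entry["target"]).query)
    return entry


def reasons_for(entry):
    """Per-request signals; an empty list means nothing suspicious."""
    reasons = []
    if entry["ua"].lower().startswith("sqlmap"):
        reasons.append("sqlmap default user-agent")
    if PAYLOAD_RE.search(entry["query"]):
        reasons.append("sqli payload in query string")
    if "'" in entry["query"] and entry["status"] >= 500:
        reasons.append("quote probe caused a server error")
    return reasons


def analyse(log_text, burst_threshold=3):
    """Aggregate per client: only clients with at least one flagged request are reported,
    and a client with many requests (sqlmap's --threads makes bursts) gets a volume note."""
    per_ip = defaultdict(lambda: {"requests": 0, "flagged": 0, "reasons": set()})
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        stats = per_ip[entry["ip"]]
        stats["requests"] += 1
        reasons = reasons_for(entry)
        if reasons:
            stats["flagged"] += 1
            stats["reasons"].update(reasons)
    report = {}
    for ip, stats in per_ip.items():
        if not stats["flagged"]:
            continue
        if stats["requests"] >= burst_threshold:
            stats["reasons"].add(f"{stats['requests']} requests from one client")
        report[ip] = {"requests": stats["requests"], "flagged": stats["flagged"],
                      "reasons": sorted(stats["reasons"])}
    return report


if __name__ == "__main__":
    for ip, info in analyse(SAMPLE_LOG).items():
        print(ip, info)
```

The user-agent check is the weakest of the three signals, since that header is trivially changed; the decoded-payload match and the quote-plus-5xx pairing survive that and are worth alerting on in their own right. Logging the full query string (many default configurations do) is what makes this detection possible at all.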
What have you learned so far? You've learned the basics of SQLmap. There's so much more you can do besides that. You can check out all commands for sqlmap by typing sqlmap -h, which means sqlmap help. I have uploaded a pastebin with all commands here: pastebin
Don't forget to check out my other contributions!