1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Hacking a Website using SQLMAP in Kali Linux

  1. Cyber Guide

    Cyber Guide Moderator Staff Member

    Messages:
    26
    Likes Received:
    10
    Trophy Points:
    8
    Joined
    Apr 26, 2017
    In this post we will learn how to hack a database of a website using SqlMap in Kali Linux. Before starting the main process you should have following items:

    • A working Kali Linux System Installed in your system.
    • A list of Google Dorks which are used to find Vulnerable Websites. You can find some website here l33tmir
    • Most important thing you need in Patience.
    Hacking a Website using SQLMAP
    Use the Following steps to Start:

    1. Boot into your Kali Linux Machine. Start the terminal and type-


    CODE (open)
    sqlmap -h


    2.It lists the basic commands that are supported by SqlMap. To start with, we'll execute a simple command
    sqlmap -u <URL to inject>. In our case, it will be-

    CODE (open)


    3.Sometimes, using the --time-sec helps to speed up the process, especially when the server responses are slow.

    CODE (open)


    4. Either ways, when sqlmap is done, it will tell you the Mysql version and some other useful information about the database

    [​IMG]

    Note: Depending on a lot of factors, sqlmap my sometimes ask you questions which have to be answered in yes/no. Typing y means yes and n means no. Here are a few typical questions you might come across-
    • Some message saying that the database is probably Mysql, so should sqlmap skip all other tests and conduct mysql tests only. Your answer should be yes (y).
    • Some message asking you whether or not to use the payloads for specific versions of Mysql. The answer depends on the situation. If you are unsure, then its usually better to say yes.




    Enumeration
    Database

    In this step, we will obtain database name, column names and other useful data from the database.[​IMG]

    So first we will get the names of available databases. For this we will add --dbs to our previous command. The final result will look like -

    CODE (open)


    [​IMG]

    So the two databases are acuart and information schema.

    Table

    Now we are obviously interested in acuart database. Information schema can be thought of as a default table which is present on all your targets, and contains information about structure of databases, tables, etc., but not the kind of information we are looking for. It can, however, be useful on a number of occasions. So, now we will specify the database of interest using -D and tell sqlmap to enlist the tables using --tables command. The final sqlmap command will be-

    CODE (open)


    The result should be something like this -
    Database: acuart
    [8 tables]
    +-----------+
    | artists |
    | carts |
    | categ |
    | featured |
    | guestbook |
    | pictures |
    | products |
    | users |
    +-----------+
    Now we have a list of tables. Following the same pattern, we will now get a list of columns.

    Columns
    Now we will specify the database using -D, the table using -T, and then request the columns using --columns. I hope you guys are starting to get the pattern by now. The most appealing table here is users. It might contain the username and passwords of registered users on the website (hackers always look for sensitive data).
    The final command must be something like-
    CODE (open)
    sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 -D acuart -T users --columns


    [​IMG]

    The result would resemble this-
    [​IMG]

    Data

    Now, if you were following along attentively, now we will be getting data from one of the columns. While that hypothesis is not completely wrong, its time we go one step ahead. Now we will be getting data from multiple columns. As usual, we will specify the database with -D, table with -T, and column with -C. We will get all data from specified columns using --dump. We will enter multiple columns and separate them with commas. The final command will look like this.

    CODE (open)
    sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 -D acuart -T users -C email,name,pass --dump


    [​IMG]

    Here's the Result:

    [​IMG]

    John Smith, of course. And the password is test. Email is [email protected]?? Okay, nothing great, but in the real world web pentesting, you can come across more sensitive data. Under such circumstances, the right thing to do is mail the admin of the website and tell him to fix the vulnerability ASAP. Don't get tempted to join the dark side. You don't look pretty behind the bars. That's it for this tutorial. Try to look at other columns and tables and see what you can dig up.

    [​IMG]
     
    Last edited: May 9, 2017

Share This Page