Monday, March 31, 2014

Hacking Website with Sqlmap in Kali Linux

A screenshot from the sqlmap official website
In the previous tutorial, we hacked a website using nothing but a simple browser on a Windows machine. It was a pretty clumsy method, to say the least. However, knowing the basics is necessary before we move on to the advanced tools. In this tutorial, we'll be using Kali Linux (see the top navigation bar to find out how to install it if you haven't already) and sqlmap (which comes preinstalled in Kali) to automate what we did by hand in the Manual SQL Injection tutorial.

It is recommended that you go through the above tutorial once so that you get an idea of how to find vulnerable sites. In this tutorial we'll skip the first few steps, in which we find out whether a website is vulnerable or not, since we already know from the previous tutorial that this website is vulnerable.

Kali Linux

First off, you need to have Kali Linux (or BackTrack) up and running on your machine. Any other Linux distro might work, but you'll need to install sqlmap on your own. If you don't have Kali Linux installed, you might want to go to this page, which will get you started: Beginner Hacking Using Kali Linux.

Sqlmap

Basically, it's just a tool to make SQL injection easier. The official website introduces the tool as: "sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections."
A lot of features are listed on the sqlmap website, the most important being: "Full support for MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase and SAP MaxDB database management systems." That's basically all the common database management systems. Most of the time you'll never come across anything other than MySQL.

Hacking Websites Using Sqlmap in Kali linux

SQL Version

Boot into your Kali Linux machine. Start a terminal and type:
sqlmap -h
It lists the basic options supported by sqlmap. To start with, we'll execute a simple command,
sqlmap -u <URL to inject>. In our case, it will be:
sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1
Sometimes the --time-sec option helps, especially when the server's responses are slow; it sets the number of seconds sqlmap waits for a delayed response in time-based blind tests.
sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 --time-sec 15
Either way, when sqlmap is done, it will tell you the MySQL version and some other useful information about the database.
The final result of the above command should be something like this.
Note: Depending on a lot of factors, sqlmap may sometimes ask you questions which have to be answered with yes/no. Typing y means yes and n means no. Here are a few typical questions you might come across:
  • A message saying that the database is probably MySQL, and asking whether sqlmap should skip all other tests and conduct MySQL tests only. Your answer should be yes (y).
  • A message asking whether or not to use the payloads for specific versions of MySQL. The answer depends on the situation. If you are unsure, it's usually better to say yes.

Enumeration

Database

In this step, we will obtain the database name, column names and other useful data from the database.
List of a few common enumeration commands
So first we will get the names of the available databases. For this we will add --dbs to our previous command. The final command will look like:
sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 --dbs
So the two databases are acuart and information_schema.

Table

Now we are obviously interested in the acuart database. information_schema can be thought of as a built-in schema which is present on all your MySQL targets, and contains information about the structure of databases, tables, etc., but not the kind of information we are looking for. It can, however, be useful on a number of occasions. So now we will specify the database of interest using -D and tell sqlmap to list the tables using the --tables option. The final sqlmap command will be:
sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 -D acuart --tables
The result should be something like this:
Database: acuart
[8 tables]
+-----------+
| artists   |
| carts     |
| categ     |
| featured  |
| guestbook |
| pictures  |
| products  |
| users     |
+-----------+
Now we have a list of tables. Following the same pattern, we will now get a list of columns.

Columns

Now we will specify the database using -D, the table using -T, and then request the columns using --columns. I hope you guys are starting to get the pattern by now. The most appealing table here is users. It might contain the usernames and passwords of registered users on the website (hackers always look for sensitive data).
The final command will be something like:
sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 -D acuart -T users --columns
The result would resemble this:

Data

If you were following along attentively, you'd expect that we will now get data from one of the columns. While that's not completely wrong, it's time to go one step further: we will get data from multiple columns. As usual, we will specify the database with -D, the table with -T, and the columns with -C. We will get all the data from the specified columns using --dump. We can enter multiple columns and separate them with commas. The final command will look like this:
sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 -D acuart -T users -C email,name,pass --dump
Here's the result:
John Smith, of course. And the password is test. Email is email@email.com?? Okay, nothing great, but in real-world web pentesting you can come across more sensitive data. Under such circumstances, the right thing to do is mail the admin of the website and tell him to fix the vulnerability ASAP. Don't get tempted to join the dark side. You don't look pretty behind bars. That's it for this tutorial. Try to look at other columns and tables and see what you can dig up. Take a look at the previous tutorial on Manual SQL Injection, which will help you find more interesting vulnerable sites.
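As an added example (not part of the original tutorial, and not code from the sqlmap project), here is the defender's view of the walk above: a small Python script that parses Apache combined-format access-log lines and flags the traces an unmodified sqlmap run leaves behind, namely its default User-Agent and the boolean-based, time-based and UNION payloads it sends in the cat parameter. The log lines, IP addresses and User-Agent strings are constructed samples.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache combined-format access-log lines (sample data, not real traffic);
# 203.0.113.9 plays the sqlmap user walking listproducts.php?cat=1 as in the tutorial.
SAMPLE_LOG = """\
203.0.113.7 - - [31/Mar/2014:10:01:12 +0000] "GET /listproducts.php?cat=1 HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/28.0"
203.0.113.9 - - [31/Mar/2014:10:02:03 +0000] "GET /listproducts.php?cat=1%20AND%201%3D1 HTTP/1.1" 200 5123 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
203.0.113.9 - - [31/Mar/2014:10:02:04 +0000] "GET /listproducts.php?cat=1%20AND%20SLEEP%2815%29 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.9 - - [31/Mar/2014:10:02:05 +0000] "GET /listproducts.php?cat=-1%20UNION%20SELECT%20table_name%2Cnull%20FROM%20information_schema.tables HTTP/1.1" 200 7011 "-" "Mozilla/5.0"
203.0.113.5 - - [31/Mar/2014:10:03:00 +0000] "GET /listproducts.php?cat=2 HTTP/1.1" 200 4020 "-" "Mozilla/5.0 (X11; Linux x86_64)"
"""

# Combined log format: ip ident user [time] "method path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Fragments left in the query string by sqlmap's boolean-based, time-based and UNION techniques.
PAYLOAD_RE = re.compile(
    r"\bAND\b\s+\d+\s*=\s*\d+|\bSLEEP\s*\(|\bBENCHMARK\s*\(|\bUNION\b.+?\bSELECT\b|information_schema",
    re.I,
)

def classify(line):
    """Parse one log line; return {ip, query, reasons} or None if it is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = unquote_plus(m.group("path").partition("?")[2])  # decode %20, + and %3D before matching
    reasons = []
    if "sqlmap" in m.group("ua").lower():          # default User-Agent of an unmodified sqlmap run
        reasons.append("sqlmap user-agent")
    hit = PAYLOAD_RE.search(query)
    if hit:
        reasons.append("sqli payload: " + hit.group(0))
    return {"ip": m.group("ip"), "query": query, "reasons": reasons}

def scan(log_text):
    """Every request that trips at least one rule."""
    return [r for r in map(classify, log_text.splitlines()) if r and r["reasons"]]

def flagged_ips(log_text, threshold=2):
    """Sources with `threshold` or more flagged requests: one odd query may be noise,
    a burst from a single address is the version/dbs/tables/columns walk above."""
    counts = {}
    for r in scan(log_text):
        counts[r["ip"]] = counts.get(r["ip"], 0) + 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)
```

Changing the User-Agent hides only the first rule; the payload patterns in the query string survive that, which is why the script checks both.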

37 comments:

  1. hey saswat it seems you have moved to a new domain I don't see the blogspot in your url and it's .tk domain so can you let me know how to migrate to .tk domain...I want to move it there too

  2. nice articles...keep publishing...i will recommend your website in my youtube channel...i liked it very much

  3. good :) hack the planet *_*

  4. Can someone please revert the SQL data back to something other than Spanish profanities

    Thank you though :) Nice tutorial!!

    Replies
    1. No longer like that... Now full of redirects to shady pr0n sites. Won't be demonstrating this one at school...

  5. see the real hacking of admin of a website using SQL map
    It's better to see than to read and do. so click on
    https://www.youtube.com/watch?v=72Gi1oDkHdM

  6. thanx bro teach more tutorial!........ i am waiting,,,

  7. Why don't you teach the users advanced levels of Sql Map? Anyways this was the simplest and the best tutor i have ever seen Greets _ Alainhacker.CoM CreW !

  8. Do you want to tell us that "We should try to be WHITE HAT HACKER not BLACK HAT HACKER"

  9. --time-sec 15
    Could you please tell what this does? :)

  10. WoW!
    Very nice tutorial , i like this website.

  11. Hi any can make a video how to hack this website sopranonline.ddns.net ..

  12. Fantastic stuff. Ran a check on a couple of websites and managed to find their entire subscribers list. I know nothing too serious but messaged them to inform them of the issues with their SQL being injectable.

  13. if password is in this form 2384h2h2dfccd922fcs8oo2pv ?

  15. It's a hashed password. Crack it with online cracking sites like crackstation

  16. the user and password column is empty when i try it on my website so please can you help me with that gap.

    thank you.

  17. Hello!

    I'm not looking to hack a site. I'm looking to test if my website's company is vulnerable.

    So, I'm a little lost 'cause I can't find which commands to use.

    Probably my website's company is secure, but for compliance issues, I have to execute a sql injection test in order to report if the website is secure or not.

    Where can I begin?

    Replies
    1. Kali Linux official website, look at pentesting

  18. What do i do if a website does not have any sql vulnerability. I want to hack a website without sqlmap. I have tried it but it did not work

    Replies
    1. =>If Website is not Vulnerable to Sql Injections,Try This

      https://www.owasp.org/index.php/Blind_SQL_Injection

  19. =>Excellent job !Works Complete successfully
    =>Thanks BRO

  20. Nice tutorial. Hacking with kali is more advanced than any other like sql injection..etc
    A new version of kali is now available, better try it !!

  21. Cool job you're doing in here bro 9ice tutorials i invited you to chat on google hangout. Thanks

  23. when i tried the sqlmap -u http://www.target.com. --time-sec 15 command against it i got this warning GET parameter 'ID' is not injectable.

    Replies
    1. That is because target.com is not vulnerable to an SQL injection. the url needs to have .php?= or something close to that

  25. Does anyone know how to bypass firewall of a website and then hack it?? Like the websites that have WAF or IPS/

  26. I did what you just instructed and I am able to get the admin access. However, I have a question, how I will get the complete database? and how I will be able to extract on my computer?


© Kali Tutorials, 2016. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Shashwat Chaudhary and Kali Tutorials with appropriate and specific direction to the original content.