Hello all users, today I found a very good tutorial on database hacking and going it to share with you how to use Sqlmap, which is included in Backtrack. I share it as it is. Hope you will find it useful.
What do we need:
Download the GNOME version that suits your OS.
It doesn't matter if you choose to download the VMWare image or the ISO.
Create a new virtual machine in VMW and put the settings at your liking.
Note :- By default, your network connection is not bridged over to your virtual machine. So at the settings you can either bridge the network connection, or duplicate the state of the physical machine. Take the last option, it gives us what we need: A working network connection.
Now start Backtrack, boot in text-mode (just hit enter it's the first option). And when it asks you to type something in, type in 'startx'. Backtrack will now boot and you will get a UI, which is nice :)
To check if we indeed have a working network connection you can either open Firefox, which is under the tab 'Internet', or WCID Network manager. I prefer the 2nd option, since we're gonna need it in case we do not have a internet connection. If all goes well and you've chosen to open Firefox, you should see the default firefox welcome page. If you've opened WCID, check what it says at the bottom of the window. If it says 'connected to wired network IP', we're good to go. If not, hit the connect button and see if that fixes your problem. It most likely will.
Before we start
Keep in mind that Sqlmap's purpose is for web developers/website security to check if a database is save against SQL Injections. It's a pentest tool (Penetration testing tool). But for the most part I believe it's being used to take over Databases. I, nor the creators of sqlmap are accountable for anything you do when following this tutorial. Just don't try Sony or Facebook etc...
What are SQL Injections?
We've all filled in a form on a website. (When you registered on this website, you filled in a form) Every form is being send to a PHP/ASP script, where the server goes to work. When a website's measures against injections is weak (or not there at all), sqlmap will help you get into their database. You see, imagine going to a website and there's a search option. When a user types something in there, that information is sent to a script, and the script will search in the database if it can come up with anything that matches your search criteria. But what if you put a SQL command in the search bar? As I said, if there's no security, you can pretty much run ANY command you want. And that's were SQLMap comes in, it checks if the website is vulnerable, and you can also do automated queries.
What does SQLMap do to check if a website is vulnerable?
It does requests to websites by altering the GET parameters. For example:
example.com/members.php?id=10&orderby=ascSQLMap will check if the id and orderby parameters are vulnerable.
How can I quickly check if a website might be vulnerable?
Sometimes, by adding a aphostrophe (') at the end of a parameter, or as the parameters value, you will get an error, something along the lines of:
You have an error in your sql syntax near line blablabla. When that happens, you know the website's database is pretty much yours to be taken. You can do alot more than just an aphostrophe, but let's keep it simple shall we :)
Let's start using SQLMap already! ^^
Today I will have a random website's database using SQLMap. I will black out the name of the website so none of you does any harm to it because of me showing the address ^^ I've never run any DELETE commando's on a website.
In Backtrack, the sqlmap tool is located under the following category:
Click on image to enlarge
If you've found your slave, put in the following line:
If you've found your slave, put in the following line:
python sqlmap.py -u LINK HEREAnd hit enter. SQLMap will now test the parameters at it's lowest level. You can set the level with the --level parameter. Example:
python sqlmap.py -u LINK HERE --level 3It will simply test more queries. The highest level is 5. It takes a long time on level 5 though.
If sqlmap says a parameter is vulnerable, you can either stop to add in more commands, or test the remains of queries it wants to do. Just hit n->enter. We've found a way in.
Here comes the fun part. Now that we're in, we can run all kinds of commands. I personally think it's fun to see what tables there are. Pressing arrow key up will bring up your last command. Simply add --tables. The database I cracked has an immense amount of tables, I quit the action by pressin CTRL+Z (Undo).
Click on image to enlarge
If sqlmap says a parameter is vulnerable, you can either stop to add in more commands, or test the remains of queries it wants to do. Just hit n->enter. We've found a way in.
Here comes the fun part. Now that we're in, we can run all kinds of commands. I personally think it's fun to see what tables there are. Pressing arrow key up will bring up your last command. Simply add --tables. The database I cracked has an immense amount of tables, I quit the action by pressin CTRL+Z (Undo).
You can specify which table you want to 'dump'. So lets say there's a table called 'users' and you want to see the content:
python sqlmap.py -u www.example.com/example.php?id=whatever -T users --dump --threads 10The -T parameter specifys the table. --dump will print it on screen and save it to a file. --threads is interesting. SQLMap works with 1 thread by default. Retrieving info with multiple threads is much faster. You can go up to 10 threads, so I suggest going full throttle!
Note: Websites often have multiple databases, there's always an information_schema. To help SQLMap, I always specify which database SQLMap has to enumerate. We do so by adding the -D parameter:
Note: Websites often have multiple databases, there's always an information_schema. To help SQLMap, I always specify which database SQLMap has to enumerate. We do so by adding the -D parameter:
python sqlmap.py -u www.example.com/example.php?id=whatever -D database -T users --dump --threads 10We can even specify which column to dump! So let's say we found a table with user information which contains a column named 'email', we can dump only those records by doing this:
python sqlmap.py -u www.example.com/example.php?id=whatever -T users -C email --dump --threads 10The -C parameter specifys which column to dump.
Now there's alot more we can with SQLMap. If stacked queries are supported, you can even run SQL Queries. Try running a simple SQL command:
python sqlmap.py -u www.example.com/example.php?id=whatever --sql-query "SELECT * FROM users" --dump --threads 10The --sql-query parameter lets you run a sql command.
Translates:
Select all from the table 'users'.
You can always type in the following to see the help file:
Translates:
Select all from the table 'users'.
You can always type in the following to see the help file:
python sqlmap.py --helpTry playing around with all the commands. If you wish to remain anonymous, use the --proxy parameter. For example:
python sqlmap.py -u www.example.com/example.php?id=whatever --proxy ip:portI hope this was helpful :)
Let me know what you think, and if you think I should add/explain anything.
P.s. English is not my first language so sorry if there's any grammar/spelling errors.
Author/Writer of this post - Tim
Would love to here from you...