Use Sqlmap Sql Injection to hack a website and database in Kali Linux
SQL injection is a code injection technique, used to attack data driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker). Sql Injection must exploit a security vulnerability in an application’s software, for example, when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL databases. In this guide I will show you how to SQLMAP SQL Injection on Kali Linux to hack a website (more specifically Database) and extract usernames and passwords on Kali Linux.
What is SQLMAP
sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.
Features
- Full support for MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase and SAP MaxDB database management systems.
- Full support for six SQL injection techniques: boolean-based blind, time-based blind, error-based, UNION query, stacked queries and out-of-band.
- Support to directly connect to the database without passing via a SQL injection, by providing DBMS credentials, IP address, port and database name.
- Support to enumerate users, password hashes, privileges, roles, databases, tables and columns.
- Automatic recognition of password hash formats and support for cracking them using a dictionary-based attack.
- Support to dump database tables entirely, a range of entries or specific columns as per user’s choice. The user can also choose to dump only a range of characters from each column’s entry.
- Support to search for specific database names, specific tables across all databases or specific columns across all databases’ tables. This is useful, for instance, to identify tables containing custom application credentials where relevant columns’ names contain string like name and pass.
- Support to download and upload any file from the database server underlying file system when the database software is MySQL, PostgreSQL or Microsoft SQL Server.
- Support to execute arbitrary commands and retrieve their standard output on the database server underlying operating system when the database software is MySQL, PostgreSQL or Microsoft SQL Server.
- Support to establish an out-of-band stateful TCP connection between the attacker machine and the database server underlying operating system. This channel can be an interactive command prompt, a Meterpreter session or a graphical user interface (VNC) session as per user’s choice.
- Support for database process’ user privilege escalation via Metasploit’s Meterpreter getsystem command.
[Source: www.sqlmap.org]
Be considerate to the user who spends time and effort to put up a website and possibly depends on it to make his days end. Your actions might impact someone is a way you never wished for. I think I can’t make it anymore clearer.
So here goes:
Contents [hide]
- What is SQLMAP
- Features
- Step 1: Find a Vulnerable Website
- Step 1.a: Google Dorks strings to find Vulnerable SQLMAP SQL injectable website
- Step 1.b: Initial check to confirm if website is vulnerable to SQLMAP SQL Injection
- Microsoft SQL Server
- MySQL Errors
- Oracle Errors
- PostgreSQL Errors
- Step 2: List DBMS databases using SQLMAP SQL Injection
- Step 3: List tables of target database using SQLMAP SQL Injection
- Step 4: List columns on target table of selected database using SQLMAP SQL Injection
- Step 5: List usernames from target columns of target table of selected database using SQLMAP SQL Injection
- Step 6: Extract password from target columns of target table of selected database using SQLMAP SQL Injection
- Step 7: Cracking password
- Step 7.a: Identify Hash type
- Step 7.b: Crack HASH using cudahashcat
- Conclusion
- To share or not to share! Well, just share then!!
- Related
Step 1: Find a Vulnerable Website
This is usually the toughest bit and takes longer than any other steps. Those who know how to use Google Dorks knows this already, but in case you don’t I have put together a number of strings that you can search in Google. Just copy paste any of the lines in Google and Google will show you a number of search results.
Step 1.a: Google Dorks strings to find Vulnerable SQLMAP SQL injectable website
This list a really long.. Took me a long time to collect them. If you know SQL, then you can add more here.. Put them in comment section and I will add them here.
| Google Dork string Column 1 | Google Dork string Column 2 | Google Dork string Column 3 |
|---|---|---|
| inurl:item_id= | inurl:review.php?id= | inurl:hosting_info.php?id= |
| inurl:newsid= | inurl:iniziativa.php?in= | inurl:gallery.php?id= |
| inurl:trainers.php?id= | inurl:curriculum.php?id= | inurl:rub.php?idr= |
| inurl:news-full.php?id= | inurl:labels.php?id= | inurl:view_faq.php?id= |
| inurl:news_display.php?getid= | inurl:story.php?id= | inurl:artikelinfo.php?id= |
| inurl:index2.php?option= | inurl:look.php?ID= | inurl:detail.php?ID= |
| inurl:readnews.php?id= | inurl:newsone.php?id= | inurl:index.php?= |
| inurl:top10.php?cat= | inurl:aboutbook.php?id= | inurl:profile_view.php?id= |
| inurl:newsone.php?id= | inurl:material.php?id= | inurl:category.php?id= |
| inurl:event.php?id= | inurl:opinions.php?id= | inurl:publications.php?id= |
| inurl:product-item.php?id= | inurl:announce.php?id= | inurl:fellows.php?id= |
| inurl:sql.php?id= | inurl:rub.php?idr= | inurl:downloads_info.php?id= |
| inurl:index.php?catid= | inurl:galeri_info.php?l= | inurl:prod_info.php?id= |
| inurl:news.php?catid= | inurl:tekst.php?idt= | inurl:shop.php?do=part&id= |
| inurl:index.php?id= | inurl:newscat.php?id= | inurl:productinfo.php?id= |
| inurl:news.php?id= | inurl:newsticker_info.php?idn= | inurl:collectionitem.php?id= |
| inurl:index.php?id= | inurl:rubrika.php?idr= | inurl:band_info.php?id= |
| inurl:trainers.php?id= | inurl:rubp.php?idr= | inurl:product.php?id= |
| inurl:buy.php?category= | inurl:offer.php?idf= | inurl:releases.php?id= |
| inurl:article.php?ID= | inurl:art.php?idm= | inurl:ray.php?id= |
| inurl:play_old.php?id= | inurl:title.php?id= | inurl:produit.php?id= |
| inurl:declaration_more.php?decl_id= | inurl:news_view.php?id= | inurl:pop.php?id= |
| inurl:pageid= | inurl:select_biblio.php?id= | inurl:shopping.php?id= |
| inurl:games.php?id= | inurl:humor.php?id= | inurl:productdetail.php?id= |
| inurl:page.php?file= | inurl:aboutbook.php?id= | inurl:post.php?id= |
| inurl:newsDetail.php?id= | inurl:ogl_inet.php?ogl_id= | inurl:viewshowdetail.php?id= |
| inurl:gallery.php?id= | inurl:fiche_spectacle.php?id= | inurl:clubpage.php?id= |
| inurl:article.php?id= | inurl:communique_detail.php?id= | inurl:memberInfo.php?id= |
| inurl:show.php?id= | inurl:sem.php3?id= | inurl:section.php?id= |
| inurl:staff_id= | inurl:kategorie.php4?id= | inurl:theme.php?id= |
| inurl:newsitem.php?num= | inurl:news.php?id= | inurl:page.php?id= |
| inurl:readnews.php?id= | inurl:index.php?id= | inurl:shredder-categories.php?id= |
| inurl:top10.php?cat= | inurl:faq2.php?id= | inurl:tradeCategory.php?id= |
| inurl:historialeer.php?num= | inurl:show_an.php?id= | inurl:product_ranges_view.php?ID= |
| inurl:reagir.php?num= | inurl:preview.php?id= | inurl:shop_category.php?id= |
| inurl:Stray-Questions-View.php?num= | inurl:loadpsb.php?id= | inurl:transcript.php?id= |
| inurl:forum_bds.php?num= | inurl:opinions.php?id= | inurl:channel_id= |
| inurl:game.php?id= | inurl:spr.php?id= | inurl:aboutbook.php?id= |
| inurl:view_product.php?id= | inurl:pages.php?id= | inurl:preview.php?id= |
| inurl:newsone.php?id= | inurl:announce.php?id= | inurl:loadpsb.php?id= |
| inurl:sw_comment.php?id= | inurl:clanek.php4?id= | inurl:pages.php?id= |
| inurl:news.php?id= | inurl:participant.php?id= | |
| inurl:avd_start.php?avd= | inurl:download.php?id= | |
| inurl:event.php?id= | inurl:main.php?id= | |
| inurl:product-item.php?id= | inurl:review.php?id= | |
| inurl:sql.php?id= | inurl:chappies.php?id= | |
| inurl:material.php?id= | inurl:read.php?id= | |
| inurl:clanek.php4?id= | inurl:prod_detail.php?id= | |
| inurl:announce.php?id= | inurl:viewphoto.php?id= | |
| inurl:chappies.php?id= | inurl:article.php?id= | |
| inurl:read.php?id= | inurl:person.php?id= | |
| inurl:viewapp.php?id= | inurl:productinfo.php?id= | |
| inurl:viewphoto.php?id= | inurl:showimg.php?id= | |
| inurl:rub.php?idr= | inurl:view.php?id= | |
| inurl:galeri_info.php?l= | inurl:website.php?id= |
Step 1.b: Initial check to confirm if website is vulnerable to SQLMAP SQL Injection
For every string show above, you will get huundreds of search results. How do you know which is really vulnerable to SQLMAP SQL Injection. There’s multiple ways and I am sure people would argue which one is best but to me the following is the simplest and most conclusive.
Let’s say you searched using this string
inurl:item_id= and one of the search result shows a website like this:http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15
Just add a single quotation mark
' at the end of the URL. (Just to ensure, " is a double quotation mark and ' is a single quotation mark).So now your URL will become like this:
http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15'
If the page returns an SQL error, the page is vulnerable to SQLMAP SQL Injection. If it loads or redirect you to a different page, move on to the next site in your Google search results page.
See example error below in the screenshot. I’ve obscured everything including URL and page design for obvious reasons.
Examples of SQLi Errors from Different Databases and Languages
Microsoft SQL Server
Server Error in ‘/’ Application. Unclosed quotation mark before the character string ‘attack;’.Description: An unhanded exception occurred during the execution of the current web request. Please review the stack trace for more information about the error where it originated in the code.
Exception Details: System.Data.SqlClient.SqlException: Unclosed quotation mark before the character string ‘attack;’.MySQL Errors
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /var/www/myawesomestore.com/buystuff.php on line 12Error: You have an error in your SQL syntax: check the manual that corresponds to your MySQL server version for the right syntax to use near ‘’’ at line 12
