  1. #1
    Solo

    ♥ Extracting Information Using SQLMAP ♥


    I've been away from MPGH for almost a year now, and I'm returning in hope of sharing the information I've gained in the field of hacking with my old buds. This tutorial was made by me originally for another site, but I felt like sharing it here would certainly benefit this section. If you have any questions/feedback, please post below. Enjoy!

    ♦NOTICE♦: Before reading this tutorial, it's STRONGLY encouraged that you at LEAST know how to perform a Union & String based SQL Injection. Always remember that a tool should never replace your mind.

    What is SQLMap?

    In short, SQLMap is an exploitation tool used for SQL Injections. It is coded in Python and is in a command line UI. It comes with a variety of extremely useful features, such as Tor integration. SQLMap is currently able to exploit the following SQL databases: MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, SQLite, Firebird, Sybase and SAP MaxDB. For more information on SQLMap, visit sqlmap: automatic SQL injection and database takeover tool

    Setting Up
    Before you can start exploiting, there are a few things that you should configure. As mentioned before, SQLMap has Tor integrated so you can stay anonymous. For a tutorial on setting up Tor with SQLMap, just visit Coresec.org – Information Security Blog » Stay invisible with SQLmap and TOR

    Because SQLMap is coded in Python, it's also recommended that you have either a Linux PC or virtual machine. You may be able to run it on Windows, but I'm not sure of this as I've never tried myself. If you don't have a Linux system I advise you to download BackTrack 5. BackTrack is Ubuntu 10.4 with many different pen-testing tools pre-installed, including SQLMap. This can be found here: Downloads

    The final and most obvious thing you'll need is a site vulnerable to SQLi.

    EXPLOITING!
    To get SQLMap ready for use in BackTrack, simply click on Applications --> BackTrack --> Exploitation Tools --> Web Exploitation Tools --> sqlmap
    If you're using another distro/version of Linux, I'm assuming you know how to cd into a directory.

    Now you're ready to start typing away. For this tutorial, I will just go through some of the basic commands that I use to exploit databases.

    Finding databases
    Like if we were doing this manually, we first must find the databases of the website that we want to inject. In my case I will be injecting FORZEN.

    To find the databases of a site simply enter the following command:
    Code:
    ./sqlmap.py -u your_vulnerable_link_here --dbs
    If you set up Tor, it would be the same exact thing except with --tor added. The same thing will go for the rest of the commands that I will use later on during the tutorial.
    Code:
    ./sqlmap.py -u your_vulnerable_link_here --tor --dbs

    Once you enter the command, SQLMap will begin testing various possible methods of SQLi, and choose the appropriate one for the site you are injecting. When it's done, you will be able to see your site's databases above the command line. In my case, I received one database (not counting information_schema).

    Finding Tables
    Now that we know which database we want to inject, we can start searching for its tables.

    To find the Tables of a site simply enter the following command:
    Code:
    ./sqlmap.py -u your_vulnerable_link_here -D your_database_here --tables

    When this command is executed, SQLMap will find the tables and print them in the log above the command line.

    Finding Columns
    First choose the table that you want to inject. In my case, I'll be injecting forzen_ysmember, as this is most likely the table which contains the admin login credentials.

    To find the Columns of a site simply enter the following command:
    Code:
    ./sqlmap.py -u your_vulnerable_site_here -D your_database_here -T your_table_here --columns

    This command will find the columns of your desired table and then once again print them above the command line.

    Final Step: Finding Data

    As this is the final step, we must incorporate all the information we have gathered before into our command. This includes a database, table, and column.

    To exploit Data from a site simply enter the following command:
    Code:
    ./sqlmap.py -u your_vulnerable_site_here -D your_database_here -T your_table_here -C your_column_here --dump

    When SQLMap is done, you will be able to see the Data from your column above the command line.

    If you're looking for the admin login, you'll have to do this with both the password column and the username column.

    Done

    Optional: Cracking hashes with SQLMap
    SQLMap also has the ability to crack hashes when it finds one. To do this, simply enter a command like you would normally, and if SQLMap finds a hash, it will ask you if you would like to crack it.

    Thanks for reading, I hope this helps some people here!
    Nipples
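
What the database, table and column enumeration in the post above looks like from the web server's side, as an added example that is not part of the original post: a small Python check that flags access-log lines carrying sqlmap's self-identifying User-Agent or schema-enumeration payloads in the query string. The log format (Combined Log Format), the rule names and every sample line are assumptions constructed for illustration; injection sent in POST bodies does not appear in access logs and needs application or WAF logging instead.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Combined Log Format: ip - - [time] "METHOD url PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" \d{3} \S+ "[^"]*" "([^"]*)"')

# Hypothetical rule names; patterns target the database/table/column enumeration stages.
RULES = {
    "schema-enumeration": re.compile(r"information_schema\.(schemata|tables|columns)", re.I),
    "union-select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
}

def classify(line):
    """Return (client_ip, set of rule names) for one log line, or None if unparseable."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ip, url, user_agent = m.groups()
    reasons = set()
    # sqlmap names itself in the User-Agent unless the operator overrides it.
    if "sqlmap" in user_agent.lower():
        reasons.add("sqlmap-user-agent")
    # parse_qsl URL-decodes each value, so %20-encoded payloads are matched too.
    for _, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        reasons.update(name for name, rx in RULES.items() if rx.search(value))
    return ip, reasons

def summarize(lines):
    """Map each flagged client IP to the sorted list of rules it triggered."""
    hits = {}
    for line in lines:
        result = classify(line)
        if result and result[1]:
            hits.setdefault(result[0], set()).update(result[1])
    return {ip: sorted(rules) for ip, rules in hits.items()}

# Constructed sample lines (documentation IP ranges, made-up paths and User-Agent version).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /item.php?id=1 HTTP/1.1" 200 512 "-" "sqlmap/1.7#stable (https://sqlmap.org)"',
    '198.51.100.9 - - [10/Oct/2023:13:56:02 +0000] "GET /item.php?id=1%20UNION%20ALL%20SELECT%20NULL%2Cschema_name%20FROM%20information_schema.schemata--%20- HTTP/1.1" 200 734 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [10/Oct/2023:13:57:10 +0000] "GET /item.php?id=42 HTTP/1.1" 200 498 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, rules in summarize(SAMPLE_LOG).items():
        print(ip, ", ".join(rules))
```

The payload rules match on request content rather than source address, so they still fire when the client's IP changes between requests, as it does with the --tor option mentioned in the post.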

  2. #2
    demonnator
    Nice tut, Really detailed and easy to understand.

    You know what you're talking about