Sqlmap For Dummies V2: by Theanonmatrix

This document provides an introduction to using the SQLMap tool for SQL injection attacks. It begins with requirements and setup instructions for SQLMap, covering installing proxychains or TOR for anonymity. It then discusses basic information gathering techniques like searching Google for SQL injection vulnerabilities. The document provides an overview of SQLMap commands for fingerprinting a site, selecting databases and tables, and dumping table contents. It aims to explain SQLMap usage for beginners in a tutorial format.

SQLMAP For Dummies v2 - TheAnonMatrix

[email protected]
Feel free to comment the doc and post questions.

SQLMAP For Dummies v2
U mad oldfags?

By TheAnonMatrix
http://www.twitter.com/TheAnonMatrix

Requirements
1. Tutorial Introduction
1.2 Disclaimer

2. Setting up for the tutorial
2.1 Proxychains
2.2 TOR

3. Information Gathering

4. Basic SQLMAP Introduction
4.1 Fingerprinting
4.2 Using SQLMAP to create a dump.
4.3 Level and Risk.

5. Output variations
5.1 Schema and Column
5.2 Other variations

6. Change Log

Todo:

1. Add Tips & Tricks along with other useful settings.
2. Add POST attacks using cookies and data.
3. Actually learn the OS X commands and find a red line in how it's done.
4. How to use Google dorks inside SQLMAP.
5. File uploading to the backend database/server.

Requirements

Recommended OS: Backtrack 5 R1
SQLMAP 1.0dev (r4690)
Metasploit (optional)
Proxychains (optional)
TOR (optional)

1. Tutorial Introduction

This tutorial is made for explaining the usage of SQLMAP for beginners. I do know there is something called documentation (you know that -h option?), but honestly: how much wouldn't you pay to have a nice tutorial explaining how the different options relate to one another for every program there is? People will argue that skids read this to do fucked up things on the Internet and help their epeen ego; I am just going to state that if skids manage to run sqlmap in a cmd (Windows) or terminal (Linux) they should be capable of learning this no matter what, which is why I am not explaining how to run Backtrack or any other Linux distro and telling them what to write in the CMD/Terminal... THAT would be helping skids.
Some shit about myself:
My nick is Matrix; you can mainly find me on AnonOps or other random IRCs as TheAnonMatrix.
I do got a social life.
My age is irrelevant.
Take the red pill.
Simple Python programmer.
I hate retarded questions... I mean retarded, not clever ones.
I play guitar.
I got a weird sense of humor.
I don't know everything, and would never ever claim to.

Now, I do consider myself a hacker for one sole reason: if you do manage to get a certain level of access to a place/system you shouldn't have, you are by my definition a hacker. Skids are just those retarded people who learn shit to show epeen and argue on what a hacker is.
Now, I do hope you enjoy my tutorial on SQLMap and care to add a comment on how much you love me if you find this interesting :)
Sharing is caring; the only thing I require is a source leading back to this site and credits to me, as I work my ass off to figure these things out and explain them.

Happy Hacking!

1.2 Disclaimer
I do not take any responsibility for what retarded people might manage with the information I write or state in this tutorial. This program was not meant to be used for illegal activities, but as a tool to check for vulnerabilities on your own website. Never use this tool or any other tools on a website you do not own. I am serious.

2. Setting up for the tutorial

So, to hide your ass I recommend two solutions: Proxychains or setting up TOR. Both use the TOR proxy but differ in how they are used. I am assuming you are using Backtrack 5 R1, thus I can skip some explanations. I do recommend using the --random-agent switch in SQLMAP; otherwise the User-Agent header shows it is SQLMAP, which is not a clever idea.

2.1 Proxychains

Proxychains is simple in use, as we can state whatever we wanna do after the program name. However, it does print a line for every connection we make. Using SQLMap this can pretty much cover the terminal with information you honestly don't need that much. So I prefer to remove it.

Open the proxychains configuration file, scroll down to and find quiet_mode, and make sure that line does not have a # in front of it. Fixed and ready to go!

2.2 TOR
(Because of some reports of TOR being fucked with SQLMAP, run TOR Check to verify it works and use at own risk. I however recommend using proxychains.)

First find /etc/apt/sources.list, open it and add

deb http://deb.torproject.org/torproject.org lucid main

Open the terminal and use these commands:

gpg --keyserver keys.gnupg.net --recv 886DDD89
gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add -

More commands, run as root:

apt-get update
apt-get install tor tor-geoipdb
apt-get install polipo

Start tor:
/etc/init.d/tor start

Grab a copy of this config file:

New link: http://www.pcfreak.net/files/polipo.conf

Go to /etc/polipo/config and replace the file with the one above. Restart polipo:
/etc/init.d/polipo restart
Congratz! Now you can run SQLMAP with TOR by using the --tor option!

3. Information Gathering

Finding a SQL vulnerability is as easy as it can get. Imagine we got this URL:

http://localhost/index.php?id=1337

An SQL injection is basically hoping the designer of the page was dumb enough to let something slip. Adding the ' sign behind the id variable in the URL would send an invalid request into the SQL database, and send back an error. How this error is handled might return us an error message on the website; this is what we want to see and what the admin wants to hide.

http://localhost/index.php?id=1337

Let's say we got lucky and found a vulnerability on this site. The error message could be displayed like this somewhere on the site:

You have an error in your SQL syntax; check the manual that corresponds to
your MySQL server version for the right syntax to use near '\' order by Sort
DESC Limit 0,12' at line 1

Sometimes even a change in the page would be enough. As long as it's not a 404 error, then you are doing it right.
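Why the stray quote produces that MySQL error, and why a correctly written page never does, is easiest to see side by side. The following is an added example and is not code from the tutorial or from any real site: a Python/sqlite3 stand-in for the tutorial's index.php, with the tables, rows and the `vulnerable_lookup`/`safe_lookup` function names all constructed here. The first function pastes the id into the SQL text (the mistake the tutorial relies on); the second binds it as a parameter, so the same input is treated as data.

```python
import sqlite3


def make_db():
    """Constructed sample table standing in for the tutorial's page backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?)",
                     [(1337, "hello"), (1, "home")])
    return conn


def vulnerable_lookup(conn, user_id):
    # The id value is spliced straight into the SQL text. A quote inside it
    # unbalances the string literal and the database rejects the statement,
    # which is exactly the error message the tutorial looks for.
    sql = ("SELECT title FROM pages WHERE id = '%s' "
           "ORDER BY title DESC LIMIT 0,12" % user_id)
    return [row[0] for row in conn.execute(sql)]


def safe_lookup(conn, user_id):
    # Parameterised query: the value travels separately from the statement,
    # so a quote in it can never change the statement's structure. An id that
    # is not a number simply matches nothing.
    sql = "SELECT title FROM pages WHERE id = ? ORDER BY title DESC LIMIT 0,12"
    return [row[0] for row in conn.execute(sql, (user_id,))]


def probe(conn, lookup, user_id):
    """Run one lookup and report ('ok', rows) or ('error', message)."""
    try:
        return ("ok", lookup(conn, user_id))
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    db = make_db()
    for value in ("1337", "1337'"):
        print("vulnerable", repr(value), probe(db, vulnerable_lookup, value))
        print("safe      ", repr(value), probe(db, safe_lookup, value))
```

On the normal input both functions return the same row; on the input with the trailing quote the string-built query fails with a syntax error (the sqlite wording differs from MySQL's, the cause is identical) while the parameterised one returns an empty result and leaks nothing about the query.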
Finding these kinds of URLs can be done in many ways; one way could be using Google. Yes, Google.
Type this into search:

inurl:index.php?id=

This would display pages only if they contain that in their URL, or somewhere on their webpage. There are tons of dorks, so you should find a list (http://pastebin.com/dfVwSDpN) and start googling your way!

Acunetix got an online webpage where you can test SQL injection. I challenge you to find the vulnerability, and use it as the test page during this tutorial!
http://testasp.vulnweb.com/

4. Basic SQLMAP Introduction

4.1 Fingerprinting

-u  The URL input

--fingerprint  Arg flag telling SQLMAP to do a fingerprint

--tor  Tells SQLMAP we want to use a TOR proxy

--random-agent  Tells SQLMAP we want a randomly selected agent in the header

--threads  Value: (1)-10. Adds multiple threads. Basically speeds up SQLMAP.

Doing a fingerprint on a website helps you determine what kind of backend system the website is running: database system, operating system and application technology. Please note that SQLMAP will already start looking for vulnerabilities in the page to fetch the information.
This could be our result:

4.2 Using SQLMAP to create a dump.

--dbs  Fetches the available databases.

-D  Selects one of the listed databases.

--tables  Fetches the tables in the database if specified with -D; if not, dumps all the tables. If a database has been used before, it will use that database.

-T  Fetches the entries inside the given table. Requires -D and --dump.

--dump  Dumps the given table, specified with -T.

--dump-all  Dumps everything inside -D; if it's not specified it will dump everything.

Now let's start getting serious! We have fingerprinted the server, finding the vulnerability in the process. Typing the above information should give us a result of databases. In our tutorial we will assume the system database information_schema is present. In theory, it could be everything from admin accounts to user information and forum posts.

As you can see, we got 2 databases (one is masked out for security reasons *cough*). information_schema is the one we want today! We now want to get the tables inside information_schema. This is done using the --tables option. Remember it does not matter where the options are placed in this case: -D can be in front of --tables and vice versa.
More talk later on the argument lineup and the way everything is processed.

As you can see above we got the tables inside the database information_schema. Nothing too interesting, but I guess we wanna look closer at the table VIEWS. Thus we select the database (-D information_schema) and the table we wanna see (-T VIEWS). Using -T we need to add an option telling SQLMAP we wanna dump it all to a text file, thus we use --dump.

And the result:

Note: I did cancel the dump because of the null values; there is nothing there.

Now, if we wanna skip doing all this shit and just get right to the dumping we could just use the --dump-all option and dump everything as it comes in order.

This sums up the basics of SQLMAP dumping, and now we will progress with some of the other options inside SQLMAP, for a better understanding of how we can do injections and dumping even better.

4.3 Level and Risk.
SQLMAP detects a lot of the common vulnerabilities by using the guide above. But what if you KNOW there is a vulnerability there, and SQLMAP is not detecting it? Then the --level and --risk switches should be used. The higher you set the level and risk switches, the more noise you will be creating; therefore if you actually apply these switches you should be behind a proxy or VPN for safety.

--level  Value: 1 to 5 (Default: 1)

--risk  Value: 0 to 3 (Default: 1)
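The user-agent remark in section 2 and the "more noise" remark just above describe the same thing from the other side of the wire: both the tool's default User-Agent and a burst of malformed id values are visible in the web server's access log. The following is an added example, not part of the tutorial: a small Python detector that reads constructed Apache/Nginx combined-format log lines and flags a client either by a tool user agent or by several injection-style query strings in a row. The log lines, the IP addresses, the sqlmap user-agent string and the threshold value are all constructed for this example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample access-log lines (combined format). The sqlmap user-agent
# text is an assumed form for the example, not copied from any real capture.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Feb/2012:20:01:01 +0100] "GET /index.php?id=1337 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"
10.0.0.9 - - [12/Feb/2012:20:02:10 +0100] "GET /index.php?id=1337%27 HTTP/1.1" 500 812 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
10.0.0.9 - - [12/Feb/2012:20:02:10 +0100] "GET /index.php?id=1337%20AND%201%3D1 HTTP/1.1" 200 5120 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
10.0.0.9 - - [12/Feb/2012:20:02:11 +0100] "GET /index.php?id=1337%20AND%201%3D2 HTTP/1.1" 200 4870 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
10.0.0.7 - - [12/Feb/2012:20:03:00 +0100] "GET /index.php?id=1337%27 HTTP/1.1" 500 812 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
10.0.0.7 - - [12/Feb/2012:20:03:00 +0100] "GET /index.php?id=1337%20AND%20SLEEP%285%29 HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
10.0.0.7 - - [12/Feb/2012:20:03:01 +0100] "GET /index.php?id=1337%20UNION%20SELECT%20NULL%2CNULL HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
"""

# One combined-format line: ip ident user [time] "method path proto" status size "referer" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Coarse signatures for the probe shapes the tutorial talks about: a stray
# quote, true/false boolean pairs, UNION-based and time-based requests.
PROBE_PATTERNS = [
    ("quote", re.compile(r"'")),
    ("boolean", re.compile(r"\b(?:AND|OR)\b\s+\d+\s*=\s*\d+", re.I)),
    ("union", re.compile(r"\bUNION\b.*\bSELECT\b", re.I)),
    ("time", re.compile(r"\b(?:SLEEP|BENCHMARK)\s*\(", re.I)),
]


def classify_request(path):
    """Return the probe-pattern names found in the URL-decoded query string."""
    query = unquote(path.partition("?")[2])
    return [name for name, pat in PROBE_PATTERNS if pat.search(query)]


def analyse(log_text, probe_threshold=3):
    """Map each alerting client IP to the list of reasons it was flagged.

    probe_threshold (assumed value) is how many injection-style requests from
    one IP are needed before the burst itself is reported.
    """
    per_ip = defaultdict(lambda: {"requests": 0, "probes": 0,
                                  "sqlmap_ua": False, "kinds": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        rec = per_ip[m["ip"]]
        rec["requests"] += 1
        if "sqlmap" in m["ua"].lower():
            rec["sqlmap_ua"] = True
        kinds = classify_request(m["path"])
        if kinds:
            rec["probes"] += 1
            rec["kinds"].update(kinds)

    alerts = {}
    for ip, rec in per_ip.items():
        reasons = []
        if rec["sqlmap_ua"]:
            reasons.append("sqlmap user agent")
        if rec["probes"] >= probe_threshold:
            reasons.append("%d injection-style requests (%s)"
                           % (rec["probes"], ", ".join(sorted(rec["kinds"]))))
        if reasons:
            alerts[ip] = reasons
    return alerts


if __name__ == "__main__":
    for ip, reasons in analyse(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```

The point of the two independent signals is the one the tutorial makes for the attacker: --random-agent removes the user-agent giveaway, so the first check alone is not enough, but the volume of malformed values that higher --level/--risk settings generate is still there in the request lines and is what the second check catches.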

Note: I had used --dbms=mysql and level/risk is set to 5 (habit, not really necessary).

5. Output variations

5.1 Schema and Column
--schema and --columns are two commands that will help you fetch the column info for every field in the selected table. --schema will fetch the column info for the whole database. --columns will only fetch it for the given table.

NOTE --schema: Does not need to be given a table input, as we fetch all the column info for the given database with this input.

NOTE --columns: Notice we specify a table when using --columns.

If we use --columns and define the table (-T) as VIEWS we would end up with this:

With --schema we would end up with the same result, but for every table in the database. But how does this help us?
Imagine we got a table named admin; we could use --columns to view this and see what information we can get. What about a larger table like User_credentials? We could see the information and select the fields we wanna dump! In other words, we could skip the unusable primary key values and number of posts, and instead only select the username, password and mail columns in the table.
In this example we will select the columns CHECK_OPTION and TABLE_NAME. Note they are split using a comma; this applies to all places in SQLMAP where we can select more than one database (-D) or table (-T).

Our command line arg. Notice there is no space between CHECK_OPTION and TABLE_NAME.

And this is our result! Imagine the possibilities by selecting the columns we want to get dumped!
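Everything this section enumerates (--schema, --columns, the tables inside information_schema) has to be answered by the database, so on the server it shows up as queries against information_schema from the web application's own account, which normally has no business reading the catalog. The following is an added example, not from the tutorial: a Python detector over constructed MySQL general-log entries that reports, per connection, which information_schema tables a non-administrative user touched. The log lines, the user names `webapp` and `dba`, the query shapes and the trusted-user list are all constructed for the example.

```python
import re

# Constructed MySQL general-log entries. Line layout assumed as
# "YYMMDD HH:MM:SS<tab>thread_id Command<tab>argument"; the queries are
# illustrative catalog lookups, not copied from any real incident.
SAMPLE_GENERAL_LOG = [
    "120212 20:02:10\t   42 Connect\twebapp@localhost on shop",
    "120212 20:02:10\t   42 Query\tSELECT title FROM pages WHERE id = 1337 ORDER BY Sort DESC LIMIT 0,12",
    "120212 20:02:11\t   42 Query\tSELECT title FROM pages WHERE id = 1337 UNION ALL SELECT schema_name FROM information_schema.SCHEMATA",
    "120212 20:02:12\t   42 Query\tSELECT title FROM pages WHERE id = 1337 UNION ALL SELECT table_name FROM information_schema.TABLES WHERE table_schema='information_schema'",
    "120212 20:02:13\t   42 Query\tSELECT title FROM pages WHERE id = 1337 UNION ALL SELECT column_name FROM information_schema.COLUMNS WHERE table_name='VIEWS'",
    "120212 20:05:00\t   43 Connect\tdba@localhost on mysql",
    "120212 20:05:01\t   43 Query\tSELECT table_name FROM information_schema.TABLES WHERE table_schema='shop'",
    "120212 20:05:02\t   42 Quit\t",
]

ENTRY_RE = re.compile(
    r"^(?P<date>\d{6} \d{2}:\d{2}:\d{2})\t\s*(?P<thread>\d+) (?P<command>\w+)\t(?P<arg>.*)$"
)
# Any "information_schema.<table>" reference inside a query.
IS_TABLE_RE = re.compile(r"\binformation_schema\.(\w+)", re.I)


def analyse_general_log(lines, trusted_users=("dba",)):
    """Return {thread_id: {"user": name, "tables": [...]}} for every connection
    whose user is not in trusted_users and whose queries read information_schema.

    trusted_users is an assumed allowlist of accounts expected to query the catalog.
    """
    users = {}         # thread id -> database user, learned from its Connect entry
    catalog_hits = {}  # thread id -> set of information_schema tables referenced
    for line in lines:
        m = ENTRY_RE.match(line)
        if not m:
            continue
        thread, command, arg = m["thread"], m["command"], m["arg"]
        if command == "Connect":
            users[thread] = arg.split("@", 1)[0]
        elif command == "Query":
            tables = {t.upper() for t in IS_TABLE_RE.findall(arg)}
            if tables and users.get(thread) not in trusted_users:
                catalog_hits.setdefault(thread, set()).update(tables)
    return {t: {"user": users.get(t, "?"), "tables": sorted(v)}
            for t, v in catalog_hits.items()}


if __name__ == "__main__":
    for thread, info in analyse_general_log(SAMPLE_GENERAL_LOG).items():
        print("thread %s (%s) read information_schema: %s"
              % (thread, info["user"], ", ".join(info["tables"])))
```

The order in which the catalog tables appear for the flagged connection (SCHEMATA, then TABLES, then COLUMNS) is the same database-to-table-to-column walk the tutorial performs with --dbs, --tables and --columns, which is what makes the sequence recognisable even when each single query looks harmless.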

5.2 Other variations
By using --dump and -C we could tell SQLMAP to only look for the columns we want, and it will search for them in all available databases. Say you want the columns user and password, and got 20 databases... this will make the search less time consuming.

6. Change Log

12.02.2012
Revision 1 done. Needs to be filled out and small parts to be added. Should work as a tutorial for beginners now!

11.02.2012
Written the section about Information Gathering and Basic SQLMAP Introduction.

10.02.2012
Written tutorial introduction and disclaimer. Starting up with Proxychains and TOR setup.

08.02.2012
Document launched. Menu done and text to be done.
