0% found this document useful (0 votes)
193 views18 pages

Automate SQL Injection With Sqlmap

Sqlmap is a penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. The document provides steps to setup an environment with XAMPP, DVWA, and install necessary tools like sqlmap and python. It then outlines the process of using sqlmap to scan for SQL injection vulnerabilities on a DVWA server, identify databases and tables, dump data, and crack hashed passwords to identify user credentials.

Uploaded by

pham dat
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
193 views18 pages

Automate SQL Injection With Sqlmap

Sqlmap is a penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. The document provides steps to setup an environment with XAMPP, DVWA, and install necessary tools like sqlmap and python. It then outlines the process of using sqlmap to scan for SQL injection vulnerabilities on a DVWA server, identify databases and tables, dump data, and crack hashed passwords to identify user credentials.

Uploaded by

pham dat
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 18

Automate SQL Injection with SqlMap

1. Introduction
SQLMAP is a tool that exploits the corruption of SQL databases. This tool is
considered to be the best SQL mining tool available today. The security and hacker
use often. For Kali users, SQLMAP is built into the operating system. For
Windows, we have to install more python and SQLMAP to use.

2. Preparation
- Computer running windows operating system. Require to disable the firewall on
the system.
- The source code management mysql - phpmyadmin
https://www.phpmyadmin.net/downloads/
- XAMPP download by following link:
https://downloadsapachefriends.global.ssl.fastly.net/xampp-files/5.6.31/xampp-
win32-5.6.31-0-VC11-installer.exe?from_af=true
- DVWA download the following link:
http://www.dvwa.co.uk/
- The browser software chrome, firefox 10.0, 7zip, Notepadd ++.
- Install python 2.7
- Download the sqlmap toolkit

3. Implementation steps
- Turn on xampp and go to 192.168.100.15/DVWA. Login with user: admin. Pass:
password. Here 192.168.100.15 is ipv4 machine running dvwa
- Login successfully choose dvwa security> Select low and submit

- We select SQL INJECTION


- Type : 1 and submit

- Open notepad > Coppy link and paster into notepad


- We select XSS Reflected. Type code:
<script>alert(document.cookie)</script>
- We see a message box. I coppy the notification line about paste into
notepad

- After paste we get a link SQL injection and line 2 is cookie


We type : sqlmap –u “link” --cookie=“cookie” –b --current-db --current-user
(Cookies here let phpsessions in front. Security = "low" in the following as
picture )
- I run and select N as in the picture

- Select Y as a picture
-
- Select N as a picture
- After running, we get the message as shown in the image including current
user and current database
- Type : sqlmap –u “link” --cookie=“cookie” --string=“Surname” --users –
password

- Select y as a picture into crack pass of sqlmap


- Select Y as in the picture
- Select 1 as shown in the picture. And then we run the command to see the
database: sqlmap -u "link" --cookie = "cookie" -dbs
- After running we get the database as picture
We will see the tables in the databse admin123: Type the command: sqlmap -u
"link" --cookie = "cookie" -D admin123 --tables
(Some of you leave the database name dvwa instead of admin123 to dvwa)

- We see 2 tables. We want to see the columns available in the tables users:
Type: sqlmap -u "link" --cookie = "cookie" -D admin123 -T users -
columns
- We see columns in table users. We want to see the information columns:
Type: sqlmap -u "link" --cookie = "cookie" -D admin123 -T user -dumps
- We choose Y same image to crack sqlmap pass pass

- We select 1 as the default sqlmap wordlist


- Choose y to crack pass and wait for sqlmap to finish running

- After running to find tha contains a table containing the info. We have user
and pass. Pass was crack in the next pass md5

You might also like