
Hacking MySQL Online Databases with Sqlmap

In this tutorial, we will follow up on a previous tutorial on MySQL. In that tutorial, I showed you the basics of running a MySQL server on BackTrack. In addition, you might want to take a look at my tutorial on the basics of databases if you are not familiar with databases and Database Management Systems (DBMS). Since MySQL is SO important in so many web applications, I will be doing more MySQL tutorials in the future. The more you know about MySQL, the better you can hack MySQL!

Generally, MySQL is teamed up with PHP and an Apache web server (often referred to as LAMP or XAMPP) to build dynamic, database-driven web sites. Such development packages as Drupal, Joomla, WordPress, Ruby on Rails and others all use MySQL as their default database. Millions of websites have MySQL backends, and very often they are "homegrown" websites, built without much attention to security.
In this tutorial, we will be looking at how to extract information about an online MySQL database before we actually extract data from it. Once again, I'll repeat: the more we know, the more successful we will be in hacking, and the less chance there is that you will be detected.
Here, we will be using one of the best database hacking tools available, sqlmap. Sqlmap can be used against databases other than MySQL, such as Microsoft's SQL Server and Oracle, but here we will focus its capabilities on those ubiquitous web sites built with PHP, Apache and MySQL.

Step 1: Start Sqlmap

First, fire up BackTrack and go to BackTrack, then Information Gathering, then Database Analysis, then MySQL Analysis and finally, sqlmap as shown in the screenshot below.

Step 2: Find a Vulnerable Web Site

In order to get "inside" the web site and, ultimately, the database, we are looking for web sites whose URLs end in "php?id=XXX", where XXX represents some number. Those who are familiar with Google hacks/dorks can search Google by entering:
  • inurl:index.php?id=
  • inurl:gallery.php?id=
  • inurl:post.php?id=
  • inurl:article?id=
...among others.
This will bring up literally millions of web sites that meet this basic vulnerability criterion. If you are creative and ambitious, you can also find numerous web sites that list vulnerable web sites. You might want to check these out.
For our purposes here, and to keep you out of the long reach of the law, we will be hacking a website designed for this purpose, www.webscanhost.org. We can practice on this web site and refine our skills without worrying about breaking any laws and having to make bail money for you.
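Before moving on, it helps to see what the weakness behind a "php?id=" page looks like from the developer's side. The following is an added example, not code from the original tutorial or from any of the sites it names. It is Python with an in-memory sqlite3 table standing in for a MySQL table (the table, rows and function names are constructed for illustration; MySQL's Python drivers bind parameters the same way, with %s placeholders instead of ?). The vulnerable function pastes the id straight into the SQL text, so any input that is not a plain number changes the query and a stray quote surfaces a database error; the hardened function checks the type and binds the value as a parameter, so the database never parses user input as SQL.

```python
import sqlite3

# Constructed in-memory stand-in for a MySQL table behind an "id=" page.
# sqlite3 is used only so the example runs offline; mysql-connector-python and
# PyMySQL bind parameters the same way, with %s placeholders instead of ?.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO items VALUES (?, ?, ?)",
        [(1, "alpha", "s1"), (2, "beta", "s2"), (4, "delta", "s4")],
    )
    return conn


def search_by_id_vulnerable(conn, raw_id):
    """The broken pattern: the raw query-string value becomes part of the SQL text.

    A plain number behaves as intended; anything else is parsed as SQL. A stray
    quote raises a database error (the error-based signal a scanner looks for),
    and a boolean tail such as '4 OR 1=1' turns the WHERE clause into a tautology.
    """
    query = "SELECT id, name FROM items WHERE id = " + raw_id
    return conn.execute(query).fetchall()


def search_by_id_safe(conn, raw_id):
    """The hardened pattern: validate the type, then bind the value as a parameter.

    The SQL text is constant; the driver sends the value separately, so the
    database never parses user input as SQL. Non-numeric input is rejected.
    """
    try:
        item_id = int(raw_id)
    except (TypeError, ValueError):
        return []
    return conn.execute("SELECT id, name FROM items WHERE id = ?", (item_id,)).fetchall()


def error_message_leaked(conn, raw_id):
    """Return the database error text the vulnerable handler would surface, or None.

    Echoing this text back to the client is what lets a scanner fingerprint the DBMS.
    """
    try:
        search_by_id_vulnerable(conn, raw_id)
    except sqlite3.DatabaseError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    db = build_db()
    print("vulnerable, id=4        ->", search_by_id_vulnerable(db, "4"))
    print("vulnerable, id=4 OR 1=1 ->", search_by_id_vulnerable(db, "4 OR 1=1"))
    print("vulnerable, id=4'       ->", error_message_leaked(db, "4'"))
    print("safe,       id=4 OR 1=1 ->", search_by_id_safe(db, "4 OR 1=1"))
```

The type check alone is not the fix; the parameter binding is. Casting to int happens to be enough for a numeric id, but for string parameters (names, search terms) only the bound placeholder keeps the value out of the SQL grammar.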

Step 3: Open Sqlmap

When you click on sqlmap, you will be greeted by a screen like the one below. Sqlmap is a powerful tool, written as a Python script (we will be doing a Python tutorial soon), that has a multitude of options. We will just be scratching the surface of its capabilities in this tutorial.

Step 4: Determine the DBMS Behind the Web Site

Before we begin hacking a web site, we need to gather information. We need to know WHAT we are hacking. As I have said many times before, most exploits are very specific to the OS, the application, services, ports, etc. Let's begin by finding out what the DBMS is behind this web site.
To start sqlmap on this task, we type:
  • ./sqlmap.py -u "the entire URL of the vulnerable web page"
or, in this case, the full URL of the practice page.
When we do so, sqlmap will return results like those below. Notice where I highlighted that the web site back-end is using MySQL 5.0.

Step 5: Find the Databases

Now that we know the DBMS is MySQL 5.0, we need to know what databases it contains. sqlmap can help us do that. We take the command we used above and append --dbs to it, like this:
  • search_get_by_id.php?id=4" --dbs
When we run this command against www.webscantest.com, we get results like those below. Notice that I have highlighted the two available databases, information_schema and scanme. information_schema is included in every MySQL installation; it holds metadata about all the objects in the MySQL instance, but no data of interest. Although it can be beneficial to explore that database to find objects in all the databases in the instance, we will focus our attention on the other database here, scanme, which may hold some valuable information. Let's explore it further.

Step 6: Get More Info from the Database

So, now we know what the DBMS is (MySQL 5.0) and the name of a database of interest (scanme). The next step is to try to determine the tables and columns in that database. In this way, we will have some idea of what data is in the database, where it is, and what type of data it is (numeric or string). All of this information is critical and necessary for extracting the data. To do this, we need to make some small revisions to our sqlmap command. Everything else we used above remains the same, but now we tell sqlmap we want to see the tables and columns from the scanme database. We append --columns -D and the name of the database, scanme, like this:
  • search_get_by_id.php?id=4" --dbs --columns -D scanme
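Every step above leaves a trail in the web server's access log, and the enumeration of information_schema is exactly what a defender can look for. The following is an added example, not code from the original tutorial: a small Python scanner over a few constructed Apache combined-format log lines. The addresses, timestamps and paths are made up; sqlmap does identify itself in the User-Agent header unless told otherwise, but the exact version string shown is constructed, and the id values mirror the shape of an automated scanner's probes rather than any real capture. The scanner flags requests whose id parameter is not a plain number or carries SQL tokens, requests with a sqlmap user-agent, and 500 responses, then counts flagged requests per client address so that a burst from one source stands out.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed Apache combined-format log lines (addresses, times and paths are
# made up for this example). Lines 2-4 show the shape of an automated SQL
# injection scanner's probes against an "id=" page; lines 1 and 5 are benign.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2013:13:55:36 +0000] "GET /search_get_by_id.php?id=4 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2013:13:56:01 +0000] "GET /search_get_by_id.php?id=4%27 HTTP/1.1" 500 231 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
198.51.100.9 - - [10/Oct/2013:13:56:02 +0000] "GET /search_get_by_id.php?id=4%20AND%201%3D1 HTTP/1.1" 200 512 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
198.51.100.9 - - [10/Oct/2013:13:56:03 +0000] "GET /search_get_by_id.php?id=4%20UNION%20SELECT%20schema_name%20FROM%20information_schema.schemata HTTP/1.1" 200 640 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2013:13:57:10 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# ip - - [time] "METHOD path PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Tokens that have no business in a numeric id parameter.
SQL_TOKEN_RE = re.compile(
    r"\bunion\b|\bselect\b|\b(?:and|or)\b\s+\d+\s*=\s*\d+|information_schema|sleep\s*\(|'|--|/\*",
    re.IGNORECASE,
)


def parse_line(line):
    """Split one combined-format line into its fields, or return None if it does not parse."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def inspect_request(rec):
    """Return the reasons (possibly none) a parsed request looks like injection probing."""
    reasons = []
    if "sqlmap" in rec["ua"].lower():
        reasons.append("sqlmap user-agent")
    params = parse_qs(urlsplit(rec["path"]).query)  # parse_qs also percent-decodes values
    for key, values in params.items():
        for value in values:
            if key == "id" and not value.isdigit():
                reasons.append("non-numeric id")
            if SQL_TOKEN_RE.search(value):
                reasons.append(f"sql tokens in {key}")
    if rec["status"] == "500":
        reasons.append("server error")
    return reasons


def scan_log(lines):
    """Return (flagged requests, flagged-request count per client address)."""
    flagged = []
    per_ip = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = inspect_request(rec)
        if reasons:
            flagged.append((rec["ip"], rec["path"], reasons))
            per_ip[rec["ip"]] += 1
    return flagged, per_ip


def noisy_sources(per_ip, threshold=3):
    """Addresses with at least `threshold` flagged requests: the burst pattern of a scanner."""
    return sorted(ip for ip, count in per_ip.items() if count >= threshold)


if __name__ == "__main__":
    flagged, per_ip = scan_log(SAMPLE_LOG.splitlines())
    for ip, path, reasons in flagged:
        print(ip, path, ", ".join(reasons))
    print("noisy sources:", noisy_sources(per_ip))
```

The user-agent check is the weakest signal, since the string is trivially changed; the non-numeric id and the burst of flagged requests from one address survive that. In production the same checks belong in a WAF rule or a log pipeline, and the 500 responses are worth correlating with the database error log, because a back-end that echoes SQL errors to the client is what makes the fingerprinting in Step 4 work.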
