Hacking MySQL Online Databases with Sqlmap

-

Welcome back, my amateur hackers!
In this tutorial,  In that tutorial, I showed you the basics of running a MySQL server on BackTrack. In addition,  if you are not familiar with databases and DataBase Management Systems (DBMS). Since MySQL is SO important in so many web applications, I will be doing more MySQL tutorials in the future. The more you know about MySQL, the better you can hack MySQL!
Generally, MySQL is teamed up with PHP and an Apache web server (often referred to as LAMPP or XAMPP) to build dynamic, database driven web sites. Such development packages as Drupal, Joomla, Wordpress, Ruby on Rails and others all use MySQL as their default database. Millions of websites have MySQL backends and very often they are "homegrown" websites, without much attention on security.
In this tutorial, we will looking to extract information about an online MySQL database before we actually extract information from the database. Once again, I'll repeat, the more we know, the more successful we will be in hacking and the less chance you will be detected.
Here, we will be using one of the best database hacking tools available, sqlmap. Sqlmap can be used for databases other than MySQL, such Microsoft's SQL Server and Oracle, but here we will focus its capabilities on those ubiquitous web sites that are built with PHP, Apache and MySQL.

Step 1Start Sqlmap

First, fire up BackTrack and go to BackTrack, then Information Gathering, then Database Analysis, then MySQL Analysis and finally, sqlmap as shown in the screenshot below.

Step 2Find a Vulnerable Web Site

In order to get "inside" the web site and ultimately, the database, we are looking for web sites that end in "php?id=" where XXX represents some number. Those who are familiar with google hacks/dorks can do a search on google by entering:
  • inurl:index.php?id=
  • inurl:gallery.php?id=
  • inurl:post.php?id=
  • inurl:article?id=
...among others.
This will bring up literally millions of web sites with this basic vulnerability criteria. If you are creative and ambitious, you can find numerous web sites that list vulnerable web sites. You might want to check these out.
For our purposes here and to keep you out of the long reach of the law, we will be hacking a website designed for this purpose, www.webscanhost.org. We can practice on this web site and refine your skills without worrying about breaking any laws and having to make bail money for you.

Step 3Open Sqlmap

When you click on sqlmap, you will be greeted by a screen like that below. Sqlmap is a powerful tool, written as a Python script (we will be doing Python tutorial soon) that has a multitude of options. We will just be scratching the surface of its capabilities in this tutorial.

Step 4Determine the DBMS Behind the Web Site

Before we begin hacking a web site, we need to gather information. We need to know WHAT we are hacking. As I have said many times before, most exploits are very specific to the OS, the application, services, ports, etc. Let's begin by finding out what the DBMS is behind this web site.
The start sqlmap on this task, we type:
  • ./sqlmap.py -u "the entire URL of the vulnerable web page"
or this case:
When we do so, sqlmap will return results like that below. Notice where I highlighted that the web site back-end is using MySQL 5.0

Step 5Find the Databases

Now that we know what the database management system (DBMS) is MySQL 5.0, we need to know what databases it contains. sqlmap can help us do that. We take the command we used above and append to it --dbs, like this:
search_get_by_id.php?id=4" --dbs
When run this command against www.webscantest.com we get the results like those below. Notice that I have highlighted the two available databases, information schema and scanme. Information schema is included in every MySQL installation and it includes information on all the objects in the MySQL instance, but not data of interest. Although it can be beneficial to explore that database to find objects in all the databases in the instance, we will focus our attention on the other database here , scanme, that may have some valuable information. Let's explore it further.

Step 6Get More Info from the Database

So, now we know what the DBMS is (MySQL 5.0) and the name of a database of interest (scanme). The next step is to try to determine the tables and columns in that database. In this way, we will have some idea what data is in the database, where it is and what type of data (numeric or string). All of this information is critical and necessary to extracting the data. To do this, we need to make some small revisions to our sqlmap command. Everything else we have used above remains the same, but now we tell sqlmap we want to see the tables and columns from the scanme database. We can append our command with --columns -D and the name of the database, scanme such as this:
search_get_by_id.php?id=4" --dbs --columns -D scanme

When we do so, sqlmap will target the scanme database and attempt to enumerate the tables and columns in the scanme database.
As we can see below, sqlmap successfully was able to enumerate three tables; (1) accounts, (2) inventory, and (3) orders, complete with column names and datatypes. Not Bad!

Note that the orders table below includes credit card numbers, expiration dates and CVV. The hacker's "Golden Fleece"!!

As you can see, sqlmap can be very versatile and useful tool for MySQL, as well as SQL Server and Oracle database hacking. We will plan on coming back to sqlmap in the near future to explore more of its extensive database hacking capabilities.
Keep coming back, my amateur hackers, for more adventures in Hackerland!

Comments

Post a Comment

Popular posts from this blog

Automate Brute-Force Attacks for Nmap Scans

-
Image
Using Hydra , Ncrack , and other brute-forcing tools to crack passwords for the first time can be frustrating and confusing. To ease into the process, let's discuss automating and optimizing brute-force attacks for potentially vulnerable services such as SMTP, SSH, IMAP, and FTP discovered by Nmap, a popular network scanning utility. BruteSpray , developed by Jacob Robles and Shane Young , is a Python script capable of processing an Nmap scan output and automating brute-force attacks against discovered services using Medusa , a popular brute-forcing tool. BruteSpray is the much-needed nexus that unifies Nmap scans and brute-force attacks. Step 1 Set Up BruteSpray & Medusa An older version of BruteSpray can be found in the Kali repositories. To avoid potential confusion, any version of BruteSpray which may already be installed should be removed using the below command. apt-get autoremove brutespray Next, cl...
Read more

How To Unlock Windows Computer from Android or iPhone

-
Image
Learn How To Unlock Windows Computer from Android or iPhone: How to unlock your computer with the help of your android smartphone, you will need a Rohos Logon Key software installed both on your Android and Computer to gain access you computer. T here is numerous article on the internet concerning how to secure your PC while you are not at the computer, Some of us even try to search that is there any procedure to unlock your PC with the help of the smartphone? But let’s tell you there is an easy method out there by which you can easily Unlock your computer with the help of your Android smartphone. How To Unlock Windows Computer for Android or iPhone With this method, you need your smartphone to unlock your computer after logging in into your windows login screen and for that, you have to connect your smartphone with your PC to identify the right authentication to PC to unlock it. So read out the below steps proceed. It is possible to access your computer withou...
Read more

How To Change Serial Number Of Your Android

-
Image
How To Change Serial Number Of Your Android Set the custom serial number on your Android mobile to hide its identity over the network and over the various app servers that use your device serial number to work with the help of xposed module. Android Serial number of every mobile device is its identity to recognize that network on the cellular network and to accept the licenses that have been made for that device, and this identity is by default set by the phone’s manufacturer. You can’t change the IMEI number to detect over the cellular network, but you can change this on your device for the temporary time for the apps and the devices licenses. And this fakes your device identity, and you can use this in a very cool way of faking some recharge apps to get the bonus. So, in this guide, we will be discussing the same. So have a look at complete guide explained below to proceed. How To Change Serial Number Of your Android The method is quite simple...
Read more