Step 1: Find a Vulnerable Website
This is usually the toughest bit and takes longer than any of the other steps. Those who know how to use Google Dorks know this already, but in case you don’t, I have put together a number of strings that you can search for in Google. Just copy and paste any of the lines into Google and it will show you a number of search results.
Step 1.a: Google Dorks strings to find Vulnerable SQLMAP SQL injectable website
This list is really long; it took me a long time to collect these. If you know SQL, you can add more. Put them in the comment section and I will add them here.
Google Dork string Column 1 | Google Dork string Column 2 | Google Dork string Column 3 |
---|---|---|
inurl:item_id= | inurl:review.php?id= | inurl:hosting_info.php?id= |
inurl:newsid= | inurl:iniziativa.php?in= | inurl:gallery.php?id= |
inurl:trainers.php?id= | inurl:curriculum.php?id= | inurl:rub.php?idr= |
inurl:news-full.php?id= | inurl:labels.php?id= | inurl:view_faq.php?id= |
inurl:news_display.php?getid= | inurl:story.php?id= | inurl:artikelinfo.php?id= |
inurl:index2.php?option= | inurl:look.php?ID= | inurl:detail.php?ID= |
inurl:readnews.php?id= | inurl:newsone.php?id= | inurl:index.php?= |
inurl:top10.php?cat= | inurl:aboutbook.php?id= | inurl:profile_view.php?id= |
inurl:newsone.php?id= | inurl:material.php?id= | inurl:category.php?id= |
inurl:event.php?id= | inurl:opinions.php?id= | inurl:publications.php?id= |
inurl:product-item.php?id= | inurl:announce.php?id= | inurl:fellows.php?id= |
inurl:sql.php?id= | inurl:rub.php?idr= | inurl:downloads_info.php?id= |
inurl:index.php?catid= | inurl:galeri_info.php?l= | inurl:prod_info.php?id= |
inurl:news.php?catid= | inurl:tekst.php?idt= | inurl:shop.php?do=part&id= |
inurl:index.php?id= | inurl:newscat.php?id= | inurl:productinfo.php?id= |
inurl:news.php?id= | inurl:newsticker_info.php?idn= | inurl:collectionitem.php?id= |
inurl:index.php?id= | inurl:rubrika.php?idr= | inurl:band_info.php?id= |
inurl:trainers.php?id= | inurl:rubp.php?idr= | inurl:product.php?id= |
inurl:buy.php?category= | inurl:offer.php?idf= | inurl:releases.php?id= |
inurl:article.php?ID= | inurl:art.php?idm= | inurl:ray.php?id= |
inurl:play_old.php?id= | inurl:title.php?id= | inurl:produit.php?id= |
inurl:declaration_more.php?decl_id= | inurl:news_view.php?id= | inurl:pop.php?id= |
inurl:pageid= | inurl:select_biblio.php?id= | inurl:shopping.php?id= |
inurl:games.php?id= | inurl:humor.php?id= | inurl:productdetail.php?id= |
inurl:page.php?file= | inurl:aboutbook.php?id= | inurl:post.php?id= |
inurl:newsDetail.php?id= | inurl:ogl_inet.php?ogl_id= | inurl:viewshowdetail.php?id= |
inurl:gallery.php?id= | inurl:fiche_spectacle.php?id= | inurl:clubpage.php?id= |
inurl:article.php?id= | inurl:communique_detail.php?id= | inurl:memberInfo.php?id= |
inurl:show.php?id= | inurl:sem.php3?id= | inurl:section.php?id= |
inurl:staff_id= | inurl:kategorie.php4?id= | inurl:theme.php?id= |
inurl:newsitem.php?num= | inurl:news.php?id= | inurl:page.php?id= |
inurl:readnews.php?id= | inurl:index.php?id= | inurl:shredder-categories.php?id= |
inurl:top10.php?cat= | inurl:faq2.php?id= | inurl:tradeCategory.php?id= |
inurl:historialeer.php?num= | inurl:show_an.php?id= | inurl:product_ranges_view.php?ID= |
inurl:reagir.php?num= | inurl:preview.php?id= | inurl:shop_category.php?id= |
inurl:Stray-Questions-View.php?num= | inurl:loadpsb.php?id= | inurl:transcript.php?id= |
inurl:forum_bds.php?num= | inurl:opinions.php?id= | inurl:channel_id= |
inurl:game.php?id= | inurl:spr.php?id= | inurl:aboutbook.php?id= |
inurl:view_product.php?id= | inurl:pages.php?id= | inurl:preview.php?id= |
inurl:newsone.php?id= | inurl:announce.php?id= | inurl:loadpsb.php?id= |
inurl:sw_comment.php?id= | inurl:clanek.php4?id= | inurl:pages.php?id= |
inurl:news.php?id= | inurl:participant.php?id= | |
inurl:avd_start.php?avd= | inurl:download.php?id= | |
inurl:event.php?id= | inurl:main.php?id= | |
inurl:product-item.php?id= | inurl:review.php?id= | |
inurl:sql.php?id= | inurl:chappies.php?id= | |
inurl:material.php?id= | inurl:read.php?id= | |
inurl:clanek.php4?id= | inurl:prod_detail.php?id= | |
inurl:announce.php?id= | inurl:viewphoto.php?id= | |
inurl:chappies.php?id= | inurl:article.php?id= | |
inurl:read.php?id= | inurl:person.php?id= | |
inurl:viewapp.php?id= | inurl:productinfo.php?id= | |
inurl:viewphoto.php?id= | inurl:showimg.php?id= | |
inurl:rub.php?idr= | inurl:view.php?id= | |
inurl:galeri_info.php?l= | inurl:website.php?id= | |
Step 1.b: Initial check to confirm if website is vulnerable to SQLMAP SQL Injection
For every string shown above you will get hundreds of search results. How do you know which ones are really vulnerable to SQL injection? There are multiple ways, and I am sure people would argue about which one is best, but to me the following is the simplest and most conclusive.
Let’s say you searched using this string:
and one of the search results shows a website like this:
Just add a single quotation mark (') at the end of the URL. (To be clear, " is a double quotation mark and ' is a single quotation mark.)
So now your URL will look like this:
If the page returns an SQL error, the page is vulnerable to SQL injection and sqlmap can work with it. If it loads normally or redirects you to a different page, move on to the next site in your Google search results.
See the example error in the screenshot below. I’ve obscured everything, including the URL and page design, for obvious reasons.
Examples of SQLi Errors from Different Databases and Languages
Microsoft SQL Server
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
MySQL Errors
Oracle Errors
PostgreSQL Errors
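The single-quote test works because the vulnerable page splices the URL parameter straight into its SQL text, so a stray quote breaks the statement and the database complains. The following is an added example (not code from the original post) showing that mechanism from the developer's side: the same lookup written the vulnerable way and the parameterised way, run against an in-memory SQLite table with constructed rows. SQLite stands in for the MySQL/PHP stacks the dorks above usually turn up; the table, rows and function names are all assumptions made for the example.

```python
"""Added example: why a stray single quote produces a database error on a
vulnerable page, and why a parameterised query does not. Uses an in-memory
SQLite database with constructed rows (not data from the original post)."""
import sqlite3


def make_db():
    """Throwaway products table; every row is constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (item_id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?)",
                     [(15, "widget"), (16, "gadget")])
    return conn


def lookup_vulnerable(conn, item_id):
    """The pattern the post is hunting for: the URL parameter is spliced into
    the SQL text, so any quote in the input alters the statement itself."""
    sql = "SELECT name FROM items WHERE item_id = '" + item_id + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, item_id):
    """Hardened form: the value is bound as a parameter and can never become SQL."""
    return conn.execute("SELECT name FROM items WHERE item_id = ?",
                        (item_id,)).fetchall()


def probe(func, conn, item_id):
    """What a visitor would see: the rows, or the raw database error that a
    page with error display switched on leaks to the browser."""
    try:
        return "rows=" + repr(func(conn, item_id))
    except sqlite3.Error as exc:
        return "error=" + str(exc)


if __name__ == "__main__":
    db = make_db()
    for value in ("15", "15'"):
        print("vulnerable    ", repr(value), "->", probe(lookup_vulnerable, db, value))
        print("parameterised ", repr(value), "->", probe(lookup_parameterised, db, value))
```

With the input `15` both versions return the same row; with `15'` the vulnerable version raises a syntax error (the "SQL error" the post tells you to look for), while the parameterised version simply finds no row. Turning error display off hides the symptom but not the bug; binding the parameter removes the bug.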
Step 2: List DBMS databases using SQLMAP SQL Injection
As you can see from the screenshot above, I’ve found a website vulnerable to SQL injection. Now I need to list all the databases on that vulnerable server (this is also called enumerating the databases). Since I am using sqlmap, it will also tell me which one is vulnerable.
Run the following command against the vulnerable website:
In here:
= Name of sqlmap binary file
= Target URL (e.g. “http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15”)
= Enumerate DBMS databases
See screenshot below.
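From the defender's side, both the manual quote test and the automated enumeration in this step leave a distinctive trail in the web server's access log: a quote in a query-string parameter, a boolean test such as `AND 1=1`, a burst of requests to the same script from one client, and (unless it was changed) sqlmap's own User-Agent string. The following is an added example, not code from the original post or from the sqlmap project, that parses Apache combined-format log lines and flags those signs. The log lines, IP addresses and timestamps are constructed for the example.

```python
"""Added example: spotting SQL-injection probing in an Apache access log.
All log lines below are constructed; the indicator names are assumptions."""
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed combined-format lines: one normal visitor, then a client that
# runs the manual quote test and is followed by automated requests.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /item.php?id=15 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /item.php?id=15%27 HTTP/1.1" 500 812 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:09 +0000] "GET /item.php?id=15%20AND%201%3D1 HTTP/1.1" 200 5120 "-" "sqlmap/1.7 (https://sqlmap.org)"
"""

# Apache "combined" format: ip ident user [time] "request" status size "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def sqli_indicators(path, ua):
    """Return the names of every indicator a request trips (empty if none)."""
    query = unquote_plus(path.split("?", 1)[1]) if "?" in path else ""
    hits = []
    if "'" in query or '"' in query:
        hits.append("quote-in-parameter")          # the manual test from Step 1.b
    if re.search(r"\b(and|or)\s+\d+\s*=\s*\d+", query, re.I):
        hits.append("boolean-tautology")           # blind-injection style probe
    if ua.lower().startswith("sqlmap"):
        hits.append("sqlmap-user-agent")           # tool's default UA, if not changed
    return hits


def scan_log(text):
    """Return (client ip, status code, indicators) for every flagged line."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                               # skip lines that do not parse
        hits = sqli_indicators(m["path"], m["ua"])
        if hits:
            findings.append((m["ip"], int(m["status"]), hits))
    return findings


def suspicious_clients(findings, threshold=2):
    """Clients with at least `threshold` flagged requests: the burst that
    automated enumeration produces, as opposed to a single stray quote."""
    counts = Counter(ip for ip, _, _ in findings)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for ip, status, hits in found:
        print(ip, status, ", ".join(hits))
    print("clients to review:", suspicious_clients(found))
```

A 5xx status on the quote-test request is itself worth an alert: it means the application returned an error rather than handling the input, which is exactly the signal the attacker is looking for. Note that the User-Agent check only catches default settings; the quote and tautology checks do not depend on the tool used.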
This command reveals quite a bit of interesting information:
So, we now have two databases that we can look into.
is a standard database on almost every MySQL server, so our interest is in the database.
Step 3: List tables of target database using SQLMAP SQL Injection
Now we need to know how many tables this database has and what their names are. To find that out, use the following command:
Sweet, this database has 8 tables,
and of course we want to check what’s inside the
table using SQLMAP SQL Injection, as that table probably contains usernames and passwords.
Step 4: List columns on target table of selected database using SQLMAP SQL Injection
Now we need to list all the columns on the target table
of the database using SQLMAP SQL Injection. sqlmap makes this really easy; run the following command:
This returns 5 entries from the target table
of the database.
AHA! This is exactly what we are looking for: the target table
and .
Step 5: List usernames from target columns of target table of selected database using SQLMAP SQL Injection
SQLMAP SQL Injection makes it easy! Just run the following command again:
Guess what: we now have the username from the database:
Almost there; we now only need the password for this user. The next step shows just that.
Step 6: Extract password from target columns of target table of selected database using SQLMAP SQL Injection
You’re probably getting used to how the SQLMAP SQL Injection tool works by now. Use the following command to extract the password for the user:
TADA!! We have the password.
But hang on, this password looks funny. This can’t be someone’s password. Someone who leaves their website vulnerable like that just can’t have a password like that.
That is exactly right. This is a hashed password: the real password has been run through a one-way hash function, and what we have is only the hash, so now we need to crack it to recover the original.
I have covered how to crack password hashes extensively in my post Cracking MD5, phpBB, MySQL and SHA1 passwords with Hashcat on Kali Linux. If you’ve missed it, you’re missing out on a lot.
I will cover it briefly here, but you should really learn how to use hashcat.
Step 7: Cracking password
So the hashed password is
. How do you know what type of hash that is?
Step 7.a: Identify Hash type
Luckily, Kali Linux provides a nice tool that we can use to identify which type of hash this is. On the command line, type in the following command and paste the hash value at the prompt:
Excellent. So this is a DES(Unix) hash.
Step 7.b: Crack HASH using cudahashcat
First of all I need to know which hash-mode code to use for DES hashes. So let’s check that:
So it’s either 1500 or 3100. But it was a MySQL database, so it must be 1500.
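The hash-identifier style tool used in Step 7.a guesses the hash type from the string's shape (length, alphabet, and any `$id$` prefix), and hashcat then needs the matching mode number. The following is an added example, not code from the original post, hash-identifier or hashcat, that performs that structural guess for a handful of common formats and maps each to its hashcat mode. The mode numbers are taken from hashcat's own mode list (1500 for DES(Unix)/descrypt, as the post finds, and 3100 for Oracle); the sample hashes are constructed strings of the right shape, not real hashes of anything.

```python
"""Added example: structural hash-type identification mapped to hashcat modes.
Sample strings below are constructed for the example, not hashes from the post."""
import re

# (label, shape pattern, hashcat mode number as listed in `hashcat --help`).
# Ordered so that prefixed/formatted hashes are tested before bare hex.
SIGNATURES = [
    ("md5crypt ($1$)",
     re.compile(r"^\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$"), 500),
    ("sha512crypt ($6$)",
     re.compile(r"^\$6\$(rounds=\d+\$)?[^$]{1,16}\$[./0-9A-Za-z]{86}$"), 1800),
    ("MySQL 4.1+/5 (*SHA1(SHA1))",
     re.compile(r"^\*[0-9A-F]{40}$"), 300),
    ("DES(Unix) / descrypt",                      # the type found in Step 7.a
     re.compile(r"^[./0-9A-Za-z]{13}$"), 1500),   # 2-char salt + 11-char hash
    ("Oracle H (Oracle 7+)",
     re.compile(r"^[0-9A-F]{16}$"), 3100),        # the other DES-based mode
    ("Raw MD5",
     re.compile(r"^[0-9a-f]{32}$"), 0),
    ("Raw SHA-1",
     re.compile(r"^[0-9a-f]{40}$"), 100),
]


def identify(hash_string):
    """Return every (label, hashcat mode) the string is consistent with.
    An empty list means none of the shapes above matched."""
    h = hash_string.strip()
    return [(label, mode) for label, pattern, mode in SIGNATURES if pattern.match(h)]


def hashcat_modes(hash_string):
    """Just the candidate mode numbers, in the order to try them."""
    return [mode for _, mode in identify(hash_string)]


if __name__ == "__main__":
    # Constructed samples of each shape (labels only; not real password hashes).
    samples = {
        "descrypt-like": "abJnggxhB/yWI",
        "md5-of-empty-string": "d41d8cd98f00b204e9800998ecf8427e",
        "md5crypt-like": "$1$saltsalt$" + "a" * 22,
        "mysql5-like": "*" + "A" * 40,
        "not-a-hash": "abc123",
    }
    for name, value in samples.items():
        print(f"{name:22} -> {identify(value) or 'no match'}")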
I am running a computer that has an NVIDIA graphics card. That means I will be using cudaHashcat. On my laptop I have an AMD ATI graphics card, so there I will be using oclHashcat. If you’re on VirtualBox or VMware, neither cudaHashcat nor oclHashcat will work. You must install Kali either on a persistent USB or on the hard disk. Instructions are on the website; search around.
I saved the hash value
in a file. The following is the command I am running:
Interesting find: the usual (CPU) Hashcat was unable to determine the code for DES hashes (it is not in its help menu). However, both cudaHashcat and oclHashcat found and cracked the key.
Anyhow, here’s the cracked password: abc123.
Sweet, we now even have the password for this user.
Conclusion
Thanks for reading and visiting my website.
There are many other ways to get into a database or obtain user information. You should practise such techniques only on websites that you have permission to test.
Please share and let everyone know how to test their websites using this technique.