Hacking Databases with SQLmap

Hello NullSec, Joker here with another tutorial or cheatsheet depending on how much in detail I go. This time I am gonna go over one of my favorite tools that I at first overlooked the potential. SQLmap is officially a automatic database takeover tool. I’ve been able to successfully “hack” databases with SQLmap with different flags enabled. Of course I won’t go over every little flag, but enough to at least allow you to get a good handle on SQLmap.

#SQLmap

SQL Injections or SQLi, is where arbitrary code is injected into a website via its URL to force the database to reveal information. A simple SQLi possible URL could be, (url)/index.php?id=1 and to test if it is vulnerable just add a simple ’ to the end of the URL. If the website returns a error, than most likely the URL is vulnerable.

One way to find vulnerable sites is to craft certain search queries with certain keywords. A simple query in Google could be, .com index.php?id= in the search bar. Of course if you are very specific, you can just type in your targeted site into the search query with a common possible SQLi like, index.php?id= or just .php?. You could also use Google Dorking. Please check out this link for more explanation. Since there’s already a tutorial, I am not gonna cover Google Dorking with this post.

After searching far and wide for a vulnerable site or a possible vulnerable site, it is time to use SQLmap.

In a terminal, type in:
sqlmap -u (url)

This is the first command that is needed to test for a possible sqli. The -u flag stands for --url and of course, after the flag type in the full URL or just copy and paste it in (whatever floats your boat). The next step is nothing special because this is after all a automatic takeover tool, but of course waiting for sqlmap to finish is crucial to the whole process. If a SQLi is found than we can continue with the taking over.

To dump passwords, type in:
sqlmap -u (url) --passwords

Most likely SQLmap will fail with dumping the passwords, but if you’re lucky, sqlmap will attempt to crack the passwords. The only issue with cracking the password is that most of the time the password is stored as a hash with a salt… that’s where the issue lies. Without the salt it’s pretty close to impossible to crack the password, but still possible.

To dump tables and columns, type in:
sqlmap -u (url) --dump-all

To dump just tables, type in:
sqlmap -u (url) --tables

To dump just columns, type in:
sqlmap -u (url) --columns

Of course there are many other flags that can be used, but these are the very basic ones.

Simple? Indeed.

#Conclusion:

These are just the basics, sqlmap is a very handy tool for beginners since it also tells you what to do, like literally. I am not gonna go over details since Google is your friend. If you are interested please use Google instead of expecting me to reinvent the wheel. A good site to start at is the official sqlmap site.

Anyways, this is more of cheatsheet. Nothing more and nothing less.

~Cheers!

5 Likes

Great cheatsheet :slight_smile:
My go to command for sqlmap is

$ sqlmap --level 5 --depth 3 --dump-all

Takes fair amount of time TBH, but does the job :smiley:

5 Likes

SQLmap is indeed a nice tool. What i like best is to have Burp proxy on intercepting mode, copy the request to a new file(e.g. REQUEST.txt) and then simply use this command:

sqlmap -r REQUEST.txt -p param