Tuesday, 31 January 2017

SQL injection (website pen test with sqlmap, step by step)

Step-by-step instructions and explanation of SQL injection with sqlmap.

Welcome guys to another tutorial from Hacking Monks.

This time we will be hacking a website using the SQL injection technique.

So let's do it.

Requirements -

* sqlmap tool (built into Kali Linux)

* A vulnerable website

But wait,

What is SQL injection?

SQL injection is a code injection technique, used to attack data-driven applications, in which nefarious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker).

You may also need to know some other terminology which we will be using later on, like:

* Google Dork - A Google dork query, sometimes just referred to as a dork, is a search string that uses advanced search operators to find information that is not readily available on a website. Google dorking, also known as Google hacking, can return information that is difficult to locate through simple search queries.

In short, a Google dork turns up websites that may be vulnerable to SQL injection.

An example of a Google dork looks like this: ".php?id=1" or "article.php?id="

I have made a huge list of Google dorks, thousands of them. You can check them out here - Some Google dorks for you

So basically you have to search for them on Google to get candidate websites.

Steps -

* First we will search for a vulnerable website using a Google dork.

Open any browser and search for ".php?id=".

This will give us some websites whose URLs contain .php?id=

Now I will open the first website and check whether it is really vulnerable to SQL injection.

In order to check if the website is vulnerable, we just need to add this character ' at the end of the URL and hit enter.

You can also use "?"

But here I will just use '

Now, when you add that character and hit enter, the page that comes back will tell you whether the website is vulnerable to SQL injection or not.

It should give you an error of some sort, like this:

This means that the website is vulnerable to SQL injection.

If the page is simply redirected back to the home page, it is not vulnerable.
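To show why that stray quote produces an error page, here is an added Python example (not from the original post) that models the typical article.php?id= handler against an in-memory SQLite table standing in for the MySQL backend; the table, rows and function names are constructed. The hardened version is the fix a defender applies: an integer check plus a bound parameter, so the same input is rejected without ever reaching the SQL parser.

```python
import re
import sqlite3

# In-memory SQLite table standing in for the MySQL backend behind "article.php?id=".
# Table and rows are constructed for this example.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE article (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO article VALUES (?, ?)",
                     [(1, "First post"), (2, "Second post")])
    return conn

def lookup_vulnerable(conn, raw_id):
    """Models the classic handler: the id parameter is pasted into the SQL text.
    A trailing ' leaves the query with an unterminated string literal, so the
    database raises a syntax error, which is the error page the tutorial looks for."""
    sql = "SELECT title FROM article WHERE id = " + raw_id
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error as exc:
        return ("error", str(exc))
    return ("ok", row[0] if row else None)

def lookup_hardened(conn, raw_id):
    """Same lookup, fixed: the id must be a plain decimal number, and it is bound
    as a parameter rather than spliced into the query, so input never becomes SQL.
    Bad input gets a uniform "rejected" result instead of a database error."""
    if not re.fullmatch(r"[0-9]{1,9}", raw_id):
        return ("rejected", None)
    row = conn.execute("SELECT title FROM article WHERE id = ?",
                       (int(raw_id),)).fetchone()
    return ("ok", row[0] if row else None)

if __name__ == "__main__":
    conn = make_db()
    for probe in ("1", "1'"):
        print(probe, lookup_vulnerable(conn, probe), lookup_hardened(conn, probe))
```

The vulnerable handler answers "1" normally and "1'" with a database error; the hardened one answers "1" normally and rejects "1'" before any query runs.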

And be careful of a WAF.

WAF - Web Application Firewall.

One could be in front of the website, and it can log your requests.
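On the defending side, the quote probe from the first step leaves a recognisable trace in the web server's access log. The following Python example is added here and is not part of the original post; the log lines are constructed in Apache combined format, and the sqlmap User-Agent is assumed to keep its usual "sqlmap/<version>" prefix unless the operator changes it.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# Constructed sample: a normal request, the single-quote probe (the quote arrives
# percent-encoded as %27), and a run by sqlmap with its default User-Agent (assumed form).
SAMPLE_LOG = """\
203.0.113.7 - - [31/Jan/2017:10:00:01 +0000] "GET /article.php?id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [31/Jan/2017:10:00:09 +0000] "GET /article.php?id=12%27 HTTP/1.1" 200 612 "-" "Mozilla/5.0"
198.51.100.4 - - [31/Jan/2017:10:01:30 +0000] "GET /article.php?id=12 HTTP/1.1" 200 5120 "-" "sqlmap/1.1.1#stable (http://sqlmap.org)"
"""

def suspicious_reasons(line):
    """Return the reasons a log line looks like an injection probe (empty list if none)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    reasons = []
    # parse_qsl percent-decodes, so id=12%27 is inspected as the value 12'
    for name, value in parse_qsl(urlsplit(m["target"]).query, keep_blank_values=True):
        if "'" in value or '"' in value:
            reasons.append(f"quote in parameter {name!r}")
    # assumed: sqlmap announces itself as "sqlmap/..." unless the operator overrides it
    if m["ua"].lower().startswith("sqlmap/"):
        reasons.append("sqlmap user agent")
    return reasons

def scan_log(text):
    """Return (ip, target, reasons) for every flagged line in an access log."""
    hits = []
    for line in text.splitlines():
        reasons = suspicious_reasons(line)
        if reasons:
            m = LOG_RE.match(line)
            hits.append((m["ip"], m["target"], reasons))
    return hits

if __name__ == "__main__":
    for ip, target, reasons in scan_log(SAMPLE_LOG):
        print(ip, target, "; ".join(reasons))
```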

Note - Please do not pen test any website you get from the Google dorks. THIS WILL BE TOTALLY ILLEGAL. I am using this website because it is already hacked and the owner doesn't care.

Be sure to be on a VPN or proxy while conducting this attack.

* Run sqlmap on your Kali machine by typing "sqlmap -h" in a terminal.

This will show you the help menu.

Now we will just run the tool.

* Type in "sqlmap -u (target address) --dbs"

Be sure you put the exact URL of the target website.

Here "-u" specifies the target,

and "--dbs" enumerates the databases on the target DBMS.

This will take some time.

After it completes, it will list the databases found on the website.

Here you can see that it has given us some important info, like:

1. The backend is MySQL
2. The web app technology is Apache 2.4.23, PHP

and the 5 available databases.

In these databases you can find admin usernames and passwords, other users' passwords, or data which is hidden from the website's visitors.

To see these we need to get inside these databases.

I have accessed the database "kidsdict"

And I know that there is admin info in that database.

So we will go inside that database by typing the same command, edited like this -

"sqlmap -u (target address) -D (name of the database, i.e. kidsdict) --tables"

From the command above, we will get the tables in that database.

As you can see, there is a table called "admin".

What could be inside that table?

Let's see. Type in "sqlmap -u (target address) -D (database name, i.e. kidsdict) -T admin --columns"

You will get something like this. And BAZINGAA, we have got the right columns.

Now we just have to see the usernames and emails and passwords.

* To do that type in "sqlmap -u (target) -D kidsdict -T admin -C user,email,id,rsltperpg --dump"

Remember the command will vary according to your target's column, database and table names. Make sure you put your names, not my target's names.

Patience is the key. So wait a few seconds and

There you go.

Here we found the username and the password.

You don't always get passwords in plain text. If you are lucky, the password will be plain text.

Sometimes they are encrypted, or hashed you could say. Mostly MD5 hashes. You can use online MD5 hash crackers to get the password.

Here is the website that I usually use for cracking hashes - CrackStation

Thank this tool, man. Sometimes it automatically decrypts the passwords itself. If you are using a Windows tool such as Havij, you get the option of decrypting the password in it.

* The next step would be to log in as admin with these credentials for post-exploitation, or just for fun.

In order to log in we need the admin panel, which will give us the login page.

Sometimes the admin panel can be found at the bottom of the website or in the sidebar.

Most people don't leave the user panels visible on the website. You can now guess why.

There are tons of websites which can scan for the login panel for you. Just search for them on Google.

Like this one here

You can also find the admin panel by adding "/login/" at the end of the target website URL

* If you have Kali running, you can use Vega or OpenVAS. These can give you lots of links related to the website.

If you are using the Havij tool on Windows, it has a tool inside it to find the admin panel.

I don't want to break your heart, but sometimes there is no login page on a website at all.

The logins are stored in the website's folders and directories on the server.

* If we want an interactive shell on the target...

Interactive shell - lets you interact with the server behind that website, not just its database.

If you have seen the help menu of the sqlmap tool, you would know by now that we can get the shell from the target website.

This is the post-exploitation process. So we will again use sqlmap to get a shell.

Type in - "sqlmap -u (target) --os-shell"

It will ask for the web application language. The default is PHP. Type '4'.

We will use the common location. Type '1'.

FUCK, it didn't work on this website.

It won't work all the time.

Try your luck.

That's why we use Metasploit and other tools.

And guys, remember that there are other tables in the database too.

Go check them out.

Thank you guys for reading the tutorial. I hope you learnt a lot.


  1. Hi, I have tried sqlmap on a website but they blocked my IP; now the website is only accessible through TOR and VPN, so what to do next to get access to the database..?
    Plz reply.. Thank you..

    1. I will give tuts on post exploitation soon. Thank you for raising the topic.

  2. You can access the files and folders which have data like usernames and passwords of users of that website, which can also be their mail passwords. Or you can get the data which the website has hidden from the user. You can deface the site or redirect that site to your website. Post exploitation is the thing you want. I hope you are not doing anything illegal.