Hello everyone. We're back with another topic: how to dump the database of a website using the sqlmap tool. As you may recall, we explained the whole procedure for dumping a web application's database using sqlmap in a prior article, and I believe you should review that article for a better understanding.
In this article, we will go over all of the useful features of this tool. We assume you're already familiar with the SQL injection issue, so let's get right to it.
Let’s take a closer look!!
In a recent article, we discussed how to use Google dorks to discover a SQL injection issue in a web application. Here, however, we will use the following web application, which was created specifically for penetration testing. We simply added a single quote after the "cat=" parameter and received a MySQL syntax error, indicating that the web application is vulnerable to SQL injection.
How to dump a database of a website
Our previous article gave you a quick overview of how to use sqlmap and the various features it offers. If you'd like to read more about those features, check out our earlier article. The command to dump the database is as follows. For this demo, we're using testphp.vulnweb.com.
Usage 🙂 !! sqlmap -u "<URL>" --dbs
All of the database names behind the web application can be seen here.
To dump the complete contents of a database, use the following command. To use another feature, simply add its option to the command and run it.
Usage !! sqlmap -u "<URL>" -D <database name> --dump-all --batch
Done !! The result is in front of you and you can see that it has dumped all the tables in the “acurate” database at once.
Start your Burp Suite tool, as it will be critical in obtaining the current user's cookies. Now intercept the request and copy the highlighted text in its entirety, as shown in the accompanying image.
Go back to the terminal, add the URL, add the cookie option with the copied text, and execute the command to list the databases.
Usage 🙂 !! sqlmap -u "<URL>" --cookie <cookies> --dbs
Nice 🙂 !! As you can see, it has dumped all the databases once the requirements of this tool were met.
HTTP Request File
With this feature, we dump the whole database using a file that contains the HTTP request. We intercept the request, save it in a text file, and let the sqlmap tool use that file to find and exploit the vulnerability.
After copying the HTTP request, save it in a text file using any editor.
The command below takes the file that we created ourselves and also includes the options to dump the database.
Usage 🙂 !! sqlmap -r <HTTP file> --dbs --dump-all --batch
After you run the command, you can see that all of the databases in the web application have been dumped.
We don't need to run a dork on Google separately, because this capability comes with the sqlmap tool. To use it, we only need to add the "G" option with our dork. It will automatically find websites that match the dork and ask us whether we want to test them for SQL injection.
Nice 🙂 !! After we select the Yes option, it tries to detect a SQL injection vulnerability in the web application and dumps the database if the application is vulnerable.
This feature automatically changes the user agent after a specified period of time to a randomly selected one, thus hiding your real user agent. This will help us in making ourselves anonymous.
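Seen from the defending side, a changed User-Agent removes only one signal, because the injected parameter values still reach the web server's access log. The following added example (not from the original article) scans constructed log lines for both sqlmap's default User-Agent prefix and SQL syntax in query-string values; the log format, path, addresses and patterns are assumptions for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed combined-format log lines; addresses are documentation ranges.
SAMPLE_LOG = '''\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /products.php?cat=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.9 - - [10/Oct/2023:13:56:01 +0000] "GET /products.php?cat=1%27 HTTP/1.1" 200 310 "-" "sqlmap/1.7 (https://sqlmap.org)"
203.0.113.9 - - [10/Oct/2023:13:56:02 +0000] "GET /products.php?cat=1%20UNION%20ALL%20SELECT%20NULL--%20- HTTP/1.1" 200 298 "-" "Mozilla/5.0 (Windows NT 10.0)"
'''

LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$')

# Heuristic only: a lone quote also occurs in legitimate values (O'Brien),
# so treat hits as leads for review, not as proof.
SQLI_RE = re.compile(r"'|--|\bunion\b.+\bselect\b|\bsleep\s*\(", re.I)

def scan(log_text):
    """Return (client_ip, request_target, reasons) for each suspicious line."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, _method, target, _status, agent = m.groups()
        reasons = []
        if agent.lower().startswith("sqlmap/"):
            reasons.append("sqlmap user agent")
        # parse_qsl percent-decodes, so %27 is checked as a literal quote.
        for name, value in parse_qsl(urlsplit(target).query,
                                     keep_blank_values=True):
            if SQLI_RE.search(value):
                reasons.append("sql syntax in parameter " + name)
        if reasons:
            findings.append((ip, target, reasons))
    return findings

if __name__ == "__main__":
    for ip, target, reasons in scan(SAMPLE_LOG):
        print(ip, target, reasons)
```

The third sample line carries a browser-like User-Agent and is still flagged, from the same source address as the second.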
The level controls how many payloads are tried, and if sqlmap can't find the injection, the risk should be increased. Both default to 1. You can change the level from 1 to 5 and the risk from 1 to 3.
Great 🙂 !! After increasing both the level and the risk, it completely dumps all the databases that exist in the web application.
Now if you want to dump all the databases, their tables and columns at once, you can add the “all” option to your command.
That's Nice 🙂 !! As you can see, this has even dumped the passwords of the users that are stored in the database.
We can get the current version of the database running on the remote host machine by adding the "B" option to our command.
Nice 🙂 !! Finally, it has given us the details of the database running on the remote host.
Some important things to look for when we want to get useful information from a database are the following: Execute the command below to get the list of users in the web application.
Consider the image below, in which we have successfully retrieved the current database of the web application.
If you only want to get the passwords of the users available in the web application, you can add the “password” option to your command.
sqlmap supports the Tor service to make us completely anonymous. However, you can only take advantage of this when Tor is already installed on your Linux machine.
We can perform multiple scans at one time with this tool. Let's see how that is possible !! First, we will create a file which contains all the URLs that we want to use.
Then we will pass the location of the created file with the "m" option and try to dump the database.
Nice 🙂 !! We finally got the database name of the first web application.
Done 🙂 !! Similarly, we can make use of this facility, which will definitely help in saving our time.
As we know, privileges define what a user is allowed to do, and we can check them with the following command.
Hmm 🙂 !! As you can see, it shows which privileges are available to the shubham user.
With the following feature, we can read sensitive files on the web application's server if we know the root folder of the web application.
Usage 🙂 !! sqlmap -r <HTTP File> --file-read=<Location>
Great 🙂 !! As you can see, we have received the sensitive user file without logging in to the remote host's database.
Our malicious PHP files can now be uploaded, and we can take over the entire web server through sqlmap, which we will show you how to do. The first thing you need to do is make a malicious PHP file. In our case, we will use the code below to get the cmd shell of the target web server.
Let's understand the command below: the "--file-write" option takes our malicious PHP file, and the "--file-dest" option takes the path on the target web server where we want to upload the PHP file.
Usage 🙂 !! sqlmap -r <HTTP File> --file-write <Your File> --file-dest <Upload Location> --dbs
OMG 🙂 !! Finally our malicious PHP file is successfully uploaded to the target web server and now we can access the web application server’s database through the browser and execute arbitrary commands.
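On the defending side, the file read and upload steps above depend, on MySQL, on the application's database account holding the global FILE privilege and on the server's secure_file_priv setting. The following added example (not from the original article) audits constructed SHOW GRANTS output for that exposure; the account names, schema name and directory are hypothetical.

```python
import re

# Constructed SHOW GRANTS output; account and schema names are hypothetical.
SAMPLE_GRANTS = {
    "webapp": ["GRANT SELECT, INSERT, FILE ON *.* TO `webapp`@`localhost`"],
    "webapp_ro": ["GRANT USAGE ON *.* TO `webapp_ro`@`localhost`",
                  "GRANT SELECT ON `shop`.* TO `webapp_ro`@`localhost`"],
}

GRANT_RE = re.compile(r"^GRANT (.+) ON (\S+) TO ", re.I)

def has_file_privilege(grant_lines):
    """True if a global grant includes FILE (MySQL grants FILE only ON *.*)."""
    for line in grant_lines:
        m = GRANT_RE.match(line)
        if not m or m.group(2) != "*.*":
            continue
        privileges = {p.strip().upper() for p in m.group(1).split(",")}
        if privileges & {"FILE", "ALL PRIVILEGES"}:
            return True
    return False

def file_exposure(grant_lines, secure_file_priv):
    """Combine the grants with the server's secure_file_priv value.

    secure_file_priv: None means the variable is NULL (file import and
    export disabled), "" means no path restriction, otherwise a directory.
    """
    if not has_file_privilege(grant_lines):
        return "no FILE privilege"
    if secure_file_priv is None:
        return "FILE granted, file import/export disabled"
    if secure_file_priv == "":
        return "FILE granted, unrestricted paths"
    return "FILE granted, limited to " + secure_file_priv

if __name__ == "__main__":
    for account, lines in SAMPLE_GRANTS.items():
        print(account, "->", file_exposure(lines, ""))
```

An account that reports "FILE granted, unrestricted paths" is the one to fix first: revoke FILE from the web application's account and set secure_file_priv to NULL or to a directory outside the web root.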