Easy way to Hack Database using Wizard switch in Sqlmap

Sqlmap provides a wizard option for beginners that saves a lot of time. Start your Kali Linux, open the terminal and type the following command to use the wizard interface of sqlmap.

sqlmap -u "http://testphp.vulnweb.com/listproducts.php?cat=1" --wizard

Type 1 (normal) to select the injection difficulty. Then type 1 again for basic enumeration.


It will automatically dump the basic details of the backend server. As you can see in the screenshot, it shows that the web application technology is nginx with PHP 5.3.10, the operating system is Linux Ubuntu, and much more.


Now change the level for penetration testing of the web application with the sqlmap wizard. Type the same command again.

sqlmap -u "http://testphp.vulnweb.com/listproducts.php?cat=1" --wizard
Type 2 (medium) to select the injection difficulty. Then type 2 again for intermediate enumeration.


Wonderful!!! We have got the database name and all table names with their columns.

Now change the level once more for penetration testing of the web application with the sqlmap wizard. Repeat the same command.

sqlmap -u "http://testphp.vulnweb.com/listproducts.php?cat=1" --wizard

Type 3 (hard) to select the injection difficulty. Then type 3 again for all enumeration.


Awesome! Within three steps we have got the entire information of the acuart database. You can see the result in the screenshot.


Here we have all tables with their field details and column details.

Hack the Pentester Lab: from SQL injection to Shell II (Blind SQL Injection)

Today we are going to perform penetration testing with part II of the previous lab; download it from here. Install the ISO image in VMware and start it. In this lab the task level is intermediate, and the challenge is to gain access to the administration console and then upload a PHP webshell.


Start Kali Linux, open the terminal and type the netdiscover command to scan the network. Here 192.168.1.102 is my target IP, as shown in the screenshot. Now open this IP in the browser.


When you open the target IP in the browser you will get a web page with the heading My Awesome Photoblog. At the top left it contains some tags: home; test; ruxcon; 2010; all pictures; admin. Now click on test.

The given URL http://192.168.1.102/cat.php?id=1 will run an SQL query for ID 1. Now let's try to find out whether the above URL is vulnerable to SQL injection or not by adding an apostrophe (') at the end of the URL:
http://192.168.1.102/cat.php?id=1'
It is not vulnerable: I didn't get any error message like the one I got in part 1. Then I tried to find out whether the other IDs are vulnerable or not, but there also I found nothing.


Now use nikto to scan the target for vulnerabilities by typing the following command.

nikto -h 192.168.1.102

Look at the highlighted part of the screenshot; the result tells us that the X-Content-Type-Options header is not set.


Then I used Acunetix to scan the target, which reported a high threat level for blind SQL injection.

Hence it is clear that we should exploit the target through SQL injection.


Now type the following command for blind SQL injection using sqlmap:

sqlmap -u "http://192.168.1.102/cat.php?id=1" --headers="X-Forwarded-For: *" --dbs --batch

Here we try SQL injection through a header: the target application might be designed to read the X-Forwarded-For header, which is used when an application runs behind a reverse proxy.


Our assumption is correct: the above header is vulnerable to SQL injection, and I have got the database name photoblog.
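The root cause behind this finding, as an added example that is not from the lab or the original post: a visitor-logging routine of the kind that makes the X-Forwarded-For header injectable, beside its parameterized fix and a header validator. Table and column names are assumptions; the data store is an in-memory SQLite stand-in.

```python
"""Added example, not from the lab or the original post: why a logged
X-Forwarded-For header is injectable, and the two-layer fix. Table and
column names are assumptions; SQLite in memory stands in for the real DB."""
import ipaddress
import sqlite3
from typing import List, Optional


def setup_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE visitors (id INTEGER PRIMARY KEY, ip TEXT, page TEXT)")
    return con


def log_visit_vulnerable(con: sqlite3.Connection, xff: str, page: str) -> None:
    # The proxy header is pasted straight into the SQL text, so whoever sets
    # the header also controls the statement. A single apostrophe breaks the
    # query, which is exactly the error/true-false behaviour sqlmap tests for.
    con.execute(f"INSERT INTO visitors (ip, page) VALUES ('{xff}', '{page}')")


def log_visit_safe(con: sqlite3.Connection, xff: str, page: str) -> None:
    # Bound parameters: the header is stored as data, never parsed as SQL.
    con.execute("INSERT INTO visitors (ip, page) VALUES (?, ?)", (xff, page))


def client_ip_from_xff(header: Optional[str]) -> Optional[str]:
    """Defence in depth: keep only a syntactically valid address (the left-most
    hop) from the header, or nothing; anything else never reaches the log."""
    if not header:
        return None
    first = header.split(",")[0].strip()
    try:
        return str(ipaddress.ip_address(first))
    except ValueError:
        return None


def stored_ips(con: sqlite3.Connection) -> List[str]:
    return [row[0] for row in con.execute("SELECT ip FROM visitors ORDER BY id")]
```

The parameterized insert is the fix; the validator only narrows what gets logged and does not replace it.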


Now let's fetch the entire data under the photoblog database with the following command:
sqlmap -u "http://192.168.1.102/cat.php?id=1" --headers="X-Forwarded-For: *" -D photoblog --dump-all --batch


Here the task was to gain access to the administration console, for which we required the login and password of the admin account. Through the sqlmap command we have got the login admin and the password P4ssw0rd.


Now try to use the above credentials to access the administration console: again open the target IP 192.168.1.102 in the browser, click on the admin tab at the top left, and type the login admin and the password P4ssw0rd.



Congrats!!! The first task is completed.
Now the last task is to upload a PHP webshell. Under the administration console you will notice a link Add a new picture for uploading an image to this web server. Click on Add a new picture to upload an image.


Here we can upload an image through the Add option; now I will try to upload a PHP webshell.


I tried to upload a malicious PHP file using the .php extension, the double extension .php.jpg, and also case variants like PHP and pHP, but every time the backdoor failed to upload and the following web page opened.

Then I used exiftool to hide the malicious code inside a PNG image. For this step you need to download an image and save it on the desktop. Now prepare a PHP file by typing the following malicious code in a text file, to create a command injection vulnerability, and save it with the .php extension, as I have saved it as raj.php on the desktop.


Now type the exiftool commands to hide the malicious code of the PHP file inside the PNG image:

cd Desktop
exiftool "-comment<=raj.php" 1.png
exiftool 1.png

From the screenshot you can see I have three files on the desktop: the PHP file raj.php, the original downloaded image as 1.png_original (exiftool's backup copy), and the PHP webshell as 1.png.
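On the defending side, the comment chunk exiftool writes is an ancillary PNG chunk that no viewer needs. As an added example that is not the lab's or the original post's code: a sanitizer that re-encodes an uploaded PNG keeping only the chunks needed to render it, so tEXt/zTXt/iTXt/eXIf metadata is dropped before the file is stored. The 1x1 sample PNG is constructed inline; the KEEP set is an assumption.

```python
"""Added example, not from the lab or the original post: strip metadata
chunks from an uploaded PNG by rebuilding it from its critical chunks only.
The sample image is constructed; the KEEP set is an assumption."""
import struct
import zlib
from typing import List, Tuple

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Critical chunks plus the few ancillary ones a viewer needs for correct colour
KEEP = {b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"gAMA", b"sRGB"}


def parse_chunks(data: bytes) -> List[Tuple[bytes, bytes]]:
    """Walk the chunk list, verifying each CRC; raise on anything malformed."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    pos, chunks = 8, []
    while pos < len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            raise ValueError("bad CRC in %r chunk" % ctype)
        chunks.append((ctype, body))
        pos += 12 + length
        if ctype == b"IEND":
            break  # anything appended after the image is ignored, not copied
    return chunks


def make_chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def sanitize_png(data: bytes) -> bytes:
    """Return a fresh PNG containing only KEEP chunks, in their original order."""
    chunks = parse_chunks(data)
    if not chunks or chunks[0][0] != b"IHDR" or chunks[-1][0] != b"IEND":
        raise ValueError("unexpected chunk order")
    return PNG_SIG + b"".join(make_chunk(t, b) for t, b in chunks if t in KEEP)


def build_sample_png(comment: bytes) -> bytes:
    """Constructed 1x1 RGB PNG with a tEXt 'Comment' chunk, as exiftool writes."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff\x00\x00")  # filter byte + one red pixel
    return (PNG_SIG + make_chunk(b"IHDR", ihdr) + make_chunk(b"tEXt", b"Comment\x00" + comment)
            + make_chunk(b"IDAT", idat) + make_chunk(b"IEND", b""))
```

Metadata stripping is defence in depth only: the decisive fix for this lab is to make sure nothing under the uploads directory is ever handed to the PHP interpreter, whatever its name or contents.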


Now I browsed to 1.png, which is our PHP webshell, to add it as a new image.

Our malicious file was successfully uploaded to the web server. You can see a new row was added as webshell php, which contains our backdoor raj.php; now click on webshell php.


Here is our malicious image; now right click on it and click on View Image.

The image opens in a separate window and, if you remember, it contains the malicious command injection code.


Here I tried to execute the ls command by adding /cmd.php?cmd=ls/etc at the end of the URL, and from the screenshot you can see the response is shown encoded.

Now the last option is to use Repeater in Burp Suite to execute the commands. Start Burp Suite, set the manual proxy in the browser, and open the web page where the "you are hacked" image is uploaded.
Now capture the request through Burp Suite and send the intercepted data to Repeater by right-clicking on its window.

Now change the request path from /show.php?id=4 to /admin/uploads/1484502823.png/cmd.php?cmd=ls, click on Go to send the request, and when you scroll down the response you will find the output of the ls command.
Great!!! We have completed both tasks.

SQL Injection Exploitation in Multiple Targets using Sqlmap

In this article we are going to perform an SQL injection attack on multiple targets through sqlmap.

In the tutorial I have used two buggy web applications: DVWA and Acuart (vulnweb.com).


Start DVWA, select the SQL Injection vulnerability, type a user ID and click on Submit, then copy the URL.


Start Kali Linux, then create a text file sql.txt on the desktop which will contain the URLs of the multiple targets, and paste the copied URL into it. From the screenshot you can see that I have pasted the above URL in this text file and saved it as sql.txt.

Repeat the same process with a different web application. Now open vulnweb.com and click on the URL given for Acuart.


Now click on Browse categories, then click on Posters.


Now let's verify whether the ID is vulnerable to SQL injection or not. Add an apostrophe (') at the end of the URL as shown in the screenshot. You can see I have received an error message, which means the ID is vulnerable to SQL injection. Copy its URL.


Paste the copied URL into sql.txt and save it again. So now I have saved two URLs in the text file, which means the vulnerable IDs of two different web applications are saved under sql.txt.


Open the terminal and type the following command to scan the multiple targets through sqlmap for SQL injection.
sqlmap -m /root/Desktop/sql.txt --dbs --batch


So here you can see I have got the database names for multiple targets. Here I found dvwa among the database names.


Later I got another database name, acuart. Now try it yourself with multiple IDs.
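Both the wizard run above and the -m multi-target run leave recognisable traces on the server side. As an added example that is not part of the original post: detection logic over a web server's combined-format access log, keying on the shape of sqlmap's default User-Agent and on the boolean, union and error probes it sends. The log lines are constructed and the per-source threshold is an assumption.

```python
"""Added example, not from the original post: flag sources in a combined-format
access log that look like a sqlmap run. Log lines are constructed; the
User-Agent string and the min_probes threshold are assumptions."""
import re
from collections import Counter, defaultdict
from typing import Dict, List, Optional
from urllib.parse import unquote_plus

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
PROBE_RE = re.compile(
    r"(?i)\b(AND|OR)\s+\d+\s*=\s*\d+"   # boolean tests such as 1 AND 1=1 / 1=2
    r"|\bUNION\s+(ALL\s+)?SELECT\b"     # union-based column probing
    r"|\b(SLEEP|BENCHMARK|WAITFOR)\b"   # time-based tests
    r"|['\"](\s|$)"                     # the stray apostrophe error test
)
UA = "sqlmap/1.0-dev (http://sqlmap.org)"  # shaped like sqlmap's default UA
SAMPLE_LOG = [  # constructed lines: one benign browser hit, then a sqlmap run
    '10.0.0.7 - - [10/Jan/2017:10:00:01 +0000] "GET /listproducts.php?cat=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    f'10.0.0.9 - - [10/Jan/2017:10:00:02 +0000] "GET /listproducts.php?cat=1%27 HTTP/1.1" 200 4801 "-" "{UA}"',
    f'10.0.0.9 - - [10/Jan/2017:10:00:02 +0000] "GET /listproducts.php?cat=1%20AND%201%3D1 HTTP/1.1" 200 5120 "-" "{UA}"',
    f'10.0.0.9 - - [10/Jan/2017:10:00:03 +0000] "GET /listproducts.php?cat=1%20AND%201%3D2 HTTP/1.1" 200 4801 "-" "{UA}"',
    f'10.0.0.9 - - [10/Jan/2017:10:00:04 +0000] "GET /listproducts.php?cat=1%20UNION%20ALL%20SELECT%20NULL%2CNULL HTTP/1.1" 500 312 "-" "{UA}"',
]


def parse_line(line: str) -> Optional[dict]:
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["path"] = unquote_plus(entry["path"])  # decode before pattern matching
    return entry


def indicators(entry: dict) -> List[str]:
    hits = []
    if "sqlmap" in entry["ua"].lower():
        hits.append("sqlmap-ua")
    if PROBE_RE.search(entry["path"]):
        hits.append("sqli-probe")
    if entry["status"] == "500":
        hits.append("server-error")  # error-based probes often trip a 500
    return hits


def suspicious_sources(lines: List[str], min_probes: int = 3) -> Dict[str, Counter]:
    """Sources sending the sqlmap UA, or at least min_probes injection-looking requests."""
    per_ip: Dict[str, Counter] = defaultdict(Counter)
    for entry in filter(None, map(parse_line, lines)):
        per_ip[entry["ip"]].update(indicators(entry))
    return {ip: c for ip, c in per_ip.items() if c["sqlmap-ua"] or c["sqli-probe"] >= min_probes}
```

The UA check alone is defeated by --random-agent, which is why the probe patterns are counted per source as well.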

Sql Injection Exploitation with Sqlmap and Burp Suite (Burp CO2 Plugin)

Burp CO2 is an extension for the popular web proxy / web application testing tool called Burp Suite, available at Portswigger. You must install Burp Suite before installing the Burp CO2 extension. The CO2 extension includes a variety of functionality to enhance certain web penetration test tasks, such as an interface to make interacting with SQLMap more efficient and less error-prone, various tools for generating lists of users, a Laudanum exploitation shell implementation, and even a word masher for generating passwords.

For more details read burpco2.com.
In this article I will show you how to obtain a sqlmap command through Burp Suite for SQL injection.
Start Burp Suite and click on the Extender tab, then click on BApp Store, which contains Burp extensions that extend Burp's capabilities.


Now select CO2 and click on the Install button available on the right side of the frame.

From the given screenshot you can see the extension CO2 has been added to the menu bar; now click on CO2 and then choose the SQLMapper tool.


Now open DVWA on your PC and log in with the following credentials:

Username – admin
Password – password

Click on DVWA Security and set the website security level to low.

From the list of vulnerabilities select SQL Injection for your attack. Type user ID: ' in the text box. Don't click on the Submit button without setting the browser proxy. Set your browser proxy so that Burp Suite works properly.


Go to Burp Suite, click on Proxy in the menu bar and make sure Intercept is on. Come back and click on the Submit button in DVWA. The Intercept tab displays the HTTP and WebSockets messages that pass between your browser and the web servers.

Now right click on its window; a list of actions opens, from which you select the option Send to SQLMapper.


When the captured request is sent to SQLMapper, it automatically generates the sqlmap command using the referer and cookie.


Here you can see the options box at the bottom of the Burp Suite frame. Now click on the Enumeration tab and select the checkboxes for database, tables, columns, users and passwords.

Now copy the sqlmap command from the text field and run it manually in the terminal.


Open the terminal and paste the above command after "sqlmap" as shown in the screenshot. Now run this command to fetch information about the database.


From this tutorial it is clear how to generate a sqlmap command through Burp Suite for SQL injection. In the last image you can see it starts dumping the data.

Brute Forcing Multiple Databases using HexorBase

HexorBase is a database application designed for administering and auditing multiple database servers simultaneously from a centralized location. It is capable of performing SQL queries and brute-force attacks against common database servers (MySQL, SQLite, Microsoft SQL Server, Oracle, PostgreSQL). HexorBase allows packet routing through proxies or even Metasploit pivoting to communicate with remotely inaccessible servers hidden within local subnets.


To run HexorBase in Kali Linux click Applications > Database Assessment > hexorbase.


Alternatively, open the terminal and type hexorbase.

It will open the graphical interface of HexorBase as shown in the screenshot. It lists several database server types against which you can run a brute-force attack.


Now, to start a brute-force attack, first you need to create an account. In the middle you can see the administration panel; type a username and password of your choice. I typed admin:pass as username and password; this allows me to start the brute-force attack using HexorBase on the desired backend server.


Now choose your database type. I have selected MySQL for the brute-force attack.


Now follow these few steps for the brute-force attack on the server.

·         Type the target IP 192.168.1.104 under database connection.
·         Now click on user list for the dictionary attack option and select a dictionary of usernames.
·         Repeat the above step for the word list to select the password list.
·         Finally click on Launch attack to start the brute-force attack.


Now it will try the combinations of username and password against the target IP. After some time, when the process is 100% complete, you will get the matched combination as the result. You can see from the screenshot that I have got the username and password combination msfadmin:msfadmin for the MySQL server.
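A dictionary run like this is loud on the server: every failed login becomes an "Access denied for user" line in the MySQL error log once the log verbosity is raised. As an added example that is not part of the original post, a detector that finds bursts of such denials per source host within a sliding window. The log lines are constructed and the window and threshold are assumptions.

```python
"""Added example, not from the original post: spot a dictionary attack against
MySQL from 'Access denied for user' lines in the server error log. Log lines
are constructed; window_s and min_failures are assumed thresholds."""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

DENIED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\S* .*?Access denied for user "
    r"'(?P<user>[^']*)'@'(?P<host>[^']*)'"
)
SAMPLE_LOG = [  # constructed: six denials from one host in 20 s, one stray typo elsewhere
    "2017-01-15T10:02:11.000000Z 12 [Note] Access denied for user 'root'@'192.168.1.10' (using password: YES)",
    "2017-01-15T10:02:12.000000Z 13 [Note] Access denied for user 'root'@'192.168.1.10' (using password: YES)",
    "2017-01-15T10:02:14.000000Z 14 [Note] Access denied for user 'admin'@'192.168.1.10' (using password: YES)",
    "2017-01-15T10:02:15.000000Z 15 [Note] Access denied for user 'admin'@'192.168.1.10' (using password: YES)",
    "2017-01-15T10:02:19.000000Z 16 [Note] Access denied for user 'mysql'@'192.168.1.10' (using password: YES)",
    "2017-01-15T10:02:31.000000Z 17 [Note] Access denied for user 'msfadmin'@'192.168.1.10' (using password: YES)",
    "2017-01-15T10:05:02.000000Z 18 [Note] Access denied for user 'alice'@'192.168.1.20' (using password: YES)",
    "2017-01-15T10:05:09.000000Z 19 [Note] InnoDB: Buffer pool(s) load completed",
]


def parse_denials(lines: List[str]) -> List[Tuple[datetime, str, str]]:
    out = []
    for line in lines:
        m = DENIED_RE.match(line)
        if m:
            out.append((datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"), m["user"], m["host"]))
    return out


def find_bruteforce(lines: List[str], window_s: int = 60, min_failures: int = 5) -> Dict[str, dict]:
    """Hosts with >= min_failures denials inside any window_s-second span,
    reporting the densest window and how many distinct usernames it tried."""
    by_host: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, user, host in parse_denials(lines):
        by_host[host].append((ts, user))
    alerts: Dict[str, dict] = {}
    for host, events in by_host.items():
        events.sort()
        start = 0
        for end in range(len(events)):  # sliding window over time-ordered events
            while (events[end][0] - events[start][0]).total_seconds() > window_s:
                start += 1
            count = end - start + 1
            if count >= min_failures and count > alerts.get(host, {"failures": 0})["failures"]:
                users = {u for _, u in events[start:end + 1]}
                alerts[host] = {"failures": count, "distinct_users": len(users)}
    return alerts
```

A high distinct_users count on one host is the tell-tale of a user-list attack rather than one person mistyping a password.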