In this tutorial we will try SQL injection with sqlmap, a tool built into Kali Linux.
Finding a target can be done with Google Dorks, that is, searching through Google for a vulnerable site. (Remember SQL injection is illegal, and should never be performed on a website without the owner's approval.)
On Google you can find large lists of ‘Dorks’, but here are a few:
So let's say we find a site called www.cybersec.dk/index.php?id=4. How do we know if it's vulnerable? Type a ' after the last character in the URL, like index.php?id=4'
This will tell us if the site is vulnerable, by giving us an error message looking like this one:
The database error tells us the site is vulnerable; it could be the one above or a similar error. The error doesn't necessarily have to occur on a blank page, but could appear in a text field anywhere on the site.
The next step is opening a terminal in Kali Linux and typing in:
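Why the stray quote produces a database error, and what fixes it on the server side, shown as an added example that is not part of the original tutorial. The table, the function names and the in-memory SQLite backend are constructed assumptions standing in for the site's real code.

```python
import sqlite3

def make_db():
    """Constructed in-memory database standing in for the site's backend."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT)")
    db.executemany("INSERT INTO pages VALUES (?, ?)",
                   [(4, "About"), (5, "Contact")])
    return db

def page_concatenated(db, raw_id):
    """Vulnerable pattern: the id parameter is pasted into the SQL text."""
    sql = "SELECT title FROM pages WHERE id = " + raw_id
    try:
        row = db.execute(sql).fetchone()
        return ("ok", row[0] if row else None)
    except sqlite3.Error as exc:
        # Returning the driver's message to the visitor is what reveals
        # that user input reached the SQL parser.
        return ("db-error", str(exc))

def page_parameterized(db, raw_id):
    """Hardened pattern: validate the type, then bind the value as data."""
    # isascii() guards against Unicode digits that isdigit() accepts
    # but int() rejects.
    if not (raw_id.isascii() and raw_id.isdigit()):
        return ("bad-request", None)  # generic answer, no database detail
    row = db.execute("SELECT title FROM pages WHERE id = ?",
                     (int(raw_id),)).fetchone()
    return ("ok", row[0] if row else None)

if __name__ == "__main__":
    db = make_db()
    for value in ("4", "4'"):
        print(repr(value), "concatenated ->", page_concatenated(db, value))
        print(repr(value), "parameterized ->", page_parameterized(db, value))
```

With the bound parameter the quote never reaches the SQL parser, so there is no syntax error to leak and nothing for an automated tool to build on.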
sqlmap -u www.site.com/index.php?id=5 --dbs
This first command will initiate the attack and show the databases of the site. In some cases sqlmap will ask whether to follow a redirect to another site; always press ‘n’ for no, because that site may not be vulnerable.
When it's finished, a list of the databases will appear, looking like:
We want to check out what's inside the site_db database with this command:
sqlmap -u www.site.com/index.php?id=5 -D site_db --tables
A list of tables could look like the one above, with the most interesting part being users.
To look into the users table, we'll issue this command:
sqlmap -u www.site.com/index.php?id=5 -D site_db -T users --columns
In the columns of the table users we have firstname, lastname, city, username, password and so on, all available for being ‘dumped’, which we will try;
sqlmap -u www.site.com/index.php?id=5 -D site_db -T users -C email --dump
The output of this command would be a listing of all the emails in the email column of the users table in the site_db database.
If you want to add more columns, simply put a comma between the column names in the command, like firstname,lastname,username.