Love this prototyping software …brilliant!
Here, we will be using one of the best database hacking tools available, sqlmap. Sqlmap can be used against databases other than MySQL, such as Microsoft's SQL Server and Oracle, but here we will focus its capabilities on those ubiquitous web sites that are built with PHP, Apache and MySQL.
Step 1: Start Sqlmap
First, fire up BackTrack and go to BackTrack, then Information Gathering, then Database Analysis, then MySQL Analysis and finally, sqlmap as shown in the screenshot below.
Step 2: Find a Vulnerable Web Site
In order to get "inside" the web site and ultimately the database, we are looking for web sites whose URLs end in "php?id=" where XXX represents some number. Those who are familiar with Google hacks/dorks can do a search on Google by entering:
This will bring up literally millions of web sites matching this basic criterion. If you are creative and ambitious, you can also find numerous web sites that list vulnerable web sites. You might want to check these out.
For our purposes here, and to keep you out of the long reach of the law, we will be hacking a website designed for this purpose, www.webscanhost.org. We can practice on this web site and refine our skills without worrying about breaking any laws and having to make bail money for you.
Step 3: Open Sqlmap
When you click on sqlmap, you will be greeted by a screen like the one below. Sqlmap is a powerful tool, written as a Python script (we will be doing a Python tutorial soon), that has a multitude of options. We will just be scratching the surface of its capabilities in this tutorial.
Step 4: Determine the DBMS Behind the Web Site
Before we begin hacking a web site, we need to gather information. We need to know WHAT we are hacking. As I have said many times before, most exploits are very specific to the OS, the application, services, ports, etc. Let’s begin by finding out what the DBMS is behind this web site.
To start sqlmap on this task, we type:
- ./sqlmap.py -u "the entire URL of the vulnerable web page"
or, in this case:
- ./sqlmap.py -u "http://www.webscantest.com/datastore/search_get_by_id.php?id=4"
When we do so, sqlmap will return results like those below. Notice where I highlighted that the web site back-end is using MySQL 5.0.
Step 5: Find the Databases
Now that we know that the database management system (DBMS) is MySQL 5.0, we need to know what databases it contains. sqlmap can help us do that. We take the command we used above and append --dbs to it, like this:
- ./sqlmap.py -u "http://www.webscantest.com/datastore/
When we run this command against www.webscantest.com we get results like those below. Notice that I have highlighted the two available databases, information_schema and scanme. information_schema is included in every MySQL installation and holds metadata on all the objects in the MySQL instance, but no data of interest. Although it can be beneficial to explore that database to find objects in all the databases in the instance, we will focus our attention here on the other database, scanme, which may have some valuable information. Let's explore it further.
Step 6: Get More Info from the Database
So, now we know what the DBMS is (MySQL 5.0) and the name of a database of interest (scanme). The next step is to try to determine the tables and columns in that database. In this way, we will have some idea what data is in the database, where it is and what type of data it is (numeric or string). All of this information is critical and necessary for extracting the data. To do this, we need to make some small revisions to our sqlmap command. Everything else we used above remains the same, but now we tell sqlmap we want to see the tables and columns from the scanme database. We append --columns -D and the name of the database, scanme, to our command, like this:
- ./sqlmap.py -u "http://www.webscantest.com/datastore/search_get_by_id.php?id=4" --dbs --columns -D scanme
When we do so, sqlmap will target the scanme database and attempt to enumerate the tables and columns in the scanme database.
As we can see below, sqlmap was able to enumerate three tables: (1) accounts, (2) inventory, and (3) orders, complete with column names and data types. Not bad!
Note that the orders table below includes credit card numbers, expiration dates and CVV. The hacker’s “Golden Fleece”!!
As you can see, sqlmap can be a very versatile and useful tool for MySQL, as well as SQL Server and Oracle, database hacking. We plan on coming back to sqlmap in the near future to explore more of its extensive database hacking capabilities.
Keep coming back, my amateur hackers, for more adventures in Hackerland!
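The whole walkthrough above rests on one defect: the numeric "id" query parameter is pasted straight into the SQL text of a page like search_get_by_id.php. The following Python example is added here and is not part of the original tutorial or of sqlmap; it uses an in-memory SQLite table (constructed to stand in for the scanme.inventory table sqlmap enumerated) to show the vulnerable pattern next to its hardened form, which validates the parameter's shape and then binds it instead of concatenating it. The table contents and the tautology probe string are constructed for the demonstration.

```python
import re
import sqlite3

# Constructed stand-in for the "scanme.inventory" table the tutorial enumerates.
SAMPLE_ROWS = [(1, "widget", 9.99), (2, "gadget", 19.99), (4, "gizmo", 4.50)]


def make_db() -> sqlite3.Connection:
    """Create the constructed inventory table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE inventory (id INTEGER PRIMARY KEY, name TEXT, price REAL)")
    conn.executemany("INSERT INTO inventory VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def search_get_by_id_vulnerable(conn: sqlite3.Connection, raw_id: str) -> list:
    """The pattern sqlmap probes for: the query-string value becomes SQL syntax."""
    sql = "SELECT id, name, price FROM inventory WHERE id = " + raw_id
    return conn.execute(sql).fetchall()


def search_get_by_id_safe(conn: sqlite3.Connection, raw_id: str) -> list:
    """Hardened form: validate the parameter's shape, then bind it."""
    # 1. The application expects a small positive integer; reject anything else
    #    before it gets anywhere near the database.
    if not re.fullmatch(r"[0-9]{1,10}", raw_id):
        raise ValueError("id must be a positive integer")
    # 2. Parameter binding: the driver sends the value separately from the
    #    statement text, so it can never be parsed as SQL.
    sql = "SELECT id, name, price FROM inventory WHERE id = ?"
    return conn.execute(sql, (int(raw_id),)).fetchall()


def safe_rejects(conn: sqlite3.Connection, raw_id: str) -> bool:
    """True if the hardened handler refuses the input instead of running it."""
    try:
        search_get_by_id_safe(conn, raw_id)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    probe = "4 OR 1=1"  # constructed tautology probe, the simplest thing sqlmap tries
    print("vulnerable, id=4      ->", search_get_by_id_vulnerable(db, "4"))
    print("vulnerable, tautology ->", search_get_by_id_vulnerable(db, probe))
    print("safe, id=4            ->", search_get_by_id_safe(db, "4"))
    print("safe rejects tautology->", safe_rejects(db, probe))
```

Against the vulnerable handler the tautology returns every row of the table, which is exactly the behaviour sqlmap exploits to walk from one record to the whole schema; the hardened handler returns only the requested row and raises on anything that is not a plain integer. In a PHP/MySQL application the equivalent is a prepared statement (mysqli or PDO with bound parameters) plus the same input validation.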
Two things are needful for holding image data in MySQL:
1/. A BLOB field so that the data is held truly 8-bit clean
2/. A way to inject it without trying to use tools designed for text.
I've used two methods. Both work.
(a) Use the 'load file' command to transfer an image on disk to MySQL.
It does however need special MySQL privileges that are not always
available or safe.
(b) From the PHP environment, I turn the image data into an enormous
hexadecimal number. MySQL seems able to understand that as binary data OK.
i.e. in PHP this is a valid way to include binary data in an UPDATE query:
// bin2hex() turns the binary columns into 0x... literals. The original snippet
// omitted the values for uri, alt_text, privilege_level and filename from the
// argument list; $uri, $alt_text, $privilege_level and $filename are assumed here.
// Note that sprintf's %s does no escaping: the string values must be passed through
// mysqli_real_escape_string() (or the query should use bound parameters) first.
$query = sprintf("update objects set thumbnail=0x%s, type='%d', uri='%s',
    alt_text='%s', privilege_level='%d', filename='%s', size='%d',
    content=0x%s, modified_by='%d', modified_on=now(), etag=md5(content)
    where id='%d'",
    bin2hex($thumbnail), $mime, $uri, $alt_text, $privilege_level, $filename,
    $size, bin2hex($code), $login_id, $id);
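The hex-literal trick in the comment above works because a hex string can only contain the characters 0-9 and a-f, so it can never close the quote or add SQL syntax, unlike the %s string fields in the same query. The following Python example is added here and is not the commenter's code; it builds the same kind of 0x literal from constructed image bytes (including a NUL byte, quotes and a backslash that would break text-oriented insertion), checks the literal's alphabet before it is ever concatenated into SQL, and contrasts that with simply binding the bytes as a parameter. SQLite is used as the offline stand-in for MySQL, so its X'..' blob literal plays the role of MySQL's 0x literal.

```python
import re
import sqlite3

# Constructed sample "image": a PNG signature followed by bytes that break
# text-oriented insertion (a NUL byte, both quote characters, a backslash, 0xFF).
SAMPLE_IMAGE = b"\x89PNG\r\n\x1a\n\x00'\"\\\xff\xfe"

HEX_RE = re.compile(r"[0-9a-f]*")


def hex_literal(data: bytes) -> str:
    """Build the MySQL-style 0x... literal the comment describes (PHP bin2hex)."""
    h = data.hex()
    # The literal is injection-safe only because its alphabet is [0-9a-f];
    # verify that before it goes anywhere near SQL text.
    if not HEX_RE.fullmatch(h):
        raise ValueError("hex encoding produced unexpected characters")
    return "0x" + h


def build_update(thumbnail: bytes, row_id: int) -> str:
    """Same shape as the comment's UPDATE, restricted to the binary column."""
    return "UPDATE objects SET thumbnail=%s WHERE id=%d" % (hex_literal(thumbnail), int(row_id))


def _fresh_table() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE objects (id INTEGER PRIMARY KEY, thumbnail BLOB)")
    return conn


def roundtrip_bound(data: bytes) -> bytes:
    """Preferred approach: bind the bytes as a parameter; no encoding needed at all."""
    conn = _fresh_table()
    conn.execute("INSERT INTO objects (id, thumbnail) VALUES (?, ?)", (1, data))
    (stored,) = conn.execute("SELECT thumbnail FROM objects WHERE id = 1").fetchone()
    return bytes(stored)


def roundtrip_hex(data: bytes) -> bytes:
    """The hex-literal route: SQLite's X'..' stands in for MySQL's 0x.. literal."""
    conn = _fresh_table()
    literal = hex_literal(data)[2:]  # strip the 0x prefix for SQLite's syntax
    conn.execute("INSERT INTO objects (id, thumbnail) VALUES (1, X'%s')" % literal)
    (stored,) = conn.execute("SELECT thumbnail FROM objects WHERE id = 1").fetchone()
    return bytes(stored)


if __name__ == "__main__":
    print(build_update(SAMPLE_IMAGE, 7))
    print("bound round-trip ok:", roundtrip_bound(SAMPLE_IMAGE) == SAMPLE_IMAGE)
    print("hex round-trip ok:  ", roundtrip_hex(SAMPLE_IMAGE) == SAMPLE_IMAGE)
```

Both routes return the bytes unchanged, so the hex literal is a legitimate way to get 8-bit clean data into a BLOB column without file-system privileges. The bound-parameter version is still the one to prefer: it needs no encoding step, the statement text never grows to twice the image size, and the same mechanism protects the text columns (uri, alt_text, filename) that the hex trick does nothing for.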
My aim was to display data from a MySQL table on a WordPress page. I could do it using the wpdb class as mentioned in the Codex, but I didn't know in which file I should write the PHP code that uses the wpdb class functions to retrieve data from the MySQL table.
Hence I installed the Exec-PHP plugin. (The Exec-PHP plugin executes PHP code in posts, pages and text widgets.)
Now you are free to write your PHP code in the page editor and get the retrieved data on your page.
Steps to retrieve data and display it on a WordPress page:
Create a table in the MySQL database (assumed that you create the table in the WordPress database itself). In my case database_name: test, table_name: it_testtable, containing 2 columns: id (number(3)) and name (varchar).
In WordPress, create a page and in the editor write the code. (Make sure you read the documentation of the Exec-PHP plugin and do the required configuration; you will have to enable the 'disable the visual editor while writing' option under the Users section.)
Here is the code to retrieve data from it_testtable and display it on this page. (The wpdb class is used for the WordPress database, hence you need not mention the connection parameters, as wpdb is already configured for the 'test' database with the username and password):
<?php
/* Do not instantiate wpdb directly: the global $wpdb object is already
   set up to talk to the WordPress database. */
global $wpdb;
/* get_results() pulls multiple rows from the database and returns them
   as an array of row objects, stored here in $result. */
$result = $wpdb->get_results("SELECT * FROM it_testtable");
// Uncomment to inspect the raw result object while debugging:
// echo "<pre>"; print_r($result); echo "</pre>";
echo "ID" . " " . "Name" . "<br><br>";
/* Print the contents of $result, looping through each returned row.
   esc_html() keeps stored values from being rendered as HTML or script. */
foreach ($result as $row) {
    echo esc_html($row->id) . " " . esc_html($row->name) . "<br>";
}
?>
These tools include:
- Havij Advanced SQL Injection – http://www.itsecteam.com/products/havij-v116-advanced-sql-injection/index.html#tabset-tab-2
- SQLDict – http://ntsecurity.nu/toolbox/sqldict/
- SQLSmack – http://www.securiteam.com/tools/5GP081P75C.html
- SQLPing 2 – http://www.sqlsecurity.com/downloads/sqlping2.zip?attredirects=0&d=1
- SQLMap – http://sqlmap.org/
A colleague of mine working on a MySQL database asked me how it is possible to disable a MySQL database. He is in a situation where the client has 2 databases and an application, and is not sure which of the two databases the application uses. Therefore the…