Part 1 of this post covered setting up sqlmap and enumerating the databases on the backend. We found two databases there, information_schema and webscantest, as shown below. (information_schema is MySQL's built-in metadata catalog, which is present on every server; webscantest is the application's own database, so that is where the interesting data lives.)

[screenshot screen-shot-2017-01-11-at-22-58-21: sqlmap output listing the two databases, information_schema and webscantest]

Let's find out what tables are present in the webscantest database. We execute the following command to do so:

[screenshot screen-shot-2017-01-12-at-23-56-21: the sqlmap command used to list the tables in webscantest]

Once again, after a lot of output (sqlmap sends many requests and logs each inference it makes), it presents us with the following list of tables:

[screenshot screen-shot-2017-01-12-at-23-56-48: sqlmap output listing the tables in webscantest, including accounts]

Pause here for a second and reflect on where we are: we started with a web app backed by SQL storage, and we can now see how its data is structured. The obvious next step is to pull the data out of the accounts table, which, judging by its name, should hold the user account details. The following command does that:

[screenshot screen-shot-2017-01-13-at-00-04-38: the sqlmap command used to dump the accounts table]

And voilà, we have the keys to the castle :)

[screenshot screen-shot-2017-01-13-at-00-05-10: sqlmap output dumping the rows of the accounts table, including usernames and password hashes]

Note that what we got are password hashes, not passwords. We will not cover breaking the hashes in this writeup, but here is a hint: sqlmap can help you with that too.

That covers how sqlmap works in practice and what it takes to get into a vulnerable SQL backend. This was done against a deliberately vulnerable test app, but the same techniques apply to any application that builds SQL queries from unsanitised user input.

A word of caution: sqlmap is a powerful tool, and with great power comes great responsibility. Run it only against systems you own or have explicit permission to test, and handle anything you find through responsible disclosure.
