Database Hacking, Part 4: Extracting Data with sqlmap

Welcome back, my aspiring White Hat Hackers!

In my previous tutorials in this series, I taught you the basics of SQL injection (the most common method of hacking online databases) and then how to use it against a MySQL database. In this tutorial, we will look at how to extract the key data from that database, our ultimate goal!

Step #1: Do Reconnaissance to Acquire the Necessary Info

The first step, of course, is to do reconnaissance on the database by using sqlmap through the web application. To successfully extract the data, we need:

1. the type of database management system (DBMS)

2. the name of the database

3. the name of the tables

4. the name of the column whose data we want to extract

In our previous tutorial, we acquired all that info from a website named www.webscantest.com.

You can follow the steps below or go back to Hacking Databases, Part 3.

Then we pulled the tables and columns from the database.

In the orders table, we can see that credit card info is stored for every order the company received. That’s what we want!

Step #2: Extracting the Data

Now that we have all the key information we need, it’s time to extract that credit card information. Let’s go back to the help screen for sqlmap. Simply enter:

kali > sqlmap --help

As the help screen shows, we need to use the --dump option in sqlmap along with the column, table and database names, such as:

--dump

-C billing_CC_number

-T orders

-D webscantest

Let’s put all that info together and see whether we can extract that credit card data from the database.

kali > sqlmap -u "http://www.webscantest.com/datastore/search_get_by_id.php?id=4" --dump -C billing_CC_number -T orders -D webscantest

sqlmap has extracted and then dumped the data to my Kali system in .csv format and saved it to:

/root/.sqlmap/output/www.webscantest.com/dump/webscantest/orders.csv

Now, we have all the credit card data in a .csv file format that can be opened in Excel, a text editor or any spreadsheet program.

Of course, if we need more data such as expiration dates or first name and last name, we can extract that data by simply replacing the credit card column name in our sqlmap command with the appropriate column name (e.g. billing_firstname) in the table.
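
Seen from the web server, the dump in this step is a run of requests to search_get_by_id.php whose id parameter carries SQL syntax instead of a number. The Python below is an added example, not part of the original tutorial or of sqlmap, that flags such clients in an access log; the combined log format, the regex heuristics and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Apache/nginx "combined" access-log layout (assumed).
LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (?P<url>\S+) [^"]*" '
                  r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')
# SQL syntax that has no place in a numeric id (heuristic, tune per application).
SQLI = re.compile(r"\bunion\b.+\bselect\b|information_schema|\bsleep\s*\(|"
                  r"\b(?:and|or)\b\s+\d+\s*=\s*\d+|--|/\*|'", re.I)

# Constructed sample lines (documentation IP ranges), not captured traffic.
PAGE = "/datastore/search_get_by_id.php"
TS = "[10/Oct/2024:13:55:36 +0000]"
SAMPLE_LOG = [
    f'203.0.113.7 - - {TS} "GET {PAGE}?id=4 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    f'198.51.100.9 - - {TS} "GET {PAGE}?id=4%27 HTTP/1.1" 200 97 "-" "sqlmap/1.0 (sample)"',
    f'198.51.100.9 - - {TS} "GET {PAGE}?id=4%20AND%207%3D7 HTTP/1.1" 200 512 "-" "sqlmap/1.0 (sample)"',
    f'192.0.2.50 - - {TS} "GET {PAGE}?id=4%20UNION%20ALL%20SELECT%20NULL%2CNULL HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
]

def score_clients(lines, param="id"):
    """Return {ip: {"sqli": n, "tool_ua": bool, "total": n}} for clients worth triage."""
    stats = defaultdict(lambda: {"sqli": 0, "tool_ua": False, "total": 0})
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not in the assumed log layout
        s = stats[m["ip"]]
        s["total"] += 1
        # sqlmap's default User-Agent starts with "sqlmap/"; any client can send
        # a different one, so it is supporting evidence only.
        if m["ua"].lower().startswith("sqlmap/"):
            s["tool_ua"] = True
        # parse_qsl percent-decodes values, so encoded payloads are inspected too.
        for key, value in parse_qsl(urlsplit(m["url"]).query, keep_blank_values=True):
            if key == param and not value.isdigit() and SQLI.search(value):
                s["sqli"] += 1
    return {ip: dict(s) for ip, s in stats.items() if s["sqli"] or s["tool_ua"]}

if __name__ == "__main__":
    for ip, s in score_clients(SAMPLE_LOG).items():
        print(ip, s)
```

Detection only shortens response time; binding id as an integer in a parameterized query is what removes the injection point itself.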

Conclusion

Now, we have successfully compromised a back-end database from a web application using SQL injection techniques and, most importantly, we were able to extract key data from the database. In the following tutorials, we will examine additional ways to compromise and extract data from online databases, so keep coming back!
