
For educational purposes, and in order to develop a test for students, I try to "hack" a website developed by a friend: http://www.websitetohack.com.index.php?id=5 When I launch SQLMAP, it finds a "Time Based Blind SQL Injection".

After some DB queries, here is the info I found:

There are three databases:

  • db01 (php website example with phpbb forum)
  • mysql
  • information_schema

The back-end DBMS is MySQL.
The current user "username" of the DBMS is: administratorforlife
The current user "password" of the DBMS is: ohmygod
The current DB is: db01
The hostname is: db01hostname
The current user of the DBMS is: (DBA) (Database Administrator)

db01 contains a column called "USERS" where 100 fake "accounts + passwords" are listed.
The problem: I don't know where the ADMIN PANEL is. I tried to find it via some scripts without success.

With the help of SQLMAP, is there any way to connect to the DBMS with the info that I have in order to retrieve all users' data in db01? If yes, how? Do you know some command line to enter the DBMS? As all of you know, in blind mode I would spend years.

Thanks for your help!

davidb

1 Answer


You can connect to the database using the credentials under some conditions:

1.) The MySQL daemon needs to run on the external IP address of the server. MySQL can be configured to be used either over a Unix socket or over a network interface. For security reasons it's advisable to bind the daemon only to the loopback, so it can't be attacked by an external offender (like you in this case). You have to check if your friend did configure it securely, by running a port scanner like nmap, for example:

nmap -sS -p 3306 your.hostname

The -sS tells nmap to perform a SYN scan, which is more inconspicuous than a CONNECT scan, and -p 3306 tells it which port to scan. Port 3306 is the default port of the MySQL daemon.

2.) The user needs to be unlocked for external access. MySQL gives the administrator the possibility to only allow a specific user to connect from a specific host, like localhost for example. You can check this by having a look at the mysql.user table through your SQLi.

When these conditions are fulfilled you can connect using the mysql command, or using MySQL Workbench if you're not so into terminal-based work:

mysql -u yourusername -p -h your.hostname

The -u yourusername gives the username, the -p tells the client to prompt you for a password, and the -h your.hostname is the hostname of your target.

Before you do this you should also check the /robots.txt on the webserver. This file contains URLs blacklisted for link crawlers like the Google bot. Often these files contain the paths to administrative interfaces. So maybe you find the login page this way...

davidb
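As an added example, not from the question or the answer above: a small Python audit the site owner can run to check the two conditions the answer lists, namely whether mysqld is bound to a non-loopback address and which accounts in mysql.user admit non-local clients. The my.cnf fragment and the user/host rows are constructed inline (the username is the one from the question); no server is contacted.

```python
"""Audit the two MySQL exposure conditions from the answer offline:
 1. does [mysqld] listen on something other than the loopback?
 2. which mysql.user accounts have a host pattern that allows remote logins?
"""
import configparser

# Constructed sample my.cnf: the weak setting (listening on all interfaces).
MY_CNF_WEAK = """# constructed sample my.cnf
[mysqld]
bind-address = 0.0.0.0
port = 3306
"""

# Constructed rows shaped like: SELECT user, host FROM mysql.user;
USER_ROWS = [
    ("root", "localhost"),
    ("administratorforlife", "%"),   # any host may connect
    ("webapp", "127.0.0.1"),
    ("backup", "10.0.0.%"),          # a whole subnet may connect
]

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def mysqld_listens_remotely(my_cnf_text: str) -> bool:
    """True when mysqld would accept TCP clients from non-local addresses.
    A missing bind-address means MySQL's default of all interfaces, so it
    counts as exposed; skip-networking disables TCP entirely."""
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    cp.read_string(my_cnf_text)
    if not cp.has_section("mysqld"):
        return True
    if cp.has_option("mysqld", "skip-networking") or cp.has_option("mysqld", "skip_networking"):
        return False
    addr = cp.get("mysqld", "bind-address", fallback=None)
    if addr is None:
        return True
    return addr.strip() not in LOOPBACK


def remote_capable_accounts(rows):
    """Return the (user, host) pairs whose host pattern admits non-local clients."""
    return [(u, h) for u, h in rows if h not in LOOPBACK]


def exposure_report(my_cnf_text: str, rows):
    """An account is reachable from outside only when BOTH conditions hold:
    the daemon listens remotely and the account's host pattern allows it."""
    listens = mysqld_listens_remotely(my_cnf_text)
    return {"listens_remotely": listens,
            "exposed_accounts": remote_capable_accounts(rows) if listens else []}


if __name__ == "__main__":
    print(exposure_report(MY_CNF_WEAK, USER_ROWS))
```

Setting `bind-address = 127.0.0.1` (or adding `skip-networking`) makes the report empty even for the `%` account, which is the hardened configuration the answer recommends.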