Penetration Testing Step by Step: Database Enumeration

Database Enumeration

Enumeration With SQLmap

SQLmap is noisy as hell.

Here is the official options/examples page: https://github.com/sqlmapproject/sqlmap/wiki/Usage. For example, save a captured header as an input file for SQLmap:

Load HTTP request from a file

Option: -r

One of the possibilities of sqlmap is loading of raw HTTP request from a textual file. That way you can skip usage of a number of other options (e.g. setting of cookies, POSTed data, etc).

Sample content of a HTTP request file:

POST /vuln.php HTTP/1.1
Host: www.target.com
User-Agent: Mozilla/4.0

id=1

Note that if the request is over HTTPS, you can use this in conjunction with switch --force-ssl to force SSL connection to 443/tcp. Alternatively, you can append :443 to the end of the Host header value.
https://github.com/sqlmapproject/sqlmap/wiki/Usage

For a simpler example see this tutorial:
https://www.securesolutions.no/enumeration-with-sqlmap/.

Find a page with a form you can attack, preferably using GET strings. This should let you enumerate databases:

./sqlmap.py -u http://www.example.com/page.php?id=1

Now list tables:

./sqlmap.py -u http://example.com --tables

 

 

Leave a Reply