2015-08-17

SQL_Inj3cT0r by Incredible


Description:


Basically SQL_Injector is a php script integrated with ‘Sqlmap’ and  uses working functionality of  ‘Sql map’.
A worthy thing for those guys who use  mobile phone internet .  :P
If  you already have hacked server, just upload the script on that server. and sqlmap will use bandwidth of website for exploitation :D , means you can use bandwidth of the server in  order to inject your target.

You can download the script from here ” https://github.com/incredibleindishell/Panda-sql-injector/blob/master/SQL-Injector%20v1.php”

NOTE:  If the server has set to ‘ safe_mode on ‘  the script will not going to work. You need to set safe_mode  to off. In order to do this you can try with ‘ php.ini ’

How to use it ????

Okay, using ‘SQL_Injector’  includes few and very  simple steps, as follows :
1.As mentioned above ‘SQL_Injector ’ is integrated with ‘Sqlmap’, you need to provide path or location of ‘Sqlmap’ on your system. If you don’t have ‘sqlmap’ no need to worry, ‘SQL_Injector’ has functionality to download ‘Sqlmap’. You can refer follower snapshot :



If  you already have sqlmap then set location of sqlmap.py script.  You can refer snapshot:


2.Next step is to provide vulnerable URL to ‘SQL_Injector’.
Suppose your target  URL is  “ website.com/page.php?parameter=something ” . Just paste this vulnerable URL in the ‘injectable url’ section and hit  ‘extract databases’ button.
I am performing it on my localhost for demonstration. Following snapshot can be taken as reference:



In next few moments you will get the results in a text area which will be the names of present databases on the server. Check out the snapshot :


3. Next step is to extract  tables present in the selected database . Enter ‘database’ name of which you want to extract all the tables and hit ‘extract tables’. In my case will proceed with database named “security”.
Refer following snapshot:



In next few moments you will get the name of all the tables present within the database. Eg:


4.In next step we will exploit for columns. Choose any table from the list and proceed for columns  of that table. Enter the name of column in ‘extract columns ’ section. I will proceed with table 'users'.


    After some time you will get all the columns name from entered table.

                                 


5.Now its time to dump the data from columns. You can extract data from columns either one by one or all the data at once. Simply enter the names of columns, separating them with a comma ( , ) for multiple column data.
Refer following snapshot :

(i) For single column data, enter any column name in 'column name' section and hit ' Extract data' button. I will go with column 'username'. Checkout next snapshot for refenence:



SQL_Injector result for column 'username' will show in a text area as shown on the screen :  


(ii) For multiple column data, enter column names as given in the following image: 


Result for all the columns will something like shown in next image:



So… this is SQL_Injector version-1,  with basic functionality. I am working on it to add more features. I will release version-2 very soon..  


Share this post

0 comments

© 2009 Start With Linux | Mannu Linux
Designed by cyb3r.gladiat0r
Posts RSSComments RSS
Back to top