Greetings and initiate video presentation we're going to see how we go about conducting a SQL injection attack using SQL map. In a nutshell, SQL map is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over a database servers. The hardware requirement for this particular lab is a updated install of Kali and a good internet connection. To see how easy SQL map is to use. We can go into the terminal we can type in SQL map face dash H to bring up the Help menu. And this will show us all the different commands and switches that are available.

It's important that you read and understand all these different switches so that it will make sense to you as we go through the lab. So take a couple of moments to scroll through the help menu and look at all the different options that you have for running SQL map. So at my Prop, I type in SQL map space dash H, we're going to go ahead, hit Enter, and just a moment, SQL map will start up and we have the full menu of options that are available to us. The first thing we want to do is we want to load up our SQL map using the dash u, which is the swish that tells it to use the following URL. Now what we're looking for here is some information about what version of SQL they're using and some other information that we can gather, so that we can check to see if we can figure out what exploits can be run against this target.

So let's go ahead and hit Enter. And in just a moment, it's going to come back and give me some information. And it says the back end for this database is my sequel. In this version five, the web application technology is mg I nx. php five dot three At one zero, so we now know that the back end for their database is my SQL, and that is being programmed using PHP. So we got some information here that we can use to go out and look for further exploits.

As we go through the lab, you may be queried by the SQL map to answer some questions. When this happens, and you are in doubt how best to answer those questions. Always answer with Yes, or y in this case, in our next SQL command here, we're going to add another switch. And this is a dash dash DVS. We want to know what databases are available on this target server. So we're querying the server.

And we want we want it to return the information that lists all the different databases to see if there's anything we might be interested in. So I'm going to go ahead and just type typing at the end of this dash dash DVS make sure you got that space there between that first dash and the one, I'm going to go ahead and hit enter. In just a moment, it pulls up the database information off of this target. And there are two databases. One is Accu art. And the other one is information underscore schema, the one that we are going to be interested in is the Accu arc.

So we're now ready to explore the database Accu art, now you'll see that I have removed the dash dash DVS. And now I want to look at the database. So I'm going to use the dash capital V switch, what's the name of the database, we're going to follow that up with. I want to know what tables this database contains. So to do this, I've given it a space after Accu art and I've typed in dash dash tables. We're going to go ahead hit enter in just a moment it comes back and it tells us here are the tables that are listed in this database as we look through the different tables as you looked at this different tables, we see that there is one that might be of interest to us.

And that is the users table. And that's the one we're going to look at next. So we told sequel map to tell us, or to show us the Accu art database, I want to see the table, dash T for users. And now inside of the users table, I want you to show me the columns. So it's database, tables, columns, that is the path we need to get to. To get the information that we need to be able to hack into this particular database.

I'm going to go ahead and hit Enter. And in just a moment, it's going to come up and it's going to show me some information about what is available inside of that users table. Inside of these columns. We can see that there is a column for the user's name, their password, their name and their email address. address some other information in here as well. So you can pull all this information down, or you can pull down just what it is that you want to have from this particular table and its columns.

So we're to the point to where we're going to get some really good information from the accurate database by way of the users table. And what we want to see is the information that's inside the column so that I see show me the email, the name and the past. And we're going to use that dash dash dump switch to get us that information. So I'm now ready to go ahead and hit Enter. And let's see what's in here. Okay, so we have an email address, we have the name, and we have the password.

So we have the email address for this, this user called anonymous, Brazil, and the password is test. So just using SQL map, and using that dash you with the URL along with Once the switches we have used in this demonstration, you can go out and you can find the information from a vulnerable SQL Server just as easy as we did with this demonstration. Now there are lots and lots of SQL Servers out there that are vulnerable. But how do you find them? What if you're not a pen tester? What if you're actually looking for a target so that you can gather some information such as credit cards, and such?

Well, to do that, we use a little thing called Google dorks. And I'm not going to show you in a short demonstration, how to use Google dorks to gather information about vulnerable web applications. In this next part of the lab, we're going to see how we can use Google dorks to go out and find potential targets. So we can all agree on a couple of things. One, Google is probably the number one search engine in the world, and to Google is nothing more than a large database itself. So when we bring up Google and it's no different than Going on to any e commerce site.

And if I type something into the search field, that is that of a sequel expression, as we have here, we can pull up information from the SQL database just like we do from any e commerce site, or any site that has a sequel back end that is vulnerable. So what I'm asking Google here is in the URL, colon, show me URLs that contain the following information in quotes, products dot php, question mark product ID equals now, I keep it in quotes because this is exactly what I want. I don't want you to have to make any guesses or anything else. This is all I want. Right? That's why we wrapped the search in close.

So I'm gonna go ahead and hit Enter. And just a moment Google's gonna pop back up here, and it's going to show me 10,300 results of different For websites that have that information, and you can see it in the URL here. So now we have a bunch of potential targets over 10,000 of them. Now, not every target on here is going to be vulnerable. So you got a hunt attack, you got to look for those vulnerable sites. That's the Recon part.

Now, if you're a pen tester, of course, you can go out and you can get this information from your client. And you can test that client site. But if you're just wanting to explore and practice your skill set using SQL map or just SQL injection in general, then you're going to have to do the Recon. Now, we can also use SQL map to do the query for us SQL map will also take this SQL expression that we have typed into Google here, and it will also use it to go out and find a potential target for us. I'm back at my command prompt. And I'm using the same query that we did up inside a Google only I'm out I'm looking for a number one But I could change that number to a 14 to 12.

Whatever number I want to use. In this case, I'm just looking for a URL with a product ID that equals one. And anything that follows would be inside of those two double quotes. Now if I hit Enter, SQL map is going to do the legwork for me and go out and try to find a site post you when it comes up with. So it says that King commodity com products Pfister criteria, do you want to test this URL? At this point, you can go ahead and try to test it to see if it's vulnerable.

Or you can say no or quit. Now I know for a fact that this site is not vulnerable. But that's just one example of how you can use SQL map to do that legwork for you. Make sure you take the time to read everything that comes back from your SQL map query. It's very important because you're going to get a lot of information that you're going to skip That's going to give you the answers to what you're looking for. And it's probably going to be in their results, but you just have to look for it.

In this case, we have SQL map got 23 results for your search dork expression. 22 of them are testable targets. Alright, so we got a total of 22 possible targets here that we can test to see if the website is vulnerable to a SQL injection attack. Alright, so what is the word dork have to do with any of this? Well, the word dork is just something that describes an individual that did not take the time to protect the back end of the SQL Server and they allow it to be vulnerable to a SQL injection attack. That's where the word dork comes from.

Now, where can we get all of these Google dork expressions from? Well, we can go to the Google hacking database, which is online and we can find new expressions. We can get old expressions, we can find Pacific expressions when we're searching for something very specific. It might be a specific application, it might be a specific type of a page that we want to locate on a back end of a SQL Server. So if you go to the Google hacking database, you can go through there and look for whatever it is you want. And hopefully you'll be able to find it.

But you can see that this is nothing more than being able to use SQL expressions. So if that's the case, then knowing something about SQL is of a great advantage to a pen tester, and or a hacker in the lab. I've also listed a number of Google dorks. These are some of the more popular SQL expressions that you can use to go up and find additional targets using the Google search engine. So in this short video presentation, we got to see how SQL map can be used to automate a SQL injection attack against a vulnerable web application. We also got to see how we can locate potential targets using Google dorks.

So if you have any questions or you have any concerns about this short video presentation, please do not hesitate to reach out and contact your instructor and I'll see you in my next video.