Finding and exploiting SQL Injections with SQLMap
As seen in the previous recipe, exploiting SQL Injections may be an industrious process. SQLMap is a command-line tool, included in Kali Linux, which can help us in the automation of detecting and exploiting SQL Injections with multiple techniques and in a wide variety of databases.
In this recipe, we will use SQLMap to detect and exploit an SQL Injection vulnerability and will obtain usernames and passwords of an application with it.
How to do it...
Go to
http://192.168.56.102/mutillidae.In Mutillidae's menu, navigate to OWASP Top 10 | A1 – SQL Injection | SQLi Extract Data | User Info.
Try any username and password, for example
userandpasswordand then click on View Account Details.The login will fail but we are interested in the URL; go to the address bar and copy the full URL to the clipboard.
Now, in a terminal window, type the following command:
sqlmap -u "http://192.168.56.102/mutillidae/index.php?page=user-info.php&username=user...
