How to Perform SQL Injection with Kali Linux

By /

Introduction

SQL Injection is a common web hacking technique that allows an attacker to manipulate a database by inserting malicious SQL code into input fields. This can lead to unauthorized access to sensitive data, data manipulation, and even complete control over the database. In this guide, we’ll walk you through the process of performing SQL Injection using Kali Linux, a powerful open-source penetration testing platform.

Prerequisites

Before you begin, ensure you have the following:

  • A Kali Linux installation.
  • Basic knowledge of Linux and command-line operations.
  • A target website that is vulnerable to SQL Injection.

Step-by-Step Guide

Step 1: Install Necessary Tools

Kali Linux comes pre-installed with many tools, but you might need to install additional ones. Open a terminal and run the following commands:

sudo apt update
sudo apt install sqlmap

sqlmap is a popular open-source tool for automated SQL injection and database takeover.

Step 2: Identify Vulnerable Input Fields
  1. Open Browser: Open your target website in a web browser.
  2. Inspect Elements: Use the browser’s developer tools (usually accessed by pressing F12) to inspect the HTML elements and identify input fields that might be vulnerable.
Step 3: Perform SQL Injection
  1. Open Terminal: Open a terminal window.
  2. Use sqlmap: Navigate to the directory containing the target URL and run sqlmap. For example:
sqlmap -u "http://example.com/vulnerable_page.php?id=1"

Explanation of Options:

  • -u: Specifies the URL of the target page.
  • -p: Specifies the parameter to test (replace id with the actual parameter name if different).
Step 4: Analyze Results

sqlmap will automatically attempt to identify SQL Injection vulnerabilities and provide a summary of its findings. Common results include:

  • Database Information: The type of database and version.
  • Tables: List of accessible tables.
  • Columns: List of accessible columns.
Step 5: Exploit the Vulnerability

Once you have identified a vulnerability, you can exploit it to retrieve sensitive information. For example:

sqlmap -u "http://example.com/vulnerable_page.php?id=1" --dump

Explanation of Options:

  • --dump: Dumps the contents of the database.
Step 6: Automate the Exploit

You can automate the exploitation process using sqlmap’s scripting capabilities. For example:

sqlmap -u "http://example.com/vulnerable_page.php?id=1" --batch --dump > output.txt

Explanation of Options:

  • --batch: Enables batch mode, which runs the command without user interaction.
  • --dump: Dumps the database contents to a file.
Step 7: Secure Your Findings

Once you have retrieved the sensitive information, ensure you secure it properly. Avoid sharing it with unauthorized parties and store it securely.

Tools and Techniques for OpSec

Operational security (OpSec) is crucial when performing SQL Injection attacks. Here are some tools and techniques to help you maintain your anonymity:

  • VPN: Use a Virtual Private Network (VPN) to hide your IP address and encrypt your internet traffic.
  • Tor Browser: Use the Tor browser to access the internet anonymously.
  • Bitcoin Mixers: Use Bitcoin mixers to obfuscate the origin of your cryptocurrency transactions.
  • Prepaid Cards: Use prepaid cards to receive your earnings and make purchases.
  • Fake IDs: Use fake IDs or other personal information to create accounts and maintain your anonymity.
Scroll to Top