Hello dear forum users. I am new to programming and hacking. Please excuse me for a frank request to help me with hacking. I know that this is punishable and I am ready to bear responsibility for it myself. Please excuse me if I created the topic in the wrong thread. Please also excuse me for the long text; I tried to explain in more detail. So, the essence of this topic:
I want to hack a certain forex broker. I want to get the data (passwords from personal accounts, numbers and passwords of trading accounts) of its users. I know that it is difficult to do or even impossible, but I want to try it. Using the service Web-sites on a single IP, I found out the IP address of the broker's website. This site is located on Cloudflare. With the help of this service, I found out the neighboring sites too. I decided not to directly attack the broker's site, but to find vulnerabilities on neighboring sites. I ran a scan in Burp Suite against one of the neighboring sites. Burp Suite found a SQL injection on this site. The SQL injection was in the JSON cookie parameter in the GET request. After reading a little about SQL injection, I was able to send queries using Burp Suite. Query results did not appear directly on the page, but only through query errors, i.e. it was an error-based SQL injection. Cloudflare blocked some queries. In this case, I made bypass requests and they were successful. With the help of queries, I found out the username under which I made the queries, the database version (MySQL 5.7.28), the table names of the information_schema tables and the site database tables.

The cookie in the GET request in Burp Suite was in this format: parameter={"parameter1":"value1","parameter2":"value2","vulnerableparameter":"value", etc. }. Burp Suite found the SQL injection by putting a " character after the value in the vulnerable parameter, i.e. the cookie looked like this in the request in Burp Suite: parameter={"parameter1":"value1","parameter2":"value2","vulnerableparameter":"value"" , etc. }. I sent requests by substituting my queries in the cookie after the " character, and the requests were completed successfully. I decided to use sqlmap to automate the process. But to my regret, I could not correctly inject into the vulnerable JSON parameter using sqlmap.
I ran sqlmap with the options -r httprequest.txt --level=5 --risk=3 --dbms=mysql. In httprequest.txt I copied the entire request from Burp Suite and put * in the place where I needed to inject, but the result was unsuccessful. I also ran sqlmap with the options -u "websiteurl" --cookie="dataofcookie" --level=5 --risk=3 --dbms=mysql, but the result was again unsuccessful. In both cases sqlmap did not find the vulnerable JSON parameter in the cookie and injected into the URL instead, which is wrong in this case. I have gathered some info about this and found that for sqlmap to find this vulnerable JSON parameter I must write a Python script and run sqlmap with the option --tamper=scriptname.py. So my questions are:
1) What needs to be written in the Python script code to solve the problem of sqlmap finding the vulnerable JSON parameter in the cookie? If this is not a small piece of code, then at least an approximate direction.
2) During my experiment, the admin took countermeasures against my experiment. He cut the rights of the user under which I made requests. Now the queries that I used to get the tables show nothing; no error message appears. When a certain query is executed successfully, the message "execute command denied to user 'username' for routine 'site_database'" appears. But the SQL injection itself is still present on the site. How can I continue my experiment with this SQL injection after the admin cut the rights? Or must I find other ways of hacking this neighbor site?
In order to advance further in hacking the broker, it is important for me to know the answer to my 1st question.
Thanks in advance for your replies and help.