
Ukraine/Russia CyberWar! Targeting Russian Websites with SQL Injection

  • Writer: otw
  • 7 hours ago
  • 4 min read


Welcome back, aspiring cyberwarrior!


Overwatch, in Ukraine, back again.


Today we’re diving into SQLMap, one of the most powerful tools for SQL injection. This is the first part of a four-part series in which we’ll explore how to manually test and exploit vulnerable targets, go deeper with automation using Nuclei and Python dorking, learn how to pwn a server, and finally walk through a real case of full server compromise using SQLi.




OWASP Top 10


Although injection dropped to position 3 in the OWASP Top 10, injection exploits are still very much alive and widely used. In fact, many websites, including government ones, are still wide open. Sometimes you’ll come across a simple time-based injection that’s slow and boring but still leaks data. Other times, a union-based injection will let you dump entire databases fast and clean.


Error-based injections are pretty common and easy to spot. Boolean-based ones also work well and are fairly easy to control.


But here’s the thing: SQLi is unpredictable. One site might look totally vulnerable but give you nothing, and another might seem solid but leak everything with just one payload. Like alchemy, you really don’t know until you test it. And it’s always worth trying.


Simple payload


Let’s start with the basics. Often you don’t need to go overboard, since SQLMap can handle most of it for you. I usually stick with simple payloads and don’t jump straight to complex ones, because that can actually make you miss the real vulnerability. Even raising parameters like --risk or --level too early can make your payload fail.


Let’s take an example of a Russian ISP website. The command is simple. I normally go with levels 3 to 5. Lower levels didn’t give me results unless it was some very outdated website and, honestly, you don’t need to waste time on those.


Start with a risk level of 1, especially if you’re not sure whether there’s a firewall in place. Jumping straight to risk 3 isn’t a smart move unless you know the environment is wide open.




Now let’s try dumping their data with --dump. We are interested in the billing database (-D billing) and the users11 table (-T users11); at the end, attach --columns to enumerate the columns.





You can also use --users and --passwords to dump internal data.




The --users flag enumerates database users (their password hashes come via --passwords, below). It’s useful to see if any are tied to IP restrictions. If you see a *, that means all IPs are allowed - good for us.


The --passwords flag will dump password hashes if available. If you succeed, it opens up a new attack vector. We’ll dive deeper into that later.


Let’s now test a second example where higher risk and level work just fine and actually give better results.


Here is a furniture shop in Moscow. Even though the website seems pretty modern, the id= parameter is injectable due to poor input sanitization.
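The "poor input sanitization" behind an injectable id= parameter, as an added example that is not from the original post or from any site it describes: a constructed in-memory product lookup, with the request value pasted into the SQL string next to the parameterized version that a defender would ship instead. The table, rows and inputs are all made up for the demo.

```python
# Added example (not from the original post): why a concatenated id= parameter is
# injectable, beside the parameterized fix. Data and inputs are constructed.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory shop database with one public and one hidden product."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, public INTEGER)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)",
                     [(1, "oak table", 1), (2, "internal price list", 0)])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, raw_id: str) -> list:
    """The pattern that makes id= injectable: the request value is pasted into the query."""
    sql = f"SELECT name FROM products WHERE public = 1 AND id = {raw_id}"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, raw_id: str) -> list:
    """Hardened version: validate the type, then bind the value as a parameter."""
    try:
        id_value = int(raw_id)  # anything that is not an integer is rejected up front
    except ValueError:
        return []
    sql = "SELECT name FROM products WHERE public = 1 AND id = ?"
    return [row[0] for row in conn.execute(sql, (id_value,))]


# Constructed inputs: a normal request and a boolean-style tautology.
# In the vulnerable query the tautology becomes
#   WHERE (public = 1 AND id = 1) OR 1=1
# because AND binds tighter than OR, so the non-public row leaks too.
NORMAL = "1"
TAUTOLOGY = "1 OR 1=1"

if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, NORMAL))     # ['oak table']
    print(lookup_vulnerable(db, TAUTOLOGY))  # ['oak table', 'internal price list']
    print(lookup_safe(db, TAUTOLOGY))        # []
```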





We will go with --level=4 and --risk=3 again this time.





To move further, we will need to dump the users table with usernames and hashes. But keep in mind: custom hash formats won’t be cracked by SQLMap, so don’t be surprised if it fails. Just export them and use Hashcat or John the Ripper.




Once cracked, try to log into the original website. That’s when you can do real damage by accessing admin panels, changing content, maybe even finding more entry points.



We are in! That one was easy. But now, let’s turn up the heat and look at a more interesting challenge.



Tampers


Now let’s get a little fancy. This time, we’re targeting a gov.ru website. For OPSEC reasons, I won’t say which one, but the lessons still apply.




Sometimes regular SQLMap payloads fail, usually because a web application firewall (WAF) filters out suspicious requests. That’s where tamper scripts come in. One of my favorites is randomcase: it randomizes the letter case of your payload, which helps bypass WAFs that rely on strict, case-sensitive pattern matching.


Another flag you might notice is --no-cast. This tells SQLMap not to cast data types in its payloads. It can be useful after you find a working injection; before that, it might get in your way.


There are tons of tamper scripts designed for different firewalls. If you manage to identify which firewall is running, you’ll have a better chance of picking the right tamper combination to bypass it.





Experiment. Over time, you’ll find the ones that work for you.



Columns


Let’s move to another target: a government-associated website for the city of Khabarovsk.

Quick history: Khabarovsk is a major city in the Russian Far East, close to China. It’s known for its military importance and some sketchy biological programs during the Soviet era. This website looks like a city archive. We’re about to dig into it.





Now, take a close look at the search function. It displays results in a clean table format. That’s your clue: you need to know how many columns the query returns. If your union payload uses the wrong number of columns, it won’t work.





Use this: --union-cols=4




Here we know the table returns four columns, so we match it. Also, setting a union character (--union-char, a random string or number used instead of NULL) can sometimes help stabilize your payload and avoid false positives.

Don’t forget to add tamper scripts. You can even stack them, just make sure they don’t conflict with each other.
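On the other side of the wire, the two points made in the Tampers and Columns sections above are exactly what a detection rule has to account for: case tricks like randomcase only work against matching that is case-sensitive, and a UNION probe reveals how many columns the attacker is trying to line up. This added example (not from the original post, with constructed log lines that are not real traffic) normalizes URL-encoding and case before matching, then reports the column count of any UNION probe and flags time-based probes.

```python
# Added example (not from the original post): access-log detection that survives
# randomcase-style tampering and reports UNION column probing. Log lines are constructed.
import re
from typing import Optional
from urllib.parse import unquote_plus

# Constructed access-log lines (common log format); none of this is real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2025:10:00:00 +0000] "GET /item.php?id=17 HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2025:10:00:01 +0000] "GET /item.php?id=17%20uNiOn%20sElEcT%20NULL,NULL,NULL,NULL-- HTTP/1.1" 200 812
10.0.0.9 - - [01/Jan/2025:10:00:02 +0000] "GET /search.php?q=archive%27%20AnD%20SlEeP(5)-- HTTP/1.1" 200 300
10.0.0.7 - - [01/Jan/2025:10:00:03 +0000] "GET /search.php?q=union%20station HTTP/1.1" 200 700
"""

REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"(?:GET|POST) (?P<path>\S+) ')
# Matched against the *normalized* query, so mixed case and %-encoding no longer matter.
UNION_RE = re.compile(r"\bunion\b(?:\s+all)?\s+select\s+(?P<cols>[^-#;]+)")
TIME_RE = re.compile(r"\b(?:sleep|benchmark|pg_sleep|waitfor)\s*\(")


def normalize(raw_query: str) -> str:
    """Undo what case and encoding tricks rely on: decode twice, lowercase, squeeze whitespace."""
    decoded = unquote_plus(unquote_plus(raw_query))
    return re.sub(r"\s+", " ", decoded.lower())


def inspect_request(path: str) -> Optional[dict]:
    """Return a finding for one request path, or None if nothing suspicious is in it."""
    query = path.split("?", 1)[1] if "?" in path else ""
    norm = normalize(query)
    m = UNION_RE.search(norm)
    if m:
        # The select list tells you how many columns the probe is trying to match.
        cols = [c.strip() for c in m.group("cols").split(",") if c.strip()]
        return {"type": "union", "columns": len(cols)}
    if TIME_RE.search(norm):
        return {"type": "time-based"}
    return None


def scan_log(log_text: str) -> list:
    """Run inspect_request over each line; each finding carries the source ip and path."""
    findings = []
    for line in log_text.splitlines():
        req = REQUEST_RE.match(line)
        if not req:
            continue
        finding = inspect_request(req.group("path"))
        if finding:
            findings.append({"ip": req.group("ip"), "path": req.group("path"), **finding})
    return findings
```

The plain word "union" in the last line is not flagged, because the rule requires the union/select pair rather than a bare keyword.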



Summary


We’ve laid the groundwork, covering the essentials of SQL injection, playing with SQLMap, understanding the role of tamper scripts, and working with real targets like Russian companies and government sites.


In the next part, we’ll take it a step further and automate the entire process using Nuclei, dorking tools, and custom workflows to scale your recon and target smarter.


See you in Part 2!



