SQLmap Tutorial

Running sqlmap yourself is not difficult. Read through this tutorial and you will get an introduction to a powerful SQL injection testing tool. Of course, this is the same tool we use on our online SQL injection test site.

One thing to keep in mind is that sqlmap is a Python-based tool. This means it will usually run on any system with Python; however, we like Ubuntu, as it simply makes it easier to get stuff done. Python comes already installed in Ubuntu. Getting started with sqlmap is a matter of downloading the tool, unpacking it and running the command with the necessary options. Let's not get ahead of ourselves, though: there may be some Windows users amongst you, so let me start off with getting an Ubuntu install up and running. It is easy to get started on an Ubuntu Linux system even if the thought of Linux sends you into shivering spasms of fear. Who knows, you may even like it.

If you are running Microsoft Windows as your main operating system, you will likely find it most convenient and simple to run an install of Ubuntu Linux in a virtual machine. You can then play with sqlmap, nmap, nikto and openvas along with a hundred other powerful open source security tools. If you would like to perform remote scanning such as that provided by hackertarget.com, you could pay for a cheap Ubuntu-based VPS from one of hundreds of providers, paying anything from $10 per month to $100 or so. Linode is great for this, providing high quality and solid systems for the price.

Step 1: Install VirtualBox

VirtualBox is a free and easy-to-use virtual machine manager. You could of course use VMware or Parallels, but we will use VirtualBox.

Select Bridge for your adapter. You could use NAT or Host Only, of course; it just depends on your requirements. In bridge mode your VM will have an IP address on your local network, which makes it easier when you are playing with network-based security testing tools. Security testing is fun, just ensure you only test on systems you own / operate or have permission to scan.

Step 2: Ubuntu Installation

Download the latest Ubuntu ISO from http://www.ubuntu.com, select the ISO as the boot media for your guest and start the virtual machine. Select the install option and Ubuntu will be installed onto the virtual hard disk on the machine.

Step 3: SQLmap Installation

Python is pre-installed in Ubuntu, so all you need to do is download sqlmap from SourceForge, unpack it into a directory and start your testing.

Fetch the archive with wget from the download section at http://sqlmap.sourceforge.net/#download

You can unpack it with a GUI-based tool (double click on it) or use tar and gzip together with this command.

tar zxvf sqlmap-0.9.tar.gz

cd sqlmap

python sqlmap.py

This should be the result when you run the sqlmap.py script from a working installation:

    sqlmap/0.9 - automatic SQL injection and database takeover tool

    http://sqlmap.sourceforge.net

    Usage: python sqlmap.py [options]

    sqlmap.py: error: missing a mandatory parameter ('-d', '-u', '-l', '-r', '-g', '-c', '--wizard' or '--update'), -h for help

The error is merely telling us that we did not fill in the parameters needed for a test to take place. You can repeat the command with the -h option to get a full list of options, or see the excellent online help and tutorials on the sqlmap project page.

For a simple test we will use the HTTP GET testing option against a single URI.

python sqlmap.py -u 'http://mytestsite.com/page.php?id=5'

This will run a bunch of SQL injection tests against that URL, with the parameter (id) being tested for SQL injection.
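To show why a parameter like id gets flagged, and how it stops being flagged once fixed, here is an added example that is not part of the original tutorial and not sqlmap's own code. It assumes a hypothetical pages table in an in-memory SQLite database standing in for the site behind page.php, two hypothetical handlers, and a simplified true/false comparison of the kind such tests rely on.

```python
import re
import sqlite3


def make_db():
    # Constructed sample data standing in for the test site's database.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT)")
    db.executemany("INSERT INTO pages VALUES (?, ?)",
                   [(5, "Welcome"), (6, "Contact")])
    return db


def page_vulnerable(db, id_param):
    # The 'before': the raw query-string value is pasted into the SQL text,
    # so anything after the number is parsed as SQL.
    sql = "SELECT title FROM pages WHERE id = " + id_param
    return [row[0] for row in db.execute(sql)]


def page_hardened(db, id_param):
    # The fix: accept only ASCII digits, then bind the value as a parameter
    # so it can never become part of the statement.
    if not re.fullmatch(r"[0-9]+", id_param):
        return []
    return [row[0] for row in db.execute(
        "SELECT title FROM pages WHERE id = ?", (int(id_param),))]


def is_injectable(handler, db, base="5"):
    # Differential check: append an always-true and an always-false condition.
    # If the page content follows the condition, the value reaches the SQL parser.
    normal = handler(db, base)
    when_true = handler(db, base + " AND 1=1")
    when_false = handler(db, base + " AND 1=2")
    return when_true == normal and when_false != normal


if __name__ == "__main__":
    db = make_db()
    print("vulnerable handler flagged:", is_injectable(page_vulnerable, db))
    print("hardened handler flagged:  ", is_injectable(page_hardened, db))
```

Re-running the same scan after moving a handler to bound parameters is a quick way to confirm the fix took effect.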

SQLmap can be used not only to test for but also to exploit SQL injection, doing things such as extracting data from databases, updating tables and even popping shells on remote hosts if all the ducks are in line. All these options and examples are available on the excellent SourceForge project page. So now that you have a working installation, get on over there and start testing.