Getting started with sqlmap
Using sqlmap can be tricky when you are not familiar with it. This sqlmap tutorial aims to present the most important functionalities of this popular SQL injection tool in a quick and simple way. Before using sqlmap you must first get the latest release of the tool and install a Python interpreter. Most Linux distributions have Python installed by default. If that is not the case, or if you are not using Linux, you will need to download and install Python. Finally, you will need a vulnerable website to test. In this tutorial we are using our simulation environment (hosted on the local machine and available on port 8888).
Once sqlmap is extracted, move to its directory and execute the command below to make sure everything is working fine.
Syntax to Show sqlmap help.
python sqlmap.py --help
If you do not see sqlmap help make sure you did not forget a step in the setup instructions.
Test GET Parameters
You are now ready to test a vulnerable GET parameter. Run sqlmap as indicated below. Specify the URL through the -u parameter (or --url) and give the complete URL of the page you want to test, including the GET parameters, each with a sample value.
python sqlmap.py -u "http(s)://target[:port]/[...]/[page]?param=val[&...]"
Test GET parameter with Sqlmap
python sqlmap.py -u "http://127.0.0.1:8888/cases/productsCategory.php?category=1"
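To make clear what sqlmap is probing for when it tests a GET parameter such as category above, here is an added example (not code from the original page or from the sqlmap project) of the two ways a backend can handle that parameter. It assumes a small SQLite products table standing in for the tutorial's productsCategory.php backend; the table, its rows and the function names are all constructed for this illustration. The first function concatenates the parameter into the SQL text, which is the defect sqlmap detects; the second binds it as a query parameter; the third adds input validation on top of binding.

```python
from __future__ import annotations

import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed in-memory catalogue (assumption: a products table with a category column)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, category INTEGER)"
    )
    conn.executemany(
        "INSERT INTO products (name, category) VALUES (?, ?)",
        [("keyboard", 1), ("mouse", 1), ("monitor", 2), ("desk", 3)],
    )
    return conn


def products_by_category_vulnerable(conn: sqlite3.Connection, category: str) -> list[str]:
    """Vulnerable: the GET parameter is spliced into the SQL text, so anything
    the client sends becomes part of the statement."""
    sql = "SELECT name FROM products WHERE category = " + category + " ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def products_by_category_bound(conn: sqlite3.Connection, category: str) -> list[str]:
    """Fixed: the value is passed as a bound parameter. The driver never
    parses it as SQL, so a tautology sent as the category simply matches nothing."""
    sql = "SELECT name FROM products WHERE category = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (category,))]


def products_by_category_safe(conn: sqlite3.Connection, category: str) -> list[str]:
    """Fixed plus defence in depth: reject anything that is not a category id
    before it reaches the database, then bind the value."""
    if not category.isdigit():
        raise ValueError("category must be a non-negative integer")
    sql = "SELECT name FROM products WHERE category = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (int(category),))]


if __name__ == "__main__":
    conn = build_db()
    # Constructed inputs: the normal value and a boolean tautology of the kind
    # sqlmap uses to tell an injectable parameter from a safe one.
    for value in ("1", "1 OR 1=1"):
        print(value, "->", products_by_category_vulnerable(conn, value),
              products_by_category_bound(conn, value))
```

The vulnerable function returns the whole table for the tautology input while the bound version returns only what a real category id would; that difference in responses is exactly the signal sqlmap's boolean-based tests look for, and removing it (by binding parameters) is the fix.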
Test POST Parameters Using Sqlmap
By default sqlmap tests only GET parameters, but you can specify the POST parameters you would like to verify. Sqlmap will then test both the GET and the POST parameters indicated. To do so, add the --data option as shown below.
python sqlmap.py --data "param=val[&...]" -u "http(s)://target[:port]/[...]/[page]"
Test POST parameter with sqlmap
python sqlmap.py --data "username=xyz&password=xyz&submit=xyz" -u "http://127.0.0.1:8888/cases/login.php"
One common mistake when testing POST parameters is to forget the submit parameter. If it is not specified, sqlmap will not be able to perform a correct scan, and you will most likely end up with a report indicating that no vulnerabilities were found in the script even though it is vulnerable. Always specify the submit parameter name and its default value.
Sqlmap has a built-in function to parse all forms in a web page and test them automatically. Even though in some cases the scan may not be as effective as when all parameters are indicated manually, it is still handy in many situations. Here is the syntax:
python sqlmap.py --forms -u "http(s)://target[:port]/[...]/[page]"
Parse Forms with sqlmap
python sqlmap.py --forms -u "http://synapse:8888/cases/productsCategory.php"
Level of Tests
By default sqlmap tests all the GET and POST parameters specified; however, in some cases you might want to test additional entry points such as HTTP headers. It is possible to select them with specific options, but the most straightforward technique is to use the --level option. There are five levels available in sqlmap (the default being level 1). Level 2 adds testing of the HTTP Cookie header, and level 3 adds the HTTP User-Agent and Referer headers.
python sqlmap.py -u "http(s)://target[:port]/[...]/[page]" --level 5
In some cases parameters are included inside URI paths. Sqlmap allows you to specify exactly where to try SQL injection in these cases. Let's take an example where mod_rewrite is used and http://host/page/param-value/ points to http://host/page.php?id=param. Here is how sqlmap should be used in this case.
Append an asterisk (*) after each segment to test.
Sqlmap syntax to test URI segments.
python sqlmap.py -u "http://host/page/param-value*/"
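The --level and URI-segment sections above together describe every place a scan may inject: GET and POST parameters, the Cookie, User-Agent and Referer headers, and path segments. From the defender's side, those are the fields a web server log review has to decode and inspect. The following added example (not from the original page or from sqlmap) does that for a few constructed combined-format access log lines: it parses each line, URL-decodes the query string, the path segments, the Referer and the User-Agent, and reports which field carries SQL syntax or the default sqlmap User-Agent banner. The log lines, the regular expressions and the function names are all assumptions made for this illustration; the SQL indicator pattern is deliberately coarse and would be tuned per application in practice.

```python
from __future__ import annotations

import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed sample access log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
127.0.0.1 - - [10/Mar/2024:10:00:01 +0000] "GET /cases/productsCategory.php?category=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
127.0.0.1 - - [10/Mar/2024:10:00:02 +0000] "GET /cases/productsCategory.php?category=1%20AND%201%3D1 HTTP/1.1" 200 512 "-" "sqlmap/1.7 (https://sqlmap.org)"
127.0.0.1 - - [10/Mar/2024:10:00:03 +0000] "GET /cases/productsCategory.php?category=1 HTTP/1.1" 200 512 "http://127.0.0.1:8888/cases/productsCategory.php?category=1%27" "Mozilla/5.0"
127.0.0.1 - - [10/Mar/2024:10:00:04 +0000] "GET /page/param-value'%20UNION%20SELECT/ HTTP/1.1" 404 0 "-" "Mozilla/5.0"
127.0.0.1 - - [10/Mar/2024:10:00:05 +0000] "GET /cases/login.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# One combined-format line: ip ident user [ts] "method target proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Coarse indicators of SQL syntax inside a user-controlled value: a quote,
# comment markers, UNION SELECT, or a boolean clause such as "AND 1=1".
SQLI_RE = re.compile(
    r"(?:'|--|/\*|\bunion\b\s+\bselect\b|\b(?:and|or)\b\s+\S+\s*=)", re.IGNORECASE
)


def parse_line(line: str) -> dict | None:
    """Split one log line into its fields, or return None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def suspicious_fields(entry: dict) -> list[str]:
    """Return the names of the request fields that look like SQL injection probes."""
    hits: list[str] = []
    # sqlmap sends its own User-Agent unless the operator changes it; at level 3
    # the User-Agent and Referer are also injection points, so both are decoded
    # and inspected for SQL syntax.
    ua = unquote_plus(entry["ua"])
    if "sqlmap" in ua.lower():
        hits.append("user-agent:sqlmap-banner")
    elif SQLI_RE.search(ua):
        hits.append("user-agent")
    if SQLI_RE.search(unquote_plus(entry["referer"])):
        hits.append("referer")
    parts = urlsplit(entry["target"])
    # GET parameters, the level 1 entry points; parse_qsl URL-decodes the values.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if SQLI_RE.search(value):
            hits.append(f"query:{name}")
    # URI path segments, the mod_rewrite case marked with '*' in the sqlmap call.
    for segment in parts.path.split("/"):
        if SQLI_RE.search(unquote_plus(segment)):
            hits.append("path")
            break
    return hits


def scan_log(text: str) -> list[tuple[str, list[str]]]:
    """Return (timestamp, reasons) for every parseable line that triggers an indicator."""
    findings = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = suspicious_fields(entry)
        if reasons:
            findings.append((entry["ts"], reasons))
    return findings


if __name__ == "__main__":
    for ts, reasons in scan_log(SAMPLE_LOG):
        print(ts, ", ".join(reasons))
```

Decoding before matching matters: the indicators in the second, third and fourth sample lines are only visible after %20, %27 and %3D are decoded, and the fourth line shows why the path itself, not just the query string, has to be inspected once URLs are rewritten.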
Extracting Information With Sqlmap
Things get really interesting in this sqlmap tutorial when it comes to extracting information. Recovering information stored in the database from a SQL injection point is a tedious task, especially when no result is returned directly in the vulnerable web page. Fortunately, sqlmap allows the tester to extract valuable pieces of information without the hassle of manual techniques. Below is a quick overview of those options; you simply add the relevant option (which takes no argument) to your sqlmap call.
Detect Current Database using sqlmap.
Find Out If Session User Is Database Administrator using sqlmap.
List database system users using sqlmap.
List databases using sqlmap.
When the session user has read access to system tables containing information about databases’ tables, sqlmap will be able to enumerate tables.
Option to enumerate tables with sqlmap.
The following options are handy with table enumeration:
- -D database_name to restrict result to the specified database.
- --exclude-sysdbs to exclude system tables.
Sqlmap can also enumerate columns. Here again, the session user needs read access to the system tables that describe the databases' tables.
Option to enumerate columns with sqlmap.
In addition to -D database_name and --exclude-sysdbs you can add option -T table_name to limit data to the specified table.
It is even possible for the attacker to dump entire tables or databases using the following options.
Option to dump database content with sqlmap.
Here again options -T table_name, -D database_name and --exclude-sysdbs can be used to limit extracted data.
Complete Sqlmap Tutorial
To get more information about sqlmap usage, consult the official sqlmap wiki on GitHub.