Sqlmap Tutorial

Getting started with sqlmap

Using sqlmap can be tricky when you are not familiar with it. This sqlmap tutorial aims to present the most important functionalities of this popular SQL injection tool in a quick and simple way. Before using sqlmap you must first get the latest release of the tool and install a Python interpreter. Most Linux distributions have Python installed by default. If that is not the case, or if you are not using Linux, you will need to download and install Python. Finally, you will need a vulnerable website to test. In this tutorial we are using our simulation environment (hosted on the local machine and available on port 8888).

Launching sqlmap

Once sqlmap is extracted, move to its directory and execute the command below to make sure everything is working fine.

Syntax to Show sqlmap help.

python sqlmap.py --help

If you do not see sqlmap help make sure you did not forget a step in the setup instructions.

Test GET Parameters

You are now ready to test a vulnerable GET parameter. Run sqlmap as indicated below. Specify the URL through the -u parameter (or --url) and give the complete URL of the page you want to test, including the GET parameters and a random value for each one.

General syntax

python sqlmap.py -u "http(s)://target[:port]/[...]/[page]?param=val[&...]"


Test GET parameter with Sqlmap

python sqlmap.py -u "http://127.0.0.1:8888/cases/productsCategory.php?category=1"
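As an added illustration (not code from the tutorial, nor from sqlmap), here is what the injection point behind a URL like productsCategory.php?category=1 looks like in application code, beside the parameterised form that defeats it. The products table, its rows and the function names are constructed for the example.

```python
import sqlite3


def build_db():
    """Constructed in-memory stand-in for a products table (not the tutorial's schema)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE products (id INTEGER, name TEXT, category INTEGER)")
    con.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [(1, "keyboard", 1), (2, "mouse", 1), (3, "monitor", 2), (4, "cable", 3)],
    )
    return con


def products_by_category_vulnerable(con, category):
    """Concatenates the request parameter into the SQL text.

    Whatever is appended to category=1 is parsed as SQL, so the result set
    changes with the payload: that behavioural difference is what sqlmap
    looks for when it tests the GET parameter.
    """
    sql = "SELECT name FROM products WHERE category = " + category + " ORDER BY id"
    return [row[0] for row in con.execute(sql)]


def products_by_category_safe(con, category):
    """Binds the parameter as a value; the database never parses it as SQL.

    A payload in the parameter is compared as data and matches no row.
    Validating that the value is an integer before the query adds a second layer.
    """
    sql = "SELECT name FROM products WHERE category = ? ORDER BY id"
    return [row[0] for row in con.execute(sql, (category,))]


if __name__ == "__main__":
    db = build_db()
    print(products_by_category_vulnerable(db, "1"))         # ['keyboard', 'mouse']
    print(products_by_category_vulnerable(db, "1 OR 1=1"))  # every row leaks
    print(products_by_category_safe(db, "1 OR 1=1"))        # []
```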

Test POST Parameters Using Sqlmap

By default sqlmap tests only GET parameters, but you can specify the POST parameters you would like to verify. Sqlmap will then test both the GET and the POST parameters indicated. To do so, add the --data option as shown below.

General syntax

python sqlmap.py --data "param=val[&...]" -u "http(s)://target[:port]/[...]/[page]"


Test POST parameter with sqlmap

python sqlmap.py --data "username=xyz&password=xyz&submit=xyz" -u "http://127.0.0.1:8888/cases/login.php"

One common mistake when testing POST parameters is to forget to include the submit parameter. If it is not specified, sqlmap will not be able to perform a correct scan. You will most likely end up with a report indicating that no vulnerabilities were found in the script even though it is vulnerable. Always specify the submit parameter name and its default value.

Parse Forms

Sqlmap has a built-in functionality to parse all forms in a webpage and automatically test them. Even though in some cases the scan may not be as thorough as when all parameters are specified manually, it is still handy in many situations. Here is the syntax:

General syntax

python sqlmap.py --forms -u "http(s)://target[:port]/[...]/[page]"


Parse Forms with sqlmap

python sqlmap.py --forms -u "http://synapse:8888/cases/productsCategory.php"

Level of Tests

By default sqlmap will test all the GET and POST parameters specified, but in some cases you might want to test additional entry points such as HTTP headers. It is possible to select these with specific options, but the most straightforward technique is to use the --level option. There are five levels available in sqlmap (the default being level 1). Level 2 adds HTTP Cookie header testing, and level 3 adds the HTTP User-Agent and Referer headers.

General syntax

python sqlmap.py -u "http(s)://target[:port]/[...]/[page]" --level 5
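From the defender's side, the entry points listed above (query string, POST body, and at level 2/3 the Cookie, User-Agent and Referer headers) are also where a scan leaves traces in web server logs. The following added example, which is not part of the tutorial or of sqlmap, parses constructed lines in the Apache/nginx combined log format and flags the ones that carry injection probes; sqlmap's default User-Agent names the tool, but the operator can change it, so the payload patterns (illustrative, not exhaustive) matter more than the agent string.

```python
import re
from urllib.parse import unquote_plus

# Combined log format: client ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Illustrative injection probe patterns: boolean tautologies, UNION, time-based tests.
PAYLOAD_RE = re.compile(
    r"(?i)(\b(and|or)\b\s+\d+\s*=\s*\d+|union\s+(all\s+)?select|"
    r"\b(sleep|benchmark)\s*\(|waitfor\s+delay|'\s*(and|or)\b)"
)

# Constructed sample log (not real traffic); line 2 mimics a GET probe, line 3 a Referer probe.
CONSTRUCTED_LOG = """\
127.0.0.1 - - [10/Oct/2023:13:55:36 +0000] "GET /cases/productsCategory.php?category=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
127.0.0.1 - - [10/Oct/2023:13:55:37 +0000] "GET /cases/productsCategory.php?category=1%20AND%201%3D1 HTTP/1.1" 200 512 "-" "sqlmap/1.7#stable (https://sqlmap.org)"
127.0.0.1 - - [10/Oct/2023:13:55:38 +0000] "GET /cases/productsCategory.php?category=1 HTTP/1.1" 200 512 "http://127.0.0.1:8888/' AND SLEEP(5)--" "Mozilla/5.0"
127.0.0.1 - - [10/Oct/2023:13:55:39 +0000] "POST /cases/login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def classify(line):
    """Return the reasons a single log line looks like a SQL injection scan."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparseable line"]
    reasons = []
    if "sqlmap" in m["agent"].lower():
        reasons.append("sqlmap user-agent")
    # GET parameters (and URI-path segments) are in the request path; decode before matching.
    if PAYLOAD_RE.search(unquote_plus(m["path"])):
        reasons.append("payload in query string")
    # Level 2/3 scans place payloads in headers; the combined format logs two of them.
    for field in ("referer", "agent"):
        if PAYLOAD_RE.search(unquote_plus(m[field])):
            reasons.append(f"payload in {field}")
    return reasons


def scan(log_text):
    """Map each suspicious line number (1-based) to its reasons; clean lines are omitted."""
    return {n: r for n, line in enumerate(log_text.splitlines(), 1) if (r := classify(line))}


if __name__ == "__main__":
    for n, reasons in scan(CONSTRUCTED_LOG).items():
        print(n, reasons)
```

POST bodies are not in access logs, so probes against login.php (line 4) need application-level or WAF logging to be seen.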

URL Paths

There are some cases where parameters may be included inside URI paths. Sqlmap allows you to specify exactly where to try SQL injection in these cases. Let’s take an example where mod_rewrite is used and http://host/page/param-value/ points to http://host/page.php?id=param. Here is how sqlmap should be used in this case.

General syntax

Append an asterisk (*) after each segment to test.


Sqlmap syntax to test URI segments.

python sqlmap.py -u "http://host/page/param-value*/"

Extracting Information With Sqlmap

Things get really interesting in this sqlmap tutorial when it comes to extracting information. Recovering information stored in the database from a SQL injection point is a tedious task, especially when no result is returned directly in the vulnerable webpage. Fortunately, sqlmap allows the tester to extract valuable pieces of information without the hassle of manual techniques. Below is a quick overview of those options; you simply add them (without a value) to your call to sqlmap.

Recover Session User using sqlmap.

--current-user


Detect Current Database using sqlmap.

--current-db


Find Out If Session User Is Database Administrator using sqlmap.

--is-dba


List database system users using sqlmap.

--users


List databases using sqlmap.

--dbs

Enumerating Tables

When the session user has read access to system tables containing information about databases’ tables, sqlmap will be able to enumerate tables.

Option to enumerate tables with sqlmap.

--tables

The following options are handy with table enumeration:

  • -D database_name to restrict result to the specified database.
  • --exclude-sysdbs to exclude system tables.

Enumerating Columns

Sqlmap can also enumerate columns. Here again, the session user will need to have read access to system tables containing information about databases’ tables.

Option to enumerate columns with sqlmap.

--columns

In addition to -D database_name and --exclude-sysdbs you can add option -T table_name to limit data to the specified table.

Dump Table

It is even possible for the attacker to dump entire tables or databases using the following option.

Option to dump database content with sqlmap.

--dump

Here again options -T table_name, -D database_name and --exclude-sysdbs can be used to limit extracted data.

Complete Sqlmap Tutorial

To get more information about sqlmap usage you can consult the official sqlmap wiki on GitHub.