Written in Python by Miroslav Stampar, Sqlmap is probably the best automated tool to detect and exploit SQL injection.
Sqlmap fully supports many databases such as MySQL, Microsoft SQL Server, PostgreSQL, Oracle (and many more) and is able to detect the following injection types: boolean-based blind, error-based, union-based, stacked queries, time-based blind, inline queries. Depending on the target's status, sqlmap is also able to:
- open an interactive SQL shell
- download/upload files
- open a web shell
- crack hashed passwords using a dictionary attack
- and a lot more…
Below are some examples of the main functions, using bWAPP.
In this example, sqlmap has detected that the GET parameter title of the search function is vulnerable to SQL injection.
Well done! It also found that 4 different injection types can be used for exploitation.
Note that sqlmap has also detected that the parameter is vulnerable to XSS attacks, which is unfortunately very common these days…
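To make the finding above concrete, here is an added example (not code from the original post or from bWAPP) of the kind of query that produces it, beside its fix: a search that splices the title parameter into the SQL text, and the same search with a bound parameter. The boolean_differs check applies the same idea sqlmap's boolean-based detection relies on: two inputs that are equivalent as data but differ as SQL produce different result sets only when the input reaches the parser as SQL. The in-memory SQLite table, its schema and the movie rows are constructed for the example.

```python
import sqlite3

def make_db():
    """Constructed in-memory stand-in for the searched table (schema and rows are
    made up for this example; bWAPP's real table is not reproduced here)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE movies (id INTEGER PRIMARY KEY, title TEXT, release_year INTEGER)")
    conn.executemany(
        "INSERT INTO movies (title, release_year) VALUES (?, ?)",
        [("Iron Man", 2008), ("The Incredible Hulk", 2008), ("World War Z", 2013)],
    )
    return conn

def search_vulnerable(conn, title):
    """Splices the GET parameter straight into the statement text.
    A quote inside 'title' closes the literal and the rest is parsed as SQL."""
    sql = "SELECT id, title FROM movies WHERE title LIKE '%" + title + "%'"
    return [row[1] for row in conn.execute(sql)]

def search_hardened(conn, title):
    """Same query with a bound parameter: the value travels separately from the
    statement text, so quotes and operators inside it stay data."""
    sql = "SELECT id, title FROM movies WHERE title LIKE ?"
    return [row[1] for row in conn.execute(sql, ("%" + title + "%",))]

def boolean_differs(search, conn):
    """Boolean-based check in the spirit of sqlmap's detection phase: send one input
    that is a true condition if interpreted as SQL and one that is false. If the two
    result sets differ, the input was interpreted as SQL rather than as data."""
    true_input = "Iron%' AND '1%'='1"    # becomes ... LIKE '%Iron%' AND '1%'='1%'  (true)
    false_input = "Iron%' AND '1%'='2"   # becomes ... LIKE '%Iron%' AND '1%'='2%'  (false)
    return search(conn, true_input) != search(conn, false_input)

if __name__ == "__main__":
    db = make_db()
    print("vulnerable injectable:", boolean_differs(search_vulnerable, db))  # True
    print("hardened injectable:  ", boolean_differs(search_hardened, db))    # False
```

The hardened version returns the same rows for an honest search, but both crafted inputs come back empty because the whole string is matched as a LIKE pattern, which is exactly why sqlmap reports nothing against it.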
To test a POST field, you should write:
In the next example, I'll turn off verbose mode.
Who am I? Where am I? What can I do? Once you have found an injection point, the next step is to gather as much information as possible about the running environment. This task is very easy with sqlmap, which provides a long list of options.
And many more… All collected information is stored in log files in the
To get fresh results and ignore the previously recorded ones, you'll have to use --flush-session or simply remove the corresponding directory.
The next step of the exploitation is to enumerate the available databases, tables and columns. Again, this is pretty simple with sqlmap.
-D bwapp --tables
-D bwapp -T users --columns
Check the official documentation to see the list of all available options.
Now that you know the structure of the tables, you can grab all the data you want. For that task, I like to use the interactive SQL prompt:
You can also dump a table or a database with the --dump option on the command line. If sqlmap detects hashed strings, it will ask you whether to crack them with a dictionary-based attack.
The default wordlist is over 1M entries long; it's up to you to extend it or provide your own list.
Depending on the SQL user's privileges, the injection type and the filesystem permissions, you may be able to play with the server.
--os-shell allows you to upload an ASP/JSP/PHP script to the remote server, which will render an upload form.
You'll then use it to upload whatever file you want, usually a backdoor, as a PoC for your client.
Below are my favourite sqlmap options, the ones I always use in every pentest.
--threads=10: to speed up sqlmap
--tor --tor-type=socks5: to anonymize the traffic; must be used carefully when performing time-based tests, since Tor's variable latency distorts the timing measurements
--random-agent: a different User-Agent for each session
Nowadays, with security at the heart of our job, more and more network admins are deploying WAFs, IPSs or IDSs.
Sqlmap has an option to bypass the basic configuration of those systems:
--tamper allows you to alter the requests by applying a filter to the SQL string, such as random case.
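Seen from the defender's side, the two lists above (the speed and anonymity options, and the --tamper random-case filter) say what a detection rule should and should not rely on. The following is an added example, not part of the original post and not sqlmap's own code: a small Python checker that parses access-log lines, canonicalizes every query parameter before matching (decode, fold case, strip inline comments, collapse whitespace, so a random-case payload like uNiOn sElEcT hits the same rule as UNION SELECT), and flags a client that either trips several injection markers or fires a burst of requests at one endpoint, the footprint that --threads produces. Because --random-agent changes the User-Agent between runs, the grouping key is client IP plus path and the User-Agent is only reported, never trusted. The log lines, hosts, timestamps and payloads are constructed for the example; the thresholds are assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Constructed sample of Combined Log Format lines. Hosts, paths, timestamps and payloads
# are made up for this example; none of them come from a real capture.
SAMPLE_LOG = """\
10.0.0.5 - - [10/May/2015:12:00:01 +0000] "GET /sqli_1.php?title=Iron&action=search HTTP/1.1" 200 3120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/38.0"
10.0.0.5 - - [10/May/2015:12:00:01 +0000] "GET /sqli_1.php?title=Iron%27%20aNd%20%271%27%3D%271&action=search HTTP/1.1" 200 3120 "-" "Mozilla/5.0 (Windows NT 6.1) Chrome/42.0"
10.0.0.5 - - [10/May/2015:12:00:02 +0000] "GET /sqli_1.php?title=Iron%27%20AnD%20%271%27%3D%272&action=search HTTP/1.1" 200 2890 "-" "Opera/9.80 (Windows NT 6.0) Presto/2.12"
10.0.0.5 - - [10/May/2015:12:00:02 +0000] "GET /sqli_1.php?title=Iron%27%20uNiOn%20sElEcT%20NULL%2CNULL%2CNULL--%20&action=search HTTP/1.1" 200 3344 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10) Safari/600.5"
10.0.0.5 - - [10/May/2015:12:00:03 +0000] "GET /sqli_1.php?title=Iron%27%20AND%20SLeeP(5)--%20&action=search HTTP/1.1" 200 2890 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 8_3) Safari/600.1"
192.168.1.10 - - [10/May/2015:12:00:05 +0000] "GET /sqli_1.php?title=Hulk&action=search HTTP/1.1" 200 3055 "-" "Mozilla/5.0 (Windows NT 6.3) Firefox/37.0"
192.168.1.10 - - [10/May/2015:12:00:09 +0000] "GET /sqli_1.php?title=World%20War%20Z&action=search HTTP/1.1" 200 3018 "-" "Mozilla/5.0 (Windows NT 6.3) Firefox/37.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Matched against the normalized value only, so case tricks and encoding do not matter.
SQLI_MARKERS = re.compile(
    r"\bunion\b.*\bselect\b"
    r"|\bselect\b.*\bfrom\b"
    r"|\b(sleep|benchmark)\s*\("
    r"|\bwaitfor\s+delay\b"
    r"|'\s*(and|or)\s*'?\w+'?\s*="
    r"|--(\s|$)"
)

def normalize(value):
    """Canonicalize a parameter value before matching (parse_qsl has already decoded
    it once; one more pass catches double-encoded input)."""
    v = unquote_plus(value)
    v = re.sub(r"/\*.*?\*/", " ", v)     # inline comments often stand in for spaces
    v = re.sub(r"\s+", " ", v).lower()   # fold case: random-case tampers collapse here
    return v.strip()

def analyze(log_text, min_markers=2, min_requests=4, window_seconds=5):
    """Group requests per (client IP, path) and report groups that look like an
    automated injection scan. Thresholds are assumptions, not measured values."""
    groups = defaultdict(lambda: {"times": [], "agents": set(), "marker_hits": 0, "samples": []})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; a real pipeline would count these separately
        target = urlsplit(m.group("target"))
        g = groups[(m.group("ip"), target.path)]
        g["times"].append(datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"))
        g["agents"].add(m.group("ua"))
        for name, raw in parse_qsl(target.query, keep_blank_values=True):
            norm = normalize(raw)
            if SQLI_MARKERS.search(norm):
                g["marker_hits"] += 1
                g["samples"].append((name, norm))
    findings = {}
    for key, g in groups.items():
        span = (max(g["times"]) - min(g["times"])).total_seconds()
        reasons = []
        if g["marker_hits"] >= min_markers:
            reasons.append("sqli-markers")
        if len(g["times"]) >= min_requests and span <= window_seconds:
            reasons.append("burst")
        if reasons:
            findings[key] = {
                "reasons": reasons,
                "requests": len(g["times"]),
                "span_seconds": span,
                "distinct_agents": len(g["agents"]),
                "marker_hits": g["marker_hits"],
                "samples": g["samples"],
            }
    return findings

if __name__ == "__main__":
    for (ip, path), report in analyze(SAMPLE_LOG).items():
        print(ip, path, report["reasons"], "markers:", report["marker_hits"],
              "requests:", report["requests"], "in", report["span_seconds"], "s")
```

Running it on the constructed sample flags 10.0.0.5 on both counts (four marker hits, five requests in two seconds) and leaves the two ordinary searches from 192.168.1.10 alone. The normalization step is the part that matters against --tamper: a rule that compares raw bytes to "UNION SELECT" never sees "uNiOn/**/sElEcT", whereas the rule above matches it after canonicalization.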
Sqlmap is a very, very powerful tool. After months I still don't know all the options, but here are some extra features that look interesting:
Interaction with Metasploit framework
Windows registry access