Sqlmap

Written in Python by Miroslav Stamper, Sqlmap is probably the best automated tool to detect and exploit SQL Injection.

Sqlmap fully supports many databases as MySQL, Microsoft SQL Server, PostgreSQL, Oracle (and many more) and is able to detect the following injection types : Boolean based blind, Error based, Union based, Stacked queries, Time based blind, Inline queries. Depending of the target status, sqlmap is also able to :

  • prompt an interactive sql shell
  • download/upload files
  • prompt a web shell
  • crack hashed password using a dictionnary attack
  • and a lot more…

Below some examples of the main functions using bWAPP

Basic usage

sqlmap basic usage

In this example sqlmap has detected that the GET parameter title of the search function is vulnerable to sql injection. Well done! Plus it found that 4 different types of injection can be used for exploitation. Note that sqlmap has also detected that the parameter is vulnerable to XSS attacks which is unfortunatly very common these days…

To perform test on POST field you should write: --data="title=sqlitest&action=search"

In the next example, I’ll turn off the verbose mode.


Information gathering

Who am I ? Where am I ? What can I do ? Once you found an injection point, the next step is to gather as much information as possible about the running environment.  This task is very easy with sqlmap which provides a great list of options.

--hostname

sqlmap hostname

--current-user

sqlmap current user

--privileges

sqlmap privileges

And many more… All collected informations are stored in log files in the ~/.sqlmap directory. To get fresh results ignoring the results previously recorded you’ll then have to use --fresh-queries or --flush-session or simply remove the corresponding directory.

Enumeration

The next step of the exploitation is to enumerate available databases, tables and columns. Again this is pretty simple with sqlmap.

Databases: --dbs

sqlmap databases

Tables: -D bwapp --tables

sqlmap tables

Columns: -D bwapp -T users --columns

sqlmap columns

Check the official documentation to see the list of all available options.

Getting datas

Now you know the structure of the tables, you can grab all datas you want. To perform that task, I like to use the interactive sql prompt:

sqlmap datas

You can also dump a table or a database with the option --dump on the command line. If sqlmap detects hashed strings, it will ask you to crack them or not via a dictionnary based attack. The default wordlist is +1M length, it’s up you to fill it or provide your own list.

sqlmap crack

Manage files

Depending of the sql user privileges , the injection type and the filesystem permissions, you maybe could be able to play with the server.

Read file:

sqlmap file read

Write file:

sqlmap file write

The option --os-shell allows you to upload an ASP/JSP/PHP script on the remote server which will render an upload form. Then you’ll use it to upload whatever file you want, usually a backdoor to perform a POC for your client.

Usefull

Below my favorite options of sqlmap, the ones I always use in all pentest.

--threads=10 : to speed up sqlmap

--tor --tor-type=socks5 : to anonymize the traffic, must be used carefully while performing time based tests

--random-agent : a different User-Agent for each session

In this time where security is the heart of our job, day after day more and more network admins like to implements WAF, IPS or IDS. Sqlmap has an option to bypass basic configuration of those systems: --tamper allows you to trick the requests by applying a filter on the SQL string like random case.

Going further

Sqlmap is a very very powerful tool. After months I still don’t know all options but here are some extra functionnalities who look interesting:

Interaction with Metasploit framework

Smartphone impersonation

Website crawling

Windows registry access

Fail at CTF h1-212 - The Evil Job

Hackerone recently released a CTF created by [Jobert Abma](https://twitter.com/jobertabma){:class="flashlink" target="_blank"}. Even if I...… Continue reading

« An extremely buggy web app !

Published on January 28, 2016

File transfer with ping »

Published on October 26, 2015