SQLmap – A Comprehensive Guide For Begineers

SQLmap is a powerful open-source penetration testing tool used to detect and exploit SQL injection vulnerabilities in web applications. It provides a comprehensive set of features that assist both security professionals and beginners in identifying and assessing database vulnerabilities. In this blog post, we will delve into the world of SQLmap and provide a step-by-step guide for beginners to effectively use this tool to secure web applications.

What is SQL injection 

SQL injection is a type of attack in which an attacker can inject malicious code into a SQL query. This can be done by entering specially crafted input into a web application that is not properly sanitized. The malicious code can then be executed by the database server, which can allow the attacker to gain access to sensitive data, modify data, or even take control of the database server.

For example, consider a web application that allows users to search for products by category. The application might have a search box where users can enter the name of a category. The application then uses this input to construct a SQL query to search the database for products in the specified category.

SELECT * FROM products WHERE category = '?'

If the application does not properly sanitize the input, an attacker could enter a malicious string like this:

' OR 1 = 1

This string will cause the SQL query to become:

SELECT * FROM products WHERE category = '' OR 1 = 1

The OR operator will always return true, so this query will return all of the products in the database, regardless of the category that the user entered.

SQL injection can be a very serious security vulnerability. It can allow attackers to gain access to sensitive data, modify data, or even take control of a database server. To prevent SQL injection, it is important to properly sanitize all user input before using it to construct SQL queries.

Here are some tips for preventing SQL injection:

• Use prepared statements instead of dynamic SQL.
• Sanitize all user input before using it in a SQL query.
• Use a web application firewall (WAF) to help protect against SQL injection attacks. 

What is SQLmap 

SQLmap is a powerful open-source penetration testing tool that specializes in detecting and exploiting SQL injection vulnerabilities in web applications. SQL injection is a common attack technique where an attacker can manipulate the SQL queries sent to a database through user input fields on a website. By exploiting these vulnerabilities, attackers can gain unauthorized access to the database, extract sensitive information, modify data, or even execute arbitrary commands.

SQLmap automates the process of identifying and exploiting SQL injection vulnerabilities, making it easier for security professionals and penetration testers to assess the security of web applications. It supports a wide range of database management systems, including MySQL, Oracle, PostgreSQL, Microsoft SQL Server, and others.

Key Features of SQLmap

• Detection of SQL Injection: SQLmap automatically detects SQL injection vulnerabilities in web applications by analyzing the response from the application server.
• Exploitation: Once a SQL injection vulnerability is identified, SQLmap can exploit it to extract information from the database, such as usernames, passwords, and sensitive data.
• Fingerprinting: SQLmap can determine the type and version of the database management system being used, which helps in selecting appropriate exploit techniques.
• Enumeration: SQLmap can retrieve information about the database structure, tables, columns, and data types, allowing testers to gain a deeper understanding of the target application’s database.
• Brute Forcing: SQLmap includes the capability to perform automated brute forcing attacks to guess usernames and passwords in the database.
• Post-exploitation: Once access to the database is gained, SQLmap enables further exploitation by executing arbitrary commands or uploading malicious files to the server.

Using SQLmap responsibly and ethically is crucial, as it can be misused for unauthorized activities. It is recommended to obtain proper authorization and consent before performing any security assessments using SQLmap or any other penetration testing tool.

Prerequisites For SQLmap 

When using SQLmap, there are a few prerequisites that need to be met. Here are the common prerequisites for using SQLmap:

• Operating System: 

1. SQLmap is compatible with multiple operating systems, including Windows, Linux, and macOS. 
2. Ensure that you are using a supported operating system.

• Python: 

1. SQLmap is written in Python, so you need to have Python installed on your machine.
2. Check if Python is installed by opening a command prompt or terminal and typing python –version or python3 –version. If Python is not installed, download and install the latest version from the official Python website (https://www.python.org).

• Internet Connectivity: 

1. SQLmap relies on internet connectivity to fetch the latest updates, exploit techniques, and perform certain tasks.
2. Ensure that your machine has a stable internet connection while using SQLmap.

SQLmap Installation

SQLmap can be installed using the pip package manager, which is bundled with Python.

STEP 1

Open a command prompt or terminal

STEP 2

Install python by running following command : 

sudo apt install python3

And 

sudo apt install python

STEP 3

Type the following command to install SQLmap using pip:

OR

pip3 install sqlmap

STEP 4 

After the installation is complete, you can verify the SQLmap installation by typing sqlmap –version in the command prompt or terminal.

If the SQLmap version is displayed, it means SQLmap is installed successfully.

Running SQLmap 

You can start SQLmap by running following command :

sqlmap -h

where h Flag is used for help , it will show you all commands and flags that you can use in this tool 

here you will counter with some flags you can use lets understand it’s meaning in next heading .

Understanding SQLmap 

when you start sqlmap you will counter with many options that you are not familiar with , so we will understand all the options in detail so we will not face any understanding problems in our scanning phase:

• Verbosity : 

In SQLMap, the ‘-v’ option is used to control the level of detail in the output generated by the tool. It allows you to adjust the verbosity or the amount of information displayed during the scanning process. 

The ‘-v’ option accepts an integer value ranging from 0 to 3, with 0 being the lowest level of verbosity and 3 being the highest. Here’s a breakdown of the levels:

• Level 0: Only critical information and minimal output are displayed.
• Level 1: Displays basic information, such as HTTP requests and the target URL.
• Level 2: Provides more detailed information, including payload data and the results of each request.
• Level 3: Shows extensive debugging information, such as the HTTP headers and payload sent.

To set the verbosity level, you would use the -v option followed by the desired level. For example: 

sqlmap -v 2

This command would set the verbosity level to 2, which provides a moderate amount of detail during the scanning process. You can adjust the value to your preference, depending on the amount of information you need for analysis or debugging purposes.

• Giving Target URL :

In SQLMap, the ‘-u’ option is an abbreviated form of ‘–url’. It is used to specify the target URL of the web application you want to scan for SQL injection vulnerabilities.

When utilizing the ‘-u’ option, you provide the complete URL of the target web application, including the protocol (e.g., http:// or https://) and the specific page or endpoint you wish to test. Here’s an example: 

sqlmap -u http://example.com/login.php

In the above command, SQLMap is instructed to scan the ‘login.php’ page of the ‘example.com’ website for SQL injection vulnerabilities.

Similarly to the ‘–url’ option, the ‘-u’ option can also accept additional parameters in the URL, such as query strings or form data, if applicable to your testing scenario. For example:

sqlmap -u "http://example.com/search.php?query=test&page=1"

In this case, SQLMap is targeting the 'search.php' page of the 'example.com' website, with the 'query' and 'page' parameters being part of the URL's query string.

• Using Google Dorks :

In SQLMap, the ‘-g’ option is used to automatically parse a provided Google search result page and extract potential URLs for SQL injection testing. It allows SQLMap to scrape search engine results and use the identified URLs as targets for SQL injection vulnerability analysis. 

When using the ‘-g’ option, you provide a specific search query enclosed in double quotes. SQLMap will then perform a Google search using the provided query and retrieve the search results. It will parse the search result page and extract URLs for further testing. Here’s an example:

sqlmap -g "inurl:index.php?id="

In the above command, SQLMap performs a Google search with the query ‘inurl:index.php?id=’. It identifies search results that include URLs containing ‘index.php?id=’ and automatically extracts those URLs for SQL injection testing.

The ‘-g’ option can be a convenient way to automate the process of finding potential targets for SQL injection testing by leveraging search engines. However, it’s important to use this option responsibly and respect search engine usage policies to avoid any potential issues.

• Sending Data strings through post requests :

In SQLMap, the ‘–data’ option is used to specify the data parameters to be sent in the request body when performing ‘HTTP POST’ requests during the SQL injection testing process. It allows you to provide the necessary data for simulating form submissions and testing for SQL injection vulnerabilities in ‘POST-based’ scenarios.

When using the ‘–data’ option, you provide the data parameters in the form of key-value pairs, similar to how you would construct a form submission. The data is typically URL-encoded. Here’s an example:

sqlmap -u http://example.com/login.php --data="username=admin&password=12345"

In the above command, SQLMap is instructed to target the ‘login.php’ page of the example.com website using an HTTP POST request. The ‘–data’ option provides the data parameters ‘username=admin’ and ‘password=12345’, which simulate a form submission for the login functionality.

By including the –data option with the appropriate parameter values, SQLMap can interact with the web application and perform SQL injection testing in scenarios where POST requests are involved.

• Customized Cookie :

In SQLMap, the ‘–cookie’ option is used to provide a specific cookie value to be included in the HTTP requests sent during the SQL injection testing process. It allows you to simulate authenticated sessions or provide session-specific information to SQLMap.

When using the –cookie option, you provide the cookie value in the format of key-value pairs, similar to how cookies are typically represented in HTTP requests. Here’s an example:

sqlmap -u http://example.com/login.php --cookie="sessionid=abc123; user=admin"

In the above command, SQLMap is instructed to target the login.php page of the example.com website and include a specific cookie in the HTTP requests. The –cookie option provides the cookie value sessionid=abc123; user=admin, which is used to simulate an authenticated session with the provided session ID and user information.

By utilizing the –cookie option, you can provide session-specific information to SQLMap, which may be necessary to accurately test SQL injection vulnerabilities in authenticated or session-dependent scenarios.

• Randomized User Agent : 

In SQLMap, the –random-agent option is used to randomize the user agent string in the HTTP headers of the requests sent during the SQL injection testing process. It allows SQLMap to mimic different user agents, making the requests appear more diverse and potentially evading detection or bypassing certain security measures. 

When using the –random-agent option, SQLMap will automatically select a random user agent string from a predefined list and include it in the requests it sends. This can help disguise the identity of SQLMap and make it appear as if the requests are originating from various web browsers or clients. Here’s an example:

sqlmap -u http://example.com/login.php --random-agent

In the above command, SQLMap is instructed to target the login.php page of the example.com website and enable the –random-agent option. This will result in SQLMap randomly selecting a user agent string from its list and using it in the requests sent during the SQL injection testing.

By using the –random-agent option, SQLMap enhances its ability to avoid detection or bypass certain security mechanisms that might be specifically targeting default user agent strings associated with automated scanning tools.

• Using Proxies :

In SQLMap, the –proxy option is used to specify a proxy server through which the HTTP requests will be routed during the SQL injection testing process. It allows SQLMap to pass the requests through a proxy server, which can be helpful for various purposes such as capturing and analyzing network traffic, bypassing network restrictions, or testing security controls. 

When using the –proxy option, you provide the details of the proxy server in the form of <proxy type>:<proxy address>. Here’s an example:

sqlmap -u http://example.com/login.php --proxy="http:127.0.0.1:8080"

In the above command, SQLMap is instructed to target the login.php page of the example.com website and use the proxy server located at 127.0.0.1 on port 8080. The proxy type specified is http, indicating that an HTTP proxy server should be used.

By specifying the –proxy option, SQLMap will route its HTTP requests through the specified proxy server, allowing you to capture and analyze the traffic, apply additional security controls, or bypass network restrictions that may be in place.

• Using TOR : 

In SQLMap, the –tor option is used to route the tool’s HTTP requests through the Tor network during the SQL injection testing process. It allows SQLMap to leverage the Tor network’s anonymity features to anonymize its requests and potentially bypass certain network restrictions or enhance privacy. 

When using the –tor option, SQLMap will automatically configure its requests to be routed through the Tor network. This helps to obfuscate the source of the requests and makes it harder to trace them back to the original IP address. Here’s an example:

sqlmap --url=http://example.com/login.php --tor

In the above command, SQLMap is instructed to target the login.php page of the example.com website and enable the –tor option. This will ensure that SQLMap’s requests are routed through the Tor network.

By leveraging the Tor network, SQLMap can potentially bypass IP-based restrictions or filtering mechanisms that may be in place. It also adds an extra layer of anonymity to the SQL injection testing process, making it more difficult to track the origin of the requests.

It’s important to note that using the –tor option requires that you have Tor installed and running on your system. Additionally, the effectiveness of the Tor network in anonymizing your requests can vary depending on various factors, such as the configuration and security measures implemented by the target website.

• TestParameters :

In SQLMap, the -p option is used to specify the parameter(s) to be tested for SQL injection vulnerabilities. It allows you to identify and target specific parameters within the target URL or data payload for vulnerability testing.

When using the -p option, you provide the name of the parameter(s) you want to test. Here’s an example:

sqlmap -u http://example.com/login.php -p username,password

In the above command, SQLMap is instructed to target the login.php page of the example.com website and test the username and password parameters for SQL injection vulnerabilities.

By using the -p option, you can focus SQLMap’s testing efforts on specific parameters rather than scanning the entire target URL or data payload. This is useful when you have identified particular parameters that may be more susceptible to SQL injection or want to narrow down the scope of the vulnerability analysis.

It’s important to note that the parameter names provided with -p should correspond to the actual parameter names used in the target URL or data payload. Additionally, you can specify multiple parameters by separating them with commas, as shown in the example above.

• Force Back-End DBMS :

In SQLMap, the –dbms option is used to specify the database management system (DBMS) that the target web application is using. It allows SQLMap to tailor its SQL injection tests and payloads to the specific DBMS, increasing the effectiveness and accuracy of the vulnerability analysis. 

When using the –dbms option, you provide the name of the DBMS as the argument. Here’s an example:

sqlmap --url=http://example.com/login.php --dbms=mysql

In the above command, SQLMap is instructed to target the login.php page of the example.com website and assumes that the web application is using the MySQL DBMS.

By specifying the correct DBMS with –dbms, SQLMap can optimize its techniques and payloads to exploit known vulnerabilities and specific behaviors associated with that particular DBMS. It allows for more accurate and targeted testing, increasing the chances of discovering SQL injection vulnerabilities.

• Level and Risk :

In SQLMap, the –level and –risk options are used to control the intensity and aggressiveness of the SQL injection testing process.

The –level option determines the depth of the SQL injection tests and the number of techniques used. It ranges from 1 to 5, with 1 being the least aggressive and 5 being the most aggressive. Higher levels increase the testing coverage and the likelihood of discovering vulnerabilities but can also result in increased false positives. Here’s an example: 

sqlmap --url=http://example.com/login.php --level=3

In the above command, SQLMap is instructed to target the login.php page of the example.com website and use a moderate testing level of 3.

The –risk option determines the likelihood of triggering false positives during the SQL injection tests. It ranges from 1 to 3, with 1 being the least risky and 3 being the most risky. Higher risk levels increase the chances of detecting SQL injection vulnerabilities but may also generate more false positives. Here’s an example:

sqlmap –url=http://example.com/login.php –risk=2

In the above command, SQLMap is instructed to target the login.php page of the example.com website and use a medium risk level of 2.

By adjusting the –level and –risk options, you can fine-tune the SQL injection testing process based on the specific requirements and risk tolerance of the testing scenario. It allows you to balance the thoroughness of the tests with the potential for false positives.

• Techniques : 

In SQLMap, the –technique option is used to specify the SQL injection technique(s) to be employed during the testing process. It allows you to select specific techniques that SQLMap will use to identify and exploit SQL injection vulnerabilities. 

When using the –technique option, you provide the name of the technique(s) as the argument. Here’s an example:

sqlmap --url=http://example.com/login.php --technique=UNION

In the above command, SQLMap is instructed to target the login.php page of the example.com website and employ the UNION-based technique to test for SQL injection vulnerabilities.

SQLMap offers multiple techniques to detect and exploit SQL injection vulnerabilities, such as UNION-based, Boolean-based, time-based, error-based, and more. By specifying the appropriate technique(s) with –technique, you can focus the testing efforts on specific techniques known to be effective against the target application.

sqlmap --url=http://example.com/login.php --technique=UNION,BLIND

In the above command, SQLMap will use both the UNION-based and BLIND-based techniques during the SQL injection testing process.

It’s important to note that the choice of technique(s) depends on the characteristics and behavior of the target application. It may require some experimentation and trial and error to determine the most effective technique(s) for a specific scenario.

• Enumeration :

Here’s a brief explanation of the options in SQLMap along with an example for each:

‘-a’ (or –all): Executes all tests and enumeration available. It performs a comprehensive analysis of the target. Example :

sqlmap -u http://example.com/login.php -a

‘-b’ (or –banner): Retrieves the DBMS banner from the target, providing information about the database management system. Example :

sqlmap -u http://example.com/login.php -b

‘–current-user’: Retrieves the username of the current database user. Example :

sqlmap -u http://example.com/login.php --current-user

‘–current-db’: Retrieves the name of the current database. Example :

sqlmap -u http://example.com/login.php --current-db

‘–passwords’: Retrieves password hashes from the target database. Example:

sqlmap -u http://example.com/login.php --passwords

‘–dbs’: Enumerates the names of the databases on the target server. Example:

sqlmap -u http://example.com/login.php --dbs

‘–tables’: Enumerates the names of the tables within a specified database. Example: 

sqlmap -u http://example.com/login.php -D dbname --tables

‘–columns’: Enumerates the names of the columns within a specified table. Example: 

sqlmap -u http://example.com/login.php -D dbname -T tablename --columns

‘–schema’: Dumps the database schema of a specified database. Example: 

sqlmap -u http://example.com/login.php -D dbname --schema

‘–dump’: Dumps the contents of a specified table. Example: 

sqlmap -u http://example.com/login.php -D dbname -T tablename --dump

‘–dump-all’: Dumps the contents of all tables in a specified database. Example: 

sqlmap -u http://example.com/login.php -D dbname --dump-all

‘-D’ (or –database): Specifies the target database to be used in various operations. Example: 

sqlmap -u http://example.com/login.php -D dbname --tables

‘-T’ (or –table): Specifies the target table to be used in various operations. Example:

sqlmap -u http://example.com/login.php -D dbname -T tablename --columns

‘-C’ (or –columns): Specifies the target column(s) to be used in various operations. Example: 

sqlmap -u http://example.com/login.php -D dbname -T tablename -C column1,column2

These examples demonstrate how to use the various options in SQLMap to perform tasks such as retrieving information, enumerating databases, tables, and columns, dumping data from tables, and more.

• OS Shell :

When using the –os-shell option, SQLMap will attempt to execute commands on the target system’s operating system, providing an interactive shell interface. This can be a powerful feature, as it allows you to execute operating system commands and interact with the target machine directly from within SQLMap. 

Here’s an example of how to use the –os-shell option:

sqlmap --url=http://example.com/login.php --os-shell

In the above command, SQLMap is instructed to target the login.php page of the example.com website and launch an operating system shell if a successful SQL injection exploit is detected.

Once the –os-shell option is triggered, you can interact with the target machine’s operating system using command-line commands. This can include tasks such as executing shell commands, navigating the file system, modifying files, or running system-level utilities.

• Batch Flag : 

When using the –batch option, SQLMap will automatically select default options and proceed with the testing process without any prompts for user input. It is useful for automating SQLMap as part of a larger script or for running SQLMap in non-interactive environments. 

Here’s an example of how to use the –batch option:

sqlmap --url=http://example.com/login.php --batch

In the above command, SQLMap is instructed to target the login.php page of the example.com website and run in batch mode, without requiring any user interaction.

Scanning With SQLmap 

When scanning with SQLMap, the tool utilizes various techniques to analyze the target application’s responses and behavior. It starts by probing the application for potential SQL injection points and then proceeds to exploit them by sending crafted SQL queries. SQLMap supports different types of SQL injection attacks, including error-based, union-based, and time-based techniques.

NORMAL SCANNING 

Simple HTTP-GET Based Scan

To perform a simple HTTP GET-based test with SQLMap, you can use the following command: 

sqlmap -u <target_url>

Replace <target_url> with the URL of the web application you want to test. For example:

sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1

The command sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 –batch initiates an automated SQL injection scan using SQLMap against the specified URL, running in batch mode without user prompts, and saving the results to a file.

OUTPUT

This command instructs SQLMap to send GET requests to the specified URL and check for SQL injection vulnerabilities. SQLMap will automatically analyze the responses, detect any injection points, and attempt to exploit them using various techniques.

By default, SQLMap uses a set of predefined tests and payloads to identify and exploit SQL injection vulnerabilities. It will gather information from the target database, such as the DBMS, tables, columns, and data, depending on the level of access it gains.

WAF Evasion scan 

Performing Web Application Firewall (WAF) evasion with SQLMap involves using techniques and parameters that can help bypass or overcome the security measures implemented by the WAF. Here’s an overview of some common commands and techniques used for WAF evasion in SQLMap:

• Tamper Scripts : 

SQLMap provides a variety of tamper scripts that modify the generated SQL payloads to evade detection. These scripts alter the payload’s structure, encoding, or other attributes to bypass WAF filters. The –tamper option is used to specify a tamper script. 

sqlmap -u <target_url> –tamper=<tamper_script>

For example, you can use the apostrophemask tamper script to encode single quotes in different ways:

sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 --tamper=apostrophemask --batch

OUTPUT

DETECTION

• Randomization: 

SQLMap can randomize the order of the injected payload to evade signature-based detection. The –random-agent option is used to randomize the User-Agent header.

sqlmap -u <target_url> –random-agent

For example,

sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 --random-agent

OUTPUT 

• Delayed Requests :  

sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 --hex

sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 --headers="CustomHeader: testing"

sqlmap -u http://example.com/listproducts.php?cat=1 --level=3 --risk=2 --batch 

sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 --dbs --batch

sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 --tables -D acuart

sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 --columns -D aquart -T users --batch

POST /comment.php HTTP/1.1
Host: testphp.vulnweb.com
Content-Length: 93
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://testphp.vulnweb.com
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.50 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://testphp.vulnweb.com/comment.php?aid=3
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

name=hacklock&comment=hey+u+are+hacked+&Submit=Submit&phpaction=echo+%24_POST%5Bcomment%5D%3B