SQL Injection using sqlmap Tutorial
You should have a basic understanding of SQL, SQL injection attacks, and databases before beginning the tutorial.
What is sqlmap?
sqlmap is written in Python. It is the tool most commonly used to carry out automated SQL injection attacks, and it supports the techniques listed below:
- Boolean-based blind SQL injection
- Time-based blind SQL injection
- Error-based SQL injection
- Union-based SQL injection
- Stacked queries
- Out-of-band attacks
Once one or more SQL injections have been detected on the target host, the user has a variety of options to choose from, such as performing a thorough back-end database management system fingerprint, retrieving DBMS session user and database, enumerating users, password hashes, privileges, databases, and more. The user can also run their own SQL query, read specific files on the file system, dump entire or user-specific DBMS tables or columns, and perform other operations.
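The techniques above leave recognisable traces in web server logs. As an added example (not part of the original tutorial), the Python script below classifies constructed access-log lines by the sqlmap technique their payload matches and flags sqlmap's default User-Agent; the log lines, paths and patterns are assumptions for illustration.

```python
import re
from urllib.parse import unquote_plus

# Indicators for the six sqlmap techniques named above: broad starting points, tune them to your traffic.
TECHNIQUE_PATTERNS = {
    "boolean-blind": re.compile(r"\b(?:AND|OR)\s+\d+\s*=\s*\d+", re.I),
    "time-blind": re.compile(r"\b(?:SLEEP|BENCHMARK|pg_sleep)\s*\(|\bWAITFOR\s+DELAY\b", re.I),
    "error-based": re.compile(r"\b(?:EXTRACTVALUE|UPDATEXML)\s*\(|\bFLOOR\s*\(\s*RAND", re.I),
    "union": re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I),
    "stacked": re.compile(r";\s*(?:SELECT|INSERT|UPDATE|DELETE|DROP|EXEC|WAITFOR)\b", re.I),
    "out-of-band": re.compile(r"\b(?:LOAD_FILE\s*\(|xp_dirtree|UTL_HTTP|UTL_INADDR|DBMS_LDAP)", re.I),
}

LOG_RE = re.compile(  # combined (Apache/nginx) access log format
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def classify(line):
    """Return the indicators found in one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = unquote_plus(m.group("path"))  # payloads arrive URL-encoded
    hits = [name for name, pat in TECHNIQUE_PATTERNS.items() if pat.search(path)]
    # sqlmap identifies itself unless --user-agent or --random-agent is used.
    if m.group("ua").startswith("sqlmap/"):
        hits.append("sqlmap-user-agent")
    return {"ip": m.group("ip"), "path": path, "indicators": hits}

def scan(lines):
    """Keep only the lines that carry at least one indicator."""
    return [f for f in map(classify, lines) if f and f["indicators"]]

def by_source(findings):
    """Group indicator names per client IP, so one scanner shows up as one entry."""
    out = {}
    for f in findings:
        out.setdefault(f["ip"], set()).update(f["indicators"])
    return {ip: sorted(names) for ip, names in out.items()}

# Constructed sample lines (not from the lab); the GET parameter stands in for
# any injectable parameter. POST bodies need application or WAF logs instead.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Mar/2024:10:00:01 +0000] "GET /donors?group=A HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [12/Mar/2024:10:00:02 +0000] "GET /donors?group=A%20AND%201=1 HTTP/1.1" 200 5120 "-" "sqlmap/1.7 (https://sqlmap.org)"',
    '10.0.0.9 - - [12/Mar/2024:10:00:03 +0000] "GET /donors?group=A%20AND%20SLEEP(5) HTTP/1.1" 200 5120 "-" "sqlmap/1.7 (https://sqlmap.org)"',
    '10.0.0.9 - - [12/Mar/2024:10:00:04 +0000] "GET /donors?group=-1%20UNION%20ALL%20SELECT%201,2,3 HTTP/1.1" 200 640 "-" "Mozilla/5.0"',
]
```

Running `by_source(scan(SAMPLE_LOG))` groups every indicator seen from 10.0.0.9 into one entry, which is the view an analyst wants when one scanner tries several techniques in a row.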
What are sqlmap's capabilities?
- MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase, SAP MaxDB, Informix, MariaDB, MemSQL, TiDB, CockroachDB, HSQLDB, H2, MonetDB, Apache Derby, Amazon Redshift, Vertica, Mckoi, Presto, Altibase, MimerSQL, CrateDB, Greenplum, and Drizzle are among the database management systems supported by sqlmap.
- It can identify six types of SQL injection vulnerabilities.
- It can crawl a whole website to find vulnerable parameters.
- The tool can inject backdoors.
- It can run any command you want and return its standard output.
- It supports Meterpreter for privilege escalation.
Useful flags in sqlmap
First, we can use the commands below to display sqlmap's help pages.
- sqlmap -h (basic help)
- sqlmap -hh (advanced help)
As you can see in the screenshot up top, I have both help menus displayed.
sqlmap has numerous flags that can be used to perform SQL injection. The ones listed below are the most important to understand right away.
- -u >> specify the target URL
- --dbs >> enumerate all databases
- -D >> name of the database to enumerate
- --tables >> enumerate all tables
- -T >> name of the table to enumerate
- --columns >> enumerate all columns
- -C >> name of the column(s) to work with
- -r >> pass a file containing the raw HTTP request
- --current-user >> find out which DBMS user the queries run as
- --current-db >> find out the name of the current database
- --batch >> sqlmap normally asks yes/no questions while it runs; with --batch it selects the default answers automatically
- -a >> enumerate everything in the database
- --crawl >> crawl the site's endpoints to find vulnerable parameters
- --proxy >> send traffic to the target through a proxy; its main use is monitoring the traffic in Burp Suite by giving Burp's IP and port
- -p >> specify the parameter to test
- --cookie >> specify the cookie to send
- --technique >> specify which injection technique to use. There are six types of techniques that can be specified here (U,B,T,E,S,)
There are many more flags that are used, but the ones listed above are the ones we need to understand the most right away. Let’s begin with a practical example so we can better understand how the flags listed above are actually used.
One lab solution using sqlmap and SQL injection
I'm using the site http://10.10.177.22/ here to demonstrate exploiting SQL injection with sqlmap, so that you can learn how it is done.
Let's start.
First, let's identify the weak point in the site.
Let's build the command to run.
Using gobuster to find the vulnerable directory is outside the scope of this tutorial, so only the command is given below.
gobuster dir -u http://10.10.177.22/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt --threads 100
A screenshot of the output of this command is shown below; it located a directory named "/blood".
Let's see what we can do with it.
As seen in the screenshot up top, there is a drop-down menu for searching the blood donor list by blood type. After searching, the selected value does not appear in the URL, which indicates that a POST request is being used.
So we intercept the POST request that searches for a particular blood type, save it to a file, and pass that file to sqlmap.
Here are screenshots showing step by step how the request file is created.
Step 1: intercept the request in Burp Suite and copy it.
Step 2: paste it into a file and save it; as shown below, the file is named search_request.
Step 3: run sqlmap with that request file to enumerate the list of databases.
The command to enumerate the database list is given below.
sqlmap -r search_request --dbs
We can see the list of databases in the screenshot up top; let's start with the database named "blood".
Now that we have a database named "blood", our next task is to list all of the tables within it.
So let's build the command:
sqlmap -r search_request -D blood --tables
In basic terms, the command above lists all of the tables in the "blood" database.
-D blood >> specifies that we are searching in the blood database
--tables >> states that we want a list of every table
As seen in the screenshot up top, we have a list of all the tables.
The table we need is named "flag".
Now we need the list of all the columns in it.
So let's build the command:
sqlmap -r search_request -D blood -T flag --columns
Basically, the above command looks for the flag table’s columns in the blood database.
Here is a list of every row in the flag column of the flag table; that column has only one row, and it contains our final flag, so this is the outcome.
Now our lab is complete.
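To see why the blood-type search was exploitable and how it should have been written, here is an added Python example (not the lab's code; the table, names and blood groups are constructed): the vulnerable string-built query next to a parameterised one, plus an allow-list check for the drop-down value.

```python
import sqlite3

# Constructed stand-in for the lab's donor search (not the lab's real schema).
DONORS = [("Alice", "A+"), ("Bob", "O-"), ("Carol", "AB+"), ("Dan", "A+")]
BLOOD_GROUPS = frozenset({"A+", "A-", "B+", "B-", "AB+", "AB-", "O+", "O-"})

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE donors (name TEXT, blood_group TEXT)")
    conn.executemany("INSERT INTO donors VALUES (?, ?)", DONORS)
    return conn

def search_vulnerable(conn, blood_group):
    # The submitted value is pasted into the SQL text, so it can change the
    # query's logic. This is the defect sqlmap's probes detect and exploit.
    sql = ("SELECT name FROM donors WHERE blood_group = '"
           + blood_group + "' ORDER BY name")
    return [row[0] for row in conn.execute(sql)]

def search_parameterised(conn, blood_group):
    # Bound parameter: the value is sent as data and is never parsed as SQL,
    # whatever it contains.
    sql = "SELECT name FROM donors WHERE blood_group = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (blood_group,))]

def search_hardened(conn, blood_group):
    # Defence in depth for a drop-down field: reject anything that is not one
    # of the known blood groups before the query is even built.
    if blood_group not in BLOOD_GROUPS:
        raise ValueError("unknown blood group")
    return search_parameterised(conn, blood_group)

# A boolean-style probe of the kind sqlmap sends: the quote closes the string
# literal and the OR clause makes the WHERE condition always true.
PROBE = "A+' OR '1'='1"
```

With `PROBE`, `search_vulnerable` returns every donor while `search_parameterised` returns nothing, which is exactly the difference in responses that sqlmap's boolean-based detection looks for.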
As a result, we have learned about the sqlmap flags -u, --dbs, --tables, --columns, -D, -T, -C, --dump, and -r.
Now let's learn the remaining flags in the section below.
1st (--current-db)
As noted above, --current-db is used to identify the database currently in use. Let's look at how it is used.
Let's build the command:
sqlmap -r search_request --current-db
‘Blood’ is the current database name, as you can see in the screenshot up top.
2nd (--crawl)
As we know, --crawl is used to identify vulnerable parameters and their URLs.
So let's build a command.
I'm demonstrating here using http://testphp.vulnweb.com
sqlmap -u http://testphp.vulnweb.com/ --crawl=2 --batch
As seen in the screenshot up top, it found four URLs.
Other flags can be used in the same way. That concludes this tutorial.
Thank you