SQLMap
By: Rushikesh Kulkarni
SQL Injection
(1) A web hacking technique that is capable of destroying your database.
(2) SQL is a language used to carry out operations like insert/create/alter/delete on your database.
(3) Makes use of SQL queries on the website that run on the server side once the code is executed.
Topics to cover:
(1) Basics of SQL Injection
(2) Using manual SQL injection to attack
(3) Understanding GET and POST requests
(4) Using sqlmap on Kali Linux
(5) Understanding parameters in Kali
(6) Attacking sites using sqlmap
Basic SQL Queries
(1) SELECT * FROM table_name
(2) SELECT * FROM table_name WHERE column_name=value AND column2_name=value2
(3) SELECT column1, column2 FROM table_name
(4) SELECT * FROM table_name ORDER BY column_name
(5) DELETE FROM table_name WHERE column_name=value
(6) INSERT INTO table_name VALUES (value1, value2, value3)
(7) UPDATE table_name SET column1=value1, column2=value2 WHERE column1=value3
(8) SELECT column1, CONCAT(column2, column3) AS column_name FROM table_name
The significance of /* in SQL?
/* is used to start a multi-line comment in SQL. This is important because the query might have several 'and' conditions, and those get commented out due to /*.
The beauty behind: ' or 1=1-- -
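Why that payload works and what stops it, as an added example that is not part of the original slides: the same product lookup written once with string concatenation and once with a bound parameter, run against a constructed in-memory SQLite table (the table name, columns and rows are assumptions).

```python
import sqlite3

# Constructed sample table (not from the original slides).
ROWS = [(1, "Widget", 9.99), (2, "Gadget", 19.99), (3, "Gizmo", 4.50)]


def make_db():
    """In-memory SQLite database standing in for a site's product table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, price REAL)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", ROWS)
    return conn


def lookup_vulnerable(conn, user_input):
    """String concatenation: the input is pasted into the SQL text, so a quote
    closes the string literal, 'or 1=1' makes the WHERE clause always true,
    and '-- -' comments out the trailing quote the developer wrote."""
    sql = "SELECT id, name FROM products WHERE name = '" + user_input + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, user_input):
    """Bound parameter: the driver hands the input to the engine as a value,
    never as SQL text, so the same payload is just compared against name."""
    sql = "SELECT id, name FROM products WHERE name = ?"
    return conn.execute(sql, (user_input,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "' or 1=1-- -"
    print("normal:       ", lookup_vulnerable(db, "Gadget"))
    print("vulnerable:   ", lookup_vulnerable(db, payload))      # every row
    print("parameterized:", lookup_parameterized(db, payload))  # no rows
```

The parameterized version is the fix for every query shape on the previous slide, not a filter on the input; a blocklist for quotes or comment markers is what sqlmap's tamper options are built to get around.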
Trying a manual attack on a site:
Procedure:
https://www.exploit-db.com/papers/13045/
http://www.webscantest.com/datastore/search_get_by_id.php?id=4
(1) Check if vulnerable by adding ' at the end of the URL.
(2) Try finding the number of columns by using the ORDER BY statement in SQL. Stop when it shows an error.
(3) Use the UNION operator to combine the results and then find the vulnerabilities. If numbers are displayed on screen, then UNION worked.
(4) Find the version number, then the names of all the tables in the database using a SELECT statement.
(5) Table names from information_schema.tables
(6) Column names from information_schema.columns
What is sqlmap?
SQLMap is a penetration testing tool. It automates the process of detecting and exploiting SQL injection flaws and taking over database servers. It is open source.
How is it built and installed?
SQLMap is written in Python. To install it, download the zip file from sqlmap.org, unzip it and launch the .py file from the command prompt.
Difference between manual and automated SQL Injection:
(1) The manual way is tedious. It requires you to remember all the queries explicitly. An automated tool does all the work for you.
(2) The automated tool has a wider range of options, such as Tor and proxy support.
(3) The automated tool is capable of cracking your hashes, provided a table with hashes is found. Hence it drastically reduces the user's effort.
(4) Let's face it, who doesn't love to work on tools that do all the work for you.
Features of SQLMap:
Full support of six SQL injection techniques:
(1) Boolean-based blind
(2) Time-based blind
(3) Error-based
(4) UNION query-based
(5) Stacked queries
(6) Out-of-band
(1) Error-based SQLi: a technique that relies on studying the error messages thrown by the database and using them to inject further. This is only possible if the developer has left error messages displayed.
(2) UNION query-based: the UNION operator is used to join the results of multiple queries. Among the queries inserted, some are forged and some are legitimate; the forged ones carry the injection.
(3) Boolean-based blind: used on sites with search boxes, where a boolean expression like 1=1-- - is used to query data from the database.
www.hexonline.co.uk/Product.php?cid=63
Exploitation of different databases
(1) MySQL
(2) Oracle
(3) PostgreSQL
(4) Microsoft SQL Server
(5) SQLite
(6) Microsoft Access
(7) Many more
Understanding GET and POST Requests
GET request: a type of HTTP request which requests a specified resource from a site. The request is transmitted through the given URL. Requests using GET should only retrieve data from a site and have no other effect.
POST request: a POST request is used to send data to a server. This information might be the details of a form, login details, a file upload, etc. Requests using POST alter or create new data on the server.
Getting Started With SQLMap in Kali
Type sqlmap in your terminal.
Type -h for basic help and -hh for advanced options.
Injecting into sites ending with .php?id=
The command is as follows:
sqlmap -u http://example.php?id=
sqlmap starts the tool.
-u indicates that the next parameter is a URL. It can also be given as --url=URL.
Finding sites to inject
https://www.darkmoreops.com/2014/08/28/use-sqlmap-sql-injection-hack-website-database/
Understanding parameters
--dbs → List all the database names from the given server.
--tables → List all the tables from a given database.
--dump → Print all the data from a given database or table.
-D → Tell sqlmap that the next parameter is the name of a database.
-T → Tell sqlmap that the next parameter is the name of a table in the database.
Simple procedure to inject
(1) Find a site ending with .php?id=. Best way: Google search.
(2) Put a ' at the end to check if it's injectable. If it shows an error, it is vulnerable to SQL injection.
(3) Enter the command in the terminal to start injecting using sqlmap.
(4) End the command with --dbs to list all the databases on the given server.
(5) Once the databases are listed, use -D to select a database and end the command with --tables to list all the tables in that database.
(6) Use -T to select a table from the given database.
(7) Use --columns to list the columns of the given table.
(8) Use --dump to print all the data from the given database/table.
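What that procedure looks like from the server side, as an added example that is not part of the original slides: a small scanner over constructed Apache-style access-log lines that flags the quote probe, ORDER BY column counting, UNION SELECT and time-delay payloads from the steps above, plus the default sqlmap User-Agent (the User-Agent prefix and the log lines are assumptions). It is the check a defender runs to confirm an authorised test left the expected trace, and to spot the same sequence from anyone else.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample access-log lines in combined log format (not from the slides).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2024:12:00:01 +0000] "GET /index.php?id=3 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:12:00:02 +0000] "GET /index.php?id=3%27 HTTP/1.1" 500 310 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:12:00:03 +0000] "GET /index.php?id=3%20order%20by%205--%20- HTTP/1.1" 500 310 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:12:00:04 +0000] "GET /index.php?id=-3%20UNION%20ALL%20SELECT%201,2,3--%20- HTTP/1.1" 200 620 "-" "sqlmap/1.8 (https://sqlmap.org)"
203.0.113.5 - - [10/Mar/2024:12:00:05 +0000] "GET /index.php?id=3%20AND%20SLEEP(5)--%20- HTTP/1.1" 200 5120 "-" "sqlmap/1.8 (https://sqlmap.org)"
198.51.100.9 - - [10/Mar/2024:12:01:00 +0000] "GET /about.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')

# One pattern per probe step from the slides, matched against the URL-decoded
# query string so that %27 / %20 encoding does not hide the payload.
SQLI_PATTERNS = {
    "quote_probe": re.compile(r"'"),
    "order_by": re.compile(r"\border\s+by\s+\d+", re.I),
    "union_select": re.compile(r"\bunion\b.*\bselect\b", re.I),
    "time_based": re.compile(r"\b(sleep|benchmark|pg_sleep|waitfor)\b", re.I),
    "comment_tail": re.compile(r"--|/\*"),
}
# Assumption: sqlmap's default User-Agent starts with "sqlmap/". Any client can
# send any User-Agent, so treat a match as a hint, not proof.
SQLMAP_UA = re.compile(r"^sqlmap/", re.I)


def classify(line):
    """Return (client_ip, reasons) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = unquote_plus(urlsplit(m.group("path")).query)
    reasons = [name for name, rx in SQLI_PATTERNS.items() if rx.search(query)]
    if SQLMAP_UA.search(m.group("ua")):
        reasons.append("sqlmap_user_agent")
    return m.group("ip"), reasons


def scan(log_text):
    """Aggregate suspicious requests per client IP: {ip: {reason: count}}."""
    hits = {}
    for line in log_text.splitlines():
        result = classify(line)
        if result and result[1]:
            per_ip = hits.setdefault(result[0], {})
            for reason in result[1]:
                per_ip[reason] = per_ip.get(reason, 0) + 1
    return hits
```

A burst of 500 responses followed by a 200 with a longer body on the same parameter, as in the sample, is the error-then-UNION signature of step (2) and (3); POST bodies are not in the access log, so the same logic needs a request-body log or a WAF to cover the POST case from the earlier slide.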
Demo on an actual site
www.f10products.co.za/index.php?id=3
www.bible-history.com/subcat.php id=22
https://ssy.org/inner.php?id=219
Some other useful parameters
--threads : Speeding up your process by creating several instances
--tor :
--proxy :
--start and --stop : Limits for number of records
--users :
--pass :
Sources:
● W3schools.org
● Links mentioned in specific slides
THANK YOU
