Sqlmap tutorial for beginners – hacking with sql injection

As I discussed in my previous post, we can exploit union-based SQL injection with the help of manual SQL queries. Now we will do the same exercise with a Python-based tool, sqlmap.

Note: This tutorial is being carried out on the demo test site provided by Acunetix. You can also try it on the same website.

Sqlmap

Sqlmap is arguably the most popular and powerful SQL injection automation tool available, and it is completely open source. All it needs is the vulnerable URL in the case of a GET request, or a text file containing the request if we want to test a POST request.

Sqlmap can exploit the application's database and do a lot of hacking, such as extracting database names, tables, columns, and all the data in the tables. It can even read and write files on the remote file system under certain conditions.

Sqlmap can also give shell access to the server under certain circumstances. We will discuss all possible scenarios one by one.

Sqlmap comes as a package in operating systems like Kali and BackTrack. On other machines we need to install it ourselves. You can check my post on installing it on Windows machines.

Once we have sqlmap installed and running we can proceed further to see how this tool can be utilized.

Some basic Options:

-h, --help           Show basic help message and exit
-hh                  Show advanced help message and exit
-v VERBOSE           Verbosity level: 0-6 (default 1)

Target: At least one of these options has to be specified to set the source to get target URLs from

-d DIRECT            Direct connection to the database
-u URL, --url=URL    Target URL
-l LOGFILE           Parse targets from Burp or WebScarab proxy logs
-m BULKFILE          Scan multiple targets listed in a given text file
-r REQUESTFILE       Load HTTP request from a file
-g GOOGLEDORK        Process Google dork results as target URLs
-c CONFIGFILE        Load options from a configuration INI file

Other Key Options to use:

--cookie             Set authentication cookie used for maintaining access
--dbs                Enumerate databases
--technique          Specify which SQL injection technique is to be used
--dbms               Specify DBMS name if you already know it (your time is precious, save it)
-p TESTPARAMETER     Specify if you already know testable parameter(s)

The options to use with sqlmap depend entirely on what the attacker has in mind to perform on the database. The basic flow of sqlmap is as follows:

  • enumerate database information such as name, version, other details,
  • select a particular database to enumerate tables,
  • select tables and enumerate columns,
  • select columns and enumerate rows to extract data,
  • further exploitation if required.

Finding vulnerable URLs for GET Requests

Let's suppose we have a URL like the one below, where we use the “pic” parameter to get some details.

http://testphp.vulnweb.com/product.php?pic=1

We can test whether this particular URL is vulnerable to SQL injection as shown below.

http://testphp.vulnweb.com/product.php?pic=1'

We just added a single quote to the parameter. If this URL throws an error or reacts in an unexpected manner, then it is clear that the database has received the unexpected single quote, which the application did not escape properly. So in this case the input parameter “pic” is vulnerable to SQL injection.
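Why the stray quote produces a database error, and how a bound parameter prevents it, shown as an added example that is not part of the original post. The table, the sample rows and both function names are assumptions made for illustration, and SQLite stands in for the site's real database.

```python
import sqlite3

def make_db():
    # Constructed sample data standing in for the application's database.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE pictures (id INTEGER PRIMARY KEY, title TEXT)")
    db.executemany("INSERT INTO pictures VALUES (?, ?)",
                   [(1, "sunset"), (2, "harbour")])
    return db

def lookup_concatenated(db, pic):
    # Vulnerable pattern: the parameter is pasted into the SQL text, so a
    # stray quote changes the syntax of the statement itself.
    sql = "SELECT title FROM pictures WHERE id = " + pic
    try:
        return ("ok", db.execute(sql).fetchall())
    except sqlite3.Error as exc:
        return ("db-error", str(exc))

def lookup_parameterized(db, pic):
    # Hardened pattern: check the expected type, then bind the value so it
    # can never be parsed as SQL.
    if not (pic.isascii() and pic.isdigit()):
        return ("rejected", [])
    rows = db.execute("SELECT title FROM pictures WHERE id = ?",
                      (int(pic),)).fetchall()
    return ("ok", rows)

if __name__ == "__main__":
    db = make_db()
    for value in ("1", "1'"):
        print(repr(value), lookup_concatenated(db, value),
              lookup_parameterized(db, value))
```

The "db-error" result for `1'` is the behaviour the quote test looks for; the parameterized version never hands the quote to the SQL parser.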

Let’s exploit it with Sqlmap

We just need to run the command below to cross-check the possibility of SQL injection once again.

sqlmap.py -u "http://testphp.vulnweb.com/product.php?pic=1"

With the above command, sqlmap sends different kinds of SQL injection payloads to the input parameter and checks the output. It also tries to identify the remote system's OS, database name and version. The possible output will look like below.

So it identified the version of the web application framework and the back-end DBMS. Looks awesome, but when we have a tool like sqlmap there is no point in being satisfied with only this result.

Let's dive deeper.
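What this testing looks like from the web server's side, as an added detection example that is not part of the original post. The log lines are constructed, the sqlmap version string is a placeholder, and the check assumes the tool is run with its default User-Agent and that “pic” should only ever carry an integer.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (combined log format). Addresses come from
# documentation ranges; the sqlmap version string is a placeholder.
SAMPLE_LOG = '''\
198.51.100.7 - - [01/Jan/2024:10:00:01 +0000] "GET /product.php?pic=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Jan/2024:10:00:02 +0000] "GET /product.php?pic=1%27 HTTP/1.1" 200 480 "-" "sqlmap/1.x (https://sqlmap.org)"
203.0.113.9 - - [01/Jan/2024:10:00:03 +0000] "GET /product.php?pic=1 HTTP/1.1" 200 512 "-" "sqlmap/1.x (https://sqlmap.org)"
192.0.2.44 - - [01/Jan/2024:10:00:04 +0000] "GET /product.php?pic=1%27%22 HTTP/1.1" 500 120 "-" "Mozilla/5.0"
'''

LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" \d{3} \S+ "[^"]*" "([^"]*)"'
)

def scan(log_text, param="pic"):
    """Return {client_ip: sorted reasons} for requests worth reviewing."""
    flagged = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        ip, target, user_agent = m.groups()
        reasons = flagged.get(ip, set())
        # By default sqlmap announces itself in the User-Agent header.
        if user_agent.lower().startswith("sqlmap/"):
            reasons.add("sqlmap-user-agent")
        # The parameter should only ever carry an integer id.
        query = parse_qs(urlsplit(target).query, keep_blank_values=True)
        if any(not v.isdigit() for v in query.get(param, [])):
            reasons.add("non-numeric-" + param)
        if reasons:
            flagged[ip] = reasons
    return {ip: sorted(r) for ip, r in flagged.items()}

if __name__ == "__main__":
    for ip, reasons in scan(SAMPLE_LOG).items():
        print(ip, ", ".join(reasons))
```

The User-Agent match only catches default runs; the parameter-type check is the more durable signal because it does not depend on how the client identifies itself.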

sqlmap.py -u "http://testphp.vulnweb.com/product.php?pic=1" --dbs

“--dbs” will try to get the list of databases present.

So the above output shows the existing databases on the remote system.

Find tables in a particular database

Now it's time to find out what tables exist in a particular database. In this case I am more interested in the database “acuart”. So we will run the below command.

sqlmap.py -u "http://testphp.vulnweb.com/product.php?pic=1" --tables -D acuart

“--tables” tells sqlmap to fetch the table names from “-D acuart”.

We have 8 tables present in the database, and I am more interested in “users”.

Get columns of a table

Now that we have the list of tables with us, it would be a good idea to get the columns of some important table.

sqlmap.py -u "http://testphp.vulnweb.com/product.php?pic=1" --columns -D acuart -T users

“--columns” tells sqlmap to fetch the column names from “-D acuart -T users”.

Wow! Everything is working great.

Get data from a table

The most exciting part begins just now, that is to dump all the data of this table.

sqlmap.py -u "http://testphp.vulnweb.com/product.php?pic=1" --dump -D acuart -T users

Awesome! We get everything we needed. In addition to that, as you can see in the first two lines, you can also keep hashes (if present) for further attacks. We will surely discuss this as well in later blog posts.

Sqlmap stores all the output files in CSV format on your machine, which we can browse later.

So today we have learnt the most basic usage of sqlmap. We will discuss it further in the next posts. Stay tuned.

Note: Make sure you run this tool only when you have proper permission from the owner of the application. (No unethical activities please. :P)
