If you're new to the program, SQLmap flags and commands can seem complicated and overwhelming, but when you learn how the tool works, you’ll find it very intuitive.
SQLmap is a powerful tool in any ethical hacker’s arsenal. It can find and exploit SQL Injection, inject commands, open interactive shells, and more.
In this article, we’ll walk you through becoming proficient in using it.
In this SQLmap tutorial for beginners, we’ll examine the tool’s injection basics, demonstrate practically how it works and how to use it, decode database fingerprinting, data retrieval intricacies, and more. After reading this article, you'll master SQLmap confidently and be able to probe, exploit, and secure systems effectively.
Are you ready? Let's delve into it.
What Is SQLmap?
SQLmap is a potent tool in cyber security professionals' arsenal. It’s particularly adept at testing SQL injection vulnerabilities.
Once started, it can automatically find and exploit these vulnerabilities within web apps that interact directly with databases.
SQLmap thoroughly checks web apps, examining inputs for potential SQL injection entry points. Once discovered, it allows pen testers to leverage these vulnerabilities, potentially extracting sensitive information, modifying databases, or even gaining unauthorized system access.
What Is an SQL Injection?
SQL injection is a huge issue for web applications.
This vulnerability allows hackers to access databases through user input fields like login forms or search boxes. Afterwards, they injected them with malicious queries to make SQL code run without permission.
The hackers can then see private data on databases or even get to control the whole system.
It's a common vulnerability because web apps automatically trust user-supplied input. If inputs aren't checked properly or sanitized, attacker-made SQL commands can sneak in and cause severe damage.
That's the core of SQL injection: attackers manipulate user input to get access to the database. Sensitive data like passwords, credit cards, or admin logins can all be exposed.
Beyond data theft, SQL injection can completely undermine a system. Compromise data security may cause organizations to suffer reputational damage, financial losses, and legal repercussions.
Securing your web app with input validation, sanitization, and limiting query access is vital. But now, let’s get more practical!
Getting Started With Our Kali Linux SQLmap Tutorial
SQLmap is essential for finding and exploiting SQL injection vulnerabilities in web apps. We'll look at how SQLmap works—from setup to advanced exploitation techniques.
Starting SQLmap Help Menu
Before testing with SQLmap, we need to know its commands and options. Typing “sqlmap --help” in the terminal shows a list of commands, flags, and descriptions. This help menu guides us in using SQLmap's features for penetration testing.
SQLmap's help menu contains many commands and flags for different penetration testing needs. Each command has a detailed description explaining what it does.
For example, “--url
” specifies the target URL to scan for SQL injection vulnerabilities.
The “-p
” flag lets you pick vulnerable parameters in the URL.
Commands like “--data
” allow testing web forms by providing POST data, which is useful for dynamic web apps.
Basic Usage of SQLmap
The basic syntax of SQLmap looks like this:
sqlmap -u <url> -p <attack parameter> -<flags>
- The
-u
option allows you to specify the URL you’ll be targeting. For example, "sqlmap -u https://example.com/login.php
" tells SQLmap to look at the login.php page on example.com for SQL injection vulnerabilities.
SQLmap will automatically try various SQL code inputs on the URL to identify and test any vulnerabilities it finds.
SQLmap provides many options to customize its scanning process.
- The "
-o
" option quickly exports scan results to a file of your choice.. - The "
--tor
" option lets you stay anonymous while scanning. - The “
--wizard
” option—perfect for beginners—gives you an interactive interface of the tool that easily guides you through the scanning process.
Learning these basic uses helps uncover SQL injection vulnerabilities and better protect websites.
Most Common SQLmap Commands and Flags to Know
SQL injection testing involves understanding SQLmap's commands and flags well, especially the database-related ones.
- The
-d
flag helps you get database names, tables, and columns. - The
-T
flag lets you target specific database tables for deeper analysis and data extraction. This makes exploitation more precise. - The
-D
flag allows specifying a particular database within the target application. This streamlines exploitation by focusing SQLmap's efforts on relevant data. For example, with the -D flag together with the--tables
flag, we can dump a database’s tables, as you can see from the following image:
Beyond the basics, SQLmap has additional options and settings to improve vulnerability detection and exploitation. For example:
- The
"--level
" and "--risk
" flags adjust how intense and aggressive SQLmap's scanning techniques are. Higher levels instruct SQLmap to use more aggressive methods, potentially revealing deeper vulnerabilities in the target application. This allows users to tailor the penetration testing approach based on the application's robustness and vulnerability level.
What's more, SQLmap's skills go beyond just URL scanning. It helps with many HTTP requests and authentication techniques, too, like:
- The "
--method
" flag, which allows you to choose the HTTP method for the scan so you can test different app endpoints (more in-depth). SQLmap works with basic, digest, and NTLM auth, making it compatible with many web apps and systems.
Additionally, SQLmap offers features for managing and persisting sessions, which are vital for a complete penetration testing on a target environment like VulnWeb.
- The
--resume
flag lets you continue a previous SQLmap session, ensuring continuity in testing efforts and enabling team collaboration.
- The
--save
flag allows saving the current session state to a file. This provides a sort of "snapshot" of scan progress and results for future reference.
You can find even more groundbreaking commands and flags, from data retrieval and manipulation to advanced exploitation techniques, in our free SQLmap Cheat Sheet.
Discovering Vulnerabilities With SQLmap
Discovering security vulnerabilities with SQLmap is a multi-step process, particularly when examining webapps.
We already saw basic commands like "sqlmap -u https://example.com/page.php
" but, along with basic commands, more advanced tactics are crucial for identifying and exploiting SQL injection vulnerabilities effectively.
One advanced tactic involves using the --tamper
flag. This flag applies code scripts to bypass web app firewalls and filters that try to detect and block SQL injection attempts.
By leveraging tamper scripts like space2comment, charencode, or randomcase, SQLmap can disguise its payloads, evading these defenses. This increases the chance of successful exploitation.
As we navigate SQL injection testing, it's essential to leverage SQLmap's advanced database management commands effectively. We’ll look at this in more depth in the following sections.
The --dump
feature helps you dump (i.e., see and copy) all the data in the database of your target. This could include usernames, passwords, secret info, and system settings.
Database Fingerprinting and Data Retrieval with SQLmap
Getting database information using SQLmap is crucial in SQL injection testing. For fingerprinting with SQLmap, these steps are a must:
- Identify accessible database names;
- Determine database versions;
- Recognize underlying database management system;
- Extract database table names and column details.
Through fingerprinting, penetration testers uncover sensitive data structure insights, guiding exploitation strategies. Mindlessly attacking without fingerprinting risks missing valuable information since fingerprinting shows the database’s architecture comprehensively.
For this part of the tutorial, we’ll use VulnWeb, an intentionally vulnerable website.
1.Identify the target URL: Start by identifying the URL of the vulnerable web application hosted on the target server. In this case, our URL will be http://testphp.vulnweb.com/listproducts.php?cat=1. You can find it by going to VulnWeb's home page, clicking on “browse categories,” and then going to “posters.” This URL will be the starting point for our SQLmap's database fingerprinting process.
2. Initiate database fingerprinting: Once we’re sure we have our target URL in mind, we can start the database fingerprinting process by adding the --dbs
flag to the basic command we previously saw (which was “sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1
”).
This flag instructs SQLmap to enumerate the available databases within the target application. Remember that before running the command, we can do some basic manual tests as well and try to replace the number “1” in the “cat” parameter with something else, like an asterisk (*).
When we do, we should see (in this case) the following error, indicating a possible SQLi vulnerability:
So now the full command will be “sqlmap
” followed by the necessary flags and options. Ensure that you include the “-u
” flag followed by the URL of the vulnerable web application and, lastly, add the database flag:
Now, from the output following the above command, we can see the backend information and two database names, “acuart
” and “information_schema
”:
3.Explore database contents: Once SQLmap has identified the databases within the target application, you can explore their contents further by selecting a specific database for enumeration—in our case, “acuart
”.
Now, use the -D
flag followed by the name of the database to specify the target database for enumeration. To list the tables within the specified database, we’re going to use the flag “--tables
” at the end of this command:
This allows us to extract valuable information stored within that database:
4.Extract table data: After identifying the tables within the target database, you can extract data from specific tables using SQLmap. Use the “-T” flag followed by the name of the table to specify the target table for data extraction and then the flag “--dump” for dumping the content of the table we choose (in this case, “artists”):
You’ll then be able to see that the table “artists” has three columns:
5.Extract column data: Lastly, we can specify the column—in this case, we chose “aname”—with the -C flag and see its content with the “--dump” flag.
Our last command will look like this:
In the output we’ll see the content of that column, which will contain the nicknames of the creators of this website:
Advanced Attacks With SQLmap
SQLmap's advanced attacks enable you to deeply explore SQL injection vulnerabilities and their exploitation methods.
In this section, we'll analyze these sophisticated techniques, shedding light on their significance and real-world applications.
Determining Users With SQLmap
SQLmap's --users
flag is a robust tool for this job, helping pen testers kick off an in-depth scan and uncover users stored in the web app's database.
The basic command stays the same, but now we have to add this new flag at the end of it, like this:
Remember that SQLmap meticulously combs through the database to reveal pertinent user information, such as usernames, roles, and privileges.
We can then see in the output of the above command that we found one user called 'acuart@localhost
' for the database 'acuart
':
Password Hash Detection and Cracking
Password hashes contained inside a database can be hard to find and crack, yet they provide great opportunities for ethical hackers to exploit them.
The --passwords
function in SQLmap helps find these hashes.
So the new command will be the following:
Upon detecting password hashes, SQLmap prompts you to attempt a dictionary or brute force attack against to crack them.
For the purpose of this demo, we’re attacking another target database started locally, where we can see the output of a successful retrieval of password hashes and dictionary-based attack.
Through this process, ethical hackers can identify insecure or compromised passwords.
Command Injection With SQLmap
Command injection enables attackers to execute arbitrary commands on the target system, transcending SQL injection. SQLmap's --os-cmd
flag equips professionals with this exploitation capability, unveiling new horizons.
With this new SQLmap flag in mind, the new command will look something like this:
The VulnWeb site is not vulnerable to this attack, so we started a vulnerable database on our local machine for this demo.
The command would follow this template: sqlmap -u https://example.com --os-cmd=”uname -a”
, where example.com
is a vulnerable database and uname -a
is the command we wish to run. They display all the information about the system's kernel, and the output will look like this:
Opening a Shell With SQLmap
The pinnacle of advanced exploitation lies in the ability to spawn an interactive shell on the target system, which is made possible by SQLmap's --os-shell
flag.
This command acts as a gateway to unrestricted access, granting hackers and pentesters full control over the compromised environment.
So now our command will look like this:
We couldn’t open any shell on VulnWeb in this situation. However, we ran the attack successfully on our local host target:
The above image is a great example of why fingerprinting and enumeration of the target are so important.
To successfully create an interactive shell, we needed to indicate the language the web server uses—in this case, PHP—and may have needed to indicate the web server's root folder. Fortunately, SQLmap was able to determine it for us this time.
Advanced SQLmap attacks help cyber security experts go beyond normal penetration testing. Remember to always follow ethical guidelines when trying these advanced attacks!
Conclusion
Mastering offense and defense tactics is essential for ethical hackers.
This SQLmap tutorial for beginners explains SQL injection vulnerabilities and how SQLmap helps find and exploit them.
Now you can probe systems and exploit SQL Injection vulnerabilities.
We hope that you found this article useful and that it will assist you in CTFs, Bug Bounties, and throughout your whole WebApp pentesting career.
If you want access to courses covering SQL Injections, SQLmap, and exploiting different vulnerabilities, consider joining the StationX's Accelerator Program, where you'll get access to more than a 1000 courses and labs, career guidance, and unlimited mentorship.