Before we jump in and learn how to use sqlmap, we need to have a good understanding of what it is and, just as importantly, what it’s not.
sqlmap is an automatic SQL injection and database takeover tool. It’s an open-source tool, meaning that you can view its entire codebase and this codebase is maintained by a group of contributors including the original authors. You can contribute to the project, and you could even create your own version of it if you wanted to. That’s the beauty of open source.
sqlmap is designed as a penetration testing tool that automates the process of detecting and exploiting SQL injection flaws. Once SQL injection flaws are found, this tool can help you exploit the vulnerabilities to their maximum extent by using a large number of different features. In some cases, sqlmap can help you completely take over database servers.
In terms of SQL injections, this really is a powerful tool. It includes features like:
- Database fingerprinting – gather information about what database engine, version, etc., an application is using, which is really useful for reconnaissance
- Full support for major database engines – like MySQL, Oracle, Postgres, SQL Server, SQLite, MariaDB, Redshift, and a bunch of others
- Full support for 6 SQL injection techniques – boolean-based blind, time-based blind, error-based, UNION query-based, stacked queries, and out-of-band
  - If you’re not familiar with what these techniques are, how they work, or what they do, then be sure to check out my free Injection Attacks course where we cover all of these concepts in great detail
- Support to enumerate users, password hashes, privileges, roles, databases, tables and columns – enumeration gathers additional information from the database in order to then exploit it and hopefully (at least if you’re on the red team), reveal all of that information I just mentioned
- Support to download & upload files, and execute arbitrary commands on the database server
- Support to establish out-of-band connections between an attacker machine and the database server – which is a more advanced technique that makes connections from the database server to your own remote server in order to retrieve results or execute commands
There are other features that we didn’t mention, but those are some of the big ones.
What sqlmap isn’t
While it sounds like a magical tool, and to some degree it is pretty magical, it’s not a silver bullet. For one, while it automates a lot, it still requires human interaction and human skill to point it in the right direction and to properly configure it.
Just like any other tool, it also has its limitations. So while it’s a great tool to have in your arsenal and any web pentester should absolutely learn how to use it, you can’t just run this tool, find nothing, and then call it a day. A clean run won’t guarantee that there aren’t any SQL injections; the tool just helps speed up the process and can find vulnerabilities that you wouldn’t have found manually.
It can also be a tool that you add to your automated workflow when deploying new code, which again, can help augment your team and help as part of your DevOps pipeline.
I saw these questions when doing a quick Google search for sqlmap, so I figured we could kick off the course by answering them since you likely also have these questions:
Is sqlmap illegal?
The short answer is no – sqlmap is perfectly legal. The long answer is ‘it depends.’ Just like buying, owning, and using a knife in and of itself is perfectly legal, going and stabbing someone is not legal.
So, the moral of the story is that how we’re going to use sqlmap in this course is perfectly legal. However, if you start to try and use sqlmap against environments that you do not have explicit written permission for, then you enter illegal territory and you should not do that. Always have permission.
What is the purpose of sqlmap?
We already answered this one so I’ll skip it.
Can sqlmap be traced?
This answer depends on what you mean by traced and on what configurations you use for sqlmap. If we go with the typical meaning of traced in cybersecurity (someone could find out you used sqlmap against their platform), then with default sqlmap configurations, yes, you would be traceable. However, there are other options you can use to mask your traces, such as the `--tor` setting, which tunnels your traffic through Tor and means you are just as untraceable as any other use of Tor. Privacy and anonymization are a big and complex topic outside the scope of this course, so we won’t get into that here, but that’s my answer for now.
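Seen from the defender's side, the traceability described above looks like this. The following is an added example, not part of the original course: it scans web access-log lines for sqlmap's default User-Agent and for coarse signatures of four of the injection techniques listed earlier. The log lines, IP addresses and version string are constructed, and the signature patterns are illustrative assumptions, not a complete rule set.

```python
import re
from urllib.parse import unquote_plus

# Apache/nginx "combined" format: ip - - [time] "METHOD path PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# By default sqlmap identifies itself in the User-Agent header ("sqlmap/<version>...").
SQLMAP_UA = re.compile(r"^sqlmap/", re.I)
# Coarse request-side signatures for four of the technique families listed above.
TECHNIQUE_SIGS = {
    "boolean-based blind": re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+", re.I),
    "time-based blind": re.compile(r"\b(sleep|pg_sleep|benchmark)\s*\(|waitfor\s+delay", re.I),
    "UNION query-based": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "stacked queries": re.compile(r";\s*(select|insert|update|delete|drop|exec)\b", re.I),
}

def analyze(lines):
    """Return {client_ip: set of reasons the client's requests look like SQLi testing}."""
    findings = {}
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not a combined-format line
        reasons = set()
        if SQLMAP_UA.search(m["ua"]):
            reasons.add("default sqlmap User-Agent")
        query = unquote_plus(m["path"].partition("?")[2])  # decode %20, + etc.
        reasons.update(name for name, sig in TECHNIQUE_SIGS.items() if sig.search(query))
        if reasons:
            findings.setdefault(m["ip"], set()).update(reasons)
    return findings

# Constructed sample log lines (documentation IP ranges, made-up version string).
TS = "[10/Oct/2024:13:55:36 +0000]"
SAMPLE_LOG = [
    f'203.0.113.7 - - {TS} "GET /item?id=1 HTTP/1.1" 200 512 "-" "sqlmap/1.8#stable (https://sqlmap.org)"',
    f'203.0.113.7 - - {TS} "GET /item?id=1%20AND%205=5 HTTP/1.1" 200 512 "-" "sqlmap/1.8#stable (https://sqlmap.org)"',
    f'198.51.100.4 - - {TS} "GET /item?id=1%20UNION%20ALL%20SELECT%20NULL,NULL HTTP/1.1" 200 498 "-" "Mozilla/5.0"',
    f'192.0.2.10 - - {TS} "GET /item?id=2 HTTP/1.1" 200 530 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, reasons in sorted(analyze(SAMPLE_LOG).items()):
        print(ip, sorted(reasons))
```

The User-Agent check only catches runs that kept the default header, and payloads sent in POST bodies do not appear in an access log, so treat a hit as one signal among several.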
What is sqlmap in Termux?
Termux is an Android terminal emulator and Linux environment application, so it sounds like people are wondering what sqlmap is when they’re using that…and it’s not different than what we’ve already discussed!
OK, so that’s it for this lesson on what sqlmap is. Let’s complete this lesson and move on to the next!