Whenever I download new command-line tools, there are a few things I like to do:
- Open up the tool’s documentation – which is usually on GitHub, at least for open source tools
- Use -h in my terminal
-h typically gives a good overview of the most common and useful commands or options for that particular tool, and it's usually in an easily digestible format, which makes it easier to get started.
Combining that with the tool’s documentation, which can sometimes be hit or miss, and we can be off to a good start within a matter of minutes.
sqlmap Documentation
Luckily, sqlmap’s documentation is actually really good for this type of open source project, so props to the authors Bernardo & Miroslav!
Let’s start by looking over the Introduction section of the tool’s documentation on GitHub.
On this page, they give us a very simple example of what a target URL might look like for SQL injection:
http://192.168.136.131/sqlmap/mysql/get_int.php?id=1
We have a target IP, a path to an endpoint, and a query parameter of id=1.
To check for SQL injection, we might change the parameter value from 1 to something different, like 1+AND+1=1 or 1+AND+1=2 (the + encodes a space in a query string), and watch for the result on the webpage or in the HTTP response. If the 1=1 version returns the same page as id=1 but the 1=2 version returns a different page (for example, an empty result), the value is being evaluated as SQL rather than treated as a plain integer. This is something we can do manually, and a tool such as ZAP or Burp can help with it.
But, this is also something that sqlmap can help with!
By passing that same target to sqlmap:
http://192.168.136.131/sqlmap/mysql/get_int.php?id=1
The tool will:
- Identify the parameters to test (in this case id)
- Identify which SQL injection techniques can be used to try and exploit that parameter
- Fingerprint the back-end database management system (to gather information about what technologies we’re dealing with)
- And, depending on what it finds, attempt to exploit vulnerabilities
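To make the boolean differential concrete, here is an added Python example (not sqlmap's code and not from the lesson) that simulates the get_int.php endpoint with an in-memory SQLite table, runs the id=1 / 1+AND+1=1 / 1+AND+1=2 probes against it, and does the same against a hardened version of the endpoint that validates and parameterises the value. The table, column and function names are assumptions made for this example.

```python
# Added example (not sqlmap's code and not from the lesson): the boolean
# differential that the 1+AND+1=1 / 1+AND+1=2 trick relies on, run against an
# in-memory SQLite stand-in for get_int.php. Table, column and endpoint names
# are assumptions made for this example.
import sqlite3
from urllib.parse import parse_qs


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the target's back-end database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?)", [(1, "widget"), (2, "gadget")])
    return conn


def vulnerable_endpoint(conn: sqlite3.Connection, id_param: str) -> str:
    """Hypothetical get_int.php: the parameter is concatenated into the query."""
    query = f"SELECT name FROM items WHERE id={id_param}"
    try:
        rows = conn.execute(query).fetchall()
    except sqlite3.Error:
        return "500 database error"
    if not rows:
        return "no result"
    return "found " + ", ".join(name for (name,) in rows)


def hardened_endpoint(conn: sqlite3.Connection, id_param: str) -> str:
    """Same endpoint with input validation and a parameterised query."""
    try:
        value = int(id_param)
    except ValueError:
        return "400 bad request"
    rows = conn.execute("SELECT name FROM items WHERE id=?", (value,)).fetchall()
    if not rows:
        return "no result"
    return "found " + ", ".join(name for (name,) in rows)


def param_from_query(query_string: str, name: str = "id") -> str:
    """Decode the parameter the way the web server would (+ becomes a space)."""
    return parse_qs(query_string)[name][0]


def looks_injectable(endpoint, conn, base_query: str = "id=1") -> bool:
    """Boolean-based check: the TRUE payload must return the baseline page and
    the FALSE payload must return something else. Any other pattern (both
    differ, both match) means the value is not being evaluated as SQL."""
    baseline = endpoint(conn, param_from_query(base_query))
    true_page = endpoint(conn, param_from_query(base_query + "+AND+1=1"))
    false_page = endpoint(conn, param_from_query(base_query + "+AND+1=2"))
    return true_page == baseline and false_page != baseline


if __name__ == "__main__":
    db = make_db()
    for label, endpoint in (("vulnerable", vulnerable_endpoint), ("hardened", hardened_endpoint)):
        print(f"{label}: injectable={looks_injectable(endpoint, db)}")
```

The check deliberately requires both halves of the differential: a page that changes for every modified value (a 400 from the hardened endpoint, or a 500 from a broken query) is not evidence of injection on its own. sqlmap applies the same idea with many more payload shapes, and uses the error responses for a separate, error-based technique.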
So that’s great, and that sounds awesome, but how do we go beyond concepts and actually put this into practice?
Well, we can head over to the Usage section of this documentation, which includes a massive, comprehensive list of all sqlmap options and how to use them, but that can be overwhelming to beginners, so instead, let's go back over to our Kali installation and use the -h option to get us started (-h prints sqlmap's basic options; -hh prints the full list that the Usage page documents).
-h options
Scrolling to the top, we can right away see a list of options for Target.
Target
As we saw with the prior example, we want to be able to tell sqlmap which target to go after, and we can use the very first option, -u or --url, to specify that. This is where we enter the URL to go after, which I will show in just a moment.
Request
Then, we see a section for Request, which lets us specify how we want sqlmap to connect to our target URL.
This is important to understand because different requests and targets require different approaches. A GET request, where the parameters sit in the URL, is different from a POST request, where they sit in the body. For a POST request, we need to pass in --data=DATA, where the all-caps DATA is the string to be sent in the POST body (for example id=1, in the same form-encoded shape the browser would send it).
We may also need to pass in --cookie=COOKIE, where the all-caps COOKIE is the HTTP Cookie header value. If we're going after an application that requires authentication and the authentication uses session cookies, then without that cookie our sqlmap requests won't go through: the application will reject them or send them to the login page, and sqlmap would end up testing the wrong page. Copy the Cookie header from an authenticated browser session (a proxy such as Burp or ZAP makes this easy), and remember that a cookie string containing semicolons or spaces needs to be quoted on the command line.
Enumeration
Another important set of options is under the Enumeration category. These options tell sqlmap what to extract and return once it has found an injection it can exploit.
For example, you can ask it to retrieve the current database management system user with --current-user, the list of tables with --tables, the entire database schema with --schema, and more.
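The Request and Enumeration sections above describe how a captured request maps onto sqlmap's options. As an added example (not sqlmap's code and not from the lesson), the Python below takes a raw HTTP request of the kind you would copy out of Burp or ZAP, builds the -u, --data and --cookie options from its request line, Host header, Cookie header and body, appends the enumeration options you choose, and prints a shell-safe command line. The two sample requests, the post_int.php path and the cookie values are constructed for this example.

```python
# Added example (not sqlmap's code and not from the lesson): turn a request
# captured in a proxy such as Burp or ZAP into the -u / --data / --cookie
# options, plus any enumeration options. The sample requests, paths and
# cookie values below are constructed for this example.
import shlex

GET_REQUEST = """\
GET /sqlmap/mysql/get_int.php?id=1 HTTP/1.1
Host: 192.168.136.131
User-Agent: Mozilla/5.0
"""

POST_REQUEST = """\
POST /sqlmap/mysql/post_int.php HTTP/1.1
Host: 192.168.136.131
Cookie: PHPSESSID=abc123; security=low
Content-Type: application/x-www-form-urlencoded

id=1
"""


def parse_raw_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    raw = raw.replace("\r\n", "\n")
    head, _, body = raw.partition("\n\n")
    request_line, *header_lines = head.splitlines()
    method, path, _version = request_line.split()
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method.upper(), path, headers, body.strip()


def sqlmap_argv(raw: str, scheme: str = "http", enumeration=()) -> list:
    """Build the sqlmap argument list for a captured request."""
    method, path, headers, body = parse_raw_request(raw)
    if "host" not in headers:
        raise ValueError("request has no Host header; cannot build the target URL")
    argv = ["sqlmap", "-u", f"{scheme}://{headers['host']}{path}"]
    if method == "POST" and body:
        argv += ["--data", body]  # the body string is sent as-is, as the browser sent it
    if "cookie" in headers:
        argv += ["--cookie", headers["cookie"]]  # needed for authenticated targets
    argv.extend(enumeration)  # e.g. --current-user, --tables, --schema
    return argv


def sqlmap_command(raw: str, **kwargs) -> str:
    """Shell-safe command line; quotes the URL and the cookie string (which contains ';')."""
    return shlex.join(sqlmap_argv(raw, **kwargs))


if __name__ == "__main__":
    print(sqlmap_command(GET_REQUEST))
    print(sqlmap_command(POST_REQUEST, enumeration=("--current-user", "--tables")))
```

The quoting step is the part people get wrong by hand: an unquoted --cookie=PHPSESSID=abc123; security=low ends the sqlmap command at the semicolon and runs security=low as a separate shell command. sqlmap's own help (not this lesson) also documents reading a saved request file directly, which avoids retyping these options altogether.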
This is a really powerful set of options that we will definitely use in this course and that we use in the more advanced version of this course as well!
Wizard (--wizard)
Finally, before completing this lesson and moving on to the next, where we will issue our first command, let's take a quick look at the --wizard option that sqlmap provides.
This option is really only useful when you’re first getting started with sqlmap, because once you have more experience, you can work faster and issue more powerful commands without using the wizard. But, this option basically spoon-feeds you what it needs to properly attack a target.
Let’s try it, even though we don’t have an environment running yet, just to see what it does:
Please enter full target URL (-u): http://localhost/
POST data (--data) [Enter for None]: Enter
Injection difficulty (--level/--risk). Please choose:
[1] Normal (default)
[2] Medium
[3] Hard
> 1
Enumeration (--banner/--current-user/etc). Please choose:
[1] Basic (default)
[2] Intermediate
[3] All
> 1
sqlmap is running, please wait..
It fails because nothing is running on our localhost, but we get to see how it asks us questions to determine what it needs. Again, this is just a simpler way of setting the same options (-u, --data, --level, --risk and the enumeration options) that we would otherwise pass on the command line.
Conclusion
Now that we’ve taken a look at the main available options to get us started in using sqlmap, let’s complete this lesson and move on to the next where we will apply what we just learned in order to issue our first sqlmap command and find as well as exploit our first SQL injection with sqlmap.
Solid lesson to help me understand this tool that will one day bring me gold.
Clearly Understood
Glad it was clear! Thanks for the feedback!
Everything very clear and well explained..
Thanks!
very comprehensive
Awesome! Love to see this
Great