Lesson 6 of 9

Using sqlmap for the first time

Christophe April 14, 2021

Whenever I download new command-line tools, there are a few things I like to do:

  1. Open up the tool’s documentation – which is usually on GitHub, at least for open source tools
  2. Use -h in my terminal

-h typically gives a good overview of some of the most popular and useful commands or options that we can use with this particular tool, and it’s usually in an easily digestible format which makes it easier to start with.

Combine that with the tool’s documentation, which can sometimes be hit or miss, and we can be off to a good start within a matter of minutes.

sqlmap Documentation

Luckily, sqlmap’s documentation is actually really good for this type of open source project, so props to the authors Bernardo & Miroslav!


Let’s start by looking over the Introduction section of the tool’s documentation on GitHub.

On this page, they give us a very simple example of what a target URL might look like for SQL injection:

http://192.168.136.131/sqlmap/mysql/get_int.php?id=1

We have a target IP, a path to an endpoint, and a query parameter of id=1.

To check for SQL injection, we might alter the parameter value from 1 to something different, like 1+AND+1=1 or 1+AND+1=2, and watch for the result on the webpage or in the HTTP response. This is something we can do manually, and a tool such as ZAP or Burp can help with it.
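To see why that comparison reveals injection, here is an added example in Python (it is not code from the lesson or from sqlmap). A constructed in-memory SQLite table stands in for the data behind get_int.php; one lookup builds the query by string concatenation, the other enforces the integer type and binds the value. The table contents, function names and the boolean_probe helper are all assumptions made for this illustration.

```python
import sqlite3
from urllib.parse import parse_qs


def make_db():
    """Constructed in-memory table standing in for the data behind get_int.php."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "carol")])
    return conn


def id_from_query(query_string):
    """Decode the id parameter the way a web server hands it to the script:
    'id=1+AND+1=1' arrives as the string '1 AND 1=1'."""
    return parse_qs(query_string)["id"][0]


def lookup_vulnerable(conn, id_value):
    """Query built by concatenation: the parameter becomes part of the SQL text."""
    sql = "SELECT name FROM users WHERE id = " + id_value
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, id_value):
    """Hardened version: enforce the expected type, then bind the value."""
    if not id_value.isdigit():
        return []  # an integer id never contains spaces, operators or quotes
    return [row[0] for row in
            conn.execute("SELECT name FROM users WHERE id = ?", (int(id_value),))]


def boolean_probe(lookup, conn):
    """The comparison from the lesson: request id=1, then 1 AND 1=1, then 1 AND 1=2.
    Returns True when the responses differ the way an injectable parameter's would:
    the true condition matches the baseline and the false condition does not."""
    baseline = lookup(conn, id_from_query("id=1"))
    true_case = lookup(conn, id_from_query("id=1+AND+1=1"))
    false_case = lookup(conn, id_from_query("id=1+AND+1=2"))
    return baseline == true_case and true_case != false_case


if __name__ == "__main__":
    db = make_db()
    print("concatenated query injectable:", boolean_probe(lookup_vulnerable, db))  # True
    print("parameterised query injectable:", boolean_probe(lookup_safe, db))      # False
```

The difference between the two lookups is the whole story: with concatenation the injected condition changes which rows come back, so the page differs between the 1=1 and 1=2 requests; with type validation and a bound parameter both tampered values are rejected identically, so there is nothing for the probe to observe.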

But, this is also something that sqlmap can help with!

By passing in that same target to sqlmap:

http://192.168.136.131/sqlmap/mysql/get_int.php?id=1

The tool will:

  • Identify the parameters to test (in this case id)
  • Identify which SQL injection techniques can be used to try and exploit that parameter
  • Fingerprint the back-end database management system (to gather information about what technologies we’re dealing with)
  • And, depending on what it finds, attempt to exploit vulnerabilities
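Seen from the defending side, that same sequence of probes leaves a recognisable trail in the web server's access log. The following added example (not part of the lesson or of sqlmap) parses combined-format log lines in Python and flags requests whose decoded query parameters carry the boolean probes described above, or whose User-Agent names sqlmap. The log lines, IP addresses, the sqlmap version string in the User-Agent and the helper names are constructed for the illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# One line of Apache/nginx "combined" log format:
# client ident user [time] "METHOD target PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# What the lesson's probes look like once URL-decoded: a boolean tautology such as
# "AND 1=1" / "AND 1=2", or quote, comment and UNION tokens an integer id never carries
SQLI_RE = re.compile(r"(?i)\b(?:AND|OR)\s+\d+\s*=\s*\d+|[\x27\x22]|--|/\*|\bUNION\b")


def parse_line(line):
    """Split one combined-format line into fields, or return None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def suspicious_params(target):
    """Names of query parameters whose decoded values contain SQL probe tokens."""
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    return [name for name, values in params.items()
            if any(SQLI_RE.search(v) for v in values)]


def classify(line):
    """Return the client, target and the reasons a line is suspicious (empty if none)."""
    rec = parse_line(line)
    if rec is None:
        return None
    reasons = []
    if "sqlmap" in rec["ua"].lower():  # sqlmap's default User-Agent names the tool
        reasons.append("sqlmap User-Agent")
    hit = suspicious_params(rec["target"])
    if hit:
        reasons.append("SQL probe in parameter(s): " + ",".join(hit))
    return {"ip": rec["ip"], "target": rec["target"], "reasons": reasons}


def scan(lines):
    """All parsed lines that have at least one reason attached."""
    return [r for r in map(classify, lines) if r and r["reasons"]]


# Constructed sample log: a normal visit, two probes of the id parameter from the
# lesson's example URL, and a later benign request from the same client
SAMPLE_LOG = [
    '192.0.2.10 - - [14/Apr/2021:10:00:01 +0000] "GET /sqlmap/mysql/get_int.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.77 - - [14/Apr/2021:10:00:02 +0000] "GET /sqlmap/mysql/get_int.php?id=1%20AND%201%3D1 HTTP/1.1" 200 512 "-" "sqlmap/1.5 (https://sqlmap.org)"',
    '192.0.2.77 - - [14/Apr/2021:10:00:03 +0000] "GET /sqlmap/mysql/get_int.php?id=1%20AND%201%3D2 HTTP/1.1" 200 61 "-" "sqlmap/1.5 (https://sqlmap.org)"',
    '192.0.2.77 - - [14/Apr/2021:10:00:04 +0000] "GET /sqlmap/mysql/get_int.php?id=2 HTTP/1.1" 200 498 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding["ip"], finding["target"], "->", "; ".join(finding["reasons"]))
```

The User-Agent check only catches a default configuration, so the parameter check is the signal worth keeping; note also the response sizes in the two probe lines (512 bytes for 1=1, 61 bytes for 1=2), which is exactly the difference the tool is looking for and a useful secondary field to alert on when the same client sends two requests that differ only in the tautology.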

So that’s great, and that sounds awesome, but how do we go beyond concepts and actually put this into practice?
Well, we can head over to the Usage section of this documentation, which includes a massive comprehensive list of all sqlmap options and how to use them, but that can be overwhelming to beginners, so instead, let’s go back over to our Kali installation and let’s use the -h option to get us started.


Scrolling to the top, we can right away see a list of options for Target.

Target

As we saw with the prior example, we want to be able to tell sqlmap which target to go after, and we can use the very first option of -u or --url in order to specify that. This is where we will enter our URL to go after, which I will show in just a moment.

Request

Then, we see a section for Request which lets us specify how we want sqlmap to connect to our target URL.

This is important to understand because different requests and targets require different approaches. If it’s a GET request, that’s different than if it’s a POST request. If it’s a POST request, we’ll need to pass in --data=DATA where the all-caps DATA is a string to be sent through the POST request.

We may also need to pass in --cookie=COOKIE where the all-caps COOKIE is an HTTP Cookie header value. If we’re going after an application that requires authentication and that authentication uses cookies, our sqlmap requests won’t go through and will be rejected by the application unless we provide that cookie information.

Enumeration

Another important set of options to know about is under the Enumeration category. These options basically tell sqlmap what to do and what to return if it finds a vulnerability that it can exploit, or if it finds information that is not properly concealed. 

For example, you can ask it to retrieve the current Database Management System user with --current-user, you can ask for a list of the database’s tables with --tables, the entire database schema with --schema and more.

This is a really powerful set of options that we will definitely use in this course and that we use in the more advanced version of this course as well!

Wizard (--wizard)

Finally, before completing this lesson and moving on to the next where we will issue our first command, let’s take a quick look at the --wizard option that’s provided by sqlmap. 

This option is really only useful when you’re first getting started with sqlmap, because once you have more experience, you can work faster and issue more powerful commands without using the wizard. But, this option basically spoon-feeds you what it needs to properly attack a target. 

Let’s try it, even though we don’t have an environment running yet, just to see what it does:

Please enter full target URL (-u): http://localhost/

POST data (--data) [Enter for None]: Enter

Injection difficulty (--level/--risk). Please choose:
[1] Normal (default)
[2] Medium
[3] Hard
> 1

Enumeration (--banner/--current-user/etc). Please choose:
[1] Basic (default)
[2] Intermediate
[3] All
> 1

sqlmap is running, please wait..

It fails because we have no environment running on our localhost, but we get to see how it asks us questions to determine what it is that we need. Again, this is just a simpler way of using the same options and commands that we would issue via the terminal instead.

Conclusion

Now that we’ve taken a look at the main available options to get us started in using sqlmap, let’s complete this lesson and move on to the next where we will apply what we just learned in order to issue our first sqlmap command and find as well as exploit our first SQL injection with sqlmap.
