Tag Archives: SQL injection

SQL injection with SQLMap

sqlmap, included in the Kali distro, is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of back-end database servers. It comes with a broad range of features, from database fingerprinting to fetching data from the DB and even accessing the underlying file system and executing OS commands via out-of-band connections.

Dump Table Contents

The first step is to allow sqlmap to scan for the OS, web server, and database version information. Note that this is for a specific page! So it may be a better idea to use a program like the OWASP-ZAP scanner to find pages that might be susceptible to SQL injection, then use this program to scan THAT PAGE. sqlmap CAN crawl a website, but it would be more efficient to use another program first to find potential targets.

sqlmap -u http://www.example.com

This will tell you whether or not a server is vulnerable to SQL injection. Once you’ve found a page that is, you can use sqlmap to get the names of the databases on the server. To do this, type

sqlmap -u http://www.example.com –dbs

This gives you a list of the available databases on the system.

Once you have this list of databases, you can then narrow it down even further to find the tables of a certain database. Using the example database name “database_name”:

sqlmap -u http://www.example.com –tables -D database_name

sqlmap will now give you the tables it can find in that database! Pretty cool. With this info, we can narrow it down even further to get the columns of that table. With the example table name of “table_name”:

sqlmap -u http://www.example.com –columns -D database_name -T table_name

We can now also dump the contents with all this information:

sqlmap -u http://www.example.com –dump -D database_name -T table_name

Crawl a Website

sqlmap can crawl a webpage to look for pages that are vulnerable to SQL injection. You also have the ability to set the level of the crawl (distance from starting page). The batch option below tells sqlmap to run in non-interactive mode and to take the default action whenever user input would be requested.

sqlmap -u http://www.example.com –batch –crawl=3

Execute SQL queries

On these servers that are vulnerable to SQL injection we can attempt to execute our own SQL queries. Notable things to do would be to add users. We can do this using the –sql-shell parameter. This will give us an interactive SQL shell on the remote machine. If this doesn’t work, you can try sending specific SQL queries with the –sql-query parameter. Both are shown below.

sqlmap -u http://www.example.com –sql-shell

sqlmap -u http://www.example.com –sql-query “SELECT ‘foo'”

Shell on the Remote OS

This works very rarely. But it’s a good thing to test for on your server! If it works, you’ve completely taken over the server, so make sure you aren’t vulnerable! This is only possible when the back-end database management system is either MySQL, PostgreSQL, or Microsoft SQL Server, and the session user has the needed privileges to abuse specific functionalities and weaknesses.

sqlmap -u http://www.example.com –os-shell

sqlmap -u http://www.example.com –os-cmd