How to use the command sqlmap (with examples)

SQLMap is a penetration testing tool that automates the process of detecting and exploiting SQL injection vulnerabilities. It is designed to be user-friendly and efficient, providing a powerful way to test the security of web applications.

Use case 1: Run sqlmap against a single target URL.

Code:

python sqlmap.py -u "http://www.target.com/vuln.php?id=1"

Motivation: Running sqlmap against a single target URL allows you to quickly check if the website is vulnerable to SQL injection. This is useful for both security researchers and website owners, as it helps identify possible security flaws and take necessary measures to fix them.

Explanation:

  • python sqlmap.py: Runs the sqlmap script using Python.
  • -u "http://www.target.com/vuln.php?id=1": Specifies the target URL to test for SQL injection vulnerabilities. In this example, the URL is "http://www.target.com/vuln.php?id=1" and sqlmap tests the GET parameter id that it carries.

Example output:

[INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[INFO] target URL appears to be UNION injectable with 7 columns
[INFO] GET parameter 'id' appears to be 'Generic UNION query (NULL) - 1 to 20 columns' injectable (with use of --string parameter)
[INFO] GET parameter 'id' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable

Use case 2: Send data in a POST request.

Code:

python sqlmap.py -u "http://www.target.com/vuln.php" --data="id=1"

Motivation: Sending data in a POST request allows you to test SQL injection vulnerabilities in web forms that submit information via POST requests. This is often the case with login forms, contact forms, and other web applications that require user input.

Explanation:

  • --data="id=1": Specifies the data that should be sent in the POST request. In this example, the parameter “id” is set to 1. This is useful for simulating user input and testing if the application is vulnerable to SQL injection.

Example output:

[INFO] testing 'POST parameter' with value '1' and NULL characters
[INFO] testing 'POST parameter' with value '1' and ' OR '1'='1' -'
[INFO] testing 'AND boolean-based blind - WHERE or HAVING clause' with NULL value
[INFO] testing 'MySQL >= 5.0.12 AND time-based blind - Parameter replace (BlueCoat like)' with ASCII function and comment
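What sqlmap is detecting in use cases 1 and 2 is a query that concatenates the id parameter (from the query string or the POST body) into SQL text. The following is an added example, not sqlmap's code and not from the original page, that reproduces that defect against a constructed in-memory SQLite table and places the fix beside it: a bound parameter plus input validation. The boolean probe shown in the output above (the OR '1'='1' family) returns every row from the vulnerable lookup and nothing from the hardened one. The table, its columns and the lookup_* function names are illustrative assumptions.

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for the backend of vuln.php; not a real application."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, price INTEGER)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [(1, "widget", 10), (2, "gadget", 20), (3, "gizmo", 30)],
    )
    return conn


def lookup_vulnerable(conn, id_param):
    """The defect sqlmap detects: the raw 'id' value is concatenated into the SQL text."""
    sql = "SELECT id, name FROM products WHERE id = " + id_param
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, id_param):
    """Fix: bind the value, so it is sent as data and can never alter the query's structure."""
    return conn.execute(
        "SELECT id, name FROM products WHERE id = ?", (id_param,)
    ).fetchall()


def lookup_validated(conn, id_param):
    """Defence in depth: reject anything that is not a positive integer before it reaches the query."""
    if not id_param.isdigit():
        raise ValueError("id must be a positive integer")
    return lookup_parameterized(conn, int(id_param))


if __name__ == "__main__":
    conn = make_db()
    # A boolean-based probe of the kind sqlmap sends for the 'id' parameter.
    probe = "1 OR 1=1"
    print("vulnerable:   ", lookup_vulnerable(conn, probe))    # every row is returned
    print("parameterized:", lookup_parameterized(conn, probe))  # no row matches the literal text
    print("validated:    ", lookup_validated(conn, "1"))        # only the requested row
```

The bound parameter alone is enough to close the injection; the isdigit() check is there because rejecting malformed input early also makes sqlmap's probes show up as 4xx errors in the application log rather than as successful responses.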

Use case 3: Change the parameter delimiter.

Code:

python sqlmap.py -u "http://www.target.com/vuln.php" --data="query=foobar;id=1" --param-del=";"

Motivation: Changing the parameter delimiter is needed when the web application separates parameters in the URL or POST data with a character other than the default "&". By specifying the correct delimiter, you ensure that sqlmap splits the data into the right parameters and tests each of them for SQL injection vulnerabilities.

Explanation:

  • --param-del=";": Specifies the parameter delimiter. In this example, the delimiter is set to “;” because the web application expects parameters to be separated by this character.

Example output:

[INFO] GET parameter 'query' is not injectable
[INFO] GET parameter 'id' is 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
[INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'...

Use case 4: Select a random User-Agent.

Code:

python sqlmap.py -u "http://www.target.com/vuln.php" --random-agent

Motivation: Selecting a random User-Agent helps disguise the requests sent by sqlmap, making it more difficult for web application firewalls and other security measures to detect and block the tool. This allows for a more comprehensive and accurate testing of SQL injection vulnerabilities.

Explanation:

  • --random-agent: Instructs sqlmap to pick a User-Agent at random from its bundled list of common browser strings instead of sending its default User-Agent, which names the tool. This makes the requests sent by sqlmap look more like ordinary browser traffic.

Example output:

[INFO] testing connection to the target URL
[INFO] using random User-Agent : Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:130.0) Gecko/20100101 Firefox/130.0
[INFO] GET parameter 'id' is 'OR boolean-based blind - WHERE or HAVING clause (NOT - preferred)' injectable
[INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (NOT - preferred)'...
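The output above shows the defender's side of --random-agent: the default User-Agent announces sqlmap, and the option swaps it for a browser string, so detection cannot rely on the User-Agent alone. The following added example (not part of the original page and not sqlmap code) runs three checks over constructed access-log lines in combined log format: the default sqlmap User-Agent, SQL-injection-style payloads in the request target like the UNION and SLEEP probes visible in the earlier example outputs, and a single client rotating through several User-Agents against the same application. The log lines, IP addresses and the analyze() function are constructed for this example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /vuln.php?id=1 HTTP/1.1" 200 512 "-" "sqlmap/1.8#stable (https://sqlmap.org)"
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /vuln.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:130.0) Gecko/20100101 Firefox/130.0"
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /vuln.php?id=1%20AND%20SLEEP(5) HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0"
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /vuln.php?id=1%20UNION%20ALL%20SELECT%20NULL,NULL,NULL HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Safari/605.1.15"
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /vuln.php?id=2 HTTP/1.1" 200 498 "-" "Mozilla/5.0 (X11; Linux x86_64) Chrome/120.0"
"""

# Combined log format: client, ident, user, [timestamp], "request", status, size, "referer", "user-agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Signatures of the probe families seen in sqlmap's output (UNION, time-based, boolean-based),
# matched against the URL-decoded request target.
SQLI_RE = re.compile(
    r"union\s+(?:all\s+)?select|sleep\s*\(|benchmark\s*\(|waitfor\s+delay"
    r"|\bor\s+['\"]?\d+['\"]?\s*=\s*['\"]?\d+",
    re.IGNORECASE,
)


def parse_line(line):
    """Return the fields the detector needs, or None for a line that is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "target": m["target"], "ua": m["ua"]}


def is_sqli_like(target):
    """True if the URL-decoded request target contains one of the probe signatures."""
    return SQLI_RE.search(unquote(target)) is not None


def analyze(log_text, rotation_threshold=3):
    """Map each client IP to the set of reasons its traffic looks like an sqlmap run."""
    findings = defaultdict(set)
    agents_by_ip = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        # Check 1: the tool's own User-Agent (defeated by --random-agent, hence the other checks).
        if "sqlmap" in rec["ua"].lower():
            findings[rec["ip"]].add("default sqlmap User-Agent")
        # Check 2: payload shape in the request, independent of the User-Agent.
        if is_sqli_like(rec["target"]):
            findings[rec["ip"]].add("SQL injection probe in request target")
        agents_by_ip[rec["ip"]].add(rec["ua"])
    # Check 3: one client presenting many different browsers is itself an anomaly.
    for ip, agents in agents_by_ip.items():
        if len(agents) >= rotation_threshold:
            findings[ip].add("User-Agent rotation")
    return dict(findings)


if __name__ == "__main__":
    for ip, reasons in analyze(SAMPLE_LOG).items():
        print(ip, sorted(reasons))
```

In the constructed log, 10.0.0.5 is caught only by its User-Agent, while 10.0.0.7 is caught by the payload and rotation checks despite never sending a sqlmap User-Agent; the rotation threshold should be tuned to the site's real traffic, since a NAT gateway legitimately presents many browsers from one address.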

Use case 5: Provide user credentials for HTTP protocol authentication.

Code:

python sqlmap.py -u "http://www.target.com/vuln.php" --auth-type Basic --auth-cred "testuser:testpass"

Motivation: Some web applications require authentication before accessing certain pages or functionality. By providing user credentials, sqlmap can test SQL injection vulnerabilities within the context of an authenticated session. This is particularly useful when testing the security of privileged areas of a website.

Explanation:

  • --auth-type Basic: Specifies the type of authentication to use. In this example, Basic authentication is used.
  • --auth-cred "testuser:testpass": Specifies the username and password for authentication. In this example, the username is “testuser” and the password is “testpass”.

Example output:

[INFO] testing connection to the target URL
[INFO] testing if the target URL requires authentication
[INFO] resuming back-end DBMS 'mysql'
[INFO] GET parameter 'id' is 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
[INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'...

Conclusion:

SQLMap is a powerful tool for automating the detection and exploitation of SQL injection vulnerabilities. By using the different options and parameters provided by sqlmap, you can accurately and efficiently test the security of web applications. Whether you are a security researcher or a website owner, understanding and utilizing sqlmap can greatly enhance your ability to identify and mitigate SQL injection risks.
