Wednesday, 1 April 2015

Sqlmap simple Tutorial


Getting started with sqlmap
Using sqlmap can be tricky when you are not familiar with it. This sqlmap tutorial aims to present the most important functionalities of this popular SQL injection tool in a quick and simple way. Before using sqlmap you must first get the latest release of the tool and install a Python interpreter. Most Linux distributions have Python installed by default. If that is not the case, or if you are not using Linux, you will need to download and install Python. Finally, you will need a vulnerable website to test. In this tutorial we are using our simulation environment (hosted on the local machine and available on port 8888).

Launching sqlmap

Once sqlmap is extracted, move to its directory and execute the command below to make sure everything is working fine.
SYNTAX TO SHOW SQLMAP HELP.
python sqlmap.py --help
If you do not see sqlmap help make sure you did not forget a step in the setup instructions.

Test GET Parameters

You are now ready to test a vulnerable GET parameter. Run sqlmap as indicated below. Make sure you specify the URL through the -u parameter (or --url) and give the complete URL of the page you want to test, including the GET parameters and a random value for each one.
GENERAL SYNTAX
python sqlmap.py -u "http(s)://target[:port]/[...]/[page]?param=val[&...]"

TEST GET PARAMETER WITH SQLMAP
python sqlmap.py -u "http://127.0.0.1:8888/cases/productsCategory.php?category=1"

Test POST Parameters Using Sqlmap

By default sqlmap tests only GET parameters, but you can specify the POST parameters you would like to verify; sqlmap will then test both the GET and the POST parameters indicated. To do so, add the --data option as shown below.
GENERAL SYNTAX
python sqlmap.py --data "param=val[&...]" -u "http(s)://target[:port]/[...]/[page]"

TEST POST PARAMETER WITH SQLMAP
python sqlmap.py --data "username=xyz&password=xyz&submit=xyz" -u "http://127.0.0.1:8888/cases/login.php"
One common mistake when testing POST parameters is forgetting to include the submit parameter. If it is not specified, sqlmap will not be able to perform a correct scan, and you will most likely end up with a report stating that no vulnerabilities were found in the script even though it is vulnerable. Always specify the submit parameter name and its default value.

Parse Forms

Sqlmap has a built-in functionality to parse all forms in a webpage and automatically test them. Even though in some cases the scan may not be as efficient as it is when manually indicating all parameters, it is still handy in many situations. Here is the syntax:
GENERAL SYNTAX
python sqlmap.py --forms -u "http(s)://target[:port]/[...]/[page]"

PARSE FORMS WITH SQLMAP
python sqlmap.py --forms -u "http://synapse:8888/cases/productsCategory.php"

Level of Tests

By default sqlmap will test all the GET and POST parameters specified, but in some cases you might want to test additional entry points such as HTTP headers. Each of them can be enabled with a specific option, but the most straightforward technique is to use the --level option. There are 5 levels available in sqlmap (the default being level 1). Level 2 adds HTTP Cookie header testing, and level 3 adds the HTTP User-Agent and Referer headers.
GENERAL SYNTAX
python sqlmap.py -u "http(s)://target[:port]/[...]/[page]" --level 5

URL Paths

There are some cases where parameters are included inside URI paths. Sqlmap allows you to specify exactly where to try SQL injection in these cases. Let’s take an example where mod_rewrite is used and http://host/page/param-value/ points to http://host/page.php?id=param. Here is how sqlmap should be used in this case.
GENERAL SYNTAX
Append an asterisk (*) after each segment to test.

SQLMAP SYNTAX TO TEST URI SEGMENTS.
python sqlmap.py -u "http://host/page/param-value*/"
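Seen from the web server, the GET, POST, header (--level) and URI-segment tests above all leave traces in the access log. The following detector is an added example, not part of the original tutorial: it parses constructed Apache combined-format log lines and flags requests that carry sqlmap's default User-Agent or typical injection probes in the request target, Referer or User-Agent, grouped by source IP. The signature list is an assumption and deliberately crude; tune it for your own application.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Apache/nginx "combined" format:
# ip - - [time] "METHOD target PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Crude signatures for common injection probes (assumed; tune per application).
SQLI_RE = re.compile(
    r"\b(and|or)\s+\d+\s*=\s*\d+|union\s+(all\s+)?select|"
    r"\bsleep\(\s*\d+\s*\)|benchmark\(|information_schema|--\s",
    re.IGNORECASE,
)

# Constructed sample log: one normal visit, then three probe-like requests.
SAMPLE_LOG = [
    '127.0.0.1 - - [01/Apr/2015:10:00:01 +0000] "GET /cases/productsCategory.php?category=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [01/Apr/2015:10:00:02 +0000] "GET /cases/productsCategory.php?category=1%20AND%201234=1234 HTTP/1.1" 200 512 "-" "sqlmap/1.0-dev (http://sqlmap.org)"',
    '10.0.0.5 - - [01/Apr/2015:10:00:03 +0000] "GET /cases/productsCategory.php?category=1 HTTP/1.1" 200 512 "http://127.0.0.1:8888/\' AND SLEEP(5)--" "Mozilla/5.0"',
    '10.0.0.5 - - [01/Apr/2015:10:00:04 +0000] "GET /page/1%27%20UNION%20ALL%20SELECT%20NULL-- HTTP/1.1" 500 0 "-" "Mozilla/5.0"',
]

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def flag_request(entry):
    """Return the reasons (possibly none) this request looks like an injection probe."""
    reasons = []
    if "sqlmap" in entry["ua"].lower():          # sqlmap's default User-Agent
        reasons.append("sqlmap user-agent")
    # Decode the whole target so payloads in the query string and in
    # rewritten URI segments (the mod_rewrite case) are both inspected.
    if SQLI_RE.search(unquote_plus(entry["target"])):
        reasons.append("sqli pattern in target")
    # --level 3 and above also injects into Referer and User-Agent
    # (Cookie is not in the combined format; log it separately if needed).
    for hdr in ("referer", "ua"):
        if SQLI_RE.search(unquote_plus(entry[hdr])):
            reasons.append(f"sqli pattern in {hdr}")
    return reasons

def scan_log(lines):
    """Group flagged requests by source IP: {ip: [(target, reasons), ...]}."""
    hits = defaultdict(list)
    for line in lines:
        entry = parse_line(line)
        if entry and (reasons := flag_request(entry)):
            hits[entry["ip"]].append((entry["target"], reasons))
    return dict(hits)
```

Running scan_log(SAMPLE_LOG) reports nothing for 127.0.0.1 and three flagged requests for 10.0.0.5; a burst of such hits from one address against one script is the usual sign of an automated scan.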

Extracting Information With Sqlmap

Things get really interesting in this sqlmap tutorial when it comes to extracting information. Recovering information stored in the database from a SQL injection point is a tedious task, especially when no result is returned directly in the vulnerable webpage. Fortunately, sqlmap allows the tester to extract precious pieces of information without the hassle of manual techniques. Below is a quick overview of those options; you simply have to add the option (without any argument) to your call to sqlmap.
RECOVER SESSION USER USING SQLMAP.
--current-user

DETECT CURRENT DATABASE USING SQLMAP.
--current-db

FIND OUT IF SESSION USER IS DATABASE ADMINISTRATOR USING SQLMAP.
--is-dba

LIST DATABASE SYSTEM USERS USING SQLMAP.
--users

LIST DATABASES USING SQLMAP.
--dbs

Enumerating Tables

When the session user has read access to system tables containing information about databases’ tables, sqlmap will be able to enumerate tables.
OPTION TO ENUMERATE TABLES WITH SQLMAP.
--tables
The following options are handy with table enumeration:
  • -D database_name to restrict result to the specified database.
  • --exclude-sysdbs to exclude system tables.

Enumerating Columns

Sqlmap can also enumerate columns. Here again, the session user will need to have read access to system tables containing information about databases’ tables.
OPTION TO ENUMERATE COLUMNS WITH SQLMAP.
--columns
In addition to -D database_name and --exclude-sysdbs you can add option -T table_name to limit data to the specified table.

Dump Table

It is even possible for the attacker to dump entire tables or databases using the following option.
OPTION TO DUMP DATABASE CONTENT WITH SQLMAP.
--dump
Here again the options -T table_name, -D database_name and --exclude-sysdbs can be used to limit the extracted data.

Complete Sqlmap Tutorial
To get more information about sqlmap usage you can consult the official sqlmap wiki on github.
