SQLi with SQLmap

Bengal Black Diamond - Gray Hat Hacker's Community September 20, 2024

 

SQLi with SQLmap

Learn step by step

Use of SQLmap

A sqlmap check attempts an attack in each of a number of categories — there are six in total. If one of these attacks succeeds, you know that you have a serious problem and part of the interface that fronts your database needs to be re-written to block that attack.

The types of attacks that sqlmap attempts are:

  • Boolean-based blind SQL injection
  • Time-based blind SQL injection
  • Error-based SQL injection
  • Union-based SQL injection
  • Stacked queries
  • Out-of-band attacks

The definitions used by the sqlmap developers don’t map exactly to the categories used by OWASP. The list includes both types of Classic SQL injection and both types of Blind SQL injection.

The stacked queries attack strategy performed by sqlmap should cover what OWASP terms DBMS-specific attacks. The Combined attack category of OWASP isn’t relevant to the SQL Injection-focused sqlmap detection system.

Logically, if you can ensure that your system isn’t vulnerable to an SQL injection attack, it automatically won’t be vulnerable to a combined attack. However, you should use other pen testing tools to check whether your site is vulnerable to DDoS attacks, XSS, or DNS hijacking. All systems are permanently liable to authentication attacks — you need to ensure a secure identity and access management strategy in order to protect your business from the threat of authentication cracking.

The sqlmap system checks work with the following DBMSs:

Features -

SQLMap is a powerful open-source penetration testing tool designed to automate the process of detecting and exploiting SQL injection vulnerabilities in web applications. Here are some of its key features:

1. Automated Detection: SQLMap can automatically detect various types of SQL injection vulnerabilities, including error-based, blind, and time-based injections.

2. Database Fingerprinting: It can identify the underlying database management system (DBMS) being used, such as MySQL, PostgreSQL, Oracle, Microsoft SQL Server, and others.

3. Data Retrieval: SQLMap can extract data from the database, including tables, columns, and specific data entries.

4. Database Management: It allows users to perform various database management tasks, such as creating and dropping databases, tables, and users.

5. Payloads: SQLMap supports a wide range of payloads and techniques for exploiting SQL injection vulnerabilities, including UNION-based, error-based, and time-based payloads.

6. Support for Multiple Protocols: It can interact with web applications through various protocols, including HTTP, HTTPS, and even through proxy servers.

7. Session Management: SQLMap can handle session cookies and supports various authentication mechanisms, allowing it to work with applications that require login credentials.

8. Customizable Options: Users can customize the tool’s behavior through a wide range of command-line options, including specifying the level of verbosity, the number of concurrent requests, and more.

9. Tamper Scripts: SQLMap includes tamper scripts that can modify payloads to bypass certain web application firewalls (WAFs) and intrusion detection systems (IDS).

10. Output Formats: It can output results in various formats, including plain text, HTML, XML, and JSON, making it easier to integrate with other tools or systems.

11. OS Shell Access: SQLMap can provide an operating system shell access if the database is vulnerable and allows it, enabling further exploitation.

12.Integration with Other Tools: SQLMap can be integrated with other security tools and frameworks, enhancing its capabilities in penetration testing workflows.

Overview -
Techniques -

There are 6 techniques -

B: Boolean-based Blind 
E: Error-based 
U: Union query-based 
S: Stacked queries 
T: Time-based Blind 
Q: Inline queries

Technique- B

Boolean-based blind SQL injection is a technique used to extract data from a database when the application is vulnerable to SQL injection, but the database does not return any error messages or data. In this case, the attacker must rely on the application’s behavior to infer the structure of the database.

Here’s an example of how to use SQLMap to exploit a Boolean-based blind SQL injection vulnerability:

Example:

Suppose we have a web application that takes a username parameter and returns a success message if the username exists in the database. The application is vulnerable to SQL injection, but it does not return any error messages or data.

Step 1: Identify the Vulnerable Parameter

We identify the username parameter as the vulnerable parameter.

Step 2: Determine the Injection Point

We determine the injection point by analyzing the application’s behavior. In this case, the injection point is after the username parameter.

Step 3: Use SQLMap to Exploit the Vulnerability

We use SQLMap to exploit the vulnerability:

In this command:

  • -u specifies the URL of the vulnerable page
  • --technique=B specifies that we want to use the Boolean-based blind technique
  • --dbms=mysql specifies the database management system (in this case, MySQL)

Step 4: Extract Data

SQLMap will start extracting data from the database by sending a series of requests to the application. Each request will contain a different payload that is designed to elicit a different response from the application.

For example, SQLMap might send the following requests:

The first request is designed to test whether the admin username exists in the database. If the response is a success message, SQLMap knows that the username exists.

The second request is designed to test whether the admin username does not exist in the database. If the response is a failure message, SQLMap knows that the username does not exist.

The third request is designed to test whether the admin username exists in the database and has a specific value for the username column. If the response is a success message, SQLMap knows that the username exists and has the specified value.

Step 5: Analyze the Results

SQLMap analyzes the responses from the application and uses the results to infer the structure of the database. In this case, SQLMap might determine that the admin username exists in the database and has a specific value for the username column.

Crawl [ — crawl 3 ]

Depth 1: https://www.example.com/coureses
Depth 2: https://www.example.com/coureses/soc
Depth 3: https://www.example.com/coureses/soc/overview
Depth 4: https://www.example.com/coureses/soc/overview/registration

Batch [ — batch ]

By Default choose the Permission !

Threads { by default 1, maximum 10 } [ — threads ]

The threads option allows the user to define the number of concurrent requests to be sent by the SQLMap tool

Risk { Risk values 1,2,3 } [ — risk ]

The “–- risk” option can be used to specify an accepted risk level from 1 to 3. The higher the value, the greater the number of payloads injected by sqlmap, but also the greater the risk and harm the database like can change or update the Data.

Level { minimum 1, Maximum 5 } [ — level ]

Updating the level of vulnerability test range, like first of all testing cookies, then User agent etc. (also can be false positive)

Verbosity

Being able to increase the verbosity of your SQLmap output will help with this testing. By increasing the verbosity to 4 you can get the HTTP requests, with 5 you also see the HTTP response headers, and 6 will show the full HTTP response

______ After finding Vulnerable URL then you have to show how to exploit for impactful Vulnerability details

Here you can follow the Cheat Sheet of sqlmap —

Sqlmap Cheat Sheet: Commands, Options, and Advanced Features
Use this comprehensive sqlmap cheat sheet to easily lookup any command you need. It includes a special search and copy…www.stationx.net

Happy Hacking !!

Post a Comment

0 Comments

Emoji
(y)
:)
:(
hihi
:-)
:D
=D
:-d
;(
;-(
@-)
:P
:o
:>)
(o)
:p
(p)
:-s
(m)
8-)
:-t
:-b
b-(
:-#
=p~
x-)
(k)