SQLMAP.md
Overview
sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. It provides efficient injection detection as well as many features ranging from fetching data from the database to accessing the underlying file system and executing commands on the operating system.
sqlmap currently supports the following database management systems:
MySQL
Oracle
PostgreSQL
Microsoft SQL Server
Microsoft Access
IBM DB2
SQLite
Firebird
Sybase
SAP MaxDB
HSQLDB
Informix
For a much more detailed usage guide of sqlmap, refer to the official documentation: https://github.com/sqlmapproject/sqlmap/wiki/Usage.
General options
Target specification
sqlmap offers multiple ways to specify one or multiple targets:
using a URL with the -u <URL> option;
from an HTTP request file using the -r <REQUEST_FILE> option, which can be helpful for authenticated requests using multiple session cookies;
using a direct connection string to the database with the -d <CONNECTION_STRING> option, which can be helpful to make use of sqlmap's file system, command injection and password retrieving queries;
from a Burp or WebScarab proxy log file using the -l <LOG_FILE> option, which can be used to conduct automated testing on all requests made after spidering and mapping the targeted web application.
One or multiple injection points can be specified in the URL or request file by appending an * (asterisk) to a parameter value. The * should not replace the parameter value, as a valid value helps sqlmap in detecting the injection technique to use.
Techniques
Option: --technique=<TECH>.
sqlmap supports the following techniques:
B: Boolean-based blind
E: Error-based
U: Union query-based
S: Stacked queries
T: Time-based blind
Q: Inline queries
By default, sqlmap tests for all the types/techniques it supports, i.e. BEUSTQ. To specify one or more techniques, the --technique option can be used:
Level and risk
Option: --level=<1 - 5>.
The level defines the depth of tests to perform, ranging from level=1, with a very limited number of requests performed, to level=5, corresponding to a much larger number of payloads and boundaries tested. The level also influences the injection points tested:
GET and POST parameters are always tested;
HTTP Cookie header values are tested from level=2;
HTTP User-Agent / Referer header values are tested from level=3.
The default value is level=1. It is recommended to start with a level=1 test, to quickly iterate over all injection techniques, and then conduct level=5 testing if no injections have been detected yet.
Option: --risk=<1 - 3>.
The risk defines the presumed risk of the payloads to use, ranging from risk=1, innocuous for the majority of SQL injection points, to risk=3, adding OR-based SQL injection tests which could lead to the update of entries of the database if the SQL injection is in an UPDATE or DELETE statement.
The risk=3 option should not be used against production databases, especially if the injected query is presumed to modify the data of the database.
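Why an OR-based test is dangerous inside an UPDATE, shown as an added example that is not part of the original page: a throwaway in-memory SQLite table is updated once through string concatenation and once through a bound parameter. The table, function names and sample rows are constructed for the illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data standing in for a production table.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [(1, "a@example.test"), (2, "b@example.test"), (3, "c@example.test")],
    )
    return db

def update_email_concat(db, user_id, email):
    # Vulnerable form: user_id is pasted into the WHERE clause of the UPDATE.
    cur = db.execute(f"UPDATE users SET email = ? WHERE id = {user_id}", (email,))
    return cur.rowcount

def update_email_bound(db, user_id, email):
    # Hardened form: user_id is bound as data and never parsed as SQL.
    cur = db.execute("UPDATE users SET email = ? WHERE id = ?", (email, user_id))
    return cur.rowcount

def rows_changed(test_value, updater):
    """Run one update against a fresh database and return the rows modified."""
    db = make_db()
    try:
        return updater(db, test_value, "probe@example.test")
    finally:
        db.close()

if __name__ == "__main__":
    for value in ("1", "1 OR 1=1"):
        print(repr(value),
              "concat:", rows_changed(value, update_email_concat),
              "bound:", rows_changed(value, update_email_bound))
```

With the concatenated query, the OR-based value turns a one-row update into a rewrite of every row, which is the data-modification risk described above; the bound query matches no row for the same input.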
Tamper injection data
Option: --tamper="<TAMPER_SCRIPTS>".
Note that sqlmap integrates an IPS / WAF detection mechanism, which can be launched using the --identify-waf switch option.
sqlmap provides a way to tamper with the payloads to bypass input validation mechanisms such as an IPS appliance or a web application firewall (WAF). The option takes as parameter a comma-separated list of tamper scripts to use, for example --tamper=between,charencode,charunicodeencode.
On a default Linux installation, the tamper scripts packaged with sqlmap can be found in /usr/share/sqlmap/tamper/.
To start sqlmap with all the packaged tamper scripts, the following commands can be used:
Estimated time of arrival (ETA)
Switch: --eta.
sqlmap provides an option to calculate and show in real time the estimated time of arrival to retrieve each query output.
Databases dumping
Once identified, the DBMS can be specified with the --dbms=<DBMS> option.
Users, passwords and privileges
sqlmap includes queries to retrieve users, users' password hashes and users' privileges from known DBMS databases and tables:
Option | Description |
---|---|
| Retrieve DBMS current user |
| Retrieve DBMS current database |
| Retrieve DBMS server hostname |
| Detect if the DBMS current user is DBA |
| Enumerate DBMS users |
| Enumerate DBMS users password hashes |
| Enumerate DBMS users privileges |
| Enumerate DBMS users roles |
Databases, tables, columns and data
The following options can be used to dump the content of one or multiple databases:
Option | Description |
---|---|
| Enumerate DBMS databases |
| Enumerate DBMS database tables |
| Enumerate DBMS database table columns |
| Enumerate DBMS schema |
| Retrieve number of entries for table(s) |
| Dump DBMS database table entries |
| Dump all DBMS databases tables entries |
| DBMS database to enumerate |
| DBMS database table(s) to enumerate |
| DBMS database table column(s) to enumerate |
| DBMS database identifier(s) to not enumerate |
| Exclude DBMS system databases when enumerating tables (master, msdb, model, etc.) |
| Use WHERE condition while table dumping |
| First dump table entry to retrieve |
| Last dump table entry to retrieve |
For instance, the following sqlmap commands can be used to enumerate the content of the databases and retrieve data:
Search keyword(s) in databases, tables or columns names
Switch and options: --search <[ -D <DB_NAME> | -T <TABLE_NAME> | -C <COLUMN_NAME> ]>.
This functionality can be used to identify tables or columns containing sensitive information such as application-level usernames or passwords.
The --search switch option needs to be used in conjunction with one of the following support options:
-C followed by a list of comma-separated column names to look for across the whole database management system.
-T followed by a list of comma-separated table names to look for across the whole database management system.
-D followed by a list of comma-separated database names to look for across the database management system.
For example:
Direct SQL query
Option: --sql-query <QUERY>
Switch: --sql-shell
sqlmap also provides an option to directly run an arbitrary SQL query, automatically dissecting the provided statement, determining which technique is appropriate to use to inject it and how to pack the SQL payload accordingly.
In the case of a non-SELECT statement, sqlmap will execute the query through the stacked queries SQL injection technique (S) if stacked queries are supported through the injection point.
The --sql-query option can be used to run the specified SQL statement while the --sql-shell switch option will start an interactive SQL console connected to the database management system.
OS access
File system access
If the DBMS is either MySQL, PostgreSQL or Microsoft SQL Server, an SQL injection can be leveraged to retrieve files from, or upload files to, the underlying file system. The DBMS user session used to make the SQL queries needs to have sufficient privileges to use the DBMS-specific functionalities.
Option | Description |
---|---|
| Read a file from the back-end DBMS file system |
| Write a local file on the back-end DBMS file system |
| Back-end DBMS absolute filepath to write to |
The --file-write and --file-dest options must be used together to specify the local file to upload and its destination path on the target system.
Note that, if the account running the DBMS service has sufficient privileges on the file system, an SQL injection could be used to upload a webshell in an accessible website folder to achieve remote command execution. The website folder can either be guessed through a brute force attack or leaked by verbose error messages on the web application.
Commands execution
Option and switch: --os-cmd <COMMAND> and --os-shell.
An SQL injection can be leveraged to remotely execute commands on the underlying operating system, given that:
the DBMS is either MySQL, PostgreSQL or Microsoft SQL Server;
the current DBMS user session has sufficient privileges to use the DBMS-specific functionalities.
On MySQL and PostgreSQL, sqlmap uploads a shared library containing two user-defined functions, sys_exec() and sys_eval(), then creates these two functions on the database and calls one of them to execute the specified command, depending on the user's choice to display the standard output or not. On Microsoft SQL Server, sqlmap abuses the xp_cmdshell stored procedure: if it is disabled (the default on Microsoft SQL Server >= 2005), sqlmap re-enables it if possible; if it does not exist, sqlmap creates it from scratch.
The --os-cmd option can be used to run the specified command while the --os-shell switch option will start an interactive command prompt.
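The behaviour described above leaves statements that a defender can look for in DBMS audit or query logs. The following is an added example, not code from sqlmap or from the original page: it flags creation or use of the sys_exec / sys_eval functions and enabling or use of xp_cmdshell. The log line layout, the regular expressions and the sample lines are assumptions constructed for the illustration.

```python
import re

# (rule name, pattern); the first matching rule wins for each line.
RULES = [
    ("udf_create", re.compile(
        r"\bcreate\s+(?:or\s+replace\s+)?function\s+\W?(?:sys_exec|sys_eval)\b", re.I)),
    ("udf_call", re.compile(r"\b(?:sys_exec|sys_eval)\s*\(", re.I)),
    ("xp_cmdshell_enable", re.compile(
        r"sp_configure\s+N?'xp_cmdshell'\s*,\s*1\b", re.I)),
    ("xp_cmdshell_call", re.compile(
        r"\bexec(?:ute)?\s+(?:master\.\.|master\.dbo\.)?xp_cmdshell\b", re.I)),
]

# Constructed sample lines: "<timestamp> <db user> <statement>".
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z app_user SELECT id, name FROM products WHERE id = 7",
    "2024-01-01T10:00:05Z app_user CREATE FUNCTION sys_exec RETURNS int SONAME 'libexample.so'",
    "2024-01-01T10:00:06Z app_user SELECT sys_eval('<command>')",
    "2024-01-01T10:01:00Z web_login EXEC sp_configure 'xp_cmdshell', 1",
    "2024-01-01T10:01:02Z web_login EXEC master..xp_cmdshell '<command>'",
    "2024-01-01T10:05:00Z dba EXEC sp_configure 'xp_cmdshell', 0",
    "2024-01-01T10:06:00Z app_user CREATE OR REPLACE FUNCTION sys_eval(text) "
    "RETURNS text AS '/tmp/libexample.so', 'sys_eval' LANGUAGE C",
]

def classify(line):
    """Return the name of the first rule matching the line, or None."""
    for name, pattern in RULES:
        if pattern.search(line):
            return name
    return None

def scan(lines):
    """Return (line_number, rule_name) for every flagged line, 1-indexed."""
    hits = []
    for number, line in enumerate(lines, start=1):
        rule = classify(line)
        if rule is not None:
            hits.append((number, rule))
    return hits

if __name__ == "__main__":
    for number, rule in scan(SAMPLE_LOG):
        print(f"line {number}: {rule}: {SAMPLE_LOG[number - 1]}")
```

Disabling xp_cmdshell (line 6 of the sample) is deliberately not flagged; an application account creating functions or changing server configuration is the signal worth alerting on.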
Windows registry access
Switches: --reg-read, --reg-add and --reg-del.
Auxiliary options: --reg-key, --reg-value, --reg-data and --reg-type.
An SQL injection can be leveraged to access the Windows registry if the following conditions are met:
the DBMS is either MySQL, PostgreSQL or Microsoft SQL Server;
stacked queries are supported through the injection point;
the current DBMS user session has sufficient privileges to use the DBMS-specific functionalities;
the Windows account, local or domain, running the DBMS service has sufficient privileges to access the specified registry keys.
Option | Description |
---|---|
| Windows registry key path |
| Value item name inside provided key |
| Item value data |
| Type of the item value data |