Sqlmap is a free, open source SQL injection tool, and one of the most powerful available. It automates the detection and exploitation of SQL injection flaws and the takeover of database servers. Sqlmap can detect and exploit six different SQL injection types:
- Boolean-based blind
- Time-based blind
- Error-based
- UNION query-based
- Stacked queries
- Out-of-band
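As an added example (not part of the original post), here is a small defender-side triage script: it decodes each request in a web server access log, flags the payload shapes characteristic of the technique families listed above (out-of-band is not covered, since it does not show up in the request URL), and aggregates hits per source address. The combined log format, the signatures and the sample log lines are constructed assumptions for this example, not sqlmap's own payload list; the sqlmap User-Agent is counted only as a supporting signal because the tool can change it.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Heuristic signatures for the technique families above (written for this example, not sqlmap's payload list).
TECHNIQUE_PATTERNS = {
    "boolean-based blind": re.compile(r"\b(AND|OR)\s+\d+\s*=\s*\d+", re.I),
    "time-based blind": re.compile(r"\b(SLEEP|BENCHMARK|PG_SLEEP|WAITFOR\s+DELAY)\b", re.I),
    "error-based": re.compile(r"\b(EXTRACTVALUE|UPDATEXML|FLOOR\s*\(\s*RAND)\b", re.I),
    "UNION query-based": re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I),
    "stacked queries": re.compile(r";\s*(SELECT|INSERT|UPDATE|DELETE|DROP|WAITFOR)\b", re.I),
}
# sqlmap's default User-Agent starts with "sqlmap/", but --random-agent replaces it: a supporting signal only.
UA_PATTERN = re.compile(r"^sqlmap/", re.I)
# Assumed combined log format: ip - - [time] "METHOD path HTTP/x" status size "referer" "user-agent"
LOG_RE = re.compile(r'^(?P<ip>\S+) .*?"(?:GET|POST) (?P<path>\S+) [^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')

def classify_request(line):
    """Return (ip, set of matched technique names, sqlmap-UA flag), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = unquote_plus(m.group("path"))  # make %20 / + encoded payloads visible to the regexes
    hits = {name for name, pat in TECHNIQUE_PATTERNS.items() if pat.search(decoded)}
    return m.group("ip"), hits, bool(UA_PATTERN.search(m.group("ua")))

def summarize(lines):
    """Per source IP: request count, matches per technique, and how many requests carried the sqlmap UA."""
    report = {}
    for line in lines:
        parsed = classify_request(line)
        if parsed is None:
            continue
        ip, hits, ua_flag = parsed
        entry = report.setdefault(ip, {"requests": 0, "techniques": Counter(), "sqlmap_ua": 0})
        entry["requests"] += 1
        entry["techniques"].update(hits)
        entry["sqlmap_ua"] += int(ua_flag)
    return report
# Constructed sample lines (not from the post): one client probing id=2, changing its UA part-way, plus an ordinary visitor.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /index?id=2%20AND%201=1 HTTP/1.1" 200 512 "-" "sqlmap/1.7"',
    '203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "GET /index?id=2%20AND%20SLEEP(5) HTTP/1.1" 200 512 "-" "sqlmap/1.7"',
    '203.0.113.5 - - [10/Oct/2023:13:55:39 +0000] "GET /index?id=2%20UNION%20ALL%20SELECT%20NULL,NULL HTTP/1.1" 500 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2023:13:56:00 +0000] "GET /index?id=7 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]
if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

A single source hitting one parameter with several technique families in quick succession is the signature of an automated scan rather than a one-off probe, which is why the report groups by source address.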
Sqlmap offers many features, such as:
- Directly connect to the database without passing via a SQL injection, by providing DBMS credentials, IP address, port and database name.
- Enumerate users, password hashes, privileges, roles, databases, tables and columns.
- Automatic recognition of password hash formats and support for cracking them using a dictionary-based attack.
- Dump database tables entirely, a range of entries or specific columns as per the user's choice. The user can also choose to dump only a range of characters from each column's entry.
- Search for specific database names, specific tables across all databases or specific columns across all databases' tables.
- Download and upload any file from the database server's underlying file system when the database software is MySQL, PostgreSQL or Microsoft SQL Server.
- Execute arbitrary commands and retrieve their standard output on the database server's underlying operating system when the database software is MySQL, PostgreSQL or Microsoft SQL Server.
- Establish an out-of-band stateful TCP connection between the attacker machine and the database server's underlying operating system. This channel can be an interactive command prompt, a Meterpreter session or a graphical user interface (VNC) session, as per the user's choice.
- Database process user privilege escalation via Metasploit's Meterpreter getsystem command.
Download Sqlmap
Sqlmap is written in Python, which is cross-platform, so to use Sqlmap you first need to install a Python interpreter. You can download the Python interpreter from the following link. You can download Sqlmap from the following link. Download the Sqlmap zip and extract it into any directory. Launch cmd (Windows users) and navigate to the Sqlmap directory, where you can execute Sqlmap commands.
Sqlmap Usage
Basic command to detect SQL injection and enumerate the databases of the victim:
Code:
sqlmap.py -u http://victimsite.com/index?id=2 --dbs
Most commonly used commands of Sqlmap
Usage: sqlmap.py [options]
Options:
Code:
-h, --help          Show basic help message and exit
-hh                 Show advanced help message and exit
--version           Show program's version number and exit
-v VERBOSE          Verbosity level: 0-6 (default 1)
Target: At least one of these options has to be provided to define the target(s)
Code:
-u URL, --url=URL   Target URL (e.g. "http://www.site.com/vuln.php?id=1")
-g GOOGLEDORK       Process Google dork results as target URLs
Request: These options can be used to specify how to connect to the target URL
Code:
--data=DATA         Data string to be sent through POST
--cookie=COOKIE     HTTP Cookie header value
--random-agent      Use randomly selected HTTP User-Agent header value
--proxy=PROXY       Use a proxy to connect to the target URL
--tor               Use Tor anonymity network
--check-tor         Check to see if Tor is used properly
Injection: These options can be used to specify which parameters to test for, provide custom injection payloads and optional tampering scripts
Code:
-p TESTPARAMETER    Testable parameter(s)
--dbms=DBMS         Force back-end DBMS to this value
Detection: These options can be used to customize the detection phase
Code:
--level=LEVEL       Level of tests to perform (1-5, default 1)
--risk=RISK         Risk of tests to perform (0-3, default 1)
Techniques: These options can be used to tweak testing of specific SQL injection techniques
Code:
--technique=TECH    SQL injection techniques to use (default "BEUSTQ")
Enumeration: These options can be used to enumerate the back-end database management system information, structure and data contained in the tables. Moreover, you can run your own SQL statements
Code:
-a, --all           Retrieve everything
-b, --banner        Retrieve DBMS banner
--current-user      Retrieve DBMS current user
--current-db        Retrieve DBMS current database
--passwords         Enumerate DBMS users password hashes
--tables            Enumerate DBMS database tables
--columns           Enumerate DBMS database table columns
--schema            Enumerate DBMS schema
--dump              Dump DBMS database table entries
--dump-all          Dump all DBMS databases tables entries
-D DB               DBMS database to enumerate
-T TBL              DBMS database table(s) to enumerate
-C COL              DBMS database table column(s) to enumerate
Operating system access: These options can be used to access the back-end database management system underlying operating system
Code:
--os-shell          Prompt for an interactive operating system shell
--os-pwn            Prompt for an OOB shell, Meterpreter or VNC
General: These options can be used to set some general working parameters
Code:
--batch             Never ask for user input, use the default behaviour
--flush-session     Flush session files for current target
Miscellaneous:
Code:
--sqlmap-shell      Prompt for an interactive sqlmap shell
--wizard            Simple wizard interface for beginner users
Official Demonstration Video
Note: This is an introductory post on Sqlmap; a demo of working with Sqlmap will be posted soon, so stay tuned.
To learn about SQL injection and how it works, you can read the five-day tutorial series on SQL injection here:
- [Day 1][Tutorial] Manual SQL injection: Happy Hunting
- [Day 2][Tutorial] Manual SQL injection: Access To Database
- [Day 3][Tutorial] Manual SQL injection: Admin 0day
- [Day 4][Tutorial] Manual SQL injection: Your Day
- [Day 5][Tutorial] Manual SQL injection: Securing Site