
How to Use Sqlmap – Sqlmap Full Tutorial – SQL Injection

How to use SQLMAP to test a website for SQL Injection vulnerability (Sqlmap Tutorial)

In this article, we will look at the different sqlmap commands that are useful in different SQL injection scenarios.

The sqlmap tool can be found in every penetration tester's toolbox. It is one of the most well-known and powerful tools for exploiting SQL injection vulnerabilities, a vulnerability class that sits at the top of the OWASP Top 10 risk list. From verifying that a SQL injection exists, to extracting databases, tables and columns, to gaining access to the underlying system, it can be used for many purposes.

What is SQL Injection?

SQL injection is a code injection technique in which the attacker sends malicious SQL queries that control the web application's database. With the right set of queries, the attacker can access the information stored in the database. sqlmap tests whether a parameter (for example a 'GET' parameter) is vulnerable to SQL injection.

The goal of sqlmap is to detect and exploit SQL injection vulnerabilities. sqlmap is an open-source tool that scans web applications for this risk.

Once it detects one or more SQL injections in the target host, the user can choose among a variety of options: fingerprint the back-end database management system, retrieve the DBMS session user and database, enumerate users, password hashes, privileges and databases, dump entire DBMS tables and columns or only the user's choice of them, run their own SQL statements, read specific files on the file system, and much more.

sqlmap is written in Python and is one of the best tools for carrying out SQL injection attacks.


SQL injection attack:

SQL is the Structured Query Language, the language programs use to access data in a relational database. The language also includes instructions for updating or deleting the data stored in database tables.

For end users, access to the database is through a form, which may be on a web page or at the front of a piece of business software. The search field on a Google page is an example of this. The code behind the screen captures the input the user typed into the form and wraps it in a SQL query.

Hackers have found ways to put a complete SQL statement or statement clause into the input field. This can mislead the query-processing code behind the form, so that the input reaches the database as SQL instructions rather than as plain query data.


SQL injection attacks can enable criminals to steal all of an organisation's records or to alter values. The ability to change data in the database enables hackers to steal money. Imagine a customer who is able to change an account balance from a negative amount to a positive amount. In automated systems this can trigger a payout, and the criminals can withdraw the money before anyone in the business notices the error.
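The query-wrapping behaviour described above, shown in runnable form. This is an added example, not code from the tutorial or from sqlmap: it builds an in-memory SQLite table with constructed rows, runs the same lookup once with string concatenation and once with a bound parameter, and shows how a quote in the input changes the meaning of the first query (and how a lone quote makes it fail with a database error, the signal that error-based testing relies on) while the parameterized query treats the same input as plain data.

```python
"""Added example (not from the tutorial or from sqlmap): a string-built query
beside its parameterized form, run against constructed data in SQLite."""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data: a tiny accounts table in an in-memory database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER, owner TEXT, balance INTEGER)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [(1, "alice", 120), (2, "bob", -40), (3, "carol", 900)],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, owner: str) -> list:
    # The user-supplied value is spliced into the statement text, so a quote
    # in the input changes the structure of the query itself.
    query = f"SELECT id, owner, balance FROM accounts WHERE owner = '{owner}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, owner: str) -> list:
    # The value travels as a bound parameter; the database never parses it as SQL.
    query = "SELECT id, owner, balance FROM accounts WHERE owner = ?"
    return conn.execute(query, (owner,)).fetchall()


def lone_quote_raises_error() -> bool:
    """An unbalanced quote breaks the concatenated query. The resulting database
    error is what error-based injection testing (technique E below) looks for."""
    conn = make_db()
    try:
        lookup_vulnerable(conn, "alice'")
    except sqlite3.OperationalError:
        return True
    return False


def demo() -> dict:
    """Row counts for a normal value and a constructed probe, both code paths."""
    conn = make_db()
    normal = "alice"
    # Constructed probe input: a closing quote followed by an always-true clause.
    probe = "nobody' OR '1'='1"
    return {
        "vulnerable_normal": len(lookup_vulnerable(conn, normal)),
        "vulnerable_probe": len(lookup_vulnerable(conn, probe)),   # whole table
        "safe_normal": len(lookup_safe(conn, normal)),
        "safe_probe": len(lookup_safe(conn, probe)),               # no such owner
        "safe_lone_quote": len(lookup_safe(conn, "alice'")),       # no error, no rows
    }


if __name__ == "__main__":
    for key, rows in demo().items():
        print(f"{key}: {rows} row(s)")
    print("lone quote raises error on concatenated query:", lone_quote_raises_error())
```

The concatenated lookup returns every row for the probe value and throws a database error for a lone quote; the parameterized lookup returns zero rows for both, because the quote is simply part of the searched-for name. That difference is what sqlmap's boolean-, error- and union-based techniques measure from the outside.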

 

Overview:

Topics covered:

– Techniques
– Crawl
– Enumeration
– Batch
– Risk
– Level
– Threads
– Verbosity
– Proxy
– SQL injection via Burp Suite

Options used:

– -u
– --forms
– --data
– --headers
– --user-agent
– --cookie
– --flush-session
– --output-dir
– --tamper


Installation of sqlmap

Install sqlmap on Linux:

sudo apt-get install sqlmap -y

Install sqlmap in Termux:

apt update -y
apt install git -y
apt install python2 -y
git clone https://github.com/sqlmapproject/sqlmap.git
cd sqlmap
python2 sqlmap.py


Video:

Hindi Videos: https://play.onlinehacking.xyz/v/VP5Yi3
English Videos: https://play.onlinehacking.xyz/v/fVX9sU

1. Crawl

Crawl is an important option that lets sqlmap crawl a website starting from a root location. The depth of the crawl is given in the command.

The number after --crawl is the depth: how many link levels below the starting URL sqlmap will visit and test.

sqlmap -u http://testphp.vulnweb.com/ --crawl 2

-u: target URL

  • crawl 1: http://www.example.com/news
  • crawl 2: http://www.example.com/news/newest/
  • crawl 3: http://www.example.com/news/newest/terror/
  • crawl 4: http://www.example.com/news/newest/terror/country/


2. Batch

The --batch option skips the interactive prompts that sqlmap shows. For example, when crawling a target you would be asked to answer y or n, or to enter a value. With --batch these prompts are skipped and sqlmap uses its default answers.

These prompts appear at unpredictable times. Whenever sqlmap needs input to continue a scan, for example when the crawl feature is used and the tool asks whether the user wants to scan a specific URL, it stops and waits. When --batch is given on the command line, the tool uses the default value and proceeds without asking the user.

sqlmap -u http://testphp.vulnweb.com/ --crawl 2 --batch

--batch: all questions are answered automatically with their default values.


3. Techniques

The --technique option selects which SQL injection techniques sqlmap uses. The default is BEUSTQ, that is, all of them; passing a single letter restricts the scan to that technique (for example, T for time-based blind only). The command below restricts the scan to union query-based injection:

sqlmap -u http://testphp.vulnweb.com/ --crawl 3 --technique="U" --batch
  • B: Boolean-based blind
  • E: Error-based
  • U: Union query-based
  • S: Stacked queries
  • T: Time-based blind
  • Q: Inline queries


4. Threads

The --threads option lets the user specify the number of requests sqlmap sends concurrently. This reduces the total testing time. It should not be set to a very high value, as that may affect the accuracy of the results.

The thread count lets you speed up or slow down a scan; values from 1 to 10 threads are allowed.

A high thread count makes the scan fast but can make the results less reliable; a low thread count sends fewer concurrent requests and collects more detailed information than a high one.

sqlmap -u http://testphp.vulnweb.com/ --crawl 2 --batch --threads 5

The default is 1 and the maximum is 10.


5. Risk

The --risk option controls which payloads the tool is allowed to use. Risk values range from 1 to 3. By default sqlmap uses the lowest risk level.

sqlmap -u http://testphp.vulnweb.com/ --crawl 2 --batch --risk 1


6. Level

By default, sqlmap checks all the GET and POST parameters specified, but in some cases you may want to test additional entry points such as HTTP headers. It is possible to specify these with individual options, but the simplest way is the --level option. There are 5 levels available in sqlmap (the default is level 1). Level 2 adds a check of the HTTP Cookie header, and level 3 adds the HTTP User-Agent and Referer headers.

Risk controls the type of payload used by the tool: by default it uses a value of 1, and it can be raised up to 3. Risk 3, being the maximum, includes some heavy SQL queries. Level controls the number of checks/payloads to be performed. The value ranges from 1 to 5; level 5, the maximum, includes a large number of payloads in the scan.

sqlmap -u http://testphp.vulnweb.com/ --crawl 2 --batch --level 2


7. Verbosity

If we want to see the payloads sqlmap sends, we can use the verbose option -v. Values range from 1 to 6; the full scale is listed below.

Use verbosity to check the payloads being sent in a human-readable format.

sqlmap -u http://testphp.vulnweb.com/ --crawl 2 --batch -v 4

Verbosity:

  • 0: Show only Python tracebacks, errors, and critical messages.
  • 1: Show also information and warning messages.
  • 2: Show also debug messages.
  • 3: Show also payloads injected.
  • 4: Show also HTTP requests.
  • 5: Show also HTTP responses' headers.
  • 6: Show also HTTP responses' page content.


8. Database Enumeration

Given that sqlmap is widely used to exploit SQL injection, let's look at some of the database enumeration commands against a vulnerable application.

For database enumeration, use the --dbs option, or the commands below to retrieve specific information about the database.

1. Find the current user, the current database and the current hostname (system name)

sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 --current-user --current-db --hostname --batch
  • --current-user: fetch the current user (to identify the current database user)
  • --current-db: fetch the current database (to identify the current database name)
  • --hostname: fetch the current hostname (to identify the database host [system])

2. Find all available databases and their names

sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 --dbs
  • --dbs: fetch database names


3. Now we have the database name. To find all tables in the database "acuart", run the following command:

sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 -D acuart --tables
  • -u: target URL, including the injectable parameter (the id)
  • -D: select the database
  • --tables: list all tables of the selected database

Now you can see the database tables.

4. To dump and save the data of the "users" table, use the following command:

sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 -D acuart -T users --dump
  • -u: target URL, including the injectable parameter
  • -D: select the database
  • -T: select the database table
  • --dump: dump and save the table contents

This recovers the login and password credentials.


9. HTTP Headers

I was wondering if sqlmap could detect HTTP headers vulnerable to SQL injection. I know that if I use --level >= 3 then it will automatically check the User-Agent and Referer headers, but I would also like to check some more.

So, User-Agent, Cookies, and Referer. You can set custom header fields using the --headers=HEADERS option; however, in my test this did not check the given input field but instead only sent the given value.

I recently wrote a tool to test all HTTP header fields, but the number of tests it performs is pale compared to sqlmap. It currently tests error-based SQLi but will also throw some null bytes in the header fields. However, it will check all the default fields including any custom fields.

sqlmap -u http://testphp.vulnweb.com/ --crawl 3 --headers="Referer:abc.com" -v 4 --batch

It appears custom header injection is supported:

  • --user-agent="sqlmap*"
  • --referer="target.com*"
  • --headers="User-Agent:test*\nReferer:bla"
  • --headers="Foo:bar*"
  • -r request.txt


10. User-Agent

Similarly, many pages are protected by a User-Agent or Referer check. The same can be added to the command:

A firewall may detect and block your system by its User-Agent; changing the User-Agent can bypass the firewall.

Add any fake User-Agent to bypass the firewall:

sqlmap -u http://testphp.vulnweb.com/ --crawl 3 --user-agent="GECKO_Chrome" -v 4 --batch

Mobile User-Agent:

The --mobile option makes sqlmap send a smartphone User-Agent header, so the server receives the requests as if they came from a mobile device.

sqlmap -u http://testphp.vulnweb.com/ --crawl 3 --mobile -v 4

sqlmap then asks which smartphone it should imitate through the HTTP User-Agent header:

  1. Apple iPhone 8 (default)
  2. BlackBerry Z10
  3. Google Nexus 7
  4. Google Pixel
  5. HP iPAQ 6365
  6. HTC 10
  7. Huawei P8
  8. Microsoft Lumia 950
  9. Nokia N97
  10. Samsung Galaxy S7
  11. Xiaomi Mi 3

The User-Agent is now changed and the firewall no longer detects the system.


11. Tamper (Bypassing WAF)

Most of the time we encounter a situation where the application is placed behind a web application firewall (WAF). First check whether the site is protected by a WAF. The tamper scripts shipped with sqlmap are listed with:

sqlmap --list-tampers

A tamper script transforms the SQL injection keywords (for example by encoding them) before they are sent, so that the firewall does not detect them.

With --tamper=base64encode the payload is sent Base64-encoded:

sqlmap -u http://testphp.vulnweb.com/ --crawl 2 --batch --tamper=base64encode -v 3
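From the defending side, the options in sections 9 to 11 (injected headers, a changed or mobile User-Agent, Base64-encoded payloads) are exactly what a detection rule has to account for. The following is an added example, not part of the tutorial or of sqlmap: a small Python scanner over constructed Apache combined-format access log lines. It flags the default sqlmap User-Agent, then, because --user-agent and --mobile defeat that rule, also inspects each decoded query parameter, Base64-decodes parameter values that look encoded, and checks the Referer and User-Agent headers for SQL tokens. The log lines, IP addresses, timestamps and the sqlmap version string in them are constructed for the example.

```python
"""Added example (not from the tutorial or from sqlmap): flag access-log lines
that carry signs of a sqlmap scan, including changed User-Agents and
Base64-encoded payloads. Log format assumed: Apache "combined"."""
import base64
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache combined log: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Tokens typical of the techniques listed in section 3 (union, boolean, time-based).
SQLI_RE = re.compile(
    r"\bUNION\b[\s\S]*\bSELECT\b"                              # union query-based
    r"|\b(?:AND|OR)\b\s*['\"]?\w*['\"]?\s*=\s*['\"]?\w*['\"]?"  # boolean tautology
    r"|\b(?:SLEEP|BENCHMARK|PG_SLEEP)\s*\("                    # time-based blind
    r"|\bWAITFOR\s+DELAY\b|--(?:\s|$)|/\*",                    # MSSQL delay, comments
    re.IGNORECASE,
)

B64_RE = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")

# Constructed payload for the sample log: what --tamper=base64encode would send.
B64_PAYLOAD = base64.b64encode(b"1' OR '1'='1").decode("ascii")

# Constructed sample log lines (addresses, timestamps and version string are made up).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /listproducts.php?cat=1 HTTP/1.1" 200 5120 '
    '"http://testphp.vulnweb.com/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0"',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /listproducts.php?cat=1%20AND%201%3D1 HTTP/1.1" 200 5120 '
    '"-" "sqlmap/1.7#stable (https://sqlmap.org)"',
    '10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /listproducts.php?cat=1%27%20UNION%20SELECT%20NULL%2CNULL-- HTTP/1.1" 200 7021 '
    '"-" "GECKO_Chrome"',
    f'10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /listproducts.php?cat={B64_PAYLOAD} HTTP/1.1" 200 5120 '
    '"-" "Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X)"',
    '10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /listproducts.php?cat=1 HTTP/1.1" 200 5120 '
    '"http://testphp.vulnweb.com/%27%20AND%20SLEEP(5)--" "GECKO_Chrome"',
]


def decode_if_base64(value: str):
    """Return the decoded text if `value` is valid Base64 of ASCII text, else None."""
    if not B64_RE.match(value):
        return None
    try:
        return base64.b64decode(value, validate=True).decode("ascii")
    except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueErrors
        return None


def analyze(line: str):
    """Parse one log line; return its fields plus the reasons it looks like a scan."""
    match = LOG_RE.match(line)
    if not match:
        return None
    rec = match.groupdict()
    reasons = []
    # Rule 1: the default sqlmap User-Agent. Cheap, but --user-agent/--mobile defeat it.
    if rec["ua"].lower().startswith("sqlmap/"):
        reasons.append("default sqlmap User-Agent")
    # Rule 2: SQL tokens in any decoded query parameter, plain or Base64-wrapped.
    for name, value in parse_qsl(urlsplit(rec["target"]).query, keep_blank_values=True):
        if SQLI_RE.search(value):
            reasons.append(f"sql tokens in parameter {name}")
        decoded = decode_if_base64(value)
        if decoded and SQLI_RE.search(decoded):
            reasons.append(f"base64-encoded sql tokens in parameter {name}")
    # Rule 3: the headers sqlmap injects into at --level 3 (and via --headers/--referer).
    for header in ("referer", "ua"):
        if SQLI_RE.search(unquote(rec[header])):
            reasons.append(f"sql tokens in {header} header")
    rec["reasons"] = reasons
    return rec


def suspicious_sources(lines):
    """Map each client IP to the number of flagged requests it sent."""
    counts = {}
    for line in lines:
        rec = analyze(line)
        if rec and rec["reasons"]:
            counts[rec["ip"]] = counts.get(rec["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        rec = analyze(line)
        print(rec["ip"], rec["target"], rec["reasons"])
    print(suspicious_sources(SAMPLE_LOG))
```

Only the second sample line is caught by the User-Agent rule; the custom "GECKO_Chrome" and the iPhone string from --mobile pass it, and the Base64 line carries no visible SQL at all. The per-parameter decoding and the header checks are what keep those three lines in the result, which is why a rule set should key on request content rather than on the client string.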

 

 

12. Forms

The URL of a page with form fields (for example a login page) can be given together with the --forms option, so that sqlmap parses the page and prompts the user to test the fields it found.

Find SQL injection in the login page and check which form parameter is vulnerable:

sqlmap -u http://testphp.vulnweb.com/login.php --forms

Pages with a large number of form fields can be scanned by using --forms and --batch together. sqlmap then parses the page, tests the form fields and supplies the user input automatically.

If the whole application should be scanned, the crawl option can be combined with --forms and --batch.


13. POST request

You can also save a request to a file. If you do not know how to intercept a request, you should learn about the Burp Suite tool.

Once you have saved the request to a file, you can pass it to sqlmap (the -r option listed in section 9); alternatively, supply the POST body directly with --data, as in the command below.

This checks the same form as in section 12 (Forms), this time as a POST request:

sqlmap -u http://192.168.149.137/admin/userinfo.php --data="uname=abc&pass=123&login=submit" --dbs


14. Proxy

We can specify proxy details through which the requests should be sent. If we want to route the requests through a proxy tool like Burp Suite, start Burp Suite and configure it to listen on localhost, port 8080. Then use the following sqlmap command.

To run a proxied scan correctly, make sure the proxy address is set; in this case the proxy is http://127.0.0.1:8080.

sqlmap sends the requests to Burp Suite, where you can modify them before they are forwarded to the server:

sqlmap -u http://testphp.vulnweb.com/ --crawl 3 --proxy="http://127.0.0.1:8080" --batch

Open Burp Suite and check your request.


Conclusion:

I hope all the sqlmap examples have helped you get to know this amazing SQL injection tool. Check the video version of this post as well. sqlmap is a great tool when it comes to finding and exploiting SQL injection vulnerabilities. With so many supported options and switches, and the ability to write and use custom scripts, it stands out among the many open-source tools that test for SQL injection vulnerabilities.
