According to OWASP, SQL injection is one of the top 10 most commonly found vulnerabilities in web applications. In this tutorial we are going to show you how you can automate SQL injection attack using the popular tool SQLmap. We are going to do this on a test site. GET method based SQL injection will be demonstrated using SQLmap in this tutorial. SQLmap also has capability to crack hashed password. SQLmap comes preinstalled in Kali Linux. If you are using another Linux distro like Debian, Ubuntu, or arch you can easily get it from the official repositories.
SQLmap is a terminal based application. So fire up your terminal and just type sqlmap to check if it is already installed.
Debian and Ubuntu based distros
#sudo apt-get install sqlmap
Arch based distros
#sudo pacman -Syy sqlmap
RedHat based distros
#sudo yum install sqlmap
Once SQLmap is installed then all you need is a vulnerable target to see its magic.
SQL injection using SQLmap
Basic command structure is very simple. First you write sqlmap and then URL followed by specific wildcards of where you want the injection to occur.
#sqlmap -u "url"
This command will perform SQL injection on the target and report back if specified target is vulnerable or not. Assuming that target is vulnerable, all the possible SQL injection attacks will be listed for that target. In order to render out some information, first you need to get the list of available databases available at target machine.
#sqlmap -u "url" --dbs
–dbs option here will enlist all the available databases on the target machine if the target is vulnerable to SQL injection. Once you get the list of your databases, the next step is to get the list of all the tables of selected database.
#sqlmap -u "url" --tables -D database-name.
here –table option is used to extract the list of all the tables in the selected database. -D option is used to specify the database name that you found out in the previous step. Next you need to enlist all the columns in the table.
#sqlmap -u "url" --columns -D database-name -T table-name
Now –columns option will tell the sqlmap to get the name of all the columns and additional -T argument is used to specify the table name from which you want to enlist all the columns.
Once you get the columns’ name, either you can dump the whole columns’ data into csv file from the database or you can dump the data from selected fields.
#sqlmap -u "url" --dump -D database -name -T table-name
Here this command will tell the sqlmap to dump all the data from the database-name where table table-name exists.
You can also dump the whole database by using following command
#sqlmap -u "url" --dump -D database-name.
Check if current user is a database administrator
To see if the current user has root access to the database management system, issue the following command.
#sqlmap -u "url" -o -b --current-user --is-dba
If current user turns out be a root user you can extract the password for that user and all the other users. Use the following command.
#sqlmap -u "url" -v1 --current-user --password
SQLmap on multiple target list.
sqlmap is a very flexible tool. You can give it any number of target in a text file and it will test all the targets on time.
#sqlmap -m "path-to-file" --batch
here –batch option will process all the target with default options.
SQLmap also has password cracking capability. It can perform dictionary attack on the found hashes. Hash cracking process will take time according to your CPU power.
You can also find about other security testing tools here: