Important SQLMap commands

Introduction

The SQLMap tool can be found in every penetration tester’s toolbox. It is one of the most popular and powerful tools when it comes to exploiting SQL injection vulnerability, which itself tops the OWASP list of Top 10 Vulnerabilities. From confirming the SQL injection vulnerability to extracting the database name, tables, columns and gaining access to a full system, it can be used for multiple purposes.

In this article, we will see different type of SQLMap commands which may come handy while exploiting different scenarios of SQL injection.

SQLMap can be downloaded from the following links:

Windows

Linux: git clone –depth 1 https://github.com/sqlmapproject/sqlmap.git sqlmap-dev

For demo purposes, I am using this machine from Vulnhub.

Let’s look at the basic usage of SQLMap tool on GET and POST requests.

GET request

• sqlmap -u http://site-to-test.com/test.php?id=1 -p id
• sqlmap -u http://site-to-test.com/test.php?id=1*
• • -u: URL to scan
  • -p: parameter to scan
  • *: Parameter to scan (if -p switch is not provided)

POST request

We can provide the data being passed in the POST request body to scan by the SQLMap tool.

• sqlmap -u http://site-to-test.com/admin/index.php –data=”user=admin&password=admin” -p user
• –data = POST data

Another way is to copy the Burp request into a file and pass the same to SQLMap.

• sqlmap –r <path to the request file>

Let’s go a little bit further to understand other options provided by the SQLMap tool.

Scanning POST login pages

POST login pages are authorized by the cookie header, which is passed in the HTTP header of a GET/POST request. To scan the post login page(s), we have to provide the valid cookie to SQLMap.

• sqlmap -u http://192.168.202.163/admin/index.php?id=1 –cookie=”cookie value”

/admin/index.php?id=1 is a POST login page.

• sqlmap (Read more...)