The SQLMap tool can be found in every penetration tester's toolbox. It is one of the most popular and powerful tools for exploiting SQL injection vulnerabilities, a class that tops the OWASP Top 10 list. From confirming a SQL injection vulnerability to extracting database names, tables and columns, and on to gaining full system access, it can be used for multiple purposes.
In this article, we will look at the different types of SQLMap commands that may come in handy when exploiting different SQL injection scenarios.
SQLMap can be downloaded from the following link:
Linux: git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git sqlmap-dev
For demo purposes, I am using this machine from Vulnhub.
Let's look at the basic usage of the SQLMap tool on GET and POST requests.
sqlmap -u http://site-to-test.com/test.php?id=1 -p id
sqlmap -u http://site-to-test.com/test.php?id=1*
-u: URL to scan
-p: parameter to scan
*: marks the parameter to scan inline in the URL (used when the -p switch is not provided)
For a POST request, we can pass the request body data to SQLMap so that it scans the parameters in it.
sqlmap -u http://site-to-test.com/admin/index.php --data="user=admin&password=admin" -p user
--data: POST data
Another way is to save the raw request from Burp to a file and pass that file to SQLMap.
sqlmap -r <path to the request file>
Let's go a little further and look at other options provided by the SQLMap tool.
Post-login pages are authorized via the Cookie header, which is sent in the HTTP headers of a GET/POST request. To scan post-login page(s), we have to provide a valid cookie to SQLMap.
sqlmap -u http://192.168.202.163/admin/index.php?id=1 --cookie="cookie value"
/admin/index.php?id=1 is a post-login page.
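The commands above drive injection attempts at GET and POST parameters; the defender's counterpart is noticing those attempts in the web server's access log. As an added example (not from the original post), the script below parses constructed Apache combined-format log lines and flags requests carrying SQLMap's default User-Agent or typical injection markers in the query string; the log lines and the version string in the User-Agent are assumptions, not captured data.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample access-log lines (Apache combined format), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /test.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:13:55:40 +0000] "GET /test.php?id=1%27%20AND%201%3D1 HTTP/1.1" 200 512 "-" "sqlmap/1.7.2#stable (https://sqlmap.org)"
203.0.113.9 - - [10/Oct/2023:13:55:41 +0000] "GET /test.php?id=1%20UNION%20ALL%20SELECT%20NULL%2CNULL-- HTTP/1.1" 500 0 "-" "sqlmap/1.7.2#stable (https://sqlmap.org)"
203.0.113.7 - - [10/Oct/2023:13:56:02 +0000] "GET /admin/index.php?id=1%20AND%20SLEEP%285%29 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Apache combined log format: ip ident user [time] "method path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Coarse markers of boolean-, union- and time-based probes; tune to the application.
PAYLOAD_RE = re.compile(
    r"(\bUNION\b.*\bSELECT\b|\bAND\b\s+\d+=\d+|\bSLEEP\s*\(|\bBENCHMARK\s*\()",
    re.IGNORECASE,
)

def classify(line):
    """Return (ip, raw_path, reasons) for a parsed line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ua = m.group("ua")
    path = unquote_plus(m.group("path"))  # decode %27, %20, + before matching
    reasons = []
    if ua.lower().startswith("sqlmap"):   # default UA unless --random-agent / --user-agent is used
        reasons.append("sqlmap user-agent")
    if PAYLOAD_RE.search(path):
        reasons.append("sqli pattern in query")
    return (m.group("ip"), m.group("path"), reasons)

def scan_log(text):
    """Collect every request that triggered at least one reason."""
    findings = []
    for line in text.splitlines():
        r = classify(line)
        if r and r[2]:
            findings.append(r)
    return findings

def per_client(findings):
    """Count flagged requests per source IP so bursts stand out."""
    return Counter(ip for ip, _, _ in findings)
```

A spoofed User-Agent (sqlmap's --random-agent) defeats the first check, which is why the query-string markers and the per-client burst count matter more than the UA string.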
Similarly, many pages are protected by the User-Agent or Referer header. The same can be included
This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by Satyam Singh. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/GRla9ST-xoo/