Do not use the following instructions to exploit others websites / services , Usage of SQL Map for attacking targets without prior mutual consent is illegal.
According to the Open Web Application Security Project (OWASP), injection attacks are first on the list of the top 10 web vulnerabilities. Diving into these, SQL injections are responsible for a big chunk of this. Exploitation of SQL injections is trivial.
SQL Map is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.
We’re going to use SQL Map in 2 examples one for testing a Get request and the other for testing a POST request also listing some extra commands that will be useful in further steps.
- Download & install python if you don’t have it from the following link https://www.python.org/downloads/
- Download SQL Map from the following link
- Extract the Zip folder then we’re ready to start
2) Exploit Get Request
- Open command prompt in Windows as administrator
- Go to the extracted SQL Map folder
- Type the following command
sqlmap.py -u “Target URL”
as the following picture
- If the database engine is identified you have the choice to use the specific payloads for the identified db or use all the available payloads
- According to previous screen shots , SQL map identified the parameter “id” as a vulnerable parameter and also listed the used patterns and their types.
3) Exploit POST Request
In this case we need to capture / intercept the post request and save it to text file then use SQL Map to exploit it , you can use any HTTP interceptor like “Fiddler” or “BurpSuite” or use the developer tool of your browser as the following examples.
Chrome Dev Tools
- Go to “http://demo.testfire.net/default.aspx”
- Click “Sign in” link in the top right
- Use the following credentials to login
User Name : admin , Password : admin
before you sign in make sure you’re going to intercept the login request as the above examples
- Save the raw post request in .txt file and move it to SQL map folder root
- Type the following command to start the exploit
sqlmap.py -r filename.txt
In this case we have 2 vulnerable parameters , you have to choose which parameter you want to continue testing with as the above screen shot.
4) Useful Commands
sqlmap.py -r filename.txt –dbs
When the session user has read access to the system table containing information about available databases, it is possible to enumerate the list of databases.
sqlmap.py -r filename.txt –dump-all
It is possible to dump all databases tables entries at once that the session user has read access on.
SQL Map usage Wiki