2 - Getting Started with SQLmap

- Basic listing of options ```bash sqlmap -h ``` - Advanced listing of options ```bash sqlmap -hh ``` # Basic Scenario - Consider the below PHP code with an SQL injection vuln - Error reporting is enabled for the vulnerable SQL query, there will be a database error returned as part of the web-server response in case of any SQL query execution problems - As such, the web app is vulnerable to error-based SQL injection ```php $link = mysqli_connect($host, $username, $password, $database, 3306); $sql = "SELECT * FROM users WHERE id = " . $_GET["id"] . " LIMIT 0, 1"; $result = mysqli_query($link, $sql); if (!$result) die("<b>SQL error:</b> ". mysqli_error($link) . "<br>\n"); ``` ![[images/Pasted image 20251206200202.png]] - We can run `sqlmap` against the web app as follows - Detection is run across BEUSTQ SQL injection types ```bash sqlmap -u "http://www.example.com/vuln.php?id=1" --batch # --batch is used for skipping any required user-input, by automatically choosing using the default option ``` # Log Message Description - URL content is stable: "target URL content is stable" - No major changes between responses in case of continuous identical requests - Parameter appears to be dynamic: "target URL content is stable" - Sign that any changes made to its value would result in a change in the response; hence the parameter may be linked to a **database** - Parameter might be injectable: "heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL') - DBMS errors are a good indication of the potential SQLi. In this case, there was a MySQL error when SQLMap sends an intentionally invalid value was used (e.g. `?id=1",)..).))'`), which indicates that the tested parameter could be SQLi injectable and that the target could be MySQL - Parameter might be vulnerable to XSS attacks: - "heuristic (XSS) test shows that GET parameter 'id' might be vulnerable to cross-site scripting (XSS) attacks" - While not the primary purpose of SQLmap, a quick heuristic test is run for XSS vuln - Back-end BDMS is '...': - "it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n]" - Specific DBMS may be identified - Level/risk values: - "for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n]" - This basically means running all SQL injection payloads for that specific DBMS, while if no DBMS were detected, only top payloads would be tested - Reflective valued found: "reflective value(s) found and filtering out" - Warning that parts of the used payloads are found in the response - Parameter appears to be injectable: "GET parameter 'id' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable (`with --string="luther"`)" - Indicates that the parameter appears to be injectable, though there is still a chance for it to be a false-positive finding - Additionally, `with --string="luther"` indicates that SQLMap recognized and used the appearance of constant string value `luther` in the response for distinguishing `TRUE` from `FALSE` responses - Time-based comparison statistical model: "time-based comparison requires a larger statistical model, please wait........... (done)" - SQLMap uses a statistical model for the recognition of regular and (deliberately) delayed target responses - For this model to work, there is a requirement to collect a sufficient number of regular response times - Extending UNION query injection technique tests: "automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found" - UNION-query SQLi checks require considerably more requests for successful recognition of usable payload than other SQLi types - To lower the testing time per parameter, especially if the target does not appear to be injectable, the number of requests is capped to a constant value (i.e., 10) for this type of check - Technique appears to be usable: "ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test" - As a heuristic check for the UNION-query SQLi type, before the actual `UNION` payloads are sent, a technique known as `ORDER BY` is checked for usability - In case that it is usable, SQLMap can quickly recognize the correct number of required `UNION` columns by conducting the binary-search approach - Parameter is vulnerable: "GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N]" - This is one of the most important messages of SQLMap, as it means that the parameter was found to be vulnerable to SQL injections - SQLmap identified injection points: "sqlmap identified the following injection point(s) with a total of 46 HTTP(s) requests:" - Following after is a listing of all injection points with type, title, and payloads, which represents the final proof of successful detection and exploitation of found SQLi vulnerabilities - Data logged to text files: "fetched data logged to text files under '/home/user/.sqlmap/output/www.example.com'" - This indicates the local file system location used for storing all logs, sessions, and output data for a specific target - in this case, `www.example.com` - After such an initial run, where the injection point is successfully detected, all details for future runs are stored inside the same directory's session files