
Owning SQLi vulnerability with SQLmap

CaroleLoomis (Contributor)

SQLi (SQL Injection) is one of the most critical classes of web application vulnerability. The attack works by inserting or injecting SQL syntax through input fields or parameters supplied by the end user, so that the injected text becomes part of a query the application runs against its database. A successful injection may allow the attacker to:


  • Bypass security, like the login page.
  • Expose sensitive information, which we refer to as a “data breach.”
  • Manipulate data (add, edit, delete) and, depending on the severity of the vulnerability, data structures, database schemas, stored procedures and scripts.

In some situations, it can lead to a takeover of the whole server by means of code execution and privilege escalation. Finding a SQLi-vulnerable site or application is the first step; exploiting it and digging further is another matter. This blog aims to give you the nuts and bolts of using SQLmap, basic techniques to properly evaluate SQLi findings, and an understanding of some attack methods.


So let’s get started! We will be using SQLmap on Ubuntu Linux. If you want to use a pentest distro that already ships SQLmap, that is fine. But for the sake of beginners who are new to Linux, or folks who have just started learning penetration testing, it is a good foundation to install it yourself. SQLmap is written in Python, so it is not OS dependent.



Open the terminal and follow these simple steps:


  1. Download

wget '' --output-document=sqlmap.tar.gz

  2. Extract

tar -xvf sqlmap.tar.gz && mv sqlmapproject* sqlmap && cd sqlmap && ls

  3. Run a version check

python --version


Now we will proceed to the next phase.


To view the available commands and options, run python sqlmap.py -h (basic options) or python sqlmap.py -hh (advanced options).


A quick note: Sometimes it can be overwhelming and a little confusing to see dozens of options or commands, especially when you’re trying to run a tool for the first time. Knowing the basics may not be enough for you to learn the whole shebang, but it will definitely help you get started.


Quick jump! There are two main methods for sending parameters or data from the client to the server: the GET and the POST request. Both carry parameters with corresponding values, and both are places where SQLi can occur.


GET request

In an HTTP GET request, parameters are sent in query string format, appended to the URL after a "?" (for example ?ID=123).

The structure looks like this:

ID  <-- the URL parameter name
123 <-- the value of the parameter


Sometimes there are two or more parameters, separated by "&".

Example: python sqlmap.py -u ""


POST request

A POST request carries its input fields or form objects in the request body rather than in the URL. The usual content type is application/x-www-form-urlencoded.

Example: python sqlmap.py -u "" --forms

You can specify the data to be posted with the --data option, for example --data="param1=value1&param2=value2".

If no data is specified, SQLmap will prompt for the parameters' values or fill them with randomly generated data.
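An added defender-side example, not part of the original post, tying the GET and POST discussion together: it decodes parameters from either the query string or the form-urlencoded body and flags requests whose values look like injection probes or that carry SQLmap's default User-Agent prefix. The request records, the version string in the User-Agent and the token patterns are constructed for the demo.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed request records (not from the original post), shaped like what a
# reverse proxy or WAF log would hold: (method, url, body, user_agent).
SAMPLE_REQUESTS = [
    ("GET", "/product.aspx?ID=123", "", "Mozilla/5.0"),
    ("GET", "/product.aspx?ID=123%27+AND+1%3D1--", "", "Mozilla/5.0"),
    ("POST", "/login.aspx", "user=alice&pass=secret", "Mozilla/5.0"),
    ("POST", "/login.aspx", "user=alice%27+OR+1%3D1--&pass=x",
     "sqlmap/1.7#stable (https://sqlmap.org)"),  # version string constructed
]

# Coarse injection signatures: quote followed by a boolean operator, UNION SELECT,
# comment terminators, or time-delay functions. Tune against real traffic.
SQL_TOKENS = re.compile(
    r"('\s*(OR|AND)\b|\bUNION\b\s+(ALL\s+)?SELECT\b|--\s*$|/\*|\bSLEEP\s*\(|\bWAITFOR\b)",
    re.IGNORECASE,
)


def extract_params(method, url, body):
    """Decode parameters the way the post describes them: GET from the query
    string, POST from the x-www-form-urlencoded body."""
    if method == "GET":
        return parse_qs(urlsplit(url).query, keep_blank_values=True)
    if method == "POST":
        return parse_qs(body, keep_blank_values=True)
    return {}


def classify(method, url, body, user_agent):
    """Return the list of findings for one request (empty list if clean)."""
    findings = []
    if user_agent.lower().startswith("sqlmap/"):
        findings.append("sqlmap user-agent")
    for name, values in extract_params(method, url, body).items():
        for value in values:
            if SQL_TOKENS.search(value):
                findings.append("suspicious value in parameter %r" % name)
    return findings


def scan(requests=SAMPLE_REQUESTS):
    """Return (index, findings) for every request that raised a finding."""
    results = []
    for i, rec in enumerate(requests):
        findings = classify(*rec)
        if findings:
            results.append((i, findings))
    return results
```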


We now have two basic examples of running SQLmap against GET and POST requests, but there are other things we may encounter in some circumstances.



If we are behind a firewall and a proxy is needed to reach the site, URL or machine, we need to specify it with --proxy; http, https, socks4 and socks5 proxies are supported.




Using a SOCKS5 proxy: python sqlmap.py -u "" --proxy="socks5://mysuperproxy:8080"

Using a SOCKS4 proxy: python sqlmap.py -u "" --proxy="socks4://"

Using an HTTP proxy: python sqlmap.py -u "https://" --proxy=""



Some websites require authentication such as Basic, Digest or NTLM; for this you can use --auth-type=BASIC --auth-cred="username:password".


Example: python sqlmap.py -u "https://" --proxy="" --auth-type=BASIC --auth-cred="superuser:awesomepass123"


Valid session or valid login

In some cases, the target can only be injected and exploited if valid credentials are available or an authenticated session is established. In this scenario we can pass the session cookie with --cookie.




DBMS type

Below is an example of a SQL error that discloses the database type. Let us remember that each DBMS type has its own specifically crafted payloads, so knowing the type of database backend before running the attack saves a tremendous amount of time! We can specify the type using --dbms.

Example: python sqlmap.py -u "https://" --cookie="ASPSESSIONIDASRQASRD=MNLBEJLCPMEGCAMDAMPJAONP" --dbms="Microsoft SQL Server"


Below is an example of successfully finding a valid injection point. Once we have this, we can go ahead and proceed with enumeration.



If we want to enumerate the entire database we can use --dbs



We did not successfully list the entire database.



Let's dig a little deeper. To enumerate the tables of a specific database, we use -D to specify the database we want and the --tables option to list all of its tables.

Example: python sqlmap.py --url="" --cookie="ASPSESSIONIDASRQASRD=MNLBEJLCPMEGCAMDAMPJAONP" -D transactions --tables




Let’s now enumerate the columns of a specific table by specifying the table with -T and adding --columns

Example: python sqlmap.py --url="" --cookie="ASPSESSIONIDASRQASRD=MNLBEJLCPMEGCAMDAMPJAONP" -D transactions -T sample_tran_table --columns



Let’s run a SELECT statement using --sql-query

python sqlmap.py --url="" --cookie="ASPSESSIONIDASRQASRD=MNLBEJLCPMEGCAMDAMPJAONP" --sql-query="select * from transactions.sample_tran_table"



We can also search for database, table or column names by combining -D, -T or -C with the --search option.





That’s all for now. Hope you enjoyed this and learned something!


Posted on behalf of Medz Barao, Fortify on Demand Security Team.


Great post! Be nice if it was chapter one...