SQLMAP is an open-source penetration tool. SQLMAP allows you to automate the process of identifying and then exploiting SQL injection flaws and subsequently taking control of the database servers. In addition, SQLMAP comes with a detection engine that includes advanced features to support penetration testing.
SQL Injection (SQLi) Flaws
Threat actors use the Structured Query Language (SQL) to inject commands that can compromise the original query and then read or modify database records. There may be fields designed by the software developers where the submission of an expanded result in SQL syntax will enable access to passwords or other sensitive information. SQLi attacks may allow access to data from anywhere within the database. Depending on the nature of the attack, the threat actor may be able to change or delete this data.
SQLi examples include manipulation of the basic SQL functionality. Manipulations can consist of retrieving confidential data, whereby an SQL query is modified to return additional data. A union SQLi attack accesses and retrieves data from multiple database tables. An SQLi attack interferes with basic application logic such that the query can interfere with the execution of an application. An SQLi attack can result in access to passwords, personal information, credit card, and other financial details. Using SQLi, a threat actor can bypass authentication and access, delete, or modify data within exploited databases. SQLi attacks can also be used to execute operating system-level commands. Executing OS-level commands would allow a threat actor to escalate the attacks further.
- Support for MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, and other DMBS systems.
- Support directly connecting to the database without passing via a SQL injection by providing DBMS credentials, IP address, port, and database name.
- Support to enumerate password hashes, roles, privileges, databases, tables, database columns, and users.
- Automatic recognition of password hash formats and features to execute a dictionary-based attack.
- Support copy database tables to include a specified range of entries or specific columns per the user’s choice. The user specifies a particular range of characters from each column’s entry.
- Support to search across many parameters to include database names, specific tables across all databases, or particular columns from within all the tables.
- Support to download and upload any file from the database server underlying file system for the MySQL, PostgreSQL, or Microsoft SQL Server databases.
- Support to execute arbitrary commands and retrieve their standard output on the database server underlying operating system when the database software is MySQL, PostgreSQL, or Microsoft SQL Server.
- Support establishing out-of-band stateful TCP connections between the attacker’s machine and the underlying database server operating system.
- Support database process’ user privilege escalation using the Metasploit Meterpreter “getsystem” command.
SQLMAP provides full support for SQL injection techniques, including stacked queries, time-based blind, error-based, UNION query-based, and boolean-based blind.
- Stacked queries are also known as piggybacking. In this scenario, SQLMAP tests if the web application supports stacked queries and then appends the affected parameter in the HTTP request using a semicolon followed by the SQL statement, which is to be executed.
- SQLMAP uses a time-based blind to replace or append a syntactically valid SQL statement to the affected parameter in the HTTP request. This SQL statement string contains a query that places the back-end DBMS’s return on hold for a certain number of seconds.
- SQLMAP error-based injection replaces or appends to the affected parameter a database-specific error message.
- SQLMAP uses a UNION-based query to append a syntactically valid SQL statement to the affected parameter starting with a UNION ALL SELECT. This technique works when the web application page directly passes the output of the SELECT statement within a for loop or similar so that each line of the query output is printed on the page content.
- SQLMAP uses Boolean-based blind to replace or append to the affected parameter in the HTTP request, a correct and valid SQL statement string containing a SELECT sub-statement, or any other SQL statement that the user wants to retrieve the output.
SQLMAP was developed in Python, a dynamic, object-oriented, interpreted programming language. This design makes SQLMAP a cross-platform application independent of the operating system. SQLMAP requires Python version 2.6, 2.7, or 3. x. SQLMAP relies on the Metasploit Framework for some of its post-exploitation features.
SQLMAP is free software that can be redistributed under the terms of the GNU General Public License. This open-source software is published by the Free Software Foundation, Version 2 or later, with the clarifications and exceptions described in the license file. The license grants a right to use, modify and redistribute the software under certain conditions. Organizations wishing to embed SQLMAP technology into proprietary software licenses should be purchased through email@example.com.
The Current Release
The current version, v1.6, was released on January 3, 2022. This followed version v1.5 which was released on January 3, 2021.
Want to learn more? Check out our FREE Bugcrowd University to sharpen your hacking skills.
Organizations the world over need your help! Join our researcher community to connect with hundreds of organization programs focused on finding their security vulnerabilities. Our vast directory includes programs for all skill levels, across many industries and from around the world.
Get started with Bugcrowd
Hackers aren’t waiting, so why should you? See how Bugcrowd can quickly improve your security posture.