sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.
sqlmap is able to detect and exploit five different SQL injection types:
- Boolean-based blind: sqlmap replaces or appends to the affected parameter in the HTTP request, a syntatically valid SQL statement string containing a
SELECTsub-statement, or any other SQL statement whose the user want to retrieve the output. For each HTTP response, by making a comparison between the HTTP response headers/body with the original request, the tool inference the output of the injected statement character by character. Alternatively, the user can provide a string or regular expression to match on True pages. The bisection algorithm implemented in sqlmap to perform this technique is able to fetch each character of the output with a maximum of seven HTTP requests. Where the output is not within the clear-text plain charset, sqlmap will adapt the algorithm with bigger ranges to detect the output.
- Time-based blind: sqlmap replaces or appends to the affected parameter in the HTTP request, a syntatically valid SQL statement string containing a query which put on hold the back-end DBMS to return for a certain number of seconds. For each HTTP response, by making a comparison between the HTTP response time with the original request, the tool inference the output of the injected statement character by character. Like for boolean-based technique, the bisection algorithm is applied.
- Error-based: sqlmap replaces or appends to the affected parameter a database-specific error message provoking statement and parses the HTTP response headers and body in search of DBMS error messages containing the injected pre-defined chain of characters and the subquery statement output within. This technique works only when the web application has been configured to disclose back-end database management system error messages.
- UNION query-based: sqlmap appends to the affected parameter a syntactically valid SQL statement starting with an
UNION ALL SELECT. This techique works when the web application page passes directly the output of the
SELECTstatement within a
forloop, or similar, so that each line of the query output is printed on the page content. sqlmap is also able to exploit partial (single entry) UNION query SQL injection vulnerabilities which occur when the output of the statement is not cycled in a
forconstruct, whereas only the first entry of the query output is displayed.
- Stacked queries, also known as piggy backing: sqlmap tests if the web application supports stacked queries and then, in case it does support, it appends to the affected parameter in the HTTP request, a semi-colon (
;) followed by the SQL statement to be executed. This technique is useful to run SQL statements other than
SELECT, like for instance, data definition or data manipulation statements, possibly leading to file system read and write access and operating system command execution depending on the underlying back-end database management system and the session user privileges.
Features implemented in sqlmap include:
- Full support for MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access,IBM DB2, SQLite,Firebird, Sybase, SAP MaxDB and HSQLDB database management systems.
- Full support for five SQL injection techniques: boolean-based blind, time-based blind,error-based, UNION query and stacked queries.
- Support to directly connect to the database without passing via a SQL injection, by providing DBMS credentials, IP address, port and database name.
- It is possible to provide a single target URL, get the list of targets from Burp proxy or WebScarab proxyrequests log files, get the whole HTTP request from a text file or get the list of targets by providing sqlmap with a Google dork which queries Google search engine and parses its results page. You can also define a regular-expression based scope that is used to identify which of the parsed addresses to test.
- Tests provided GET parameters, POST parameters, HTTP Cookie header values, HTTPUser-Agent header value and HTTP Referer header value to identify and exploit SQL injection vulnerabilities. It is also possible to specify a comma-separated list of specific parameter(s) to test.
- Option to specify the maximum number of concurrent HTTP(S) requests (multi-threading)to speed up the blind SQL injection techniques. Vice versa, it is also possible to specify the number of seconds to hold between each HTTP(S) request. Others optimization switches to speed up the exploitation are implemented too.
Cookieheader string support, useful when the web application requires authentication based upon cookies and you have such data or in case you just want to test for and exploit SQL injection on such header values. You can also specify to always URL-encode the Cookie.
- Automatically handles HTTP
Set-Cookieheader from the application, re-establishing of the session if it expires. Test and exploit on these values is supported too. Vice versa, you can also force to ignore any
- HTTP protocol Basic, Digest, NTLM and Certificate authentications support.
- HTTP(S) proxy support to pass by the requests to the target application that works also with HTTPS requests and with authenticated proxy servers.
- Options to fake the HTTP
Refererheader value and the HTTP
User-Agentheader value specified by user or randomly selected from a textual file.
- Support to increase the verbosity level of output messages: there exist seven levels of verbosity.
- Support to parse HTML forms from the target URL and forge HTTP(S) requests against those pages to test the form parameters against vulnerabilities.
- Granularity and flexibility in terms of both user’s switches and features.
- Estimated time of arrival support for each query, updated in real time, to provide the user with an overview on how long it will take to retrieve the queries’ output.
- Automatically saves the session (queries and their output, even if partially retrieved) on a textual file in real time while fetching the data and resumes the injection by parsing the session file.
- Support to read options from a configuration INI file rather than specify each time all of the switches on the command line. Support also to generate a configuration file based on the command line switches provided.
- Support to replicate the back-end database tables structure and entries on a local SQLite 3 database.
- Option to update sqlmap to the latest development version from the subversion repository.
- Support to parse HTTP(S) responses and display any DBMS error message to the user.
- Integration with other IT security open source projects, Metasploit and w3af.
Fingerprint and enumeration features
- Extensive back-end database software version and underlying operating system fingerprint based uponerror messages, banner parsing, functions output comparison and specific features such as MySQL comment injection. It is also possible to force the back-end database management system name if you already know it.
- Basic web server software and web application technology fingerprint.
- Support to retrieve the DBMS banner, session user and current database information. The tool can also check if the session user is a database administrator (DBA).
- Support to enumerate users, password hashes, privileges, roles, databases, tables and columns.
- Automatic recognition of password hashes format and support to crack them with a dictionary-based attack.
- Support to brute-force tables and columns name. This is useful when the session user has no read access over the system table containing schema information or when the database management system does not store this information anywhere (e.g. MySQL < 5.0).
- Support to dump database tables entirely, a range of entries or specific columns as per user’s choice. The user can also choose to dump only a range of characters from each column’s entry.
- Support to automatically dump all databases‘ schemas and entries. It is possibly to exclude from the dump the system databases.
- Support to search for specific database names, specific tables across all databases or specific columns across all databases’ tables. This is useful, for instance, to identify tables containing custom application credentials where relevant columns’ names contain string likename and pass.
- Support to run custom SQL statement(s) as in an interactive SQL client connecting to the back-end database. sqlmap automatically dissects the provided statement, determines which technique fits best to inject it and how to pack the SQL payload accordingly.
Some of these techniques are detailed in the white paper Advanced SQL injection to operating system full control and in the slide deck Expanding the control over the operating system from the database.
- Support to inject custom user-defined functions: the user can compile a shared library then use sqlmap to create within the back-end DBMS user-defined functions out of the compiled shared library file. These UDFs can then be executed, and optionally removed, via sqlmap. This is supported when the database software is MySQL or PostgreSQL.
- Support to download and upload any file from the database server underlying file system when the database software is MySQL, PostgreSQL or Microsoft SQL Server.
- Support to execute arbitrary commands and retrieve their standard output on the database server underlying operating system when the database software is MySQL, PostgreSQL or Microsoft SQL Server.
- On MySQL and PostgreSQL via user-defined function injection and execution.
- On Microsoft SQL Server via
xp_cmdshell()stored procedure. Also, the stored procedure is re-enabled if disabled or created from scratch if removed by the DBA.
- Support to establish an out-of-band stateful TCP connection between the attacker machine and the database server underlying operating system. This channel can be an interactive command prompt, a Meterpreter session or a graphical user interface (VNC) session as per user’s choice. sqlmap relies on Metasploit to create the shellcode and implements four different techniques to execute it on the database server. These techniques are:
- Database in-memory execution of the Metasploit’s shellcode via sqlmap own user-defined function
sys_bineval(). Supported on MySQL and PostgreSQL.
- Upload and execution of a Metasploit’s stand-alone payload stager via sqlmap own user-defined function
sys_exec()on MySQL and PostgreSQL or via
xp_cmdshell()on Microsoft SQL Server.
- Execution of Metasploit’s shellcode by performing a SMB reflection attack (MS08-068 with a UNC path request from the database server to the attacker’s machine where the Metasploit
smb_relayserver exploit listens. Supported when running sqlmap with high privileges (
uid=0) on Linux/Unix and the target DBMS runs as Administrator on Windows.
- Database in-memory execution of the Metasploit’s shellcode by exploiting Microsoft SQL Server 2000 and 2005
sp_replwritetovarbinstored procedure heap-based buffer overflow (MS09-004). sqlmap has its own exploit to trigger the vulnerability with automatic DEP memory protection bypass, but it relies on Metasploit to generate the shellcode to get executed upon successful exploitation.
- Support for database process’ user privilege escalation via Metasploit’s
getsystemcommand which include, among others, the kitrap0d technique (MS10-015).
- Support to access (read/add/delete) Windows registry hives.
Preferably, you can download sqlmap by cloning the Git repository:
git clone https://github.com/sqlmapproject/sqlmap.git sqlmap-dev
sqlmap works out of the box with Python version 2.6.x and 2.7.x on any platform.
To get a list of basic options and switches use:
python sqlmap.py -h
To get a list of all options and switches use:
python sqlmap.py -hh