Introduction

Miroslav Stampar edited this page May 9, 2024 · 5 revisions

Detect and exploit a SQL injection

Let's say that you are auditing a web application and found a web page that accepts dynamic user-provided values via GET, POST or Cookie parameters or via the HTTP User-Agent request header. You now want to test if these are affected by a SQL injection vulnerability, and if so, exploit them to retrieve as much information as possible from the back-end database management system, or even be able to access the underlying file system and operating system.

In a simple world, consider that the target URL is:

http://192.168.136.131/sqlmap/mysql/get_int.php?id=1

Assume that:

http://192.168.136.131/sqlmap/mysql/get_int.php?id=1+AND+1=1

is the same page as the original one (the condition evaluates to True) and that:

http://192.168.136.131/sqlmap/mysql/get_int.php?id=1+AND+1=2

differs from the original one (the condition evaluates to False). This likely means that you are in front of a SQL injection vulnerability in the id GET parameter of the index.php page. Additionally, no sanitisation of the user's supplied input is taking place before the SQL statement is sent to the back-end database management system.

This is quite a common flaw in dynamic content web applications and it does not depend upon the back-end database management system nor on the web application programming language; it is a flaw within the application code. The Open Web Application Security Project rated this class of vulnerability as the most common and serious web application vulnerability in their Top Ten list from 2013.

Now that you have found the vulnerable parameter, you can exploit it by manipulating the id parameter value in the HTTP request.

Back to the scenario, we can make an educated guess about the probable syntax of the SQL SELECT statement where the user-supplied value is being used in the get_int.php web page. In pseudo PHP code:

$query = "SELECT [column name(s)] FROM [table name] WHERE
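To make the three-request comparison above concrete, here is an added Python example (not sqlmap's code, nor the wiki's own) that runs the baseline, AND 1=1 and AND 1=2 values against a constructed in-memory SQLite table, once through a string-concatenated query shaped like the pseudo PHP and once through a parameterised query; the users table, its columns and the function names are assumptions.

```python
import sqlite3


def make_db():
    # Constructed stand-in for the back-end DBMS: a tiny in-memory users table.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [(1, "alice"), (2, "bob"), (3, "carol")])
    return con


def vulnerable_lookup(con, user_id):
    # Mirrors the pseudo PHP: the raw request value is glued into the SQL text,
    # so anything after the number is parsed as part of the WHERE clause.
    query = "SELECT name FROM users WHERE id=" + user_id
    return [row[0] for row in con.execute(query)]


def hardened_lookup(con, user_id):
    # Parameterised query: the value is bound as data and never parsed as SQL.
    # The text "1 AND 1=1" is compared as a whole against the id column.
    query = "SELECT name FROM users WHERE id=?"
    return [row[0] for row in con.execute(query, (user_id,))]


def boolean_probe(lookup, con, value):
    # The three "pages" from the text: original, true condition, false condition.
    baseline = lookup(con, value)
    true_cond = lookup(con, value + " AND 1=1")
    false_cond = lookup(con, value + " AND 1=2")
    return baseline, true_cond, false_cond


def looks_injectable(baseline, true_cond, false_cond):
    # The signature described in the text: AND 1=1 leaves the page unchanged
    # while AND 1=2 changes it. A bound parameter changes the page in both cases.
    return baseline == true_cond and baseline != false_cond


if __name__ == "__main__":
    con = make_db()
    print("concatenated:", looks_injectable(*boolean_probe(vulnerable_lookup, con, "1")))
    print("parameterised:", looks_injectable(*boolean_probe(hardened_lookup, con, "1")))
```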

Direct connection to the database management system

Up until sqlmap version 0.8, the tool has been yet another SQL injection tool, used by web application penetration testers/newbies/curious teens/computer addicted/punks and so on. Things move on and as they evolve, we do as well. Now it supports this new switch, -d, that allows you to connect from your machine to the database server's TCP port where the database management system daemon is listening on and perform any operation you would do while using it to attack a database via a SQL injection vulnerability.
