Trick 1
Boolean (Yes/No)
It asks the website simple true or false questions. By looking at how the webpage changes, it slowly guesses the secrets.
SQLmap: Database Takeover
Automatic SQL injection and database exploit.
Web SecuritySQLSecurityWeb
Master the automation of detecting and exploiting SQL injection vulnerabilities.
Security Tool Guide
The Complete Guide to SQLmap
Learn how to test websites for database flaws automatically. A simple, step-by-step manual for finding weak spots.
The Core Problem: SQL Injection
Imagine a website is a building. A search box or login screen is the front door. The website has a guard that checks your ID.
If the website is built poorly, a bad guy can give the guard a weird, confusing ID card. The guard gets confused and accidentally hands over the keys to the entire building.
This trick is called a SQL Injection. It forces the website's database to hand over secret information it should protect.
Normal login:
Username: John
Password: mypassword123
Password: mypassword123
Hacker login (SQL Injection):
Username: admin
Password: ' OR '1'='1
Password: ' OR '1'='1
Enter SQLmap
Testing a website for this bug by hand takes hours. You have to type thousands of weird passwords to see if the guard gets confused.
SQLmap is a free tool that acts like a robot. It automatically throws thousands of tests at a website in seconds to see if it is broken. It does the hard work for you.
Databases It Can Talk To
A database is just a digital filing cabinet. Websites use different brands of filing cabinets. SQLmap knows how to break the locks on almost all of them.
MySQL
Oracle
PostgreSQL
Microsoft SQL
The 6 Tricks SQLmap Uses
If the front door is locked, SQLmap tries the windows, the back door, and the roof. It has a bag of six main tricks it uses to fool a website.
Trick 2
Error-Based
It intentionally breaks the website to make it crash. When it crashes, the website often prints out error messages that contain secret database names.
Trick 3
Union Query
It glues its own question onto the end of the website's normal question. The website then prints the stolen data directly on the screen.
Trick 4
Stacked Queries
It adds a semicolon (;) to end the first command, and then writes a completely new, evil command right after it.
Trick 5
Time-Based
It tells the database to "pause for 5 seconds" if a letter is correct. If the website loads slowly, SQLmap knows it guessed the right letter.
Trick 6
Inline Queries
It hides its evil command inside another normal command, making a computer puzzle that tricks the database.
The 4-Step Process
1
Target
You give the tool a website link.
2
Detect
It finds the weak spots.
3
Exploit
It breaks the lock to get inside.
4
Extract
It downloads the saved data.
Your First Command
Using SQLmap is simple. You open a computer terminal (a black screen where you type text) and give it a
website link using the -u flag.
sqlmap -u "http://www.badsite.com/product.php?id=5"
What this does:
It tells SQLmap to test the link. It will look at the part that says "id=5" and try replacing the number 5 with evil code.
Stealing the Digital Filing Cabinet
Once SQLmap finds a hole, you have to tell it what to steal. It is a step-by-step process. First you ask for the folders, then the files, then the papers inside.
Step 1: Get Database Names
Find out what filing cabinets exist.
sqlmap -u "link" --dbs
Step 2: Get Table Names
Look inside one cabinet (let's call it "shopDB") to find the folders.
sqlmap -u "link" -D shopDB --tables
Step 3: Dump the Data
Take all the paper out of the "users" folder.
sqlmap -u "link" -D shopDB -T users --dump
The Golden Rule of Testing
Do not use SQLmap on websites you do not own.
Using this tool against a company or person without their direct permission is a crime. It is the digital version of breaking into someone's house. You must only use SQLmap on your own websites to see if they are safe, or if a company pays you to test their security.
How to Defeat SQLmap
If SQLmap can break your website, how do you fix it? The answer is simple: Never trust user input.
Use Prepared Statements
A "Prepared Statement" separates the computer code from the text the user types in. It tells the database, "Treat whatever this user typed as a plain word, not as a command."
If a hacker types a command, the database will just think their name is literally a weird math problem. The database will not run the command, and SQLmap will fail completely.
Two Ways Websites Listen
Websites take information from you in two different ways. SQLmap can attack both.
1. GET
Request (The Postcard)
The information is visible right in the web address (URL). Anyone looking can see it.
site.com/item?id=5
2. POST
Request (The Sealed Letter)
The information is hidden inside an envelope when you hit "Submit" on a login form. You
must tell SQLmap to open the letter using the --data command.
sqlmap -u "link" --data="user=admin"
Hello, my name is
admin_user
Digital Nametags (Cookies)
When you log in, a website hands your browser a digital nametag called a "Cookie". Every time you click a new page, your browser shows the nametag.
If the website checks the nametag poorly, SQLmap can write evil code directly onto the nametag to trick the guard.
sqlmap -u "link" --cookie="session_id=123"
Sneaking Past the Digital Bouncer
Many modern websites have a Web Application Firewall (WAF). Think of this as a big, mean bouncer at the
front door. If the bouncer sees obvious hacker words like SELECT * FROM, he throws you out immediately.
Blocked by Bouncer
The firewall detects normal SQLmap commands.
UNION SELECT password
TAMPER SCRIPT
Sneaking Past
SQLmap uses disguises (adding weird spaces or changing letters) so the bouncer gets confused.
U%4eION SeLeCt pA%73sWoRd
SQLmap is a Bulldozer, Not a Ninja
When you watch hacker movies, they type a few keys and quietly sneak in. SQLmap does not do this.
Because it acts like a robot rapidly guessing passwords, it makes thousands of requests a minute. This leaves massive footprints in the website's security logs. If you use this tool, the website owner will absolutely know you were there, what time you arrived, and exactly what you tried to do.
How Attackers Find Targets (Google Dorks)
How do bad guys find websites to test? They don't guess. They ask Google. By using special search commands called "Google Dorks", they can ask Google to only show websites that have old or weak-looking links.
inurl:"php?id="
Search
* Note: Searching is fine, but attacking the results without permission is illegal.
Reading the Computer's Files
Sometimes the database guard has high-level permissions on the computer. If the guard is powerful enough, SQLmap can force them to read private files stored on the computer's hard drive, like the master password list for the whole server.
sqlmap -u "link" --file-read="/etc/passwd"
The Worst Case: OS Shell
This is the absolute worst thing that can happen to a website. If the database guard is running as
the "Administrator" of the computer, SQLmap can use the --os-shell
command.
This completely bypasses the database and gives the hacker a direct command line to the actual computer server. They can delete the website, upload viruses, or steal everything. Game over.
Making the Robot Work Faster
By default, SQLmap works carefully and uses one "thread" (one set of hands). If you are testing a massive website and have permission, you can tell it to use up to 10 sets of hands at once to finish the job faster.
Default Speed
--threads=1
Fast Speed
--threads=5
Maximum Speed
--threads=10
Warning: Using 10 threads can cause weak websites to crash and turn off completely!
The Robot Remembers
Testing a large database can take hours. If your laptop battery dies, you don't lose your work. SQLmap automatically saves every single thing it finds into a secret "Output" folder on your computer. If you run the exact same command again, it resumes exactly where it left off!
The Pre-Flight Checklist
I own this website OR I have written permission from the owner.
I double-checked that the link is 100% correct.
I understand this tool leaves massive footprints in logs.
I will not use 10 threads on a fragile server.
If any answer is no, stop immediately.
More in this series
Master more skills with other tutorials from the Web Security series.
Web Security
- SQLmap: Database Takeover: Automatic SQL injection and database exploit.
- BeEF: Browser Exploitation Framework: Assessing the security of web browsers.
- Nikto: Comprehensive Web Scanner: Identify server vulnerabilities and misconfigurations.
- DIRB: Web Content Scanner: Analyze web server directories and files.
- Gobuster: URI and DNS Buster: Discover hidden paths and subdomains.
- Burp Suite: Web Security Testing: The standard for web application security.
Networking
- Responder: Network Poisoning: Exploiting Windows network services.
- Ettercap: MITM Attacks: Sniffing and dissecting network traffic.
- Netcat: The Swiss Army Knife: Read and write data across network connections.
- Wireshark: Protocol Analysis: Uncovering the secrets of network traffic.
OSINT
- Maltego: Information Gathering: Visualizing relationships for intelligence gathering.
Wireless
- Kismet: Wireless Discovery: Sniffing and monitoring wireless networks.
- Aircrack-ng: Wireless Security Auditing: Assessing the security of WiFi networks.
Cryptography
- Hashcat: Password Recovery: The world's fastest password cracker.
- John the Ripper: Password Cracking: The fastest way to test password strength.
Forensics
- Autopsy: Digital Forensics: Uncovering digital evidence and recovering files.
Security
- Hydra: Login Cracker: A very fast network logon cracker.
- Metasploit: The Exploitation Framework: Mastering vulnerability assessment and exploitation.
- Nmap: Network Exploration and Security Auditing: The essential guide to scanning and mapping networks.