How to Use SQLMap (BSWR)

Using the SQLMap Tool

The SQLMap tool is an open source penetration testing tool that is used to detect and exploit SQL injection vulnerabilities and the taking over of database servers. SQL, or Structured Query Language, is the standard language used to interact with a database. SQLMap is a tool that is helpful for penetration testers as it has a robust detection engine with various niche features and a wide range of switches. That allows penetration testers to perform database fingerprinting, access data from the database, access the underlying file system and execute commands on the operating system through out-of-band connections.

Why Use the SQLMap Tool?

SQL injection is one of the most common types of cyberattacks. It seems there is always something in the news about data dumps that contain usernames, passwords credit card information, and other sensitive data. When that happens, it’s likely that those dumps are the result of SQL injection attacks. Attackers can gain access to whatever information is included in the database when they are successful in their attacks. That’s why it’s so important to have the knowledge and skills needed to use the SQLMap tool to detect SQL injection vulnerabilities.

The SQLMap tool has a vast number of options, making it easy to test a database. It’s a python-based tool that is used for the detection and exploitation of SQL injection weaknesses. It’s a tool that every penetration tester should know how to use. SQLMap can be used to: * Scan web applications for SQL injection flaws or weaknesses * Exploit SQL injection vulnerabilities * Use tamper scripts to bypass a Web Application Firewall (WAF) * Extract a database and the database user details * Own the underlying OS and run OS level commands.

SQLMap offers full support for the following Database Management Systems (DBMS): * MySQL * Microsoft SQL Server * Microsoft Access * Oracle * SQLite * PostgreSQL * IBM DB2 * Sybase * Firebird * SAP MaxDB * Informix * HSQLDB * H2

It also provides full support for six different SQL injection techniques: error-based, time-based blind, boolean-based blind, out-of-band, stacked queries, and UNION query.

For more information about the SQLMap tool, and to learn to use it, enroll in the How to Use SQLMap tutorial. The course will teach students the basics of SQLMap and how to run the tool. Enrolling in the course is easy, just click on the Register button at the top right corner of this screen to get started.

Teaching Assistant Vikramajeet Khatri and Tahir Ibrahim

(Disclaimer: Breaking Stuff with Robert is a Cybrary series that will be running indefinitely. You will not earn CEU/CPE hours by watching any individual 'Breaking Stuff with Robert' episode. However, you can still earn a certificate of completion for each episode completed.)