Different ways to use sqlmap

Add Comment
Hi All, In my previous arctice i have described SQL Injection Exploitation using SQLmap

In this article we will see what are the different ways by which we can execute sqlmap tool.

For more information about different commands of sqlmap click here 

Process 1:- 

For demonstration purpose i will be using bWAPP on my localhost, i will use the same setup which i have shown you in my previous article

URL:- http://localhost/bWAPP/sqli_1.php?title=%27&action=search
Vulnerable parameter : title

Fig 1: Error while putting parameter as '

So lets start how we can execute sqlmap by capturing the entire request.

Step 1: Capture the request in proxy like burp as shown below

Fig 2: Capturing the request which contains vulnerable parameter

Step 2 : Copy the request and save it in the folder where you have installed your sqlmap

                                      Fig 3: Copying the request which contains vulnerable parameter

Step 3: Copy + Paste it in the folder where you have installed the sqlmap. In my case i have installed sqlmap on below directory:-

So i will create one text file and will save the request say  sqlmap_text.txt

Fig 4: Creating text file on sqlmap folder

Step 4:-  Press Ctrl +Shift + Right Click(mouse)  to open command prompt

 Fig 5: Opening cmd on sqlmap location

Fig 6: command prompt at sqlmap folder location  

Step 5:- Now its time to execute sqlmap. The command will be as below 

sqlmap.py -r text_file_name -p vulnerable_parameter --level=3 --risk=3

-r = REQUESTFILE      Load HTTP request from a file 

-p = TESTPARAMETER    Testable parameter(s)

--level = LEVEL     Level of tests to perform (1-5, default 1)
 --risk=RISK         Risk of tests to perform (0-3, default 1)

To  know more about the different sqlmap command  in command prompt  type  
sqlmap.py --help 

So the final command will be 
sqlmap.py -r sqlmap_test.txt -p title --level=3 --risk=3

Fig 7: sqlmap command   

Fig 8: sqlmap output showing database name

And like wise you can fetch information like 
Database Users
Tables in Database 
Colums from the user table
Database dump 

Process 2:-

What if you are testing application which has NTLM authentication, to know more about how to set NTLM authentication click here.

So if you want to set traffic to pass from your localhost set the command as follow 

sqlmap.py --proxy= -r text_file_name -p vulnerable_parameter --level=3 --risk=3

--proxy=PROXY       Use a proxy to connect to the target URL 

Now your SQLMap will attack on your web application through Burp suite which is already taking care of NTLM Authentication.

Process 3:-

If you are testing application in client environment where
=> Application is in UAT and hosted on internet then you must have
-  Set up upstream proxy in burpsuite
-  Your traffic will be passed from Browser ==> Burp Suite ==> UpStreamProxy

Then it might be possible that cipher suit compatibility issue with application/web server so in that case you might not get proper output in your sqlmap GUI also you will not get any response in your burpsuit history as traffic you are routing is through burp proxy.

Below error you will encounter

1- In Burp response you will get error like


2- In sqlmap you will receive error like below


So in that case follow below step to solve this issue :-

1 - Set up burp suite as follow

By doing above setting at burp level now your sqlmap can easily handle each request.
PS: Make sure in your .txt file you have entered http request

Soon i will be updating many other techniques of using sqlmap. Stay tuned :) 

Thanks you.