Introduction
In this lab, you will learn how to use sqlmap, a powerful open-source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws. Specifically, you will focus on a key optimization technique: targeting a specific backend Database Management System (DBMS).
By default, sqlmap tests for a wide variety of database systems, which can be time-consuming. By specifying the target DBMS (like MySQL, PostgreSQL, or MSSQL), you can significantly speed up the scanning process, reduce the number of requests sent to the server, and make your testing more efficient.
We have pre-configured a vulnerable web application for you to practice on. The target URL for this lab is: http://localhost/vulnerabilities/sqli/?id=1&Submit=Submit#
Let's get started!
Identify the Likely Backend DBMS (e.g., MySQL, PostgreSQL)
In this step, you will run a basic sqlmap scan to let it automatically identify the backend database system. This is a common first step in a penetration test. The information gathered here will help us optimize our attack in the subsequent steps.
We will use the --batch flag to let sqlmap run with its default answers to all questions, making the scan non-interactive. We also need to provide a session cookie to access the vulnerable page. For this lab, the cookie is security=low; PHPSESSID=labex.
Execute the following command in your terminal:
sqlmap -u "http://localhost/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=labex" --batch
sqlmap will start its testing process. Pay close attention to the output. After a series of tests, sqlmap will print information about the web server's operating system, the web server technology, and most importantly, the backend DBMS.
You should see output similar to this (some details may vary):
[INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: PHP 8.1.2, Apache 2.4.52
back-end DBMS: MySQL >= 5.0
As you can see, sqlmap has identified the backend database as MySQL. This is the crucial piece of information we'll use next.
Use the --dbms Flag to Specify the Target System
In this step, we will learn about the --dbms flag, which is the core of this lab. Now that we know the target is running MySQL from the previous step, there is no need for sqlmap to waste time running tests for other database systems like PostgreSQL, Oracle, or Microsoft SQL Server.
The --dbms flag allows you to tell sqlmap exactly which database system to test for. This makes the tool much more efficient.
The syntax is straightforward:
--dbms=DBMS_NAME
You replace DBMS_NAME with the name of the target database. Here are some common values:
MySQLPostgreSQLMSSQL(Microsoft SQL Server)OracleSQLiteAccess
By providing this information, you are instructing sqlmap to only use payloads and techniques that are specific to the specified DBMS. This is a fundamental skill for using sqlmap effectively in real-world scenarios. In the next step, you will apply this flag to a new scan.
Execute a Scan with --dbms=MySQL
In this step, you will execute the sqlmap scan again, but this time you will add the --dbms=MySQL flag. This will tell sqlmap to focus its efforts exclusively on MySQL-specific tests, based on the intelligence we gathered in Step 1.
Run the following command in your terminal. It's the same command as before, with the new flag added.
sqlmap -u "http://localhost/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=labex" --dbms=MySQL --batch
The scan will start immediately. You will notice that sqlmap's initial output confirms that it is forcing the backend DBMS to MySQL.
[INFO] forcing back-end DBMS to 'MySQL'
Let the scan run to completion. In the next step, we will analyze the results and compare them to our first scan.
Observe the Reduced Number of Payloads and Faster Identification
In this step, you will observe the direct benefits of using the --dbms flag. The primary advantages are a significant reduction in the number of tests performed and a much faster completion time.
If you compare the output of the scan from Step 3 with the first scan from Step 1, you'll notice a key difference. The first scan spent time trying to identify the database, running generic tests and then narrowing them down. The second scan, however, skipped all of that.
The output from the targeted scan will show that sqlmap is only running tests relevant to MySQL. You won't see it testing for other systems like PostgreSQL or Oracle.
For example, a generic scan might test hundreds of payloads across different types of SQL injection for multiple databases. The targeted scan, however, will only run the payloads known to work against MySQL. This results in:
- Fewer HTTP Requests: The tool sends significantly fewer requests to the target server.
- Faster Execution: The overall scan time is dramatically reduced.
This efficiency is critical in penetration testing, where time is often a constraint and minimizing network traffic can help avoid detection by firewalls or Intrusion Detection Systems (IDS).
Understand How This Optimizes the Attack by Reducing Test Cases
In this final step, let's solidify our understanding of why targeting the DBMS is a best practice for optimization.
sqlmap is designed to be a comprehensive tool. Without any guidance, its default behavior is to assume it knows nothing about the target. Therefore, it runs a large battery of tests to cover many possibilities:
- Fingerprinting: It first tries to determine the DBMS type by sending various queries and analyzing the responses. Each database has unique functions, error messages, and behaviors that can reveal its identity.
- Broad Testing: It then tests for different SQL injection techniques (boolean-based blind, time-based blind, error-based, UNION query, etc.).
- DBMS-Specific Payloads: For each technique, it tries payloads that work across different database systems.
This "brute force" approach is thorough but inefficient if you already know or can quickly guess the backend.
By using --dbms=MySQL, you are telling sqlmap to skip step 1 entirely and to only use payloads from step 3 that are relevant to MySQL. This prunes a massive number of test cases from its workflow.
This optimization provides three key advantages:
- Speed: The scan finishes much faster because it's not running unnecessary tests.
- Stealth: Fewer requests mean less "noise" in the web server's logs, making the activity less likely to trigger alerts.
- Efficiency: It focuses the tool's power on the most probable attack vectors, increasing the chances of a successful and quick discovery.
Mastering flags like --dbms transforms sqlmap from a simple automated scanner into a precise and surgical testing tool.
Summary
In this lab, you learned a crucial technique for optimizing sqlmap scans. You saw firsthand how identifying the backend Database Management System (DBMS) and then using the --dbms flag can dramatically improve the efficiency of your SQL injection testing.
You started by running a generic scan to identify the backend as MySQL. Then, you learned about the --dbms flag and used it to run a targeted scan. By comparing the two approaches, you observed that the targeted scan was significantly faster because it eliminated a large number of irrelevant test cases.
This principle of focusing your tools is a fundamental concept in effective penetration testing. Congratulations on completing this lab and adding a key sqlmap skill to your toolkit!
