SQLMap Tips
In modern web application pentests it is quite rare to find SQL injection. Consequently it is quite rare to use sqlmap and, when it happens, it is convenient to recall a few tips.
Extended Help
First of all, use `-hh` for the extended help.
Motivation. It has happened to me to check the manual (`man sqlmap`) and search for a particular parameter without finding it. The full documentation is only in the extended help.
Proxy via Burp and force SSL
It is not necessary but useful to proxy sqlmap via Burp (`--proxy`) to have visibility of the queries and be able to easily send them to Repeater. In addition, use `--force-ssl`.
Motivation. I copied the vulnerable request to a file and fed it to sqlmap with `-r`. Then sqlmap was receiving a redirect from the server, while the same request in Burp was successfully triggering the injection. Diffing the proxied request from sqlmap with the original one in Repeater did not reveal anything. It took me a few minutes to realize that without `--force-ssl` sqlmap initiated an HTTP connection, which caused the server to redirect to HTTPS.
Choose the techniques
With `--technique` we can specify which techniques sqlmap will use, with BEUSTQ as the default, where:
- B: boolean based blind
- E: error based
- U: union query based
- S: stacked queries
- T: time based blind
- Q: inline queries
Motivation. In a specific assessment, time-based attempts caused the server to crash and return Bad Gateway, recovering after a few minutes. With `--technique=BEUSQ` I could skip time-based and overcome the issue.
Be Specific
If you know the DBMS, then specify it with `--dbms`. Check the schema of a specific table with `-T`, then specify the interesting columns to dump with `-C`. It is also possible to `--stop` after N results (e.g. to prove in a report that 10 users were extracted).
DNS Exfiltration
Time-based SQL injections are very time-consuming: retrieving the current user to prove the vulnerability in a report is fine, but they are highly impractical when it comes to exploitation.
It is possible to exfiltrate data via DNS with the Burp extension SQLMap DNS Collaborator; however, exfiltrating data via DNS means that the data will NOT be encrypted, so even if you are hosting your own collaborator I would discourage such exfiltration during a professional assessment.
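The cleartext problem is easiest to see from the resolver's side: every recursive resolver, corporate DNS forwarder and network tap between the target and the collaborator logs the full query name. The following Python is an added example, not code from the post or from the SQLMap DNS Collaborator extension. It parses a few constructed BIND-style query log lines and shows that an on-path observer recovers the exfiltrated value directly, and it includes a domain-agnostic heuristic a defender could use to flag such queries. The hex-encoded-label format, the `oob.example` collaborator domain and the log lines are assumptions constructed for this example, not the extension's actual encoding.

```python
"""Added example: what an on-path DNS observer sees when data leaves via DNS
queries, and a simple detection heuristic for such queries.

Assumptions (not taken from the post): payload travels as hex-encoded labels
under a collaborator domain; the observer holds a BIND-style query log.
"""
import re
from typing import List, Optional, Tuple

# Constructed resolver log lines (BIND "query:" format). Not real traffic.
CONSTRUCTED_LOG = [
    "01-Jan-2024 10:00:01.001 client 10.0.0.5#51000: query: www.example.org IN A",
    "01-Jan-2024 10:00:02.113 client 10.0.0.5#51001: query: 63757272656e745f.c0ll.oob.example IN A",
    "01-Jan-2024 10:00:02.540 client 10.0.0.5#51002: query: 757365723d617070.c0ll.oob.example IN A",
    "01-Jan-2024 10:00:03.002 client 10.0.0.7#40001: query: mail.example.org IN MX",
]

EXFIL_DOMAIN = "oob.example"  # constructed collaborator domain (assumption)

QNAME_RE = re.compile(r"query: (\S+) IN (\S+)")
CLIENT_RE = re.compile(r"client (\S+?)#")
# Heuristic: a label of 8+ hex characters looks like an encoded payload chunk.
HEX_LABEL_RE = re.compile(r"^[0-9a-fA-F]{8,}$")


def parse_qname(line: str) -> Optional[Tuple[str, str]]:
    """Return (qname, qtype) from a BIND-style query log line, or None."""
    m = QNAME_RE.search(line)
    return (m.group(1).rstrip("."), m.group(2)) if m else None


def suspicious_labels(qname: str) -> List[str]:
    """Labels of the name that match the hex-payload heuristic."""
    return [label for label in qname.split(".") if HEX_LABEL_RE.match(label)]


def decode_hex_labels(labels: List[str]) -> str:
    """Hex-decode payload labels; anything an observer can do with no key."""
    try:
        return bytes.fromhex("".join(labels)).decode("utf-8", errors="replace")
    except ValueError:
        return ""


def recover_exfil(log_lines: List[str], domain: str) -> str:
    """Concatenate the cleartext an observer recovers from queries under `domain`."""
    chunks = []
    for line in log_lines:
        parsed = parse_qname(line)
        if not parsed:
            continue
        qname, _ = parsed
        if qname == domain or qname.endswith("." + domain):
            payload = qname[: -(len(domain) + 1)]  # strip the collaborator suffix
            chunks.append(decode_hex_labels(suspicious_labels(payload)))
    return "".join(chunks)


def flag_queries(log_lines: List[str]) -> List[Tuple[str, str]]:
    """Domain-agnostic detection: (client, qname) for queries carrying hex-like labels."""
    flagged = []
    for line in log_lines:
        parsed = parse_qname(line)
        if parsed and suspicious_labels(parsed[0]):
            client = CLIENT_RE.search(line)
            flagged.append((client.group(1) if client else "?", parsed[0]))
    return flagged


if __name__ == "__main__":
    print("Recovered by observer:", recover_exfil(CONSTRUCTED_LOG, EXFIL_DOMAIN))
    for client, qname in flag_queries(CONSTRUCTED_LOG):
        print("Flagged:", client, qname)
```

The recovery step needs nothing beyond the query log itself, which is the author's point: whoever operates or observes the resolver path reads the data as plainly as the collaborator does. The flagging heuristic is intentionally crude (long hex-only labels) and would be tuned with allowlists in a real deployment.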