SQLmap is an open-source penetration testing tool that automates SQL injection against databases. It analyzes the database for SQL loopholes and exploits them to gain access. SQLmap comes with a number of powerful features, including database scanning, access to the underlying file system and retrieval of information from the database. It works on Windows, Linux and Mac OS X operating systems.
SQLmap helps in dumping databases, finding SQL loopholes and the ways to exploit them. The tool can also figure out the root cause, and users can exploit SQL injection in several different ways. It is capable of injecting a malicious shell into the database, which allows the user to take over the website and perform various operations.
Additionally, it tries to recover passwords from the hashes it finds, using dictionary attacks.
Defenders can use SQLmap for penetration testing of their web applications, databases and servers.
This tool can crack weak passwords easily, assess whether the database is run with restrictive privileges, and detect any potential injection holes in the application.
This is a command-line tool. One can explore all the options by entering sqlmap -h in the terminal, which displays all the available functions it can perform.
Most importantly, in order to use sqlmap, you need to have the URL of the target website with the required parameters for SQL injection.
Here are the most common options to remember for using sqlmap:
- To get database tables & columns
sqlmap -u "" --tables --columns --dump
- To fingerprint a database
sqlmap -u "URL?name=value" --data="name=&name=value" --cookie="name=value" -f
- To identify database users, passwords, roles & privileges
sqlmap -u "" --users --passwords --privileges --roles
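
What an "injection hole" in a request parameter looks like in application code, next to the parameterized form that closes it, as an added example that is not part of the original page. The table, rows and function names are constructed for illustration, and an in-memory SQLite database stands in for the real backend.

```python
import sqlite3


def make_db():
    # Constructed sample data, used only by this example.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def lookup_concat(conn, name):
    # Weak form: the parameter value is pasted into the SQL text,
    # so quotes in the value change the structure of the query.
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_bound(conn, name):
    # Hardened form: the value is bound as data and never parsed as SQL.
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def responds_to_sql_logic(lookup, conn, known_value):
    """Self-test for your own code: does the parameter get interpreted as SQL?

    A condition that is always true and one that is always false are appended
    to a known-good value. If the results follow the condition, the value is
    reaching the SQL parser instead of being treated as plain data.
    """
    base = lookup(conn, known_value)
    try:
        true_case = lookup(conn, known_value + "' AND '1'='1")
        false_case = lookup(conn, known_value + "' AND '1'='2")
    except sqlite3.Error:
        # A syntax error triggered by the input also means it was parsed as SQL.
        return True
    return true_case == base and false_case != base


if __name__ == "__main__":
    db = make_db()
    print("concatenated query injectable:", responds_to_sql_logic(lookup_concat, db, "alice"))
    print("bound query injectable:       ", responds_to_sql_logic(lookup_bound, db, "alice"))
```
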