Last Updated: 14 Oct, 2022
Sqlmap is an open-source penetration testing tool with a powerful detection engine. It automates the process of detecting SQL injection flaws & taking over the database server. It supports a total of six SQL injection techniques, which is more than other tools offer. When we extract passwords from a vulnerable database, they are often stored in hash form; sqlmap can detect the hash & report which type of hash it is.
Features:
- It supports extracting users, password hashes, tables, etc.
- We can download & update any file from the database server's underlying file system.
Downloading & Installation:
Step 1: Browse to this link.
Step 2: Click on the zip file on the right side & download the file.
Step 3: Extract the zip file, then rename the extracted folder to ‘sqlmap’.
Step 4: Cut the folder & paste it into the C drive of your PC.
Step 5: Open Command Prompt from the start menu.
Step 6: Enter the following commands one by one:
cd ../../
dir
Step 7: Then enter these commands:
cd sqlmap
sqlmap.py
If sqlmap prints its output, the installation was successful.
sqlmap
sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.
Screenshots
You can visit the collection of screenshots demonstrating some of the features on the wiki.
Installation
You can download the latest tarball by clicking here or latest zipball by clicking here.
Preferably, you can download sqlmap by cloning the Git repository:
git clone https://github.com/sqlmapproject/sqlmap.git sqlmap-dev
sqlmap works out of the box with Python version 2.6.x and 2.7.x on any platform.
Usage
To get a list of basic options and switches use:
python sqlmap.py -h
To get a list of all options and switches use:
python sqlmap.py -hh
You can find a sample run here.
To get an overview of sqlmap capabilities, list of supported features and description of all options and switches, along with examples, you are advised to consult the user’s manual.
Links
- Homepage: http://sqlmap.org
- Download: .tar.gz or .zip
- Commits RSS feed: https://github.com/sqlmapproject/sqlmap/commits/master.atom
- Issue tracker: https://github.com/sqlmapproject/sqlmap/issues
- User’s manual: https://github.com/sqlmapproject/sqlmap/wiki
- Frequently Asked Questions (FAQ): https://github.com/sqlmapproject/sqlmap/wiki/FAQ
- Mailing list subscription: https://lists.sourceforge.net/lists/listinfo/sqlmap-users
- Mailing list RSS feed: http://rss.gmane.org/messages/complete/gmane.comp.security.sqlmap
- Mailing list archive: http://news.gmane.org/gmane.comp.security.sqlmap
- Twitter: @sqlmap
- Demos: http://www.youtube.com/user/inquisb/videos
- Screenshots: https://github.com/sqlmapproject/sqlmap/wiki/Screenshots
Translations
- Chinese
- Croatian
- Greek
- Indonesian
- Portuguese
Despite advancements in cybersecurity, SQL injection vulnerabilities remain a significant concern, securing a spot in the OWASP Top 10 vulnerabilities list in 2023. Recent data breaches have further highlighted the importance of addressing this vulnerability. For hackers, it’s a goldmine; for penetration testers and developers, it’s a must-do.
Enter SQLMap—a powerful tool designed to detect and exploit SQL injection vulnerabilities. Not only does it identify potential weak spots, but it also aids in extracting data from vulnerable endpoints. Whether you’re a seasoned cybersecurity professional or a newbie developer, understanding how to use SQLMap is crucial.
In this guide, we’ll walk you through the process of setting up SQLMap on a Windows machine, specifically Windows 10. By the end, you’ll be equipped to run your first SQL injection test using SQLMap.
Here’s what we’ll cover:
- Downloading SQLMap Prerequisites on Windows: Setting up the right environment.
- Downloading SQLMap Utility on Windows: Getting the tool ready.
- Running Your First Test: Diving into SQL injection testing.
What is SQLMap?
SQLMap is open-source software available on GitHub. It is written in Python and can run on any operating system. In this article we will set up SQLMap on a machine running Windows 10.
So with this short introduction to SQLMap and SQL injection, let’s dive in!
Downloading SQLMap Prerequisites on Windows
Before diving into the SQLMap installation, it’s crucial to ensure your system has the necessary environment set up. For SQLMap, this primarily means having Python installed.
Here’s what you need to know:
#1. Python Compatibility
SQLMap is versatile and works with multiple Python versions.
While it’s compatible with Python 2.6 and 2.7, the latest SQLMap version is optimized for Python 3.
#2. Checking Your Python Version
If you’re unsure whether you have Python installed or want to check its version, open your command prompt or terminal and type python --version.
#3. Downloading Python
- For newcomers or those looking to update, we recommend Python 3 for the best experience.
- Download Python 3 from the official website.
- As of this article’s publication, Python 3.11 is the latest version, fully compatible with the most recent SQLMap release.
With Python ready, you’re one step closer to harnessing the power of SQLMap on your Windows machine!
Installing SQLMap on Windows
SQLMap, a favorite among developers and cybersecurity experts, stands out for its simplicity and efficiency. Written in Python, it’s distributed as a library, eliminating the need for a cumbersome installation process. Instead, you can run SQLMap as you would any Python program.
#1. Accessing the SQLMap Repository
- Visit the official SQLMap GitHub repository.
- Familiarize yourself with the repository’s layout. This is where all the magic happens!
#2. Downloading SQLMap
- Locate the “Code” button on the repository’s top right corner and click on it.
- From the dropdown menu, select “Download ZIP”.
And voilà! SQLMap is now ready for action. Remember, no special configurations are needed to start using SQLMap. However, ensure Python is set up correctly to avoid any hiccups.
Your First SQL Injection Test with SQLMap on Windows
Having set up SQLMap, you’re all set to check out SQL Injection vulnerabilities.
Follow these steps to run your first test:
#1. Setting the Stage
- Launch the command prompt and navigate to the directory where you extracted SQLMap.
Note: Always ensure you have permission to test the target system. Ethical hacking is about improving security, not exploiting it.
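One way to enforce the permission note above in tooling, as an added example that is not part of the original guide or of sqlmap itself: a Python 3 wrapper that refuses to build the `python sqlmap.py -u <url> --dbs` command form shown later on this page unless the target host is inside a written scope. The host names, the network and the function names are constructed for illustration.

```python
import ipaddress
import sys
from urllib.parse import urlsplit

# Constructed engagement scope: only hosts and networks you have written
# permission to test belong here (these values are placeholders).
AUTHORIZED_HOSTS = {"testapp.lab.example", "staging.lab.example"}
AUTHORIZED_NETS = [ipaddress.ip_network("10.20.0.0/24")]


def in_scope(url):
    """Return True only if the URL's host is inside the authorized scope."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    # .hostname drops any "user:pass@" prefix and the port and is lower-cased,
    # so "http://testapp.lab.example@other.example/" resolves to other.example.
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return False
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal: exact name match only, never suffix matching.
        return host in AUTHORIZED_HOSTS
    return any(addr in net for net in AUTHORIZED_NETS)


def build_command(sqlmap_py, url, python_exe=sys.executable):
    """Build the argv list for `python sqlmap.py -u URL --dbs`, or refuse."""
    if not in_scope(url):
        raise PermissionError("target is outside the authorized scope: %r" % url)
    # Returning a list, to be passed to subprocess.run without shell=True,
    # keeps paths with spaces and URL characters such as & intact.
    return [python_exe, sqlmap_py, "-u", url, "--dbs"]
```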
Conclusion
SQLMap’s capabilities extend far beyond the basics covered in this guide. For a deeper dive into its features and functionalities, explore its official GitHub usage page.
We hope this guide has empowered you with the tools and knowledge to confidently set up SQLMap on Windows and embark on your SQL Injection testing journey. Remember, with great power comes great responsibility. Always prioritize ethical hacking practices.
Use SQLMap to tackle and triumph over injection vulnerabilities.
By the way, this article describes how to test and hack sites with sqlmap, while this article, on the contrary, describes how to protect sites and databases from being hacked with sqlmap.
Preparing to run sqlmap: downloading sqlmap and Python
Running sqlmap on Windows requires two things:
- sqlmap
- Python
To get sqlmap, go to its page or download the zip file.
For Python, go to its official site. Two branches are offered there, 3.* and 2.*. I like the latest versions too, but in this case (for running sqlmap) we need version 2.*. At the time of download, Python 2.7.9 was available.
Installing the downloaded file is straightforward. Just remember which directory you installed it in.
Now go to the directory where Python is installed. For me this is C:\Python27 (I think it is the same for you, if you did not change the default values).
Open a command prompt (press Win+X and choose "Command Prompt" in the menu that opens). Now grab the file python.exe (located in C:\Python27) and drag it into the command prompt window. The full path to the file should appear on the command line. Append -v to it, separated by a space, and press Enter. If you see a lot of information, including the version, then everything is fine. Press Ctrl+C to exit.
Running sqlmap
Remember the sqlmap archive we downloaded? Unpack it. Now drag python.exe into the command prompt, type a space, drag sqlmap.py (from the sqlmap archive) into the same command prompt, type another space and write -h. Here is what I got:
Code:
C:\Python27\python.exe C:\Users\Alex\Downloads\sqlmapproject-sqlmap-6cc092b\sqlmap.py -h
Press Enter.
If the sqlmap help appears, everything works as it should! You can start analyzing sites.
How to use sqlmap on Windows
On Windows, sqlmap is run from the command prompt as follows:
path_to_python.exe path_to_sqlmap.py -u address_of_site_to_check --dbs
For example, I want to check the site
In this case the full command would be
Code:
C:\Python27\python.exe C:\Users\Alex\Downloads\sqlmapproject-sqlmap-6cc092b\sqlmap.py -u --dbs
To learn how to find sites vulnerable to SQL injection, as well as additional switches for further analysis with sqlmap, see the article "Using SQLMAP on Kali Linux: hacking websites and databases through SQL injection". Although it is written for Linux, the general principles and the sqlmap switches apply on Windows as well.
To write PHP scripts that are not vulnerable to SQL injection, read the advice in the article "Protecting a site from hacking: preventing SQL injection".
Sqlmap is arguably the most popular tool for exploiting SQL injection vulnerabilities and taking over databases. It is completely automated and customizable depending on the server or database configuration. The tool provides a wide range of flags that can be used to trigger an attack effectively. It is completely open source in terms of license, and it's written in Python. As I am going to discuss sqlmap, its usage and tutorials in my forthcoming blogs, we first need to know how to install and start sqlmap.
If you use Kali, Backtrack or any such VM then it comes as a package.
This post is a brief guide to setting up and running sqlmap on Windows. I am installing on a Windows 10 machine, but it works fine on any Windows flavor; we just need Python to support it.
Download and install Python
As this tool is written in Python, the first thing we need is the Python interpreter. Please download the Python interpreter from python.org. There are two series of Python, 2.7.x and 3.6.x. Sqlmap should run fine with both. Please note that the available Python versions may depend on your OS, so check before you download. Then download and install it.
As you can see, I have installed the 2.7.x.
Download and install sqlmap
Now please download the zip file from their website. Extract the zip file into a directory of your choice. Launch the command prompt and navigate to that directory. Now run sqlmap.py.
Well! Now don’t complain that it was too easy. 🙂 Now that you have it up and running, you can wait for the tutorials coming up next. Stay tuned.