In our previous videos, we only ran SQLMap in single-threaded mode. In real life it is not that easy: a table may hold hundreds of rows, so an operation can take a long time to complete, and we may need to speed these operations up.
Luckily, the developers of SQLMap have provided four optimization techniques that help us speed up the process.
In the SQLMap advanced help menu, we find four corresponding switches, as marked in color below:
Let’s explain them one by one. In this video, we are going to perform this operation in a blind, time-based scenario.
Go back to the home page of SQLi-labs and click on this marked link:
As in the previous chapters, we have to append the id parameter with a numeric value to the URL in the address bar:
Now, let’s run SQLMap and first try to exploit this injection.
The --batch switch enables a non-interactive session: once it is set, SQLMap never prompts for user input and automatically chooses the default answer.
The Linux time command-line utility measures how long a command takes to complete, which is how we will compare the runs.
The time taken for this operation is listed below:
We have now confirmed that the injection is blind and time-based, so let’s continue with our topic.
As mentioned earlier, SQLMap provides four types of optimization techniques:
- Multi-threading
- NULL connections
- HTTP persistent connections
- Output prediction
Multi-threading
As already mentioned, SQLMap runs on a single thread by default, which makes it slow. The --threads switch sets the number of threads, from 1 to 10. Increasing the thread count can dramatically improve SQLMap’s overall performance.
Let’s try that out. First, let’s dump all the tables in the security database without the --threads option. I am going to use the time command-line utility to measure the run.
The time taken for this operation is listed below:
Now, let’s attempt the same with a thread count of 4. Each time, we have to remove the log file from the previous run first; otherwise SQLMap would reuse the results it already retrieved and the timing would not be comparable.
The time taken for this operation is listed below:
As you can see, the running time has decreased with additional threads.
NULL connection
The NULL connection is enabled by the --null-connection command-line switch.
With the NULL connection option, SQLMap tries to exploit the injection without retrieving the full HTML body of the target. Instead, it uses HTTP features such as the Range header and the HEAD method to fetch only a section of the body, or simply compares the response length to distinguish TRUE from FALSE conditions.
The time taken for this operation is listed below:
If you compare this with the previous run, you will notice a significant difference. Note, however, that the shorter processing time comes at the cost of higher CPU usage than the other techniques.
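As an added example (not from the original video and not part of SQLMap), here is the defender’s view of the behaviour described in the multi-threading and NULL connection sections above: a small Python log analyser that flags a client whose requests arrive in a burst against one path with a new query string every time, are mostly HEAD requests, and alternate between fast and sleep-length responses. The log lines, IPs, the /app/ path and the PROBEn query strings are constructed placeholders, and the thresholds are tuned to this sample.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access-log lines (Apache combined format plus a trailing
# response-time field in milliseconds). IPs, path and PROBEn are placeholders.
# The noisy client keeps a browser User-Agent: detection relies on behaviour.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /app/?id=1 HTTP/1.1" 200 734 "-" "Mozilla/5.0" 12
10.0.0.9 - - [10/Oct/2023:13:55:36 +0000] "HEAD /app/?id=1%20AND%20PROBE1 HTTP/1.1" 200 0 "-" "Mozilla/5.0" 5004
10.0.0.9 - - [10/Oct/2023:13:55:36 +0000] "HEAD /app/?id=1%20AND%20PROBE2 HTTP/1.1" 200 0 "-" "Mozilla/5.0" 9
10.0.0.9 - - [10/Oct/2023:13:55:37 +0000] "HEAD /app/?id=1%20AND%20PROBE3 HTTP/1.1" 200 0 "-" "Mozilla/5.0" 5002
10.0.0.9 - - [10/Oct/2023:13:55:37 +0000] "HEAD /app/?id=1%20AND%20PROBE4 HTTP/1.1" 200 0 "-" "Mozilla/5.0" 11
10.0.0.5 - - [10/Oct/2023:13:55:38 +0000] "GET /app/?id=2 HTTP/1.1" 200 740 "-" "Mozilla/5.0" 10
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>[^ ?]+)'
    r'(?:\?(?P<query>\S*))? \S+" \d{3} (?:\d+|-) "[^"]*" "[^"]*" (?P<ms>\d+)$'
)

def flag_probing(log_text, min_requests=4, min_rate=1.0, head_share=0.5, slow_ms=4000):
    """Return {ip: [reasons]} for clients whose traffic looks like automated
    blind-injection probing: a fast burst against one path with a unique query
    per request, mostly HEAD (body-less checks), or fast/slow alternation."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:  # lines that do not match the format are skipped
            per_ip[m["ip"]].append(m.groupdict())
    findings = {}
    for ip, reqs in per_ip.items():
        times = [datetime.strptime(r["ts"], "%d/%b/%Y:%H:%M:%S %z") for r in reqs]
        span = max(1, (max(times) - min(times)).seconds)  # whole seconds, never 0
        if len(reqs) < min_requests or len(reqs) / span < min_rate:
            continue
        reasons = []
        if len({r["path"] for r in reqs}) == 1 and len({r["query"] for r in reqs}) == len(reqs):
            reasons.append("burst against one path with a unique query string per request")
        heads = sum(r["method"] == "HEAD" for r in reqs) / len(reqs)
        if heads >= head_share:
            reasons.append(f"{heads:.0%} of requests are HEAD (body-less TRUE/FALSE checks)")
        slow = sum(int(r["ms"]) >= slow_ms for r in reqs)
        if 0 < slow < len(reqs):  # some responses sleep-length, the rest fast
            reasons.append(f"{slow}/{len(reqs)} responses took >= {slow_ms} ms, the rest were fast")
        if reasons:
            findings[ip] = reasons
    return findings
```

Calling flag_probing(SAMPLE_LOG) reports only 10.0.0.9, with all three reasons; real deployments need thresholds derived from the site’s normal traffic baseline.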
HTTP persistent connections
By default, SQLMap opens and closes a connection to the target server for each request, which can add some overhead. This can be reduced with the --keep-alive switch, which uses HTTP persistent connections so that the exchange of data happens over an already opened connection.
The time taken for this operation is listed below:
If you compare it with the previous output, you will find a significant difference.
Output prediction
To speed things up even further, SQLMap takes a novel approach.
The output prediction switch (--predict-output) uses precompiled datasets of common values seen during SQL injections to predict the output, so fewer requests are needed to retrieve it.
The time taken for this operation is listed below:
Basic Optimization
SQLMap provides the -o switch to turn on several performance optimization flags at once.
It enables the following flags:
- --keep-alive
- --null-connection
- --threads 3
This enables persistent connections, NULL connections, and three threads. This setting can be used to achieve rudimentary performance benefits in certain types of injections, such as error-based ones.
The time taken for this operation is listed below: