9

I use sqlmap to test the services of my company.

I tried increasing the value of its --level option, but I do not find clear descriptions of the tests added with an increased --risk value.

So, what do risk levels 2 and 3 tests do, and what are the risks of running them?

schroeder
tux lu
    Their [GitHub wiki](https://github.com/sqlmapproject/sqlmap/wiki/Usage#level) gives some basic info about all the options sqlmap has. Also about the risk and level parameter. – Eelke Jun 28 '17 at 14:34
  • Based on the link from the comment above, it might be interesting to open the xml/payloads.xml file and see if there's any structure or comments to the file that indicate the payloads run with each level – iainpb Jun 28 '17 at 14:37

2 Answers

8

--level

By default sqlmap will test all GET and POST parameters specified, however in some cases you might want to test additional entry points such as HTTP headers. It is possible to specify it with specific options, but the most straightforward technique is to use the --level option. There are 5 levels available in sqlmap (default being level 1). Level 2 adds HTTP Cookie header testing, level 3 adds HTTP User-Agent/Referer headers. I can't provide you more info about higher levels because there is no more info about them on the sqlmap wiki.

--risk

Regarding the risk, there are 3 risk values. The wiki writes:

The default value is 1 which is innocuous for the majority of SQL injection points. Risk value 2 adds to the default level the tests for heavy query time-based SQL injections and value 3 adds also OR-based SQL injection tests.

schroeder
OscarAkaElvis
    Level 5 of the --level option includes testing Host headers. I know this question is old but I wanted to add that. – cybel Jan 12 '21 at 21:51
2

--risk is explained correctly in the answer by OscarAkaElvis.

However, --level not only adds more injection points such as cookies and other headers but also performs more tests for each injection point. If you want to perform all possible tests on just 1 parameter, you still need level 5. The values are defined as:

  • 1: Always (<100 requests)
  • 2: Try a bit harder (100-200 requests)
  • 3: Good number of requests (200-500 requests)
  • 4: Extensive test (500-1000 requests)
  • 5: You have plenty of time (>1000 requests)

If you want to test a specific parameter without sqlmap spraying crap in all directions at random and exponentially increasing the number of requests, you can use -p. For example, to test the id parameter in GET /admin?id=7&op=fetch on level 5, you can use:

sqlmap -p id --level 5 -u 'https://example.com/admin?id=7&op=fetch'

Testing this, the number of requests actually performed at each level by sqlmap 1.5.2 with only basic union tests (1-10 columns, it prompts for this) is:

  • --level 1 --risk 1: 53 requests
  • --level 2 --risk 1: 342 requests
  • --level 3 --risk 1: 1080 requests
  • --level 4 --risk 1: 2060 requests
  • --level 5 --risk 1: 3280 requests

When increasing to --risk 3, the number of tests increases further:

  • --level 1 --risk 3: 112 requests
  • --level 2 --risk 3: 646 requests
  • --level 3 --risk 3: 2160 requests
  • --level 4 --risk 3: 4320 requests
  • --level 5 --risk 3: 7850 requests

Finally, while OscarAkaElvis correctly cites the documentation saying:

Risk value 2 adds to the default level the tests for heavy query time-based SQL injections

Risk level 1 also already does time-based SQL injections. You don't need to increase the risk level for that. The higher risk level will just use much slower queries, which might take the system down for longer if they work and block the web server for example.

You can see exactly what it does for different --level and --risk values by using ctrl+f in the files in this directory: https://github.com/sqlmapproject/sqlmap/tree/master/data/xml/payloads
For example, by searching for <risk>1, your browser will find all queries for that risk level.

Luc