Category: Databases

SQLMap – Automatic SQL Injection Testing Tool

February 3, 2016

SQLMap is like Network Security Scanning tool called Nmap but for scanning databases for sql injection vulnerabilities. SQLMap has been one of the favorite tools in my toolkit for a while now, but it seems like not many people outside of the security space have heard of it.

SQLMap is an SQL injection testing tool that automates the process of detecting and exploiting sql injection vulnerabilities in database servers. It’s a very powerful tool of penetration testers, but its one of those tools every developer that writes code interfacing with databases should learn and use.

SQLMap supports most of the popular relational databases including MySQL, PostgreSQL, Oracle, Microsoft SQL Server, etc. Besides SQL injection feature, SQLMap also has the ability to automatically detect password hash formats and crack them using dictionary-based attacks. It also lets you retrieved information from the vulnerable database once sql injection vulnerability has been detected.

There are a lot of bad code samples out there for people who are just getting started into web programming. Even developers who are somewhat familiar with SQL injection believe that once you parameterized queries, you are safe. But there are many ways to to get it wrong. I am not going to go into how to write parameterized queries that are safe from injection attacks. But what SQLMap provides is a tool that you can point to url to and it will tell you in a minute whether your website is vulnerable. So you can go back to each of the urls and fix your code.

SQLMap is a very easy tool to get started.

Installation:

SQLMap is written in Python. Assuming you have Python already installed on your system, you cal install SQLMap either through git:

git clone https://github.com/sqlmapproject/sqlmap.git sqlmap

Or you can download a zip or tarball

To get started, go to the sqlmap directory and find the sqlmap.py file. Check out what options are available using the sqlmap help option.

python sqlmap.py -h

Request:

Now lets test the a url on my website for sql injection:

python sqlmap.py -u 'http://sacharya.com/wp-admin'

This will launch the automatic sql injection testing and will give you the result at the end. And this should be enough for basic testing.
However, you can further specify how to connect to the target URL using the following options:

Specify Data string to be sent through POST
--data=DATA

Specify HTTP Cookie header value
--cookie=COOKIE

Use randomly selected HTTP User-Agent header value
--random-agent

Use a proxy to connect to the target URL
--proxy=PROXY

Use Tor anonymity network    
--tor

Check to see if Tor is used properly
--check-tor

Extract information:

Once a vulnerability has been found, you can easily extract information out of the vulnerable database. The following options are available:

Retrieve everything
--all

Detect session user
--current-user

Detect current database
--current-db

Find out if session user is a database admin.
--is-dba
 
List database system user
--users
 
List databases
--dbs

Enumerate tables
--tables

Enumerate columns
--columns

Dump database content
--dump

For more details on the usage, see this wiki.