
[2024] Advanced Guide: Dumping Any Database Using SQLMAP Anonymously [High Quality]

colbyburgess


How to use SQLMAP to test a website for SQL injection vulnerabilities.


What is SQL injection?


SQL Injection is a code injection technique in which an attacker sends malicious SQL queries to a web application's database. A user can gain access to information stored in databases by executing the appropriate queries. SQLMAP checks if a 'GET' parameter is vulnerable to SQL injection.
For example, consider the following PHP code segment:


// User input is interpolated directly into the SQL string (vulnerable).
$variable = $_POST['input'];
mysql_query("INSERT INTO `table` (`column`) VALUES ('$variable')");

If the user enters "value'); DROP TABLE table;--" as the input, the query becomes

INSERT INTO `table` (`column`) VALUES ('value'); DROP TABLE table;--')

This is not ideal, because the user input is compiled together with the pre-written SQL query. As a result, the user will be able to enter the SQL needed to manipulate the database.
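
The vulnerable pattern above next to its prepared-statement form, as an added example that is not part of the original post. It assumes PHP with the PDO SQLite driver and uses an in-memory database with a constructed table name (comments) so it runs offline.

```php
<?php
// Added example: in-memory SQLite through PDO; table and input are constructed.
function make_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE comments (body TEXT)');
    return $db;
}

function table_exists(PDO $db): bool
{
    $sql = "SELECT COUNT(*) FROM sqlite_master WHERE type = 'table' AND name = 'comments'";
    return (int) $db->query($sql)->fetchColumn() === 1;
}

// Vulnerable: input is interpolated into the SQL text, as in the snippet above.
function insert_vulnerable(PDO $db, string $input): void
{
    $db->exec("INSERT INTO comments (body) VALUES ('$input')");
}

// Hardened: the SQL text is fixed and the input is bound as a value.
function insert_prepared(PDO $db, string $input): void
{
    $stmt = $db->prepare('INSERT INTO comments (body) VALUES (?)');
    $stmt->execute([$input]);
}

// Same shape as the input discussed above, adapted to the constructed table.
$payload = "value'); DROP TABLE comments;--";

$db = make_db();
insert_vulnerable($db, $payload);
echo 'concatenated: table still exists? ', var_export(table_exists($db), true), PHP_EOL;

$db = make_db();
insert_prepared($db, $payload);
$stored = $db->query('SELECT body FROM comments')->fetchColumn();
echo 'prepared: table still exists? ', var_export(table_exists($db), true), PHP_EOL;
echo 'prepared: payload stored as plain data? ', var_export($stored === $payload, true), PHP_EOL;
```

With the statement text fixed and the input bound separately, the parameter can no longer change the structure of the query, which is the condition SQLMAP tests for.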



Where can you use SQLMAP?

If you see a web URL of the form http://testphp.vulnweb.com/listproducts.php?cat=1, where cat=1 is the 'GET' parameter, the website may be vulnerable to this type of SQL injection, allowing an attacker to gain access to database information. Furthermore, SQLMAP works with PHP.




A simple test to determine if your website is vulnerable is to replace the value in the GET request parameter with an asterisk (*). As an example,






If this results in an error like the one shown above, we can definitively say that the website is vulnerable.



Installing SQLMap

SQLMAP comes pre-installed with Kali Linux, which is the preferred platform for most penetration testers. You can install sqlmap on other Debian-based Linux systems using the command:


sudo apt-get install sqlmap


Usage

In this article, we will use a website designed with vulnerabilities for demonstration purposes.


As you can see, there is a GET request parameter (cat = 1) that the user can modify by changing the value of cat. As a result, this website may be vulnerable to this type of SQL injection.
We use SQLMAP to test this. To see the list of parameters that can be passed, type in the terminal:


sqlmap -h




The parameters that we will use for basic SQL Injection are shown in the image above. Along with these, we'll use the --dbs and -u parameters, as explained in Step 1.

Using SQLMAP to test a website for SQL injection vulnerabilities:


Step 1: List information about existing databases.
So, first, pass the web URL that we want to check with the -u parameter. We can also use the --tor parameter to test the website using proxies. Typically, we would want to test whether we can gain access to a database. So, we use the --dbs option to accomplish this. The --dbs option lists all available databases.

sqlmap -u "http://testphp.vulnweb.com/listproducts.php?cat=1" --dbs




The following output indicates that there are two available databases. Sometimes the application will notify you that it has identified the database and ask if you want to test other database types. You can type 'Y'. Furthermore, it may ask if you want to test other parameters for vulnerabilities; enter 'Y' here because we want to thoroughly test the web application.



We see that there are two databases: acuart and information_schema.


Step 2: List information about tables in a particular database.
To try to access any of the databases, we must slightly modify our command. We now use -D to specify the name of the database we want to access, and once we've got access to it, we'll see if we can access the tables. For this, we use the --tables option. Let us access the acuart database.

sqlmap -u "http://testphp.vulnweb.com/listproducts.php?cat=1" -D acuart --tables



Tables

The picture above shows that 8 tables have been retrieved. So we can conclude without a doubt that the website is vulnerable.


Step 3: Compile information about the columns of a specific table.
If we want to view the columns of a specific table, we can use the following command, where -T specifies the table name and --columns queries the column names. We will attempt to access the table 'artists'.


sqlmap -u "http://testphp.vulnweb.com/listproducts.php?cat=1" -D acuart -T artists --columns


Columns


Step 4: Dump data from the columns.
Similarly, we can access the information in a specific column by using the following command, where -C is used to specify one or more column names separated by commas, and the --dump option retrieves the data.

sqlmap -u "http://testphp.vulnweb.com/listproducts.php?cat=1" -D acuart -T artists -C aname --dump



The above image shows that we have accessed data from the database. Similarly, on such vulnerable websites, we can explore the databases and extract information.
 