SQL Injection is one of the most common and dangerous security vulnerabilities that websites can suffer from. SQLMAP is an open-source penetration testing tool that can automate the process of detecting and exploiting SQL injection flaws. In this blog post, we will discuss how to use SQLMAP to test a website for SQL injection vulnerability.
Before we dive into the tutorial, it is essential to understand what SQL Injection is and why it is dangerous.
SQL Injection is a security vulnerability that occurs when an attacker can inject malicious SQL code into a database query. The malicious code can allow the attacker to gain unauthorized access to sensitive data or even take control of the entire database. SQL Injection attacks can lead to data breaches, identity theft, and other cyber crimes.
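To make the vulnerability concrete, here is an added example (not from the original post) of the two ways a backend could build the query behind a numeric id lookup, using Python and an in-memory SQLite table constructed for the illustration: string concatenation, which lets the parameter rewrite the SQL, next to a parameterized query with input validation, which does not.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for a site's user table (sample data, not real)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "h1"), (2, "bob", "h2"), (3, "carol", "h3")])
    return conn


def lookup_concat(conn, id_param):
    """Vulnerable: the raw parameter is spliced into the SQL text, so whatever
    follows the number is parsed as SQL. A stray quote produces a database error
    (the signal error-based probing looks for) and an appended condition changes
    the result set (the signal boolean-based probing looks for)."""
    sql = "SELECT id, username FROM users WHERE id = " + id_param
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, id_param):
    """Hardened: the value is validated as an integer and then bound as data.
    The driver never interprets it as SQL, so the same probes either return a
    normal result or are rejected before they reach the database."""
    if not id_param.isdigit():
        raise ValueError("id must be a non-negative integer")
    return conn.execute("SELECT id, username FROM users WHERE id = ?",
                        (int(id_param),)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(lookup_concat(db, "1"))           # [(1, 'alice')]
    print(lookup_concat(db, "1 OR 1=1"))    # all three rows leak through the vulnerable path
    try:
        lookup_concat(db, "1'")
    except sqlite3.Error as exc:
        print("error-based signal:", exc)   # database error text reaches the caller
    print(lookup_parameterized(db, "1"))    # [(1, 'alice')]
```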
Now that we have a better understanding of SQL Injection, let’s move on to the tutorial.
Step 1: Install SQLMAP
The first step is to install SQLMAP on your computer. SQLMAP is a command-line tool that runs on Windows, Linux, and Mac OS. You can download SQLMAP from the official website or install it using a package manager like apt or yum.
Step 2: Find a Vulnerable Website
Once you have installed SQLMAP, you need to find a website that is vulnerable to SQL Injection. There are various ways to do this. One way is to use a vulnerability scanner like Nessus or OpenVAS. Another way is to use Google Dorks, which are search strings that can help you find vulnerable websites.
Step 3: Identify the Vulnerable Parameter
Once you have found a vulnerable website, you need to identify the parameter that is vulnerable to SQL Injection. A parameter is a variable that is passed to a website’s backend script. It can be a form field, a URL parameter, or a cookie value.
To identify the vulnerable parameter, you can use a web proxy tool like Burp Suite or OWASP ZAP. These tools intercept the web traffic between the client and the server and allow you to inspect and modify the request and response data.
Step 4: Run SQLMAP
Now that you have identified the vulnerable parameter, it’s time to run SQLMAP. The basic syntax for running SQLMAP is as follows:
sqlmap -u <target-url> -p <vulnerable-parameter> --dbs
Let’s break down this command:
sqlmap is the name of the tool.
-u specifies the URL of the target website.
-p specifies the name of the vulnerable parameter.
--dbs tells SQLMAP to enumerate the databases on the server.
For example, let’s say that we have found a vulnerable parameter called “id” on a website with the URL “http://example.com/index.php?id=1”. The SQLMAP command would look like this:
sqlmap -u "http://example.com/index.php?id=1" -p id --dbs
Step 5: Enumerate Databases
Once you have run the SQLMAP command, it will start enumerating the databases on the server. This process may take some time, depending on the size of the database and the network speed.
SQLMAP uses various techniques to enumerate databases, such as blind SQL Injection, error-based SQL Injection, and time-based SQL Injection. The goal is to extract as much information as possible from the database without causing any damage.
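As an added example (not part of the original post), the following Python script shows what those probing techniques look like from the defender's side: it scans web server access log lines in combined format for boolean, error-based and time-based patterns and for sqlmap's default user agent, then summarises repeated probes per client and parameter. The log lines and the regular expressions are constructed for the illustration, not taken from sqlmap.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Heuristic signatures for the three probing techniques named above. These are
# this example's own patterns (constructed), not sqlmap's payload list.
TECHNIQUES = {
    "boolean-blind": re.compile(r"\b(AND|OR)\s+\d+\s*=\s*\d+", re.I),
    "error-based": re.compile(r"'\s*$|\b(EXTRACTVALUE|UPDATEXML)\s*\(", re.I),
    "time-based": re.compile(r"\b(SLEEP|BENCHMARK|PG_SLEEP)\s*\(|WAITFOR\s+DELAY", re.I),
}
# Combined log format: ip ident user [time] "method target proto" status size "referer" "agent"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) \S+" (\d{3}) \S+ "[^"]*" "([^"]*)"$')

# Constructed sample lines (RFC 5737 test addresses): one client probes "id", one uses sqlmap's default agent.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /index.php?id=1%27 HTTP/1.1" 500 211 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /index.php?id=1%20AND%201%3D1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "GET /index.php?id=1%20AND%201%3D2 HTTP/1.1" 200 380 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:39 +0000] "GET /index.php?id=1%20AND%20SLEEP%285%29 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /index.php?id=2 HTTP/1.1" 200 498 "-" "sqlmap/1.7 (https://sqlmap.org)"',
]


def classify(line):
    """Return (client_ip, parameter, technique) for a probe-looking request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, _method, target, _status, agent = m.groups()
    if "sqlmap" in agent.lower():          # sqlmap's default agent unless --random-agent is used
        return (ip, "*", "sqlmap-user-agent")
    for param, values in parse_qs(urlsplit(target).query, keep_blank_values=True).items():
        for value in values:               # parse_qs already URL-decodes the value
            for name, pattern in TECHNIQUES.items():
                if pattern.search(value):
                    return (ip, param, name)
    return None


def probe_summary(lines, threshold=3):
    """Aggregate hits per (ip, parameter); report repeated probing or any sqlmap agent."""
    hits, techniques = Counter(), {}
    for ip, param, tech in filter(None, map(classify, lines)):
        hits[(ip, param)] += 1
        techniques.setdefault((ip, param), set()).add(tech)
    return {key: (n, sorted(techniques[key])) for key, n in hits.items()
            if n >= threshold or "sqlmap-user-agent" in techniques[key]}
```

Run against the constructed sample, probe_summary reports the client that sent four probes against "id" with all three techniques and the client using the sqlmap user agent, while the plain request to id=1 is not flagged.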
Step 6: Enumerate Tables
Once SQLMAP has enumerated the databases, it’s time to enumerate the tables. The syntax for enumerating tables is as follows:
sqlmap -u <target-url> -p <vulnerable-parameter> -D <database-name> --tables
Let’s say that SQLMAP has enumerated a database called “exampledb”. The SQLMAP command to enumerate tables in the “exampledb” database would look like this:
sqlmap -u "http://example.com/index.php?id=1" -p id -D exampledb --tables
Step 7: Enumerate Columns
Once SQLMAP has enumerated the tables, it’s time to enumerate the columns. The syntax for enumerating columns is as follows:
sqlmap -u <target-url> -p <vulnerable-parameter> -D <database-name> -T <table-name> --columns
Let’s say that SQLMAP has enumerated a table called “users” in the “exampledb” database. The SQLMAP command to enumerate columns in the “users” table would look like this:
sqlmap -u "http://example.com/index.php?id=1" -p id -D exampledb -T users --columns
Step 8: Dump Data
Once SQLMAP has enumerated the columns, it’s time to dump the data. The syntax for dumping data is as follows:
sqlmap -u <target-url> -p <vulnerable-parameter> -D <database-name> -T <table-name> -C <column-name1>,<column-name2>,... --dump
Let’s say that SQLMAP has enumerated the columns “id,” “username,” and “password” in the “users” table in the “exampledb” database. The SQLMAP command to dump the data in these columns would look like this:
sqlmap -u "http://example.com/index.php?id=1" -p id -D exampledb -T users -C id,username,password --dump
Step 9: Analyze the Data
Once SQLMAP has dumped the data, it’s time to analyze it. You can use a spreadsheet program like Microsoft Excel or Google Sheets to organize and analyze the data. Look for sensitive information like passwords, credit card numbers, and personally identifiable information.
Step 10: Report the Findings
Finally, it’s essential to report the findings to the website owner or administrator. Provide a detailed report of the vulnerabilities found, including the steps taken to exploit them. It’s important to give the website owner or administrator enough information to fix the vulnerabilities and prevent them from happening again.