One of the questions that we get on a regular basis is “Are there any good tools for SQL Injection?”
There are a number of great tools that do this commercially like Core Impact and Cenzic Hailstorm. However, many tools will simply alert you that a SQL Injection vulnerability exists then leave it at that.
We are penetration testers so proof is kind of important. Simply stating that you found a SQL injection vulnerability because your tool said so is not enough.
To that end, I would like to introduce you to sqlmap.
First up, I would like to say thanks to the developers Bernardo Damele A. G. and Daniele Bellucci.
Now I would like to show you a short video of the tool.
|# ./sqlmap.py -l /tmp/webscarab.log/conversations/|
It also has the ability automatically dump data. For example it can dump the database version and the tables in the database.
To do this you would use the –dump-all switch like:
|# ./sqlmap.py –dump-all -u “testurl.com”|
Next, it has the ability to use googledork search strings. Yep, thats right googledorking and SQL Injection… Honestly, does it get any better?
|# ./sqlmap.py –dump-all -g “site:testsite.com ext:php”|
The above command will have google crawl a website and pull all pages with a php extension. After sqlmap has a nice list of targets it tries to attack them.
Finally, and in my humble opinion most importantly, it can get you a SQL shell.
To do this use the –sql-shell option and it will try to give you a shell.
|# ./sqlmap.py –sql-shell -g “site:testsite.com ext:php”|
Once again, I want to drive home the importance of proof. Our jobs as testers is to demonstrate risk. To do that we need to act like a threat and interact with a vulnerability. Simply stating that a tool said there is a vulnerability is not enough. Also, we should be after what the attackers are after…. Data! What better place to get data then a SQL database?