How to use SQLMap on Windows for finding SQL Injection flaws on your website . . .
As a (sort-of-mediocre) web developer, I find security of the site as #1 priority. However with limited knowledge on the subject, it was near-impossible to look for any sort of security flaw without scrolling through forums for days.
After hours of googling, I discovered an excellent tool to automatically uncover SQL injection exploits in my website without the requirement of intricate SQL knowledge.
sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections
SQLMap is coded in Python programming language and runs natively in Linux operating system, however it should run as nice on Windows machines , however we first need to download and install the Python libraries to the machine for it to run.
Anyway, back to your site, one thing you will need to find are URL’s like this http://yoursite.com/users/user.php?id=3 or http://yoursite.com/gallery/albums.php?aid=532
These parameters (in red) query the database, and if not coded/sanitized correctly, can be vulnerable to sql injection. Users can basically access your database and do things such as access passwords, emails, names etc.
So you’ve found your URL on your site as shown above? Lets see if it is vulnerable to sql injections…..
Step 1 – Download & Install Python 2.7.5
Python 2.7 installed on your Windows machine.
Ensure that version 2.7.5 is installed which can be downloaded from here - http://www.python.org/download/
Choose either the normal Windows installer, or the Windows x86-64 installer.
Run through the install accepting the defaults. If all went well, then all of the Python files should be installed to C:\Python27\
Step 2 – Download SQLMap
SQLMap downloaded on your Windows machine
The latest and greatest version is available on the SQLMap home page – click here - https://github.com/sqlmapproject/sqlmap/zipball/master or here http://sqlmap.org/ (and click download .zip on the left!)
Unzip the .zip and put the folder into the C:\ drive (just for ease of access). The folder may be named something like “sqlmapproject-sqlmap-dbb0d7f” so rename this to something like “sqlmap“. For the purpose of this guide, I will be renaming this folder to “sqlmap“.
Step 3 – Run Command Prompt as Administrator
You can do this multiple ways, but just to explain in a way that everyone can easily do, go to Start > All Programs > Accessories and you will see the Command Prompt icon. BUT WAIT! Don’t just click it!
Ensure that you right-click on the Command Prompt icon and Run As Administrator. Normally, command prompt is set with restrictions meaning certain system tools will not run, so running as administrator enables command prompt to have full access to the system.
Step 4 – Run SQLMap
With the above prerequisites completed, we can now start.
- In the command prompt window, CD into the directory where SQLMap is contained
- Type in the following: python sqlmap.py -u “http://yoursite.com/users/users.php?id=3“ (replace the red with what you have!)
- Hit enter and it will start scanning. If you find that you encounter something like this (in grey) then your site IS vulnerable to SQL injections. Uh-oh!
- Let SQLMap run through and at the end it will dump all the necessary information into a files (readable in notepad) in the directory where it resides (for example C:\sqlmap\output\yoursite\).
Below are what I got from the above test:
sqlmap identified the following injection points with a total of 63 HTTP(s) requests:
Type: boolean-based blind
Title: AND boolean-based blind – WHERE or HAVING clause
Payload: id=8 AND 6220=6220Type: UNION query
Title: MySQL UNION query (NULL) – 17 columns
Payload: id=-6714 UNION ALL SELECT NULL,NULL,CONCAT(0×7178667171,0x73486f79746764616f74,0x717a666671),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#
web application technology: PHP 5.3.19, Apache 2.2.23
back-end DBMS: MySQL >= 5.0.0
Now, if you’re using a wordpress plugin, disable it and remove it immediately as your site can be easily found using google dorks. Notify the author / developer asap!.