How to use SQLMap on Windows for finding SQL Injection flaws on your website

As a (sort-of-mediocre) web developer, I consider the security of my site the #1 priority. However, with limited knowledge of the subject, it was near-impossible to look for any sort of security flaw without scrolling through forums for days.
After hours of googling, I discovered an excellent tool to automatically uncover SQL injection exploits in my website without the requirement of intricate SQL knowledge.
sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.
SQLMap is written in the Python programming language and runs natively on Linux; it runs just as well on Windows, but we first need to download and install Python on the machine before it can run.
Anyway, back to your site: one thing you will need to find are URLs like these: http://yoursite.com/users/user.php?id=3 or http://yoursite.com/gallery/albums.php?aid=532
These query-string parameters (id and aid above, highlighted in red in the original) are used to query the database, and if not coded/sanitized correctly, can be vulnerable to SQL injection. An attacker can then essentially read your database directly, including things such as passwords, emails and names.
So you've found a URL like that on your site? Let's see if it is vulnerable to SQL injection...
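To see why an unsanitized id parameter is dangerous, here is an added example (my own code, not code from the post) in Python with an in-memory SQLite table standing in for the site's users table. One lookup glues the raw parameter into the SQL text the way a vulnerable users.php would; the other binds it as a query parameter. The last function applies the same true/false comparison that produced the "boolean-based blind" finding shown later in the post's output: the parameterised lookup answers both probes identically, which is what you want to see after a fix. The table contents and function names are constructed for the example.

```python
import sqlite3

# Constructed stand-in for the users table behind a URL such as users.php?id=3.
# No real data; the names and ids are made up for this example.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(3, "alice", "alice@example.com"), (8, "bob", "bob@example.com")])
    return conn

def lookup_vulnerable(conn, raw_id):
    """The mistake the post warns about: the raw ?id= value is pasted into the SQL text,
    so whatever the visitor types becomes part of the query."""
    sql = "SELECT name FROM users WHERE id = " + raw_id
    return [row[0] for row in conn.execute(sql)]

def lookup_safe(conn, raw_id):
    """Parameterised query: the value is handed to the driver separately from the
    SQL text, so it is only ever compared as data and never parsed as SQL."""
    return [row[0] for row in conn.execute("SELECT name FROM users WHERE id = ?", (raw_id,))]

def differs_on_boolean_probe(lookup, conn):
    """The check behind sqlmap's 'boolean-based blind' finding: does an always-true
    condition appended to the id give a different answer than an always-false one?
    A correctly coded lookup answers both the same way (here: no such id)."""
    true_case = lookup(conn, "8 AND 6220=6220")    # payload quoted in the post's output
    false_case = lookup(conn, "8 AND 6220=6221")   # same shape, condition now false
    return true_case != false_case

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, "8"), differs_on_boolean_probe(lookup_vulnerable, db))
    print("safe:      ", lookup_safe(db, "8"), differs_on_boolean_probe(lookup_safe, db))
```

Run it and the vulnerable lookup reports True for the probe (the two conditions return different rows), while the parameterised one reports False. In a real PHP/MySQL site the same fix is a prepared statement via mysqli or PDO with a bound parameter, ideally after also checking that the id is an integer.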
Step 1 – Download & Install Python 2.7.5
Python 2.7 installed on your Windows machine.
Ensure that version 2.7.5 is installed; it can be downloaded from here: http://www.python.org/download/
Choose either the normal Windows installer, or the Windows x86-64 installer.
Run through the install accepting the defaults. If all went well, then all of the Python files should be installed to C:\Python27\
Step 2 – Download SQLMap
SQLMap downloaded on your Windows machine
The latest and greatest version is available on the SQLMap home page – click here: https://github.com/sqlmapproject/sqlmap/zipball/master or here: http://sqlmap.org/ (and click "download .zip" on the left!)
Unzip the .zip and put the folder into the C:\ drive (just for ease of access). The folder may be named something like “sqlmapproject-sqlmap-dbb0d7f” so rename this to something like “sqlmap“. For the purpose of this guide, I will be renaming this folder to “sqlmap“.
Step 3 – Run Command Prompt as Administrator
You can do this multiple ways, but just to explain in a way that everyone can easily do, go to Start > All Programs > Accessories and you will see the Command Prompt icon. BUT WAIT! Don’t just click it!
Ensure that you right-click on the Command Prompt icon and Run As Administrator. Normally, command prompt is set with restrictions meaning certain system tools will not run, so running as administrator enables command prompt to have full access to the system.
Step 4 – Run SQLMap
With the above prerequisites completed, we can now start.
- In the command prompt window, cd into the directory where SQLMap is contained (for example: cd C:\sqlmap)
- Type in the following: python sqlmap.py -u "http://yoursite.com/users/users.php?id=3" (replace the URL with your own!)
- Hit enter and it will start scanning. If the output reports an injection point, like the block shown below (in grey in the original screenshot), then your site IS vulnerable to SQL injection. Uh-oh!
- Let SQLMap run through and at the end it will dump all the necessary information into files (readable in Notepad) in its output directory (for example C:\sqlmap\output\yoursite\).
Below is what I got from the above test:
sqlmap identified the following injection points with a total of 63 HTTP(s) requests:

Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=8 AND 6220=6220
Type: UNION query
Title: MySQL UNION query (NULL) - 17 columns
Payload: id=-6714 UNION ALL SELECT NULL,NULL,CONCAT(0x7178667171,0x73486f79746764616f74,0x717a666671),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#

web application technology: PHP 5.3.19, Apache 2.2.23
back-end DBMS: MySQL >= 5.0.0
Now, if the vulnerable page belongs to a WordPress plugin, disable and remove it immediately, as your site can easily be found using Google dorks. Notify the author/developer ASAP!
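If you run sqlmap against several pages, the summary it prints is easier to act on as structured data. The following added example (my own code, not part of the post or of sqlmap itself) parses a block like the one above into one record per vulnerable parameter plus the fingerprinting lines, and produces a one-line triage summary per parameter so you know exactly which inputs need fixing. It uses the post's own output as its sample input (with the dashes normalised) and, going beyond the post, also accepts the newer sqlmap layout that prints "Parameter: id (GET)" without a separate "Place:" line.

```python
import re

# Sample input: the sqlmap summary quoted in the post (older "Place:" layout).
SAMPLE = """\
sqlmap identified the following injection points with a total of 63 HTTP(s) requests:

Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=8 AND 6220=6220
Type: UNION query
Title: MySQL UNION query (NULL) - 17 columns
Payload: id=-6714 UNION ALL SELECT NULL,NULL,CONCAT(0x7178667171,0x73486f79746764616f74,0x717a666671),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#

web application technology: PHP 5.3.19, Apache 2.2.23
back-end DBMS: MySQL >= 5.0.0
"""

# Matches both "Parameter: id" and the newer "Parameter: id (GET)" form.
PARAM_RE = re.compile(r"^Parameter:\s*(\S+)(?:\s*\((\w+)\))?")

def parse_sqlmap_summary(text):
    """Return (meta, findings): meta holds request count, web technology and DBMS;
    findings is a list of {'place', 'parameter', 'techniques': [{'type', 'title', 'payload'}]}."""
    meta = {"requests": None, "technology": None, "dbms": None}
    findings = []
    place, current, technique = None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key.startswith("sqlmap identified"):
            m = re.search(r"total of (\d+) HTTP", line)
            meta["requests"] = int(m.group(1)) if m else None
        elif key == "Place":
            place = value                      # applies to the parameters that follow
        elif key == "Parameter":
            m = PARAM_RE.match(line)
            current = {"place": m.group(2) or place, "parameter": m.group(1), "techniques": []}
            findings.append(current)
            technique = None
        elif key == "Type" and current is not None:
            technique = {"type": value, "title": None, "payload": None}
            current["techniques"].append(technique)
        elif key in ("Title", "Payload") and technique is not None:
            technique[key.lower()] = value
        elif key == "web application technology":
            meta["technology"] = value
        elif key == "back-end DBMS":
            meta["dbms"] = value
    return meta, findings

def triage(findings):
    """One line per vulnerable parameter, listing the techniques sqlmap confirmed."""
    return ["%s parameter '%s': %s" % (f["place"], f["parameter"],
            ", ".join(t["type"] for t in f["techniques"])) for f in findings]

if __name__ == "__main__":
    meta, findings = parse_sqlmap_summary(SAMPLE)
    print(meta)
    for line in triage(findings):
        print(line)
```

For the post's output this yields a single line, "GET parameter 'id': boolean-based blind, UNION query": one parameter to fix, and the UNION finding means the data is directly readable, not just inferable bit by bit.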