Using sqlmap to discover SQL vulnerabilities
The Tester
SQL injection is a big problem on the Internet. The handy sqlmap utility will tell you if you need to worry about an SQL attack in your own web environment.
SQL injection is one of the most common forms of network intrusion. An SQL injection attack typically exploits a problem in the SQL code – for instance, incorrect filtering for string literal escape characters or insufficient type checking. If you watch the Common Vulnerabilities and Exposures website [1], you'll see that new SQL injection attacks are discovered every week.
Software developers and Linux distribution maintainers are constantly watching for new SQL injection problems, which are often fixed through a security patch. However, many potential problems fall through the cracks – either on the development side or because a busy webmaster doesn't have time to install every patch and upgrade every system.
More importantly, some attack vectors haven't been discovered or adapted yet, so even if you do your best to keep your own systems up to date, it is still a good idea to look for potential problems yourself.
Most SQL injection attacks, however, require artificial, carefully crafted, and totally un-intuitive input. In other words, you almost have to be an expert to watch the security alerts and recreate every potential SQL attack on your own. Luckily, the security-minded admin can turn to a tool called sqlmap [2] to check for vulnerabilities in network-based SQL systems.
Sqlmap is an SQL-focused penetration testing tool that includes several useful options for discovering and attacking a SQL database. The easiest way to obtain sqlmap is to install or Live-boot a pen-testing Linux distro that comes with sqlmap pre-installed. In this article, I'll start up sqlmap from the Kali Linux Live system [3]. Kali is a Linux distribution specializing in security tools to assist in penetration testing, vulnerability detection, forensics, and other security-related tasks. You could also look for sqlmap in your Linux distro's package repositories, or you could download the source code from the sqlmap project website.
Sqlmap supports a number of database alternatives, including MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, and more. The sqlmap tool comes with automatic recognition of password hash formats and built-in support for dictionary attacks to crack passwords. Advanced features let you dump a complete database file, download and upload files to the database server, and even engage in privilege escalation using Metasploit's Meterpreter tool.
The Kali distro weighs in at less than 3GB and is available as a direct ISO download or torrent feed [4]. Kali is available in 32- and 64-bit versions for Intel processors and is also available for ARM processors. Kali supports forensic modes, USB, and straight installs. In this article, we describe how to improve your network's security using Kali Linux. If you decide to use Kali for your pen testing, see the Kali documentation at the project website [5] for more on getting a system up and running.
SQL Injection
SQL injection refers to methods that make a database server run SQL commands that were not intended by the application developer. Although vulnerability tools can usually find SQL vulnerabilities easily, some users might not realize their data is vulnerable. The steps described in this article can help you determine whether your data is susceptible to theft or compromise using SQL injection.
Thanks to sqlmap, you can look for SQL problems without advanced understanding of SQL programming techniques.
Information Gathering
Sqlmap is ideal for identifying vulnerabilities specific to your particular database version without actually having to know how to inject SQL code.
To get started determining whether a server is susceptible to a SQL injection attack, use the -u parameter with the sqlmap command to specify the URL you want to test. The command in Listing 1 (line 1) launches a test for the URL http://www.internalserver.com/looky.php?id=1.
Listing 1
Looking for a Vulnerable Database System
Sqlmap launches into a series of tests to look for vulnerabilities. The output in Listing 1 shows that the tests find the id parameter injectable. Line 33, for instance, states:
GET parameter 'id' is 'MySQL UNION query (NULL) -- 1 to 20 columns' injectable
The tests in Listing 1 also reveal the database vendor and version: MySQL 5.0.11. As you can see in line 54, sqlmap saves the information it uncovers to a text file:
[21:03:18] [INFO] fetched data logged to text files under '/usr/share/sqlmap/output/www.internalserver.com'
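To show what the line 33 message actually means, here is an added example (not code from the article or from sqlmap) that reproduces the UNION/NULL column-count probe against a constructed in-memory SQLite table standing in for the article's MySQL backend, beside a hardened handler that type-checks the id and binds it as a parameter.

```python
import sqlite3

# Constructed stand-in for the MySQL backend behind looky.php?id=1: an
# in-memory SQLite database with a two-column table (assumption, not the
# article's server).
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE items(id INTEGER, name TEXT);
        INSERT INTO items VALUES (1, 'widget'), (2, 'gadget');
    """)
    return db

def looky_vulnerable(db, raw_id):
    # The untrusted GET parameter is pasted into the SQL text, so anything
    # after the number becomes part of the query.
    sql = "SELECT id, name FROM items WHERE id=" + raw_id
    return db.execute(sql).fetchall()

def looky_hardened(db, raw_id):
    # Type-check first (id must be an integer), then bind it as a parameter
    # so the driver never interprets it as SQL.
    item_id = int(raw_id)          # raises ValueError on "1 UNION SELECT ..."
    return db.execute("SELECT id, name FROM items WHERE id=?", (item_id,)).fetchall()

def union_column_count(db, max_cols=20):
    # What the Listing 1 message "UNION query (NULL) -- 1 to 20 columns"
    # describes: append UNION SELECT NULL, then NULL,NULL, ... and note the
    # first count the database accepts. An integer result means the
    # parameter is UNION-injectable and reveals the query's column count.
    for n in range(1, max_cols + 1):
        probe = "1 UNION SELECT " + ",".join(["NULL"] * n)
        try:
            looky_vulnerable(db, probe)
            return n
        except sqlite3.OperationalError:
            continue   # column-count mismatch; try one more NULL
    return None

def hardened_rejects(db, raw_id):
    # True when the hardened handler refuses the input instead of running it.
    try:
        looky_hardened(db, raw_id)
        return False
    except ValueError:
        return True
```

Against the vulnerable handler the probe succeeds at two NULLs and the result set gains a (None, None) row; the hardened handler rejects the same input before any SQL runs.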
Identifying Databases
Now that I know the database is vulnerable, the next step is to determine which databases are running on the MySQL server by using sqlmap with the -u parameter and the --dbs parameter (Listing 2).
Listing 2
Getting the Database Names
The output following the query in Listing 2 reveals that the database server has two databases: information and clients (lines 33 and 34). At this point in the pen test, the database owner will hopefully start to understand that the system is indeed at risk of an SQL injection.
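Defenders can spot this kind of testing in the web server's access log. The following added example (not from the article) parses constructed Apache combined-format lines for the looky.php URL, flags requests whose query string carries a UNION/SELECT/NULL probe like the ones sqlmap sends during the Listing 1 run, and counts them per client address; the log lines and addresses are made up.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines (Apache combined format) imitating the probes
# sent while running the Listing 1 test; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:21:03:01 +0000] "GET /looky.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:21:03:02 +0000] "GET /looky.php?id=1%20UNION%20ALL%20SELECT%20NULL-- HTTP/1.1" 500 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:21:03:02 +0000] "GET /looky.php?id=1%20UNION%20ALL%20SELECT%20NULL%2CNULL-- HTTP/1.1" 200 640 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2024:21:05:10 +0000] "GET /looky.php?id=2 HTTP/1.1" 200 498 "-" "Mozilla/5.0"
"""

# client, timestamp, method, request target, status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
# UNION ... SELECT ... NULL in any case, after URL decoding
UNION_RE = re.compile(r"\bUNION\b.*\bSELECT\b.*\bNULL\b", re.IGNORECASE)

def find_union_probes(log_text):
    """Return (client_ip, status, parameter, decoded_value) for every request
    whose query string carries a UNION/SELECT/NULL probe."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue            # skip lines that are not in combined format
        ip, _ts, _method, target, status = m.groups()
        # parse_qsl percent-decodes each value, so %20 and %2C become ' ' and ','
        for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            if UNION_RE.search(value):
                hits.append((ip, int(status), name, value))
    return hits

def probes_per_client(log_text):
    # A burst of probes from one address against one parameter is the
    # signature of an automated injection test rather than a user typo.
    return Counter(ip for ip, *_ in find_union_probes(log_text))
```

The 500 followed by a 200 on consecutive probes is the same column-count mismatch sqlmap walks through from 1 to 20 columns, now visible from the server side.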