Automatically Finding SQL Injections

Overview

We’ve already discussed how to manually find areas that are susceptible to SQL injection. We’ve also discussed how to further probe those areas and then actually exploit them. Sometimes though, we just don’t have the time to manually go through all the possible areas on a web application and try out everything that comes to mind. This is where a pentester should adopt a systematic approach, and automated tools enter the stage. Some of the common tools are:

• sqlmap
• jSQL Injection
• DSSS
• Metasploit (ships with a number of scanners)
• Nmap (queries a list of database vulnerabilities against relevant database servers)

The sqlmap tool

This is an open-source pentesting tool that is used in automating the process of identifying and exploiting SQL injection vulnerabilities in a web application. It has a powerful detection engine and a broad range of switches. It provides features such as database fingerprinting, harvesting, access to the underlying filesystem of a database, and remote code execution via out-of-band connections. As such, the tool’s popularity is a no-brainer.

Let’s test the sqlmap below. We’ll be using Acunetix’s intentionally vulnerable web application with the URL http://testphp.vulnweb.com/.

To get started, we enter the command sqlmap -u <URL> into the terminal. Since the website is made with PHP, it makes sense that PHP forms are being used. Specific forms must be passed to the tool for it to work properly. We’ll ask for all the tables to be enumerated as well with the --tables switch. Our final command will then be:

sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 --tables

We can check its output by using the terminal below. First-time use will prompt for some confirmations; please accept them.