sqlmap is a web application and database penetration testing tool that automates detecting and exploiting many types of SQL injection flaw and, from there, taking over the database server. It is able to detect a wide range of injection techniques (boolean-based blind, time-based blind, error-based, UNION-based and stacked queries) against most common database back-ends.

Let’s take the following code (it uses the old mysql_* extension, which was removed in PHP 7, but the flaw is the same with any API as soon as user input is concatenated into the query text) –

<?php
        $link = mysql_connect("localhost", "twl", "XXXX");
        mysql_select_db("twl");

        echo "This is a page\n";
        // Vulnerable: $_GET['id'] is pasted straight into the SQL text.
        // A quote in the input closes the string literal and the rest of
        // the input is parsed as SQL by the server.
        $sql = "SELECT * FROM wp_posts WHERE ID='" . $_GET['id'] . "';";
        $res = mysql_query($sql);      // returns false when the query fails
        mysql_free_result($res);       // and this then emits a PHP warning
        echo "This is some text\n";
        mysql_close($link);

?>
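For comparison, here is the same page rewritten so that the injection is not possible. This is an added example, not code from the original post: it uses mysqli with a prepared statement (the get_result() call assumes the mysqlnd driver, which is the default in modern PHP builds), keeps the same placeholder credentials and table, and adds the input validation and error handling the original lacks.

```php
<?php
// Added example (not from the original post): the page above rewritten with a
// prepared statement. Host, user, password and database are the placeholders
// used in the original; replace them with your own.
$link = new mysqli("localhost", "twl", "XXXX", "twl");
if ($link->connect_error) {
    http_response_code(500);
    exit("database unavailable\n");   // do not leak connect_error to the client
}

echo "This is a page\n";

// Validate the shape of the input first: wp_posts.ID is an unsigned integer,
// so anything that is not a positive integer is rejected before any SQL runs.
// filter_input() returns null if 'id' is absent and false if it fails validation.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($id === null || $id === false) {
    http_response_code(400);
    exit("invalid id\n");
}

// The query text is fixed at prepare() time; the value travels to the server
// separately as a bound parameter, so a quote (or anything else) in $_GET['id']
// can never change the structure of the statement.
$stmt = $link->prepare("SELECT ID, post_title FROM wp_posts WHERE ID = ?");
if ($stmt === false) {
    http_response_code(500);
    exit("query error\n");            // log $link->error server-side, never echo it
}
$stmt->bind_param("i", $id);
$stmt->execute();

$res = $stmt->get_result();           // requires mysqlnd (assumption, see lead-in)
while ($row = $res->fetch_assoc()) {
    // Output-encode as well: a stored post title must not become HTML/JS.
    echo htmlspecialchars($row['post_title'], ENT_QUOTES, 'UTF-8'), "\n";
}
$res->free();
$stmt->close();

echo "This is some text\n";
$link->close();
?>
```

Re-running the manual check against this version, id=10 still returns the page, while id=10' (or 10 AND SLEEP(5)) now gets a 400 response without any query being sent, and the server's error text never reaches the client, so sqlmap has neither a syntax error nor a timing difference to work with.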

Let’s test this from an external perspective –

Screenshot: SQL injectable code

We can see that when we provide an id of ’10’, the page succeeds. When we pass a single quote in as the id, the query fails and the page prints an error. The quote closed the string literal in WHERE ID='...' early, so everything after it was parsed as SQL: our input has been passed straight through to the database server and executed as part of the query. (In this code the visible message is PHP's warning from mysql_free_result() being handed the false that mysql_query() returns on failure, so the MySQL error text itself is not shown; that detail matters for which techniques sqlmap can use below.)

We can now invoke sqlmap, passing a URL containing a valid value for the parameter. sqlmap will then test that parameter against a range of different injection techniques –

./sqlmap.py -u 'http://www.plzpwn.me/sql.php?id=1'

We can see that sqlmap has confirmed that the parameter is injectable, and which technique it confirmed it with:

[INFO] GET parameter 'id' is 'MySQL > 5.0.11 AND time-based blind' injectable

sqlmap also prints the payload it used to confirm each technique. Note what this line says: the technique found is time-based blind, which is what you would expect from this code. The page never echoes mysql_error(), so the response carries no database error text for sqlmap to harvest with error-based injection; what it can observe is that a payload containing SLEEP() (hence the 'MySQL > 5.0.11' fingerprint, SLEEP() having been added in 5.0.12) delays the response, and from that it infers the data one true/false condition at a time. That is slower than the error-based or UNION techniques, but it is still enough to take the database apart, as the next step shows. How the blind techniques work will be covered in the next article.

Now let’s pass ‘--dbs’ to sqlmap in an attempt to retrieve the list of databases from the remote server.


Success, we were able to enumerate the remote list of databases. From here we can drill down with -D <database> --tables to list its tables, -D <database> -T <table> --columns to list the columns, and -D <database> -T <table> --dump (or --dump-all for everything) to export the entire database. Expect this to take a while over a time-based channel: every extracted byte costs several delayed requests.

Motto: never build queries by concatenating user input. Use prepared statements with bound parameters, validate input against the type you expect, and keep database error text out of responses.