Friday, 25 March 2016

Attacking Web Applications: SQL Injection (For Educational Purposes Only)

Data is one of the most vital components of information systems. Database-powered web applications are used by organizations to collect data from customers. Web applications face several kinds of attacks, such as buffer overflows, SQL injection, cross-site scripting and distributed denial-of-service (DDoS) attacks.

SQL Injection

SQL is the acronym for Structured Query Language. It is used to retrieve and manipulate data in a database. SQL injection is an attack that poisons dynamically built SQL statements, for example by commenting out part of the statement or by appending a condition that is always true.

Sqlmap

Sqlmap is one of the most popular and powerful SQL injection automation tools available. Given the URL of a vulnerable HTTP request, sqlmap can exploit the remote database and extract database names, tables, columns and all the data in the tables. It can even read and write files on the remote file system under certain conditions. Written in Python, it is one of the most powerful hacking tools out there. Sqlmap is the Metasploit of SQL injection.

Vulnerable Urls

Let's say there is a web application or website that has a URL like this:

http://www.site.com/section.php?id=1

and it is prone to SQL injection because the developer of that site did not properly escape the parameter id. This can be tested simply by trying to open the URL

http://www.site.com/section.php?id=1'

We just added a single quote to the parameter. If this URL throws an error or reacts in an unexpected manner, it is clear that the database received the unexpected single quote, which the application did not escape properly. So in this case the input parameter "id" is vulnerable to SQL injection.
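As an added illustration, not part of the original post, here is the unescaped lookup the post describes beside its parameterized fix, written in Python over an in-memory SQLite table (a stand-in for the PHP page; the table and its rows are constructed). It shows why the single-quote check produces an error only in the vulnerable version, and why an appended always-true condition returns every row there while the fixed version rejects it.

```python
import sqlite3

# Constructed sample table standing in for the data behind section.php?id=N.
SAMPLE_ROWS = [(1, "public"), (2, "internal"), (3, "secret")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE section (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO section VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, raw_id):
    """Builds the statement by string concatenation, like the unescaped
    section.php the post describes: the value of ?id= becomes part of the
    SQL text, so a stray quote is a syntax error and an appended condition
    is executed."""
    sql = "SELECT id, title FROM section WHERE id = " + raw_id
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, raw_id):
    """Hardened form: the value is validated, then bound as a parameter,
    so it is never parsed as SQL."""
    if not raw_id.isdigit():
        raise ValueError("id must be a positive integer")
    sql = "SELECT id, title FROM section WHERE id = ?"
    return conn.execute(sql, (int(raw_id),)).fetchall()


def probe(lookup, raw_id):
    """Runs one lookup and reports what a client would observe:
    ('ok', rows) or ('error', message)."""
    conn = make_db()
    try:
        return "ok", lookup(conn, raw_id)
    except (sqlite3.Error, ValueError) as exc:
        return "error", str(exc)
    finally:
        conn.close()


if __name__ == "__main__":
    for raw in ["1", "1'", "1 OR 1=1"]:
        print("vulnerable   ", repr(raw), probe(lookup_vulnerable, raw))
        print("parameterized", repr(raw), probe(lookup_parameterized, raw))
```

The error message from the vulnerable version is exactly the "unexpected reaction" the single-quote test looks for; the parameterized version fails closed on the same input.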

Hacking with sqlmap

Now it's time to move on to sqlmap to hack such URLs. The sqlmap command is run from the terminal with the following command:

sqlmap -u http://www.site.com/section.php?id=1

The above is the first and simplest command to run with the sqlmap tool. It checks the input parameters to find out whether they are vulnerable to SQL injection. To do this, sqlmap sends different kinds of SQL injection payloads to the input parameter and checks the output. In the process sqlmap is also able to identify the remote operating system and the database name and version.

So the sqlmap tool has discovered the operating system, web server and database along with version information. Even this much is pretty impressive. But it's time to move on and see what more this tool is capable of.


Discover Databases

Once sqlmap confirms that a remote URL is vulnerable to SQL injection and exploitable, the next step is to find out the names of the databases that exist on the remote system. The "--dbs" option is used to get the database list.

sqlmap -u http://www.site.com/section.php?id=1 --dbs


Find tables in a particular database

sqlmap -u http://www.site.com/section.php?id=1 --tables -D Databasename


Get columns of a table

sqlmap -u http://www.site.com/section.php?id=1 --columns -D Databasename -T tablename


Get data from a table

sqlmap -u http://www.site.com/section.php?id=1 --dump -D Databasename -T tablename