SQL injections are a particularly
nasty type of web application vulnerability that can lead to loss or
disclosure of the contents of a database. Testing a web application to find SQL
injection holes can be a tedious process, which is where the sqlmap tool may come in handy.
sqlmap automates the process of testing a particular web page for various
kinds of SQL injection flaws.
Sqlmap is a command-line driven Python application that can help in both
finding and exploiting SQL injections. By giving it a URL and parameter
names of interest (from HTML forms or GET parameters), it tries to
determine which of those parameters cause different output based on their
value, indicating that they control the dynamic behavior of the
application. Those parameters are then tested by repeatedly making an HTTP
request with slightly different values. Each of the values passed
corresponds to a SQL injection technique, such as appending a
single-quote. Based on whether the HTML response is different from the
original response, the
potential for a SQL injection can be inferred.
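To make the differential inference described above concrete, here is an added example (not code from the article or from the sqlmap project): a constructed session lookup keyed by a cookie value, written once in the vulnerable string-splicing form and once with a parameterized query, plus two probe helpers that reproduce the comparison sqlmap makes. The table, the session id and the user name are constructed sample data.

```python
import sqlite3

def make_db():
    """Constructed in-memory session table keyed by the cookie value."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sessions (sid TEXT PRIMARY KEY, username TEXT)")
    conn.execute("INSERT INTO sessions VALUES ('abc123', 'alice')")
    conn.commit()
    return conn

def lookup_vulnerable(conn, cookie_sid):
    """Cookie value spliced into the statement: the flaw sqlmap looks for."""
    sql = "SELECT username FROM sessions WHERE sid = '%s'" % cookie_sid
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error:
        return "error"  # a broken query surfaces as a visibly different page
    return row[0] if row else "anonymous"

def lookup_fixed(conn, cookie_sid):
    """Parameterized query: the cookie value is data, never SQL syntax."""
    sql = "SELECT username FROM sessions WHERE sid = ?"
    row = conn.execute(sql, (cookie_sid,)).fetchone()
    return row[0] if row else "anonymous"

def quote_probe_breaks(lookup, conn, cookie_sid):
    """Appending a single quote produces an error response only when the
    value reaches the SQL parser."""
    return lookup(conn, cookie_sid + "'") == "error"

def boolean_probe_differs(lookup, conn, cookie_sid):
    """Compare the responses to an always-true and an always-false condition;
    a difference means the database evaluated the injected condition."""
    true_case = lookup(conn, cookie_sid + "' AND '1'='1")
    false_case = lookup(conn, cookie_sid + "' AND '1'='2")
    return true_case != false_case

if __name__ == "__main__":
    db = make_db()
    for name, fn in (("vulnerable", lookup_vulnerable), ("fixed", lookup_fixed)):
        print(name, quote_probe_breaks(fn, db, "abc123"),
              boolean_probe_differs(fn, db, "abc123"))
```

The parameterized version answers both probes identically, which is exactly why the inference finds nothing against it.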
The tool also tests an often overlooked input source: cookies. The user
can specify a cookie value which the tool will then manipulate to attempt a
SQL injection via the cookie. Since many applications store their session
information in a database using the cookie value as a key, this is a
relatively common route to SQL injection—one that penetration tests
While it does help remove some of the tedium involved in testing for SQL
injections, sqlmap is by no means an automated solution. A fair amount of
work is required to find a vulnerable parameter. Once a
vulnerability has been found, though, a great deal of information,
including database contents, can be retrieved with a single command.
Like many security tools, sqlmap can be used by those of malicious intent
rather easily. The automated retrieval of database passwords and contents
from a vulnerable application is particularly powerful—thus
dangerous. For some database installations, there is even a mode that will
open a shell prompt on the server as the user that runs the database application.
Because it is free software, sqlmap is very useful for understanding SQL
injections and, perhaps more importantly, what kinds of things an attacker
can do by abusing a vulnerable application. There is excellent documentation,
both for developers and users.
Sqlmap recently released version 0.6 and is
certainly worth a look for anyone interested in testing a web application
or curious about SQL injection in general.