
Find SQL injection vulnerabilities with sqlmap

By Jake Edge
September 3, 2008

SQL injections are a particularly nasty type of web application vulnerability that can lead to loss or disclosure of the contents of a database. Testing a web application to find SQL injection holes can be a tedious process, which is where the sqlmap tool may come in handy. sqlmap automates the process of testing a particular web page for various kinds of SQL injection flaws.

Sqlmap is a command-line driven Python application that can help in both finding and exploiting SQL injections. By giving it a URL and parameter names of interest (from HTML forms or GET parameters), it tries to determine which of those parameters cause different output based on their value, indicating that they control the dynamic behavior of the application. Those parameters are then tested by repeatedly making an HTTP request with slightly different values. Each of the values passed corresponds to a SQL injection technique, such as appending a single-quote. Based on whether the HTML response is different from the original response, the potential for a SQL injection can be inferred.

The tool also tests an often overlooked input source: cookies. The user can specify a cookie value which the tool will then manipulate to attempt a SQL injection via the cookie. Since many applications store their session information in a database using the cookie value as a key, this is a relatively common route to SQL injection—one that penetration tests sometimes miss.
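To make the inference step described in the last two paragraphs concrete, here is an added example in Python (not sqlmap's code, nor from the article): a cookie-keyed session lookup in a vulnerable and a parameterized form, plus a much-simplified response comparison run against a constructed in-memory SQLite table. The table, cookie value and page strings are assumptions made for the example.

```python
import sqlite3

def make_db():
    """Constructed in-memory stand-in for an application that keys sessions by cookie value."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sessions (cookie TEXT PRIMARY KEY, username TEXT)")
    conn.execute("INSERT INTO sessions VALUES ('abc123', 'alice')")
    return conn

def page_vulnerable(conn, cookie):
    """Session lookup that splices the cookie straight into the SQL text."""
    sql = f"SELECT username FROM sessions WHERE cookie = '{cookie}'"
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.OperationalError:      # broken quoting surfaces as an error page
        return "500 Internal Server Error"
    return f"Welcome back, {row[0]}" if row else "Please log in"

def page_fixed(conn, cookie):
    """Same lookup with a bound parameter: the cookie can only ever be data."""
    row = conn.execute("SELECT username FROM sessions WHERE cookie = ?", (cookie,)).fetchone()
    return f"Welcome back, {row[0]}" if row else "Please log in"

def infer_injection(page, conn, cookie):
    """Simplified version of the response-comparison check the article describes.

    A response that merely differs (a wrong cookie also changes the page) is not
    evidence by itself; the tell is that an injected true condition leaves the
    page unchanged while an injected false condition alters it."""
    baseline = page(conn, cookie)
    resp_true = page(conn, cookie + "' AND '1'='1")
    resp_false = page(conn, cookie + "' AND '1'='2")
    return resp_true == baseline and resp_false != baseline

if __name__ == "__main__":
    db = make_db()
    print("vulnerable handler injectable:", infer_injection(page_vulnerable, db, "abc123"))  # True
    print("fixed handler injectable:     ", infer_injection(page_fixed, db, "abc123"))       # False
```

Note that the bare single-quote probe from the article turns the vulnerable handler into an error page, while the parameterized handler simply treats it as an unknown cookie.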

While it does help remove some of the tedium involved in testing for SQL injections, sqlmap is by no means an automated solution. A fair amount of work is required to find a vulnerable parameter. Once a vulnerability has been found, though, a great deal of information, including database contents, can be retrieved with a single command.

Like many security tools, sqlmap can be used by those of malicious intent rather easily. The automated retrieval of database passwords and contents from a vulnerable application is particularly powerful—thus dangerous. For some database installations, there is even a mode that will get a shell prompt on the server as the user that runs the database application.

Because it is free software, sqlmap is very useful for understanding SQL injections and, perhaps more importantly, what kinds of things an attacker can do by abusing a vulnerable application. There is excellent documentation, both for developers and users. Sqlmap recently released version 0.6 and is certainly worth a look for anyone interested in testing a web application or curious about SQL injection in general.



Find SQL injection vulnerabilities with sqlmap

Posted Sep 11, 2008 13:11 UTC (Thu) by rknasc (guest, #11401) [Link]

In Popular Culture:

http://www.xkcd.org/327/

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds