This article introduces sqlmap and shows how it can be used to detect and exploit SQL injection vulnerabilities.
2. SQL injection
This vulnerability allows the attacker to modify an SQL query. Improper validation of data sent by the user causes that data to be interpreted as part of the SQL query instead of as a plain value.
SQL injection can lead to:
– reading data from the database (confidentiality affected)
– changing data in the database (integrity affected)
– deleting the database (availability affected)
The following sections show how SQL injection can be used to learn the credentials of registered users. With these credentials the attacker can easily impersonate an arbitrary user of the vulnerable system. Sqlmap is used as the detection and exploitation tool.
Let's attack the page used for viewing account details in OWASP Mutillidae II (a web application that is intentionally vulnerable and covers the OWASP Top 10 vulnerabilities). This page is vulnerable to SQL injection and is available at 192.168.56.101/mutillidae/index.php?page=user-info.php when OWASP Mutillidae II is run on Metasploitable (an intentionally vulnerable Linux-based virtual machine; 192.168.56.101 is the IP address of Metasploitable).
Remark: edit /var/www/mutillidae/config.inc on Metasploitable and set $dbname = 'owasp10'; to make OWASP Mutillidae II work.
The page requires a username and a password to view the account details. These two parameters will be tested for SQL injection by sqlmap.
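To show why a username/password lookup like the one on the user-info page is injectable, and what the fix looks like, here is an added example that is not part of the original article or of Mutillidae: a lookup built by string concatenation beside a parameterized one, run against a constructed in-memory SQLite table standing in for the accounts table (the schema and sample rows are assumptions).

```python
import sqlite3

# Constructed sample rows standing in for the accounts table of the owasp10
# database; the schema here is an assumption, not Mutillidae's real one.
SAMPLE_ACCOUNTS = [("admin", "adminpass"), ("alice", "s3cret")]

def make_db():
    """In-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", SAMPLE_ACCOUNTS)
    return conn

def lookup_vulnerable(conn, username, password):
    """Query built by string concatenation: the submitted values become part
    of the SQL text, which is exactly what lets a tool like sqlmap alter it."""
    sql = ("SELECT username FROM accounts WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]

def lookup_safe(conn, username, password):
    """Parameterized query: values travel separately from the SQL text and
    can never change its structure, whatever characters they contain."""
    sql = "SELECT username FROM accounts WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]

def probe(lookup, conn, username, password):
    """Run a lookup and report either the matched usernames or the database
    error; a syntax error caused by a stray quote is the kind of signal
    sqlmap's error-based detection looks for."""
    try:
        return {"rows": lookup(conn, username, password)}
    except sqlite3.OperationalError as exc:
        return {"error": str(exc)}

def demo():
    conn = make_db()
    # A stray quote: breaks the concatenated query, harmless when parameterized.
    stray = ("abc", "def'")
    # A tautology: the concatenated WHERE clause becomes true for every row.
    tautology = ("abc", "x' OR '1'='1")
    return {
        "vulnerable_stray": probe(lookup_vulnerable, conn, *stray),
        "safe_stray": probe(lookup_safe, conn, *stray),
        "vulnerable_tautology": probe(lookup_vulnerable, conn, *tautology),
        "safe_tautology": probe(lookup_safe, conn, *tautology),
    }
```

The concatenated version errors on the stray quote and returns every account for the tautology; the parameterized version returns no rows in both cases, because the values are compared literally.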
4. Request interception
The parameters of the request can be entered manually in sqlmap. However, it is more convenient to intercept the request, save it to a file, and pass that file to sqlmap as one of its parameters. There is then no need to enter the request parameters by hand (a time-consuming process for requests with many parameters).
Let's set the Security Level to 0 (it can be changed using Toggle Security) in OWASP Mutillidae II. Then intercept the request with Burp Suite (an integrated platform for web site security testing) and save it. The attacker is not registered in the system, so the username and password can be arbitrary (abc and def respectively in the intercepted request).
5. Launching sqlmap
Sqlmap is included in Kali Linux (a penetration testing distribution). Use the following command in Kali Linux to launch sqlmap.
The previously saved request is loaded from the file given with -r. Use --tables to enumerate the database tables once SQL injection has been detected.
6. Vulnerabilities and payloads
Let's look at the vulnerabilities found by sqlmap. The tool detected that the username and password parameters are vulnerable to SQL injection. The user is asked to choose which injection point will be used to extract the database tables (the output is presented in the Exploitation section of this article).
The user can also read the payloads that were used to identify the injection points (shown here for the username parameter).
Sqlmap was asked to extract the database tables. The attacker wants to read the credentials of registered users and expects the accounts table in the owasp10 database to store them.
Let's use the following command in Kali Linux to dump the entries from the accounts table:
The output is presented below. The SQL injection vulnerability was used to learn the credentials of the registered users.
An SQL injection vulnerability was introduced. It allows the attacker to modify an SQL query as a result of improper validation of data sent by the user. As a consequence, the confidentiality, integrity and availability of the data in the database can be affected. Sqlmap was used to detect and exploit the SQL injection vulnerability.
sqlmap
http://sqlmap.org/ (access date: 10 September 2014)
OWASP Mutillidae II
http://sourceforge.net/projects/mutillidae/ (access date: 10 September 2014)
Metasploitable
http://www.offensive-security.com/metasploit-unleashed/Metasploitable (access date: 10 September 2014)
Burp Suite
http://portswigger.net/burp/ (access date: 10 September 2014)
Kali Linux
http://www.kali.org/ (access date: 10 September 2014)