Aleksandar Krstic

Personal Blog

Security Testing – SQL Injection

For many testers Security Testing is grey area.

One of common ways to test security of your web application is SQL Injection.

In this post I’ll cover basic testing with one of popular free tools – SQLMap – www.sqlmap.org

This tool support wide range of database systems – MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase, SAP MaxDB, HSQLDB and Informix database management systems.

How to use it?

Following steps are for MS SQL Server, but logic is same for all other types.

  1. Download and install Python – https://www.python.org/downloads/
    *Use 2.7.12 version, because version 3 is not supported
  2. Download and extract sqlmap – http://sqlmap.org/
  3. Go to your browser, run application that you want to test
  4. Click F12 in your browser and go to Network tab, so you can track http requests
  5. pen1

  6. Navigate to field which you want to use for injection – e.g. First Name input field in some form, fill all required data and click Next/Submit button
  7. In Network tab find request that was sent and collect data for your request
    It’s something like this
  8. pen2

  9. You will usually need to handle json requests, so in this example we will use that type of request. Create json request based on data you found in Network and save it as .txt file.
  10. pen3

  11. Run CMD as Administrator
  12. Type following command
    C:\Python27\python.exe C:\PATH-TO-EXTRACED-SQLMAP-FILES\sqlmap.py -r C:\PATH-TO-TXT-FILE-WITH-SAVED-POST\penetration.txt -p PARAMETER-YOU-WANT-TO-TEST –dbms=”Microsoft SQL Server”

    *First path is location where Python is installed
    *Second path is location where sqlmap is extracted
    *Third path is location where you saved your post as txt
    -p is parameter that you want to use for injection. If you look image from above, we can use CardHolderName
    –dbms is type of db Management System, you can leave it blank, tool will try process for every supported dbms.
    Beside this, there are a lot of options that can be used – https://github.com/sqlmapproject/sqlmap/wiki/Usage

  13. After execution of this command you will get a few Yes/No or Continue/Quit prompts, and of course select Yes or Continues (by typing Y or C in command line)
  14. At the end you will get report is it your application vulnerable to SQL Injections or not.