
8/13/2019 Automatic SQL Injection Tool - Sqlmap _ Linux Blog

http://slidepdf.com/reader/full/automatic-sql-injection-tool-sqlmap-linux-blog 1/3

Linux Blog


Automatic SQL injection tool - sqlmap

Posted by Nikesh Jauhari

Whatever you do with this tool is uniquely your responsibility. If you are not authorized to punch holes in the network you are attacking, be aware that such action might get you in trouble with a lot of law enforcement agencies.

sqlmap's goal is to detect and take advantage of SQL injection vulnerabilities in web applications. Once it detects one or more SQL injections on the target host, the user can choose among a variety of options to perform an extensive back-end database management system fingerprint, retrieve the DBMS session user and database, enumerate users, password hashes, privileges and databases, dump entire or user-specified DBMS tables/columns, run their own SQL statements, read specific files on the file system, and more.

sqlmap has support for MySQL, Oracle, PostgreSQL and Microsoft SQL Server back-end database management systems. Besides these four database management systems, sqlmap can also identify Microsoft Access, DB2, Informix, Sybase and Interbase.

sqlmap Installation:

Download the sqlmap .deb package from here, then double-click the downloaded file to install sqlmap along with all the required dependencies.

Using sqlmap:

Let's say that you are auditing a web application and have found a web page that accepts dynamic user-provided values in GET or POST parameters, HTTP Cookie values or the HTTP User-Agent header value. You now want to test whether these are affected by a SQL injection vulnerability and, if so, exploit them to retrieve as much information as possible out of the web application's back-end database management system, or even be able to access the underlying operating system.

Consider that the target url is:

http://<server ip>/sqlmap/mysql/get_int.php?id=1

Now pass the original address to sqlmap using the command:

sqlmap -u "http://<server ip>/sqlmap/mysql/get_int.php?id=1" -v 1


sqlmap will automatically:

  * Identify the vulnerable parameter(s) (id in this scenario);

  * Depending on the user's options, fingerprint, enumerate or take over the database server.
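
Why the id parameter in the URL above gets reported as vulnerable, and what fixes it, shown as an added example (not code from the original post or from sqlmap). The handler names, the users table and its rows are constructed for illustration, and an in-memory SQLite database stands in for the MySQL back end:

```python
import sqlite3

def make_db():
    # Constructed sample data; in-memory SQLite stands in for the MySQL back end.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [(1, "alice"), (2, "bob"), (3, "carol")])
    return db

def get_int_vulnerable(db, raw_id):
    # Hypothetical handler: the request value is concatenated into the SQL text,
    # so anything after the number is parsed as part of the query.
    sql = "SELECT name FROM users WHERE id = " + raw_id
    return sorted(row[0] for row in db.execute(sql))

def get_int_hardened(db, raw_id):
    # Hypothetical fixed handler. Step 1: enforce the type the parameter should have.
    if not (raw_id.isascii() and raw_id.isdigit() and len(raw_id) <= 18):
        raise ValueError("id must be a non-negative integer")
    # Step 2: bind the value so the driver never parses it as SQL.
    rows = db.execute("SELECT name FROM users WHERE id = ?", (int(raw_id),))
    return sorted(row[0] for row in rows)

def changes_query_logic(handler, db):
    """Regression check: does a non-integer id change which rows come back?"""
    baseline = handler(db, "1")
    try:
        altered = handler(db, "1 OR 1=1")
    except (ValueError, sqlite3.Error):
        return False  # input was rejected, the query logic was not altered
    return altered != baseline

if __name__ == "__main__":
    db = make_db()
    print("vulnerable handler affected:", changes_query_logic(get_int_vulnerable, db))
    print("hardened handler affected:  ", changes_query_logic(get_int_hardened, db))
```

A check like changes_query_logic can live in the application's test suite so that a handler which goes back to string concatenation fails the build before a scanner finds it.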

sqlmap demo:

You can watch more demo videos; they are hosted on YouTube.
