I want to run a penetration test against a page I created that takes its parameters from GET forms.

Let’s try?

001. Introduction

SQL injection is a nightmare for any programmer. I'm not a programmer, but I sometimes create something, and I try to protect my site against attacks.

We can carefully analyze our code to find any vulnerability. We can also use a dedicated tool, "sqlmap".

Keep in mind that no tool will replace a human; it only complements the work.

sqlmap, as described on its home page http://sqlmap.org/:

“sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.”


002. Prepare to test

I used Fedora 20 as the Linux distribution.

I installed git and cloned the sqlmap project.

[root@forum litwin]# yum install git
Loaded plugins: fastestmirror, langpacks, refresh-packagekit
updates/20/x86_64/metalink | 27 kB 00:00:00 
updates | 4.9 kB 00:00:00 
updates/20/x86_64/primary_db | 12 MB 00:00:03 
(1/2): updates/20/x86_64/updateinfo | 1.6 MB 00:00:00 
(2/2): updates/20/x86_64/pkgtags | 1.3 MB 00:00:00 
Loading mirror speeds from cached hostfile
 * fedora: ftp.icm.edu.pl
 * updates: ftp.icm.edu.pl
Resolving Dependencies
--> Running transaction check
---> Package git.x86_64 0:1.9.3-2.fc20 will be installed
--> Processing Dependency: perl-Git = 1.9.3-2.fc20 for package: git-1.9.3-2.fc20.x86_64
--> Processing Dependency: perl(Term::ReadKey) for package: git-1.9.3-2.fc20.x86_64
--> Processing Dependency: perl(Git) for package: git-1.9.3-2.fc20.x86_64
--> Processing Dependency: perl(Error) for package: git-1.9.3-2.fc20.x86_64
--> Running transaction check
---> Package perl-Error.noarch 1:0.17021-1.fc20 will be installed
---> Package perl-Git.noarch 0:1.9.3-2.fc20 will be installed
---> Package perl-TermReadKey.x86_64 0:2.30-20.fc20 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

=================================================================================================================================
 Package Arch Version Repository Size
=================================================================================================================================
Installing:
 git x86_64 1.9.3-2.fc20 updates 4.7 M
Installing for dependencies:
 perl-Error noarch 1:0.17021-1.fc20 fedora 32 k
 perl-Git noarch 1.9.3-2.fc20 updates 54 k
 perl-TermReadKey x86_64 2.30-20.fc20 fedora 31 k

Transaction Summary
=================================================================================================================================
Install 1 Package (+3 Dependent packages)

Total download size: 4.8 M
Installed size: 24 M
Is this ok [y/d/N]: y
Downloading packages:
(1/4): perl-Error-0.17021-1.fc20.noarch.rpm | 32 kB 00:00:00 
(2/4): git-1.9.3-2.fc20.x86_64.rpm | 4.7 MB 00:00:01 
(3/4): perl-Git-1.9.3-2.fc20.noarch.rpm | 54 kB 00:00:00 
(4/4): perl-TermReadKey-2.30-20.fc20.x86_64.rpm | 31 kB 00:00:00 
---------------------------------------------------------------------------------------------------------------------------------
Total 2.5 MB/s | 4.8 MB 00:00:01 
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction (shutdown inhibited)
 Installing : 1:perl-Error-0.17021-1.fc20.noarch 1/4 
 Installing : perl-TermReadKey-2.30-20.fc20.x86_64 2/4 
 Installing : perl-Git-1.9.3-2.fc20.noarch 3/4 
 Installing : git-1.9.3-2.fc20.x86_64 4/4 
 Verifying : git-1.9.3-2.fc20.x86_64 1/4 
 Verifying : 1:perl-Error-0.17021-1.fc20.noarch 2/4 
 Verifying : perl-TermReadKey-2.30-20.fc20.x86_64 3/4 
 Verifying : perl-Git-1.9.3-2.fc20.noarch 4/4 

Installed:
 git.x86_64 0:1.9.3-2.fc20 

Dependency Installed:
 perl-Error.noarch 1:0.17021-1.fc20 perl-Git.noarch 0:1.9.3-2.fc20 perl-TermReadKey.x86_64 0:2.30-20.fc20 

Complete!
[root@forum litwin]# git clone https://github.com/sqlmapproject/sqlmap.git sqlmap-dev
Cloning into 'sqlmap-dev'...
remote: Counting objects: 46291, done.
remote: Compressing objects: 100% (62/62), done.
remote: Total 46291 (delta 25), reused 0 (delta 0)
Receiving objects: 100% (46291/46291), 40.89 MiB | 3.15 MiB/s, done.
Resolving deltas: 100% (35477/35477), done.
Checking connectivity... done.

 

003. Do a penetration test

I used the wizard. You can also prepare a more specific test.

[root@forum litwin]# cd sqlmap-dev/

[root@forum sqlmap-dev]# python sqlmap.py -u http://hakimodo.pl/wyszukiwarka_hostow/pokaz_wynik.php?adres=1 --wizard
 _
 ___ ___| |_____ ___ ___ {1.0-dev-e4b00bd}
|_ -| . | | | .'| . |
|___|_ |_|_|_|_|__,| _|
 |_| |_| http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 21:32:36

POST data (--data) [Enter for None]: 
Injection difficulty (--level/--risk). Please choose:
[1] Normal (default)
[2] Medium
[3] Hard
> 3
Enumeration (--banner/--current-user/etc). Please choose:
[1] Basic (default)
[2] Intermediate
[3] All
> 3

sqlmap is running, please wait..


[22:11:30] [CRITICAL] all tested parameters appear to be not injectable. Also, you can try to rerun by providing either a valid value for option '--string' (or '--regexp')

[*] shutting down at 22:11:30

What exactly has been done?

  • the “-u” parameter points at the page that will be attacked
  • -u http://hakimodo.pl/wyszukiwarka_hostow/pokaz_wynik.php?adres=1
  • “--wizard” runs the interactive wizard, which guides the whole process

 

The whole process took about 40 minutes to complete.


 

004. Analyze

Let's look at the victim's access log.


We can see different types of attack; of course, this process also put some load on the server.
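As an added illustration (not code from the original post), here is a small Python script that does the kind of access-log review described above, offline: it parses httpd combined-format lines, percent-decodes the adres query parameter and flags the payload shapes an automated injection scan leaves behind, as well as the sqlmap User-Agent string (assumed here to be "sqlmap/1.0-dev (http://sqlmap.org)"). The log lines are constructed samples, not the post's real log.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# httpd "combined" log format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Payload shapes an automated injection scan leaves in query strings:
# boolean (' AND '1'='1), UNION SELECT, time-based (SLEEP/BENCHMARK/WAITFOR), stacked queries, comment tails.
SQLI_RE = re.compile(
    r"('|\")\s*(or|and)\s+[\w'\"]+\s*=|union\s+(all\s+)?select|sleep\(\d+\)|benchmark\("
    r"|waitfor\s+delay|;\s*(drop|insert|update|delete)\s|(--|#)\s*$|/\*",
    re.IGNORECASE,
)

# Constructed sample lines (not the post's real log); the first three imitate a scan of pokaz_wynik.php.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Aug/2014:21:32:40 +0200] "GET /wyszukiwarka_hostow/pokaz_wynik.php?adres=1 HTTP/1.1" 200 512 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
203.0.113.7 - - [10/Aug/2014:21:32:41 +0200] "GET /wyszukiwarka_hostow/pokaz_wynik.php?adres=1%27%20AND%20%271%27%3D%271 HTTP/1.1" 200 512 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
203.0.113.7 - - [10/Aug/2014:21:32:42 +0200] "GET /wyszukiwarka_hostow/pokaz_wynik.php?adres=1%20UNION%20ALL%20SELECT%20NULL-- HTTP/1.1" 200 480 "-" "Mozilla/5.0"
198.51.100.3 - - [10/Aug/2014:21:33:10 +0200] "GET /wyszukiwarka_hostow/pokaz_wynik.php?adres=example.com HTTP/1.1" 200 700 "-" "Mozilla/5.0 (X11; Linux x86_64)"
"""

def classify(line):
    """Return {ip, status, reasons} for a suspicious request, or None for a benign/unparsable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    reasons = []
    if "sqlmap" in m["ua"].lower():  # the default UA is trivial to change, so never rely on it alone
        reasons.append("sqlmap user-agent")
    # parse_qs percent-decodes each value, so the regex sees the payload as the application would
    for name, values in parse_qs(urlsplit(m["path"]).query, keep_blank_values=True).items():
        if any(SQLI_RE.search(v) for v in values):
            reasons.append(f"sqli pattern in {name}")
    return {"ip": m["ip"], "status": m["status"], "reasons": reasons} if reasons else None

def analyze(lines):
    """Flag suspicious requests and count them per source IP (the load the post observed)."""
    flagged = [hit for hit in map(classify, lines) if hit]
    return flagged, Counter(hit["ip"] for hit in flagged)

if __name__ == "__main__":
    hits, per_ip = analyze(SAMPLE_LOG.splitlines())
    for hit in hits:
        print(hit["ip"], hit["status"], ", ".join(hit["reasons"]))
    print("requests per IP:", dict(per_ip))
```

Run it against your own access log with `analyze(open("/var/log/httpd/access_log").read().splitlines())`; a single IP with many flagged requests in a short window is the signature of the scan shown in this post.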


 

 

005. Conclusion

This test will not reveal all vulnerabilities, but there is a chance it finds something you missed…

 

You can also target the main page of the site with the “--forms” option; the program will then ask whether to test every form variable (POST/GET).

 

The rest of the program options:

 

The program's home page is here: http://sqlmap.org/

 
