
SQL Injection with sqlmap


One of the questions that we get on a regular basis is "Are there any good tools for SQL Injection?"

There are a number of great commercial tools that do this, like Core Impact and Cenzic Hailstorm. However, many tools will simply alert you that a SQL injection vulnerability exists and then leave it at that.

We are penetration testers so proof is kind of important. Simply stating that you found a SQL injection vulnerability because your tool said so is not enough.

To that end, I would like to introduce you to sqlmap.

First up, I would like to say thanks to the developers Bernardo Damele A. G. and Daniele Bellucci.

Now I would like to show you a short video of the tool.

Why does this tool rock?

Glad you asked.

First, it has the ability to process results from Burp Suite and WebScarab with the -l option. For example:

# ./sqlmap.py -l /tmp/webscarab.log/conversations/

It also has the ability to automatically dump data. For example, it can dump the database version and the tables in the database.

To do this you would use the --dump-all switch like:

# ./sqlmap.py --dump-all -u "testurl.com"

Next, it has the ability to use Google dork search strings. Yep, that's right: Google dorking and SQL injection... Honestly, does it get any better?

# ./sqlmap.py --dump-all -g "site:testsite.com ext:php"

The above command uses Google to find pages on the site with a .php extension. After sqlmap has a nice list of targets it tries to attack them.
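From the server side, a run like the ones above leaves a recognisable trail in the web server's access log. The following is an added example, not code from this post or from the sqlmap project, that scans constructed Apache combined-format log lines for two indicators: a User-Agent containing "sqlmap" (sqlmap identifies itself this way by default unless the operator overrides it) and URL-decoded query strings carrying common injection patterns. The log lines, IP addresses, function names and the pattern list are my own assumptions, written for the defender reviewing logs after a test.

```python
import re
from urllib.parse import unquote_plus

# Apache/nginx "combined" format:
# ip - user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Query-string patterns typical of injection probes (assumed list, tuned for
# signal rather than completeness; a real deployment would extend it).
SQLI_PATTERNS = [
    (re.compile(r"\bunion\b.{0,40}\bselect\b", re.I), "union-select"),
    (re.compile(r"'\s*(or|and)\s+['\d]", re.I), "tautology"),
    (re.compile(r"(--|#|/\*)"), "sql-comment"),
    (re.compile(r"\b(sleep|benchmark|waitfor)\s*\(", re.I), "time-based"),
]

# Constructed sample log: one benign hit, two probes from the same source
# with sqlmap's self-identifying User-Agent, and one unrelated benign hit.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2009:12:00:01 -0500] "GET /news.php?id=3 HTTP/1.1" '
    '200 5120 "-" "Mozilla/5.0 (X11; Linux)"',
    '203.0.113.5 - - [10/Mar/2009:12:00:02 -0500] '
    '"GET /news.php?id=3%27%20AND%201%3D1 HTTP/1.1" 200 5120 "-" '
    '"sqlmap/0.9 (http://sqlmap.sourceforge.net)"',
    '203.0.113.5 - - [10/Mar/2009:12:00:03 -0500] '
    '"GET /news.php?id=3%20UNION%20SELECT%20NULL%2CNULL-- HTTP/1.1" 200 8001 "-" '
    '"sqlmap/0.9 (http://sqlmap.sourceforge.net)"',
    '198.51.100.7 - - [10/Mar/2009:12:01:00 -0500] "GET /index.php HTTP/1.1" '
    '200 1200 "-" "Mozilla/5.0"',
]


def analyze_line(line):
    """Return a finding dict for a suspicious request, or None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # not in combined format; ignore rather than guess
    parts = m.group("request").split(" ")
    if len(parts) < 2:
        return None
    path = parts[1]
    query = path.partition("?")[2]
    decoded = unquote_plus(query)  # match on the decoded form, as the app sees it
    reasons = []
    if "sqlmap" in m.group("agent").lower():
        reasons.append("user-agent:sqlmap")
    for pattern, name in SQLI_PATTERNS:
        if query and pattern.search(decoded):
            reasons.append(name)
    if not reasons:
        return None
    return {
        "ip": m.group("ip"),
        "path": path.split("?")[0],
        "status": m.group("status"),
        "reasons": reasons,
    }


def analyze_log(lines):
    """Run analyze_line over every line and keep only the findings."""
    return [f for f in (analyze_line(l) for l in lines) if f]


def summarize_by_ip(findings):
    """Count flagged requests per source address; a burst from one address is
    the usual shape of an automated scan rather than a single curious user."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    found = analyze_log(SAMPLE_LOG)
    for f in found:
        print(f)
    print(summarize_by_ip(found))
```

Matching on the decoded query string matters: the probes arrive percent-encoded, so a pattern applied to the raw request line would miss the quote and the spaces. The User-Agent check is cheap but only catches a default configuration; the query-pattern checks are what remain once a tester or attacker changes the agent string.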

Finally, and in my humble opinion most importantly, it can get you a SQL shell.

To do this, use the --sql-shell option and it will try to give you a shell.

# ./sqlmap.py --sql-shell -g "site:testsite.com ext:php"

(image: borat-high-five.jpg)

Very nice!!!

Once again, I want to drive home the importance of proof. Our job as testers is to demonstrate risk. To do that we need to act like a threat and interact with a vulnerability. Simply stating that a tool said there is a vulnerability is not enough. Also, we should be after what the attackers are after... Data! What better place to get data than a SQL database?

strandjs