One of the questions that we get on a regular basis is “Are there any good tools for SQL Injection?”
There are a number of great tools that do this commercially like Core Impact and Cenzic Hailstorm. However, many tools will simply alert you that a SQL Injection vulnerability exists then leave it at that.
We are penetration testers so proof is kind of important. Simply stating that you found a SQL injection vulnerability because your tool said so is not enough.
To that end, I would like to introduce you to sqlmap.
First up, I would like to say thanks to the developers Bernardo Damele A. G. and Daniele Bellucci.
Now I would like to show you a short video of the tool.

Why does this tool rock?
Glad you asked.
First, it has the ability to process results from burpsuite and webscarab with the -l option:

# ./ -l /tmp/webscarab.log/conversations/

It also has the ability automatically dump data. For example it can dump the database version and the tables in the database.
To do this you would use the –dump-all switch like:

# ./ –dump-all -u “”

Next, it has the ability to use googledork search strings. Yep, thats right googledorking and SQL Injection… Honestly, does it get any better?

# ./ –dump-all -g “ ext:php”

The above command will have google crawl a website and pull all pages with a php extension. After sqlmap has a nice list of targets it tries to attack them.
Finally, and in my humble opinion most importantly, it can get you a SQL shell.
To do this use the –sql-shell option and it will try to give you a shell.

# ./ –sql-shell -g “ ext:php”

Very nice!!!

Once again, I want to drive home the importance of proof. Our jobs as testers is to demonstrate risk. To do that we need to act like a threat and interact with a vulnerability. Simply stating that a tool said there is a vulnerability is not enough. Also, we should be after what the attackers are after…. Data! What better place to get data then a SQL database?

About the author