Testing SQL injection with sqlmap

This video was made by John Strand from pauldotcom.com.

Sqlmap is an open source command-line automatic SQL injection tool. Its goal is to detect and take advantage of SQL injection vulnerabilities in web applications.

Once it detects one or more SQL injections on the target host, the user can choose among a variety of options.

What is SQL injection?

A SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application.

A successful SQL injection exploit can:

  • read sensitive data from the database
  • modify database data (Insert/Update/Delete)
  • execute administration operations on the database (such as shutting down the DBMS)
  • recover the content of a given file present on the DBMS file system
  • in some cases issue commands to the operating system

Hi, my name is or 1=1

White hats publish DDoS hijacking manual, turn tables on attackers

A handful of command-line strings, the open-source penetration-testing tool SQLMap, and knowledge of a command server’s location are pretty much all that’s required to gain access to its back-end database and server-side configuration files.

What is sqlmap?

Sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers.

SQL injection prevention

SQL Injection prevention cheat sheet

The following (Java) example is UNSAFE, and would allow an attacker to inject code into the query that would be executed by the database.

The unvalidated “customerName” parameter that is simply appended to the query allows an attacker to inject any SQL code they want.

Unfortunately, this method for accessing databases is all too common.
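The cheat sheet's Java listing is not reproduced on this page. As an added example (not the cheat sheet's code), the Python sketch below shows the same pattern against an in-memory SQLite database: a customer name appended to the query text, beside the parameterized form that binds it as data. The table, column and function names and all sample rows are assumptions constructed for the illustration.

```python
import sqlite3


def make_db():
    """Build an in-memory database holding constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT, balance INTEGER)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?)",
        [("alice", 100), ("bob", 250), ("carol", 75), ("o'brien", 40)],
    )
    return conn


def balances_unsafe(conn, customer_name):
    """UNSAFE: customer_name is appended to the SQL text and parsed as SQL."""
    query = "SELECT name, balance FROM customers WHERE name = '" + customer_name + "'"
    return conn.execute(query).fetchall()


def balances_safe(conn, customer_name):
    """Parameterized: the value is bound separately and is only ever data."""
    query = "SELECT name, balance FROM customers WHERE name = ?"
    return conn.execute(query, (customer_name,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    # Constructed input in the style of the "or 1=1" title quoted on this page.
    crafted = "x' OR '1'='1"

    # Both forms agree on an ordinary name.
    print("unsafe, alice  :", balances_unsafe(conn, "alice"))
    print("safe,   alice  :", balances_safe(conn, "alice"))

    # The appended quote closes the string literal, so the WHERE clause is
    # always true and every row comes back. The bound form matches no name.
    print("unsafe, crafted:", balances_unsafe(conn, crafted))
    print("safe,   crafted:", balances_safe(conn, crafted))

    # A legitimate name containing an apostrophe breaks the concatenated
    # query outright, which is often the first visible symptom of the flaw.
    try:
        balances_unsafe(conn, "o'brien")
    except sqlite3.OperationalError as exc:
        print("unsafe, o'brien: query failed:", exc)
    print("safe,   o'brien:", balances_safe(conn, "o'brien"))
```

The same separation of query text and bound values is what a prepared statement provides in Java.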
