
Testing for SQLi With Sqlmap – Where to Find It and How to Verify It

sqlmap is a popular CLI tool for detecting and exploiting SQLi vulnerabilities. Since we're only interested in discovering those bugs, we're less interested in the weaponization, except for brainstorming possible attack scenarios for report submissions.

The simplest use of sqlmap is using the -u flag to target the parameters being passed in a specific URL. Using webscantest.com again as our example target, we can test the parameters in a form submission specifically vulnerable to GET requests:

sqlmap -u "http://webscantest.com/datastore/search_get_by_id.php?id=3"

As sqlmap begins probing the parameters passed in the target URL, it will prompt you to answer several questions about the direction and scope of the attack:

it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n]

If you can successfully identify the backend through your own investigations, it's a good idea to say yes here, just to reduce any possible noise in the report.

You should also get a question about what risk level of input values you're willing to tolerate:

for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values?

sqlmap, as a tool designed to both detect SQLi vulnerabilities and exploit them, needs to be handled with care. Unless you're testing against a sandboxed instance, completely independent from all production systems, you should go with the lower risk-level settings. Using the lowest risk level ensures that sqlmap will test the form with malicious SQL inputs designed to cause the database to sleep or enumerate hidden information—and not corrupt data or compromise authentication systems. Because of the sensitivity of the information and processes contained in the targeted SQL database, it's important to tread carefully with vulnerabilities associated with backend systems.

Once sqlmap runs through its range of test inputs, it will prompt you about whether to test the other parameters as well. Once you've run through all the parameters passed in the targeted URL, sqlmap will print out a report of all the vulnerabilities discovered:

Success! There are a few vulnerabilities related to the id parameter, including a pair of blind SQLi vulnerabilities (where the results of the injection are not directly visible in the GUI) and error- and UNION-based inputs—all confirmed by the documentation on webscantest.com.
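As an added example (not from the book or from sqlmap itself), here is what a run like the one above looks like from the defender's side: a small Python scanner that reads Apache combined-format access-log lines and tags the three injection classes the report lists (time-based blind, error-based, UNION-based) plus sqlmap's default User-Agent. The log lines are constructed for the example and the signatures are a hypothetical minimal set, not a production ruleset.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample of access-log lines (not real traffic): a sqlmap probe of
# the id parameter, in the spirit of the search_get_by_id.php example, then one
# benign request from a different client.
SAMPLE_LOG = r'''
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /datastore/search_get_by_id.php?id=3 HTTP/1.1" 200 512 "-" "sqlmap/1.7 (https://sqlmap.org)"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /datastore/search_get_by_id.php?id=3%27 HTTP/1.1" 500 0 "-" "sqlmap/1.7 (https://sqlmap.org)"
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "GET /datastore/search_get_by_id.php?id=3%20AND%20SLEEP(5) HTTP/1.1" 200 512 "-" "sqlmap/1.7 (https://sqlmap.org)"
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /datastore/search_get_by_id.php?id=3%20UNION%20ALL%20SELECT%20NULL,NULL HTTP/1.1" 200 640 "-" "sqlmap/1.7 (https://sqlmap.org)"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /datastore/search_get_by_id.php?id=7 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
'''

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')

# Signatures for the three injection classes named in the sqlmap report above.
# They are matched against the URL-decoded, lower-cased query string.
SIGNATURES = {
    "time-based-blind": re.compile(r"\b(sleep|benchmark|pg_sleep|waitfor)\s*\("),
    "union-based": re.compile(r"\bunion\b(\s+all)?\s+select\b"),
    "error-based": re.compile("['\"]"),  # weakest signal; only counted with a 500 below
}

def classify(line):
    """Return (ip, path-without-query, set of tags) for one log line, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    tags = set()
    if m["ua"].lower().startswith("sqlmap/"):
        tags.add("sqlmap-ua")  # default UA; trivially changed, so never rely on it alone
    query = unquote_plus(m["path"].partition("?")[2]).lower()
    for name, rx in SIGNATURES.items():
        if rx.search(query):
            # a stray quote only counts as error-based probing when the server actually errored
            if name == "error-based" and m["status"] != "500":
                continue
            tags.add(name)
    return m["ip"], m["path"].partition("?")[0], tags

def scan(log_text):
    """Count tags per source IP; lines with no tags (normal traffic) are dropped."""
    hits = {}
    for line in log_text.strip().splitlines():
        result = classify(line)
        if result and result[2]:
            ip, _, tags = result
            hits.setdefault(ip, Counter()).update(tags)
    return hits
```

An IP that accumulates more than one distinct tag against the same path within a short window is the pattern worth alerting on; a single quote in a query string on its own is far too noisy.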
