Monthly Archives: June 2013

Professionally Evil Toolkit – Sqlmap


In this series of the Professionally Evil Toolkit we will be talking about sqlmap. Sqlmap is an open source penetration testing tool written in Python. It automates the process of detecting and exploiting SQL injection flaws and taking over database servers. As you might know, SQL injection is ranked number one on the OWASP Top Ten of web application security vulnerabilities. Since sqlmap has a rich feature set full of options, this post will only cover an introduction to the tool.

First you should have sqlmap downloaded and installed on the machine you use for testing. If you don't want to install it, Samurai WTF and Kali Linux come with it pre-loaded.

To launch sqlmap in Samurai we will just open up a shell, browse to the /usr/bin/samurai/sqlmap directory, and type in python sqlmap.py. However, sqlmap requires parameters to run. We can issue the --help option to get help on the tool. Below is a screenshot of

We are going to cover the basic functionality of the tool next. This can be broken up into several parameter categories:

  • Target
  • Request
  • Injection
  • Enumeration

The target parameter is required, as it specifies the URL that sqlmap will test. An example of this would be:

The next parameter category is the request parameters. Below are some useful request parameters with descriptions:

  • Data (--data) – Puts a data string in the request body, making it a POST request
  • Cookie (--cookie) – Sets a cookie for the request
  • Random-Agent (--random-agent) – Randomizes the User-Agent header value
  • Force-SSL (--force-ssl) – Very useful on sites that are SSL-based
  • Proxy (--proxy) – Great for troubleshooting. Instructs sqlmap to send its traffic through a proxy (Burp works great)
Below is an example of running sqlmap against a login screen using a POST request with a local client-side proxy.

The next parameter category is the injection parameters. These allow you to specify the back-end DBMS if you know it, and to specify which parameter to test. By default, if no parameter is specified, sqlmap will try all parameters. We will build on the above example and specify a MySQL back end.

Finally, the last parameter category we are going to talk about is enumeration. Enumeration gives you the ability to grab banners, the current user, the current database, password hashes, tables, columns and schemas, and even to dump the full database. Using the example above we can enumerate and dump the entire database using the following command:

To learn more about sqlmap you can use the help page or find more information online here. If you're looking for something to test against in a sandboxed environment you could try Mutillidae.

Professionally Evil Toolkit (PET) is a blog series about tools that security professionals use in the industry. These tools can be used for many things, including penetration testing, auditing, and testing. The tools mentioned in PET can be very dangerous when run on production systems. Secure Ideas recommends you get authorization from the appropriate system owners and test against staging environments prior to running these tools.

Jeff Bleich is a Senior Security Consultant with Secure Ideas. If you are in need of a penetration test or other security consulting services, you can contact him at jeff@secureideas.com or visit the Secure Ideas – Professionally Evil site for the services provided.

Getting Started with BeEF: The Browser Exploitation Framework

This post is the first in a series on Getting Started with information security tools. For more posts in this series, check out the Getting Started label on this post. BeEF, the Browser Exploitation Framework, is a testing tool designed to enable penetration testers to launch client-side attacks against target browsers. By using techniques similar…

Who We Are: Jeff Bleich

In this series of posts we're introducing staff members at Secure Ideas to give you a quick glimpse into our lives. The goal of these posts is for you to learn more about us, so reach out to us via email or Twitter. We'd love to get to know you. Who am I: Jeff Bleich,…

Your Passwords Were Stolen: What’s Your Plan?


If you have been glancing at many news stories this year, you have certainly seen the large number of data breaches that have occurred. Even just today, we are seeing reports that Drupal.org suffered a breach (https://drupal.org/news/130529SecurityUpdate) involving unauthorized access to hashed passwords, usernames, and email addresses. Note that this is not a…

SANS Mobile Summit 2013 Recap

So I just got back from the SANS Mobile Security Summit, where I was the chair. The event was a blast and, even though I am biased, I think that we had a number of great speakers. This was the second annual summit and I am already looking forward to next year's! Now let's review…