
SQL Injection Automation Tool

Hello guys,

Today I will share a tool that helps you perform SQL injection tests on your website.

What are SQL injection tests? They are a type of security test you run against a web application to make sure it stops users and attackers from reaching your database through SQL injection.

To find out whether a page is vulnerable, first look at where it accepts user-provided values: GET, POST or Cookie parameters, or request headers such as HTTP User-Agent. If one of those values is placed into a query without proper handling, an attacker can use it to retrieve as much information as possible from the back-end database management system, and in some cases reach the underlying file system and operating system.

This tool, sqlmap, automates the process of identifying and exploiting this type of vulnerability. I will give you some tips here:

  • First, download the archive or git clone the repository:
    git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git sqlmap-dev
  • Run the command below to list all available options (-h shows only the basic ones, -hh shows everything):
    python sqlmap.py -hh
  • To test a page, pass its URL. The --batch option accepts the default answer to every prompt, so the run needs no interaction:
    python sqlmap.py -u "http://localhost:8000/test?id=1" --batch
  • To widen the tests, use the --level (1-5) and --risk (1-3) options. Level controls how many injection points and payloads are tried (level 2 adds Cookie values, level 3 adds the User-Agent and Referer headers); risk controls how aggressive the payloads are (risk 3 adds OR-based payloads, which can change data if the injection lands in an UPDATE statement):
    python sqlmap.py -u "http://localhost:8000/test?id=1" --level=5

Both options tune the detection phase; the default for each is 1, which is enough for a quick first pass.

If the page requires authentication, pass the cookie of an already logged-in session with --cookie, or use --auth-type (Basic, Digest or NTLM) together with --auth-cred ("user:password") so sqlmap authenticates before the tests start.

I suggest testing on localhost against a copy of your database, so you do not mess up your real data: sqlmap's payloads, especially at higher risk levels, can modify or delete rows.
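To make the idea concrete, here is an added example (not code from the original post and not part of sqlmap): a tiny model of the "/test?id=1" endpoint above, once built by string concatenation and once with a bound parameter, plus a minimal boolean-based probe of the kind sqlmap runs in its detection phase (the same request with "AND 1=1" and "AND 1=2" appended, comparing the responses). The handler and table names are made up, and the in-memory SQLite database stands in for the copy of your real database.

```python
import sqlite3

# Constructed sample data standing in for a copy of the site's database
# (as the post recommends, never the production one).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)"
    )
    conn.executemany(
        "INSERT INTO items VALUES (?, ?, ?)",
        [(1, "apple", "s1"), (2, "banana", "s2"), (3, "cherry", "s3")],
    )
    return conn


def vulnerable_handler(conn, id_param):
    """Hypothetical /test?id=... handler: the parameter is pasted straight
    into the SQL string, so any input changes the shape of the query."""
    sql = f"SELECT name FROM items WHERE id = {id_param}"
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.Error:
        # Many applications swallow database errors and render an empty page;
        # sqlmap still detects these cases by comparing page contents.
        return []


def hardened_handler(conn, id_param):
    """Same endpoint, fixed: the value is validated and then bound as a
    parameter, so it can only ever be compared against the id column."""
    try:
        id_value = int(id_param)
    except ValueError:
        return []
    return [
        row[0]
        for row in conn.execute("SELECT name FROM items WHERE id = ?", (id_value,))
    ]


def boolean_probe(handler, conn, base_value="1"):
    """Minimal boolean-based blind check in the spirit of sqlmap's detection
    phase: for an injectable parameter, a TRUE condition leaves the page
    unchanged while a FALSE condition changes it. Returns True when the
    endpoint behaves like an injectable one."""
    baseline = handler(conn, base_value)
    true_page = handler(conn, f"{base_value} AND 1=1")
    false_page = handler(conn, f"{base_value} AND 1=2")
    return baseline == true_page and baseline != false_page


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, id=1:        ", vulnerable_handler(conn, "1"))
    print("vulnerable, id=1 OR 1=1: ", vulnerable_handler(conn, "1 OR 1=1"))
    print("vulnerable, UNION dump:  ",
          vulnerable_handler(conn, "1 AND 1=2 UNION SELECT secret FROM items"))
    print("hardened,   id=1 OR 1=1: ", hardened_handler(conn, "1 OR 1=1"))
    print("probe says vulnerable:   ", boolean_probe(vulnerable_handler, conn))
    print("probe says hardened:     ", boolean_probe(hardened_handler, conn))
```

Running this shows the vulnerable handler returning every row for "1 OR 1=1" and dumping the secret column through a UNION, while the hardened handler returns nothing for the same inputs and the probe no longer sees a difference between the TRUE and FALSE payloads. That difference is exactly what sqlmap looks for at --level 1, and the UNION query is the kind of payload it uses afterwards to pull data out.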

Resources:

http://sqlmap.org/

https://github.com/sqlmapproject/sqlmap
