Sunday, September 9, 2012

sqlmap - A Tool to Test SQL Injection

In a previous post I designed a simple web page that would accept a username and password.  I chose to test this same page for SQL injection with a tool called sqlmap.

First, looking at the server response captured in a previous post, I noticed the data was posted as "username=test&password=test".  I then used this information to build the sqlmap command I was going to run.

python sqlmap.py --data="username=test&password=test" --url="http://test.local" -t http.log

It was after some research that I found the "-t" option.  This writes the client requests and server responses to a file, in plain text or in whatever encoding was used.

The http.log was a lot easier to use than Wireshark, which I had initially been using.  I wanted to understand more of how sqlmap could gather the database name, the table names and then the contents of those tables.

I grepped the http.log file for the keyword username= and, after URL-decoding the matches, found the SQL statements being sent back and forth.  Then I analyzed the Set-Cookie header for the data that was being leaked.

Observations to note:
1. Verify, when you create a variable that passes data, that the size of the variable is checked.  If the size of the username or password had been truncated, sqlmap would not have been able to gather the data it needed.

2. Sanitize the data as it is passed in a POST or GET variable.

3. Hackers will hide from the HTTP logs what they are trying to accomplish, because POST data is not recorded in the URL.

4. If the username and password were incorrect, the sqlmap tool would not work properly.

5. Be careful disclosing the errors that may occur in a SQL query or web page errors.  This could give hackers a clue as to how your application is designed.
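As an added illustration of observations 1, 2 and 5 (example code written for this post, not the code of the original web page), here is the same login check written the injectable way and the hardened way, against an in-memory SQLite table constructed inline; the field limit, the allowed-character pattern and the sample row are assumptions.

```python
import re
import sqlite3

MAX_LEN = 32  # observation 1: bound the length of user-supplied fields (assumed limit)

def make_db():
    """Constructed sample table; passwords kept in plain text only to keep the demo short."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    # String concatenation: whatever the client posts becomes part of the SQL text,
    # which is exactly what sqlmap probes for.
    sql = ("SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return conn.execute(sql).fetchone()[0] > 0

def login_hardened(conn, username, password):
    # Observation 1: reject oversized fields before they reach the database.
    if len(username) > MAX_LEN or len(password) > MAX_LEN:
        return False
    # Observation 2: only accept the characters a username may legitimately contain.
    if not re.fullmatch(r"[A-Za-z0-9_.-]+", username):
        return False
    # Parameterized query: the values are bound as data and never parsed as SQL.
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    try:
        row = conn.execute(sql, (username, password)).fetchone()
    except sqlite3.Error:
        # Observation 5: fail closed and never echo the database error to the client.
        return False
    return row[0] > 0
```

A tautology in the password field logs in through the concatenated query but is simply a wrong password to the parameterized one.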
