Wednesday 5 June 2013


Running sqlmap yourself is not difficult. Read through this tutorial and you will get an introduction to a powerful SQL injection testing tool. Of course this is the same tool we use on our online SQL injection test site.
One thing to keep in mind is that sqlmap is a Python-based tool, which means it will usually run on any system with Python. We like Ubuntu, however; it just makes it easy to get stuff done. Python comes already installed in Ubuntu, so it is just a matter of downloading the tool, unpacking it and running the command with the necessary options. Let's not get ahead of ourselves: there may be some Windows users amongst you, so let me start off with getting an Ubuntu install up and running. It is easy to get started on an Ubuntu Linux system even if the thought of Linux sends you into shivering spasms of fear. Who knows, you may even like it.
If you are running Microsoft Windows as your main operating system you will likely find it the most convenient and simple to run an install of Ubuntu Linux in a virtual machine. You can then play with sqlmap, nmap, nikto and openvas along with a hundred other powerful open source security tools. If you would like to perform remote scanning such as that provided by hackertarget.com you could pay for a cheap Ubuntu based VPS from one of hundreds of providers, paying anything from $10 per month to $100 or so. Linode is great for this, providing high quality and solid systems for the price.

Step 1: Install Virtualbox

VirtualBox is a free and straightforward to use virtual machine manager. You could of course use VMware or Parallels, however we are going to use VirtualBox.

Select Bridged for your adapter. You could use NAT or Host-only, of course; it simply depends on your requirements. By using bridged mode your VM will have an IP address on your local network, which makes it easier when you are playing with network-based security testing tools. Security testing is fun, just make sure you only test systems you own / operate or have permission to scan.

Step 2: Ubuntu Installation

Download the latest Ubuntu iso from http://www.ubuntu.com, select the ISO as the boot media for your guest and start the virtual machine. Select the install option and Ubuntu will be installed onto the virtual hard disk on the machine.

Step 3: SQLmap Installation

Python is pre-installed in Ubuntu so all you need to do is download sqlmap from sourceforge, unpack it into a directory and start your testing.
http://sqlmap.sourceforge.net/#download
You can unpack it with a GUI based tool (double click on it) or use tar and gzip together with this command.
tar zxvf sqlmap-0.9.tar.gz
cd sqlmap
python sqlmap.py
This should be your results from a working installation:
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
Usage: python sqlmap.py [options]
sqlmap.py: error: missing a mandatory parameter ('-d', '-u', '-l', '-r', '-g', '-c', '--wizard' or '--update'), -h for help
The error is merely telling us we did not fill in the necessary parameters for a test to take place. You can repeat the command with the -h option to get a full list of options, or see the excellent online help and tutorials on the sqlmap project page.
For a simple test we will use the HTTP GET testing option against a single URL.
python sqlmap.py -u 'http://mytestsite.com/page.php?id=5'
This will run a bunch of SQL injection tests against that URL, with the parameter (id) being tested for SQL injection.
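To see what a test on the id parameter is actually looking for, here is an added example (not code from the sqlmap project or from the original post) that puts a page handler built by string concatenation next to a parameterized one and runs the same true/false comparison against both. The table, the sample rows and the function names are constructed for illustration, and an in-memory SQLite database stands in for the site's database.

```python
import sqlite3


def make_db():
    # Constructed sample data standing in for the database behind page.php
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT)")
    db.executemany("INSERT INTO pages VALUES (?, ?)",
                   [(5, "Welcome"), (6, "Contact")])
    return db


def page_vulnerable(db, id_param):
    # The id value is pasted into the SQL text, so the database parses it as SQL.
    sql = "SELECT title FROM pages WHERE id = " + id_param
    return [row[0] for row in db.execute(sql)]


def page_parameterized(db, id_param):
    # The id value is bound as data and never becomes part of the SQL text.
    sql = "SELECT title FROM pages WHERE id = ?"
    return [row[0] for row in db.execute(sql, (id_param,))]


def boolean_differential(handler, db):
    # Same id with an always-true and an always-false condition appended.
    # If the two responses differ, the input is being evaluated as SQL.
    true_resp = handler(db, "5 AND 1=1")
    false_resp = handler(db, "5 AND 1=2")
    return true_resp != false_resp


if __name__ == "__main__":
    db = make_db()
    for handler in (page_vulnerable, page_parameterized):
        print(handler.__name__,
              "normal:", handler(db, "5"),
              "injectable:", boolean_differential(handler, db))
```

Both handlers return the same page for a normal id of 5; only the concatenating one answers differently to the true and false conditions, and that difference disappears once the value is bound as a parameter.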
Sqlmap can be used not only to test for but also to exploit SQL injection, doing things such as extracting data from databases, updating tables and even popping shells on remote hosts if all the ducks are in line. All these options and examples are available on the excellent SourceForge project page. So now that you have a working installation, get on over there and start testing.
