It's a Friday afternoon and you, Mr. Diligent, Security Expert, are looking for just one more great 'find' before calling it a week. This lazy man's method is probably for you. It requires: (1) very little thought, (2) a vulnerable site that you are authorized to test and (3) a few skills at working your command prompt.
5 minute setup:
1. Download the latest version of sqlmap.
2. Install Python (sqlmap is written in Python and is run with the Python interpreter, not Perl).
3. Scan through the thorough documentation of sqlmap at install_path/doc.
Now we are ready to go. We are going to have sqlmap pull a list of URLs within the vulnerable site from Google's index and keep the ones that carry GET (?var=value) parameters. With this method there is no need to crawl the site yourself, parse through forms, tamper with URLs by hand, etc. In fact this is a great numero uno method of testing any new site that comes your way as a security professional...
All you need to do is feed sqlmap a Google dork, and it really is this simple. From the command prompt, inside the sqlmap directory, run:
python sqlmap.py -g "site:yourdomain.com"
sqlmap queries Google for indexed URLs in that domain that contain parameters and then tests each URL Google returns for SQL injection. Google throttles automated queries, so if you get few or no results, retry later or narrow the dork (for example site:yourdomain.com inurl:php?).
You still have a lot of control here. sqlmap asks before it tests each URL it pulled from Google, so you can skip any of them. When a parameter looks injectable you decide whether to go ahead, and once an injection is confirmed you control how it is exploited.
Using the many command line options you can put a vulnerable URL through its paces per the documentation (boolean-based, error-based, UNION, stacked-query and time-based tests, DBMS fingerprinting, etc).
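The step above is easiest to see when the filtering sqlmap does on the Google results is written out. The following script is an added example, not code from the original post and not part of sqlmap itself: it takes a constructed list of URLs (standing in for what a search engine indexed for yourdomain.com), keeps only in-scope URLs with GET parameters, collapses ones that differ only in parameter values or parameter order, writes the survivors to a file, and builds the sqlmap command line that scans that file with the bulk option (-m) and the test options mentioned above. The sample URLs, the host yourdomain.com and the file name targets.txt are assumptions for illustration; every sqlmap flag used is a real option.

```python
"""Added example (not from the original post, not sqlmap's own code).

sqlmap's -g mode does this filtering internally. Writing it out lets you
review the target list before handing it to sqlmap's -m (bulk file)
option. INDEXED_URLS, yourdomain.com and targets.txt are constructed
for illustration.
"""
import shlex
from urllib.parse import parse_qsl, urlsplit

# Constructed sample of what a search engine might have indexed for the site.
INDEXED_URLS = [
    "http://yourdomain.com/",
    "http://yourdomain.com/about.php",
    "http://yourdomain.com/news.php?id=12",
    "http://yourdomain.com/news.php?id=37",           # same injection point as above
    "http://yourdomain.com/news.php?id=37&page=2",    # extra parameter: new surface
    "http://yourdomain.com/search.php?q=test",
    "http://cdn.otherdomain.com/x.php?id=1",          # out of scope
    "http://yourdomain.com/news.php?page=2&id=5",     # same parameters, different order
    "http://YourDomain.com/login.php?next=%2Fadmin",  # host case differs only
    "not a url",
]


def injection_points(urls, scope_host):
    """Return one representative URL per (host, path, parameter-name set).

    Keeps only http(s) URLs on scope_host or one of its subdomains (what
    the site: operator covers) that carry a GET query string, and collapses
    URLs that differ only in parameter values or parameter order.
    """
    seen = {}
    for raw in urls:
        raw = raw.strip()
        parts = urlsplit(raw)
        host = (parts.hostname or "").lower()
        if parts.scheme not in ("http", "https") or not host:
            continue
        if host != scope_host and not host.endswith("." + scope_host):
            continue
        params = parse_qsl(parts.query, keep_blank_values=True)
        if not params:
            continue  # no GET parameter, nothing for this mode to inject into
        key = (host, parts.path, tuple(sorted(name for name, _ in params)))
        seen.setdefault(key, raw)  # first URL seen for this parameter set wins
    return list(seen.values())


def sqlmap_command(bulk_file, techniques="BEUST", level=3, risk=2):
    """Build the sqlmap argv for a bulk scan of the reviewed target list.

    All flags are real sqlmap options:
      -m            read targets from a file, one URL per line
      --batch       take the default answer to every prompt (unattended run)
      --technique   B boolean, E error, U UNION, S stacked queries, T time-based
      --level 3     also tests the User-Agent and Referer headers
      --risk 2      enables the heavier time-based payloads
      -f            fingerprint the back-end DBMS
    """
    return ["python", "sqlmap.py", "-m", bulk_file, "--batch",
            "--technique=" + techniques, "--level", str(level),
            "--risk", str(risk), "--random-agent", "-f"]


def write_targets(urls, scope_host, path):
    """Write the de-duplicated target list and return how many were written."""
    targets = injection_points(urls, scope_host)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(targets) + "\n")
    return len(targets)


if __name__ == "__main__":
    count = write_targets(INDEXED_URLS, "yourdomain.com", "targets.txt")
    print(f"{count} injection points written to targets.txt")
    print(shlex.join(sqlmap_command("targets.txt")))
```

Collapsing on parameter names is a heuristic: the same parameter with a different value can reach a different code path on the server, so keep the first URL of each set for the quick pass and revisit the discarded ones if coverage matters. Review the written file before running the printed command, since --batch will test every line without asking.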
In protecting the organizations that I work for, I have found this tool to be a great way to find vulnerabilities on target sites that are indexed by Google.
Note that this should not replace exhaustive testing where all traffic between the browser and the web server is proxied, logged and examined. There is obviously a large disparity between what Google finds or is allowed to find and what a site and its protected pieces may contain: pages behind a login, POST forms, and anything excluded by robots.txt or never linked will not show up in the index at all.
If you are looking for the lazy man's entry into exploitable areas of your web servers, look no further than sqlmap.
Now go report your SQL injection vulnerabilities and enjoy your weekend!