
SQLMap

What is SQLMap?

SQLMap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. It is great for finding and exploiting SQL injection vulnerabilities: it sends SQL syntax to a running website and determines whether a flaw exists.

If a flaw (SQL Injection) is found, SQLmap could then exploit that flaw and extract information from the database.

In a DevSecOps environment, SQLmap is used to find and report on flaws, as software systems run through the staging or similar environments for testing.

Security Stage: DAST (Dynamic Analysis)
Type: Open source
Languages: Many
Site: https://sqlmap.org/

Pre-requisite

1. You'll need a URL to scan
2. You'll need to configure endpoints and sample inputs

How do I set it up?

To add SQLMap into the Uleska Platform, there are 3 main steps:

  1. Configure a dynamic testing stage version for your application
  2. Enhance that version with further information on your running application
  3. Add the SQLMap tool into your application and version toolkit

1. Configure a dynamic testing stage version for your application

Your version configuration will be set up for dynamic testing. Go to the dynamic documentation page to see how to set this up for any dynamic testing.

2. Enhance that version with further information on your running application

SQLMap works by sending requests to the website that will pass information into the site for processing against a database. Common examples of this might be where the website receives data in a form, such as a name, or an address.

Therefore, to run SQLMap, some preparation work is needed. When penetration testers use SQLMap manually against a running system, they first spider the website, or build a list of URLs for the website that pass information (e.g. POST or PUT requests, or GET requests with parameters). If a request does not pass information into the web application, there is not much SQLMap can do with it.

In a DevSecOps environment with the Uleska Platform, the list of URLs to be used can be populated in two ways:

  1. Using Burp Spider (Crawler)

    1. You can manually use the BurpSuite product to act as a proxy and access your website. In this mode, you can activate its crawler function to scan the site and learn all the URLs that are used. This can be simple, or there can be an art to it, depending on the website. For more information see https://portswigger.net/burp/documentation/scanner/crawling
    2. When the BurpSuite crawler has finished, you can save the crawl output as a file. To do this, click on the 'Target' tab in BurpSuite, right-click on the URL you are going to test and select 'Save Selected Items'.

    SQLMap_BurpSaveURLS

    • Give this file a name (doesn't matter about the file type) and save the file.
    • In the Uleska Platform, edit the version of the stage you wish to add SQLMap testing to, and click on the 'Import' tab.
    • Browse to the file where you saved the BurpSuite spider, select it, and click 'Upload'

    SQLMap Import

    • This will have the effect of importing the various URLs from your crawl of the website and adding them into the Uleska setup for your application. It will fill in the following fields, which can be passed to SQLMap to allow it to replace inputs with SQL injection syntax:
      • The URL path for the resource (for GET requests this will include parameters)
      • Data attributes that are passed
      • Verbs that are supported (GET, POST, PUT, etc.)
      • A 'Body Template' which indicates the body content passed (e.g. POST text, JSON, etc.)

SQLMap Data Attributes

  2. Adding URLs Through the UI (or API)
    1. At any point (with or without a crawl/spider) you can add dynamic URLs/resources into the 'Web Pages' tab. To do this you click the 'Edit' icon for your version (stage) and choose the 'Web Pages' tab. Here you can enter web resources as follows:
      1. Path: add the path to the entry. This will be the path of the URI (i.e. after the domain name portion - so for https://www.example.com/accounts/addentry/ the path would be '/accounts/addentry/' )
      2. Description: Add a description for your resource
      3. Affected Assets: Here you can specify types of information affected by that resource, such as PII, Financial, or Health data. This affects the risk calculations for your application issues.
      4. Data Attributes: Enumerate the data attribute names that can be passed (and manipulated by SQLMap)
      5. Accessible Verbs: Set what type of HTTP requests can access the resource, e.g. GET, POST, PUT, etc.
      6. Content - Body Template: For POST or PUT requests, you can specify input formats and tags where enumerated Data Attributes can be placed. This lets the Uleska Platform and SQLMap know where to substitute SQL syntax for data attribute values. For example, if your login page used the format "inputPassword=<<inputPassword>>&inputName=<<inputName>>", this lets the tools know where to substitute.

3. Add the SQLMap tool into your application and version toolkit

With the dynamic version configured and 'Web Pages' described, the Uleska Platform is now set up to allow any project to be dynamically tested with your SQLMap tool. Let's show you how to set up your applications and versions to run this.

To enable the SQLMap tool for the stage scanning,

  • Go to the 'Test Tools' tab and click 'Add Tool' for the 'SQLMap' tool.

SQLMapSetup

  • To configure elements of the SQLMap tool itself, click on the blue cog to specify settings:
    • User-Agent: If your website requires a certain user-agent header in the requests, you can set it here for the SQLMap tool to use.
    • Level: Level (depth) of tests to run, value between 1 and 5.
    • Risk: Level of risk (i.e. how dangerous) the SQL injection requests will be, number between 1 and 3.
    • Connection: You do not need to specify a connection for SQLMap.
  • Click Save.
  • Click Save.

Now any time you click 'Test Now' for that application stage of testing, or make a request over the Uleska API or CLI for that stage, the SQLMap tool will be included in the test run, which will start a security scan of the URL for the configured version. Any results are added to your vulnerabilities list.

Notes

Not all options available on the SQLMap command line are currently supported. The Uleska Platform adaptor for SQLMap will use the tool to find areas of the target that are vulnerable to SQL injection, and report those issues back. It will not attempt to enumerate the database, or exploit it in any way.

We do not currently support setting a proxy, using Tor, or forcing DBMS limitations. Please contact Uleska for more details, or to request support for additional SQLMap flags.