LabEx
Log InJoin Free

Discover Injection Points by Crawling a Website with sqlmap

Kali LinuxBeginner
Practice Now

Introduction

SQL injection is a common web vulnerability that allows attackers to interfere with the queries that an application makes to its database. sqlmap is an open-source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers.

While sqlmap is primarily known for its injection testing capabilities, it also includes powerful features for discovering potential injection points by crawling a target website. This is particularly useful when you don't have a specific URL or parameter in mind, and you want sqlmap to explore the site and identify all possible entry points for injection.

In this lab, you will learn how to leverage sqlmap's crawling functionality to automatically discover URLs and forms on a target website, and then test them for SQL injection vulnerabilities. You will identify a root URL, use the --crawl flag, set the crawling depth, execute the operation, and finally review the discovered injection points.

Identify a Root URL for the Target Website

In this step, you will identify the root URL of the target website that sqlmap will start crawling from. This is the entry point for sqlmap to begin discovering links and forms. For this lab, we will use a simple web server running locally.

First, let's ensure the web server is running and accessible. You can use curl to check if the server responds.

curl http://127.0.0.1:8000

You should see some HTML output, indicating the server is active. The root URL for our target website will be http://127.0.0.1:8000.

Next, we will use this URL as the starting point for sqlmap.

Use the --crawl Flag to Discover Links and Forms

In this step, you will learn how to use the --crawl flag with sqlmap. This flag instructs sqlmap to crawl the target website and discover new URLs and forms to test for SQL injection vulnerabilities. Without this flag, sqlmap would only test the explicitly provided URL.

The basic syntax for using --crawl is:

sqlmap -u < target_url > --crawl

Let's try running sqlmap with the --crawl flag on our target URL. This command will start the crawling process.

sqlmap -u http://127.0.0.1:8000 --crawl

You will see sqlmap starting to crawl the website, identifying links and forms. It will ask you a few questions during the process. For the purpose of this lab, you can generally accept the default options by pressing Enter or typing y when prompted.

For example, when asked "do you want to keep the results in a CSV file?", you can type n and press Enter. When asked "do you want to test for other common vulnerabilities?", you can type n and press Enter.

Set the Crawling Depth with --crawl-depth=2

In this step, you will refine the crawling process by setting a specific crawling depth using the --crawl-depth flag. The crawling depth determines how many levels deep sqlmap will go when discovering new URLs. A depth of 1 means it will only visit links directly from the initial URL. A depth of 2 means it will visit links from the initial URL, and then links from those newly discovered pages, and so on.

For our small target website, a depth of 2 will be sufficient to discover all available pages.

The syntax for setting the crawling depth is:

sqlmap -u <target_url> --crawl --crawl-depth=<depth_value>

Let's execute sqlmap again, this time specifying a crawling depth of 2.

sqlmap -u http://127.0.0.1:8000 --crawl --crawl-depth=2

Observe how sqlmap's output changes, potentially discovering more links or forms as it goes deeper into the site structure. Again, you can accept default prompts by pressing Enter or typing n for additional tests.

Execute the Crawl and Test Operation

In this step, you will execute the full crawl and test operation. While the previous steps demonstrated the crawling flags, sqlmap by default will also attempt to test for injection points on the discovered URLs. To make the testing more explicit and to ensure sqlmap performs a thorough check, we can add the --batch flag to automate responses to prompts and the --forms flag to specifically target forms.

The --batch flag tells sqlmap to run in non-interactive mode, accepting default answers for all prompts. This is useful for automation. The --forms flag specifically instructs sqlmap to parse and test HTML forms on the target.

Let's combine these flags with our previous command:

sqlmap -u http://127.0.0.1:8000 --crawl --crawl-depth=2 --batch --forms

This command will:

  1. Start crawling from http://127.0.0.1:8000.
  2. Go two levels deep (--crawl-depth=2).
  3. Automatically answer prompts with default values (--batch).
  4. Specifically look for and test HTML forms (--forms).

Observe the output. sqlmap will list the URLs it discovers and the parameters it tests. It will also indicate if it finds any potential injection points.

Review the Discovered URLs and Potential Injection Points

In this final step, you will review the output from sqlmap to understand what URLs and forms were discovered and if any potential injection points were identified.

After sqlmap completes its execution, it will provide a summary of its findings. Look for lines indicating "parameter is vulnerable" or similar messages.

Even if sqlmap doesn't find a confirmed SQL injection vulnerability (which is expected for our simple dummy site), it will still show you the URLs and parameters it tested. This information is crucial for manual analysis or further automated testing.

Example output snippets you might see:

...
[INFO] retrieved new form: 'http://127.0.0.1:8000/search.php' (GET)
...
[INFO] testing GET parameter 'id'
...
[INFO] testing GET parameter 'param'
...
[INFO] testing GET parameter 'query'
...

The key takeaway is that sqlmap successfully crawled the site, identified index.php, page.php, and search.php (via the form), and then proceeded to test their respective parameters (id, name, param, query). This demonstrates the power of sqlmap's crawling feature in automatically mapping out a target application's attack surface.

You can also check the sqlmap log files (usually in ~/.sqlmap/output/) for a more detailed report, though for this lab, the console output is sufficient.

Summary

In this lab, you successfully learned how to use sqlmap's powerful crawling capabilities to discover potential SQL injection points on a target website. You started by identifying a root URL, then used the --crawl flag to instruct sqlmap to explore the site. You further refined the crawling process by setting a specific depth with --crawl-depth. Finally, you executed a comprehensive crawl and test operation using --batch and --forms to automate the process and specifically target forms.

By completing this lab, you now understand how to:

  • Identify a starting URL for sqlmap's crawling.
  • Utilize the --crawl flag to discover links and forms.
  • Control the crawling depth with --crawl-depth.
  • Execute an automated crawl and test operation with --batch and --forms.
  • Interpret sqlmap's output to identify discovered URLs, parameters, and potential injection points.

This skill is fundamental for reconnaissance in web penetration testing, allowing you to efficiently map out the attack surface of a web application before attempting to exploit specific vulnerabilities.

Related Kali Linux Courses
Kali Linux for Beginners

Kali Linux for Beginners

cybersecuritykalilinux
Kali Server Exploitation in Action

Kali Server Exploitation in Action

cybersecuritykalilinux