Perform a Basic Scan on a GET Parameter with sqlmap


Introduction

In this lab, you will gain practical experience with sqlmap, an open-source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. Specifically, you will focus on performing a basic scan against a web application's GET parameter to identify potential SQL injection vulnerabilities. Understanding how to initiate a scan and interpret its initial output is a fundamental skill for anyone involved in web security or penetration testing. This lab will guide you through the necessary steps, from setting up a vulnerable environment to executing your first sqlmap command and analyzing the results.

Identify a Target URL with a GET Parameter

In this step, you will identify the target URL that contains a GET parameter, which sqlmap will use to test for SQL injection vulnerabilities. A GET parameter is typically found in the URL after a question mark (?), followed by key-value pairs separated by ampersands (&). For this lab, we have set up a simple vulnerable PHP application that takes an id parameter via GET.

First, open the web browser within the LabEx environment. You can access the browser by clicking on the "Web Browser" icon in the desktop environment.

Navigate to the following URL: http://localhost/index.php?id=1

Observe the page content. You should see a simple output indicating that the application is displaying data based on the id parameter. This confirms that the id parameter is a suitable target for our sqlmap scan.
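To see why an id parameter that is spliced into a query is a suitable target, here is an added Python stand-in for the lab's PHP page (example code, not the lab's own application), with the flawed lookup next to a hardened version. It assumes an in-memory SQLite table and uses the boolean-based true/false comparison that sqlmap's first tests are built on.

```python
import sqlite3

# Constructed in-memory stand-in for the lab's database (assumption: a
# small table keyed by an integer id, which is all index.php needs).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?)",
                     [(1, "alpha"), (2, "beta"), (3, "gamma")])
    return conn

def lookup_vulnerable(conn, user_id):
    """The flaw sqlmap detects: the raw GET value becomes part of the SQL."""
    query = f"SELECT name FROM items WHERE id = {user_id}"
    return [row[0] for row in conn.execute(query)]

def lookup_fixed(conn, user_id):
    """Hardened form: validate the type, then bind the value as a parameter."""
    try:
        id_value = int(user_id)
    except ValueError:
        return []          # anything that is not a plain integer is rejected
    return [row[0] for row in conn.execute(
        "SELECT name FROM items WHERE id = ?", (id_value,))]

def behaves_injectably(lookup, conn):
    """Boolean-based check in the spirit of sqlmap's first tests: if a true
    and a false condition appended to the same id produce different pages,
    the value was interpreted as SQL rather than treated as data."""
    baseline = lookup(conn, "1")
    true_case = lookup(conn, "1 AND 1=1")
    false_case = lookup(conn, "1 AND 1=2")
    return true_case == baseline and false_case != baseline

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", behaves_injectably(lookup_vulnerable, db))  # True
    print("fixed:     ", behaves_injectably(lookup_fixed, db))       # False
```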

Construct the Basic Scan Command with the -u Option

In this step, you will learn how to construct the basic sqlmap command to target a specific URL with a GET parameter. The primary option for specifying the target URL is -u (or --url).

Open a terminal in the LabEx environment. The default user is labex, and the default working directory is ~/project.

The basic syntax for sqlmap to scan a URL with a GET parameter is:

sqlmap -u "http://example.com/page.php?param=value"

Replace http://example.com/page.php?param=value with our target URL.

For our lab, the target URL is http://localhost/index.php?id=1. Therefore, the command you will use is:

sqlmap -u "http://localhost/index.php?id=1"

This command tells sqlmap to start scanning the specified URL and test the id GET parameter for SQL injection vulnerabilities.

Execute the Scan Against the Target URL

Now that you have constructed the sqlmap command, it's time to execute it in the terminal. This will initiate the automated SQL injection scan.

In your terminal, execute the sqlmap command you constructed in the previous step:

sqlmap -u "http://localhost/index.php?id=1"

sqlmap will begin sending various payloads to the id parameter to test for different types of SQL injection vulnerabilities. During the scan, sqlmap might ask you a few questions. For this basic scan, you can generally accept the default options by pressing Enter or typing y for yes when prompted.

For example, sqlmap might ask:
[INFO] the back-end DBMS is MySQL. Do you want to skip test payloads specific for other DBMSs? [Y/n]
Type Y and press Enter.

It might also ask:
for the URL 'http://localhost/index.php?id=1', parameter 'id' appears to be injectable. Do you want to keep testing others (if any)? [y/N]
Type N and press Enter to focus on the identified injectable parameter.

The scan will proceed, and you will see various messages indicating the progress and the tests being performed.

        _
       ___ ___ ___ ___
      |_ -| . | . | . |
      |___|_  |_  |_  |
            |_| |_| |_|   3.7#stable
[INFO] starting @ 12:34:56 /2023-01-01/
[INFO] testing connection to the target URL
[INFO] checking if the target is protected by some kind of WAF/IPS
[INFO] the back-end DBMS is MySQL. Do you want to skip test payloads specific for other DBMSs? [Y/n] Y
[INFO] for the URL 'http://localhost/index.php?id=1', parameter 'id' appears to be injectable. Do you want to keep testing others (if any)? [y/N] N
[INFO] GET parameter 'id' is vulnerable.
... (truncated output) ...
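The scan above is visible from the server side as a burst of requests carrying sqlmap's default User-Agent and SQL-shaped query strings. As an added example (not part of the lab), the following Python parses constructed Apache combined-format log lines, assumes the default "sqlmap/<version>" User-Agent form, and counts flagged requests per source address the way a simple detection rule would.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample log lines (not captured from the lab environment).
SAMPLE_LOG = """\
127.0.0.1 - - [01/Jan/2023:12:34:56 +0000] "GET /index.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
127.0.0.1 - - [01/Jan/2023:12:34:57 +0000] "GET /index.php?id=1 HTTP/1.1" 200 512 "-" "sqlmap/1.7#stable (https://sqlmap.org)"
127.0.0.1 - - [01/Jan/2023:12:34:57 +0000] "GET /index.php?id=1%20AND%201%3D1 HTTP/1.1" 200 512 "-" "sqlmap/1.7#stable (https://sqlmap.org)"
127.0.0.1 - - [01/Jan/2023:12:34:58 +0000] "GET /index.php?id=1%20AND%201%3D2 HTTP/1.1" 200 498 "-" "sqlmap/1.7#stable (https://sqlmap.org)"
10.0.0.5 - - [01/Jan/2023:12:35:01 +0000] "GET /index.php?id=2 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Apache combined log format: ip ident user [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')

# Indicators of automated injection probing in a decoded query string
# (boolean conditions, UNION probes, time-delay calls).
PAYLOAD_RE = re.compile(
    r"\b(AND|OR)\b\s+\d+\s*=\s*\d+|UNION\s+(ALL\s+)?SELECT|SLEEP\s*\(",
    re.IGNORECASE)

def classify(line):
    """Return (ip, reasons) for one log line; reasons lists the indicators
    that matched and is empty when nothing suspicious was seen."""
    m = LOG_RE.match(line)
    if not m:
        return None, ["unparsed"]
    reasons = []
    if m.group("ua").startswith("sqlmap/"):
        reasons.append("sqlmap user-agent")
    query = unquote_plus(m.group("path").partition("?")[2])
    if PAYLOAD_RE.search(query):
        reasons.append("sqli-style query string")
    return m.group("ip"), reasons

def summarize(log_text):
    """Count flagged requests per source IP and how often each indicator fired."""
    per_ip, indicators = Counter(), Counter()
    for line in log_text.splitlines():
        ip, reasons = classify(line)
        if ip and reasons:
            per_ip[ip] += 1
            indicators.update(reasons)
    return per_ip, indicators

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Changing the User-Agent is trivial for a scanner, so the query-string indicator is the more durable of the two signals.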

Analyze the Initial Scan Output for Injection Points

After the sqlmap scan completes, it will provide a summary of its findings. In this step, you will analyze the initial output to identify confirmed SQL injection points.

Review the output in your terminal. Look for lines that indicate sqlmap has found a vulnerable parameter. A key indicator is a message similar to:

[INFO] GET parameter 'id' is vulnerable.

This message confirms that sqlmap has successfully identified a SQL injection vulnerability in the id GET parameter of the target URL. The output will also typically show the type of injection found (e.g., Boolean-based blind, Error-based, Time-based blind, Stacked queries, etc.) and the back-end database management system (DBMS) identified (e.g., MySQL, PostgreSQL, etc.).

Understanding this initial output is crucial as it tells you where the vulnerability lies and what type of database you are dealing with, which can inform further exploitation steps.

... (previous output) ...
[INFO] GET parameter 'id' is vulnerable.
[INFO] the back-end DBMS is MySQL.
[INFO] fetched data:
[INFO] retrieved: 'ID: 1'
[INFO] retrieved: 'ID: 2'
... (truncated output) ...

Locate the Session File in the Output Directory

sqlmap automatically saves all scan results, including identified vulnerabilities, retrieved data, and session information, into a dedicated output directory. In this step, you will learn how to locate this session file.

By default, sqlmap stores its output in the ~/.sqlmap/output/ directory. Inside this directory, you will find subdirectories named after the target host.

Navigate to the sqlmap output directory:

cd ~/.sqlmap/output/localhost/

Then, list the contents of this directory to see the session files and other scan-related data:

ls -l

You should see a directory named after the specific URL or a hash of it, and inside that, files like session.sqlite, log, and potentially dump directories if data was extracted. The session.sqlite file contains the session data, which allows sqlmap to resume scans or review previous findings without re-scanning.

labex@labex-ubuntu:~/project$ cd ~/.sqlmap/output/localhost/
labex@labex-ubuntu:~/.sqlmap/output/localhost$ ls -l
total 12
drwxr-xr-x 2 labex labex 4096 Jan  1 12:35 http%3A%2F%2Flocalhost%2Findex.php%3Fid%3D1
labex@labex-ubuntu:~/.sqlmap/output/localhost$ cd http%3A%2F%2Flocalhost%2Findex.php%3Fid%3D1/
labex@labex-ubuntu:~/.sqlmap/output/localhost/http%3A%2F%2Flocalhost%2Findex.php%3Fid%3D1$ ls -l
total 12
-rw-r--r-- 1 labex labex 1234 Jan  1 12:35 log
-rw-r--r-- 1 labex labex 8192 Jan  1 12:35 session.sqlite

This step is important for understanding where sqlmap stores its persistent data, which is useful for reviewing past scans or continuing complex operations.

Summary

In this lab, you successfully performed a basic SQL injection scan on a GET parameter using sqlmap. You learned how to identify a target URL, construct the sqlmap command with the -u option, execute the scan, and interpret the initial output to confirm an injection point. Furthermore, you located the session file and output directory where sqlmap stores its results. This foundational knowledge is crucial for anyone looking to delve deeper into web application security testing and the capabilities of sqlmap.