What is SQL Injection?
If you have no idea what SQL Injection is: it is basically a very popular method which allows us to run queries on the target database by sending input that the application pastes into its own SQL. The things that can be accomplished with SQL Injection are numerous; for more info visit the OWASP doc from here.
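To make the mechanism concrete before moving on to the tools, here is an added example (not from the original post) that shows the flaw and its standard fix side by side: a lookup that pastes a GET parameter into the query text, next to the same lookup using a bound parameter, which is the fix OWASP recommends. The in-memory SQLite table and the inputs are constructed for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed sample data: a tiny in-memory users table standing in for the target db."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """Vulnerable: the GET parameter is spliced into the SQL text, so a quote in the
    input ends the string literal and the rest of the input becomes part of the query."""
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, username):
    """Hardened: the value travels as a bound parameter. The database engine never
    parses it as SQL, whatever characters it contains."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


if __name__ == "__main__":
    conn = make_db()
    benign = "alice"
    # Constructed test input: an unbalanced quote followed by an always-true condition.
    tautology = "x' OR '1'='1"
    print(lookup_vulnerable(conn, benign))      # only alice
    print(lookup_vulnerable(conn, tautology))   # every row in the table
    print(lookup_safe(conn, tautology))         # nothing: treated as a literal username
```

The vulnerable version is exactly what a scanner is probing for when it appends a quote to a parameter and watches for an error or a changed response; the parameterized version answers the same probe with an empty result, which is why it is the fix rather than input filtering.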
What is Owasp-zap and How to Search for SQL Injection Vulnerabilities?
Owasp-zap is a powerful tool for finding web app vulns. It has a simple yet powerful UI for beginners. It's usually bundled with pentest OSes like Kali Linux and Parrot. If you are not using any of them you can manually download it from here.
Start owasp-zap.
[Screenshot: Owasp-zap Quick Start]
The Spider will start to crawl all the links that can be reached from the site:
Then the active scan will start looking for vulnerabilities on those links (this one can take a while).
[Screenshot: Owasp-zap Active Scan]
In this post I will cover SQL Injection with GET requests, so we will look for vulns in GET requests.
If you scanned a site with a SQL injection vuln you should see flags like this in the Alerts tab.
Select one of the GET requests and copy the URL. Owasp-zap tells us SQL injection may be possible; now it's time to test it. Note: when you click the request, the right pane fills with information and you can see the flagged parameter there. Remove the other parameters from the URL for better results in Sqlmap.
Sqlmap is a tool which helps us test possibly vulnerable links. It's also bundled with pentest OSes. You can manually download it from here.
Start sqlmap from the terminal with the sqlmap -u "URLHERE" command.
It will scan the link and show you the vulns if there are any. If you find a vuln you can test what you can accomplish with it.
[Screenshot: Sqlmap Found Vuln]
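From the other side of the wire, a scan like the one above leaves a recognisable trail in the web server's access log. The following is an added example (not part of the original post) of the detection logic a defender would run over such a log: it parses combined-format lines, flags the scanner's default User-Agent, and flags query-string parameters whose decoded value contains SQL metacharacters or keywords. The log lines and the exact agent string are constructed for the example; sqlmap's real default agent begins with "sqlmap/" followed by its version.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Apache/nginx "combined" log format: ip ident user [ts] "METHOD path proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Tokens that rarely belong in a legitimate parameter value. Quotes alone are noisy
# (see the O'Brien line below), so treat a single hit as a lead, not a verdict.
SUSPICIOUS = re.compile(
    r"""('|"|--|/\*|\bUNION\b|\bSELECT\b|\bSLEEP\s*\(|\bBENCHMARK\s*\()""", re.IGNORECASE
)

# Constructed sample log: one benign request, one scanner probe, one hand-crafted
# UNION probe with a browser agent, and one legitimate value containing an apostrophe.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /item.php?id=42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /item.php?id=42%27 HTTP/1.1" 500 0 "-" '
    '"sqlmap/1.7#stable (https://sqlmap.org)"',
    '198.51.100.9 - - [10/Oct/2023:13:56:02 +0000] "GET /item.php?id=42+UNION+SELECT+1,2,3 HTTP/1.1" 200 777 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Oct/2023:13:56:30 +0000] "GET /search.php?q=O%27Brien HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not in combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_indicators(entry):
    """List the reasons a parsed request looks like SQL injection probing (empty if none)."""
    reasons = []
    if "sqlmap" in entry["ua"].lower():
        reasons.append("user-agent:sqlmap")
    # parse_qsl percent-decodes values and turns '+' into spaces, so encoded quotes
    # and keywords are inspected in their decoded form.
    for name, value in parse_qsl(urlsplit(entry["path"]).query, keep_blank_values=True):
        if SUSPICIOUS.search(value):
            reasons.append(f"param:{name}")
    return reasons


def scan_log(lines):
    """Return (ip, path, reasons) for every parseable line that carries an indicator."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = find_indicators(entry)
        if reasons:
            hits.append((entry["ip"], entry["path"], reasons))
    return hits


if __name__ == "__main__":
    for ip, path, reasons in scan_log(SAMPLE_LOG):
        print(ip, path, ", ".join(reasons))
```

The User-Agent check catches the default configuration only, since the agent string is client-controlled and trivially changed, so the parameter check is the one worth keeping; in practice you would rank hosts by the number of distinct flagged values they send to one endpoint in a short window, which separates a scan from the single apostrophe in a real surname.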
After you have found the vuln you can use the sqlmap -u "URL" --dbs command to list the dbs on the server which you can access through this vuln. You can list the tables in a db with the sqlmap -u "URL" --tables -D database_name command. You can list the column names in a table with the sqlmap -u "URL" --columns -D database_name -T table_name command.
You can get the data in this table with the sqlmap -u "URL" --dump -D database_name -T table_name command.
If you have trouble dumping the data (an empty table, for instance) you can try the --no-cast parameter or the --hex parameter. Using threads can also cause errors on the data dump.
If you have any questions feel free to ask them. Hope you liked this post :)