by

Optimize SQLmap – Penetration Testing

Should we rely on SQLMAP for Pentest activities? How to Optimize SQLmap for Penetration Testing?

This question is always comes in my mind since i step in to the world of professional penetration tester. i have limited time to do penetration, and i have to test ALL of the requests for SQL injection vulnerability (please dont ever.. EVER.. ask me to do pentest in 3 hours). If i rely on SQLMAP to automate the tests, there must be a false negative result from SQLMAP. i am not saying that SQLMAP is not good enough. SQLMAP is a great (THE BEST) tool for testing SQL injection, but we have to optimize it to reduce the time and also to prevent false negative results.

Here is the SQL injection vulnerabilities published in 2016 and 2017 (source : https://www.cvedetails.com) :

Optimize SQLmap for Penetration Testing

Optimize SQLmap for Penetration Testing

From the above results, it was increased significantly. This is the highest number since 2011.

TLDR;

i was doing SQL injection testing manually against a website, and i found that the website is vulnerable to (Stacked Injection) SQL injection attack; I tested using Time Based payload (i got delay response from server). But when i tried to get more information against the website using SQLMAP, it said that the parameter was not vulnerable. The response captured as response code 500 and SQLmap put it to the negative result. After i google a while about response code in SQLmap, i found this issue on sqlmap github.

after doing some (a lot) of injections, i found the answer whats stamparm’s mean.

The 500 response of the server because i put stacked queries injection and put comment as a suffix to pass the next queries while the results from queries are needed to be processed in the next command (server backend). Thats why it always turn into 500. We need to do injection manually to make the response turned as normal pages before we pass it to the SQLMAP. When we found the normal pages, we can add the additional queries into the suffix parameter in the sqlmap to do the job.

So, its not a bad idea to learn SQL injection manually right?

Please Donate To Bitcoin Address: [[address]]

Donation of [[value]] BTC Received. Thank You.
[[error]]

Leave a Reply

Your email address will not be published. Required fields are marked *