SqlMap is very powerful tool for Automated Sql Injection testing for Web Application/API (SOAP/REST). This blog describes the procedure to get started with testing
SqlMap & Python Installation:
1.Download Python 2.7.16.
2.Goto https://www.python.org/downloads/release/python-2716/
3.Choose Windows x86-64 MSI installer option for Windows Installation
4.Add the folder where Python is installed in Path (Environment variable). e.g. If Python is installed in C:\Python27 then add this path in Path Variable in Windows
5.Download the .Zip version of SQLMap from http://sqlmap.org/
6.Extract in any folder in any Drive (e.g. D:\sqlmapproject)
Preparation of Test Data:
Here we are going to test Sql Injection in url http://testphp.vulnweb.com/listproducts.php?cat=1
1.Open Chrome Browser
2.Open Postman extension in Chrome. Install from Chrome Web Store if Postman is not installed
3.Hit the url mentioned above using GET request
4.Click on the Right Side of Postman in Link "Code"
5,Choose Http Option.
6.Copy the content & paste in a text file (e.g. attack.txt)
Sql Injection Testing:
1.Open Windows Command prompt
2.Navigate to the folder where SqlMap is extracted (D:\sqlmapproject)
3.Copy the attack.txt in D:\sqlmapproject
4.Run below command. adding --flush-session --fresh-queries will enable to execute the test cases freshly; else the old cached data will be shown in command prompt.
python sqlmap.py -r attack.txt --dbs --flush-session --fresh-queries
This will run all the sql injection test cases automatically & provide the output
Using the same way REST/SOAP API can be tested
Notes: In Windows 10, you might get an error Python not installed & need to install from Microsoft Store. In that case, declare the Python installation path at the top as below:
No comments:
Post a Comment