Yesterday saw the launch of Sqlmap, an open source vulnerability testing tool that can automatically detect and exploit SQL injection flaws for the takeover of database servers. It’s a potentially valuable tool as developers, operations and DevOps move to leverage automation and protect web applications from the hive of scum and villainy that is the Internet.
A few data points on Sqlmap from the project’s site (emphasis theirs):
- Full support for MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, SQLite, Firebird, Sybase and SAP MaxDB database management systems.
- Full support for six SQL injection techniques: boolean-based blind, time-based blind, error-based, UNION query, stacked queries and out-of-band.
- Support to dump database tables entirely, a range of entries or specific columns as per user’s choice. The user can also choose to dump only a range of characters from each column’s entry.
- Support to download and upload any file from the database server underlying file system when the database software is MySQL, PostgreSQL or Microsoft SQL Server.
And so on. Sqlmap is available on Github, and there’s already a small community taking up the tool’s development.
A thread on Hacker News provides a lot of insight into when and where you might actually want to employ Sqlmap. The consensus: For most intrusion tests across a wide spectrum of web app attack avenues, the go-to is Burp Suite, which offers enhanced security testing automation (which most developers should be using anyway), and which auditors tend to use anyway.
But if you need to prove a vulnerability exists beyond a vague possibility and actually dump a database to prove the threat to colleagues or higher-ups. Otherwise, generally and on balance, as long as you’re fixing database exceptions and other bugs, the general agreement seems to be that an all-purpose intrusion testing tool is what’s called for.