Either you haven't gone through the SQLMap docs yet, or you haven't read the StackExchange docs on how clear a question needs to be before you post it. Either way, I am going to give you the basics:
- It doesn't matter whether the fakesite you are referring to is fake, as long as there is an input validation vulnerability.
- On the fakesite, 'ref' is called a parameter. If this parameter isn't protected by parameterized SQL queries, it could be prone to SQL injection; it's hard to say without testing the real scenario.
- REALSITE is a value for the 'ref' parameter. What basically happens is that you provide dummy special characters or test conditions to this parameter to detect the presence of SQL injection.
This is a very high-level, basic overview. SQLMap works the same way. Since the testing is limited to the original test suite's parameters, which in this case happens to be 'ref', the constraints will be limited to 'FAKESITE' from your perspective. The REALSITE which is referred to will not be auto-scanned unless it is fed into SQLMap.
To scan the site which you want to test for MS-SQL injection (since it's ASP) via SQLMap, one would do:

```
sqlmap.py -u "http://wwww.testsite.com/index.asp?ref=REALSITE" --dbs --threads=10 --risk=3 --level=5
```

Here:
- `sqlmap.py` is the program.
- `-u` is a sqlmap switch which represents direct URL feed.
- `http://wwww.testsite.com/index.asp?ref=REALSITE` is the test site to be tested.
- `ref` is the parameter which SQLMap automatically parses and detects. `ref` is also the parameter where SQLMap will inject its payloads.
- payloads are test conditions or special characters via which the application generates abnormal outputs, so that SQLMap can detect these and hence know the presence of SQL injection by comparing the original request to the special requests (the ones with payloads).
- `--threads=10` is the processing power. 10 is maximum, none is normal.
NOTE: you need not enter risk and level, as they are for in-depth scans. Just a side note on it.
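The comparison described in the answer (original request versus requests carrying test conditions), shown as an added example that is not part of the original answer and is not sqlmap's code: it runs against a string-concatenated lookup of `ref` and against the parameterized form that protects it. The in-memory sqlite3 table stands in for the MS-SQL backend, and the table, column and function names are hypothetical.

```python
import sqlite3

def make_db():
    # Constructed sample data; sqlite3 is an assumption standing in for MS-SQL.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE referrers (name TEXT, landing TEXT)")
    db.executemany("INSERT INTO referrers VALUES (?, ?)",
                   [("REALSITE", "/welcome"), ("OTHERSITE", "/promo")])
    return db

def lookup_concat(db, ref):
    # Vulnerable form: the 'ref' value becomes part of the SQL text itself.
    sql = "SELECT landing FROM referrers WHERE name = '" + ref + "'"
    try:
        return sorted(row[0] for row in db.execute(sql))
    except sqlite3.Error as exc:
        # A database error surfacing in the response is the "abnormal output".
        return ["error: " + type(exc).__name__]

def lookup_param(db, ref):
    # Hardened form: 'ref' is bound as data and never parsed as SQL.
    sql = "SELECT landing FROM referrers WHERE name = ?"
    return sorted(row[0] for row in db.execute(sql, (ref,)))

def looks_injectable(lookup, db, ref):
    # Compare the original response with an always-true and an always-false
    # test condition appended to the parameter value.
    original = lookup(db, ref)
    true_case = lookup(db, ref + "' AND '1'='1")
    false_case = lookup(db, ref + "' AND '1'='2")
    # If the conditions were evaluated as SQL, the true case matches the
    # original and the false case does not. Bound as data, both cases are
    # just unknown names and differ from the original in the same way.
    return true_case == original and false_case != original

if __name__ == "__main__":
    db = make_db()
    print("concatenated:", looks_injectable(lookup_concat, db, "REALSITE"))
    print("parameterized:", looks_injectable(lookup_param, db, "REALSITE"))
```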