
I'm learning about net security and how to deal with SQLmap. A friend made some demo web pages on his server to test SQLmap. One of the pages is a fake phishing site with a reference to a real site (index.asp?ref=REALSITE).

If I scan the fake phishing site with the referrer parameter, would I inadvertently scan the site which is referred to?

Vilican
New123

2 Answers

Either you haven't gone through the SQLmap docs yet or you haven't read the clarity for questions which you need to post in the Stack Exchange docs. Either way, I am going to drop the basics for you:

  1. The fake site you are referring to: it doesn't matter if it's fake as long as there is an Input Validation vulnerability.
  2. The fake site's 'ref' is called a parameter. If this parameter isn't protected by parameterized SQL queries, it could be prone to SQL Injections - it's hard to say without testing the real scenario.
  3. REALSITE is a value for the 'ref' parameter. What basically happens is you provide dummy special characters or test conditions to this parameter to detect the presence of SQL Injections.

This is a very high-level basic overview. SQLMap works the same way. Since the testing would only be limited to the original test suite's parameters, which in this case happens to be 'ref', the constraints will be limited to 'FAKESITE' from your perspective. The REALSITE which is referred to shall not be auto-scanned if not fed into SQLMAP.

To scan via SQLMAP the site which you want to test for MS-SQL Injections (since it's ASP), one would do:

sqlmap.py -u http://www.testsite.com/index.asp?ref=REALSITE --dbs --threads=10 --risk=5 --level=5

Here:

sqlmap.py is the program.

-u is a sqlmap switch which represents direct URL feed.

http://www.testsite.com/index.asp?ref=REALSITE is the test site to be tested.

ref is the parameter which SQLMAP automatically parses and detects.

Also, ref is the parameter where SQLMAP will inject its payloads.

payloads are test conditions or special characters via which the application generates abnormal outputs, so that SQLMAP can detect these and hence know of the presence of SQL Injection by comparing the original request to the special requests (the ones with payloads).

--threads=10 is the processing power. 10 is the maximum; none is normal.

NOTE: you need not enter risk and level as they are for in-depth scans. Just a side note on it.

Shritam Bhowmick
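The answer's point 2 (a 'ref' parameter that is, or is not, protected by a parameterized query) and its description of payloads producing "abnormal outputs" can be seen in a few lines. The following is an added example, not code from the question or either answer: it models the fake site's index.asp lookup against an in-memory SQLite table (a constructed stand-in for the ASP page's MS-SQL back end), once with the 'ref' value concatenated into the SQL and once bound as a parameter, and reports how each version reacts to a value carrying a single stray quote. Table contents, the `probe` helper and the `lookup_*` names are all assumptions made for this demo.

```python
# Added example (not from the question or answers): the 'ref' lookup behind
# index.asp, modelled in SQLite. lookup_unsafe() concatenates the parameter
# value into the query (the Input Validation flaw the answer describes);
# lookup_safe() binds it as a parameter. probe() summarises the page's
# reaction, which is the kind of signal SQLmap compares across requests.
import sqlite3


def make_db():
    """In-memory table standing in for the ASP page's back end (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE referrers (ref TEXT, target_url TEXT)")
    conn.execute("INSERT INTO referrers VALUES ('REALSITE', 'https://example.com/')")
    conn.commit()
    return conn


def lookup_unsafe(conn, ref):
    """String concatenation: whatever is in 'ref' becomes part of the SQL text."""
    sql = "SELECT target_url FROM referrers WHERE ref = '" + ref + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, ref):
    """Parameterized query: the value is bound by the driver and never parsed as SQL."""
    sql = "SELECT target_url FROM referrers WHERE ref = ?"
    return [row[0] for row in conn.execute(sql, (ref,))]


def probe(conn, lookup, ref):
    """Tag describing the page's reaction: a row count, or the error class it raised."""
    try:
        rows = lookup(conn, ref)
    except sqlite3.Error as exc:
        return "error:" + type(exc).__name__
    return "rows:%d" % len(rows)


if __name__ == "__main__":
    conn = make_db()
    # A normal value and the same value with one extra quote, the simplest
    # "special character" a test would append to the parameter.
    for ref in ("REALSITE", "REALSITE'"):
        print("%-10s unsafe=%-24s safe=%s" % (ref,
              probe(conn, lookup_unsafe, ref), probe(conn, lookup_safe, ref)))
```

The concatenated version answers the quoted value with a database error (the abnormal output a tester looks for), while the parameterized version simply finds no matching row; in neither case is anything sent to REALSITE, which only ever exists as a string in the table and the query.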

The answer is no.

SQLmap is not a vulnerability scanner. It is an SQL detection and exploitation tool.

The only thing it will do is find out if the parameter "ref" is vulnerable by replacing the original content (the URL of 'REALSITE') with some payloads.

Then it will try to analyse the response from the webserver and apply some heuristics in order to determine whether the parameter is vulnerable or not.

Vilican
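Both answers make the same point: the only server contacted is the one in the URL, and REALSITE only appears as a value that gets replaced by payloads. From the server owner's side that replacement is exactly what shows up in the access log, so here is an added example (not from either answer) of spotting it: it parses a few constructed IIS W3C-format log lines for the ASP page and flags requests whose decoded 'ref' value contains SQL metacharacters or whose User-Agent is sqlmap's default. The log lines, IP addresses, the `#Fields:` layout chosen and the rule names are all assumptions made for this demo.

```python
# Added example (not from the answers): detection over constructed IIS W3C
# log lines for index.asp. Two traces of a run like the one in the question
# are checked: the 'ref' value no longer being a plain site name, and the
# sqlmap User-Agent. IIS writes fields space-separated and encodes spaces
# inside a field as '+', so a plain split() recovers the columns.
import re
from urllib.parse import parse_qs

# Constructed sample log; the host of these requests is the fake site, and
# REALSITE is never more than a query-string value here.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2015-03-01 10:00:01 GET /index.asp ref=REALSITE 203.0.113.5 Mozilla/5.0 200
2015-03-01 10:00:02 GET /index.asp ref=REALSITE%27 203.0.113.9 sqlmap/1.0-dev+(http://sqlmap.org) 500
2015-03-01 10:00:03 GET /index.asp ref=REALSITE%27%29 203.0.113.9 sqlmap/1.0-dev+(http://sqlmap.org) 200
2015-03-01 10:00:04 GET /index.asp ref=OTHERSITE 198.51.100.7 Mozilla/5.0 200
"""

# Characters a site name never needs but an injection test almost always has.
SPECIAL = re.compile(r"""['"();]|--|/\*""")


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed line: skip rather than misalign columns
        yield dict(zip(fields, values))


def ref_value(query):
    """Decoded value of the 'ref' parameter, or None if the request has none."""
    vals = parse_qs(query, keep_blank_values=True).get("ref")
    return vals[0] if vals else None


def classify(entry):
    """Reasons this request looks like injection testing of 'ref'; empty if benign."""
    reasons = []
    ref = ref_value(entry.get("cs-uri-query", ""))
    if ref is not None and SPECIAL.search(ref):
        reasons.append("ref:special-chars")
    if entry.get("cs(User-Agent)", "").lower().startswith("sqlmap"):
        reasons.append("ua:sqlmap")
    # A server error on a tampered request is the "abnormal output" the tool
    # is hoping for, so note it, but only alongside another indicator.
    if reasons and entry.get("sc-status") == "500":
        reasons.append("status:500")
    return reasons


def scan_log(text):
    """Return one finding per suspicious request, in log order."""
    findings = []
    for entry in parse_w3c(text):
        reasons = classify(entry)
        if reasons:
            findings.append({"time": entry["time"], "client": entry["c-ip"],
                             "ref": ref_value(entry["cs-uri-query"]),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["time"], f["client"], repr(f["ref"]), ", ".join(f["reasons"]))
```

The User-Agent rule is the weak one (it is trivially changed with sqlmap's own options), so the 'ref' rule carries the weight: legitimate values of this parameter are site names, and a quote or parenthesis in one is a tampered request by definition. Counting findings per client IP rather than per line gives the operator the "who, when, how many requests" summary that matters when the scan was not, as here, a friend's sanctioned test.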