2

While doing a test on my website, SQLMap deleted data in my database tables. Everything is corrupt.

What is a safe way of using this tool without touching other items on a live server? How do you use SQLMap on a live server?

Anders
nadya
    If possible, you should never pentest a live system because sometimes things get broken. Clone your system and test on the clone – Neil Smithline Apr 28 '16 at 05:18

3 Answers

2

Maybe you used the option --risk with a value higher than 1.

From the official doc:

The default value is 1 which is innocuous for the majority of SQL injection points. Risk value 2 adds to the default level the tests for heavy query time-based SQL injections and value 3 adds also OR-based SQL injection tests.

So if it's extremely necessary to run the scanner on prod, don't use a higher value for that option. [sqlmap uses --risk=1 by default, but it can be the case that a query is so malformed that it creates chaos in your database.]

official doc: https://github.com/sqlmapproject/sqlmap/wiki/Usage#risk

raziel
1

As @Neil said in his comment, you should not do pentests on production systems. If this is necessary for some reason, make sure that there are backups available...

Regarding SQLmap, read the documentation. There are more and less "secure" operations available. There is no guarantee though that the "secure" operations won't cause any troubles.

Lukas
0

The other answers are right, but one thing that wasn't mentioned is where you inject. If you inject on a statement that performs a DELETE, you risk deleting everything. Likewise, if you inject on an INSERT, you risk corrupting everything.

When performing assessments, care must be taken to understand the functionality before you attempt to exploit it. Not only does this help you in exploiting vulnerabilities, but it helps you write better recommendations on how to resolve the problem.

h4ckNinja
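As an added example (not from the question or any of the answers), here is the point of this answer and of the --risk answer above in runnable form: the same OR-based payload that sqlmap only sends at --risk=3 is harmless against a SELECT but empties the table when the injection point is a DELETE, while an AND-based payload of the kind sent at the default --risk=1 still deletes the one row the application would have deleted anyway. The table, its rows and the payload strings are constructed for the demo; it uses only Python's built-in sqlite3 module, so it runs offline.

```python
"""Why the statement you inject into matters as much as the payload.

Added example, not code from the question or any answer. The table, rows
and payload strings are constructed for the demo.
"""
import sqlite3

# Two payload shapes: an AND-based boolean test (the kind sqlmap sends at its
# default --risk=1) and an OR-based test (only sent at --risk=3).
AND_PAYLOAD = "1' AND '1'='1"
OR_PAYLOAD = "1' OR '1'='1"


def fresh_db():
    """Build an in-memory table with three constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO items (name) VALUES (?)",
                     [("alpha",), ("beta",), ("gamma",)])
    conn.commit()
    return conn


def row_count(conn):
    return conn.execute("SELECT COUNT(*) FROM items").fetchone()[0]


def vulnerable_select(conn, item_id):
    """Injectable SELECT: concatenates user input (deliberately vulnerable)."""
    sql = "SELECT id, name FROM items WHERE id = '" + item_id + "'"
    return conn.execute(sql).fetchall()


def vulnerable_delete(conn, item_id):
    """Injectable DELETE: the same flaw, but the statement is destructive."""
    sql = "DELETE FROM items WHERE id = '" + item_id + "'"
    conn.execute(sql)
    conn.commit()


def safe_delete(conn, item_id):
    """Parameterised DELETE: the payload is just an id that matches nothing."""
    conn.execute("DELETE FROM items WHERE id = ?", (item_id,))
    conn.commit()


def demo():
    """Run each payload against each statement and report the row counts."""
    results = {}

    conn = fresh_db()
    # OR-based payload on a SELECT: returns every row, but the table is untouched.
    results["select_or_rows_returned"] = len(vulnerable_select(conn, OR_PAYLOAD))
    results["rows_after_select"] = row_count(conn)

    # AND-based payload on a DELETE: still deletes, but only the one row
    # (id = 1) the application would have deleted anyway.
    vulnerable_delete(conn, AND_PAYLOAD)
    results["rows_after_and_delete"] = row_count(conn)

    # OR-based payload on the same DELETE: the WHERE clause is always true,
    # so every remaining row goes.
    vulnerable_delete(conn, OR_PAYLOAD)
    results["rows_after_or_delete"] = row_count(conn)

    # Same OR payload against the parameterised version: the whole string is
    # compared as one id value, matches nothing, and nothing is deleted.
    conn = fresh_db()
    safe_delete(conn, OR_PAYLOAD)
    results["rows_after_safe_delete"] = row_count(conn)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The counts line up with both answers: keeping sqlmap at its default --risk=1 keeps the OR-based tests out, but even the low-risk AND-based payload against a DELETE still removes a row, which is why understanding the injected statement, and testing a clone with a backup, is what actually keeps a live database intact.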