If you obtained a SQL Injection (SQLi) in your scan results with the Website Scanner or SQLi Scanner, you can use the SQLi Exploiter to validate the Attack Vector and obtain proof of concept for these findings.
You can specify which data to extract from the database by exploiting the SQL injection using the Enumeration options. The tool is purposely designed to extract only:
- Current user
- Current database
- Server hostname
The SQLi Exploiter can also perform light spidering (crawling) of the target website when you enable the Light Crawling option. This is not an extensive crawl, so we recommend pointing the scan as close as possible to the page you suspect is vulnerable.
The Advanced parameters are there in case you need to fine-tune the scan; in most cases, however, the tool works fine without modifying any of them.
There are some cases where you might need to modify the parameters:
- If the SQLi is behind a login page, you’ll need to open the Advanced Settings and paste the session cookie header. See here for how to get the session cookie.
- You might also need to increase the detection level if the scan doesn’t find what you expect. If you suspect your server can’t handle a very resource-intensive scan, either avoid a high detection risk level or run the scan during off-hours, because the heavy load might make your website unresponsive while the scan runs.
- If you know for sure which database you are using, you can select that specific option.
Here is an example of how to detect and validate an SQL injection using Pentest-Tools.com.
For this example, we will use our test application, www.pentest-ground.com/private-dev.
To identify the SQL injection with Pentest-Tools.com, we will perform a scan with either Website Scanner or SQL Injection Scanner. Make sure to also check this pentesting guide to learn more about performing in-depth scans and finding SQL injection vulnerabilities.
After performing an authenticated scan with Website Scanner on www.pentest-ground.com/private-dev, we obtain the following result:
The finding includes the Attack Vector, which we will exploit. By clicking the ‘Attack Target’ button on the right, we submit the vulnerable payload. A new tab opens with the following message:
The Attack Vector includes an identification key (the account number) and a URL-encoded quote that breaks out of the string in the SQL statement the application runs against the database.
The final step is to validate the SQL injection using SQLi Exploiter.
We need to enter the URL of the vulnerable page together with the target parameters. These can be taken from the results of the scanners mentioned above. We will use the Advanced options and add the session Cookie, as the target requires authentication.
The SQLi Exploiter supports both GET and POST parameters. The GET parameters will be extracted automatically from the target URL.
And here is the result:
The SQL injection is validated, and the tool has extracted details about the database, operating system, and server hostname.
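To make the mechanism behind the Attack Vector and the GET parameter extraction concrete, here is an added illustration that is not part of this page and not Pentest-Tools.com code. It assumes a hypothetical account lookup page backed by SQLite, a constructed URL (`https://example.test/account?id=...`) standing in for the scanner's attack vector, and a constructed two-row accounts table. It shows how the URL-encoded quote from the attack vector is decoded out of the query string, why the concatenated query fails (the same kind of database error the exploiter uses as proof that input reaches the SQL parser), and how the parameterized version treats the same quote as plain data.

```python
import sqlite3
from urllib.parse import urlparse, parse_qs

# Constructed sample data: a tiny in-memory "accounts" table standing in for the
# application's database (assumption: the vulnerable page looks accounts up by number).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (number TEXT PRIMARY KEY, owner TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)",
                     [("1001", "alice"), ("1002", "bob")])
    return conn

def extract_get_params(url):
    """Pull GET parameters out of a target URL the way the exploiter does automatically.
    parse_qs percent-decodes values, so %27 becomes a literal single quote."""
    query = urlparse(url).query
    return {name: values[0] for name, values in parse_qs(query, keep_blank_values=True).items()}

def lookup_vulnerable(conn, account):
    """Builds the statement by string concatenation: a quote in the parameter
    closes the string literal, so attacker-controlled text is parsed as SQL.
    With a lone trailing quote the statement no longer parses; the resulting
    database error is the observable proof that the input reaches the parser."""
    sql = "SELECT owner FROM accounts WHERE number = '" + account + "'"
    try:
        row = conn.execute(sql).fetchone()
        return ("ok", row[0] if row else None)
    except sqlite3.OperationalError as exc:
        # A defender would log this: SQL syntax errors caused by user input are
        # a strong signal of injection attempts against this endpoint.
        return ("sql_error", str(exc))

def lookup_safe(conn, account):
    """Parameterized query: the value is bound, never parsed, so a quote is just data."""
    row = conn.execute("SELECT owner FROM accounts WHERE number = ?", (account,)).fetchone()
    return ("ok", row[0] if row else None)

def demo():
    """Run a normal request and an attack-vector style request through both lookups."""
    conn = make_db()
    # Constructed URLs: a legitimate lookup and one carrying the URL-encoded quote (%27).
    normal = extract_get_params("https://example.test/account?id=1001")["id"]
    vector = extract_get_params("https://example.test/account?id=1001%27")["id"]
    return {
        "decoded_vector": vector,                       # "1001'"
        "vulnerable_normal": lookup_vulnerable(conn, normal),  # ("ok", "alice")
        "vulnerable_vector": lookup_vulnerable(conn, vector),  # ("sql_error", ...)
        "safe_normal": lookup_safe(conn, normal),              # ("ok", "alice")
        "safe_vector": lookup_safe(conn, vector),              # ("ok", None)
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The contrast in `demo()` is the whole point: the same decoded parameter produces a parser error in the concatenated query and an empty, harmless result in the bound query. Fixing the finding the exploiter validated means moving every query on the affected page to the parameterized form and, on the detection side, alerting on SQL syntax errors attributed to request parameters.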