
I recently delivered a website to a client, and he claims that he can access the database and database tables using "Python and SQLMap binaries" tools on his server. The same copy of the website is set up on my development server, and he cannot access the database or tables using the same tools.

So, is there any server setting which is stopping him? If yes, then what setting do we have to make to stop hackers accessing the database using this tool?

Jonathan Leffler
Jose
  • SQLMap tells you what problems/exploits it found. You can just run it yourself (vs both servers) and compare. Well, maybe ask your client's consent first, or ask him for his results. And for completeness, check your country's law if you are allowed to use such tools. If you have problems fixing it, post the result (without the address of the actual site of course). Guessing which of the 1736123621636 possible problems it is is not very useful. – Solarflare Nov 16 '16 at 08:46
  • SQLMap is a SQL injection scanner. According to your client, your application is vulnerable to SQL injection, so this question is a duplicate of [this](http://stackoverflow.com/questions/7929364/python-best-practice-and-securest-to-connect-to-mysql-and-execute-queries) or [this](http://stackoverflow.com/questions/10950362/protecting-against-sql-injection-in-python) or [this](http://stackoverflow.com/questions/13613037/is-this-python-code-vulnerable-to-sql-injection-sqlite3) question. – Gabor Lengyel Nov 16 '16 at 09:10

1 Answer


SQLmap and other vulnerability scanners kind of crawl the website and use forms to make requests to the server to see the vulnerabilities. One way to fix this is to create a dummy login/signup form that has the body display set to none and has no links connected to it on the website. That means any normal user will not see it, but a crawler will. Now, any time a crawler submits the form, you log the crawler's IP address to a log file and let Fail2ban block them.

Junior
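The hidden-form technique from the answer above, as an added example that is not part of the original post: a stdlib-only WSGI handler that writes one fixed-format line per decoy submission, plus the Fail2ban `failregex` that bans the logged host. The route `/account/recover-legacy`, the log path `/var/log/honeypot.log` and the jail settings are assumptions, and the decoy only catches a crawler that submits the form; it does not remove an injection flaw in the real queries, which the links in the comments address.

```python
import re
from datetime import datetime, timezone
# Assumed names and paths: none of this comes from the site in the question or from Fail2ban's own files.
HONEYPOT_PATH = "/account/recover-legacy"   # the decoy form's action; no page links to it
HONEYPOT_LOG = "/var/log/honeypot.log"      # the file the Fail2ban jail watches

# Decoy form rendered into every page; a visitor never sees it, a crawler still submits it.
HONEYPOT_FORM_HTML = (f'<form method="post" action="{HONEYPOT_PATH}" style="display:none">'
                      '<input name="user"><input name="pass" type="password"><button>Login</button></form>')
# failregex for filter.d/honeypot.conf; Fail2ban expands <HOST> itself. Keys of a matching jail:
# [honeypot]  enabled = true  filter = honeypot  logpath = /var/log/honeypot.log  maxretry = 1
FAILREGEX = r"^.*honeypot form submitted from <HOST>$"

def client_ip(environ):
    """REMOTE_ADDR, or the first X-Forwarded-For hop when a trusted reverse proxy sets it (assumed)."""
    forwarded = environ.get("HTTP_X_FORWARDED_FOR", "")
    return forwarded.split(",")[0].strip() or environ.get("REMOTE_ADDR", "unknown")

def honeypot_log_line(ip, now=None):
    """One fixed-layout line per hit so the Fail2ban regex stays simple and unambiguous."""
    now = now or datetime.now(timezone.utc)
    return f"{now:%Y-%m-%d %H:%M:%S} honeypot form submitted from {ip}"

def make_app(log):
    """Build the WSGI app; `log` is called with each line, e.g. a writer appending to HONEYPOT_LOG."""
    def app(environ, start_response):
        if environ.get("PATH_INFO") == HONEYPOT_PATH and environ.get("REQUEST_METHOD") == "POST":
            log(honeypot_log_line(client_ip(environ)))
            # Reply like an ordinary broken form rather than revealing that the request was flagged.
            start_response("400 Bad Request", [("Content-Type", "text/plain")])
            return [b"Invalid request"]
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"Not found"]
    return app

def fail2ban_host(line):
    """Match a log line as Fail2ban would (<HOST> expanded to an IPv4 pattern); return the host to ban."""
    pattern = FAILREGEX.replace("<HOST>", r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})")
    match = re.match(pattern, line)
    return match.group("host") if match else None

def demo():
    """Offline run with two constructed requests: a scanner POSTing the decoy, then a normal GET."""
    hits, statuses = [], []
    app = make_app(hits.append)
    app({"REQUEST_METHOD": "POST", "PATH_INFO": HONEYPOT_PATH, "REMOTE_ADDR": "203.0.113.7"},
        lambda status, headers: statuses.append(status))
    app({"REQUEST_METHOD": "GET", "PATH_INFO": "/", "REMOTE_ADDR": "198.51.100.2"},
        lambda status, headers: statuses.append(status))
    return statuses, [fail2ban_host(h) for h in hits]
```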