Successful SQL injection attempts can cause an attacker to not only steal data from a database, but also modify and/or delete it. Certain SQL Servers may also contain Stored and Extended Procedures (database server functions). If an attacker can obtain access to these Procedures it may be possible to compromise the entire system and through it, access other systems on the network.

Testing for SQL injection vulnerabilities is often a tedious and labor intensive process. Sqlmap is a powerful tool that aid in this test process. Currently at version 0.7 release candidate 1, sqlmap is a command-line automatic SQL Injection tool developed in python.

Its goal is to detect and take advantage of SQL injection vulnerabilities in web applications. Once it detects one or more SQL injections on the target host, the user can choose among a variety of options to retrieve remote DBMS databases, user names, tables, columns, enumerate entire DBMS, read system files and much more taking advantage of web application programming security flaws that lead to SQL injection vulnerabilities.

sqlmap implements multiple techniques to attempt and exploit a SQL injection vulnerability. Inferential blind SQL injection, also known as boolean based blind SQL injection, UNION query (inband) SQL injection, also known as full UNION query SQL injection and Batched (stacked) queries support, also known as multiple statements support.

In addition to the common input sources, the tool can also test cookies. Since many applications store their session information using a cookie, this is a common practice during SQL injection attempts — one that most penetration tests often overlook.

Sqlmap excels more at exploiting an identified SQL injection vulnerability than finding it. Even with the high degree of automation, it still takes some time to identify vulnerabilities and requires some knowledge of SQL injection techniques.

Latest version of sqlmap is available at sourceforge. For information on preventing SQL injection vulnerabilities, refer to this cheat sheet.

Jobberbase’s main features are:

• Allows job posts with a simple one time e-mail verification
• Allows applying to jobs without requiring an account
• Browse / Search based on type (Full-time / part-time), category (E.g: Programmer) and locations of jobs
• RSS feeds of latest jobs
• Counter indicating # of applicants for each posted job
• Clean and crisp UI
• Admin control panel for maintaining jobs & stats

Requirements for jobberbase:

• PHP 5+ and MySQL 4.1+ installed with the Apache module mod_rewrite enabled.
• Privileged access to set/reset directory permissions
• MySQL Database creation privileges.

Installation instructions that come with the package are rather sketchy. However, the jobberbase community has more detailed installation guides that should enable someone with basic SQL & PHP understanding and admin skills to install the package without much issue.

Once installed, the package can be customized by editing the various templates included in the ‘css’ and ‘_templates’ directories. Note that these directories also exist separately for the admin user. So, you have to make the edits twice if you want them to change the admin as well. The smarty templates allow separating the presentation layer from the application layer. More information on smart can be found at http://www.smarty.net/

While using the package is pretty intuitive, setting up / modifying it to suit individual needs could take a bit of work. For example, while allowing any one to post a job might be a desirable feature for a community job board, it may not be so if you wanted to use jobberbase as a job board for your business.

We found that it took modification in several files just to remove the prompt for posting a new job. We ended up modifying the home.tpl, no-job.tpl, header.tpl, index.php, posts-loop.tpl and footer.tpl just for this task. However, it looks like most basic modifications can be made by editing the header.tpl and footer.tpl.

Jobberbase has a very active and often highly helpful community that’s constantly improving and extending its feature set. There are already commercial plugins that extends jobberbase support for supporting ‘pay for post’ type of applications.

All-in all, we were able to download, install and run a brand new job board with out of the box features in under an hour. Basic customization took several hours even with a PHP expert on hand for customization. It would have taken far less, if we didn’t have to look all over the jobberbase forums for even the most basic information.

As long as your needs don’t go beyond what jobberbase offers out of the box, this is a great package that requires very little technical skills to deploy and administer. If you need anything beyond customizing the prompts, color schemes and what’s available through the admin panel (Job Categories etc), you will probably be best of hiring a jobberbase expert. The jobberbase forums are a great place to find them.

Have a question about jobberbase that you can’t find an answer on the jobberbase board? Ask away – we can try to help