sqlmap

Contains the details of the topic Web Attacks/SQLi/Tools/sqlmap.

sqlmap

sqlmap -u <URL?id=val>            # GET
sqlmap -u <URL> --data=<id=val>   # POST

Options

-u

Specify URL. sqlmap -u <URL>

--data

Specifies POST parameters

-p

Specifies the parameter to test; by default all parameters are tested. Alternatively, an asterisk (*) appended to a parameter value marks the injection point directly in the URL. sqlmap -u <URL?id=val&name=test> -p id

sqlmap -u <URL?id=val*&name=test>

-r

Specifies a file containing the raw HTTP request to use. It can be exported from Burp Suite with "Copy to file". sqlmap -r <REQUEST.TXT>

-v

Verbosity level: 0-6

-t

Stores the traffic (requests and responses) in a file. -t <FILE_OUTPUT>

-H

Adds an extra header. -H 'Cookie:PHPSESSID=ABC'

--cookie

Specifies the cookie (the value of the Cookie header). --cookie='PHPSESSID=ABC'

-A

Specify the User-Agent. Usually better:
--random-agent : picks a real, random User-Agent
--mobile : uses the User-Agent of a smartphone

--proxy

Specify proxy. --proxy "http://127.0.0.1:8080"

--flush-session

Deletes the saved session data for the target.

--threads

Number of concurrent HTTP requests, from 1 to 10 (default 1).

--technique

Specify the technique(s) to use: BEUSTQ (see Techniques). --technique=BEU

--union-cols

Specifies the number of columns for the UNION technique; a range can also be given. Worth trying, since the UNION technique may not work without it. --union-cols=5 --union-cols=5-10

--union-char

Specifies the value to use in the UNION columns if sqlmap's defaults (NULL and numbers) do not work. --union-char='a'

--level

Increases the number of injection vectors and boundaries tested. Default 1, range 1-5: level 2 also tests the Cookie header, level 3 also tests the User-Agent and Referer headers.

--risk

Specifies the risk level, i.e. which payloads to use. Default 1, range 1-3: level 2 adds heavy time-based payloads, level 3 adds OR-based payloads (dangerous in UPDATE queries).

--prefix

Prefix added to the payloads so that they fit the query (specifies the boundary). --prefix "%'))" (this one is already present in sqlmap's default boundaries)

--suffix

Suffix added to the payloads so that they fit the query (specifies the boundary). --suffix "-- -" (this one is already present in sqlmap's default boundaries)

--string

Specifies the TRUE condition: a string that is always present in the response when the condition is true. --string "good"

--not-string

Specifies the FALSE condition: a string that is always present in the response when the condition is false. --not-string "bad"

--text-only

If the page contains many dynamic elements such as <script>, <style>, <meta>, etc., this tells sqlmap to ignore them when comparing the true and false conditions and to rely only on the visible text.

--titles

Tells sqlmap to compare only the <title> tag for the true and false condition.
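The four options above (--string, --not-string, --text-only, --titles) all change how two responses are judged equal or different. The following Python is an added illustration of that comparison logic, not sqlmap's own code: the three HTML responses are constructed, and the helpers same_page, visible_text, title_of and condition_is_true are names made up for this example. It shows why a raw body comparison reports a difference between two pages that differ only in a script nonce and a meta timestamp, while the text-only and title views do not.

```python
import re
from html import unescape

# Two constructed responses to the same request, differing only in a dynamic
# <script> nonce and a <meta> timestamp: the visible text is identical.
PAGE_A = """<html><head><title>Item 1</title><meta name="generated" content="13:55:36"></head>
<body><script>var nonce="a8f3";</script><h1>Product</h1><p>Status: good</p></body></html>"""
PAGE_B = """<html><head><title>Item 1</title><meta name="generated" content="13:55:41"></head>
<body><script>var nonce="c01d";</script><h1>Product</h1><p>Status: good</p></body></html>"""
# A genuinely different response (the FALSE branch): same dynamic noise, other content.
PAGE_C = """<html><head><title>Not found</title><meta name="generated" content="13:55:42"></head>
<body><script>var nonce="77e1";</script><h1>Product</h1><p>Status: bad</p></body></html>"""


def title_of(html):
    """--titles view: only the contents of the <title> tag."""
    m = re.search(r"<title>(.*?)</title>", html, re.I | re.S)
    return unescape(m.group(1)).strip() if m else ""


def visible_text(html):
    """--text-only view: drop <script>/<style> blocks, <meta> tags and all markup,
    keep the visible text with whitespace collapsed."""
    s = re.sub(r"<(script|style)\b.*?</\1>", " ", html, flags=re.I | re.S)
    s = re.sub(r"<meta\b[^>]*>", " ", s, flags=re.I)
    s = re.sub(r"<[^>]+>", " ", s)
    return " ".join(unescape(s).split())


def same_page(a, b, text_only=False, titles=False):
    """Decide whether two responses are 'the same page'.
    Default: raw body comparison; --text-only / --titles narrow what is compared."""
    if titles:
        return title_of(a) == title_of(b)
    if text_only:
        return visible_text(a) == visible_text(b)
    return a == b


def condition_is_true(page, string=None, not_string=None):
    """--string / --not-string: decide TRUE/FALSE from a marker string instead of a
    page diff. Returns None when neither marker is given (the diff heuristic applies)."""
    if string is not None:
        return string in page
    if not_string is not None:
        return not_string not in page
    return None


if __name__ == "__main__":
    print("raw      :", same_page(PAGE_A, PAGE_B))                  # False: nonce/timestamp differ
    print("text-only:", same_page(PAGE_A, PAGE_B, text_only=True))  # True
    print("titles   :", same_page(PAGE_A, PAGE_C, titles=True))     # False: different page
    print("--string :", condition_is_true(PAGE_A, string="good"))   # True
```

The point to take from the demo: with dynamic content in the page, the raw comparison flips between "same" and "different" for reasons unrelated to the injected condition, which is exactly the noise --text-only, --titles and the explicit --string/--not-string markers remove.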

--dbms

Specifies the DBMS the server uses (if sqlmap misdetects it or fails to detect it).

--parse-errors

Automatically prints DBMS error messages, for error analysis.

--banner

Banner grabbing (retrieves the DBMS banner).

--hostname

Target hostname.

--current-user

Shows the current database user.

--is-dba

Checks whether the current user is a database administrator.

--current-db

Current database.

--users

Lists the database users.

--passwords

Retrieves the users' password hashes.

--dbs

List of accessible databases.

-D

Select database.

--tables

List of tables in the selected database.

-T

Select table.

--columns

Lists the columns (attributes) of the selected table.

-C

Select column.

--dump

Retrieves the data of the selected column(s). --dump -T <TABLE> (the whole table) --dump -D <DATABASE> (the whole database)

--where

Specifies a condition (used with --dump), e.g. ID=4. --where="name LIKE 'f%'"

--schema

View the schema, the structure of the tables.

--dump-all --exclude-sysdbs

Dumps the contents of all databases; the second option skips the system databases. --dump-all --exclude-sysdbs

--search

Searches database, table or column names. --search <WHERE> <STRING>, e.g. --search -T user (table names containing "user"), --search -C pass (column names containing "pass")

--csrf-token

Specifies the CSRF token parameter to be handled in requests. By default sqlmap tries to identify parameters whose name contains csrf, xsrf or token. --csrf-token="<CSRF_TOKEN_NAME>"

--randomize

Some applications require a unique value per request rather than a CSRF token; this option generates a random value for the specified parameter on every request. --randomize="<PARAM>"

--eval

Specifies Python code to run on the parameters before each request, useful for bypassing control mechanisms such as h=MD5(id). If the URL is http://<IP>/?id=1&h=??: --eval="import hashlib; h=hashlib.md5(id).hexdigest()"

--tor --check-tor

Routes the requests through the Tor proxy. Adding --check-tor verifies the Tor connection by sending a request to https://check.torproject.org/. --tor, --tor --check-tor

--skip-waf

Skips the WAF detection performed in the initial phase, to generate less noise.

--tamper

Specifies tamper scripts that are applied to the requests before they are sent; these scripts modify the payloads to bypass WAFs. More than one can be given; the order does not matter, because sqlmap sets their priority internally. --tamper=<TAMPER1>,<TAMPER2> --tamper=between

--list-tampers

To view the tamper list and description (see Tampers).

--file-read

If you have the necessary privileges (likely if you are DBA), reads a file from the server by its path. --file-read="<PATH>"

--file-write --file-dest

If you have the necessary privileges (not only DBA, but also a writable destination, etc.), writes the local file given with --file-write to the server path given with --file-dest. --file-write <FILE> --file-dest <DEST>

--keep-alive

Keeps a persistent HTTP connection, for faster data dumping.

--os-cmd

Executes an OS command. See SQLi.

--os-shell

Gets an interactive OS shell (requires at least write permissions). Try different techniques. See SQLi.

--web-root

Specifies where the files for the interactive shell (or other uploads) are saved; it must be a writable folder.

--batch

When sqlmap asks questions during a run, this flag makes it always use the default answers; useful for long processes.

Techniques

  • B: Boolean-based blind

  • E: Error-based

  • U: Union query-based

  • S: Stacked queries

  • T: Time-based blind

  • Q: Inline queries

Tampers

Tamper script / Description

0eunion

Replaces instances of UNION with e0UNION

base64encode

Base64-encodes all characters in a given payload

between

Replaces greater than operator (>) with NOT BETWEEN 0 AND # and equals operator (=) with BETWEEN # AND #

commalesslimit

Replaces (MySQL) instances like LIMIT M, N with LIMIT N OFFSET M counterpart

equaltolike

Replaces all occurrences of operator equal (=) with LIKE counterpart

halfversionedmorekeywords

Adds (MySQL) versioned comment before each keyword

modsecurityversioned

Embraces complete query with (MySQL) versioned comment

modsecurityzeroversioned

Embraces complete query with (MySQL) zero-versioned comment

percentage

Adds a percentage sign (%) in front of each character (e.g. SELECT -> %S%E%L%E%C%T)

plus2concat

Replaces plus operator (+) with (MsSQL) function CONCAT() counterpart

randomcase

Replaces each keyword character with random case value (ex. SELECT -> SEleCt)

space2comment

Replaces space character ( ) with comments /**/

space2dash

Replaces space character ( ) with a dash comment (--) followed by a random string and a new line (\n)

space2hash

Replaces (MySQL) instances of space character ( ) with a pound character (#) followed by a random string and a new line (\n)

space2mssqlblank

Replaces (MsSQL) instances of space character ( ) with a random blank character from a valid set of alternate characters

space2plus

Replaces space character ( ) with plus (+)

space2randomblank

Replaces space character ( ) with a random blank character from a valid set of alternate characters

symboliclogical

Replaces AND and OR logical operators with their symbolic counterparts (&& and ||)

versionedkeywords

Encloses each non-function keyword with (MySQL) versioned comment

versionedmorekeywords

Encloses each keyword with (MySQL) versioned comment
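The transformations in the table above are, from the other side, what a log reviewer or WAF rule has to undo before plain keyword signatures match again. The following Python is an added example, not sqlmap's code: it parses constructed access-log lines, URL-decodes the query string, reverses the comment (space2comment, space2dash, space2hash, versioned/zero-versioned comments), percentage, 0eunion, symboliclogical, blank-substitution and randomcase transformations described above, and reports both the obfuscation it had to undo and a few plain signatures. It also checks for sqlmap's default User-Agent, which --random-agent and --mobile replace. The log lines, the signature set and the function names (normalize, inspect_line, scan) are constructed for this example.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed combined-format access-log lines (sample data, not real traffic);
# the query strings are shaped like the output of the tamper scripts listed above.
SAMPLE_LOG = """
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /item.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
10.0.0.7 - - [10/Oct/2023:13:55:40 +0000] "GET /item.php?id=1%20AND%201=1 HTTP/1.1" 200 512 "-" "sqlmap/1.7 (https://sqlmap.org)"
10.0.0.7 - - [10/Oct/2023:13:55:41 +0000] "GET /item.php?id=1e0UNION/**/SEleCt/**/1,2,3 HTTP/1.1" 200 700 "-" "Mozilla/5.0 (Linux; Android 10)"
10.0.0.7 - - [10/Oct/2023:13:55:42 +0000] "GET /item.php?id=1%23abcd%0A%S%E%L%E%C%T+1 HTTP/1.1" 500 120 "-" "Mozilla/5.0 (Linux; Android 10)"
10.0.0.7 - - [10/Oct/2023:13:55:43 +0000] "GET /item.php?id=1/*!50000AND*/1%20NOT%20BETWEEN%200%20AND%201 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Linux; Android 10)"
10.0.0.9 - - [10/Oct/2023:13:56:01 +0000] "GET /search.php?q=union+station HTTP/1.1" 200 900 "-" "Mozilla/5.0 (Macintosh)"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# (name, pattern, replacement) applied in order to the URL-decoded query string.
# This is a normalizer for signature matching, not a faithful SQL decoder.
NORMALIZERS = [
    ("versioned_comment", re.compile(r"/\*!\d{0,5}(.*?)\*/", re.S), r" \1 "),  # /*!50000X*/, /*!00000X*/
    ("half_versioned_comment", re.compile(r"/\*!\d{0,5}"), " "),              # unclosed /*!0 before a keyword
    ("block_comment", re.compile(r"/\*.*?\*/", re.S), " "),                   # space2comment: /**/
    ("line_comment", re.compile(r"(?:--|#)[^\n]*(?:\n|$)"), " "),             # space2dash / space2hash
    ("percentage", re.compile(r"%(?=[A-Za-z])"), ""),                         # %S%E%L%E%C%T -> SELECT
    ("e0union", re.compile(r"e0(?=union)", re.I), " "),                       # 0eunion: 1e0UNION -> 1 UNION
    ("symbolic_logical", re.compile(r"&&|\|\|"),
     lambda m: " AND " if m.group() == "&&" else " OR "),                     # symboliclogical
]

# Plain signatures that only match once the obfuscation above has been undone.
SIGNATURES = [
    ("union_select", re.compile(r"\bUNION\b(?:\s+ALL)?\s+SELECT\b")),
    ("select_from", re.compile(r"\bSELECT\b.+\bFROM\b")),
    ("tautology", re.compile(r"\b(?:AND|OR)\b\s*\d+\s*=\s*\d+")),
    ("between_tamper", re.compile(r"\bNOT BETWEEN 0 AND\b")),
    ("time_based", re.compile(r"\b(?:SLEEP|BENCHMARK)\s*\(|\bWAITFOR\s+DELAY\b")),
]


def normalize(query):
    """Undo tamper-style obfuscation. Returns (normalized_upper_case, names_of_rules_that_fired)."""
    s = unquote_plus(query)  # URL decoding; also turns space2plus '+' back into spaces
    fired = []
    for name, pattern, repl in NORMALIZERS:
        s, count = pattern.subn(repl, s)
        if count:
            fired.append(name)
    s = re.sub(r"[\s\x01-\x1f]+", " ", s)  # space2randomblank / space2mssqlblank alternates
    return s.upper().strip(), fired         # randomcase: compare case-insensitively


def inspect_line(line):
    """Return the indicators found in one access-log line (empty list = nothing suspicious)."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparsed_line"]
    findings = []
    # Default User-Agent; absent when --random-agent or --mobile is used, so never rely on it alone.
    if m.group("ua").lower().startswith("sqlmap/"):
        findings.append("ua:sqlmap_default")
    normalized, fired = normalize(urlsplit(m.group("target")).query)
    findings.extend("obfuscation:" + name for name in fired)  # obfuscation itself is a signal
    findings.extend("signature:" + name for name, pat in SIGNATURES if pat.search(normalized))
    return findings


def scan(log_text):
    """Return (line_number, client_ip, findings) for every line with at least one finding."""
    hits = []
    for number, line in enumerate(log_text.strip().splitlines(), start=1):
        findings = inspect_line(line)
        if findings:
            hits.append((number, line.split(" ", 1)[0], findings))
    return hits


if __name__ == "__main__":
    for number, ip, findings in scan(SAMPLE_LOG):
        print(f"line {number} from {ip}: {', '.join(findings)}")
```

Design note: the obfuscation findings are reported separately from the signature findings on purpose; a request that needed `/**/` stripping or percent-letter decoding before it even parsed is worth a look regardless of whether a keyword signature fires, and the "union station" line shows that a bare keyword in a normal query string is not flagged.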

Payloads

sqlmap -u <target> --dbs
sqlmap -u <target> -D <database> --tables
sqlmap -u <target> -D <database> -T <table> --columns
sqlmap -u <target> -D <database> -T <table> -C <column1,column2> --dump
