search

SQLMAP

LogoUsageGitHubchevron-right
LogoSqlmap Tutorialwww.sqlinjection.netchevron-right
LogoSqlmap - HackTricksbook.hacktricks.xyzchevron-right

hashtag
GET Request

circle-info

Note: in this case, option '-u' is used to provide the target URL, while the switch '--batch' is used for skipping any required user-input, by automatically choosing using the default option.

hashtag
POST Request

circle-info

If we have a clear indication that the parameter uid is prone to an SQLi vulnerability, we could narrow down the tests to only this parameter using -p uid. Otherwise, we could mark it inside the provided data with the usage of special marker *

hashtag
Full Request

hashtag
Cookies

hashtag
HTTP Headers

We can apply the same to options like --host, --referer, and -A/--user-agent, which are used to specify the same HTTP headers' values.

--random-agent : randomly select a User-agent header value.

While SQLMap, by default, targets only the HTTP parameters, it is possible to test the headers for the SQLi vulnerability. The easiest way is to specify the "custom" injection mark after the header's value (e.g. --cookie="id=1*"). The same principle applies to any other part of the request.

hashtag
PUT Request

hashtag
Dump Databases

--dump automatically dump all data.

--dump-all --exclude-sysdbs

hashtag
Display Errors

--parse-errors

hashtag
Verbose Output

hashtag
Using Proxy

--proxy option to redirect the whole traffic through a (MiTM) proxy (e.g., Burp)

hashtag
Prefix/Suffix

There is a requirement for special prefix and suffix values in rare cases, not covered by the regular SQLMap run. For such runs, options --prefix and --suffix can be used.

hashtag
Level/Risk

--level (1-5, default 1)

--risk (1-3, default 1)

hashtag
Advanced Tuning

hashtag
Status Codes

For example, when dealing with a huge target response with a lot of dynamic content, subtle differences between TRUE and FALSE responses could be used for detection purposes. If the difference between TRUE and FALSE responses can be seen in the HTTP codes (e.g. 200 for TRUE and 500 for FALSE), the option --code could be used to fixate the detection of TRUE responses to a specific HTTP code (e.g. --code=200).

hashtag
Titles

If the difference between responses can be seen by inspecting the HTTP page titles, the switch --titles could be used to instruct the detection mechanism to base the comparison based on the content of the HTML tag <title>.

hashtag
Strings

In case of a specific string value appearing in TRUE responses (e.g. success), while absent in FALSE responses, the option --string could be used to fixate the detection based only on the appearance of that single value (e.g. --string=success).

hashtag
Text-only

When dealing with a lot of hidden content, such as certain HTML page behaviors tags (e.g. <script>, <style>, <meta>, etc.), we can use the --text-only switch, which removes all the HTML tags, and bases the comparison only on the textual (i.e., visible) content.

hashtag
Techniques

For example, if we want to skip the time-based blind and stacking SQLi payloads and only test for the boolean-based blind, error-based, and UNION-query payloads, we can specify these techniques with --technique=BEU.

hashtag
UNION SQLi Tuning

In some cases, UNION SQLi payloads require extra user-provided information to work. If we can manually find the exact number of columns of the vulnerable SQL query, we can provide this number to SQLMap with the option --union-cols (e.g. --union-cols=17). In case that the default "dummy" filling values used by SQLMap -NULL and random integer- are not compatible with values from results of the vulnerable SQL query, we can specify an alternative value instead (e.g. --union-char='a').

Furthermore, in case there is a requirement to use an appendix at the end of a UNION query in the form of the FROM <table> (e.g., in case of Oracle), we can set it with the option --union-from (e.g. --union-from=users).

5 columns => sqlmap http://83.136.251.226:45849/case7.php?id=1 --union-cols=5

hashtag
Basic DB Data Enumeration

  • hostname of the vulnerable target (--hostname),

  • current user's name (--current-user),

  • current database name (--current-db),

  • password hashes (--passwords).

SQLMap will skip SQLi detection if it has been identified earlier and directly start the DBMS enumeration process.

Enumeration usually starts with the retrieval of the basic information:

  • Database version banner (switch --banner)

  • Current user name (switch --current-user)

  • Current database name (switch --current-db)

  • Checking if the current user has DBA (administrator) rights.

circle-info

Note: The 'root' user in the database context in the vast majority of cases does not have any relation with the OS user "root", other than that representing the privileged user within the DBMS context. This basically means that the DB user should not have any constraints within the database context, while OS privileges (e.g. file system writing to arbitrary location) should be minimalistic, at least in the recent deployments. The same principle applies for the generic 'DBA' role.

hashtag
Table Enumeration

circle-info

Tip: Apart from default CSV, we can specify the output format with the option --dump-format to HTML or SQLite, so that we can later further investigate the DB in an SQLite environment.

hashtag
Conditional Enumeration

hashtag
DB Schema Enumeration

hashtag
Searching for Data

hashtag
Search Tables

hashtag
Search Columns

hashtag
DB Users Password Enumeration and Cracking

Content of system tables containing database-specific credentials (e.g., connection credentials)

hashtag
Bypass

hashtag
Anti-CSRF Token Bypass

hashtag
Unique Value Bypass

hashtag
Calculated Parameter Bypass

the option --eval should be used, where a valid Python code is being evaluated just before the request is being sent to the target

hashtag
WAF Bypass

hashtag
User-agent Blacklisting Bypass

--random-agent

hashtag
Tamper Scripts

Logoredteamrecipe.com is for sale! Check it out on ExpiredDomains.comExpiredDomains.comchevron-right

To get a whole list of implemented tamper scripts, along with the description as above, switch --list-tampers can be used

circle-info

Start with --tamper=between,randomcase

Tamper-Script

Description

0eunion

Replaces instances of UNION with e0UNION

base64encode

Base64-encodes all characters in a given payload

between

Replaces greater than operator (>) with NOT BETWEEN 0 AND # and equals operator (=) with BETWEEN # AND #

commalesslimit

Replaces (MySQL) instances like LIMIT M, N with LIMIT N OFFSET M counterpart

equaltolike

Replaces all occurrences of operator equal (=) with LIKE counterpart

halfversionedmorekeywords

Adds (MySQL) versioned comment before each keyword

modsecurityversioned

Embraces complete query with (MySQL) versioned comment

modsecurityzeroversioned

Embraces complete query with (MySQL) zero-versioned comment

percentage

Adds a percentage sign (%) in front of each character (e.g. SELECT -> %S%E%L%E%C%T)

plus2concat

Replaces plus operator (+) with (MsSQL) function CONCAT() counterpart

randomcase

Replaces each keyword character with random case value (e.g. SELECT -> SEleCt)

space2comment

Replaces space character ( ) with comments `/

space2dash

Replaces space character ( ) with a dash comment (--) followed by a random string and a new line ()

space2hash

Replaces (MySQL) instances of space character ( ) with a pound character (#) followed by a random string and a new line ()

space2mssqlblank

Replaces (MsSQL) instances of space character ( ) with a random blank character from a valid set of alternate characters

space2plus

Replaces space character ( ) with plus (+)

space2randomblank

Replaces space character ( ) with a random blank character from a valid set of alternate characters

symboliclogical

Replaces AND and OR logical operators with their symbolic counterparts (&& and |)

versionedkeywords

Encloses each non-function keyword with (MySQL) versioned comment

versionedmorekeywords

Encloses each keyword with (MySQL) versioned comment

hashtag
All in one

hashtag
Miscellaneous Bypasses

--chunked splits the POST request's body into so-called "chunks." Blacklisted SQL keywords are split between chunks in a way that the request containing them can pass unnoticed

HTTP parameter pollution (HPP), where payloads are split in a similar way as in case of --chunked between different same parameter named values (e.g. ?id=1&id=UNION&id=SELECT&id=username,password&id=FROM&id=users...), which are concatenated by the target platform if supporting it (e.g. ASP)

LogoWSTG - Latest | OWASP Foundationowasp.orgchevron-right
LogoHTTP Parameter Pollution | Examples & Mitigation Methods | ImpervaLearning Centerchevron-right

hashtag
OS Exploitation

hashtag
File Read/Write

Is DBA ?

Read File

Write File

hashtag
OS Command Execution

circle-info

SQLMap defaulted to UNION technique to get an OS shell, but eventually failed to give us any output No output

Try to specify another technique --technique=E

hashtag
Techniques

The technique characters BEUSTQ refers to the following:

  • B: Boolean-based blind

  • E: Error-based

  • U: Union query-based

  • S: Stacked queries

  • T: Time-based blind

  • Q: Inline queries

hashtag
Boolean-based blind SQL Injection

hashtag
Error-based SQL Injection

hashtag
UNION query-based

hashtag
Stacked queries

hashtag
Time-based blind SQL Injection

hashtag
Inline queries

hashtag
Out-of-band SQL Injection

PreviousRubeusNextVulnerability Scanners

Last updated