SQLMap
sqlmap.py
Basic arguments for SQLmap
-u URL, --url=URL
Target URL (e.g. "http://www.site.com/vuln.php?id=1")
-p TESTPARAMETER
Testable parameter(s)
By default sqlmap performs HTTP requests with its own fixed default User-Agent header value. However, it is possible to fake it with the option --user-agent by providing a custom User-Agent as the option's argument. With --random-agent, sqlmap will randomly select a User-Agent from the ./txt/user-agents.txt file.
--threads=THREADS
Max number of concurrent HTTP(s) requests (default 1)
--level=LEVEL
Level of tests to perform (1-5, default 1)
--risk=RISK
Risk of tests to perform (1-3, default 1)
--eta
Display for each output the estimated time of arrival
--dbms=DBMS
Force back-end DBMS to provided value
--os=OS
Force back-end DBMS operating system to provided value
-b, --banner
Retrieve DBMS banner
--is-dba
Detect if the DBMS current user is DBA
--users
Enumerate DBMS users
--passwords
Enumerate DBMS users password hashes
--current-user
Retrieve DBMS current user
--dbs
Enumerate DBMS databases
Load a request file and use mobile user-agent
-r REQUESTFILE
Load HTTP request from a file
--safe-url=SAFEURL
URL address to visit frequently during testing
--mobile
Imitate smartphone through HTTP User-Agent header
--safe-freq=SAFE..
Regular requests between visits to a safe URL
Custom injection in UserAgent/Header/Referer/Cookie
-u URL, --url=URL
Target URL (e.g. "http://www.site.com/vuln.php?id=1")
--data=DATA
Data string to be sent through POST (e.g. "id=1")
--headers=HEADERS
Extra headers (e.g. "Accept-Language: fr\nETag: 123")
The injection point is marked with '*'.
Second-order attack
Options: --second-url and --second-req
A second-order SQL injection is one where the result(s) of a payload injected into one vulnerable page are shown (reflected) on another page (e.g. a frame). This usually happens because the original vulnerable page stores the user-provided input in the database, and the other page reads it back.
You can manually tell sqlmap to test for this type of SQL injection by using option --second-order with the URL address, or --second-req with a request file, for the page where the results are shown.
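As an added illustration (not part of the original cheat sheet) of how a second-order injection arises on the server side, and why testing it needs both the injecting page and the reflecting page, here is a constructed Python/sqlite3 sketch: a parameterised registration page, followed by a profile page that concatenates the stored value, next to its fixed form. All table names, rows and the sample input are constructed for this example.

```python
import sqlite3

# Constructed scenario: page 1 (registration) stores a name safely with a
# bound parameter, so it is not injectable on its own. Page 2 (profile)
# trusts the stored name and concatenates it into SQL. The payload is
# planted on page 1 and only fires on page 2: a second-order injection.

def make_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE users(name TEXT, email TEXT, is_admin INTEGER);
        INSERT INTO users VALUES('alice', 'alice@example.test', 1);
        INSERT INTO users VALUES('bob',   'bob@example.test',   0);
    """)
    return con

def register(con, name, email):
    # Page 1: parameterised INSERT; nothing injectable here.
    con.execute("INSERT INTO users(name, email, is_admin) VALUES(?, ?, 0)",
                (name, email))

def profile_vulnerable(con, name):
    # Page 2 (reflecting page): stored data is treated as trusted SQL text.
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in con.execute(sql)]

def profile_fixed(con, name):
    # Same page with a bound parameter: stored data stays data.
    rows = con.execute("SELECT email FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]

def demo(name, email):
    """Register a user, then view the profile both ways.

    Returns (emails from the vulnerable page, emails from the fixed page).
    """
    con = make_db()
    register(con, name, email)
    return profile_vulnerable(con, name), profile_fixed(con, name)

if __name__ == "__main__":
    # A benign name behaves identically on both pages.
    print(demo("carol", "carol@example.test"))
    # A stored quote-breaking name leaks the admin's row on the
    # vulnerable page but is looked up literally on the fixed page.
    print(demo("eve' OR is_admin=1 --", "eve@example.test"))
```

Running it shows the vulnerable profile page returning alice's e-mail for the crafted name, while the fixed page returns only the row that was actually registered.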
Shell
Crawl a website with SQLmap and auto-exploit
--batch
Non-interactive mode: sqlmap normally asks you questions, this accepts the default answers
--crawl
How deep you want to crawl a site
--forms
Parse and test forms
TOR
Proxy
Cookie and a Proxy
Using suffix to tamper the injection
General tamper option
Tamper list
SQLmap without SQL injection
You can use SQLmap to access a database via its port instead of a URL.