SQLi with SQLMap
SQLmap is an open-source penetration testing tool that automates the process of detecting and exploiting SQL injection vulnerabilities and taking over database servers.
Basic arguments
Generic
-u "<URL>"
-p "<PARAM TO TEST>"
--user-agent=SQLMAP
--random-agent
--threads=10
--risk=3 #MAX
--level=5 #MAX
--dbms="<KNOWN DB TECH>"
--os="<OS>"
-D <database>
-T <table>
--dump
--search -C <search_term>
-r filename.req # HTTP Request
--technique="UB" #Use only techniques UNION and BLIND in that order (default "BEUSTQ")
--batch #Non interactive mode, usually Sqlmap will ask you questions, this accepts the default answers
--auth-type="<AUTH>" #HTTP authentication type (Basic, Digest, NTLM or PKI)
--auth-cred="<AUTH>" #HTTP authentication credentials (name:password)
--proxy=http://127.0.0.1:8080
--union-char "GsFRts2" #Help sqlmap identify union SQLi techniques with a weird union char
Supported SQL Injection Types
We see the types of SQL injections supported by SQLMap with the sqlmap -hh
command:
> sqlmap -hh
...SNIP...
Techniques:
--technique=TECH.. SQL injection techniques to use (default "BEUSTQ")
The technique characters BEUSTQ
refers to the following:
B
: Boolean-based blindE
: Error-basedU
: Union query-basedS
: Stacked queriesT
: Time-based blindQ
: Inline queries
Retrieve Information
Internal
--current-user #Get current user
--is-dba #Check if current user is Admin
--hostname #Get hostname
--users #Get usernames od DB
--passwords #Get passwords of users in DB
--privileges #Get privileges
DB Data
--all #Retrieve everything
--dump #Dump DBMS database table entries
--dbs #Names of the available databases
--tables #Tables of a database ( -D <DB NAME> )
--columns #Columns of a table ( -D <DB NAME> -T <TABLE NAME> )
-D <DB NAME> -T <TABLE NAME> -C <COLUMN NAME> #Dump column
General tamper option and tamper's list
tamper=name_of_the_tamper
0x2char.py
Replaces each (MySQL) 0x encoded string with equivalent CONCAT(CHAR(),…) counterpart
apostrophemask.py
Replaces apostrophe character with its UTF-8 full width counterpart
apostrophenullencode.py
Replaces apostrophe character with its illegal double unicode counterpart
appendnullbyte.py
Appends encoded NULL byte character at the end of payload
base64encode.py
Base64 all characters in a given payload
between.py
Replaces greater than operator ('>') with 'NOT BETWEEN 0 AND #'
bluecoat.py
Replaces space character after SQL statement with a valid random blank character.Afterwards replace character = with LIKE operator
chardoubleencode.py
Double url-encodes all characters in a given payload (not processing already encoded)
charencode.py
URL-encodes all characters in a given payload (not processing already encoded) (e.g. SELECT -> %53%45%4C%45%43%54)
charunicodeencode.py
Unicode-URL-encodes all characters in a given payload (not processing already encoded) (e.g. SELECT -> %u0053%u0045%u004C%u0045%u0043%u0054)
charunicodeescape.py
Unicode-escapes non-encoded characters in a given payload (not processing already encoded) (e.g. SELECT -> \u0053\u0045\u004C\u0045\u0043\u0054)
commalesslimit.py
Replaces instances like 'LIMIT M, N' with 'LIMIT N OFFSET M'
commalessmid.py
Replaces instances like 'MID(A, B, C)' with 'MID(A FROM B FOR C)'
commentbeforeparentheses.py
Prepends (inline) comment before parentheses (e.g. ( -> /**/()
concat2concatws.py
Replaces instances like 'CONCAT(A, B)' with 'CONCAT_WS(MID(CHAR(0), 0, 0), A, B)'
charencode.py
Url-encodes all characters in a given payload (not processing already encoded)
charunicodeencode.py
Unicode-url-encodes non-encoded characters in a given payload (not processing already encoded)
equaltolike.py
Replaces all occurrences of operator equal ('=') with operator 'LIKE'
escapequotes.py
Slash escape quotes (' and ")
greatest.py
Replaces greater than operator ('>') with 'GREATEST' counterpart
halfversionedmorekeywords.py
Adds versioned MySQL comment before each keyword
htmlencode.py
HTML encode (using code points) all non-alphanumeric characters (e.g. ‘ -> ')
ifnull2casewhenisnull.py
Replaces instances like ‘IFNULL(A, B)’ with ‘CASE WHEN ISNULL(A) THEN (B) ELSE (A) END’ counterpart
ifnull2ifisnull.py
Replaces instances like 'IFNULL(A, B)' with 'IF(ISNULL(A), B, A)'
informationschemacomment.py
Add an inline comment (/**/) to the end of all occurrences of (MySQL) “information_schema” identifier
least.py
Replaces greater than operator (‘>’) with ‘LEAST’ counterpart
lowercase.py
Replaces each keyword character with lower case value (e.g. SELECT -> select)
modsecurityversioned.py
Embraces complete query with versioned comment
modsecurityzeroversioned.py
Embraces complete query with zero-versioned comment
multiplespaces.py
Adds multiple spaces around SQL keywords
nonrecursivereplacement.py
Replaces predefined SQL keywords with representations suitable for replacement (e.g. .replace("SELECT", "")) filters
overlongutf8.py
Converts all characters in a given payload (not processing already encoded)
overlongutf8more.py
Converts all characters in a given payload to overlong UTF8 (not processing already encoded) (e.g. SELECT -> %C1%93%C1%85%C1%8C%C1%85%C1%83%C1%94)
percentage.py
Adds a percentage sign ('%') infront of each character
plus2concat.py
Replaces plus operator (‘+’) with (MsSQL) function CONCAT() counterpart
plus2fnconcat.py
Replaces plus operator (‘+’) with (MsSQL) ODBC function {fn CONCAT()} counterpart
randomcase.py
Replaces each keyword character with random case value
randomcomments.py
Add random comments to SQL keywords
securesphere.py
Appends special crafted string
sp_password.py
Appends 'sp_password' to the end of the payload for automatic obfuscation from DBMS logs
space2comment.py
Replaces space character (' ') with comments
space2dash.py
Replaces space character (' ') with a dash comment ('--') followed by a random string and a new line ('\n')
space2hash.py
Replaces space character (' ') with a pound character ('#') followed by a random string and a new line ('\n')
space2morehash.py
Replaces space character (' ') with a pound character ('#') followed by a random string and a new line ('\n')
space2mssqlblank.py
Replaces space character (' ') with a random blank character from a valid set of alternate characters
space2mssqlhash.py
Replaces space character (' ') with a pound character ('#') followed by a new line ('\n')
space2mysqlblank.py
Replaces space character (' ') with a random blank character from a valid set of alternate characters
space2mysqldash.py
Replaces space character (' ') with a dash comment ('--') followed by a new line ('\n')
space2plus.py
Replaces space character (' ') with plus ('+')
space2randomblank.py
Replaces space character (' ') with a random blank character from a valid set of alternate characters
symboliclogical.py
Replaces AND and OR logical operators with their symbolic counterparts (&& and
unionalltounion.py
Replaces UNION ALL SELECT with UNION SELECT
unmagicquotes.py
Replaces quote character (') with a multi-byte combo %bf%27 together with generic comment at the end (to make it work)
uppercase.py
Replaces each keyword character with upper case value 'INSERT'
varnish.py
Append a HTTP header 'X-originating-IP'
versionedkeywords.py
Encloses each non-function keyword with versioned MySQL comment
versionedmorekeywords.py
Encloses each keyword with versioned MySQL comment
xforwardedfor.py
Append a fake HTTP header 'X-Forwarded-For'
Last updated
Was this helpful?