SQLi with SQLMap

SQLmap is an open-source penetration testing tool that automates the process of detecting and exploiting SQL injection vulnerabilities and taking over database servers.

Basic arguments

Generic

-u "<URL>" 
-p "<PARAM TO TEST>" 
--user-agent=SQLMAP 
--random-agent 
--threads=10 
--risk=3 #MAX
--level=5 #MAX
--dbms="<KNOWN DB TECH>" 
--os="<OS>"
-D <database>
-T <table>
--dump
--search -C <search_term>
-r filename.req     # HTTP Request
--technique="UB" #Use only techniques UNION and BLIND in that order (default "BEUSTQ")
--batch #Non interactive mode, usually Sqlmap will ask you questions, this accepts the default answers
--auth-type="<AUTH>" #HTTP authentication type (Basic, Digest, NTLM or PKI)
--auth-cred="<AUTH>" #HTTP authentication credentials (name:password)
--proxy=http://127.0.0.1:8080
--union-char "GsFRts2" #Help sqlmap identify union SQLi techniques with a weird union char

Supported SQL Injection Types

We see the types of SQL injections supported by SQLMap with the sqlmap -hh command:

> sqlmap -hh
...SNIP...
  Techniques:
    --technique=TECH..  SQL injection techniques to use (default "BEUSTQ")

The technique characters BEUSTQ refers to the following:

  • B: Boolean-based blind

  • E: Error-based

  • U: Union query-based

  • S: Stacked queries

  • T: Time-based blind

  • Q: Inline queries

Retrieve Information

Internal

--current-user #Get current user
--is-dba #Check if current user is Admin
--hostname #Get hostname
--users #Get usernames od DB
--passwords #Get passwords of users in DB
--privileges #Get privileges

DB Data

--all #Retrieve everything
--dump #Dump DBMS database table entries
--dbs #Names of the available databases
--tables #Tables of a database ( -D <DB NAME> )
--columns #Columns of a table  ( -D <DB NAME> -T <TABLE NAME> )
-D <DB NAME> -T <TABLE NAME> -C <COLUMN NAME> #Dump column

General tamper option and tamper's list

tamper=name_of_the_tamper
Tamper
Description

0x2char.py

Replaces each (MySQL) 0x encoded string with equivalent CONCAT(CHAR(),…) counterpart

apostrophemask.py

Replaces apostrophe character with its UTF-8 full width counterpart

apostrophenullencode.py

Replaces apostrophe character with its illegal double unicode counterpart

appendnullbyte.py

Appends encoded NULL byte character at the end of payload

base64encode.py

Base64 all characters in a given payload

between.py

Replaces greater than operator ('>') with 'NOT BETWEEN 0 AND #'

bluecoat.py

Replaces space character after SQL statement with a valid random blank character.Afterwards replace character = with LIKE operator

chardoubleencode.py

Double url-encodes all characters in a given payload (not processing already encoded)

charencode.py

URL-encodes all characters in a given payload (not processing already encoded) (e.g. SELECT -> %53%45%4C%45%43%54)

charunicodeencode.py

Unicode-URL-encodes all characters in a given payload (not processing already encoded) (e.g. SELECT -> %u0053%u0045%u004C%u0045%u0043%u0054)

charunicodeescape.py

Unicode-escapes non-encoded characters in a given payload (not processing already encoded) (e.g. SELECT -> \u0053\u0045\u004C\u0045\u0043\u0054)

commalesslimit.py

Replaces instances like 'LIMIT M, N' with 'LIMIT N OFFSET M'

commalessmid.py

Replaces instances like 'MID(A, B, C)' with 'MID(A FROM B FOR C)'

commentbeforeparentheses.py

Prepends (inline) comment before parentheses (e.g. ( -> /**/()

concat2concatws.py

Replaces instances like 'CONCAT(A, B)' with 'CONCAT_WS(MID(CHAR(0), 0, 0), A, B)'

charencode.py

Url-encodes all characters in a given payload (not processing already encoded)

charunicodeencode.py

Unicode-url-encodes non-encoded characters in a given payload (not processing already encoded)

equaltolike.py

Replaces all occurrences of operator equal ('=') with operator 'LIKE'

escapequotes.py

Slash escape quotes (' and ")

greatest.py

Replaces greater than operator ('>') with 'GREATEST' counterpart

halfversionedmorekeywords.py

Adds versioned MySQL comment before each keyword

htmlencode.py

HTML encode (using code points) all non-alphanumeric characters (e.g. ‘ -> ')

ifnull2casewhenisnull.py

Replaces instances like ‘IFNULL(A, B)’ with ‘CASE WHEN ISNULL(A) THEN (B) ELSE (A) END’ counterpart

ifnull2ifisnull.py

Replaces instances like 'IFNULL(A, B)' with 'IF(ISNULL(A), B, A)'

informationschemacomment.py

Add an inline comment (/**/) to the end of all occurrences of (MySQL) “information_schema” identifier

least.py

Replaces greater than operator (‘>’) with ‘LEAST’ counterpart

lowercase.py

Replaces each keyword character with lower case value (e.g. SELECT -> select)

modsecurityversioned.py

Embraces complete query with versioned comment

modsecurityzeroversioned.py

Embraces complete query with zero-versioned comment

multiplespaces.py

Adds multiple spaces around SQL keywords

nonrecursivereplacement.py

Replaces predefined SQL keywords with representations suitable for replacement (e.g. .replace("SELECT", "")) filters

overlongutf8.py

Converts all characters in a given payload (not processing already encoded)

overlongutf8more.py

Converts all characters in a given payload to overlong UTF8 (not processing already encoded) (e.g. SELECT -> %C1%93%C1%85%C1%8C%C1%85%C1%83%C1%94)

percentage.py

Adds a percentage sign ('%') infront of each character

plus2concat.py

Replaces plus operator (‘+’) with (MsSQL) function CONCAT() counterpart

plus2fnconcat.py

Replaces plus operator (‘+’) with (MsSQL) ODBC function {fn CONCAT()} counterpart

randomcase.py

Replaces each keyword character with random case value

randomcomments.py

Add random comments to SQL keywords

securesphere.py

Appends special crafted string

sp_password.py

Appends 'sp_password' to the end of the payload for automatic obfuscation from DBMS logs

space2comment.py

Replaces space character (' ') with comments

space2dash.py

Replaces space character (' ') with a dash comment ('--') followed by a random string and a new line ('\n')

space2hash.py

Replaces space character (' ') with a pound character ('#') followed by a random string and a new line ('\n')

space2morehash.py

Replaces space character (' ') with a pound character ('#') followed by a random string and a new line ('\n')

space2mssqlblank.py

Replaces space character (' ') with a random blank character from a valid set of alternate characters

space2mssqlhash.py

Replaces space character (' ') with a pound character ('#') followed by a new line ('\n')

space2mysqlblank.py

Replaces space character (' ') with a random blank character from a valid set of alternate characters

space2mysqldash.py

Replaces space character (' ') with a dash comment ('--') followed by a new line ('\n')

space2plus.py

Replaces space character (' ') with plus ('+')

space2randomblank.py

Replaces space character (' ') with a random blank character from a valid set of alternate characters

symboliclogical.py

Replaces AND and OR logical operators with their symbolic counterparts (&& and

unionalltounion.py

Replaces UNION ALL SELECT with UNION SELECT

unmagicquotes.py

Replaces quote character (') with a multi-byte combo %bf%27 together with generic comment at the end (to make it work)

uppercase.py

Replaces each keyword character with upper case value 'INSERT'

varnish.py

Append a HTTP header 'X-originating-IP'

versionedkeywords.py

Encloses each non-function keyword with versioned MySQL comment

versionedmorekeywords.py

Encloses each keyword with versioned MySQL comment

xforwardedfor.py

Append a fake HTTP header 'X-Forwarded-For'

Last updated

Was this helpful?