Small white diary 44:kali penetration testing of Web infiltration-sqlmap automatic Injection (ii)-SQLMAP parameters detailed request

Source: Internet
Author: User
Tags eval

SQLMAP Automatic Injection (ii)



#inurl:. php?id=

1. Data segment:--data

Get/post are used

the POST method " Sqlmap-u ""--data= "user=1&pass=2" –f

#sqlmap可自动识别 "&"

the GET method " Sqlmap–u "" –-data= "user=1&pass=2"

2. variable delimiter:--param-del

#大部分web application Use & As a delimiter between variables, but some use ";", "/" and so on. You need to use-param-del to specify

Sqlmap–u "" –data= "Q=foo;id" –param-del= ";" –f

3. Cookies Head ( target drone: DVWA)

Web apps require cookie-based identity authentication

The injection point in the cookie (Sqlmap automatic test) is also checked.

# Scan the cookie for injection points only when level>=2 is present

# When the cookie information is updated, Sqlmap automatically detects the new HTTP header and automatically adds a new cookie. "Can use-drop-set-cookie to pause its function"

Sqlmap–u "" –cookie= "a=1;b=2" –f

4. --user-agent

Sqlmap/1.0-dev-xxxxxx (This is the case by default)

--random-agent "Random use of user-agent , User-agent dictionary file "

5. App/waf/ips/ids Filter Exception User-gent Error

[Hh:mm:20] [ERROR] The target URL responded with an unknown HTTP

Status code, try to force the HTTP user-agent header with option--user-

Agent or--random-agent

6. Host Head:--host "There may also be injection points that are relatively rare"

Premise: Level=5

7. Referer Head :--referer "Theoretically, there's a possibility."

When the browser sends a request to the Web server, it usually takes an HTTP REFERER to tell the server which page link I took from, and the server can get some information for processing.

Premise: Level>=3

8. Additional Headers :--headers "Developers may customize the HTTP Head "

Single row per header (name is case sensitive)

Sqlmap-u ""--headers= "Host:\nuser-agent: yqwr" "\ n: For line wrapping ; Be aware of the case "

## by default, use of Get method, if failed, then try Post Method


9. based on HTTP authentication of the Protocol

BASIC/DIGEST/NTLM "Authentication type (v=sql.105). aspx"

Sqlmap–u "" –auth-type basic–auth-cred "User:pass"

10. --auth-cert/--auth-file "Rare"

Identity authentication based on client certificate

--auth:file= "ca. PEM "

with a private key (or containing a PEM format of the certificate chain) of PEM Format certificate file

11. http (s) Agent

--proxy= ""

--proxy-cred= "Name:pass"


Ignore system-level proxy settings, typically used to scan local network targets

Sqlmap–u "" –proxy= ""-F

# Command Specification "-- command = " parameters " "


Delay time between each HTTP (s) request, floating-point number in seconds, default no delay, network bandwidth, maximum packet


Request time-out, floating-point number, default is 30 seconds


HTTP (s) connection Timeout retry count, default 3 times


Specifies the parameter name of the random value for each request, if the length, type, and the original value are consistent

#如: Sqlmap–u "" –randomize= "id"

、--scope "function: Specify Range"

Filtering log content, filtering scanned objects with regular expressions

Sqlmap-l burp.log–scope= "(www)? \.target\. (com | net | org) "

Sqlmap–l 2.log–scope= "(19)? \.168\.20\. (1|10|100) "–level 3–dbs

user-agent injection points in the

#使用靶场mutillidae, get Get/post request

0x00 using Burpsuit to log information

0x01 Manual Crawl in Mutillidae


Detection and blind truncation can result in a large number of failed requests, and the server side may destroy the session

Send a normal request every time a--safe-freq (frequency) Injection request is sent


The default get method encodes the transmitted content, and some Web servers do not follow the RFC standard encoding and submit data using raw characters. "This is a feature of the Web application that needs to be analyzed before scanning"


"Typical usage scenario: links to retrieve passwords in some Web application

(sqlmap–u "http:/mailaddress&hash=wqd32ni5abvi7a"---eval= "import haslib;hashlib.md5 (ID). hexdigest ( ) {Where the hash value is the hash value of the email address; Other cases: hash value is time} "

Execute the specified Python code before each request

Each request to change or add a new parameter value ( time dependency, other parameter value dependency)

Small white diary 44:kali penetration testing of Web infiltration-sqlmap automatic Injection (ii)-SQLMAP parameters detailed request

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.