Small white diary 45:kali penetration testing of Web infiltration-sqlmap automatic Injection (iii)-SQLMAP parameter details-optimization,injection,detection,techniques,fingerprint

Source: Internet
Author: User
Tags sql injection

SQLMAP Automatic Injection


"Optimize performance parameters for increased efficiency"

- o: Specify the first three parameters (--predict-output 、--keep-alive 、--null-connection)


According to the detection method, the ratio of the return value and the statistical table content , reduce the detection range, improve detection efficiency

Detectable return Values: Version name, user name, password, privaleges, role, database name, table name, column name

Incompatible with the--threads parameter


--keep-alive:"can avoid the unusual connection very big situation, but triggers the alarm"

Good performance with HTTP (s) long connections

Incompatible with the--proxy parameter

Long connections avoid the network overhead of repeatedly establishing connections, but a large number of long connections can seriously consume server resources


Get only the size value of the corresponding page, not the page content

Usually used for blind to determine true/false, reducing network bandwidth consumption

Incompatible with the--text-only parameter (True/False based on page content comparison)

--threads: "1 By default"

Maximum concurrent threads

The blinds are each thread gets one character (7 requests <--low ASCII code), gets completed after the thread ends

The default value is 1, no more than 10 is recommended, or it may affect site availability

Incompatible with the--predict-output parameter



Specifies the parameters for the scan, except for this parameter, which does not detect other parameters, making the--level invalid

-P "User-agent,referer" #指定此两个参数


Exclude the specified scan parameters

--level=5--skip= "Id,user-agent"

URI injection point: "If the name and value of the variable in the URL address are represented by a URL (looks like a directory), you need to manually add an asterisk to the variable (URI and URL)

Sqlmap-u "http://targeturl/value1*/param2/value2/"

--dbms: "Specify the database type of the scan server"

--ddbms= "MySQL"




Usually sqlmap use a negative number to invalidate a parameter, i.e. id=13->id=13

Bignum use large numbers to invalidate parameter values id==99999999999

Logical using Boolean judgment to invalidate the value id=13 and 18=19


When extracting data, Sqlmap converts all the results to a string and uses a space instead of a null result

This switch needs to be turned on in the old version of MySQL database

--no-escape "Sqlmap By default there is almost no configuration to escape by encoding"

For the purpose of confusion and avoidance of errors, when using single quotation marks to delimit strings in payload, Sqlmap replaces the string with the char () encoding escape method

### Select ' Foo '--"select CHAR (102) +char (111) +char (111)

This parameter turns off this feature

--prefix/--suffix "prefix/suffix"

$query = "SELECT * from Users WHERE id= ('". $_get[' id '] . "') LIMIT 0, 1";

# #如:sqlmap-u ""-P ID

--prefix "')"--suffix "and (' abc ' = ' abc ')

query = "SELECT *" from Users WHERE id= (' 1 ') <PAYLOAD> and

(' abc ' = ' abc ') LIMIT 0, 1 ";

--tamper "Premise: Discovery scan is filtered"

Specifies the obfuscation script, which bypasses application layer filtering, IPS, WAF

Sqlmap-u "Http://dadad"--

#脚本Location:/usr/share.sqlmap/tamper "Dpkg-l sqlmap can be used | grep Tam Filter "

Sqlmap-u "Http://URL"--tamper= "tamper/"- v 3 # "-V: Show more Information "

Detection "Detection"


Level 1-5 (default 1)



1-4 (default 1/harmless)

Risk increased risk of data tampering (update)

--string,--not-string,--regexp,--code,--text-only,--Titles "Specifies the basis for injection based on the type returned"

Page comparison, based on Boolean injection detection, according to the changes in the content of the return page to determine the true and false logic, but some of the page age timescale changes, it is necessary to think that the specified identity is true and false string

Techniques "Detecting the type of technology that SQL injection exists"

Use all technologies by default

B:boolean-based Blind


U:union query-based

s:stacked queries (file system, operating system, registry must be used)

T:time-based Blind


Time-based injection detection response delay time (default 5 seconds )


Default union Query 1-10 column, up to 50 columns with--level increase

--union-clos 6-9


Union queries use NULL by default, and in extreme cases null may be invalidated, at which point the value can be specified manually

--union-char 123 "Web application needs to be analyzed in advance"


Scenario : An attacker controls a DNS server and uses this feature to increase data extraction rates



The result of a page injection, reflected from another page


Fingerprint "Fingerprint Information"


Database Management System Fingerprint information

DBMS, operating system, architecture, patches

Small white diary 45:kali penetration testing of Web infiltration-sqlmap automatic Injection (iii)-SQLMAP parameter details-optimization,injection,detection,techniques,fingerprint

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.