Sqlmap User Manual

Source: Internet
Author: User

0x00 Sqlmap Introduction

    • Sqlmap is an open-source penetration testing tool that automatically detects and exploits SQL injection vulnerabilities and takes over database servers. It has a powerful detection engine and many features for penetration testers, ranging from database fingerprinting and data extraction to accessing the underlying file system and executing commands through out-of-band connections.

    • Supported databases: MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase and SAP MaxDB

    • SQL injection techniques: error-based injection, time-based blind injection, UNION query injection

    • Data that can be enumerated: users, password hashes, privileges, roles, databases, tables and columns


0x01 Sqlmap Output Verbosity (7 levels in total, default is 1)

    • 0. Only Python errors and critical messages are displayed

    • 1. Also display basic information and warnings (default)

    • 2. Also display debug messages

    • 3. Also display the injected payloads

    • 4. Also display HTTP requests

    • 5. Also display HTTP response headers

    • 6. Also display the HTTP response page content


0x02 Specifying the target

    • Parameter: -u or --url

Eg: python sqlmap.py -u http(s)://targeturl[:port]/[...]


0x03 Scanning multiple targets listed in a text file

    • Parameter: -m

    • The file lists one URL per line in the format below; sqlmap tests each URL in turn.

www.target1.com/vuln1.php?q=foobar
www.target2.com/vuln2.asp?id=1
www.target3.com/vuln3/id/1*
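
A targets file can be checked against the engagement scope before sqlmap reads it. The following is an added example, not part of the original manual or of sqlmap; the allowlist, the extra out-of-scope line and the function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample: the three lines from the manual plus one out-of-scope host.
SAMPLE_TARGETS = """\
www.target1.com/vuln1.php?q=foobar
www.target2.com/vuln2.asp?id=1
www.target3.com/vuln3/id/1*
www.not-in-scope.example/item.php?id=5
"""

# Hypothetical engagement scope: hosts the test is authorised to touch.
AUTHORISED_HOSTS = {"www.target1.com", "www.target2.com", "www.target3.com"}


def parse_target(line):
    """Return (host, has_query, has_marker) for one line of a targets file."""
    url = line.strip()
    # The manual's lines carry no scheme; urlsplit needs one to locate the host.
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    return parts.hostname, bool(parts.query), "*" in parts.path + parts.query


def check_scope(text, allowed):
    """Split a targets file into in-scope and out-of-scope entries."""
    in_scope, rejected = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        host, has_query, has_marker = parse_target(line)
        # Assumption: a line with neither a query string nor a * marker
        # gives the scanner no parameter to test, so flag it for review.
        entry = {"line": line.strip(), "host": host,
                 "testable": has_query or has_marker}
        (in_scope if host in allowed else rejected).append(entry)
    return in_scope, rejected


if __name__ == "__main__":
    ok, bad = check_scope(SAMPLE_TARGETS, AUTHORISED_HOSTS)
    for e in ok:
        print("in scope    ", e["line"], "" if e["testable"] else "(nothing to test)")
    for e in bad:
        print("OUT OF SCOPE", e["line"])
```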

0x04 Loading an HTTP request from a file

    • Parameter: -r

    • Sqlmap can read an HTTP request from a text file, so you can skip setting some other parameters (such as cookies, POST data, etc.).

POST /vuln.php HTTP/1.1
Host: www.target.com
User-Agent: Mozilla/4.0

id=1
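
A saved request is only usable if its line structure survives copying: request line, one header per line, a blank line, then the body. The following added example (not from the original manual or from sqlmap; the function name and the checks are assumptions) parses such a file and reports the host and parameters it contains, rejecting a request whose line breaks were lost.

```python
from urllib.parse import parse_qsl, urlsplit

# Constructed sample: the request from the manual with its line breaks intact.
SAMPLE_REQUEST = (
    "POST /vuln.php HTTP/1.1\n"
    "Host: www.target.com\n"
    "User-Agent: Mozilla/4.0\n"
    "\n"
    "id=1\n"
)


def parse_request_file(text):
    """Split a raw HTTP request into method, host, headers and parameters."""
    text = text.replace("\r\n", "\n")
    # Headers and body are separated by the first blank line.
    head, _, body = text.partition("\n\n")
    lines = head.split("\n")
    try:
        method, target, version = lines[0].split()
    except ValueError:
        raise ValueError("bad request line: %r" % lines[0])
    if not version.upper().startswith("HTTP/"):
        raise ValueError("bad HTTP version: %r" % version)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("bad header line: %r" % line)
        headers[name.strip().lower()] = value.strip()
    if "host" not in headers:
        raise ValueError("missing Host header")
    return {
        "method": method.upper(),
        "host": headers["host"],
        "headers": headers,
        "get_params": dict(parse_qsl(urlsplit(target).query)),
        "post_params": dict(parse_qsl(body.strip())),
    }


if __name__ == "__main__":
    req = parse_request_file(SAMPLE_REQUEST)
    print(req["method"], req["host"], req["get_params"], req["post_params"])
```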

0x05 POST injection

    • Parameter: --data

    • This parameter supplies data that is submitted via POST; sqlmap tests the POST parameters in the same way as GET parameters.

Eg: python sqlmap.py -u "http://www.target.com/vuln.php" --data="id=1"

0x06 Setting the timeout

    • Parameter: --timeout

    • Sets how long to wait before an HTTP(S) request is considered timed out; 10.5 means 10.5 seconds, and the default is 30 seconds.


0x07 Setting the retry count after a timeout

    • Parameter: --retries

    • Sets how many times the connection is retried when an HTTP(S) request times out; the default is 3 times.


0x08 Marking the parameter to test

    • Marker: *

    • When testing pseudo-static (URL-rewritten) pages, sqlmap cannot identify the parameters to test on its own; add * after the parameter value that you want to test.

Eg:
1. python sqlmap.py -u "http://targeturl/param1/value1*/param2/value2/"
2. python sqlmap.py -u "http://targeturl/param1/value1/param2/value2/15*"

0x09 Enumerating the databases of the database system

    • Parameter: --dbs

    • All databases are listed when the current user has permission to read the table that contains the list of all databases.


0x10 Enumerating database tables

    • Parameters: --tables, -D

    • Lists all tables of the specified database (-D xxxx). If you do not specify -D, the tables of all databases are enumerated.


0x11 Enumerating the columns of a database table

    • Parameters: --columns, -T, -D

    • Lists the columns of the specified table in the specified database.

Eg: python sqlmap.py -u "http://192.168.136.131/sqlmap/sqlite/get_int.php?id=1" --columns -D testdb -T users
[...]
Database: SQLite_masterdb
Table: users
[3 columns]
+---------+---------+
| Column  | Type    |
+---------+---------+
| id      | INTEGER |
| name    | TEXT    |
| surname | TEXT    |
+---------+---------+

0x12 Getting the number of entries in a table

    • Parameter: --count

    • Counts the entries in the tables of the specified database.

Eg: python sqlmap.py -u "http://192.168.21.129/sqlmap/mssql/iis/get_int.asp?id=1" --count -D testdb
[...]
Database: testdb
+----------------+---------+
| Table          | Entries |
+----------------+---------+
| dbo.users      | 4       |
| dbo.users_blob | 2       |
+----------------+---------+

0x13 Getting the data of an entire table or of selected columns

    • Parameters: --dump, -D, -T, -C

    • Dump all columns of a table in a database:

Eg: python sqlmap.py -u "http://192.168.21.129/sqlmap/mssql/iis/get_int.asp?id=1" --dump -D testdb -T dbo.users

    • Dump only selected columns of a table in a database:

Eg: python sqlmap.py -u "http://192.168.21.129/sqlmap/mssql/iis/get_int.asp?id=1" --dump -D testdb -T dbo.users -C id,name


This article is from the "Creative Pilgrim" blog, so be sure to keep this source http://dearch.blog.51cto.com/10423918/1827947
