Sqlmap Tool Usage Detailed

Sqlmap usually use very much, but the command is also very much. Every time you use, you have to search the Internet. So I decided to summarize the common usage of sqlmap and make it easy for myself to use.

Special parameters

-V

-V indicates the details of the sqlmap in the injection, a total of seven levels, the default is 1

0, only Python errors and serious information are displayed
1, display basic information and warning information at the same time
2, displaying debug information at the same time
3, showing the injected payload at the same time
4, the HTTP request is also displayed
5, simultaneous display of HTTP response headers
6, the HTTP response page is also displayed
–level

By default, SQLMAP only supports injection testing of get/post parameters, but cookie injection tests are performed when the –level parameter is used and the value is >=2, and >=3 and user-agent are injected when referer.

–risk

Risk set the risk level, the default is 1 will test most of the test statements, 2 will increase the event-based test statement, 3 will increase the or test statement.

-F or –fingerprint

Perform a review of the extensive DBMS version of the fingerprint, which is not used very much.

Get URL

-U or –url

-U is the most common and commonly used usage

Python sqlmap.py-u "http://www.example.com/index.php?id=1"
-L

Test each URL for SQL injection from the Burpsuite or WebScarab agent log

-R

Obtaining an HTTP request from a text file (which requires that the text file hold information that is HTTP requested) so that HTTP can take advantage of the parameters in the HTTP request.
For example, the contents of a text file are:

post/index.php http/1.1
Hos:www.example.com
user-agent:mozilla/4.0

Id=1
When injected using Sqlmap, Sqlmap automatically sets the host and user-agent as values in the text file
When the request being processed is HTTPS, it needs to be used with the –forc-ssl parameter, or after the host header: 443.

Request

POST request

Parameters: –data
–data is mainly applicable to post method submissions. Usage is as follows:

Python sqlmap.py-u "http://www.example.com/index.php"--data= "id=1"
Cookie related

Parameters:-cookie,–load-cookies,–drops-set-cookie
The application of cookie parameters in Sqlmap is mainly in 2 aspects:

When Web applications need to be logged in
Test Cookie Injection
If you need to log in using a cookie, you need to assign the cookie through –cookie. In an HTTP request, when a set-cookie is encountered, Sqlmap is automatically fetched and joined in a subsequent request, and an attempt is attempted on the SQL injection.
When –level>=2, a cookie injection test is attempted.
User-agent related

Parameters: –user-agent,–random-agent
By default, the User-agent in the Sqlmap HTTP request header is:

Sqlmap/1.0-dev-xxxxxxx (http://sqlmap.org)
You can use the –user-agent parameter to modify it, and you can use the –random-agent parameter to randomly obtain it from./txt/user-agents.txt.
When the –level parameter is set to 3 or above 3, an attempt is made to inject the user-agent into the test.

Referer Head

Parameters: –referer
Sqlmap can forge Referer in HTTP in a request in the same use as user-agent. A referer injection is attempted when the –level parameter is set to 3 or more than 3.

Request settings

Set Request interval

Parameters: –delay
Sets the time interval between requests for two times. If set to 0.5, the interval time is half a second, the default is no delay

Set timeout time

Parameters: –tiemout
Set timeout time, mainly to set a request more than how long was judged as a supermarket. A weak setting of 10.5 indicates 10.5 seconds, and the default is 30 seconds.

Set Timeout retry

Parameters: –retries
When the request times out, set the number of retry attempts, the default is 3 times.

Turn off URL parameter encoding

Parameters: –skip-urlencode
Turn off the URL encoding, which is generally less used. Almost all Web servers currently support the RFC standard.

Execute custom Python code

Parameters: –eval
In some cases, it is necessary to modify another parameter according to the change of one parameter to form a normal request. At this point you need to use the--eval. Examples are as follows

Python sqlmap.py-u "http://www.example.com?id=1&hash=c4ca4238a0b923820dcc509a6f75849b"--eval= "Import hashlib; HASH=HASHLIB.MD5 (ID). Hexdigest () "
The hash value in the request parameter above is the MD5 of the ID value, and you need to use the custom Python code.

Injection

Test parameters

Parameters:-p,–skip
-P, which represents the parameters that need to be injected into the test. For example,-P "id,user-agent"
–skip, which represents a parameter that does not require a test, such as –skip= "User-agent"

Pseudo static injection

Many frameworks use URL rewriting techniques, and SQLMAP cannot use parameter injection at this point, but you can add the following parameters to the test
Examples are as follows

Python sqlmap.py-u "http://blog.spoock.com/2016/09/04*/sqli-bypass/"
Around WAF

Parameters: –tamper
Many times there are WAF devices that intercept sqlmap injection, and then you need to use--tamper to transform the injected SQL statement to bypass it. All tamper scripts are defined in the tamper script in Sqlmap and can be viewed in the tamper directory.

Python sqlmap.py-u "http://www.example.com?id=1"--tamper tamper/between.py,tamper/randomcase.py
Extract data

Sign

Parameters:-b,–banner
Retrieving the identity of the database management system

User

Parameters: –current-user
Returns the administrative user of the current database

Current database

Parameters: –current-db
Returns the database for the current connection

DBA Detection

Parameters: –is-dba
Detects whether the current administrative user is a DBA

Database Enumeration

Parameters: –dbs
If the current user can read all the database information, all the databases will be listed

Database Table Enumeration

Parameters: –tables-d somedatabase
Lists all of the table names in a database (Somedatabase), as shown in the following example:

Python sqlmap.py-u "http://www.example.com?id=1"--tables-d CMS
Field Enumeration

Parameters: –columns-d somedatabase-t sometable
Lists all the field information in the SomeTable table in the Somedatabase database. If a database is not specified with the-d parameter, the current database is used by default

Python sqlamp.py-u "http://www.example.com?id=1"--columns-d cms-t users
Get the number of data in a table

Parameters: –count
Use –count to get the number of data in a table

Python sqlmap.py-u "http://www.example.com?id=1"--count-d CMS
The above SQLMAP statement lists data for all tables in the CMS database

Downloading data from a table

Parameters: –dump-d somedatabase-t sometable-c somecolumns
With –dump, you can download data from a table to local. Specifies the value of-C to download all the data in a column, or to download all the data in the table if it is not specified.

Python sqlmap.py-u "http://www.example.com?id=1"--dump-d cms-t users
MISC

customizing SQL statements

Parameters: –sql-query,–sql-shell
Although Sqlmap will choose the SQL statement to test on its own, you can optionally execute a custom SQL statement.

Python sqlmap.py-u "http://www.example.com?id=1"--sql-query "Select Database ()"
Get shell

Parameters: –os-cmd,–os-shell
Use the –os-shell parameter to simulate a real shell, where you can enter any command you want to execute.
This command usually use less, and so have a certain use of experience to carry out detailed supplementary instructions.