I use sqlmap a lot, but it has a lot of options, and every time I used it I had to search the Internet for them. So I decided to summarize the common sqlmap usage to make it easier for myself to look up.
Special parameters
-v
-v sets how much detail sqlmap prints during injection. There are seven levels; the default is 1.
0: show only Python tracebacks and critical messages
1: also show basic information and warnings
2: also show debug information
3: also show the injected payloads
4: also show the HTTP requests
5: also show the HTTP response headers
6: also show the HTTP response page content
--level
By default sqlmap only tests GET/POST parameters. With --level set to 2 or higher it also tests cookies, and at 3 or higher it also tests the User-Agent and Referer headers.
--risk
--risk sets the risk level. The default, 1, runs most of the test statements; 2 adds time-based (heavy query) tests; 3 adds OR-based tests.
-f or --fingerprint
Perform an extensive DBMS version fingerprint. This is not used very often.
Get URL
-u or --url
-u is the most common usage:
python sqlmap.py -u "http://www.example.com/index.php?id=1"
-l
Read a Burp Suite or WebScarab proxy log file and test every URL in it for SQL injection.
-r
Load an HTTP request from a text file (the file must contain a complete HTTP request), so that sqlmap can use the parameters found in that request.
For example, the text file might contain:
POST /index.php HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/4.0

id=1
When injecting with sqlmap, sqlmap automatically takes the Host and User-Agent values from the text file.
When the request to be replayed is HTTPS, use this together with the --force-ssl parameter, or append :443 to the Host header.
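As an added example (not from sqlmap's own code base), here is a small Python parser for a request file in the format -r consumes; it rebuilds the target URL using the HTTPS rule just described. The sample request is constructed, and the function name and the force_ssl flag are my own.

```python
# Added example: parse a request file in the format sqlmap's -r option reads
# and rebuild the target URL. A Host header ending in ":443" (or the
# force_ssl flag, mirroring --force-ssl) selects https, as the text describes.
from typing import Dict
from urllib.parse import parse_qs

# Constructed sample, modelled on the text file shown above.
SAMPLE_REQUEST = """POST /index.php HTTP/1.1
Host: www.example.com:443
User-Agent: Mozilla/4.0
Content-Type: application/x-www-form-urlencoded

id=1
"""

def parse_request_file(text: str, force_ssl: bool = False) -> Dict[str, object]:
    """Split a raw HTTP request into method, URL, headers and body parameters."""
    head, _, body = text.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    method, path, _version = lines[0].split()
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    host = headers.get("host", "")
    # Port 443 in the Host header or force_ssl means the target is HTTPS.
    scheme = "https" if force_ssl or host.endswith(":443") else "http"
    url = f"{scheme}://{host}{path}"
    # Body parameters are what sqlmap would treat as POST parameters.
    params = {k: v[0] for k, v in parse_qs(body.strip()).items()}
    return {"method": method, "url": url, "headers": headers, "params": params}
```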
Request
POST request
Parameter: --data
--data is used for requests submitted with POST. Usage:
python sqlmap.py -u "http://www.example.com/index.php" --data="id=1"
Cookie related
Parameters: --cookie, --load-cookies, --drop-set-cookie
Cookie parameters are used in sqlmap in two situations:
When the web application requires a login
Testing for cookie injection
If the target requires a login, supply the cookie with --cookie. When a Set-Cookie header appears in an HTTP response, sqlmap automatically picks the cookie up and sends it in subsequent requests, and also tries SQL injection on it.
When --level is 2 or higher, cookie injection is tested.
User-Agent related
Parameters: --user-agent, --random-agent
By default the User-Agent in sqlmap's HTTP request header is:
sqlmap/1.0-dev-xxxxxxx (http://sqlmap.org)
You can change it with the --user-agent parameter, or use --random-agent to pick one at random from ./txt/user-agents.txt.
When --level is 3 or higher, User-Agent injection is tested.
Referer header
Parameter: --referer
sqlmap can forge the Referer header in a request, used in the same way as --user-agent. Referer injection is tested when --level is 3 or higher.
Request settings
Set request interval
Parameter: --delay
Sets the delay between two requests in seconds; 0.5 means half a second. The default is no delay.
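Turning the User-Agent and --delay sections around to the defender's side, here is an added example (not sqlmap code) that scans web access-log lines for the default sqlmap User-Agent quoted above and for request bursts, which --random-agent does not hide and --delay only dampens. The log lines are constructed, and the function name and thresholds are my own.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

# Constructed sample in Apache/nginx combined log format (not real traffic):
# client 203.0.113.7 still carries the default sqlmap User-Agent, client
# 198.51.100.9 rotates agents (as --random-agent does) but fires five requests in a second.
SAMPLE_LOG = """\
203.0.113.7 - - [04/Sep/2016:10:00:00 +0000] "GET /index.php?id=1 HTTP/1.1" 200 512 "-" "sqlmap/1.0-dev-xxxxxxx (http://sqlmap.org)"
203.0.113.7 - - [04/Sep/2016:10:00:03 +0000] "GET /index.php?id=2 HTTP/1.1" 200 512 "-" "sqlmap/1.0-dev-xxxxxxx (http://sqlmap.org)"
198.51.100.9 - - [04/Sep/2016:10:00:01 +0000] "GET /index.php?id=1 HTTP/1.1" 200 480 "-" "Mozilla/5.0 (Windows NT 6.1)"
198.51.100.9 - - [04/Sep/2016:10:00:01 +0000] "GET /index.php?id=2 HTTP/1.1" 200 480 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.9 - - [04/Sep/2016:10:00:01 +0000] "GET /index.php?id=3 HTTP/1.1" 200 480 "-" "Mozilla/5.0 (Macintosh)"
198.51.100.9 - - [04/Sep/2016:10:00:02 +0000] "GET /index.php?id=4 HTTP/1.1" 200 480 "-" "Mozilla/5.0 (Windows NT 10.0)"
198.51.100.9 - - [04/Sep/2016:10:00:02 +0000] "GET /index.php?id=5 HTTP/1.1" 200 480 "-" "Mozilla/5.0 (Android 6.0)"
192.0.2.5 - - [04/Sep/2016:10:05:00 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (Windows NT 6.1)"
"""

LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$'
)

def find_scanner_clients(log_text: str, burst: int = 5, window: float = 2.0) -> Dict[str, List[str]]:
    """Return {client_ip: [reasons]} for clients whose traffic looks like a scanner."""
    flagged_ua = set()
    stamps = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines in another format rather than crash on them
        ip, ts, _method, _path, _status, ua = m.groups()
        if ua.lower().startswith("sqlmap/"):
            flagged_ua.add(ip)
        stamps[ip].append(datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"))
    reasons: Dict[str, List[str]] = defaultdict(list)
    for ip in flagged_ua:
        reasons[ip].append("default sqlmap User-Agent")
    for ip, times in stamps.items():
        times.sort()
        # Sliding window: `burst` requests inside `window` seconds trips the rule.
        for i in range(len(times) - burst + 1):
            if (times[i + burst - 1] - times[i]).total_seconds() <= window:
                reasons[ip].append(f"{burst} requests within {window}s")
                break
    return dict(reasons)
```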
Set timeout
Parameter: --timeout
Sets how long a request may take before it is treated as timed out. For example, 10.5 means 10.5 seconds; the default is 30 seconds.
Set timeout retries
Parameter: --retries
Sets how many times a request is retried when it times out. The default is 3.
Turn off URL parameter encoding
Parameter: --skip-urlencode
Turns off URL encoding of the payload. This is rarely needed, since almost all web servers follow the RFC standard.
Execute custom Python code
Parameter: --eval
Sometimes another parameter must be recomputed whenever one parameter changes for the request to be valid. --eval handles this. Example:
python sqlmap.py -u "http://www.example.com?id=1&hash=c4ca4238a0b923820dcc509a6f75849b" --eval="import hashlib; hash=hashlib.md5(id).hexdigest()"
In the request above the hash parameter is the MD5 of the id value, so custom Python code is needed to keep it in sync.
Injection
Test parameters
Parameters: -p, --skip
-p names the parameters to test for injection, for example -p "id,user-agent"
--skip names parameters that should not be tested, for example --skip="user-agent"
Pseudo-static injection
Many frameworks use URL rewriting, so sqlmap cannot find a parameter to inject into. Instead, mark the injection point in the URL with an asterisk.
Example:
python sqlmap.py -u "http://blog.spoock.com/2016/09/04*/sqli-bypass/"
Bypassing a WAF
Parameter: --tamper
Often a WAF blocks sqlmap's injection attempts, and --tamper is then used to transform the injected SQL statements. All tamper scripts ship in sqlmap's tamper directory, where they can be viewed.
python sqlmap.py -u "http://www.example.com?id=1" --tamper tamper/between.py,tamper/randomcase.py
Extract data
Banner
Parameters: -b, --banner
Retrieve the DBMS banner
User
Parameter: --current-user
Returns the database user of the current connection
Current database
Parameter: --current-db
Returns the database of the current connection
DBA detection
Parameter: --is-dba
Detects whether the current database user is a DBA
Database enumeration
Parameter: --dbs
If the current user can read the database list, all databases are listed
Table enumeration
Parameters: --tables -D somedatabase
Lists all table names in the database somedatabase, for example:
python sqlmap.py -u "http://www.example.com?id=1" --tables -D CMS
Column enumeration
Parameters: --columns -D somedatabase -T sometable
Lists all columns of the table sometable in the database somedatabase. If no database is given with -D, the current database is used by default.
python sqlmap.py -u "http://www.example.com?id=1" --columns -D cms -T users
Get the number of rows in a table
Parameter: --count
Use --count to get the number of rows in a table
python sqlmap.py -u "http://www.example.com?id=1" --count -D CMS
The command above lists the row count of every table in the CMS database
Dumping data from a table
Parameters: --dump -D somedatabase -T sometable -C somecolumns
--dump downloads table data to the local machine. Give -C to dump only the listed columns; without it the whole table is dumped.
python sqlmap.py -u "http://www.example.com?id=1" --dump -D cms -T users
Misc
Custom SQL statements
Parameters: --sql-query, --sql-shell
Although sqlmap picks its own SQL statements for testing, you can also run a custom SQL statement.
python sqlmap.py -u "http://www.example.com?id=1" --sql-query "select database()"
Get a shell
Parameters: --os-cmd, --os-shell
--os-shell simulates a real shell in which you can enter any command you want to run.
I rarely use this command; I will add detailed notes once I have more experience with it.